Malware and spyware attack recovery system and method

US 20070100905A1
Filed: 11/03/2005
Published: 05/03/2007
Est. Priority Date: 11/03/2005
Status: Active Grant

First Claim

Patent Images

1. A method for malware recovery in a computer system comprising:

a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;

b) determining that an attack by a malicious program has occurred;

c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;

d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file; and

e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and computer program product with encoded instructions provides for repeatedly making data backups for files by making a series of snapshots of file storage volumes containing the files. The method and computer product further provide for determining that a malware attack has occurred, identifying corrupted files and, for each corrupted file, scanning the series of snapshots to identify an uncorrupted version of the file. Each corrupted file is restored to an uncorrupted version thereof. An event log contains write events and snapshot creation events corresponding to creation of each of the snapshots. A forensic scan scans the event log to determine modifying writes made by the corrupted files and which modified further files. The further files are restored to unmodified versions thereof. A list of at-risk files includes the corrupted files and the further files and the forensic scan is repeated on the at-risk files.

Citations

51 Claims

1. A method for malware recovery in a computer system comprising:
- a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred;
  
  c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file; and
  
  e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method as in claim 1, wherein said repeatedly making associated data backups occurs substantially instantaneously.
  - 3. The method as in claim 1, wherein said scanning identifies a most recent version of said uncorrupted versions.
  - 4. The method as in claim 1, wherein said step e) comprises replacing said corrupted file with said most recent uncorrupted version thereof.
  - 5. The method as in claim 1, further comprising:
    - f) identifying further files of said plurality of files that were modified by said corrupted files.
  - 6. The method as in claim 5, wherein said step f) further comprises restoring each of said further files to an unmodified version thereof.
  - 7. The method as in claim 1, further comprising:
    - f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots.
  - 8. The method as in claim 7, further comprising:
    - g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
      
      h) defining a first list of at-risk files comprising said corrupted files and said further files;
      
      i) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said at-risk files and which modified additional files of said plurality of files; and
      
      j) adding said additional files to said first list and repeating said step i).
  - 9. The method as in claim 7, further comprising determining modifier files of said plurality of files that modified said corrupted files and identifying prior versions of each of said modifier files that existed prior to modifying said corrupted file, and adding said modified files to said first list and repeating said step i).
  - 10. The method as in claim 7, further comprising, g) scanning said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files.
  - 11. The method as in claim 10, further comprising, for each said further file, identifying unmodified versions thereof and restoring said further file to one of said unmodified versions thereof.
  - 12. The method as in claim 10, further comprising scanning said event log to identify said snapshot creation event and associated snapshot of a most recent unmodified version of said unmodified versions of said further file.
  - 13. The method as in claim 11, wherein said restoring comprises replacing said further file with said corresponding unmodified version thereof that exists in said snapshot corresponding to a most recent one of said snapshot creation events that precedes an initial write of said modifying writes by which said further file was first modified by one of said corrupted files.
  - 14. The method as in claim 7, wherein said write events and said snapshot creation events are ordered in said event log chronologically.
  - 15. The method as in claim 10, wherein said event log further contains a plurality of write groups, each comprising all of said write events that occur between two successive snapshot creation events of said snapshot creation events, and further comprising scanning said event log to identify first write groups of said write groups that include least recent modifying writes of said modifying writes.
  - 16. The method as in claim 5, further comprising:
    - g) identifying additional files of said plurality of files that were modified by said further files and restoring each said additional file to an unmodified version thereof.
  - 17. The method as in claim 1, further comprising determining further files of said plurality of files that modified said corrupted files and identifying prior versions of each of said further files that existed prior to modifying said corrupted file.
  - 18. The method as in claim 17, further comprising restoring at least one said further file to one of said prior versions thereof.
  - 19. The method as in claim 18, further comprising:
    - f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots; and
      
      g) scanning said event log to determine modifying writes of said writes that were made by said further files to affect said corrupted files of said plurality of files.
  - 20. The method as in claim 19, wherein said restoring each said further file to one of said prior versions thereof comprises scanning said event log to identify said snapshot creation event and corresponding snapshot of said one of said prior versions thereof.
  - 21. The method as in claim 1, further comprising:
    - f) identifying modified files of said plurality of files that were modified by said corrupted files; and
      
      g) repeating a process that identifies additional modified files of said plurality of files that were modified by said modified files or said corrupted files.
  - 22. The method as in claim 21, wherein said repeating a process includes restoring each said modified file and each said additional modified file to a respective unmodified version thereof.
  - 23. The method as in claim 21, wherein said repeating a process comprises iteratively identifying additional modified files of said plurality of files that were modified by said modified files or said corrupted files.
  - 24. The method as in claim 21, wherein said repeating a process comprises recursively identifying additional modified files of said plurality of files that were modified by said modified files or said corrupted files.
  - 25. The method as in claim 24, wherein said recursively identifying includes creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files and snapshot creation events corresponding to creation of each of said snapshots, and scanning said event log to determine modifying writes of said writes that were made by said modified files and which modified said additional modified files.

26. A method for malware recovery in a computer system comprising:
- a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred;
  
  c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file;
  
  e) for each said corrupted file, restoring said file to said most recent uncorrupted version thereof;
  
  f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
  
  h) restoring each of said further files to an unmodified version thereof;
  
  i) defining a first list of at-risk files comprising said corrupted files and said further files; and
  
  j) identifying additional files of said plurality of files that were modified by said at-risk files.

27. A computer program product with encoded instructions for performing operations comprising:
- a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred;
  
  c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file; and
  
  e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 28. The computer program product as in claim 27, wherein said repeatedly occurs substantially instantaneously.
  - 29. The computer program product as in claim 27, wherein said scanning identifies a most recent version of said uncorrupted versions.
  - 30. The computer program product as in claim 27, wherein said step e) comprises replacing said corrupted file with said most recent uncorrupted version thereof.
  - 31. The computer program product as in claim 27, further comprising encoded instructions for:
    - f) identifying further files of said plurality of files that were modified by said corrupted files.
  - 32. The computer program product as in claim 31, wherein said step f) further comprises restoring each of said further files to an unmodified version thereof.
  - 33. The computer program product as in claim 27, further comprising encoded instructions for:
    - f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots.
  - 34. The computer program product as in claim 33, further comprising encoded instructions for:
    - g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
      
      h) defining a first list of at-risk files comprising said corrupted files and said further files;
      
      i) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said at-risk files and which modified additional files of said plurality of files; and
      
      j) adding said additional files to said first list and repeating said step i).
  - 35. The computer program product as in claim 33, further comprising encoded instructions for:
    - determining modifier files of said plurality of files that modified said corrupted files;
      
      identifying prior versions of each of said modified files that existed prior to modifying said corrupted file; and
      
      adding said modified files to said first list and repeating said step i).
  - 36. The computer program product as in claim 33, further comprising encoded instructions for:
    - g) scanning said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files.
  - 37. The computer program product as in claim 36, further comprising encoded instructions for identifying unmodified versions of each said further file and for restoring each such further file to an unmodified version thereof.
  - 38. The computer program product as in claim 36, further comprising encoded instructions for scanning said event log to identify said snapshot creation event and associated snapshot of a most recent unmodified version of said unmodified versions of said further file.
  - 39. The computer program product as in claim 37, wherein said restoring comprises replacing said further file with said unmodified version thereof that exists in said snapshot corresponding to a most recent one of said snapshot creation events that precedes an initial write of said modifying writes by which said further file was first modified by one of said corrupted files.
  - 40. The computer program product as in claim 33, wherein said write events and said snapshot creation events are ordered in said event log chronologically.
  - 41. The computer program product as in claim 31, further comprising encoded instructions for:
    - g) identifying additional files of said plurality of files that were modified by said further files and restoring each said additional file to an unmodified version thereof.
  - 42. The computer program product as in claim 27, further comprising encoded instructions for determining further files of said plurality of files that modified said corrupted files and identifying prior versions of each of said further files that existed prior to modifying said corrupted file.
  - 43. The computer program product as in claim 41, further comprising encoded instructions for restoring at least one said further file to one of said prior versions thereof.
  - 44. The computer program product as in claim 42, further comprising encoded instructions for:
    - f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots; and
      
      g) scanning said event log to determine modifying writes of said writes that were made by said further files to affect said corrupted files of said plurality of files.
  - 45. The computer program product as in claim 44, wherein said restoring each said further file to one of said prior versions thereof comprises scanning said event log to identify said snapshot creation event and corresponding snapshot of said one of said prior versions thereof.
  - 46. The computer program product as in claim 27, further comprising encoded instructions for:
    - f) identifying modified files of said plurality of files that were modified by said corrupted files; and
      
      g) repeating a process that identifies additional modified files of said plurality of files that were modified by said modified files or said corrupted files.
  - 47. The computer program product as in claim 46, wherein said repeating a process further includes restoring each said modified file and each said additional modified file to a respective unmodified version thereof.
  - 48. The computer program product as in claim 46, wherein said repeating a process comprises iteratively identifying additional modified files of said plurality of files that were modified by said modified files or said corrupted files.
  - 49. The computer program product as in claim 46, wherein said repeating a process comprises recursively identifying additional modified files of said plurality of files that were modified by said modified files or said corrupted files.
  - 50. The computer program product as in claim 46, wherein said recursively identifying includes creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files and snapshot creation events corresponding to creation of each of said snapshots and scanning said event log to determine modifying writes of said writes that were made by said modified files and which modified said additional modified files.

51. A computer program product with encoded instructions for performing operations comprising:
- a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred;
  
  c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file;
  
  e) for each said corrupted file, restoring said file to said most recent uncorrupted version thereof;
  
  f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
  
  h) restoring each of said further files to an unmodified version thereof;
  
  i) defining a first list of at-risk files comprising said corrupted files and said further files; and
  
  j) identifying additional files of said plurality of files that were modified by said at-risk files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
St Bernard Software Incorporated (GoSecure, Inc.)
Inventors
Masters, Daniel, Neill, Chris

Granted Patent

US 7,756,834 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/568 eliminating virus, restorin...

Malware and spyware attack recovery system and method

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Malware and spyware attack recovery system and method

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links