Method and system for detecting a compressed pestware executable object

US 20070261117A1
Filed: 04/20/2006
Published: 11/08/2007
Est. Priority Date: 04/20/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting a compressed pestware executable object on a computer, the method comprising:

detecting, during startup of the computer, that a running process is attempting to exit; and

preventing the running process from exiting until a pestware detection procedure has been performed.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting a compressed pestware executable object is described. In an illustrative embodiment, while a computer is booting up, an attempt by a running process to exit is detected. The running process is prevented from exiting until a pestware detection procedure has been performed. In one embodiment, the pestware detection procedure includes scanning for pestware signatures the portion of executable program memory associated with the suspended running process. In a different embodiment, the pestware detection procedure includes writing to a file at least the portion of executable program memory associated with the running process, after which the running process is permitted to exit. The file can then be scanned for pestware signatures at a convenient time.

64 Citations

View as Search Results

20 Claims

1. A method for detecting a compressed pestware executable object on a computer, the method comprising:
- detecting, during startup of the computer, that a running process is attempting to exit; and
  
  preventing the running process from exiting until a pestware detection procedure has been performed.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the pestware detection procedure includes scanning for pestware signatures a portion of an executable program memory of the computer that is associated with the running process.
  - 3. The method of claim 1, wherein the pestware detection procedure includes writing to a file on a storage device of the computer at least a portion of an executable program memory of the computer that is associated with the running process.
  - 4. The method of claim 3, further comprising:
    - scanning the file for pestware signatures after the running process has been permitted to exit.
  - 5. The method of claim 1, further comprising:
    - logging, before the running process is permitted to exit, at least one change the running process has made to the computer since the running process was launched; and
      
      inspecting the computer for damage associated with the at least one logged change when it has been determined that the running process is associated with a compressed pestware executable object.
  - 6. The method of claim 1, wherein preventing the running process from exiting until the pestware detection procedure has been performed includes:
    - loading, during the startup of the computer, a driver at an earliest possible time permitted by an operating system of the computer;
      
      hooking, with the driver, at least one program-termination application program interface (API) of the operating system;
      
      intercepting, with the driver, a kernel-level call to terminate the running process, the kernel-level call being associated with a program-termination API; and
      
      suspending, with the driver, the kernel-level call until the pestware detection procedure has been performed.

7. A system for detecting a compressed pestware executable object on a computer, the system comprising:
- a driver configured to;
  
  detect, during startup of the computer, that a running process is attempting to exit; and
  
  prevent the running process from exiting until a pestware detection procedure has been performed.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, further comprising:
    - a pestware detection module configured to scan for pestware signatures a portion of an executable program memory of the computer that is associated with the running process, while the driver is preventing the running process from exiting.
  - 9. The system of claim 7, further comprising:
    - a pestware detection module configured to write to a file on a storage device of the computer at least a portion of an executable program memory of the computer that is associated with the running process, while the driver is preventing the running process from exiting.
  - 10. The system of claim 9, wherein the pestware detection module is further configured to scan the file for pestware signatures after the driver has permitted the running process to exit.
  - 11. The system of claim 7, further comprising:
    - a pestware detection module configured to;
      
      record, while the driver is preventing the running process from exiting, at least one change the running process has made to the computer since the running process was launched; and
      
      inspect the computer for damage associated with the at least one recorded change when the pestware detection module has determined that the running process is associated with a compressed pestware executable object.
  - 12. The system of claim 7, wherein the driver is configured to:
    - become operative, during the startup of the computer, at an earliest possible time permitted by an operating system of the computer;
      
      hook at least one program-termination application program interface (API) of the operating system;
      
      intercept a kernel-level call to terminate the running process, the kernel-level call being associated with a program-termination API; and
      
      suspend the kernel-level call until the pestware detection procedure has been performed.

13. A system for detecting a compressed pestware executable object on a computer, the system comprising:
- means for determining, during startup of the computer, that a running process is attempting to exit; and
  
  means for preventing the running process from exiting until a pestware detection procedure has been performed.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13, further comprising:
    - means for scanning for pestware signatures a portion of an executable program memory of the computer that is associated with the running process, while the running process is being prevented from exiting.
  - 15. The system of claim 13, further comprising:
    - means for writing to a file on a storage device of the computer at least a portion of an executable program memory of the computer that is associated with the running process, while the running process is being prevented from exiting.
  - 16. The system of claim 15, further comprising:
    - means for scanning the file for pestware signatures after the running process has been permitted to exit.

17. A computer-readable storage medium containing program instructions to detect a compressed pestware executable object on a computer, the computer-readable storage medium comprising:
- a first code segment configured to detect, during startup of the computer, that a running process is attempting to exit; and
  
  a second code segment configured to prevent the running process from exiting until a pestware detection procedure has been performed.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable storage medium of claim 17, further comprising:
    - a third code segment configured to scan for pestware signatures a portion of an executable program memory of the computer that is associated with the running process, while the second code segment is preventing the running process from exiting.
  - 19. The computer-readable storage medium of claim 17, further comprising:
    - a third code segment configured to write to a file on a storage device of the computer at least a portion of an executable program memory of the computer that is associated with the running process, while the second code segment is preventing the running process from exiting.
  - 20. The computer-readable storage medium of claim 19, wherein the third code segment is further configured to scan the file for pestware signatures after the second code segment has permitted the running process to exit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Inc. (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Boney, Matthew

Application Number

US11/407,658
Publication Number

US 20070261117A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 21/566 Dynamic detection, i.e. det...

Method and system for detecting a compressed pestware executable object

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting a compressed pestware executable object

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links