Method and system for detecting and removing hidden pestware files

US 20080010310A1
Filed: 07/07/2006
Published: 01/10/2008
Est. Priority Date: 07/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and removing a hidden pestware file on a storage device of a computer, the method comprising:

detecting, using direct drive access, a file on the storage device, the direct drive access bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;

determining whether the file is detectable by the operating system by attempting to access the file using a standard file API function call of the operating system, the file being detectable by the operating system when the attempt to access the file using the standard file API function call is successful, the file being undetectable by the operating system when the attempt to access the file using the standard file API function call is unsuccessful;

identifying the file as a potential hidden pestware file, when the file is undetectable by the operating system;

confirming through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and

removing automatically, using direct drive access, the hidden pestware file from the storage device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting and removing a hidden pestware file is described. One illustrative embodiment detects, using direct drive access, a file on a computer storage device; determines whether the file is also detectable by the operating system by attempting to access the file using a standard file Application-Program-Interface (API) function call of the operating system; identifies the file as a potential hidden pestware file, when the file is undetectable by the operating system; confirms through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and removes automatically, using direct drive access, the hidden pestware file from the storage device.

60 Citations

View as Search Results

17 Claims

1. A method for detecting and removing a hidden pestware file on a storage device of a computer, the method comprising:
- detecting, using direct drive access, a file on the storage device, the direct drive access bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;
  
  determining whether the file is detectable by the operating system by attempting to access the file using a standard file API function call of the operating system, the file being detectable by the operating system when the attempt to access the file using the standard file API function call is successful, the file being undetectable by the operating system when the attempt to access the file using the standard file API function call is unsuccessful;
  
  identifying the file as a potential hidden pestware file, when the file is undetectable by the operating system;
  
  confirming through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and
  
  removing automatically, using direct drive access, the hidden pestware file from the storage device.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein a backup copy of the hidden pestware file is made before the hidden pestware file is automatically removed from its original location on the storage device, the hidden pestware file thereby being quarantined to enable automatic recovery of the hidden pestware file when removal of the hidden pestware file is in error.
  - 3. The method of claim 1, wherein the standard file API function call of the operating system is GetFileAttributes.
  - 4. The method of claim 1, wherein the method is performed in conjunction with scanning a data-bearing portion of the storage device, the scanning being performed sequentially in sector order using direct drive access.

5. A method for detecting a potential hidden pestware file on a storage device of a computer, the method comprising:
- detecting, using direct drive access, a file on the storage device, the direct drive access bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;
  
  determining whether the file is detectable by the operating system by attempting to access the file using a standard file API function call of the operating system, the file being detectable by the operating system when the attempt to access the file using the standard file API function call is successful, the file being undetectable by the operating system when the attempt to access the file using the standard file API function call is unsuccessful;
  
  identifying the file as a potential hidden pestware file, when the file is undetectable by the operating system; and
  
  performing the following when the file has been identified as a potential hidden pestware file;
  
  notifying a user that the file is a potential hidden pestware file;
  
  presenting to the user an option to remove automatically the potential hidden pestware file from the storage device; and
  
  removing, using direct drive access, the potential hidden pestware file from the storage device automatically in response to an input from the user.
- View Dependent Claims (6)
- - 6. The method of claim 5, wherein the method is performed in conjunction with scanning a data-bearing portion of the storage device, the scanning being performed sequentially in sector order using direct drive access.

7. A method for scanning a storage device of a computer for hidden pestware files, the method comprising:
- reading a data-bearing portion of the storage device, the reading being performed sequentially in sector order using direct drive access, the direct drive access substantially bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;
  
  identifying, through the reading, files on the storage device;
  
  determining, for each identified file, whether that identified file is detectable by the operating system by attempting to access that identified file using a standard file API function call of the operating system, an identified file being detectable by the operating system when the attempt to access that identified file using the standard file API function call is successful, an identified file being undetectable by the operating system when the attempt to access that identified file using the standard file API function call is unsuccessful;
  
  flagging each identified file that is undetectable to the operating system as a potential hidden pestware file;
  
  performing an automated pestware-signature scan of each identified file flagged as a potential hidden pestware file to determine whether that identified file is indeed a hidden pestware file; and
  
  removing from the storage device automatically, using direct drive access, each identified file determined to be a hidden pestware file.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein a backup copy is made of each identified file determined to be a hidden pestware file before that identified file is automatically removed from its original location on the storage device, that identified file thereby being quarantined to enable automatic recovery of that identified file when removal of that identified file is in error.
  - 9. The method of claim 7, wherein the standard file API function call of the operating system is GetFileAttributes.

10. A system for detecting and removing a hidden pestware file on a storage device of a computer, the system comprising:
- a file-detection module configured to detect, using direct drive access, a file on the storage device, the direct drive access bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;
  
  a file-analysis module configured to determine whether the file is detectable by the operating system by attempting to access the file using a standard file API function call of the operating system, the file being detectable by the operating system when the attempt to access the file using the standard file API function call is successful, the file being undetectable by the operating system when the attempt to access the file using the standard file API function call is unsuccessful;
  
  a file-classification module configured to flag the file as a potential hidden pestware file, when the file is undetectable by the operating system;
  
  a pestware-scanning module configured to confirm, through an automated pestware-signature scan of the potential hidden pestware file, that the potential hidden pestware file is a hidden pestware file; and
  
  a pestware-removal module configured to remove automatically, using direct drive access, the hidden pestware file from the storage device.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, wherein the pestware-removal module is configured to make a backup copy of the hidden pestware file before automatically removing the hidden pestware file from its original location on the storage device, the hidden pestware file thereby being quarantined to enable automatic recovery of the hidden pestware file when removal of the hidden pestware file is in error.
  - 12. The system of claim 10, wherein the standard file API function call of the operating system is GetFileAttributes.
  - 13. The system of claim 10, wherein the file-detection module is configured to scan a data-bearing portion of the storage device sequentially in sector order using direct drive access.

14. A system for detecting a potential hidden pestware file on a storage device of a computer, the system comprising:
- a file-detection module configured to detect, using direct drive access, a file on the storage device, the direct drive access bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;
  
  a file-analysis module configured to determine whether the file is detectable by the operating system by attempting to access the file using a standard file API function call of the operating system, the file being detectable by the operating system when the attempt to access the file using the standard file API function call is successful, the file being undetectable by the operating system when the attempt to access the file using the standard file API function call is unsuccessful;
  
  a file-classification module configured to flag the file as a potential hidden pestware file, when the file is undetectable by the operating system;
  
  a notification module configured, when the file has been flagged as a potential hidden pestware file, to;
  
  notify a user that the file has been flagged as a potential hidden pestware file; and
  
  present to the user an option to remove automatically the potential hidden pestware file from the storage device; and
  
  a pestware-removal module configured to remove automatically, using direct drive access, the potential hidden pestware file from the storage device in response to an input from the user.
- View Dependent Claims (15)
- - 15. The system of claim 14, wherein the file-detection module is configured to scan a data-bearing portion of the storage device sequentially in sector order using direct drive access.

16. A computer-readable storage medium containing program instructions executable by a processor to detect and remove a hidden pestware file on a storage device of a computer, the program instructions comprising:
- a first instruction segment configured to detect, using direct drive access, a file on the storage device, the direct drive access bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;
  
  a second instruction segment configured to determine whether the file is detectable by the operating system by attempting to access the file using a standard file API function call of the operating system, the file being detectable by the operating system when the attempt to access the file using the standard file API function call is successful, the file being undetectable by the operating system when the attempt to access the file using the standard file API function call is unsuccessful;
  
  a third instruction segment configured to flag the file as a potential hidden pestware file, when the file is undetectable by the operating system;
  
  a fourth instruction segment configured to confirm, through an automated pestware-signature scan of the potential hidden pestware file, that the potential hidden pestware file is a hidden pestware file; and
  
  a fifth instruction segment configured to remove automatically, using direct drive access, the hidden pestware file from the storage device.

17. A computer-readable storage medium containing program instructions executable by a processor to detect a potential hidden pestware file on a storage device of a computer, the program instructions comprising:
- a first instruction segment configured to detect, using direct drive access, a file on the storage device, the direct drive access bypassing standard file Application-Program-Interface (API) function calls of an operating system of the computer;
  
  a second instruction segment configured to determine whether the file is detectable by the operating system by attempting to access the file using a standard file API function call of the operating system, the file being detectable by the operating system when the attempt to access the file using the standard file API function call is successful, the file being undetectable by the operating system when the attempt to access the file using the standard file API function call is unsuccessful;
  
  a third instruction segment configured to flag the file as a potential hidden pestware file, when the file is undetectable by the operating system;
  
  a fourth instruction segment configured, when the file has been flagged as a potential hidden pestware file, to;
  
  notify a user that the file has been flagged as a potential hidden pestware file; and
  
  present to the user an option to remove automatically the potential hidden pestware file from the storage device; and
  
  a fifth instruction segment configured to remove automatically, using direct drive access, the hidden pestware file from the storage device in response to an input from the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Sprowls, Patrick

Granted Patent

US 7,996,903 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/102
CPC Class Codes

G06F 21/568 eliminating virus, restorin...

G06F 21/78 to assure secure storage of...

Method and system for detecting and removing hidden pestware files

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Method and system for detecting and removing hidden pestware files

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others