MALWARE MANAGEMENT THROUGH KERNEL DETECTION

US 20080034429A1
Filed: 08/07/2006
Published: 02/07/2008
Est. Priority Date: 08/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method for managing pestware on a computer comprising:

starting a boot sequence, the boot sequence including a period when boot drivers are initialized;

initiating a kernel-level monitor during the period when boot drivers are initialized;

monitoring, while the boot sequence is being carried out, events with the kernel-level monitor; and

managing pestware-related events with the kernel-level monitor before a period in the boot sequence when native applications are capable of running.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing pestware on a protected computer is described. The method in one variation includes starting a boot sequence that includes a period when boot drivers are initialized, initiating a kernel-level monitor during the period when boot drivers are initialized, monitoring events with the kernel-level monitor during the boot sequence and managing pestware-related events with the kernel-level monitor before a period in the boot sequence when native applications are capable of running. In variations, a pestware management engine is initialized after an operating system of the protected computer is initialized and the pestware management system both receives an event log of the monitored events and compiles the set of behavior rules utilized by kernel-level monitor.

121 Citations

View as Search Results

20 Claims

1. A method for managing pestware on a computer comprising:
- starting a boot sequence, the boot sequence including a period when boot drivers are initialized;
  
  initiating a kernel-level monitor during the period when boot drivers are initialized;
  
  monitoring, while the boot sequence is being carried out, events with the kernel-level monitor; and
  
  managing pestware-related events with the kernel-level monitor before a period in the boot sequence when native applications are capable of running.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 including:
    - acquiring a set of behavior rules, wherein the managing is carried out in accordance with the behavior rules.
  - 3. The method of claim 2, including:
    - launching, after an operating system is initiated, a pestware management engine;
      
      wherein the acquiring the set of behavior rules includes acquiring at least a portion of the behavior rules from behavior rules compiled by the pestware management engine.
  - 4. The method of claim 2, including:
    - generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
      
      analyzing the record of events so as to identify the pestware-related events; and
      
      modifying the set of behavior rules so as to prevent the pestware related events.
  - 5. The method of claim 4, wherein the record of events includes information selected from the group consisting of process identification information, file identification information and hook generation information.
  - 6. The method of claim 1, including:
    - managing pestware-related events with the kernel-level monitor after the period in the boot sequence when native applications are capable of running.
  - 7. The method of claim 1, wherein the kernel-level monitor is selected from the group consisting of a device driver, a kernel-mode DLL and a virtual machine.
  - 8. The method of claim 1, wherein the loading the kernel-level monitor includes loading the kernel-level driver from a BIOS of the computer.
  - 9. The method of claim 1, wherein the kernel-level monitor is initiated before the boot drivers are initiated.
  - 10. The method of claim 9, wherein the monitoring includes monitoring the boot sequence while the boot drivers are initiated.
  - 11. The method of claim 1 including:
    - loading and initializing a native scanner during the period in the boot sequence when native applications are capable of running; and
      
      managing pestware during the period in the boot sequence when native applications are capable of running.
  - 12. The method of claim 11 including scanning a registry of a protected computer before a Win32 subsystem is loaded and executed.

13. A system for managing pestware on a protected computer comprising:
- a kernel-level monitor configured to be initialized before at least a portion of boot drivers on the protected computer are initialized and to monitor, according to a set of behavior rules, activities on the protected computer before a period in a boot sequence of the protected computer when native applications are capable of running; and
  
  a pestware management engine configured to both be initialized after an operating system of the protected computer is initialized and to compile the set of behavior rules.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein the kernel-level monitor is selected from the group consisting of device driver, a kernel-mode DLL and a virtual machine.
  - 15. The system of claim 13, wherein the kernel-level monitor is configured to prevent, in accordance with the behavior rules, pestware from carrying out pestware-related activities.
  - 16. The system of claim 15 including a memory, wherein the kernel-level monitor is configured to store, before the period in a boot sequence of the protected computer when native applications are capable of running, information about potential pestware-related events in an event log in the memory, wherein the memory is selected from the group consisting of a magnetic storage medium and volatile memory.
  - 17. The system of claim 16, wherein the pestware management engine is configured to read the event log and modify the set of behavior rules based upon the information about potential pestware-related events so as to prevent subsequent pestware-related events during the boor sequence.
  - 18. The system of claim 13, wherein the pestware management engine resides on the protected computer.
  - 19. The system of claim 13 including a native scanner that is initialized during the period in the boot sequence of the protected computer when native applications are capable of running, wherein the native scanner is configured to scan files that are utilized by an operating system of the protected computer.
  - 20. The system of claim 19, wherein the native scanner is configured to scan a registry of a protected computer before a Win32 subsystem is loaded and executed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Schneider, Jerome L.

Granted Patent

US 8,190,868 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

MALWARE MANAGEMENT THROUGH KERNEL DETECTION

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE MANAGEMENT THROUGH KERNEL DETECTION

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links