System and method for using rules to protect against malware

US 20080127334A1
Filed: 09/14/2006
Published: 05/29/2008
Est. Priority Date: 09/14/2006
Status: Active Grant

First Claim

Patent Images

1. A method for preventing a malicious or unwanted software application function from acting upon an object within a computer system, the method utilizing a plurality of rules to associate one or more object attributes with the object within the computer system, the method comprising:

determining one or more of the plurality of rules that apply to the object within the computer system;

associating one or more object attributes with the object within the computer system according to the one or more applicable rules;

detecting a software application function before allowing the software application function to act upon the object within the computer system;

scanning the object within the computer system for the one or more object attributes;

determining whether the one or more object attributes indicate that the software application function must be prevented from acting upon the object within the computer system; and

disabling the software object function when the one or more object attributes indicate that the software application function must be prevented from acting upon the object within the computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a method of disabling malicious or unwanted software on a computer system using a plurality of rules, wherein the plurality of rules automatically disable functions originating from malicious software. In one embodiment, the method includes detecting a function that is attempting to act on an object within the computer system and identifying one or more rules from the plurality of rules that apply to the object. The function may then be automatically disabled when the identified rules indicate that the function should be disabled.

Citations

20 Claims

1. A method for preventing a malicious or unwanted software application function from acting upon an object within a computer system, the method utilizing a plurality of rules to associate one or more object attributes with the object within the computer system, the method comprising:
- determining one or more of the plurality of rules that apply to the object within the computer system;
  
  associating one or more object attributes with the object within the computer system according to the one or more applicable rules;
  
  detecting a software application function before allowing the software application function to act upon the object within the computer system;
  
  scanning the object within the computer system for the one or more object attributes;
  
  determining whether the one or more object attributes indicate that the software application function must be prevented from acting upon the object within the computer system; and
  
  disabling the software object function when the one or more object attributes indicate that the software application function must be prevented from acting upon the object within the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein determining whether the one or more attributes indicate that the software application function must be prevented from acting upon the object within the computer system further comprises associating a function attribute with the software application function.
  - 3. The method of claim 2, wherein the function attribute comprises one of:
    - an indication that the software application function must be prevented from acting upon the object within the computer system,an indication that the software application function must not be prevented from acting upon the object within the computer system, andan indication that the software application function must be prevented from acting upon the object within the computer system pending further review.
  - 4. The method of claim 2, wherein the function attribute comprises an indication that the software application function must be prevented from acting upon the object within the computer system pending further review, the method further comprising alerting at least one user that the software application function requires review prior to acting upon the object within the computer system.
  - 5. The method of claim 1, wherein each of the plurality of rules includes a function type specifying the types of software application functions prevented by the rule.
  - 6. The method of claim 5, wherein the function type comprises one of:
    - an update rule preventing updates to objects within the computer system;
      
      ora delete rule preventing deletion of objects within the computer system.
  - 7. The method of claim 5, wherein associating one or more object attributes with the object further comprises:
    - examining the function type of the one or more applicable rules; and
      
      associating an object attribute with the object within the computer system indicating that software application functions having a function type of the examined function type must be prevented from acting upon the object within the computer system,
  - 8. The method of claim 1, wherein each of the plurality of rules includes a platform value specifying a platform on which an object associated with a rule resides.
  - 9. The method of claim 1, wherein each of the plurality of rules includes a component value that specifies a type of object upon which a rule operates.
  - 10. The method of claim 9, wherein the component value specifies either file objects or registry objects.
  - 11. The method of claim 1, wherein each of the plurality of rules includes a path for an object upon which a rule operates.
  - 12. The method of claim 1, wherein each of the plurality of rules includes a process list specifying one or more processes whose functions are not prevented by a rule.
  - 13. The method of claim 12, wherein associating one or more object attributes with the object further comprises:
    - examining the process list of the one or more applicable rules; and
      
      associating an object attribute with the object within the computer system indicating that software application functions originating from a predetermined list of processes must not be prevented from acting upon the object within the computer system.
  - 14. The method of claim 1, wherein each of the plurality of rules includes an exception list specifying one or more exceptions to a rule, each of the one or more exceptions itself being one of the plurality of rules.
  - 15. The method of claim 1, further comprising creating a log entry when the software application function process is disabled, wherein the log entry includes one or more of:
    - information regarding the identity of the software application function;
      
      the identity of the object within the computer system; and
      
      the identity of the one or more applicable rules.

16. A system for preventing a malicious or unwanted software application function from acting upon an object within a computer system, the system utilizing a plurality of rules to associate one or more object attributes with the object within the computer system, the system comprising:
- a memory upon which the plurality of rules are stored;
  
  a comparator that determined one or more of the plurality of rules that apply to the object within the computer system;
  
  a flagging module that associates one or more object attributes with the object within the computer system according to the one or more applicable rules;
  
  a detector that detects a software application function attempting to act upon the object within the computer system before allowing the software application function to act upon the object within the computer system;
  
  a scanner that scans the object within the computer system for the one or more object attributes and determines whether the one or more object attributes indicate that the software application function must be prevented from acting upon the object within the computer system; and
  
  a disabler that disables the software object function when the one or more object attributes indicate that the software application function must be prevented from acting upon the object within the computer system.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the scanner further comprises a scanner that associates a function attribute with the software application function, the function attribute comprising one of:
    - an indication that the software application function must be prevented from acting upon the object within the computer system,an indication that the software application function must not be prevented from acting upon the object within the computer system, andan indication that the software application function must be prevented from acting upon the object within the computer system pending further review.
  - 18. The system of claim 16, wherein each of the plurality of rules includes a process list specifying one or more processes whose functions are not prevented by a rule.
  - 19. The system of claim 18, wherein the flagging module further comprises a flagging module that:
    - examines the process list of the one or more applicable rules; and
      
      associates an object attribute with the object within the computer system indicating that software application functions originating from a predetermined list of processes must not be prevented from acting upon the object within the computer system.
  - 20. The system of claim 16, further comprising a recorder that creates a log entry of disabled software application functions, wherein the log entry includes one or more of:
    - information regarding the identity of the software application function;
      
      the identity of the object within the computer system; and
      
      the identity of the one or more applicable rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Gassoway, Paul Alan

Granted Patent

US 8,230,509 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

System and method for using rules to protect against malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using rules to protect against malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links