Fixing Computer Files Infected by Virus and Other Malware

US 20100031361A1
Filed: 07/17/2009
Published: 02/04/2010
Est. Priority Date: 07/21/2008
Status: Active Grant

First Claim

Patent Images

9. A method for monitoring behavior of plurality of applications or modules in applications on a computing device that have not been classified based on attributes, comprising the steps of:

injecting a module into the memory space of the said applications;

the injected module monitoring said applications'"'"' file system accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;

the injected module monitoring said applications'"'"' network accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;

the injected module monitoring said applications'"'"' executable content loading by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;

the injected module monitoring the memory access by the applications via inline hooks in API function call and the application programming interface functions provided;

and the injected module monitoring the registry access by the applications via inline hooks in API function call and the application programming interface functions provided.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed invention is a new method and apparatus for detecting and removing virus from a computing device based on a web or network service. Virus is detected by transmitting the attributes and behavior of application modules on a computing device to another computing device via a web service, where it is analyzed. After the item has been classified, that information is sent back to the computing device along with the instructions on how the remove the virus. Along with the instructions on virus remediation a clean copy of the file or a network location of the clean copy can be sent.

137 Citations

View as Search Results

53 Claims

9. A method for monitoring behavior of plurality of applications or modules in applications on a computing device that have not been classified based on attributes, comprising the steps of:
- injecting a module into the memory space of the said applications;
  
  the injected module monitoring said applications'"'"' file system accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;
  
  the injected module monitoring said applications'"'"' network accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;
  
  the injected module monitoring said applications'"'"' executable content loading by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;
  
  the injected module monitoring the memory access by the applications via inline hooks in API function call and the application programming interface functions provided;
  
  and the injected module monitoring the registry access by the applications via inline hooks in API function call and the application programming interface functions provided.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 wherein the behavior monitoring method is applied to a specific module inside the application.
  - 11. The method of claim 9 wherein the API function calls are first checked for unauthorized hooks by examining the API function pointers in memory to obtain and display the identities of the modules that are intercepting the API function calls.
  - 12. The method of claim 9 wherein the behavior monitoring method is applied to a specific module inside the kernel.
  - 13. The method of claim 9 wherein the behavior monitoring method is applied to a specific module inside the application as it relates to its interaction with another module.
  - 14. The method of claim 9 wherein the observed behavior of the application over a time period is displayed in a graphical user interface or stored in a file.
  - 15. The method of claim 9 wherein the injected module is a dynamically allotted area in the memory space of the application.

16. A method for creating a lists of malicious or infected or unclassified applications or modules on a computing device for the purpose of obtaining the classification and remedial action on those applications or modules form a remote computing node, comprising steps of:
- creating a list of unclassified items from the scan of file system, registry, and memory of a computing device;
  
  observing the behavior of items in the unclassified list;
  
  matching the behavior of detected items with a local black/white list database;
  
  applying a filter on the list of detected items;
  
  storing the filtered items along with the attributes of the items, their observed behavior, their classification based on local database, and action to be taken on the item into a list that is stored in a human or machine readable format;
  
  and transmitting the list along with the observed behavior to a remote computing node.
- View Dependent Claims (1, 5, 6, 7, 8, 17, 18, 20)
- - 1. A method for creating list of infected, malicious, and unclassified software or modules on a computing device for the purpose of obtaining the classification and remedial action on those applications or modules form a remote computing node, comprising steps of:
    - assigning a unique identifier to the computing device;
      
      listing items in file system, registry, and memory of a computing device;
      
      listing attributes of the said items;
      
      computing cryptographic hash of the said items;
      
      matching the attributes of said items with a local black/white list database;
      
      applying a filter to reduce or limit the number of items in the list;
      
      and storing the identifier and filtered items along with the attributes of the items, their classification, and action to be taken on the items into a list that is stored in a human or machine readable format.
  - 5. The method of claim 1 wherein the application files are uploaded to a network location and the path to the uploaded files are included in the list.
  - 6. The method of claim 1 wherein the list is transmitted over the network and stored at a remote computing node.
  - 7. The method of claim 1 wherein based on their classification, plurality of applications are placed in a sandbox that limits actions they can take on the computing node until the cleanup task is complete.
  - 8. The method of claim 1 wherein the computing device is placed in a restricted mode that limits modifications to the application files until the cleanup task is complete.
  - 17. The method of claim 16 wherein the list may also include items that have been identified as good.
  - 18. The method of claim 16 wherein the list and observed behavior of items are matched with a behavior black/white database and stored at a remote computing device, fields for item classification and remedial action are update, and the list returned to the computing node.
  - 20. The method of claim 16 wherein clean copies or the network location of clean copies plurality of applications are received by the local computing node to replace infected files.

18-1. The method of claim 16 wherein the applications in the unclassified or malicious list are placed in a sandbox that limits actions they can take on the computer until the updated list, in part or entirety, is returned to the computing node from the remote computing node.

21. A method for applying remedial action on application or modules on a computing device based on observed changes, comprising steps of:
- listing items in unclassified list, file system, registry, and memory of a computing device;
  
  creating a reference state by storing the observed attributes, behavior, classification, and remedial action for listed items in a human or machine readable format;
  
  periodically comparing the attributes and observed behavior of items with those stated in the reference state to detect changes;
  
  matching all or part of the binary of items that have changed with a local black/white list database;
  
  and storing the filtered items in a list if the changed items were not classified as known good items.
- View Dependent Claims (2, 3, 4, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The method of claim 1 wherein the unique identifier is locally generated based on the attributes of the computing node.
  - 3. The method of claim 1 wherein the unique identifier is received from the remote computing node via the web service.
  - 4. The method of claim 1 wherein the list may exclude items that have been identified as good and the list is stored in a human or machine readable format.
  - 22. The method of claim 21 wherein the application binaries, reference state, and the current state are transmitted to a remote computing node where the change analysis is performed.
  - 23. The method of claim 21 wherein the analyzed reference state is returned to the computing device along with clean copies of the applications to revert or fix the observed changes.
  - 24. The method of claim 21 wherein the unclassified or malicious items are placed in a sandbox that restricts their actions.
  - 25. The method of claim 21 wherein the unclassified or malicious items are replaced with a clean copy received from a remote computing node.
  - 26. A method for classifying unclassified application or module list received from a computing node, comprising the steps of:
    - scanning the local computing node and generating a list of unclassified and infected applications and other information about those applications;
      
      encoding the generated unclassified application list and other collected information;
      
      establishing a network connection between the local computing node and the remote computing node or database;
      
      transmitting the encoded information about unclassified and infected applications and other information about those applications to the remote computing node;
      
      at the remote computing device;
      
      receiving and decoding the list, and classifying the items in the list;
      
      transmitting the updated list to the local computing node after the items in the unclassified list have been partially or fully classified and instruction on remediation specified;
      
      and executing the cleanup instructions received from the remote computing node.
  - 27. The method of claim 23 wherein the reported information about the unclassified applications includes the application binary, observed behavior, and attributes.
  - 28. The method of claim 23 wherein a clean copies or network location of the clean copies of plurality of applications is sent from the remote computing node to the local computing node to replace the application files.
  - 29. The method of claim 23 wherein the local remote computing node receives a database to classify unclassified application files.

24-2. The method of claim 23 wherein the plurality of local computing node reported unclassified items to an intermediate node before it is relayed to the remote computing node.

25-3. The method of claim 23 wherein the remote computing node is polled periodically by the local computing node to check if the reported unclassified items have been classified.

26-4. The method of claim 23 wherein the actions of unclassified or malicious items are restricted until they are classified or fixed.

30. A method for receiving classification and remedial instructions for file comprising the steps of:
- creating a network connection to the processing server;
  
  authenticating client identity to the server;
  
  server retrieves the processed information from the database;
  
  and server transmits the classification information for the software to the client along with the remediation actions.

32. The method of claim 32 wherein the network connection between the client and the server is an HTTP or HTTPS connection.
- View Dependent Claims (31, 33, 34)
- - 31. The method of claim 32 wherein the client periodically checking with the server for updated information.
  - 33. The method of claim 32 wherein the server provides the client with a new copy of one of more files to replace the virus infected files.
  - 34. The method of claim 32 wherein the server provides the client with the network location of a clean copy of one of more files to replace the virus infected files.

35. A method for removing virus, hidden or otherwise, and fixing infected files comprising the steps of:
- establishing a network connection to a remote computing node and receiving a list containing application names, attributes, classification, and remedial action to be performed;
  
  initiating a lock down mechanism to prevent unauthorized system and file modifications;
  
  scanning the hard drive, registry, and memory of computer for any executable content;
  
  comparing the detected items classification in the received list;
  
  applying the remediation mechanism prescribed for each items in the received file.
- View Dependent Claims (36, 37, 38)
- - 36. The method of claim 35 wherein a default action is applied to every detected item that is not listed in the received file.
  - 37. The method of claim 35 wherein the remedial action is to replace plurality of files with a clean copy received or by downloading the clean copy from a specified location.
  - 38. The method of claim 35 wherein a connection is made to the remote computing device to obtain classification of every new detected item that is not listed in the received file.

39. A method for manually classifying application and modules on a computing node and prescribing remedial action from a remote computing node comprising the steps of:
- scanning the local computing node and generating a list of unclassified and infected applications and other information about those applications;
  
  encoding the generated application list and other collected information;
  
  establishing a network connection to the remote computing node;
  
  transmitting the encoded information to the remote computing node;
  
  at the remote computing device, decoding the information and displaying the items in the list;
  
  manually classifying and prescribing an action for each item in the list;
  
  and transmitting the manually updated list or a definition database to the computing node from the remote computing node.

41. The method of claim 40 wherein the list is displayed in an application or a Web page.

42. The method of claim 40 wherein the updated list includes for each the location of clean copy of file to used to replace infected file.

43. A method for enforcing lockdown on computer for the purpose of removing virus, comprising the steps of:
- scanning the file system, registry, installed programs, and memory of a computing device and creating a reference state;
  
  preventing modifications to the sections of registry or file system of the computer that may enable the malware to start itself upon rebooting of the device by intercepting application and kernel layer calls;
  
  and intercepting application and kernel layer calls.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50)
- - 44. The method of claim 43, wherein creation of any process not listed in the reference list is prohibited by intercepting the API function call for creating new processes.
  - 45. The method of claim 43, wherein creation of network connections by any module not listed in the reference list is prohibited by intercepting the API function call for creating new network connections.
  - 46. The method of claim 43, wherein loading into the memory of computer, any module not listed in the reference list is prohibited by intercepting the API function call for loading modules.
  - 47. The method of claim 43, wherein injection of a module into the memory space of any executing application is prohibited by intercepting the API function call for loading modules.
  - 48. The method of claim 43, wherein creation or modification of registry entries for starting programs and modification of executable files is prohibited by intercepting the API function call for modifying files and registry entries.
  - 49. The method of claim 43, wherein any action during the lockdown is further checked against a white list and the action is allowed to take place if a match is made.
  - 50. The method of claim 43, wherein the lockdown state is disabled after the cleanup process has been completed.

51. A method fixing virus infected files on a computing device, comprising steps of:
- scanning the files system, registry, and memory of the computing device with plurality of anti-virus scanners;
  
  creating a list of all files along with their attributes that are part of the operating system or a valid application and have been identified as infected;
  
  establishing a network connection and transmitting the list to a remote computing device;
  
  and receiving instructions from the remote computing device for remediation of the infected files.
- View Dependent Claims (52, 53)
- - 52. The method of claim 51 wherein the infected items are placed in a sandbox that restricts their actions.
  - 53. The method of claim 51 wherein the infected items are replaced with a clean copy received or downloaded from a remote computing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
New Relic
Original Assignee
Jayant Shukla
Inventors
Shukla, Jayant

Granted Patent

US 8,935,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/567 using dedicated hardware

G06F 21/568 eliminating virus, restorin...

Fixing Computer Files Infected by Virus and Other Malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

137 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Fixing Computer Files Infected by Virus and Other Malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links