Fixing Computer Files Infected by Virus and Other Malware
2 Assignments
0 Petitions
Abstract
The disclosed invention is a new method and apparatus for detecting and removing viruses from a computing device based on a web or network service. A virus is detected by transmitting the attributes and behavior of application modules on a computing device to another computing device via a web service, where they are analyzed. After the item has been classified, that information is sent back to the computing device along with instructions on how to remove the virus. Along with the virus remediation instructions, a clean copy of the file, or a network location of the clean copy, can be sent.
137 Citations
53 Claims
9. A method for monitoring the behavior of a plurality of applications, or modules in applications, on a computing device that have not been classified based on attributes, comprising the steps of:
- injecting a module into the memory space of the said applications;
- the injected module monitoring said applications' file system accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;
- the injected module monitoring said applications' network accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;
- the injected module monitoring said applications' executable content loading by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer;
- the injected module monitoring the memory access by the applications via inline hooks in API function calls and the application programming interface functions provided; and
- the injected module monitoring the registry access by the applications via inline hooks in API function calls and the application programming interface functions provided.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A method for creating a list of malicious, infected or unclassified applications or modules on a computing device for the purpose of obtaining the classification of, and remedial action on, those applications or modules from a remote computing node, comprising the steps of:
- creating a list of unclassified items from a scan of the file system, registry, and memory of a computing device;
- observing the behavior of items in the unclassified list;
- matching the behavior of detected items with a local black/white list database;
- applying a filter on the list of detected items;
- storing the filtered items, along with the attributes of the items, their observed behavior, their classification based on the local database, and the action to be taken on each item, into a list that is stored in a human- or machine-readable format; and
- transmitting the list along with the observed behavior to a remote computing node.
Dependent claims: 1, 5, 6, 7, 8, 17, 18, 20.
18. The method of claim 16 wherein the applications in the unclassified or malicious list are placed in a sandbox that limits the actions they can take on the computer until the updated list, in part or in its entirety, is returned to the computing node from the remote computing node.
21. A method for applying remedial action on applications or modules on a computing device based on observed changes, comprising the steps of:
- listing items in the unclassified list, file system, registry, and memory of a computing device;
- creating a reference state by storing the observed attributes, behavior, classification, and remedial action for the listed items in a human- or machine-readable format;
- periodically comparing the attributes and observed behavior of items with those recorded in the reference state to detect changes;
- matching all or part of the binary of items that have changed with a local black/white list database; and
- storing the filtered items in a list if the changed items were not classified as known good items.
Dependent claims: 2, 3, 4, 22, 23, 24, 25, 26, 27, 28, 29.
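Claims 16 and 21 describe the same client-side pipeline from two angles: take an inventory of file system, registry and memory items, keep a reference state, detect changes, run the changed items through the local black/white list, and store what is left in a machine-readable list for the remote node. The following Python is an added example written for this page, not code from the patent: real scans are replaced by a constructed in-memory inventory (item name to bytes), the local black/white list database by two sets of hashes, and the behaviour strings are constructed observations of the kind the hook-based monitor in claim 9 would produce.

```python
"""Reference state, change detection and local black/white list matching.

Added example, not the patent's code: it models the flow of claims 16 and 21
over a constructed in-memory inventory. Real scans of the file system,
registry and process memory are replaced by a dict of item name -> bytes,
and the local black/white list database by two sets of hashes. All names,
hashes and behaviour strings below are constructed.
"""
import hashlib
import json


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the local black/white list database.
KNOWN_GOOD = {sha256_bytes(b"kernel32 stand-in")}
KNOWN_BAD = {sha256_bytes(b"dropper stand-in")}


def inventory(items):
    """Build the attribute record for each scanned item.

    `items` maps an item name (file path, registry value or loaded module) to a
    (source, bytes) pair. The record keeps where the item was seen, its size
    and its hash; these are the attributes later compared against the
    reference state.
    """
    return {
        name: {"source": source, "size": len(data), "sha256": sha256_bytes(data)}
        for name, (source, data) in items.items()
    }


def classify_locally(digest):
    """Consult the local white list first, then the black list."""
    if digest in KNOWN_GOOD:
        return "known_good"
    if digest in KNOWN_BAD:
        return "malicious"
    return "unclassified"


def changed_items(reference, current):
    """Names that appeared, or whose hash or size changed, since the reference
    state was recorded. Items that disappeared are not reported here."""
    changed = []
    for name, rec in current.items():
        old = reference.get(name)
        if old is None or old["sha256"] != rec["sha256"] or old["size"] != rec["size"]:
            changed.append(name)
    return sorted(changed)


def build_report(reference, current, observed_behavior):
    """Filter changed items through the local database and assemble the list
    that would be transmitted to the remote node. Known-good changes are
    dropped; everything else is stored with its attributes, observed behaviour,
    local verdict and the action taken locally in the meantime."""
    report = []
    for name in changed_items(reference, current):
        rec = current[name]
        verdict = classify_locally(rec["sha256"])
        if verdict == "known_good":
            continue
        entry = {
            "name": name,
            "classification": verdict,
            "behavior": observed_behavior.get(name, []),
            "action": "block_and_report" if verdict == "malicious" else "sandbox_and_report",
        }
        entry.update(rec)
        report.append(entry)
    return report


def serialize_report(report):
    """Machine-readable form of the list (JSON, stable key order)."""
    return json.dumps(report, indent=2, sort_keys=True)


def demo():
    """Run the flow over constructed reference and current inventories."""
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"
    reference = inventory({
        r"C:\Windows\System32\kernel32.dll": ("file", b"kernel32 stand-in"),
        run_key: ("registry", b"C:\\Program Files\\Updater\\upd.exe"),
    })
    current = inventory({
        r"C:\Windows\System32\kernel32.dll": ("file", b"kernel32 stand-in"),  # unchanged
        run_key: ("registry", b"C:\\Users\\Public\\svchost.exe"),              # value rewritten
        r"C:\Users\Public\svchost.exe": ("file", b"dropper stand-in"),         # new, on black list
        "memory:pid4242:module7": ("memory", b"unknown injected module"),      # new, unknown
    })
    behavior = {  # constructed observations from the hook-based monitor
        r"C:\Users\Public\svchost.exe": ["net_connect:198.51.100.7:443", "registry_write:Run"],
        "memory:pid4242:module7": ["file_read:C:\\Users\\Public\\Documents"],
    }
    return build_report(reference, current, behavior)


if __name__ == "__main__":
    print(serialize_report(demo()))
```

The unchanged system DLL never reaches the report, the rewritten autorun value and the injected memory module are stored as unclassified with a sandbox action pending the remote verdict, and the file that matches the local black list is blocked and reported. Comparing both hash and size keeps the check cheap while still catching the appended-parasite case the remediation claims deal with.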
24. The method of claim 23 wherein a plurality of local computing nodes report unclassified items to an intermediate node before they are relayed to the remote computing node.

25. The method of claim 23 wherein the remote computing node is polled periodically by the local computing node to check whether the reported unclassified items have been classified.

26. The method of claim 23 wherein the actions of unclassified or malicious items are restricted until they are classified or fixed.
30. A method for receiving classification and remedial instructions for a file, comprising the steps of:
- creating a network connection to the processing server;
- authenticating the client's identity to the server;
- the server retrieving the processed information from the database; and
- the server transmitting the classification information for the software to the client along with the remediation actions.

32. The method of claim 32 wherein the network connection between the client and the server is an HTTP or HTTPS connection.
35. A method for removing viruses, hidden or otherwise, and fixing infected files, comprising the steps of:
- establishing a network connection to a remote computing node and receiving a list containing application names, attributes, classification, and the remedial action to be performed;
- initiating a lockdown mechanism to prevent unauthorized system and file modifications;
- scanning the hard drive, registry, and memory of the computer for any executable content;
- comparing the detected items against the classification in the received list; and
- applying the remediation mechanism prescribed for each item in the received file.
Dependent claims: 36, 37, 38.
39. A method for manually classifying applications and modules on a computing node and prescribing remedial action from a remote computing node, comprising the steps of:
- scanning the local computing node and generating a list of unclassified and infected applications and other information about those applications;
- encoding the generated application list and other collected information;
- establishing a network connection to the remote computing node;
- transmitting the encoded information to the remote computing node;
- at the remote computing device, decoding the information and displaying the items in the list;
- manually classifying and prescribing an action for each item in the list; and
- transmitting the manually updated list, or a definition database, to the computing node from the remote computing node.
41. The method of claim 40 wherein the list is displayed in an application or a Web page.

42. The method of claim 40 wherein the updated list includes, for each item, the location of a clean copy of the file to be used to replace the infected file.
43. A method for enforcing a lockdown on a computer for the purpose of removing viruses, comprising the steps of:
- scanning the file system, registry, installed programs, and memory of a computing device and creating a reference state;
- preventing modifications to the sections of the registry or file system of the computer that may enable the malware to start itself upon rebooting of the device, by intercepting application and kernel layer calls; and
- intercepting application and kernel layer calls.
Dependent claims: 44, 45, 46, 47, 48, 49, 50.
51. A method for fixing virus-infected files on a computing device, comprising the steps of:
- scanning the file system, registry, and memory of the computing device with a plurality of anti-virus scanners;
- creating a list of all files, along with their attributes, that are part of the operating system or a valid application and have been identified as infected;
- establishing a network connection and transmitting the list to a remote computing device; and
- receiving instructions from the remote computing device for remediation of the infected files.
Dependent claims: 52, 53.
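Claims 30, 35, 42 and 51 cover the receiving side: the client obtains a list of names, attributes, classifications and prescribed actions, optionally with the location of a clean copy, and applies the remediation under lockdown. The Python below is an added example written for this page, not code from the patent. It shows the two checks a practitioner would want before acting on a remote verdict: the local file must still hash to the value the list was built from, and a clean copy is only written if it hashes to the value the list promises. The received list is a constructed JSON document, a temporary directory stands in for the scanned drive, and the clean-copy network location is resolved through a caller-supplied fetch function backed by an in-memory dict; the lockdown itself is out of scope and appears only as a comment.

```python
"""Applying a received classification and remediation list.

Added example, not the patent's code: it models the client side of claims 30,
35, 42 and 51. The received list is a constructed JSON document; a temporary
directory stands in for the scanned drive; the "network location of the clean
copy" is resolved through a caller-supplied fetch function backed by an
in-memory dict. All file names, contents and hashes are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    return sha256_bytes(Path(path).read_bytes())


def apply_remediation(received_json, root, fetch_clean):
    """Apply the prescribed action to each listed item; return an outcome per
    item name.

    Two checks guard the remote verdict before anything is touched:
    - the local file must still hash to the value the list was built from;
      a file that changed after the scan is reported, not remediated;
    - a replacement is written only if the fetched clean copy hashes to the
      value the list promises, so a wrong or tampered download is refused.
    """
    # A real implementation would engage the lockdown of claim 35 here so that
    # nothing else can modify files or autorun registry entries meanwhile.
    outcomes = {}
    for entry in json.loads(received_json):
        name = entry["name"]
        path = Path(root, name)
        if not path.exists():
            outcomes[name] = "missing"
            continue
        if sha256_file(path) != entry["sha256"]:
            outcomes[name] = "changed_since_scan"
            continue
        action = entry["action"]
        if entry["classification"] == "known_good" or action == "none":
            outcomes[name] = "left_alone"
        elif action == "delete":
            path.unlink()
            outcomes[name] = "deleted"
        elif action == "replace":
            clean = fetch_clean(entry["clean_copy"])
            if sha256_bytes(clean) != entry["clean_sha256"]:
                outcomes[name] = "clean_copy_hash_mismatch"
                continue
            path.write_bytes(clean)
            outcomes[name] = "replaced"
        else:
            outcomes[name] = "unknown_action"
    return outcomes


def demo():
    """Populate a scratch directory, apply a constructed received list and
    return (outcomes, final file hashes)."""
    good = b"MZ notepad stand-in"
    infected = good + b"<appended parasite>"
    clean_store = {"clean://notepad": good, "clean://other": b"MZ something else"}

    def fetch(location):  # stands in for downloading from the network location
        return clean_store[location]

    with tempfile.TemporaryDirectory() as root:
        files = {
            "notepad.exe": infected,             # infected OS file, clean copy available
            "dropper.exe": b"dropper stand-in",  # malicious, to be deleted
            "calc.exe": b"MZ calc stand-in",     # classified known good
            "drifted.dll": b"new content",       # changed after the scan was reported
            "tampered.dll": b"bad content",      # clean copy does not match promised hash
        }
        for fname, data in files.items():
            Path(root, fname).write_bytes(data)
        received = json.dumps([
            {"name": "notepad.exe", "sha256": sha256_bytes(infected), "classification": "infected",
             "action": "replace", "clean_copy": "clean://notepad", "clean_sha256": sha256_bytes(good)},
            {"name": "dropper.exe", "sha256": sha256_bytes(b"dropper stand-in"),
             "classification": "malicious", "action": "delete"},
            {"name": "calc.exe", "sha256": sha256_bytes(b"MZ calc stand-in"),
             "classification": "known_good", "action": "none"},
            {"name": "drifted.dll", "sha256": sha256_bytes(b"old content"), "classification": "infected",
             "action": "replace", "clean_copy": "clean://notepad", "clean_sha256": sha256_bytes(good)},
            {"name": "tampered.dll", "sha256": sha256_bytes(b"bad content"), "classification": "infected",
             "action": "replace", "clean_copy": "clean://other", "clean_sha256": sha256_bytes(good)},
            {"name": "ghost.exe", "sha256": sha256_bytes(b"never existed"),
             "classification": "malicious", "action": "delete"},
        ])
        outcomes = apply_remediation(received, root, fetch)
        final = {p.name: sha256_file(p) for p in Path(root).iterdir()}
    return outcomes, final


if __name__ == "__main__":
    outcomes, final = demo()
    for name, outcome in outcomes.items():
        print(f"{name}: {outcome}")
```

Items that drifted after the scan and clean copies whose hash does not match are left untouched and surface as distinct outcomes, so the next report to the remote node can carry them; only the entries whose local and remote views agree are deleted or replaced.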
Specification