METHOD AND APPARATUS FOR REDUCING FALSE POSITIVE DETECTION OF MALWARE

US 20100083376A1
Filed: 09/26/2008
Published: 04/01/2010
Est. Priority Date: 09/26/2008
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware on a computer, comprising:

identifying files of unknown trustworthiness as potential threats on the computer;

receiving a trustworthiness level for each of the files from a backend;

comparing the trustworthiness level of each of the files to a threshold level;

designating each of the files where the trustworthiness level thereof satisfies the threshold level as a false positive threat; and

designating each of the files where the trustworthiness level thereof does not satisfy the threshold level as a true positive threat.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for detecting malware are described. In some examples, files of unknown trustworthiness are identified as potential threats on the computer. A trustworthiness level for each of the files is received from a backend. The trustworthiness level of each of the files is compared to a threshold level. Each of the files where the trustworthiness level thereof satisfies the threshold level is designated as a false positive threat. Each of the files where the trustworthiness level thereof does not satisfy the threshold level is designated as a true positive threat.

Citations

20 Claims

1. A method of detecting malware on a computer, comprising:
- identifying files of unknown trustworthiness as potential threats on the computer;
  
  receiving a trustworthiness level for each of the files from a backend;
  
  comparing the trustworthiness level of each of the files to a threshold level;
  
  designating each of the files where the trustworthiness level thereof satisfies the threshold level as a false positive threat; and
  
  designating each of the files where the trustworthiness level thereof does not satisfy the threshold level as a true positive threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - allowing each of the files designated as a false positive threat to be utilized; and
      
      blocking each of the files designated as a true positive threat from being utilized.
  - 3. The method of claim 1, wherein the files of unknown trustworthiness are identified as potential threats during or after installation of software including the files, and wherein the method further comprises:
    - requesting the trustworthiness level for each of the files from the backend in response to the installation of the software.
  - 4. The method of claim 1, further comprising:
    - requesting the trustworthiness level for each of the files from the backend using identification information for the files.
  - 5. The method of claim 4, wherein the identification information for each of the files includes a digest thereof.
  - 6. The method of claim 1, wherein the backend is executing on a server, and wherein the method further comprises:
    - sending a request from the computer to the server over a network for the trustworthiness level for each of the files.
  - 7. The method of claim 1, wherein the trustworthiness level for each of the files is one of a plurality of trustworthiness levels, the plurality of trustworthiness levels including a provider trusted level, a community trusted level, a community presence level, and unknown in order of decreasing trustworthiness, and wherein the threshold level is the community presence level.

8. An apparatus for detecting malware on a computer, comprising:
- means for identifying files of unknown trustworthiness as potential threats on the computer;
  
  means for receiving a trustworthiness level for each of the files from a backend;
  
  means for comparing the trustworthiness level of each of the files to a threshold level;
  
  means for designating each of the files where the trustworthiness level thereof satisfies the threshold level as a false positive threat; and
  
  means for designating each of the files where the trustworthiness level thereof does not satisfy the threshold level as a true positive threat.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, further comprising:
    - means for allowing each of the files designated as a false positive threat to be utilized; and
      
      means for blocking each of the files designated as a true positive threat from being utilized.
  - 10. The apparatus of claim 8, wherein the files of unknown trustworthiness are identified as potential threats during or after installation of software including the files, and wherein the method further comprises:
    - means for requesting the trustworthiness level for each of the files from the backend in response to the installation of the software.
  - 11. The apparatus of claim 8, further comprising:
    - means for requesting the trustworthiness level for each of the files from the backend using identification information for the files.
  - 12. The apparatus of claim 11, wherein the identification information for each of the files includes a digest thereof.
  - 13. The apparatus of claim 8, wherein the backend is executing on a server, and wherein the method further comprises:
    - means for sending a request from the computer to the server over a network for the trustworthiness level for each of the files.
  - 14. The apparatus of claim 8, wherein the trustworthiness level for each of the files is one of a plurality of trustworthiness levels, the plurality of trustworthiness levels including a provider trusted level, a community trusted level, a community presence level, and unknown in order of decreasing trustworthiness, and wherein the threshold level is the community presence level.

15. A computer readable medium having stored thereon instructions that when executed by a processor cause the processor to perform a method of detecting malware on a computer, comprising:
- identifying files of unknown trustworthiness as potential threats on the computer;
  
  receiving a trustworthiness level for each of the files from a backend;
  
  comparing the trustworthiness level of each of the files to a threshold level;
  
  designating each of the files where the trustworthiness level thereof satisfies the threshold level as a false positive threat; and
  
  designating each of the files where the trustworthiness level thereof does not satisfy the threshold level as a true positive threat.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable medium of claim 15, further comprising:
    - allowing each of the files designated as a false positive threat to be utilized; and
      
      blocking each of the files designated as a true positive threat from being utilized.
  - 17. The computer readable medium of claim 15, wherein the files of unknown trustworthiness are identified as potential threats during or after installation of software including the files, and wherein the method further comprises:
    - requesting the trustworthiness level for each of the files from the backend in response to the installation of the software.
  - 18. The computer readable medium of claim 15, further comprising:
    - requesting the trustworthiness level for each of the files from the backend using identification information for the files.
  - 19. The computer readable medium of claim 18, wherein the identification information for each of the files includes a digest thereof.
  - 20. The computer readable medium of claim 15, wherein the trustworthiness level for each of the files is one of a plurality of trustworthiness levels, the plurality of trustworthiness levels including a provider trusted level, a community trusted level, a community presence level, and unknown in order of decreasing trustworthiness, and wherein the threshold level is the community presence level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane, Viljoen, Pieter, Kennedy, Mark

Granted Patent

US 8,931,086 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/562 Static detection

METHOD AND APPARATUS FOR REDUCING FALSE POSITIVE DETECTION OF MALWARE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR REDUCING FALSE POSITIVE DETECTION OF MALWARE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links