EXTENSIBLE ACTIVATION EXPLOIT SCANNER

US 20100169976A1
Filed: 12/30/2008
Published: 07/01/2010
Est. Priority Date: 12/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method, performed on a processing device, for detecting an activation exploit, the method comprising:

executing, by at least one processor of the processing device, at least one detection module, each of the at least one detection module being specific for detecting a respective known activation exploit or a respective class of activation exploit;

executing, by the at least one processor of the processing device, at least one response module, each of the at least one response module includes response logic for performing a corresponding action in response to detecting the respective known activation exploit or the respective class of activation exploit; and

executing, by the at least one processor of the processing device, a scanner, which uses an exploit data file, the at least one detection module, and the at least one response module, the exploit data file including information regarding at least one known activation exploit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An extensible activation exploit scanner may have a modular structure, such that capabilities of the activation exploit scanner may be updated easily. The extensible activation exploit scanner may include an exploit data file, at least one detection module, at least one response module, and a base scanner. The exploit data file may have a number of entries, each of which may include information about a respective activation exploit or a respective class of activation exploit, as well as information about a detection module and a response module. The activation exploit scanner may read an entry of the exploit data file, may execute a detection module, corresponding to the entry, to detect a respective activation exploit or class of activation exploit, and may execute a response module, corresponding to the entry, to perform an action when the respective activation exploit or the class of activation exploit is detected.

16 Citations

View as Search Results

20 Claims

1. A method, performed on a processing device, for detecting an activation exploit, the method comprising:
- executing, by at least one processor of the processing device, at least one detection module, each of the at least one detection module being specific for detecting a respective known activation exploit or a respective class of activation exploit;
  
  executing, by the at least one processor of the processing device, at least one response module, each of the at least one response module includes response logic for performing a corresponding action in response to detecting the respective known activation exploit or the respective class of activation exploit; and
  
  executing, by the at least one processor of the processing device, a scanner, which uses an exploit data file, the at least one detection module, and the at least one response module, the exploit data file including information regarding at least one known activation exploit.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the information regarding at least one known activation exploit or class of activation exploit comprises a breach identifier corresponding to one of the at least one known activation exploit or the class of activation exploit, an identifier corresponding to an application or an operating system associated with the one of the at least one known activation exploit or the class of activation exploit, location information of a detection module of the at least one detection module, and location information of a response module of the at least one response module, andthe method further comprises;
      
      determining, by the scanner, whether the detection module and the response module are present based on the information included in the exploit data file; and
      
      when the detection module and the response module are determined to be present, the scanner performs;
      
      scanning to detect a presence of the one of the at least one known activation exploit or the class of activation exploit by executing the detection module, andperforming a corresponding action in response to detecting the presence of the one of the at least one known activation exploit or the class of activation exploits by executing the response module.
  - 3. The method of claim 2, further comprising:
    - determining whether the one of the at least one known activation exploit or the class of activation exploit applies to the processing device, based on the information included in the exploit data file; and
      
      scanning, by the scanner, to detect a presence of the one of the at least one known activation exploit or the class of activation exploit only when the one of the at least one activation exploit or the class of activation exploit is determined to apply to the processing device.
  - 4. The method of claim 2, wherein the performing of a corresponding action further comprises:
    - executing, by the response module, one or more response sub-modules.
  - 5. The method of claim 4, wherein the one or more response sub-modules perform one or more actions from a group of actions comprising sending telemetry data, providing a pop up user interface, providing a notification regarding detection of the detected one of the at least one activation exploit or the detected class of activation exploit, and removing the detected one of the at least one activation exploit or the detected class of activation exploits.
  - 6. The method of claim 1, further comprising:
    - updating a capability to detect an activation exploit or class of activation exploit by replacing one or more of the at least one detection module with corresponding one or more replacement detection modules or by adding one or more new detection modules.
  - 7. The method of claim 1, further comprising:
    - updating a capability to respond to a detected activation exploit or a detected class of activation exploit by replacing one or more of the at least one response module with corresponding one or more replacement response modules or by adding one or more new response modules.

8. A system for an extensible activation exploit scanner installed on a processing device, the system comprising:
- at least one detection module, each of the at least one detection module including a signature for detecting a respective known activation exploit or a respective known class of activation exploit;
  
  at least one response module, each of the at least one response module for performing a corresponding action responsive to detecting a respective known activation exploit or a respective known class of activation exploit;
  
  an exploit data file including at least one entry, each of the at least one entry including an identifier corresponding to a respective known activation exploit or a respective known class of activation exploit, location information of one of the at least one detection module, and location information of one of the at least one response module; and
  
  a scanner for scanning for a presence of a known activation exploit or a known class of activation exploit by calling a detection module identified by an entry of the exploit file as being for detecting the known activation exploit or the known class of activation exploit, and the scanner further being for responding to the presence of the known activation exploit or the known class of activation exploit by calling a response module identified by the entry of the exploit file.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein:
    - before scanning for the presence of the known activation exploit or the known class of activation exploit, the scanner reads the entry of the exploit file to obtain the location information of the detection module and the location information of the response module and determines whether the detection module and the response module are present, andthe scanner scans for the presence of the known activation exploit or the known class of activation exploit only when the detection module and the response module are determined to be present.
  - 10. The system of claim 8, wherein:
    - each of the at least one entry of the exploit file includes an identifier corresponding to an application or an operating system associated with the respective known activation exploit or the respective known class of activation exploit.
  - 11. The system of claim 10, wherein:
    - the scanner scans for the respective activation exploit or the respective class of activation exploit only when the respective activation exploit or the respective class of activation exploit applies to the processing device, based on the identifier, corresponding to an application or an operating system, included a corresponding one of the at least one entry.
  - 12. The system of claim 8, wherein the at least one response module executes one or more response sub-modules to perform one or more actions.
  - 13. The system of claim 12, wherein the one or more actions include one or more actions from a group of actions comprising sending telemetry data, providing a pop-up user interface, providing a notification regarding detection of a known activation exploit or a known class of activation exploit, and removing a detected activation exploit or a detected class of activation exploit.
  - 14. The system of claim 12, wherein the scanner is extensible by:
    - changing the exploit data file, andperforming at least one of;
      
      changing a module of any of the at least one detection module,changing a module of any of the at least one response module,adding a new detection module, oradding a new response module.

15. A machine-readable medium having instructions recorded thereon for a processing device to perform a method comprising:
- reading an entry of an exploit data file, the entry including an identifier corresponding to a known activation exploit, location information of a detection module, and location information of a response module;
  
  using the location information of the detection module to execute the detection module to detect whether the known activation exploit is present; and
  
  using the location information of the response module to execute the response module to perform one or more actions in response to the detection module detecting that the known activation exploit breach is present.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The machine-readable medium of claim 15, wherein the method further comprises:
    - using the detection module to determine whether a file is present which, when hashed, produces a hash that matches a breach file hash included in the entry of the exploit data file.
  - 17. The machine-readable medium of claim 15, wherein:
    - the response module executes one or more sub-modules, andeach of the sub-modules is for performing an action form a group of actions.
  - 18. The machine-readable medium of claim 17, wherein the group of actions comprise:
    - sending telemetry data;
      
      informing a user about a detected known activation exploit; and
      
      removing the detected known activation exploit.
  - 19. The machine-readable medium of claim 15, wherein the method further comprises:
    - updating detection capabilities by performing one or more of;
      
      replacing the detection module; and
      
      adding a new detection module and replacing the exploit data file with a new exploit data file, the new exploit data file including an entry having location information of the new detection module.
  - 20. The machine-readable medium of claim 15, wherein the method further comprises:
    - updating a response capability by replacing the response module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Gurevich, Peter Alexi

Granted Patent

US 8,146,158 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/105   Arrangements for software l...

G06F 21/121   Restricting unauthorised ex...

G06F 21/16   Program or content traceabi...

G06F 21/56   Computer malware detection ...

G06F 2221/2137   Time limited access, e.g. t...

EXTENSIBLE ACTIVATION EXPLOIT SCANNER

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EXTENSIBLE ACTIVATION EXPLOIT SCANNER

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links