IDENTIFICATION OF TELEMETRY DATA

US 20100242094A1
Filed: 03/17/2009
Published: 09/23/2010
Est. Priority Date: 03/17/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

scanning a file by an anti-malware engine and comparing the file to at least one attribute to identify the file for telemetry collection;

identifying the file as a telemetry candidate, comprising identifying a match between the file and the at least one attribute;

communicating an offer to send a sample of the file to a server;

receiving a response to the offer from the server; and

sending a sample of the file to the server when the response indicates an acceptance of the offer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer-readable media are disclosed for identifying telemetry data. A particular method scans a file and compares the file to at least one attribute to be used for telemetry collection. When the file is identified as a telemetry candidate, an offer to submit a sample of the file is sent to a server. A response to the offer is received from the server. If the response to the offer indicates an acceptance, a sample of the file is sent to the server.

39 Citations

View as Search Results

20 Claims

1. A method comprising:
- scanning a file by an anti-malware engine and comparing the file to at least one attribute to identify the file for telemetry collection;
  
  identifying the file as a telemetry candidate, comprising identifying a match between the file and the at least one attribute;
  
  communicating an offer to send a sample of the file to a server;
  
  receiving a response to the offer from the server; and
  
  sending a sample of the file to the server when the response indicates an acceptance of the offer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the at least one attribute comprises a heuristic for file analysis by the anti-malware engine or a signature within a definition file.
  - 3. The method of claim 2, wherein the heuristic comprises a maximum acceptable scanning time, and wherein identifying a match comprises determining that scanning the file took longer than the maximum acceptable scanning time.
  - 4. The method of claim 1, wherein the at least one attribute further comprises a behavior pattern.
  - 5. The method of claim 1, wherein the definition file is included in telemetry data identification files that are independently updatable from the anti-malware engine.
  - 6. The method of claim 1, wherein the offer to send the file further comprises a telemetry report related to the file, wherein the telemetry report includes at least one of a hash of the file, attributes of the file, metadata of the file, and a unique identifier of the file.
  - 7. The method of claim 1, wherein the file is identified as a telemetry candidate at a computer having a plurality of users, wherein each of the plurality of users has an associated user access level.
  - 8. The method of claim 7, further comprising:
    - determining that a user access level associated with a particular user of the computer allows access to the file;
      
      prompting the particular user for permission to send the file to the server; and
      
      receiving permission from the particular user to send the file to the server.
  - 9. The method of claim 8, wherein the user access level that allows access to the file is an administrator access level.
  - 10. The method of claim 7, further comprising:
    - determining that a user access level associated with a particular user does not allow access to the file;
      
      prompting the particular user to elevate the user access level to an elevated user access level that allows access to the file;
      
      determining that the particular user has elevated the user access level to the elevated user access level;
      
      prompting the particular user for permission to send the file to the server; and
      
      receiving permission from the particular user to send the file to the server.
  - 11. The method of claim 10, wherein the user access level that does not allow access to the file is a non-administrator access level.
  - 12. The method of claim 10, wherein the elevated user access level that allows access to the file is an administrator access level.
  - 13. The method of claim 1, wherein sending the offer to the server and receiving the response to the offer from the server occur without user notification.
  - 14. The method of claim 1, wherein the file is scanned during one of:
    - prior to downloading the file by a web browser, a low-usage time, prior to opening the file, prior to storing the file, and after a user-initiated scan of the file.

15. A computer-readable medium comprising instructions, that when executed by a computer, cause the computer to:
- scan a file on the computer, wherein the file is not a known malware file, wherein the file is scanned by an anti-malware engine on the computer, and wherein the anti-malware engine has access to definition files that are updateable independently of updating the anti-malware engine;
  
  determine that the file is a telemetry candidate based on an attribute within the definition files;
  
  send an offer to send a sample of the file to a server without user notification, wherein the offer comprises a telemetry report related to the file;
  
  receive a response to the offer from the server; and
  
  send the sample of the file to the server when the response indicates an acceptance of the offer.
- View Dependent Claims (16)
- - 16. The computer-readable medium of claim 15, further comprising instructions, that when executed by a computer, cause the computer to:
    - scan a second file on the computer by the anti-malware engine;
      
      determine that the second file is a telemetry candidate;
      
      send a second offer to send a second sample of the second file to the server; and
      
      receive a second response to the second offer from the server, wherein the second sample of the second file is not sent to the server when the second response indicates a rejection of the offer.

17. A method comprising:
- sending telemetry data identification files to a plurality of user computers, wherein the telemetry data identification files include at least one attribute to be used for telemetry collection by an anti-malware engine;
  
  receiving an offer of telemetry data from a particular user computer of the plurality of user computers related to a file on the particular user computer, wherein the file is identified by the anti-malware engine at the particular user computer based on a match between the file and the at least one attribute;
  
  determining that a sample of the file has not previously been obtained from the particular user computer;
  
  indicating an acceptance of the offer of telemetry data; and
  
  receiving telemetry data comprising a sample of the file from the particular user computer.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the telemetry data identification files comprise definition files.
  - 19. The method of claim 17, wherein the telemetry data identification files and the anti-malware engine are updateable independently of each other.
  - 20. The method of claim 17, wherein the file is not malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kumar, Ajith, Hussain, Ahmed S., Faulhaber, Joseph L., Chakraborty, Santanu, Reasor, Sterling M., Loh, Alvin, Sandu, Catalin D.

Granted Patent

US 9,208,315 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/564 by virus signature recognition

IDENTIFICATION OF TELEMETRY DATA

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

IDENTIFICATION OF TELEMETRY DATA

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others