PREVENTING AND RESPONDING TO DISABLING OF MALWARE PROTECTION SOFTWARE

US 20110093953A1
Filed: 10/20/2009
Published: 04/21/2011
Est. Priority Date: 10/20/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

monitoring, by a first computer, for attempts to disable a malware protection program;

in response to monitoring an attempt to disable the malware protection program;

identifying, by the first computer, a first process that generated the attempt to disable the malware protection program;

preventing, by the first computer, the first process from disabling the malware protection program;

determining, by the first computer, whether the first process is an approved process;

in response to determining that the first process is an approved process, providing, by the first computer, a user prompt to terminate the first process; and

in response to determining that the first process is not an approved process, performing, by the first computer, one or more protection processes on the first process.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for responding to an attempt to disable a malware protection program and performing an identification process and one or more protection processes to prevent the execution of potentially malicious code. In one aspect, a method includes monitoring for attempts to disable a malware protection program, identifying a process that generated an attempt to disable the malware protection program, determining whether the process is an approved process, and in response, performing one or more protection processes on the process so as to prevent the execution of potentially malicious code.

39 Citations

View as Search Results

17 Claims

1. A computer-implemented method, comprising:
- monitoring, by a first computer, for attempts to disable a malware protection program;
  
  in response to monitoring an attempt to disable the malware protection program;
  
  identifying, by the first computer, a first process that generated the attempt to disable the malware protection program;
  
  preventing, by the first computer, the first process from disabling the malware protection program;
  
  determining, by the first computer, whether the first process is an approved process;
  
  in response to determining that the first process is an approved process, providing, by the first computer, a user prompt to terminate the first process; and
  
  in response to determining that the first process is not an approved process, performing, by the first computer, one or more protection processes on the first process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein monitoring, by the first computer, for attempts to disable the malware protection program comprises monitoring for one or more of the following:
    - an attempt to stop a service of the malware protection program;
      
      an attempt to terminate a process of the malware protection program;
      
      an attempt to delete one or more files for the malware protection program;
      
      an attempt to delete one or more registry entries for the malware protection program; and
      
      an attempt to prevent an update for the malware protection program.
  - 3. The computer-implemented method of claim 1, wherein determining, by the first computer, whether the first process is an approved process comprises:
    - generating, by the first computer, data descriptive of the first process;
      
      sending, by the first computer, the data descriptive of the first process to a second computer;
      
      receiving, by the first computer, data indicative of whether the first process is an approved process from the second computer; and
      
      determining, by the first computer, in response to the data received from the second computer, whether the first process is an approved process.
  - 4. The computer-implemented method of claim 3, wherein data descriptive of the first process comprises a signature of the first process.
  - 5. The computer-implemented method of claim 1, wherein determining, by the first computer, whether the first process is an approved process comprises:
    - generating, by the first computer, data descriptive of the first process;
      
      comparing, by the first computer, the data descriptive of the first process with data descriptive of approved processes;
      
      determining, by the first computer, whether the first process is an approved process.
  - 6. The computer-implemented method of claim 5, wherein data descriptive of the first process comprises a signature of the first process.
  - 7. The computer-implemented method of claim 1, wherein the one or more protection processes comprise one or more of the following:
    - terminating, by the first computer, the first process;
      
      deleting, by the first computer, one or more files associated with the first process;
      
      renaming, by the first computer, one or more files associated with the first process;
      
      quarantining, by the first computer, one or more files associated with the first process; and
      
      sending, by the first computer, one or more files associated with the first process to a second computer for analysis.
  - 8. The computer-implemented method of claim 7, wherein, performing, by the first computer, one or more protection processes on the first process further comprises:
    - providing, by the first computer, a user prompt to perform the one or more protection processes;
      
      receiving, by the first computer, one or more selections of the one or more protection processes;
      
      performing, by the first computer, the one or more selected protection processes.
  - 9. The computer-implemented method of claim 1, wherein the steps of monitoring, identifying, preventing, determining, providing, and performing are performed by the malware protection program.

10. A computer storage medium encoded with a computer program, the program comprising instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
- monitoring for attempts to disable a malware protection program;
  
  in response to monitoring an attempt to disable the malware protection program;
  
  identifying a first process that generated the attempt to disable the malware protection program;
  
  preventing the first process from disabling the malware protection program;
  
  determining whether the first process is an approved process;
  
  in response to determining that the first process is an approved process, providing a user prompt to terminate the first process; and
  
  in response to determining that the first process is not an approved process, performing one or more protection processes on the first process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer storage medium of claim 10, comprising further instructions that cause the data processing apparatus to perform further operations comprising monitoring for one or more of the following:
    - an attempt to stop a service of the malware protection program;
      
      an attempt to terminate a process of the malware protection program;
      
      an attempt to delete one or more files for the malware protection program;
      
      an attempt to delete one or more registry entries for the malware protection program; and
      
      an attempt to prevent an update for the malware protection program.
  - 12. The computer storage medium of claim 10, comprising further instructions that cause the data processing apparatus to perform further operations comprising:
    - generating data descriptive of the first process;
      
      sending the data descriptive of the first process to a second computer;
      
      receiving data indicative of whether the first process is an approved process from the second computer; and
      
      determining, in response to the data received from the second computer, whether the first process is an approved process.
  - 13. The computer storage medium of claim 12, wherein data descriptive of the first process comprises a signature of the first process.
  - 14. The computer storage medium of claim 10, comprising further instructions that cause the data processing apparatus to perform further operations comprising:
    - generating data descriptive of the first process;
      
      comparing the data descriptive of the first process with data descriptive of approved processes;
      
      determining whether the first process is an approved process.
  - 15. The computer storage medium of claim 13, wherein data descriptive of the first process comprises a signature of the first process.
  - 16. The computer storage medium of claim 10, wherein the one or more protection measures comprise one or more of the following:
    - terminating the first process;
      
      deleting one or more files associated with the first process;
      
      renaming one or more files associated with the first process;
      
      quarantining one or more files associated with the first process; and
      
      sending one or more files associated with the first process to a second computer for analysis.
  - 17. The computer storage medium of claim 16 comprising further instructions that cause the data processing apparatus to perform further operations comprising:
    - providing a user prompt to perform the one or more protection processes;
      
      receiving one or more selections of the one or more protection processes;
      
      performing the one or more selected protection processes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ramchetty, Harinath Vishwanath, Ramabhatta, Anil Bhadrarajapura, Kishore, Nandi Dharma

Granted Patent

US 9,015,829 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/629   to features or functions of...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2147   Locking files

H04L 63/12   Applying verification of th...

PREVENTING AND RESPONDING TO DISABLING OF MALWARE PROTECTION SOFTWARE

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

PREVENTING AND RESPONDING TO DISABLING OF MALWARE PROTECTION SOFTWARE

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others