Rollback Feature
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for rolling back protection processes. In one aspect, a method includes determining that a file is a malicious file, storing a duplicate of the file in a quarantine area, performing one or more protection processes on the file, if the determination that the file is a malicious file is a false positive determination, restoring the file by a pre-boot rollback process to a state prior to the one or more protection processes performed on the file, and booting the computer with the restored file, and if the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file, and booting the computer.
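The flow in the abstract, sketched as an added example that is not code from the patent or from any product: a duplicate goes into quarantine before the protection process runs, and a rollback step restores only the files named in the false-positive data. The manifest format, the SHA-256 keying, deletion as the protection process, and all function and file names are assumptions, and the pre-boot phase is simulated as an ordinary function call.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def quarantine(target, qdir):
    """Duplicate the detected file into the quarantine area before it is touched."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256(target)
    shutil.copy2(target, qdir / digest)
    manifest = qdir / "manifest.json"  # assumed format: digest -> original path
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[digest] = str(target)
    manifest.write_text(json.dumps(entries))
    return digest

def protect(target):
    """Stand-in protection process (assumption): delete the detected file."""
    target.unlink()

def preboot_rollback(qdir, false_positive_digests):
    """Simulated pre-boot step: restore only detections reported as false positives."""
    entries = json.loads((qdir / "manifest.json").read_text())
    restored = []
    for digest, original_path in entries.items():
        if digest not in false_positive_digests:
            continue  # confirmed detection: not restored
        if sha256(qdir / digest) != digest:
            continue  # quarantine copy changed since capture: refuse to restore
        shutil.copy2(qdir / digest, original_path)
        restored.append(original_path)
    return restored

def demo():
    root = Path(tempfile.mkdtemp())
    qdir = root / "quarantine"
    benign, malicious = root / "driver.sys", root / "dropper.exe"  # constructed samples
    benign.write_bytes(b"constructed benign content")
    malicious.write_bytes(b"constructed malicious content")
    digests = [quarantine(f, qdir) for f in (benign, malicious)]
    for f in (benign, malicious):
        protect(f)
    # Constructed false-positive data: names only the benign file's digest.
    restored = preboot_rollback(qdir, {digests[0]})
    return restored == [str(benign)], benign.exists(), malicious.exists()
```

The integrity check before restore is an addition of this sketch: a quarantine copy whose hash no longer matches its manifest key is left in place rather than written back to its original path.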
17 Claims
1. A computer-implemented method, comprising:
determining, by a malware protection program executing on a computer, that a file stored in first portion of a computer memory of the computer is a malicious file;
storing a duplicate of the file in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory;
performing, by the malware protection program, one or more protection processes on the file;
determining whether the determination that the file is a malicious file is a false positive determination;
in response to determining that the determination that the file is a malicious file is a false positive determination;
restoring the file by a pre-boot rollback process executing on the computer during a boot sequence to a state prior to the one or more protection processes performed on the file; and
booting the computer with the restored file; and
in response to determining that the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer-implemented method, comprising:
storing a duplicate file in a quarantine area, the duplicate file being a copy of a candidate malicious file that was repaired by a malware protection program, wherein the candidate malicious file consists of one or more files that were identified by the malware protection program as containing malicious content;
performing, by the malware protection program, a protection process on the candidate malicious file, wherein the protection process results in modification of at least some portion of the candidate malicious file from a first portion of the computer memory;
receiving a false positive data, wherein the false positive data is used to determine whether to restore the candidate malicious file; and
in response to determining to restore the candidate malicious file, restoring, through a pre-boot scan during a boot sequence, the candidate malicious file to the first portion of the computer memory by replacing the candidate malicious file with the duplicate file from the quarantine area.
Dependent claims: 11, 12
13. A system, comprising:
a memory component configured to store data for a computer, the memory component including a first memory component and a second memory component, wherein the first memory component is logically separate from the second memory component;
a quarantine configured to store data for the computer in the first memory component;
malware protection program configured to identify a malicious file and perform a protection process on the malicious file; and
data processing apparatus configured to store a copy of the malicious file identified by the malware protection program in the quarantine, determine if a false positive determination has occurred; and
if it is determined that a false positive determination has occurred, restore the copy of the malicious file from the quarantine to the second part of the memory component.
Dependent claims: 14, 15, 16, 17
Specification