Protecting Computer Systems From Malicious Software

US 20110225649A1
Filed: 03/11/2010
Published: 09/15/2011
Est. Priority Date: 03/11/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method for determining whether newly installed software is malicious software, the method comprising:

installing software on a computer system to produce newly installed software running in a secured part of the computer system, wherein the newly installed software is only permitted to access a subset of resources in the computer system when running in the secured part;

running the newly installed software on the computer system until a selected event occurs;

monitoring the newly installed software running on the computer system until the selected event occurs, wherein the monitoring creates information used to evaluate the software for malicious behavior; and

presenting the information on a display to a user after the selected event has occurred, wherein the presented information comprises a recommendation of whether to provide the software access to the resources in the computer system outside the subset of resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer program product, and apparatus for determining whether newly installed software is malicious software are presented. In one illustrative embodiment, software is installed on a computer system to produce newly installed software running in a secured part of the computer system. The newly installed software is only permitted to access a subset of resources in the computer system when running in the secured part. The newly installed software is run on the computer system until a selected event occurs. The newly installed software running on the computer system is monitored until the selected event occurs. The monitoring creates information used to evaluate the software for malicious behavior. The information is presented on a display to a user after the selected event has occurred, wherein the presented information comprises a recommendation of whether to provide the software access to the resources in the computer system outside the subset of resources.

28 Citations

View as Search Results

20 Claims

1. A method for determining whether newly installed software is malicious software, the method comprising:
- installing software on a computer system to produce newly installed software running in a secured part of the computer system, wherein the newly installed software is only permitted to access a subset of resources in the computer system when running in the secured part;
  
  running the newly installed software on the computer system until a selected event occurs;
  
  monitoring the newly installed software running on the computer system until the selected event occurs, wherein the monitoring creates information used to evaluate the software for malicious behavior; and
  
  presenting the information on a display to a user after the selected event has occurred, wherein the presented information comprises a recommendation of whether to provide the software access to the resources in the computer system outside the subset of resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - responsive to receiving a user input, providing the newly installed software access to other resources in the computer system in addition to the subset of resources.
  - 3. The method of claim 1 further comprising:
    - transmitting an identifier for the newly installed software to a service; and
      
      receiving, from the service, the recommendation on whether to provide the software access to the resources in the computer system outside the subset of resources.
  - 4. The method of claim 1, wherein the step of presenting the information after the selected event has occurred comprises:
    - presenting use statistics for the subset of resources by the newly installed software after the selected event occurs.
  - 5. The method of claim 1, wherein the information comprises at least one of a file access by the newly installed software, a registry access by the newly installed software, processor unit use by the newly installed software, memory use by the newly installed software, network use by the newly installed software, how frequently the newly installed software has been started by a user, a user interaction frequency with the newly installed software, whether the newly installed software is started during an operating system startup phase, and how often the newly installed software runs in a background mode.
  - 6. The method of claim 1, wherein the subset of resources comprises virtualized disk space and a virtualized registry.
  - 7. The method of claim 1, wherein the resources are first resources, and further comprising:
    - responsive to the newly installed software requesting access to second resources that are not in the subset of the resources, presenting a list of the second resources and waiting for a user input;
      
      responsive to the user input indicating that the access is permitted, allowing the access to the second resources.
  - 8. The method of claim 1, wherein the selected event is selected from one of an expiration of a period of time, a number of operations, and a number of startups of the newly installed software.

9. A computer program product comprising:
- a computer readable storage medium;
  
  program code, stored on the computer readable storage medium, for installing software on a computer system to produce newly installed software running in a secured part of the computer system, wherein the newly installed software is only permitted to access a subset of resources in the computer system when running in the secured part;
  
  program code, stored on the computer readable storage medium, for running the newly installed software on the computer system until a selected event occurs;
  
  program code, stored on the computer readable storage medium, for monitoring the newly installed software running on the computer system until the selected event occurs for information used to evaluate the software, wherein the monitoring creates information used to evaluate the software for malicious behavior; and
  
  program code, stored on the computer readable storage medium, for presenting the information on a display to a user after the selected event has occurred, wherein the presented information comprises a recommendation of whether to provide the software access to the resources in the computer system outside the subset of resources.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9 further comprising:
    - program code, stored on the computer readable storage medium, for, responsive to receiving a user input, providing the newly installed software access to other resources in the computer system in addition to the subset of resources.
  - 11. The computer program product of claim 9 further comprising:
    - transmitting an identifier for the newly installed software to a service; and
      
      receiving, from the service, the recommendation on whether to provide the software access to the resources in the computer system outside the subset of resources.
  - 12. The computer program product of claim 9, wherein the program code for presenting the information after the selected event has occurred comprises:
    - program code, stored on the computer readable storage medium, for presenting use statistics for the subset of resources by the newly installed software after the selected event occurs.
  - 13. The computer program product of claim 9, wherein the information comprises at least one of a file access by the newly installed software, a registry access by the newly installed software, processor unit use by the newly installed software, memory use by the newly installed software, network use by the newly installed software, how frequently the newly installed software has been started by a user, a user interaction frequency with the newly installed software, whether the newly installed software is started during an operating system startup phase, and how often the newly installed software runs in a background mode.
  - 14. The computer program product of claim 9, wherein the subset of resources comprises virtualized disk space and a virtualized registry.
  - 15. The computer program product of claim 9, wherein the resources are first resources, and further comprising:
    - program code, stored on the computer readable storage medium, for, responsive to the newly installed software requesting access to second resources that are not in the subset of the resources, presenting a list of the second resources and waiting for a user input;
      
      program code, stored on the computer readable storage medium, for, responsive to the user input indicating that the access is permitted, allowing the access to the second resources.
  - 16. The computer program product of claim 9, wherein the selected event is selected from one of an expiration of a period of time, a number of operations, and a number of startups of the newly installed software.

17. An apparatus comprising:
- a bus;
  
  a memory connected to the bus; and
  
  a processor unit connected to the bus, wherein the processor unit is configured to install software on a computer system to produce newly installed software running in a secured part of the computer system, wherein the newly installed software is only permitted to access a subset of resources in the computer system when running in the secured part;
  
  run the newly installed software on the computer system until a selected event occurs;
  
  monitor the newly installed software running on the computer system until the selected event occurs, wherein the monitoring creates information used to evaluate the software for malicious behavior; and
  
  present the information on a display to a user after the selected event has occurred, wherein the presented information comprises a recommendation of whether to provide the software access to the resources in the computer system outside the subset of resources.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, wherein the processor unit is further configured to provide the newly installed software access to other resources in the computer system in addition to the subset of resources responsive to receiving a user input.
  - 19. The apparatus of claim 17, wherein the processor unit is further configured to transmit an identifier for the newly installed software to a service;
    - and receive, from the service, the recommendation on whether to provide the software access to the resources in the computer system outside the subset of resources.
  - 20. The apparatus of claim 17, wherein the processor unit being configured to present the information after the selected event has occurred further comprises the processor unit being configured to present use statistics for the subset of resources by the newly installed software after the selected event occurs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Peterson, Robert R., Bhogal, Kulvir S., DeLuca, Lisa Seacat

Application Number

US12/721,818
Publication Number

US 20110225649A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/53 by executing in a restricte...

Protecting Computer Systems From Malicious Software

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting Computer Systems From Malicious Software

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links