SYSTEMS AND METHODS FOR LOOKING UP ANTI-MALWARE METADATA

US 20120240229A1
Filed: 03/15/2011
Published: 09/20/2012
Est. Priority Date: 03/15/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for looking up anti-malware metadata, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a plurality of executable objects to be scanned for malware before execution;

for each executable object within the plurality of executable objects, assessing an imminence of execution of the executable object;

prioritizing, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects;

retrieving anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for looking up anti-malware metadata may include identifying a plurality of executable objects to be scanned for malware before execution. The computer-implemented method may also include, for each executable object within the plurality of executable objects, assessing an imminence of execution of the executable object. The computer-implemented method may further include prioritizing, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects. The computer-implemented method may additionally include retrieving anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order. Various other methods, systems, and computer-readable media are also disclosed.

36 Citations

View as Search Results

20 Claims

1. A computer-implemented method for looking up anti-malware metadata, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a plurality of executable objects to be scanned for malware before execution;
  
  for each executable object within the plurality of executable objects, assessing an imminence of execution of the executable object;
  
  prioritizing, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects;
  
  retrieving anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, wherein identifying the plurality of executable objects comprises using system configuration information to identify a set of automatically launched executable objects, the system configuration information indicating when each automatically launched executable object in the set of automatically launched executable objects is likely to launch.
  - 3. The computer-implemented method of claim 2, wherein identifying the set of automatically launched executable objects comprises identifying at least one executable object configured to launch during an operating system boot process.
  - 4. The computer-implemented method of claim 2, wherein identifying the set of automatically launched executable objects comprises identifying at least one of:
    - a service;
      
      a driver;
      
      an executable object configured to execute upon login;
      
      an executable object configured to execute according to a task scheduler.
  - 5. The computer-implemented method of claim 1, wherein identifying the plurality of executable objects comprises identifying a set of executable objects likely to be launched by a user.
  - 6. The computer-implemented method of claim 5, wherein identifying the set of executable objects likely to be launched by the user comprises identifying at least one of:
    - an executable object on a desktop belonging to the user;
      
      an executable object in a download folder belonging to the user.
  - 7. The computer-implemented method of claim 1, wherein identifying the plurality of executable objects comprises:
    - identifying a first executable object within the plurality of executable objects;
      
      identifying dependency information that indicates that the first executable object depends upon a second executable object;
      
      including the second executable object in the plurality of executable objects.
  - 8. The computer-implemented method of claim 1, wherein identifying the plurality of executable objects comprises:
    - identifying a first executable object within the plurality of executable objects;
      
      identifying a second executable object that operates as an extension to the first executable object.
  - 9. The computer-implemented method of claim 1, wherein identifying the plurality of executable objects comprises identifying at least one of:
    - an executable object launched for execution;
      
      an executable object in execution.
  - 10. The computer-implemented method of claim 1, wherein prioritizing the retrieval order comprises receiving, from a remote computing system, prioritization information for retrieving anti-malware metadata relating to at least one executable object within the plurality of executable objects.
  - 11. The computer-implemented method of claim 1, wherein assessing the imminence of execution of the executable object comprises:
    - identifying a creation time of the executable object;
      
      increasing an expectation of imminent execution of the executable object monotonically with a distance between the creation time and the present time.
  - 12. The computer-implemented method of claim 1, wherein retrieving the anti-malware metadata corresponding to the executable object comprises retrieving the anti-malware metadata in time to scan the executable object before an attempted launch of the executable object.
  - 13. The computer-implemented method of claim 1, wherein retrieving the anti-malware metadata comprises retrieving an anti-malware signature from a remote storage system.

14. A system for looking up anti-malware metadata, the system comprising:
- an identification module programmed to identify a plurality of executable objects to be scanned for malware before execution;
  
  a prediction module programmed to, for each executable object within the plurality of executable objects, assess an imminence of execution of the executable object;
  
  a prioritization module programmed to prioritize, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects;
  
  a retrieval module programmed to retrieve at least one anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order;
  
  at least one processor configured to execute the identification module, the prediction module, the prioritization module, and the retrieval module.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the identification module is programmed to identify the plurality of executable objects by using system configuration information to identify a set of automatically launched executable objects, the system configuration information indicating when each automatically launched executable object in the set of automatically launched executable objects is likely to launch.
  - 16. The system of claim 15, wherein the identification module is programmed to identify the set of automatically launched executable objects by identifying at least one executable object configured to launch during an operating system boot process.
  - 17. The system of claim 15, wherein the identification module is programmed to identify the set of automatically launched executable objects by identifying at least one of:
    - a service;
      
      a driver;
      
      an executable object configured to execute upon login;
      
      an executable object configured to execute according to a task scheduler.
  - 18. The system of claim 14, wherein the identification module is programmed to identify the plurality of executable objects by identifying a set of executable objects likely to be launched by a user.
  - 19. The system of claim 18, wherein the identification module is programmed to identify the set of executable objects likely to be launched by the user by identifying at least one of:
    - an executable object on a desktop belonging to the user;
      
      an executable object in a download folder belonging to the user.

20. A computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a plurality of executable objects to be scanned for malware before execution;
  
  for each executable object within the plurality of executable objects, assess an imminence of execution of the executable object;
  
  prioritize, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects;
  
  retrieve anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., Satish, Sourabh

Granted Patent

US 8,667,592 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

SYSTEMS AND METHODS FOR LOOKING UP ANTI-MALWARE METADATA

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR LOOKING UP ANTI-MALWARE METADATA

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links