SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER LOADING AND UNLOADING

US 20120255002A1
Filed: 03/31/2011
Published: 10/04/2012
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system for protecting an electronic device against malware, comprising:

a memory;

an operating system configured to execute on the electronic device;

a below-operating-system security agent configured to;

trap an attempted access of one or more resources of the operating system, the attempted access comprising an attempted loading or unloading of a driver in the operating system;

access one or more security rules to determine whether the attempted access is indicative of malware; and

operate at a level below all of the operating systems of the electronic device accessing the one or more resources.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of one or more resources of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, operate at a level below all of the operating systems of the electronic device accessing the one or more resources. The attempted access includes an attempted loading or unloading of a driver in the operating system.

72 Citations

View as Search Results

21 Claims

1. A system for protecting an electronic device against malware, comprising:
- a memory;
  
  an operating system configured to execute on the electronic device;
  
  a below-operating-system security agent configured to;
  
  trap an attempted access of one or more resources of the operating system, the attempted access comprising an attempted loading or unloading of a driver in the operating system;
  
  access one or more security rules to determine whether the attempted access is indicative of malware; and
  
  operate at a level below all of the operating systems of the electronic device accessing the one or more resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the attempted access is trapped by trapping an attempted execution of a system function for loading or unloading the driver.
  - 3. The system of claim 1, wherein the attempted access is trapped by trapping an attempted execution of a subfunction of system function for loading or unloading the driver, the system function provided by the operating system.
  - 4. The system of claim 1, wherein determining whether the attempted access is indicative of malware comprises determining the identity of the driver to be loaded.
  - 5. The system of claim 1, wherein determining whether the attempted access is indicative of malware comprises determining the entity that attempted to load or unload the driver.
  - 6. The system of claim 1, wherein the attempted access is trapped by trapping the execution of a physical memory address containing code for a system function for loading or unloading the driver.
  - 7. The system of claim 1, wherein the attempted access is trapped by trapping the execution of a memory page containing code for a system function for loading or unloading the driver.

8. A method for protecting an electronic device against malware, comprising:
- trapping an attempted access of one or more resources of an operating system, the attempted access comprising an attempted loading or unloading of a driver in the operating system; and
  
  accessing one or more security rules to determine whether the attempted access is indicative of malware;
  
  wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware are conducted at a level below all of the operating systems of the electronic device accessing the one or more resources.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the attempted access is trapped by trapping an attempted execution of a system function for loading or unloading the driver.
  - 10. The method of claim 8, wherein the attempted access is trapped by trapping an attempted execution of a subfunction of system function for loading or unloading the driver, the system function provided by the operating system.
  - 11. The method of claim 8, wherein determining whether the attempted access is indicative of malware comprises determining the identity of the driver to be loaded.
  - 12. The method of claim 8, wherein determining whether the attempted access is indicative of malware comprises determining the entity that attempted to load or unload the driver.
  - 13. The method of claim 8, wherein the attempted access is trapped by trapping the execution of a physical memory address containing code for a system function for loading or unloading the driver.
  - 14. The method of claim 8, wherein the attempted access is trapped by trapping the execution of a memory page containing code for a system function for loading or unloading the driver.

15. An article of manufacture, comprising:
- a computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  trap an attempted access of one or more resources of an operating system, the attempted access comprising an attempted loading or unloading of a driver in the operating system; and
  
  access one or more security rules to determine whether the attempted access is indicative of malware;
  
  wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware are conducted at a level below all of the operating systems of the electronic device accessing the one or more resources.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The article of claim 15, wherein configuring the processor to trap the attempted access comprises configuring the processor to trap an attempted execution of a system function for loading or unloading the driver.
  - 17. The article of claim 15, wherein configuring the processor to trap the attempted access comprises configuring the processor to trap an attempted execution of a subfunction of a system function for loading or unloading the driver, the system function provided by the operating system.
  - 18. The article of claim 15, wherein configuring the processor to determine whether the attempted access is indicative of malware comprises configuring the processor to determine the identity of the driver to be loaded.
  - 19. The article of claim 15, wherein configuring the processor to determine whether the attempted access is indicative of malware comprises configuring the processor to determine the entity that attempted to load or unload the driver.
  - 20. The article of claim 15, wherein configuring the processor to trap the attempted access comprises configuring the processor to trap the attempted execution of a physical memory address containing code for a system function for loading or unloading the driver.
  - 21. The article of claim 15, wherein configuring the processor to trap the attempted access comprises configuring the processor to trap the attempted execution of a memory page containing code for a system function for loading or unloading the driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said

Granted Patent

US 8,966,629 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER LOADING AND UNLOADING

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER LOADING AND UNLOADING

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links