METHODS AND APPARATUS FOR DEALING WITH MALWARE
First Claim
1. A method of classifying a computer object as malware, the method comprising:
- at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored, wherein said data includes information about events initiated by or involving the object when the object is created, configured or runs on the respective remote computers, said information including at least the identity of the object initiating the event, the event type, and the identity of the object or other entity on which the event is being performed;
- storing at the base computer said data received from plural remote computers;
- comparing in the base computer the data about the computer object received from the plural computers to identify relationships between the object and other objects or entities; and
- classifying the computer object as malware on the basis of said comparison.
Abstract
In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object; the size of the object; the name of the object; the logical storage location or path of the object on the respective remote computers; the vendor of the object; the software product and version associated with the object; and, events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.
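The claim and abstract describe a three-stage pipeline: remote computers report per-event records (initiating object, event type, target object or entity), a base computer stores all of them, and it then compares the reports across hosts to find relationships before classifying. The following added example, written for this page and not taken from the patent or any product implementing it, models that flow in Python. The object names, host names and event records are constructed sample data, and the classification rule (an object is classified as malware when a relationship with an already known-bad object is corroborated by at least `min_hosts` distinct remote computers) is an assumed policy chosen for illustration, since the claim itself only says "on the basis of said comparison".

```python
"""Toy "base computer" that aggregates per-host event telemetry and classifies objects.

Added illustration of the claimed data flow; not the patent's own implementation.
Object identities are constructed labels, and the classification rule (association
with a known-bad object corroborated by at least `min_hosts` distinct remote
computers) is an assumed policy, not something the claim specifies.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One event record as a remote computer would report it (the claim's minimum fields)."""
    host: str        # which remote computer observed the event
    initiator: str   # identity of the object that initiated the event
    event_type: str  # e.g. "create_file", "execute", "set_registry"
    target: str      # identity of the object or other entity acted upon


# (direction relative to the queried object, event type, the other object/entity)
Relation = Tuple[str, str, str]


class BaseComputer:
    def __init__(self, known_malware: Iterable[str], min_hosts: int = 2) -> None:
        self.known_malware: Set[str] = set(known_malware)
        self.min_hosts = min_hosts
        self.events: List[Event] = []  # stored data received from all remote computers

    def receive(self, events: Iterable[Event]) -> None:
        """Receiving and storing step: keep every report, tagged with its source host."""
        self.events.extend(events)

    def relationships(self, obj: str) -> Dict[Relation, Set[str]]:
        """Comparison step: collect, across hosts, every relationship obj participates in.

        Returns {(direction, event_type, other): {hosts that reported it}} so the
        caller can see how many independent computers corroborate each relationship.
        """
        rel: Dict[Relation, Set[str]] = defaultdict(set)
        for e in self.events:
            if e.initiator == obj:
                rel[("initiates", e.event_type, e.target)].add(e.host)
            if e.target == obj:
                rel[("receives", e.event_type, e.initiator)].add(e.host)
        return dict(rel)

    def classify(self, obj: str) -> str:
        """Classification step under the assumed association policy (see module docstring)."""
        if obj in self.known_malware:
            return "malware"
        for (_direction, _event_type, other), hosts in self.relationships(obj).items():
            # Require corroboration from several hosts so a single noisy report
            # cannot by itself drive a malware verdict.
            if other in self.known_malware and len(hosts) >= self.min_hosts:
                return "malware"
        return "unknown"


# Constructed sample telemetry from three remote computers. "dropper" is on the
# (constructed) known-malware list; "payload" is only ever seen being created by it.
SAMPLE_EVENTS = [
    Event("host-A", "dropper", "create_file", "payload"),
    Event("host-A", "payload", "set_registry", "autorun_registry_key"),
    Event("host-B", "dropper", "create_file", "payload"),
    Event("host-B", "payload", "open_network_connection", "remote_endpoint"),
    Event("host-C", "installer", "create_file", "editor"),
    Event("host-C", "editor", "create_file", "notes.txt"),
]


def build_base(min_hosts: int = 2) -> BaseComputer:
    """Assemble a base computer that has received the constructed sample reports."""
    base = BaseComputer(known_malware={"dropper"}, min_hosts=min_hosts)
    base.receive(SAMPLE_EVENTS)
    return base


if __name__ == "__main__":
    base = build_base()
    for obj in ("payload", "editor"):
        print(obj, "->", base.classify(obj))
        for rel, hosts in sorted(base.relationships(obj).items()):
            print("   ", rel, "seen on", sorted(hosts))
```

Raising `min_hosts` to 3 leaves "payload" classified as "unknown", because only two remote computers reported the relationship with "dropper"; this is the knob that trades detection latency against the risk of a verdict driven by a single host's report.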
Claims (29)
1. Method claim, as set out in full under "First Claim" above. Dependent claims: 2 to 14 and 29.
15. Apparatus for classifying a computer object as malware, the apparatus comprising:
- a base computer constructed and arranged to receive data about a computer object from each of plural remote computers on which the object or similar objects are stored, wherein said data includes information about events initiated by or involving the object when the object is created, configured or runs on the respective remote computers, said information including at least the identity of the object initiating the event, the event type, and the identity of the object or other entity on which the event is being performed;
- the base computer being constructed and arranged to compare the data about the computer object received from said plural computers to identify relationships between the object and other objects or entities; and
- the base computer being constructed and arranged to classify the computer object as malware on the basis of said comparison.
Dependent claims: 16 to 28.