Method and Apparatus for Retroactively Detecting Malicious or Otherwise Undesirable Software As Well As Clean Software Through Intelligent Rescanning

US 20140165203A1
Filed: 07/15/2013
Published: 06/12/2014
Est. Priority Date: 07/13/2012
Status: Active Grant

First Claim

Patent Images

1. A system for intelligently rescanning files previously identified as having a benign or malicious disposition, comprising a client component and a server component which are capable of communicating with each other either directly or indirectly;

wherein the client is configured to extract meta-data from files of interest, including files that have previously been assigned a benign disposition and files that have previously been assigned a malicious disposition, and to provide the server with an identification of said files of interest as well as said meta-data for each of said files of interest, and wherein the server is configured to log said files of interest and associated meta-data, and wherein the server is configured to periodically scan file logs to identify files whose characteristics may be indicative of a disposition change; and

wherein files whose characteristics may be indicative of a disposition change are identified for rescanning against the most current intelligence the server has for identifying updated file dispositions.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that tries to optimize performance and efficacy. Accordingly we present novel methods, components, and systems for intelligently rescanning file collections and thereby enabling retroactive detection of malicious software and also retroactive identification of clean software. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file'"'"'s core disposition might not have changed. More specifically, we describe methods, components, and systems that perform data analytics to intelligently rescan file collections for the purpose of retroactively identifying malware and retroactively identifying clean files. The disclosed invention provides a significant improvement with regard to efficacy and performance compared to previous approaches.

101 Citations

View as Search Results

14 Claims

1. A system for intelligently rescanning files previously identified as having a benign or malicious disposition, comprising a client component and a server component which are capable of communicating with each other either directly or indirectly;
- wherein the client is configured to extract meta-data from files of interest, including files that have previously been assigned a benign disposition and files that have previously been assigned a malicious disposition, and to provide the server with an identification of said files of interest as well as said meta-data for each of said files of interest, and wherein the server is configured to log said files of interest and associated meta-data, and wherein the server is configured to periodically scan file logs to identify files whose characteristics may be indicative of a disposition change; and
  
  wherein files whose characteristics may be indicative of a disposition change are identified for rescanning against the most current intelligence the server has for identifying updated file dispositions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A system according to claim 1, in which the server component is configured to communicate with the client component if a file that had been previously assigned a malicious or benign disposition is determined upon rescanning, but which rescanning determines that said file should be assigned a different disposition, and wherein said server component is configured to update its database of known malicious and benign applications.
  - 3. A system according to claim 1, in which the server component is configured to communicate with the client component if a file that had been previously assigned a malicious or benign disposition, and which rescanning determines that there is now additional intelligence about the file, and wherein said server component is configured to update its database of information pertaining to known malicious and known benign applications.
  - 4. A system according to claim 3 wherein the additional intelligence comprises one or more of the following:
    - an updated threat name for the file, an updated classification about how to categorize the file, updated information about what the file does, when executed, on different systems.
  - 5. A system according to claim 1, wherein extracted metadata is first used to make an immediate disposition and is subsequently used to determine whether a file is a good candidate for subsequent rescanning and is later used to simplify the process of rescanning.
  - 6. A system according to claim 1, wherein said server component comprises a logging component configured to receive data from a meta-data extraction component, said logging component configured to log said data as well as transactional information relating to said data, and wherein said logging component maintains a record of what software applications reside on what end user systems.
  - 7. A system according to claim 1, wherein said server component comprises an intelligent filtering component configured to examine metadata gathered on a plurality of files from a plurality of devices on which these files reside and identifies a subset of these files that are suitable candidates for rescanning.
  - 8. A system according to claim 7, wherein file characteristics used to determine whether a file is a suitable candidate for rescanning includes whether the file was accessed shortly after one or more known malicious or known clean files were accessed.
  - 9. A system according to claim 7, wherein file characteristics used to determine whether a file is a suitable candidate for rescanning includes whether a parent process that created a file is determined to be malicious.
  - 10. A system according to claim 7, wherein file characteristics used to determine whether a file is a suitable candidate for rescanning includes whether a parent process that created a file is determined to benign.
  - 11. A system according to claim 7, wherein file characteristics used to determine whether a file is a suitable candidate for rescanning includes whether the file was detected as a threat on a system in a way that might have been specific to that system.
  - 12. A system according to claim 7, wherein file characteristics used to determine whether a file is a suitable candidate for rescanning includes whether there is system-level behavior that is indicative of malicious software running on the system.
  - 13. A system according to claim 7, wherein file characteristics used to determine whether a file is a suitable candidate for rescanning includes whether the file'"'"'s prevalence among multiple users exceeds a pre-defined threshold.

14. A non-transitory computer readable medium containing computer readable instructions extracting meta-data from client files of interest, including files that have previously been assigned a benign disposition and files that have previously been assigned a malicious disposition, providing a server with an identification of said files of interest as well as said meta-data for each of said files of interest, and log said files of interest and associated meta-data on said server, and periodically scanning file logs to identify files whose characteristics may be indicative of a disposition change;
- and rescanning identified files by the server against the most current intelligence the server has for identifying updated file dispositions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
FRIEDRICHS, Oliver, HUGER, Alfred, RAMZAN, Zulfikar

Granted Patent

US 9,245,120 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/2358   Change logging, detection, ...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 2221/033   Test or assess software

Method and Apparatus for Retroactively Detecting Malicious or Otherwise Undesirable Software As Well As Clean Software Through Intelligent Rescanning

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Retroactively Detecting Malicious or Otherwise Undesirable Software As Well As Clean Software Through Intelligent Rescanning

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links