Method and Apparatus for Retroactively Detecting Malicious or Otherwise Undesirable Software As Well As Clean Software Through Intelligent Rescanning
First Claim
1. A system for intelligently rescanning files previously identified as having a benign or malicious disposition, comprising a client component and a server component which are capable of communicating with each other either directly or indirectly;
- wherein the client is configured to extract meta-data from files of interest, including files that have previously been assigned a benign disposition and files that have previously been assigned a malicious disposition, and to provide the server with an identification of said files of interest as well as said meta-data for each of said files of interest, and wherein the server is configured to log said files of interest and associated meta-data, and wherein the server is configured to periodically scan file logs to identify files whose characteristics may be indicative of a disposition change; and
- wherein files whose characteristics may be indicative of a disposition change are identified for rescanning against the most current intelligence the server has for identifying updated file dispositions.
3 Assignments
0 Petitions
Abstract
The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that tries to optimize performance and efficacy. Accordingly we present novel methods, components, and systems for intelligently rescanning file collections and thereby enabling retroactive detection of malicious software and also retroactive identification of clean software. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file's core disposition might not have changed. More specifically, we describe methods, components, and systems that perform data analytics to intelligently rescan file collections for the purpose of retroactively identifying malware and retroactively identifying clean files. The disclosed invention provides a significant improvement with regard to efficacy and performance compared to previous approaches.
101 Citations
14 Claims
14. A non-transitory computer readable medium containing computer readable instructions extracting meta-data from client files of interest, including files that have previously been assigned a benign disposition and files that have previously been assigned a malicious disposition, providing a server with an identification of said files of interest as well as said meta-data for each of said files of interest, and log said files of interest and associated meta-data on said server, and periodically scanning file logs to identify files whose characteristics may be indicative of a disposition change;
- and rescanning identified files by the server against the most current intelligence the server has for identifying updated file dispositions.
Specification