COMPUTER PROTECTION AGAINST MALWARE AFFECTION

US 20150332047A1
Filed: 07/23/2015
Published: 11/19/2015
Est. Priority Date: 01/20/2005
Status: Active Grant

First Claim

Patent Images

1. A method of preventing malware from being written, by a process, to a permanent or persistent data storage of a computer, the method comprising:

providing a filter module in an operating system of the computer, wherein the filter module is arranged to operate between the process and a driver associated with the data storage, and wherein the filter module is further arranged to, prior to storing data in a file in the data storage;

detect an attempt by the process to store the data in the file in the data storage by intercepting a write access request originating from the process and intended for the driver associated with the data storage;

check if a file name of the file to be created associated with the write access request is part of a blocking list;

if the file name does not match a name in the blocking list, the filter module is further arranged to;

check whether the data to be stored in the data storage via the detected attempt is an executable data format or a non-executable data format by inspecting the write access request to determine if the write access request includes a portion of a file header associated with executable data;

if the write access request includes a portion of a file header associated with executable data, the filter module is further arranged to;

prevent the storage of the data in the file in the data storage and return an indication that the request is denied;

thereby blocking an unauthorized attempt to write data to the data storage that could potentially constitute malware without having to examine or screen the data content, and thereby preventing malware from propagating at its propagation phase by preventing execution code of the data from being saved to the data storage.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided of protecting a computer against malware affection. The computer has a data storage and an operating system for managing the data storage. The method comprises providing a filter module in the operating system which operates to detect an attempt to store data in the data storage, to determine a data format of the data to be stored in the data storage, and to prevent storage of the data if the data format is determined to relate to a predefined type. The filter module may be provided as a file system filter driver in a kernel of the operating system. The filter module may be arranged to operate between an input/output manager of the operating system and a driver associated with the data storage. The input/output manager and driver associated with the data storage may form part of the kernel of the operating system.

33 Citations

View as Search Results

16 Claims

1. A method of preventing malware from being written, by a process, to a permanent or persistent data storage of a computer, the method comprising:
- providing a filter module in an operating system of the computer, wherein the filter module is arranged to operate between the process and a driver associated with the data storage, and wherein the filter module is further arranged to, prior to storing data in a file in the data storage;
  
  detect an attempt by the process to store the data in the file in the data storage by intercepting a write access request originating from the process and intended for the driver associated with the data storage;
  
  check if a file name of the file to be created associated with the write access request is part of a blocking list;
  
  if the file name does not match a name in the blocking list, the filter module is further arranged to;
  
  check whether the data to be stored in the data storage via the detected attempt is an executable data format or a non-executable data format by inspecting the write access request to determine if the write access request includes a portion of a file header associated with executable data;
  
  if the write access request includes a portion of a file header associated with executable data, the filter module is further arranged to;
  
  prevent the storage of the data in the file in the data storage and return an indication that the request is denied;
  
  thereby blocking an unauthorized attempt to write data to the data storage that could potentially constitute malware without having to examine or screen the data content, and thereby preventing malware from propagating at its propagation phase by preventing execution code of the data from being saved to the data storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the process is an application or system process.
  - 3. The method of claim 1, wherein the filter module is arranged to operate between an input/output management function of the operating system and a driver associated with the data storage, wherein the input/output management function is arranged to operate between the process and the driver associated with the data storage.
  - 4. The method of claim 3, wherein the indication that the request is denied is returned to the input/output management function.
  - 5. The method of claim 1, comprising providing an administration application to enable the user to turn off the blocking, in order to allow the user to install software or perform other routine maintenance.
  - 6. The method of claim 1, wherein the filter module is provided as a file system filter driver in a kernel of the operating system.
  - 7. The method of claim 3, wherein the input/output management function and driver associated with the data storage form part of a kernel of the operating system.
  - 8. A computer program embodied in a non-transitory computer-readable medium which, when run on a computer, causes the computer to carry out a method as claimed in claim 1.

9. A computer comprising a permanent or persistent data storage, an operating system for managing the data storage, and a filter module provided in the operating system for thwarting malware at its propagation phase to protect the computer against malware infection, the filter module being arranged to operate between a process and a driver associated with the data storage, and wherein the filter module is further arranged to, prior to storing data in a file in the data storage:
- detect an attempt by the process to store the data in the file in the data storage by intercepting a write access request originating from the process and intended for the driver associated with the data storage;
  
  check if a file name of the file to be created associated with the write access request is part of a blocking list;
  
  if the file name does not match a name in the blocking list, the filter module is further arranged to;
  
  check whether the data to be stored in the data storage via the detected attempt is an executable data format or a non-executable data format by inspecting the write access request to determine if the write access request includes a portion of a file header associated with executable data;
  
  if the write access request includes a portion of a file header associated with executable data, the filter module is further arranged to;
  
  prevent the storage of the data in the file in the data storage and return an indication that the request is denied;
  
  thereby blocking an unauthorized attempt to write data to the data storage that could potentially constitute malware without having to examine or screen the data content, and thereby preventing malware from propagating at its propagation phase by preventing execution code of the data from being saved to the data storage.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A computer program embodied in a non-transitory computer-readable medium which, when loaded into a computer, causes the computer to become one as claimed in claim 9.
  - 11. The computer of claim 9 wherein the process is an application or system process.
  - 12. The computer of claim 9, wherein the filter module is arranged to operate between an input/output management function of the operating system and a driver associated with the data storage, wherein the input/output management function is arranged to operate between the process and the driver associated with the data storage.
  - 13. The computer of claim 14, wherein the indication that the request is denied is returned to the input/output management function.
  - 14. The computer of claim 9, comprising providing an administration application to enable the user to turn off the blocking, in order to allow the user to install software or perform other routine maintenance.
  - 15. The computer of claim 9, wherein the filter module is provided as a file system filter driver in a kernel of the operating system.
  - 16. The computer of claim 12, wherein the input/output management function and driver associated with the data storage form part of a kernel of the operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
William Grant Rothwell
Original Assignee
William Grant Rothwell
Inventors
ROTHWELL, William Grant

Granted Patent

US 9,760,715 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/034   Test or assess a computer o...

COMPUTER PROTECTION AGAINST MALWARE AFFECTION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

COMPUTER PROTECTION AGAINST MALWARE AFFECTION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others