COMPUTER PROTECTION AGAINST MALWARE AFFECTION
First Claim
1. A method of preventing malware from being written, by a process, to a permanent or persistent data storage of a computer, the method comprising:
- providing a filter module in an operating system of the computer, wherein the filter module is arranged to operate between the process and a driver associated with the data storage, and wherein the filter module is further arranged to, prior to storing data in a file in the data storage;
detect an attempt by the process to store the data in the file in the data storage by intercepting a write access request originating from the process and intended for the driver associated with the data storage;
check if a file name of the file to be created associated with the write access request is part of a blocking list;
if the file name does not match a name in the blocking list, the filter module is further arranged to;
check whether the data to be stored in the data storage via the detected attempt is an executable data format or a non-executable data format by inspecting the write access request to determine if the write access request includes a portion of a file header associated with executable data;
if the write access request includes a portion of a file header associated with executable data, the filter module is further arranged to;
prevent the storage of the data in the file in the data storage and return an indication that the request is denied;
thereby blocking an unauthorized attempt to write data to the data storage that could potentially constitute malware without having to examine or screen the data content, and thereby preventing malware from propagating at its propagation phase by preventing execution code of the data from being saved to the data storage.
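The decision the claim describes (intercept the write, check the name against a blocking list, then look for an executable header and deny) is easy to get wrong if it is done one request at a time, because a writer can split the header across several requests or write it out of order. The following is an added user-space model of that decision, not the patent's code and not a driver (a real implementation would sit in a file system filter driver and inspect the write request's buffer and file offset). The magic values, the 4-byte header window, the blocking-list patterns and the sample paths are assumptions chosen for illustration.

```python
"""User-space model of the write-filter decision in claim 1.

Added illustration, not the patent's own code and not a kernel driver. The
magic values, the header window and the blocking-list patterns are assumptions.
"""
from dataclasses import dataclass
import fnmatch

# Assumed "file header associated with executable data": leading magic bytes of
# common executable containers. A deployment would tune this list.
EXEC_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (as stored on little-endian hosts)",
}
HEADER_WINDOW = max(len(m) for m in EXEC_MAGIC)  # only file offsets below this matter


@dataclass(frozen=True)
class WriteRequest:
    """The part of an intercepted write the filter needs: target, file offset, bytes."""
    path: str
    offset: int
    data: bytes


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def name_is_blocked(path: str, blocking_list) -> bool:
    """Claim step 2: match the file name (not the directory) against the blocking list."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in blocking_list)


class WriteFilter:
    """Orders the checks as the claim does: blocking list first, then header inspection.

    The header check is stateful per path so that a magic split across several
    writes ("M" then "Z", or written out of order) is still caught: the write that
    would complete a known magic at file offset 0 is the one that is denied.
    """

    def __init__(self, blocking_list):
        self.blocking_list = list(blocking_list)
        self._prefix = {}  # path -> {offset: byte} for offsets inside HEADER_WINDOW

    def forget(self, path: str) -> None:
        """Call on delete/truncate/create-overwrite so stale prefix bytes are dropped."""
        self._prefix.pop(path, None)

    def intercept(self, req: WriteRequest) -> Verdict:
        if name_is_blocked(req.path, self.blocking_list):
            return Verdict(False, "file name matches blocking list")

        # Merge the bytes of this write that land inside the header window with
        # what earlier allowed writes already placed there.
        known = dict(self._prefix.get(req.path, {}))
        for i, byte in enumerate(req.data):
            off = req.offset + i
            if off >= HEADER_WINDOW:
                break
            known[off] = byte

        fmt = self._completed_magic(known)
        if fmt is not None:
            # Deny and do not commit the merged state: the bytes never reach disk.
            return Verdict(False, f"write would complete a {fmt} header")

        self._prefix[req.path] = known
        return Verdict(True, "allowed")

    @staticmethod
    def _completed_magic(known):
        """Return the format whose full magic would be present at offset 0, else None."""
        for magic, fmt in EXEC_MAGIC.items():
            if all(known.get(i) == magic[i] for i in range(len(magic))):
                return fmt
        return None


if __name__ == "__main__":
    flt = WriteFilter(["*.scr", "autorun.inf"])  # constructed blocking list
    for req in (WriteRequest("C:/Users/u/a.dat", 0, b"M"),   # constructed sample
                WriteRequest("C:/Users/u/a.dat", 1, b"Z")):  # completes "MZ": denied
        print(req.offset, flt.intercept(req))
```

The per-path prefix state is what makes the header check meaningful: a stateless check of each request's buffer would miss a header written one byte at a time and would false-positive on the two bytes "MZ" appearing inside an ordinary document. The state must be reset (forget) when the file is truncated, deleted or recreated, and the check only covers formats that announce themselves in their first bytes; scripts, files renamed after writing, and code loaded directly into memory are outside what this filter sees, which matches the claim's scope of stopping execution code from reaching the disk without inspecting content.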
Abstract
A method is provided of protecting a computer against malware affection. The computer has a data storage and an operating system for managing the data storage. The method comprises providing a filter module in the operating system which operates to detect an attempt to store data in the data storage, to determine a data format of the data to be stored in the data storage, and to prevent storage of the data if the data format is determined to relate to a predefined type. The filter module may be provided as a file system filter driver in a kernel of the operating system. The filter module may be arranged to operate between an input/output manager of the operating system and a driver associated with the data storage. The input/output manager and driver associated with the data storage may form part of the kernel of the operating system.
33 Citations
16 Claims
1. Independent claim; reproduced in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer comprising a permanent or persistent data storage, an operating system for managing the data storage, and a filter module provided in the operating system for thwarting malware at its propagation phase to protect the computer against malware infection, the filter module being arranged to operate between a process and a driver associated with the data storage, and wherein the filter module is further arranged to, prior to storing data in a file in the data storage:
detect an attempt by the process to store the data in the file in the data storage by intercepting a write access request originating from the process and intended for the driver associated with the data storage;
check if a file name of the file to be created associated with the write access request is part of a blocking list;
if the file name does not match a name in the blocking list, the filter module is further arranged to:
check whether the data to be stored in the data storage via the detected attempt is an executable data format or a non-executable data format by inspecting the write access request to determine if the write access request includes a portion of a file header associated with executable data;
if the write access request includes a portion of a file header associated with executable data, the filter module is further arranged to:
prevent the storage of the data in the file in the data storage and return an indication that the request is denied;
thereby blocking an unauthorized attempt to write data to the data storage that could potentially constitute malware without having to examine or screen the data content, and thereby preventing malware from propagating at its propagation phase by preventing execution code of the data from being saved to the data storage.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
Specification