System and method for defending against malicious software

  • US 7,085,928 B1
  • Filed: 03/30/2001
  • Issued: 08/01/2006
  • Est. Priority Date: 03/31/2000
  • Status: Active Grant
First Claim

1. A method for preventing process creation of an unauthorized user application executable by an operating system of a computer, comprising:

  • creating a first device driver;
  • loading the first device driver into a kernel of the operating system, wherein the first device driver installs a first process creation wrapper function;
  • modifying an operating system table consulted by a dispatcher using the first device driver, wherein the modifying an operating system table causes the dispatcher to call the first process creation wrapper function before a process creation function and wherein the first process creation wrapper function and one or more subsequent process creation wrapper functions installed by one or more subsequent device drivers are modifiable so that the one or more subsequent process creation wrapper functions are added and removed serially between the first process creation wrapper function and the process creation function and the one or more subsequent process creation wrapper functions are called by the dispatcher before the process creation function;
  • intercepting a request for execution of an application executable by a user using the first process creation wrapper function;
  • communicating information about the request from the first process creation wrapper function to a user-mode application running as a service on the operating system, wherein the communicating information about the request from the first process creation wrapper function to a user-mode application occurs within the operating system;
  • comparing the information to a list of authorized executables for the user using the user-mode application;
  • if the information does not match an item on the list, communicating a first message to deny the request from the user-mode application to the first process creation wrapper function; and
  • if the information does match an item on the list, communicating a second message to permit the request from the user-mode application to the first process creation wrapper function.
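The claim describes two cooperating pieces: a first wrapper inserted ahead of the operating system's process creation function (with later wrappers chained serially between them) and a user-mode service that answers "deny" or "permit" by checking the request against a per-user list of authorized executables. The Python below is an added illustration written for this page, not code from the patent or its assignee; it simulates that control flow entirely in user space. `dispatch_table`, `CREATE_PROCESS`, `FirstWrapper`, `AuthorizationService` and the sample allow-list are all constructed for the example, and the verdict strings stand in for the claim's first (deny) and second (permit) messages.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Hypothetical dispatcher index for process creation (not a real syscall number).
CREATE_PROCESS = 0x2A


@dataclass(frozen=True)
class CreateRequest:
    """Information the wrapper forwards to the user-mode service."""
    user: str
    image_path: str


# A chained wrapper receives the request and the next function in line.
NextFn = Callable[[CreateRequest], str]
Wrapper = Callable[[CreateRequest, NextFn], str]


def process_creation_function(req: CreateRequest) -> str:
    """Stands in for the OS's real process creation routine."""
    return f"created {req.image_path}"


# Stands in for the OS table the dispatcher consults (constructed for this example).
dispatch_table: Dict[int, NextFn] = {CREATE_PROCESS: process_creation_function}


class AuthorizationService:
    """User-mode service holding per-user lists of authorized executables."""

    def __init__(self, authorized: Dict[str, Set[str]]) -> None:
        # Paths are compared case-insensitively; store the list lower-cased.
        self.authorized = {u: {p.lower() for p in paths} for u, paths in authorized.items()}

    def decide(self, req: CreateRequest) -> str:
        """Return 'permit' if the executable is on the user's list, else 'deny'."""
        allowed = self.authorized.get(req.user, set())
        return "permit" if req.image_path.lower() in allowed else "deny"


class FirstWrapper:
    """The first process creation wrapper.

    It consults the service before anything else runs, then calls the serially
    chained subsequent wrappers, and finally the original creation function.
    """

    def __init__(self, service: AuthorizationService, original: NextFn) -> None:
        self.service = service
        self.original = original
        self.subsequent: List[Wrapper] = []

    def add(self, wrapper: Wrapper) -> None:
        """A later driver inserts its wrapper between this one and the original."""
        self.subsequent.append(wrapper)

    def remove(self, wrapper: Wrapper) -> None:
        """A later driver unloads; its wrapper is removed without touching the rest."""
        self.subsequent.remove(wrapper)

    def __call__(self, req: CreateRequest) -> str:
        # Intercept the request and ask the user-mode service for a verdict.
        if self.service.decide(req) == "deny":
            return "denied"          # first message: request refused, chain never runs
        return self._run_chain(0, req)  # second message: continue toward creation

    def _run_chain(self, i: int, req: CreateRequest) -> str:
        if i == len(self.subsequent):
            return self.original(req)
        return self.subsequent[i](req, lambda r: self._run_chain(i + 1, r))


def install_first_driver(service: AuthorizationService) -> FirstWrapper:
    """Modify the dispatch table so the first wrapper runs before the original."""
    first = FirstWrapper(service, dispatch_table[CREATE_PROCESS])
    dispatch_table[CREATE_PROCESS] = first
    return first


def uninstall_first_driver(first: FirstWrapper) -> None:
    """Restore the table entry the first driver replaced."""
    dispatch_table[CREATE_PROCESS] = first.original


def dispatch(req: CreateRequest) -> str:
    """What the dispatcher does: look up the table entry and call it."""
    return dispatch_table[CREATE_PROCESS](req)


if __name__ == "__main__":
    # Constructed sample allow-list: alice may run notepad, bob has no entries.
    svc = AuthorizationService({"alice": {r"C:\Windows\notepad.exe"}})
    first = install_first_driver(svc)
    print(dispatch(CreateRequest("alice", r"C:\Windows\notepad.exe")))  # created
    print(dispatch(CreateRequest("bob", r"C:\Windows\notepad.exe")))    # denied
    uninstall_first_driver(first)
```

The allow-list check happens before the chain, so a denied request never reaches any subsequent wrapper or the original function; `add` and `remove` on `FirstWrapper` model a second driver loading and unloading without the first driver having to re-patch the table.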

  • 7 Assignments