System and method for heuristic analysis to identify pestware
First Claim
1. A method for blocking pestware activity, the method comprising:
detecting an initial pestware activity on a protected computer;
recording the initial pestware activity;
receiving an instruction from a user of the protected computer to block the initial pestware activity;
blocking the initial pestware activity;
detecting a subsequent pestware activity;
comparing the subsequent pestware activity with the initial pestware activity;
responsive to the subsequent pestware activity matching the initial pestware activity, automatically blocking the subsequent pestware activity;
identifying a process responsible for the subsequent pestware activity;
identifying, on a storage device, a program file corresponding to the process;
injecting termination code into the program file corresponding to the process, the termination code determining whether the process is permitted to restart from the program file subsequent to being terminated; and
terminating the process;
wherein the termination code is configured to:
cause the process, upon attempting to launch itself from the program file subsequent to being terminated, to compare itself against a list of pestware that is targeted for removal from the protected computer;
prevent the process from starting up when the process matches pestware in the list of pestware that is targeted for removal from the protected computer; and
permit the process to start up normally when the process does not match any pestware in the list of pestware that is targeted for removal from the protected computer.
Abstract
Systems for preventing pestware activity are described. One embodiment includes a heuristic engine configured to identify repeat pestware activity and configured to block the repeat pestware activity; an operating system pestware shield in communication with the heuristic engine, the operating system pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine; and a browser pestware shield in communication with the heuristic engine, the browser pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine.
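The arrangement in the abstract, as an added sketch that is not code from the patent or its assignee: two shields report activity to a heuristic engine, which records the first occurrence, asks the user, and blocks matching repeats automatically. The class names, the `Activity` fields and the match-on-(kind, target, value) rule are assumptions for illustration; the sketch models only the detect, record, compare and block steps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Activity:
    """Constructed record of one observed change; fields are assumptions."""
    kind: str          # e.g. "homepage_change", "hosts_file_edit"
    target: str        # the setting or resource being modified
    value: str         # the value the activity tries to set
    process: str = ""  # reporting process name, kept for the log only
    def signature(self):
        # Two activities "match" when kind, target and value agree (case-insensitive).
        return (self.kind, self.target.lower(), self.value.lower())

class HeuristicEngine:
    def __init__(self, ask_user):
        self.ask_user = ask_user   # callback: Activity -> True if the user says "block"
        self.blocked = set()       # signatures the user has told us to block
        self.log = []              # (shield, activity, verdict, decided_by)

    def report(self, shield, activity):
        sig = activity.signature()
        if sig in self.blocked:
            verdict, decided_by = "block", "auto"      # repeat of a blocked activity
        else:
            verdict = "block" if self.ask_user(activity) else "allow"
            decided_by = "user"
            if verdict == "block":
                self.blocked.add(sig)                  # remember for later comparison
        self.log.append((shield, activity, verdict, decided_by))
        return verdict, decided_by

class Shield:
    """Stands in for the OS or browser shield: detects and reports to the engine."""
    def __init__(self, name, engine):
        self.name, self.engine = name, engine
    def observe(self, activity):
        return self.engine.report(self.name, activity)

def demo():
    prompts = []
    def ask_user(a):               # constructed user: blocks homepage changes only
        prompts.append(a)
        return a.kind == "homepage_change"
    engine = HeuristicEngine(ask_user)
    browser, os_shield = Shield("browser", engine), Shield("os", engine)
    first = browser.observe(Activity("homepage_change", "StartPage", "http://ads.example", "a.exe"))
    repeat = os_shield.observe(Activity("homepage_change", "startpage", "HTTP://ADS.EXAMPLE", "b.exe"))
    other = os_shield.observe(Activity("hosts_file_edit", "hosts", "127.0.0.1 example.test"))
    return first, repeat, other, len(prompts)
```

The repeat is blocked without a prompt even though it arrives through a different shield and from a different process, because the match is made on the activity itself.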
7 Claims
7. A digital computer, comprising:
at least one processor; and
a memory containing a plurality of program instructions configured to cause the at least one processor to:
detect an initial pestware activity on the digital computer;
record the initial pestware activity;
receive an instruction from a user of the digital computer to block the initial pestware activity;
block the initial pestware activity;
detect a subsequent pestware activity;
compare the subsequent pestware activity with the initial pestware activity;
block automatically the subsequent pestware activity responsive to the subsequent pestware activity matching the initial pestware activity;
identify a process responsible for the subsequent pestware activity;
identify, on a storage device, a program file corresponding to the process;
inject termination code into the program file corresponding to the process, the termination code determining whether the process is permitted to restart from the program file subsequent to being terminated; and
terminate the process;
wherein the termination code is configured to:
cause the process, upon attempting to launch itself from the program file subsequent to being terminated, to compare itself against a list of pestware that is targeted for removal from the digital computer;
prevent the process from starting up when the process matches pestware in the list of pestware that is targeted for removal from the digital computer; and
permit the process to start up normally when the process does not match any pestware in the list of pestware that is targeted for removal from the digital computer.
Specification