System and method for heuristic analysis to identify pestware

US 7,480,683 B2
Filed: 10/01/2004
Issued: 01/20/2009
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for blocking pestware activity, the method comprising:

detecting an initial pestware activity on a protected computer;

recording the initial pestware activity;

receiving an instruction from a user of the protected computer to block the initial pestware activity;

blocking the initial pestware activity;

detecting a subsequent pestware activity;

comparing the subsequent pestware activity with the initial pestware activity;

responsive to the subsequent pestware activity matching the initial pestware activity, automatically blocking the subsequent pestware activity;

identifying a process responsible for the subsequent pestware activity;

identifying, on a storage device, a program file corresponding to the process;

injecting termination code into the program file corresponding to the process, the termination code determining whether the process is permitted to restart from the program file subsequent to being terminated; and

terminating the process;

wherein the termination code is configured to;

cause the process, upon attempting to launch itself from the program file subsequent to being terminated, to compare itself against a list of pestware that is targeted for removal from the protected computer;

prevent the process from starting up when the process matches pestware in the list of pestware that is targeted for removal from the protected computer; and

permit the process to start up normally when the process does not match any pestware in the list of pestware that is targeted for removal from the protected computer.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for preventing pestware activity are described. One embodiment a heuristic engine configured to identify repeat pestware activity and configured to block the repeat pestware activity; an operating system pestware shield in communication with the heuristic engine, the operating system pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine; and a browser pestware shield in communication with the heuristic engine, the browser pestware shield configured to detect pestware activity and report the pestware activity to the heuristic engine.

96 Citations

View as Search Results

7 Claims

1. A method for blocking pestware activity, the method comprising:
- detecting an initial pestware activity on a protected computer;
  
  recording the initial pestware activity;
  
  receiving an instruction from a user of the protected computer to block the initial pestware activity;
  
  blocking the initial pestware activity;
  
  detecting a subsequent pestware activity;
  
  comparing the subsequent pestware activity with the initial pestware activity;
  
  responsive to the subsequent pestware activity matching the initial pestware activity, automatically blocking the subsequent pestware activity;
  
  identifying a process responsible for the subsequent pestware activity;
  
  identifying, on a storage device, a program file corresponding to the process;
  
  injecting termination code into the program file corresponding to the process, the termination code determining whether the process is permitted to restart from the program file subsequent to being terminated; and
  
  terminating the process;
  
  wherein the termination code is configured to;
  
  cause the process, upon attempting to launch itself from the program file subsequent to being terminated, to compare itself against a list of pestware that is targeted for removal from the protected computer;
  
  prevent the process from starting up when the process matches pestware in the list of pestware that is targeted for removal from the protected computer; and
  
  permit the process to start up normally when the process does not match any pestware in the list of pestware that is targeted for removal from the protected computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the termination code is configured to remove itself from the program file automatically when the process does not match any pestware in the list of pestware that is targeted for removal from the protected computer.
  - 3. The method of claim 1, wherein the list of pestware that is targeted for removal from the protected computer includes at least one of known pestware and pestware that is suspected of restarting itself.
  - 4. The method of claim 1, wherein the termination code is configured to cause the process to compare a file name associated with the process against a list of file names associated with the pestware that is targeted for removal from the protected computer.
  - 5. The method of claim 1, wherein the termination code is configured to cause the process to compare a digital signature of itself against a set of digital signatures associated with known pestware.
  - 6. The method of claim 1, wherein the termination code is configured to cause the process to call another program that compares the process against the list of pestware that is targeted for removal from the protected computer.

7. A digital computer, comprising:
- at least one processor; and
  
  a memory containing a plurality of program instructions configured to cause the at least one processor to;
  
  detect an initial pestware activity on the digital computer;
  
  record the initial pestware activity;
  
  receive an instruction from a user of the digital computer to block the initial pestware activity;
  
  block the initial pestware activity;
  
  detect a subsequent pestware activity;
  
  compare the subsequent pestware activity with the initial pestware activity;
  
  block automatically the subsequent pestware activity responsive to the subsequent pestware activity matching the initial pestware activity;
  
  identify a process responsible for the subsequent pestware activity;
  
  identify, on a storage device, a program file corresponding to the process;
  
  inject termination code into the program file corresponding to the process, the termination code determining whether the process is permitted to restart from the program file subsequent to being terminated; and
  
  terminate the process;
  
  wherein the termination code is configured to;
  
  cause the process, upon attempting to launch itself from the program file subsequent to being terminated, to compare itself against a list of pestware that is targeted for removal from the digital computer;
  
  prevent the process from starting up when the process matches pestware in the list of pestware that is targeted for removal from the digital computer; and
  
  permit the process to start up normally when the process does not match any pestware in the list of pestware that is targeted for removal from the digital computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Thomas, Steve, Greene, Michael P., Stowers, Bradley D.
Primary Examiner(s)
ALAM, SHAHID AL

Application Number

US10/956,573
Publication Number

US 20060075501A1
Time in Patent Office

1,572 Days
Field of Search

726/24, 726/22, 713/200, 713/201, 713/182, 707/6, 707/205
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/2101   Auditing as a secondary aspect

System and method for heuristic analysis to identify pestware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for heuristic analysis to identify pestware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links