System and method for security rating of computer processes

US 7,530,106 B1
Filed: 07/02/2008
Issued: 05/05/2009
Est. Priority Date: 07/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method for security rating of a process, the method comprising:

(a) detecting an attempt to execute a file on a computer;

(b) performing an initial risk assessment of the file;

(c) if the initial security rating is higher than a predetermined value, notifying a user;

(d) starting the process based on code in the file;

(e) monitoring the process for the suspicious activities;

(f) updating the security rating of the process when the process attempts to perform the suspicious activity;

(g) if the updated security rating exceeds a first threshold, notifying a user and continuing execution of the process; and

(h) if the updated security rating exceeds a second threshold, blocking the process'"'"' access to computer resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product for secure rating of processes in an executable file for malware presence comprising: (a) detecting an attempt to execute a file on a computer; (b) performing an initial risk assessment of the file; (c) starting a process from code in the file; (d) analyzing an initial risk pertaining to the process and assigning an initial security rating to the process; (e) monitoring the process for the suspicious activities; (f) updating the security rating of the process when the process attempts to perform the suspicious activity; (g) if the updated security rating exceeds a first threshold, notifying a user and continuing execution of the process; and (h) if the updated security rating exceeds a second threshold, blocking the action and terminating the process.

285 Citations

19 Claims

1. A method for security rating of a process, the method comprising:
- (a) detecting an attempt to execute a file on a computer;
  
  (b) performing an initial risk assessment of the file;
  
  (c) if the initial security rating is higher than a predetermined value, notifying a user;
  
  (d) starting the process based on code in the file;
  
  (e) monitoring the process for the suspicious activities;
  
  (f) updating the security rating of the process when the process attempts to perform the suspicious activity;
  
  (g) if the updated security rating exceeds a first threshold, notifying a user and continuing execution of the process; and
  
  (h) if the updated security rating exceeds a second threshold, blocking the process'"'"' access to computer resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising terminating the process after step (h).
  - 3. The method of claim 1, further comprising curing the process and then resuming execution of the process.
  - 4. The method of claim 1, wherein, if the corrupted file is a system component, curing the file and then resuming execution of the file.
  - 5. The method of claim 1, wherein, if the corrupted file is an independent (non-system) executable file, deleting the executable file.
  - 6. The method of claim 1, wherein, if the corrupted file is an independent (non-system) executable file, quarantining the executable file.
  - 7. The method of claim 1, wherein, if the corrupted file is an independent (non-system) executable file, curing the executable file.
  - 8. The method of claim 1, wherein the security rating comprises a static rating and a dynamic rating.
  - 9. The method of claim 8, wherein the static rating is based on any of name of the file, file size, file location, compression and/or static properties of the file.
  - 10. The method of claim 8, wherein the dynamic rating is based on the results of the file emulation process.
  - 11. The method of claim 1, wherein the risk assessment of the file is based on any of file size, file format, file structure, whether the file is digitally signed, whether the file is a download utility, whether the file is packed, file source, and whether the file was received from a CD-ROM.
  - 12. The method of claim 1, wherein the risk assessment is based on a URL from which the file was received.
  - 13. The method of claim 1, wherein the risk assessment is based on file origin.
  - 14. The method of claim 1, wherein the risk assessment is based on file path.
  - 15. The method of claim 1, wherein the risk assessment of the process is based on any of the following:
    - whether the process tries to write into a memory allocated to other processes;
      
      whether the process tries to access password-protected files;
      
      whether the process tries to start service with a name identical to a system process name;
      
      whether the process tries to start service with a name identical to an antivirus process;
      
      whether the process tries to handle or delete a system service;
      
      whether the process tries to handle or delete an antivirus service;
      
      whether the process tries to modify a system registry;
      
      whether the process tries to scan a network resource;
      
      whether the process tries to add a network resource;
      
      whether the process tries to request a system privilege;
      
      whether process tries to access a system kernel; and
      
      properties of a system call made by the process.
  - 16. The method of claim 1, further comprising:
    - placing the process into a group having permissions for related activities; and
      
      blocking activities by the process if those activities require permissions for a different group.
  - 17. The method of claim 16, wherein the activities related to the group can include any of:
    - local network access;
      
      Internet access;
      
      file access;
      
      system registry access;
      
      password-related activities;
      
      activities that require system privileges; and
      
      activities that require OS kernel privileges.
  - 18. The method of claim 1, wherein, if the process security rating is high, the process will have limited access to computer resources.

19. A system for security rating of a process, the system comprising:
- a processor;
  
  memory coupled to the processor;
  
  a plurality of risk analysis factors maintained by the system;
  
  a plurality of weights, maintained by the system, corresponding to the risk analysis factors;
  
  an antivirus program loaded into the memory that assigns an initial security rating based on the risk assessment by comparison of file attributes with the risk analysis factors and weights, and notifies a user if the initial security rating is higher than a predetermined value;
  
  a process executing on the processor based on code in the file;
  
  wherein the antivirus program continuously monitors the processes for suspicious activities and updates the security rating of the process when the process attempts to perform a suspicious activity;
  
  wherein the antivirus program notifies the user and continues execution of the process if the updated security rating exceeds a first threshold; and
  
  wherein the antivirus program blocks the process access to computer resources if the updated security rating exceeds a second threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Zaitsev, Oleg V., Pavlyushchik, Mikhail A., Grebennikov, Nikolay A., Monastyrsky, Alexey V.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/167,138
Time in Patent Office

307 Days
Field of Search

726/22, 726/23, 726/24, 713/164, 713/165, 713/187, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

System and method for security rating of computer processes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

285 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for security rating of computer processes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links