System and method for pestware detection and removal
First Claim
Patent Images
1. A method of managing pestware on a protected computer, the method comprising:
- receiving a plurality of definitions corresponding to pestware;
scanning the storage systems of the protected computer for files corresponding to any of the plurality of definitions;
responsive to determining that one of the files matches one of the plurality of definitions, preventing the file from operating;
detecting an initial pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
blocking the initial pestware activity;
detecting a second pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
determining that the second pestware activity is similar to the initial pestware activity;
responsive to determining that the second pestware activity is similar to the initial pestware activity, sending data about the protected computer and the second pestware activity to a host system;
receiving a new definition from the host system, the new definition corresponding to the second pestware activity and generated using the sent data about the protected computer and the second pestware activity;
scanning the storage systems of the protected computer for files corresponding to the new definition; and
taking corrective action to protect the protected computer from at least one detected file corresponding to the new definition.
10 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for managing pestware are described. One system includes a pestware shield configured to detect pestware activity on a protected computer; a heuristics engine configured to identify repeat pestware activity; a drive scan module configured to scan files stored on the storage device and to identify pestware in the scanned files; a program memory scan module configured to scan programs running in the program memory of the protected computer and to identify pestware in the scanned programs; a registry scan module configured to identify any attempts to change data in the registry file; and a quarantine module configured to quarantine the pestware identified by either the drive scan module or the program memory module.
85 Citations
11 Claims
-
1. A method of managing pestware on a protected computer, the method comprising:
-
receiving a plurality of definitions corresponding to pestware; scanning the storage systems of the protected computer for files corresponding to any of the plurality of definitions; responsive to determining that one of the files matches one of the plurality of definitions, preventing the file from operating; detecting an initial pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer; blocking the initial pestware activity; detecting a second pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer; determining that the second pestware activity is similar to the initial pestware activity; responsive to determining that the second pestware activity is similar to the initial pestware activity, sending data about the protected computer and the second pestware activity to a host system; receiving a new definition from the host system, the new definition corresponding to the second pestware activity and generated using the sent data about the protected computer and the second pestware activity; scanning the storage systems of the protected computer for files corresponding to the new definition; and taking corrective action to protect the protected computer from at least one detected file corresponding to the new definition. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer system, comprising:
-
a processor; one or more storage systems; and a memory containing a plurality of program instructions configured to cause the processor to; receive a plurality of definitions corresponding to pestware; scan the storage systems of the protected computer for files corresponding to any of the plurality of definitions; prevent a file from operating, responsive to determining that the file matches one of the plurality of definitions; detect an initial pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer; block the initial pestware activity; detect a second pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer; determine that the second pestware activity is similar to the initial pestware activity; send data about the protected computer and the second pestware activity to a host system, responsive to determining that the second pestware activity is similar to the initial pestware activity; receive a new definition from the host system, the new definition corresponding to the second pestware activity and generated using the sent data about the protected computer and the second pestware activity; scan the storage systems of the protected computer for files corresponding to the new definition; and take corrective action to protect the protected computer from at least one detected file corresponding to the new definition.
-
-
8. A computer-readable storage medium containing a plurality of program instructions executable by a processor for managing pestware on a protected computer, the plurality of program instructions comprising:
-
a first instruction segment configured to receive a plurality of definitions corresponding to pestware; a second instruction segment configured to scan the storage systems of the protected computer for files corresponding to any of the plurality of definitions; a third instruction segment configured to prevent a file from operating, responsive to determining that the file matches one of the plurality of definitions; a fourth instruction segment configured to detect an initial pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer; a fifth instruction segment configured to block the initial pestware activity; a sixth instruction segment configured to detect a second pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer; a seventh instruction segment configured to determine that the second pestware activity is similar to the initial pestware activity; an eighth instruction segment configured to send data about the protected computer and the second pestware activity to a host system, responsive to determining that the second pestware activity is similar to the initial pestware activity; a ninth instruction segment configured to receive a new definition from the host system, the new definition corresponding to the second pestware activity and generated using the sent data about the protected computer and the second pestware activity; a tenth instruction segment configured to scan the storage systems of the protected computer for files corresponding to the new definition; and an eleventh instruction segment configured to take corrective action to protect the protected computer from at least one detected file corresponding to the new definition. - View Dependent Claims (9, 10, 11)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCarbonite LLC (Open Text Corporation)
-
Original AssigneeWebroot Software Incorporated (Open Text Corporation)
-
InventorsHerman, Jeffery, Barton, Kevin, Stowers, Bradley D., Thomas, Steve
-
Primary Examiner(s)Corrielus; Jean M
-
Assistant Examiner(s)Bullock; Joshua
-
Application NumberUS10/956,574Publication NumberTime in Patent Office1,684 DaysField of Search707/4, 707/200, 726/24, 726/22US Class Current1/1CPC Class CodesG06F 21/55 Detecting local intrusion o...G06F 21/56 Computer malware detection ...
