System and method for pestware detection and removal
First Claim
1. A method of managing pestware on a protected computer, the method comprising:
receiving a plurality of definitions corresponding to pestware;
scanning the storage systems of the protected computer for files corresponding to any of the plurality of definitions;
responsive to determining that one of the files matches one of the plurality of definitions, preventing the file from operating;
detecting an initial pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
blocking the initial pestware activity;
detecting a second pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
determining that the second pestware activity is similar to the initial pestware activity;
responsive to determining that the second pestware activity is similar to the initial pestware activity, sending data about the protected computer and the second pestware activity to a host system;
receiving a new definition from the host system, the new definition corresponding to the second pestware activity and generated using the sent data about the protected computer and the second pestware activity;
scanning the storage systems of the protected computer for files corresponding to the new definition; and
taking corrective action to protect the protected computer from at least one detected file corresponding to the new definition.
Abstract
Systems and methods for managing pestware are described. One system includes a pestware shield configured to detect pestware activity on a protected computer; a heuristics engine configured to identify repeat pestware activity; a drive scan module configured to scan files stored on the storage device and to identify pestware in the scanned files; a program memory scan module configured to scan programs running in the program memory of the protected computer and to identify pestware in the scanned programs; a registry scan module configured to identify any attempts to change data in the registry file; and a quarantine module configured to quarantine the pestware identified by either the drive scan module or the program memory module.
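The repeat-activity path described in the abstract and claim 1 (block an activity, recognize a similar second one, report it to the host, rescan with the new definition), as an added Python example that is not taken from the patent. The class and field names, the use of SHA-256 digests as definitions, and the similarity rule are assumptions made for illustration; the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass, field

def digest(data):
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Activity:
    kind: str     # assumed category, e.g. "homepage_change"
    target: str   # resource the activity tried to change
    process: str  # program responsible

@dataclass
class Shield:
    definitions: set                              # digests of known pestware files
    blocked: list = field(default_factory=list)   # activities already blocked
    outbox: list = field(default_factory=list)    # reports queued for the host

    def scan(self, files):
        """Names of files whose digest matches a definition."""
        return sorted(n for n, d in files.items() if digest(d) in self.definitions)

    @staticmethod
    def similar(a, b):
        # Assumed rule: same kind of change aimed at the same target.
        return a.kind == b.kind and a.target.lower() == b.target.lower()

    def on_activity(self, act, machine):
        """Block act; queue a report if it repeats an earlier blocked activity."""
        repeat = any(self.similar(act, p) for p in self.blocked)
        self.blocked.append(act)
        if repeat:
            self.outbox.append({"machine": machine, "activity": act})
        return repeat

    def apply_new_definition(self, new_digest, files):
        """Add a host-supplied definition; return newly matching files."""
        known = set(self.scan(files))
        self.definitions.add(new_digest)
        return sorted(set(self.scan(files)) - known)

# Constructed sample data, not real pestware.
FILES = {"notes.txt": b"plain text", "toolbar.dll": b"constructed known sample",
         "helper.exe": b"constructed unknown sample"}

def demo():
    shield = Shield({digest(FILES["toolbar.dll"])})
    first_scan = shield.scan(FILES)
    r1 = shield.on_activity(Activity("homepage_change", "start_page", "helper.exe"), "pc-01")
    r2 = shield.on_activity(Activity("homepage_change", "Start_Page", "helper.exe"), "pc-01")
    # Stand-in for the host's reply: a definition built from the reported program.
    rescan = shield.apply_new_definition(digest(FILES["helper.exe"]), FILES)
    return first_scan, r1, r2, len(shield.outbox), rescan
```

Only the second, similar activity produces a report, and the file it points to is caught only after the host-supplied definition is added.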
11 Claims
7. A computer system, comprising:
a processor;
one or more storage systems; and
a memory containing a plurality of program instructions configured to cause the processor to:
receive a plurality of definitions corresponding to pestware;
scan the storage systems of the protected computer for files corresponding to any of the plurality of definitions;
prevent a file from operating, responsive to determining that the file matches one of the plurality of definitions;
detect an initial pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
block the initial pestware activity;
detect a second pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
determine that the second pestware activity is similar to the initial pestware activity;
send data about the protected computer and the second pestware activity to a host system, responsive to determining that the second pestware activity is similar to the initial pestware activity;
receive a new definition from the host system, the new definition corresponding to the second pestware activity and generated using the sent data about the protected computer and the second pestware activity;
scan the storage systems of the protected computer for files corresponding to the new definition; and
take corrective action to protect the protected computer from at least one detected file corresponding to the new definition.
8. A computer-readable storage medium containing a plurality of program instructions executable by a processor for managing pestware on a protected computer, the plurality of program instructions comprising:
a first instruction segment configured to receive a plurality of definitions corresponding to pestware;
a second instruction segment configured to scan the storage systems of the protected computer for files corresponding to any of the plurality of definitions;
a third instruction segment configured to prevent a file from operating, responsive to determining that the file matches one of the plurality of definitions;
a fourth instruction segment configured to detect an initial pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
a fifth instruction segment configured to block the initial pestware activity;
a sixth instruction segment configured to detect a second pestware activity on the protected computer based on at least one of comparing data with a predetermined pestware definition and identifying pestware-related behavior on the protected computer;
a seventh instruction segment configured to determine that the second pestware activity is similar to the initial pestware activity;
an eighth instruction segment configured to send data about the protected computer and the second pestware activity to a host system, responsive to determining that the second pestware activity is similar to the initial pestware activity;
a ninth instruction segment configured to receive a new definition from the host system, the new definition corresponding to the second pestware activity and generated using the sent data about the protected computer and the second pestware activity;
a tenth instruction segment configured to scan the storage systems of the protected computer for files corresponding to the new definition; and
an eleventh instruction segment configured to take corrective action to protect the protected computer from at least one detected file corresponding to the new definition.
Specification