Detecting malicious software through file group behavior

US 7,594,272 B1
Filed: 10/05/2004
Issued: 09/22/2009
Est. Priority Date: 10/05/2004
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious software on a computer system, comprising:

a computer-readable storage medium having computer executable program code recorded thereon comprising;

a suspicious software module for detecting suspicious software on the computer system;

a tracking module for identifying a set of files on the computer system associated with the suspicious software and adding to the set a file touched by a file already in the set; and

a behavior monitoring module for monitoring the files in the set to determine whether the suspicious software is malicious.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malicious software detection module (MSDM) detects worms and other malicious software. The MSDM executes on a computer system connected to a network. The MSDM monitors a storage device of the computer system for the arrival of software from a suspicious portal. The MSDM designates such software as suspicious. The MSDM tracks the set of files that are associated with the suspicious software. If the files in the set individually or collectively engage in suspicious behavior, the MSDM declares the suspicious software malicious and prevents file replication and/or other malicious behavior.

Citations

21 Claims

1. A system for detecting malicious software on a computer system, comprising:
- a computer-readable storage medium having computer executable program code recorded thereon comprising;
  
  a suspicious software module for detecting suspicious software on the computer system;
  
  a tracking module for identifying a set of files on the computer system associated with the suspicious software and adding to the set a file touched by a file already in the set; and
  
  a behavior monitoring module for monitoring the files in the set to determine whether the suspicious software is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the suspicious software module determines a portal through which software arrives on the computer system, and wherein software arriving through certain portals is designated as suspicious.
  - 3. The system of claim 1, wherein the tracking module adds to the set a file created and/or modified by a file already in the set.
  - 4. The system of claim 1, wherein the tracking module adds to the set a file created and/or modified by a program caused to be executed by a file in the set.
  - 5. The system of claim 1, wherein the behavior monitoring module utilizes one or more heuristics to detect whether the set of files is malicious.
  - 6. The system of claim 5, wherein a heuristic specifies a condition that is satisfied if the files in the set collectively satisfy the condition.
  - 7. The system of claim 5, wherein a heuristic specifies that suspicious software is malicious if a file in the set associated with the suspicious software copies any file in the set to another computer system.

8. A method for detecting malicious software on a computer system, comprising:
- detecting suspicious software on the computer system;
  
  identifying a set of files on the computer system associated with the suspicious software and adding to the set a file touched by a file already in the set; and
  
  monitoring the files in the set to determine whether the suspicious software is malicious.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein detecting suspicious software comprises:
    - determining a portal through which the software arrives;
      
      determining whether the portal is suspicious; and
      
      responsive to a determination that the portal is suspicious, declaring the software suspicious.
  - 10. The method of claim 8, wherein identifying a set of files on the computer system associated with the suspicious software comprises:
    - adding to the set a file created and, or modified by a file already in the set.
  - 11. The method of claim 8, wherein identifying a set of files on the computer system associated with the suspicious software comprises:
    - adding to the set a file created and/or modified by a program caused to be executed by a file in the set.
  - 12. The method of claim 8, wherein monitoring the files in the set comprises:
    - determining whether the files in the set behave in a manner satisfying one or more conditions of one or more heuristics.
  - 13. The method of claim 12, wherein a condition of a heuristic is satisfied if the files in the set collectively satisfy the condition.
  - 14. The method of claim 12, wherein a heuristic specifies that suspicious software is malicious if a file in the set associated with the suspicious software copies any file in the set to another computer system.

15. A computer-readable storage medium storing computer executable program code for detecting malicious software on a computer system, the program code comprising:
- a suspicious software module for detecting suspicious software on the computer system;
  
  a tracking module for identifying a set of files on the computer system associated with the suspicious software and adding to the set a file touched by a file already in the set; and
  
  a behavior monitoring module for monitoring the files in the set to determine whether the suspicious software is malicious.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable storage medium of claim 15, wherein the suspicious software module determines a portal through which software arrives on the computer system, and wherein software arriving through certain portals is designated as suspicious.
  - 17. The computer-readable storage medium of claim 15, wherein the tracking module adds to the set a file created and/or modified by a file already in the set.
  - 18. The computer-readable storage medium of claim 15, wherein the tracking module adds to the set a file created and/or modified by a program caused to be executed by a file in the set.
  - 19. The computer-readable storage medium of claim 15, wherein the behavior monitoring module utilizes one or more heuristics to detect whether the set of files is malicious.
  - 20. The computer-readable storage medium of claim 19, wherein a heuristic specifies a condition that is satisfied if the files in the set collectively satisfy the condition.
  - 21. The computer-readable storage medium of claim 19, wherein a heuristic specifies that suspicious software is malicious if a file in the set associated with the suspicious software copies any file in the set to another computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kennedy, Mark, Kane, David
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Fields; Courtney D

Application Number

US10/959,484
Time in Patent Office

1,813 Days
Field of Search

726/24, 726/22, 713/187, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/1408 by monitoring network traff...

Detecting malicious software through file group behavior

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious software through file group behavior

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links