Privacy friendly malware quarantines

US 7,716,743 B2
Filed: 01/14/2005
Issued: 05/11/2010
Est. Priority Date: 01/14/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for generating a quarantine file from a regular file identified as being infected with a malware, the method comprising:

encoding data in the regular file with a reversible function;

identifying a set of metadata that describes security attributes of the regular file, the security attributes controlling access to the regular file;

detecting that the regular file is infected with the malware and, in response, generating the quarantine file;

combining the encoded file data and the set of metadata in the generated quarantine file;

setting security attributes of the generated quarantine file to match the security attributes of the regular file;

copying the set of metadata to a central location that is accessible to a user interface while maintaining the original set of metadata in the generated quarantine file, wherein the user interface displays the set of metadata to a user; and

deleting the regular file after the encoded data and the set of metadata are stored in the quarantine file.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system, method, and computer-readable medium for quarantining a file. Embodiments of the present invention are included in antivirus software that maintains a user interface. From the user interface, a user may issue a command to quarantine a file or the quarantine process may be initiated automatically by the antivirus software after malware is identified. When a file is marked for quarantine, aspects of the present invention encode file data with a function that is reversible. Then a set of metadata is identified that describes attributes of the file including any heightened security features that are used to limit access to the file. The metadata is moved to a quarantine folder, while the encoded file remains at the same location in the file system. As a result, the encoded file maintains the same file attributes as the original, non-quarantined file, including any heightened security features.

Citations

19 Claims

1. A computer-implemented method for generating a quarantine file from a regular file identified as being infected with a malware, the method comprising:
- encoding data in the regular file with a reversible function;
  
  identifying a set of metadata that describes security attributes of the regular file, the security attributes controlling access to the regular file;
  
  detecting that the regular file is infected with the malware and, in response, generating the quarantine file;
  
  combining the encoded file data and the set of metadata in the generated quarantine file;
  
  setting security attributes of the generated quarantine file to match the security attributes of the regular file;
  
  copying the set of metadata to a central location that is accessible to a user interface while maintaining the original set of metadata in the generated quarantine file, wherein the user interface displays the set of metadata to a user; and
  
  deleting the regular file after the encoded data and the set of metadata are stored in the quarantine file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method as recited in claim 1, further comprising applying security features associated with the regular file to the quarantine file.
  - 3. The computer-implemented method as recited in claim 1, further comprising after deleting the regular file after the encoded data and the set of metadata are stored in the quarantine file, evaluating whether deletion has been satisfied and, when deletion has failed, calling an error handling routine.
  - 4. The computer-implemented method as recited in claim 1, wherein encoding data in the regular file includes performing exclusive-OR encryption.
  - 5. The computer-implemented method as recited in claim 4, wherein performing exclusive-OR encryption includes:
    - generating a random key; and
      
      applying the exclusive-OR algebraic function to file data and the random key.
  - 6. The computer-implemented method as recited in claim 1, wherein the quarantine file that contains the encoded file data and the set of metadata is compressed into an archive file.
  - 7. The computer-implemented method as recited in claim 1, wherein the set of metadata are stored in a manifest that consists of the set of metadata.
  - 8. The computer-implemented method as recited in claim 1, where in the quarantine file that contains the encoded file data and the set of metadata remains in a same location in the file system as the regular file.
  - 9. The computer-implemented method as recited in claim 1, wherein the quarantine file does not contain data that matches any malware signature.
  - 10. The computer-implemented method as recited in claim 1, wherein setting attributes of the quarantine file to match the attributes of the regular file includes making function calls to an application programming interface.
  - 11. The computer-implemented method as recited in claim 1, further comprising:
    - receiving a request to restore the regular file from the quarantine file and, in response;
      
      decompressing the generated quarantine file to generate restored encoded file data and restored metadata describing security attributes;
      
      decoding the restored encoded file data in the generated quarantine file;
      
      storing the restored decoded data in a second regular file; and
      
      setting security attributes of the second regular file to match the security attributes that are recorded in the metadata included in the set of metadata included in the generated quarantine file, wherein a duplicate copy of the metadata is stored in the central location.
  - 12. The computer-implemented method as recited in claim 11, wherein in response to receiving the request to restore the regular file from quarantine, the method further includes automatically removing the duplicate copy of the metadata from the central location after setting the security attributes of the second regular file.
  - 13. The computer-implemented method as recited in claim 11, wherein the encoded file data is decoded using the exclusive-OR algebraic function.

14. A user computing system for generating a quarantine file from a regular file identified as being infected with malware, the user computing system comprising:
- a processor; and
  
  a computer-readable storage media having stored thereon an antivirus application accessible to the processor, the antivirus application including;
  
  an antivirus engine that, when executed by the processor, detects the malware in the regular file on the user computing system;
  
  a quarantine module that, when executed by the processor, causes the user computing system to;
  
  encode the regular file data;
  
  generate the quarantine file that contains the encoded file data and a metadata that describes security attributes of the regular file detected to have malware, the security attributes controlling access to the regular file;
  
  create a duplicate copy of the metadata and store the duplicate copy of the metadata in a quarantine folder also stored on the computer-readable storage media of the user computing system;
  
  apply the security attributes of the regular file to the quarantine file; and
  
  delete the regular file after the encoded file data and the metadata are stored in the quarantine file; and
  
  a user interface that, when executed by the processor, causes the user computing system to;
  
  search the quarantine folder for the duplicate copy of the metadata and display the metadata to a user; and
  
  accept a command to quarantine the regular file, wherein the user interface is further configured to accept commands to;
  
  scan the quarantine file for malware; and
  
  submit the quarantine file to an antivirus vendor.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system as recited in claim 14, wherein the antivirus engine detects malware by identifying data that is characteristic of malware.
  - 16. The user computing system as recited in claim 15, wherein the quarantine module is further configured to decode data in the quarantine file to allow the data to be scanned for malware by the antivirus engine.
  - 17. The user computing system as recited in claim 14, wherein the user interface accepts a command to restore a quarantine file, wherein the quarantine module converts the quarantine file back into the regular file in response to the command.
  - 18. The user computing system as recited in claim 14, wherein the quarantine file and the regular file are stored in the same location in the file system and maintain the same file attributes.
  - 19. The user computing system as recited in claim 14, wherein the regular file and the quarantine file are protected from unauthorized access with heightened security features.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Thomas, Anil Francis, Bluvstein, Vadim N., Gheorghescu, Gheorghe Marius, Larsen, Kyle A., Marinescu, Adrian M., Costea, Mihai
Primary Examiner(s)
GERGISO, TECHANE

Application Number

US11/035,584
Publication Number

US 20060161988A1
Time in Patent Office

1,943 Days
Field of Search

726/25, 726/22, 713/165
US Class Current

726/25
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/6209   to a single file or object,...

G06F 21/64   Protecting data integrity, ...

Privacy friendly malware quarantines

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Privacy friendly malware quarantines

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links