Feedback-driven malware detector
First Claim
1. A computer-implemented method to determine whether an application program contains malware, comprising:
employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts:
monitoring an extensibility point that allows the application program to execute without input from a user, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants;
determining whether the application program is scheduled to be installed and added to the extensibility point;
informing the user that the application program is scheduled to be installed and added to the extensibility point;
sending one or more portions of information regarding the application program that is scheduled to be installed and added to the extensibility point to a remote computer, wherein the remote computer is a trusted entity that is trusted by the user, the remote computer being configured to aggregate application program data from each of the plurality of malware prevention service participants;
receiving from a remote computer aggregated application program information indicating the number of other malware prevention service participants who previously allowed and declined the application to be installed;
displaying to the user the number of malware prevention service participants that allowed installation of the application program and the number of malware prevention service participants that declined installation of the application program;
obtaining decision input from the user regarding whether the application program should be installed, where the user's decision is based upon the received aggregated application information indicating whether other malware prevention service participants allowed or declined installation of the application program; and
transmitting a set of data that includes the input obtained from the user to a remote computer, wherein the set of data includes:
a signature of an object that is scheduled to be executed when the application program is added to the extensibility point;
metadata that describes attributes of the object; and
run-time attributes that identify the state of the computer.
2 Assignments
0 Petitions
Abstract
Embodiments of a feedback-driven malware detector are directed to protecting a computer from programs that perform actions that are malicious or not expected by a user. In one embodiment, the feedback-driven malware detector performs a method that initially determines whether the state of an application program scheduled to be added to an extensibility point on a computer is already known. If the state of the object is not already known, the user is informed that an application program is being installed on the computer and that the application program is being added to an extensibility point. Then, input is obtained from the user that assists in determining whether the application program is malware.
17 Claims
1. (Independent claim; text reproduced under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented method of determining whether an application program is malware, comprising:
employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts:
receiving a set of data at a remote computer system when an application program is scheduled to be installed and added to an extensibility point on a remote computer, the data set being received from a computer system that is monitored for changes to an extensibility point that allows the application program to execute without input from a user, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants, the remote computer being a trusted entity that is trusted by the user, the remote computer being configured to aggregate application program data from each of the plurality of malware prevention service participants, wherein the data set includes:
a signature of an object that is scheduled to be executed when the application program is added to the extensibility point;
metadata that describes attributes of the object; and
run-time attributes that identify the state of the computer;
aggregating data that was obtained from a plurality of malware prevention service participants at remote computers including a plurality of indicators regarding whether malware prevention service participants allowed or did not allow the application program to be installed on their respective remote computers; and
performing an analysis of the aggregated data to determine whether the application program is malware, wherein the analysis is based upon the aggregated application data indicating whether other malware prevention service participants allowed or declined installation of the application program.
Dependent claims: 9, 10, 11, 12.
13. A computer-implemented system for determining whether an application program is malware, comprising:
a processor;
a computer readable storage medium operationally coupled to the processor and storing computer executable instructions, the computer executable instructions, when executed by the processor, implement components comprising:
a reporting module that causes a set of data to be transmitted to the backend server when the application program is scheduled to be added to an extensibility point on the client computer including an indication regarding whether a user of the client computer allowed or did not allow the application program to be installed, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants, wherein the set of data includes:
a signature of an object that is scheduled to be executed when the application program is added to the extensibility point;
metadata that describes attributes of the object; and
run-time attributes that identify the state of the computer;
an analysis module that is operative to receive the set of data generated by the reporting module and use the data to determine whether the application program is malware; and
a database application that aggregates the set of data generated by the reporting module together with data previously received from other computers in the computer networking environment whose users are participants of the malware prevention service, the previously received data includes the number of malware prevention service participants who allowed and did not allow the application program to be installed on their computer, wherein the database application is a trusted entity that is trusted by the malware prevention service participants and wherein the determination as to whether the application program is malware is based upon the received aggregated application information indicating whether other malware prevention service participants allowed or declined installation of the application program.
Dependent claims: 14, 15, 16, 17.
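The abstract and independent claims 1, 8 and 13 together describe one exchange: a client observes an object about to be added to an extensibility point, asks the trusted aggregation server whether that object's state is already known, otherwise shows the user how many other participants allowed or declined it, records the user's decision, and reports back the object's signature, its metadata and the machine's run-time attributes. The following is an added example modelling that exchange in Python; it is not code from the patent or from any product. The class and function names (`Report`, `AggregationServer`, `client_handle_install`, `demo`), the use of SHA-256 as the signature, the threshold rule in `analyze`, and all sample data are this example's own assumptions.

```python
"""Added example (not from the patent): a minimal model of the feedback-driven
malware detector. All names, thresholds and sample data are constructed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Report:
    """The data set a client transmits (claims 1, 8, 13): object signature,
    object metadata, run-time attributes and the participant's allow/decline input."""
    signature: str            # hash of the object scheduled to run at the extensibility point
    metadata: dict            # attributes of the object (constructed: name, size, signer)
    runtime: dict             # state of the computer when the install was observed
    extensibility_point: str  # label of the monitored extensibility point
    allowed: bool             # the participant's decision


def object_signature(object_bytes: bytes) -> str:
    """Signature of the object. The patent fixes no algorithm; SHA-256 over the
    object's bytes is this example's assumption."""
    return hashlib.sha256(object_bytes).hexdigest()


class AggregationServer:
    """The trusted remote computer: stores reports from every participant and
    aggregates allowed/declined counts per object signature."""

    def __init__(self) -> None:
        self._reports = defaultdict(list)

    def receive(self, report: Report) -> None:
        self._reports[report.signature].append(report)

    def counts(self, signature: str) -> dict:
        reports = self._reports.get(signature, [])
        allowed = sum(1 for r in reports if r.allowed)
        return {"allowed": allowed, "declined": len(reports) - allowed}

    def analyze(self, signature: str, min_reports: int = 5, ratio: float = 0.8) -> str:
        """Claim 8's analysis reduced to a threshold rule (the example's assumption):
        'malware' once enough participants declined, 'benign' once enough allowed,
        otherwise 'unknown' so the client has to ask its user."""
        c = self.counts(signature)
        total = c["allowed"] + c["declined"]
        if total < min_reports:
            return "unknown"
        if c["declined"] / total >= ratio:
            return "malware"
        if c["allowed"] / total >= ratio:
            return "benign"
        return "unknown"


def client_handle_install(server, object_bytes, metadata, runtime, ext_point, ask_user):
    """Client side. On a pending addition to an extensibility point: query the
    server; if the state is already known (abstract), decide without prompting;
    otherwise show the participant counts, obtain the user's input and report it."""
    sig = object_signature(object_bytes)
    state = server.analyze(sig)
    if state != "unknown":
        return {"signature": sig, "state_before": state, "prompt": None,
                "allowed": state == "benign"}
    c = server.counts(sig)
    prompt = (f"{metadata.get('name', sig[:12])} is being installed and added to "
              f"{ext_point}. Participants who allowed it: {c['allowed']}; "
              f"declined: {c['declined']}.")
    decision = ask_user(prompt)
    # Only a real user decision is transmitted back to the aggregation server.
    server.receive(Report(sig, metadata, runtime, ext_point, decision))
    return {"signature": sig, "state_before": state, "prompt": prompt, "allowed": decision}


def demo():
    """Six participants see the same constructed object; the last one is answered
    by the aggregate alone because four of five earlier participants declined."""
    server = AggregationServer()
    blob = b"constructed sample: pretend autostart binary"          # constructed object bytes
    meta = {"name": "updater.exe", "size": len(blob), "signer": None}  # constructed metadata
    runtime = {"os": "constructed-os 1.0", "interactive_session": True}
    answers = [False, False, False, True, False, True]              # constructed user inputs
    results = []
    for answer in answers:
        results.append(client_handle_install(
            server, blob, meta, runtime, "autostart", lambda _prompt, a=answer: a))
    return server, results


if __name__ == "__main__":
    srv, res = demo()
    for r in res:
        print(r["state_before"], r["allowed"], r["prompt"])
    print(srv.counts(res[0]["signature"]))
```

The sixth participant never sees a prompt: by then five reports exist and 80% of them declined, so `analyze` returns `"malware"` and the client blocks without user input. Until that threshold is reached, every participant is shown the running allow/decline counts exactly as claim 1 describes and their own answer is added to the aggregate.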