Malware and spyware attack recovery system and method

US 7,756,834 B2
Filed: 11/03/2005
Issued: 07/13/2010
Est. Priority Date: 11/03/2005
Status: Active Grant

First Claim

Patent Images

1. A method for malware recovery in a computer system comprising:

a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;

b) determining that an attack by a malicious program has occurred at the computer system;

c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;

d) for each said corrupted file, scanning by the computer system said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;

e) for each said corrupted file, restoring at the computer system said file to one of said uncorrupted versions thereof;

f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;

g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and

h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and computer program product with encoded instructions provides for repeatedly making data backups for files by making a series of snapshots of file storage volumes containing the files. The method and computer product further provide for determining that a malware attack has occurred, identifying corrupted files and, for each corrupted file, scanning the series of snapshots to identify an uncorrupted version of the file. Each corrupted file is restored to an uncorrupted version thereof. An event log contains write events and snapshot creation events corresponding to creation of each of the snapshots. A forensic scan scans the event log to determine modifying writes made by the corrupted files and which modified further files. The further files are restored to unmodified versions thereof. A list of at-risk files includes the corrupted files and the further files and the forensic scan is repeated on the at-risk files.

Citations

42 Claims

1. A method for malware recovery in a computer system comprising:
- a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred at the computer system;
  
  c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning by the computer system said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
  
  e) for each said corrupted file, restoring at the computer system said file to one of said uncorrupted versions thereof;
  
  f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
  
  h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as in claim 1, wherein said scanning identifies a most recent version of said uncorrupted versions.
  - 3. The method as in claim 1, wherein said step e) comprises replacing at the computer system said corrupted file with said most recent uncorrupted version thereof.
  - 4. The method as in claim 1, wherein the event log further contains snapshot creation events corresponding to creation of each of said snapshots.
  - 5. The method as in claim 4, further comprising:
    - h) defining a first list of at-risk files comprising said corrupted files and said further files;
      
      i) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said at-risk files and which modified additional files of said plurality of files; and
      
      j) adding said additional files to said first list and repeating said step i).
  - 6. The method as in claim 5, further comprising determining modifier files of said plurality of files that modified said corrupted files and identifying prior versions of each of said modifier files that existed prior to modifying said corrupted file, and adding said modified files to said first list and repeating said step i).
  - 7. The method as in claim 4, further comprising scanning said event log to identify said snapshot creation event and associated snapshot of a most recent unmodified version of said unmodified versions of said further file.
  - 8. The method as in claim 4, wherein said restoring at the computer system said further file comprises replacing said further file with said corresponding unmodified version thereof that exists in said snapshot corresponding to a most recent one of said snapshot creation events that precedes an initial write of said modifying writes by which said further file was first modified by one of said corrupted files.
  - 9. The method as in claim 4, wherein said write events and said snapshot creation events are ordered in said event log chronologically.
  - 10. The method as in claim 4, wherein said event log further contains a plurality of write groups, each comprising all of said write events that occur between two successive snapshot creation events of said snapshot creation events, and further comprising scanning said event log to identify first write groups of said write groups that include least recent modifying writes of said modifying writes.
  - 11. The method as in claim 1, further comprising:
    - repeating a process that identifies additional modified files of said plurality of files that were modified by said modified files.
  - 12. The method as in claim 11, wherein said repeating a process includes restoring at the computer system each said additional modified file to a respective unmodified version thereof.
  - 13. The method as in claim 11, wherein said repeating a process comprises iteratively identifying additional modified files of said plurality of files that were modified by said modified files.
  - 14. The method as in claim 11, wherein said repeating a process comprises recursively identifying additional modified files of said plurality of files that were modified by said modified files.
  - 15. The method as in claim 14, wherein said recursively identifying includes scanning said event log to determine modifying writes of said writes that were made by said modified files and which modified said additional modified files.

16. A method for malware recovery in a computer system comprising:
- a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred at the computer system;
  
  c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning by the computer system said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
  
  e) for each said corrupted file, restoring at the computer system said file to one of said uncorrupted versions thereof;
  
  f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files; and
  
  g) scanning said event log to determine further files of said plurality of files that modified said corrupted files and identifying prior versions of each of said further files that existed prior to modifying said corrupted file.
- View Dependent Claims (17, 18, 19)
- - 17. The method as in claim 16, further comprising restoring at least one said further files to one of said prior versions thereof.
  - 18. The method as in claim 17, wherein said event log further includes snapshot creation events corresponding to creation of each of said snapshots, the method further comprising:
    - g) scanning said event log to determine modifying writes of said writes that were made by said further files to affect said corrupted files of said plurality of files.
  - 19. The method as in claim 18, wherein said restoring each said further file to one of said prior versions thereof comprises scanning said event log to identify said snapshot creation event and corresponding snapshot of said one of said prior versions thereof.

20. A method for malware recovery in a computer system comprising:
- a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred at the computer system;
  
  c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning by the computer system said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file; and
  
  e) for each said corrupted file, restoring at the computer system said file to said most recent uncorrupted version thereof;
  
  f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
  
  h) restoring at the computer system each of said further files to an unmodified version thereof;
  
  i) defining a first list of at-risk files comprising said corrupted files and said further files; and
  
  j) identifying additional files of said plurality of files that were modified by said at-risk files.

21. A computer program product storing thereon computer-readable instructions for causing a computer system to perform operations comprising:
- a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred at the computer system;
  
  c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning by the computer system said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file; and
  
  e) for each said corrupted file, restoring at the computer system said file to one of said uncorrupted versions thereof;
  
  f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
  
  h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 22. The computer program product as in claim 21, wherein said scanning identifies a most recent version of said uncorrupted versions.
  - 23. The computer program product as in claim 21, wherein said step e) comprises replacing said corrupted file with said most recent uncorrupted version thereof.
  - 24. The computer program product as in claim 21, wherein the event log further contains snapshot creation events corresponding to creation of each of said snapshots.
  - 25. The computer program product as in claim 24, further comprising encoded instructions for:
    - h) defining a first list of at-risk files comprising said corrupted files and said further files;
      
      i) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said at-risk files and which modified additional files of said plurality of files; and
      
      j) adding said additional files to said first list and repeating said step i).
  - 26. The computer program product as in claim 25, further comprising encoded instructions for:
    - determining modifier files of said plurality of files that modified said corrupted files;
      
      identifying prior versions of each of said modifier files that existed prior to modifying said corrupted file; and
      
      adding said modified files to said first list and repeating said step i).
  - 27. The computer program product as in claim 24 further comprising encoded instructions for scanning said event log to identify said snapshot creation event and associated snapshot of a most recent unmodified version of said unmodified versions of said further file.
  - 28. The computer program product as in claim 24, wherein said restoring comprises replacing said further file with said unmodified version thereof that exists in said snapshot corresponding to a most recent one of said snapshot creation events that precedes an initial write of said modifying writes by which said further file was first modified by one of said corrupted files.
  - 29. The computer program product as in claim 24, wherein said write events and said snapshot creation events are ordered in said event log chronologically.
  - 30. The computer program product as in claim 21, further comprising encoded instructions for:
    - identifying additional files of said plurality of files that were modified by said further files and restoring each said additional file to an unmodified version thereof.
  - 31. The computer program product as in claim 30, further comprising encoded instructions for restoring at the computer system at least one said further file to one of said prior versions thereof.
  - 32. The computer program product as in claim 21, further comprising encoded instructions for determining further files of said plurality of files that modified said corrupted files and identifying prior versions of each of said further files that existed prior to modifying said corrupted file.
  - 33. The computer program product as in claim 32, wherein the event log further includes snapshot creation events corresponding to creation of each of said snapshot, further comprising encoded instructions for:
    - scanning said event log to determine modifying writes of said writes that were made by said further files to affect said corrupted files of said plurality of files.
  - 34. The computer program product as in claim 33, wherein said restoring each said further file to one of said prior versions thereof comprises scanning said event log to identify said snapshot creation event and corresponding snapshot of said one of said prior versions thereof.
  - 35. The computer program product as in claim 21, further comprising encoded instructions for:
    - f) identifying modified files of said plurality of files that were modified by said corrupted files; and
      
      g) repeating a process that identifies additional modified files of said plurality of files that were modified by said modified files.
  - 36. The computer program product as in claim 35, wherein said repeating a process includes restoring at the computer system each said modified file and each said additional modified file to a respective unmodified version thereof.
  - 37. The computer program product as in claim 35, wherein said repeating a process comprises iteratively identifying additional modified files of said plurality of files that were modified by said modified files.
  - 38. The computer program product as in claim 35, wherein said repeating a process comprises recursively identifying additional modified files of said plurality of files that were modified by said modified files.
  - 39. The computer program product as in claim 38, wherein said recursively identifying includes scanning said event log to determine modifying writes of said writes that were made by said modified files and which modified said additional modified files.

40. A computer program product storing thereon computer-readable instructions for causing a computer system to perform operations comprising:
- a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred at the computer system;
  
  c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning by the computer system said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file; and
  
  e) for each said corrupted file, restoring at the computer system said file to said most recent uncorrupted version thereof;
  
  f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
  
  h) restoring at the computer system each of said further files to an unmodified version thereof;
  
  i) defining a first list of at-risk files comprising said corrupted files and said further files; and
  
  j) identifying additional files of said plurality of files that were modified by said at-risk files.

41. A method for malware recovery in a computer system comprising:
- a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred;
  
  c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
  
  e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof;
  
  f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
  
  h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.

42. A computer program product storing thereon computer-readable instructions for causing a computer system to perform operations comprising:
- a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
  
  b) determining that an attack by a malicious program has occurred;
  
  c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
  
  d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
  
  e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof;
  
  f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
  
  g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
  
  h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
I365 Incorporated (Seagate Technology Holdings Plc)
Inventors
Masters, Daniel, Neill, Chris
Primary Examiner(s)
Trujillo; James
Assistant Examiner(s)
Moser; Bruce M

Application Number

US11/266,528
Publication Number

US 20070100905A1
Time in Patent Office

1,713 Days
Field of Search

707/201, 707/202, 707/999.201, 707/999.202, 726 22- 24, 714/2, 714/15
US Class Current

707/640
CPC Class Codes

G06F 21/568 eliminating virus, restorin...

Malware and spyware attack recovery system and method

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Malware and spyware attack recovery system and method

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links