Malware and spyware attack recovery system and method
First Claim
1. A method for malware recovery in a computer system comprising:
a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred at the computer system;
c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning by the computer system said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
e) for each said corrupted file, restoring at the computer system said file to one of said uncorrupted versions thereof;
f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.
Abstract
A method and computer program product with encoded instructions provides for repeatedly making data backups for files by making a series of snapshots of file storage volumes containing the files. The method and computer product further provide for determining that a malware attack has occurred, identifying corrupted files and, for each corrupted file, scanning the series of snapshots to identify an uncorrupted version of the file. Each corrupted file is restored to an uncorrupted version thereof. An event log contains write events and snapshot creation events corresponding to creation of each of the snapshots. A forensic scan scans the event log to determine modifying writes made by the corrupted files and which modified further files. The further files are restored to unmodified versions thereof. A list of at-risk files includes the corrupted files and the further files and the forensic scan is repeated on the at-risk files.
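The recovery procedure summarised in the abstract (a series of snapshots, an event log holding write events and snapshot creation events, a forensic scan over the log, and an at-risk list that is re-scanned until it stops growing), as an added Python illustration; this is not code from the patent or its assignee. The `Event` record layout, the `detect_time` argument (the moment of step b), and the sample log are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One event-log record: a write by one file to another, or a snapshot creation."""
    time: int
    kind: str              # "write" or "snapshot"
    writer: str = ""       # file performing the write (write events)
    target: str = ""       # file modified (write events)
    snapshot_id: str = ""  # snapshot created (snapshot events)

def last_snapshot_before(log, t):
    """Id of the most recent snapshot created strictly before time t, else None."""
    ids = [e.snapshot_id for e in sorted(log, key=lambda e: e.time)
           if e.kind == "snapshot" and e.time < t]
    return ids[-1] if ids else None

def plan_recovery(log, corrupted, detect_time):
    """Repeat the forensic scan until the at-risk list stops growing, then pick per
    at-risk file the last snapshot taken before its first write by an at-risk file."""
    log = sorted(log, key=lambda e: e.time)
    at_risk = set(corrupted)
    while True:
        further = {e.target for e in log if e.kind == "write"
                   and e.writer in at_risk and e.target not in at_risk}
        if not further:          # fixpoint: no new files reachable through writes
            break
        at_risk |= further
    tainted = [e for e in log if e.kind == "write" and e.writer in at_risk]
    # Root corrupted files (the malware binary itself) may have no logged tainted
    # write targeting them; roll those back to before the earliest tainted activity.
    root_cutoff = min([e.time for e in tainted] + [detect_time])
    plan = {}
    for f in sorted(at_risk):
        hits = [e.time for e in tainted if e.target == f]
        cutoff = hits[0] if hits else root_cutoff
        plan[f] = last_snapshot_before(log, cutoff)  # None: no clean snapshot exists
    return plan, at_risk

# Constructed sample log (assumed format): S2 predates the attack, S3 falls inside it.
SAMPLE_LOG = [
    Event(10, "snapshot", snapshot_id="S1"),
    Event(15, "write", writer="editor.exe", target="report.docx"),     # benign edit
    Event(20, "snapshot", snapshot_id="S2"),
    Event(25, "write", writer="dropper.exe", target="report.docx"),    # malware encrypts it
    Event(30, "write", writer="dropper.exe", target="installer.msi"),  # installer trojanised
    Event(32, "snapshot", snapshot_id="S3"),
    Event(35, "write", writer="installer.msi", target="config.ini"),   # second-hop damage
    Event(45, "write", writer="editor.exe", target="notes.txt"),       # unrelated, untouched
]
```

Note that `config.ini` is restored from S3 even though S3 already holds the trojanised `installer.msi`: the restore point is chosen per file from that file's first tainted write, not from one global cut-off.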
42 Claims
1. A method for malware recovery in a computer system comprising:
(Independent claim; its text is identical to the First Claim given above.)
Dependent claims 2 through 15 are not shown.
16. A method for malware recovery in a computer system comprising:
a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred at the computer system;
c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning by the computer system said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
e) for each said corrupted file, restoring at the computer system said file to one of said uncorrupted versions thereof;
f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files; and
g) scanning said event log to determine further files of said plurality of files that modified said corrupted files and identifying prior versions of each of said further files that existed prior to modifying said corrupted file.
Dependent claims 17 through 19 are not shown.
20. A method for malware recovery in a computer system comprising:
a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred at the computer system;
c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning by the computer system said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file; and
e) for each said corrupted file, restoring at the computer system said file to said most recent uncorrupted version thereof;
f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
h) restoring at the computer system each of said further files to an unmodified version thereof;
i) defining a first list of at-risk files comprising said corrupted files and said further files; and
j) identifying additional files of said plurality of files that were modified by said at-risk files.
21. A computer program product storing thereon computer-readable instructions for causing a computer system to perform operations comprising:
a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred at the computer system;
c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning by the computer system said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file; and
e) for each said corrupted file, restoring at the computer system said file to one of said uncorrupted versions thereof;
f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.
Dependent claims 22 through 39 are not shown.
40. A computer program product storing thereon computer-readable instructions for causing a computer system to perform operations comprising:
a) repeatedly making associated data backups at the computer system for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred at the computer system;
c) identifying at the computer system corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning by the computer system said series of snapshots to identify a most recent uncorrupted version of said uncorrupted versions of said file; and
e) for each said corrupted file, restoring at the computer system said file to said most recent uncorrupted version thereof;
f) creating and maintaining an event log that contains write events corresponding to writes performed by said plurality of files, and snapshot creation events corresponding to creation of each of said snapshots;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files;
h) restoring at the computer system each of said further files to an unmodified version thereof;
i) defining a first list of at-risk files comprising said corrupted files and said further files; and
j) identifying additional files of said plurality of files that were modified by said at-risk files.
41. A method for malware recovery in a computer system comprising:
a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred;
c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof;
f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.
42. A computer program product storing thereon computer-readable instructions for causing a computer system to perform operations comprising:
a) repeatedly making associated data backups for each of a plurality of files by making a series of snapshots of file storage volumes containing said plurality of files, each of said data backups comprising versions of said associated file, including uncorrupted versions of said associated file in an uncorrupted state;
b) determining that an attack by a malicious program has occurred;
c) identifying corrupted files of said plurality of files that were corrupted by said malicious program;
d) for each said corrupted file, scanning said series of snapshots to identify an uncorrupted version of said uncorrupted versions of said file;
e) for each said corrupted file, restoring said file to one of said uncorrupted versions thereof;
f) creating and maintaining an event log at the computer system that contains write events corresponding to writes performed by said plurality of files;
g) performing a forensic scan that scans said event log to determine modifying writes of said writes that were made by said corrupted files and which modified further files of said plurality of files; and
h) for each of said further files, identifying unmodified versions thereof and restoring at the computer system said further file to one of said unmodified versions thereof.
Specification