Snapshot and restore technique for computer system recovery
Abstract
A computer system operation registers as an event when an operation potentially characteristic of malware occurs. Events are scored, and when the accumulated score reaches a threshold indicative of a possible malware infection, a restore point is created. Many such restore points are created over time. When a user decides to restore the system because of the presence of malware, a malware report is retrieved. The malware report describes the characteristics of a particular piece of malware, and it is compared to the restore point logs that were created earlier; any number of malware reports may be compared to the restore point logs. A restore point log that shares many of the same system changes or other effects present in a malware report is likely to mark the beginning of that malware infection. The matched restore point log is recommended to the user as the best restore point.
33 Claims
1. A method of creating a restore point for a computer system, said method comprising:
- monitoring operating system operations of said computer system using a module of said computer system;
- opening a restore point log at the start of a computer process and logging operating system changes in said log after said restore point log is opened;
- assigning a score to each of said operations being monitored, said score reflecting the extent to which each of said operations is suspected of being caused by malware;
- keeping a running total of said scores for said operations being monitored;
- making a determination that said running total is greater than a threshold value; and
- creating a restore point for said computer system using said operating system changes that have been logged in said restore point log, wherein said restore point represents a point in time before the beginning of possible malware activity in said computer system.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method of creating a restore point for a computer system, said method comprising:
- monitoring operating system operations of said computer system using a kernel mode module of said computer system;
- turning on a snapshot utility of said computer system at the start of a computer process and beginning to log operating system changes in a restore point log after said snapshot utility is turned on;
- assigning a score to each of said operations being monitored, said score reflecting the extent to which each of said operations is suspected of being caused by malware;
- keeping a running total of said scores for said operations being monitored;
- making a determination that said running total is greater than a threshold value; and
- issuing a snapshot commit command and creating a restore point for said computer system using said operating system changes that have been logged in said restore point log, wherein said restore point represents a point in time before the beginning of possible malware activity in said computer system.

Dependent claims: 10, 11, 12, 13, 14, 15.

16. A method of recommending a restore point for a computer system, said method comprising:
- retrieving a plurality of restore point logs previously created for said computer system using a module of said computer system;
- retrieving a malware report that describes characteristics of a particular piece of malware;
- comparing said malware report to said restore point logs;
- determining that said malware report is similar to one of said restore point logs; and
- making a recommendation that said computer system be restored from a point in time represented by said one of said restore point logs, said point in time being prior to a malware infection.

Dependent claims: 17, 18, 19.

20. A method of recommending a restore point for a computer system, said method comprising:
- determining that said computer system should be restored to a previous point in time using a module of said computer system;
- retrieving a plurality of restore point logs previously created for said computer system, said restore point logs including changes to said computer system;
- retrieving a malware report that describes changes made by said malware to computer systems in which it is present;
- comparing said changes in said malware report to said changes in said restore point logs;
- determining that said malware report is similar to one of said restore point logs; and
- making a recommendation that said computer system be restored from a point in time represented by said one of said restore point logs, said point in time being prior to a malware infection.

Dependent claims: 21, 22.

23. A method of recovering from malware present in a computer system, said method comprising:
- monitoring operating system operations of said computer system using a module of said computer system;
- logging operating system changes in a log from a particular point in time;
- ranking each of said operating system operations from said particular point in time, said rankings reflecting the extent to which each of said operations is suspected of being caused by malware;
- making a determination that a value of said rankings has crossed a threshold value and creating a restore point for said computer system that includes said logged operating system changes;
- comparing a malware report to said log, said malware report describing characteristics of a particular piece of malware;
- determining that said malware report is similar to said log; and
- restoring said computer system using said restore point.

Dependent claims: 24, 25, 26, 27, 28.

29. A method of recovering from malware present in a computer system, said method comprising:
- monitoring operating system operations of said computer system using a module of said computer system;
- turning on a snapshot utility of said computer system and beginning to log operating system changes at a particular point in time in a log;
- ranking each of said operating system operations from said particular point in time, said rankings reflecting the extent to which each of said operations is suspected of being caused by malware;
- making a determination that a value of said rankings has crossed a threshold value;
- issuing a snapshot commit command and creating a restore point for said computer system using said operating system changes that have been logged in said log;
- retrieving a malware report that describes characteristics of said malware;
- comparing said malware report with said log; and
- making a recommendation that said computer system be restored from a point in time represented by said log.

Dependent claims: 30, 31, 32, 33.
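The following toy implementation is an added example, not code from the patent or its assignee, covering the two mechanisms the independent claims describe: scoring monitored operating-system operations and committing a restore point when the running total exceeds a threshold (claims 1 and 9), and comparing a malware report's changes against the restore point logs to recommend the restore point taken just before the infection began (claims 16 and 20). The operation names, the suspicion score table, the event stream and the malware report are all constructed sample data; the patent specifies none of these values, and the similarity measure (fraction of the report's changes found in a log) is one simple choice among many.

```python
"""Added example (not from the patent): scored restore-point creation and
malware-report matching, on constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed suspicion score per monitored operation type (assumption: the
# patent does not give a scoring table). Higher means more malware-like.
SUSPICION_SCORES: Dict[str, int] = {
    "process_create": 1,
    "file_write": 1,
    "registry_run_key_set": 5,
    "service_install": 6,
    "driver_load": 8,
}

Change = Tuple[str, str]  # (operation, target)


@dataclass
class RestorePoint:
    opened_at: int          # event index at which this restore point log was opened
    committed_at: int       # event index whose score pushed the running total over threshold
    log: List[Change]       # operating-system changes logged since opened_at


class RestorePointMonitor:
    """Logs every change, keeps a running suspicion total, and commits a
    restore point (freezing the log) once the total exceeds the threshold."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.restore_points: List[RestorePoint] = []
        self._open_log(0)

    def _open_log(self, event_index: int) -> None:
        self.opened_at = event_index
        self.log: List[Change] = []
        self.running_total = 0

    def observe(self, event_index: int, operation: str, target: str) -> Optional[RestorePoint]:
        """Record one change; returns the RestorePoint if this event triggered a commit."""
        self.log.append((operation, target))
        self.running_total += SUSPICION_SCORES.get(operation, 0)
        if self.running_total > self.threshold:
            # "Snapshot commit": the restore point stands for the system state at
            # opened_at, i.e. before the logged changes were made.
            rp = RestorePoint(self.opened_at, event_index, list(self.log))
            self.restore_points.append(rp)
            self._open_log(event_index + 1)
            return rp
        return None


def change_keys(changes: List[Change]) -> set:
    return {f"{op}:{target}" for op, target in changes}


def recommend_restore_point(restore_points: List[RestorePoint], malware_report: List[Change],
                            min_similarity: float = 0.5) -> Optional[Tuple[int, float]]:
    """Return (index, similarity) of the restore point whose log best matches the
    report, or None if no log is similar enough. Similarity is the fraction of the
    report's changes that also appear in the log."""
    report = change_keys(malware_report)
    best: Optional[Tuple[int, float]] = None
    for i, rp in enumerate(restore_points):
        similarity = len(change_keys(rp.log) & report) / len(report)
        if best is None or similarity > best[1]:
            best = (i, similarity)
    if best is None or best[1] < min_similarity:
        return None
    return best


# Constructed event stream: a legitimate installer first, then a malware-like
# sequence (temp-directory payload, run key, driver, service) mixed with user activity.
EVENTS: List[Change] = [
    ("process_create", "setup.exe"),
    ("file_write", "C:/Program Files/App/app.exe"),
    ("service_install", "AppSvc"),
    ("registry_run_key_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/App"),
    ("process_create", "notepad.exe"),
    ("file_write", "C:/Users/u/notes.txt"),
    ("process_create", "updater.exe"),
    ("file_write", "C:/Windows/Temp/x.tmp"),
    ("registry_run_key_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/x"),
    ("driver_load", "C:/Windows/Temp/x.sys"),
    ("service_install", "xsvc"),
    ("file_write", "C:/Users/u/report.docx"),
]

# Constructed malware report: the changes a particular sample is known to make.
MALWARE_REPORT: List[Change] = [
    ("file_write", "C:/Windows/Temp/x.tmp"),
    ("registry_run_key_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/x"),
    ("driver_load", "C:/Windows/Temp/x.sys"),
    ("service_install", "xsvc"),
]


def run_demo(threshold: int = 10):
    """Replay the constructed events, then match the report against the committed logs."""
    monitor = RestorePointMonitor(threshold)
    for i, (op, target) in enumerate(EVENTS):
        monitor.observe(i, op, target)
    return monitor.restore_points, recommend_restore_point(monitor.restore_points, MALWARE_REPORT)


if __name__ == "__main__":
    points, pick = run_demo()
    for i, rp in enumerate(points):
        print(f"restore point {i}: state at event {rp.opened_at}, committed at event {rp.committed_at}")
    print("recommended:", pick)
```

With the constructed data the installer alone drives the total over the threshold, so two restore points are committed; the report shares none of the installer's changes and three of the four changes in the second log, so the second restore point (system state at event 4, before the malware-like activity began) is recommended. Matching exact targets is deliberately naive: a practical matcher would normalise paths and registry keys and tolerate randomised file names, which this example does not attempt.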
Specification