Snapshot and restore technique for computer system recovery

US 7,784,098 B1
Filed: 07/14/2005
Issued: 08/24/2010
Est. Priority Date: 07/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method of creating a restore point for a computer system, said method comprising:

monitoring operating system operations of said computer system using a module of said computer system;

opening a restore point log at the start of a computer process and logging operating system changes in said log after said restore point log is opened;

assigning a score to each of said operations being monitored, said score reflecting the extent to which each of said operations is suspected of being caused by malware;

keeping a running total of said scores for said operations being monitored;

making a determination that said running total is greater than a threshold value; and

creating a restore point for said computer system using said operating system changes that have been logged in said restore point log, wherein said restore point represents a point in time before the beginning of possible malware activity in said computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system operation registers as an event when an operation potentially characteristic of malware occurs. Events are scored and when a threshold is reached indicative of a possible malware infection a restore point is created. Many restore points are created. When a user decides to restore the system because of the presence of malware a malware report is retrieved. The malware report describes characteristics of a particular piece of malware. The malware report is compared to the restore point logs that had been created earlier. Any number of malware reports are compared to the restore point logs. A restore point log that shares many of the same system changes or other effects also present in a malware report is likely to be an indication of the beginning of a malware infection. The matched restore point log is recommended to the user as the best restore point.

117 Citations

View as Search Results

33 Claims

1. A method of creating a restore point for a computer system, said method comprising:
- monitoring operating system operations of said computer system using a module of said computer system;
  
  opening a restore point log at the start of a computer process and logging operating system changes in said log after said restore point log is opened;
  
  assigning a score to each of said operations being monitored, said score reflecting the extent to which each of said operations is suspected of being caused by malware;
  
  keeping a running total of said scores for said operations being monitored;
  
  making a determination that said running total is greater than a threshold value; and
  
  creating a restore point for said computer system using said operating system changes that have been logged in said restore point log, wherein said restore point represents a point in time before the beginning of possible malware activity in said computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1 wherein said creating a restore point makes use of an application programming interface (API) to communicate with a software application.
  - 3. A method as recited in claim 1 wherein said monitoring operating system operations occurs in a module of the kernel of said computer system.
  - 4. A method as recited in claim 1 further comprising:
    - recommending said restore point from which to restore said computer system.
  - 5. A method as recited in claim 1 wherein said malware is a computer virus, a computer worm or a computer Trojan horse.
  - 6. A method as recited in claim 1 further comprising:
    - creating said restore point at a point in time before said operating system changes occur.
  - 7. A method as recited in claim 1 wherein said steps of assigning, keeping and making occur while said operating system operations are being monitored.
  - 8. A method as recited in claim 1 further comprising:
    - making said determination at the end of said computer process.

9. A method of creating a restore point for a computer system, said method comprising:
- monitoring operating system operations of said computer system using a kernel mode module of said computer system;
  
  turning on a snapshot utility of said computer system at the start of a computer process and beginning to log operating system changes in a restore point log after said snapshot utility is turned on;
  
  assigning a score to each of said operations being monitored, said score reflecting the extent to which each of said operations is suspected of being caused by malware;
  
  keeping a running total of said scores for said operations being monitored;
  
  making a determination that said running total is greater than a threshold value; and
  
  issuing a snapshot commit command and creating a restore point for said computer system using said operating system changes that have been logged in said restore point log, wherein said restore point represents a point in time before the beginning of possible malware activity in said computer system.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A method as recited in claim 9 wherein said creating a restore point makes use of an application programming interface (API) to communicate with a software application.
  - 11. A method as recited in claim 9 further comprising:
    - recommending said restore point from which to restore said computer system.
  - 12. A method as recited in claim 9 wherein said malware is a computer virus, a computer worm or a computer Trojan horse.
  - 13. A method as recited in claim 9 further comprising:
    - creating said restore point at a point in time before said operating system changes occur.
  - 14. A method as recited in claim 9 wherein said steps of assigning, keeping and making occur while said operating system operations are being monitored.
  - 15. A method as recited in claim 9 further comprising:
    - making said determination at the end of said computer process.

16. A method of recommending a restore point for a computer system, said method comprising:
- retrieving a plurality of restore point logs previously created for said computer system using a module of said computer system;
  
  retrieving a malware report that describes characteristics of a particular piece of malware;
  
  comparing said malware report to said restore point logs;
  
  determining that said malware report is similar to one of said restore point logs; and
  
  making a recommendation that said computer system be restored from a point in time represented by said one of said restore point logs, said point in time being prior to a malware infection.
- View Dependent Claims (17, 18, 19)
- - 17. A method as recited in claim 16 wherein said comparing compares said malware report to one of said restore point logs category-by-category.
  - 18. A method as recited in claim 16 wherein said malware is a computer virus, a computer worm or a computer Trojan horse.
  - 19. A method as recited in claim 16 wherein each of said restore point logs includes information indicating malware activities within said computer system.

20. A method of recommending a restore point for a computer system, said method comprising:
- determining that said computer system should be restored to a previous point in time using a module of said computer system;
  
  retrieving a plurality of restore point logs previously created for said computer system, said restore point logs including changes to said computer system;
  
  retrieving a malware report that describes changes made by said malware to computer systems in which it is present;
  
  comparing said changes in said malware report to said changes in said restore point logs;
  
  determining that said malware report is similar to one of said restore point logs; and
  
  making a recommendation that said computer system be restored from a point in time represented by said one of said restore point logs, said point in time being prior to a malware infection.
- View Dependent Claims (21, 22)
- - 21. A method as recited in claim 20 wherein said comparing compares said malware report to one of said restore point logs category-by-category.
  - 22. A method as recited in claim 20 wherein said malware is a computer virus, a computer worm or a computer Trojan horse.

23. A method of recovering from malware present in a computer system, said method comprising:
- monitoring operating system operations of said computer system using a module of said computer system;
  
  logging operating system changes in a log from a particular point in time;
  
  ranking each of said operating system operations from said particular point in time, said rankings reflecting the extent to which each of said operations is suspected of being caused by malware;
  
  making a determination that a value of said rankings has crossed a threshold value and creating a restore point for said computer system that includes said logged operating system changes;
  
  comparing a malware report to said log, said malware report describing characteristics of a particular piece of malware;
  
  determining that said malware report is similar to said log; and
  
  restoring said computer system using said restore point.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. A method as recited in claim 23 wherein said creating a restore point makes use of an application programming interface (API) to communicate with a software application.
  - 25. A method as recited in claim 23 wherein said monitoring operating system operations occurs in a module of the kernel of said computer system.
  - 26. A method as recited in claim 23 further comprising:
    - recommending said restore point from which to restore said computer system.
  - 27. A method as recited in claim 23 wherein said malware is a computer virus, a computer worm or a computer Trojan horse.
  - 28. A method as recited in claim 23 wherein said comparing compares said malware report to said restore point log category-by-category.

29. A method of recovering from malware present in a computer system, said method comprising:
- monitoring operating system operations of said computer system using a module of said computer system;
  
  turning on a snapshot utility of said computer system and beginning to log operating system changes at a particular point in time in a log;
  
  ranking each of said operating system operations from said particular point in time, said rankings reflecting the extent to which each of said operations is suspected of being caused by malware;
  
  making a determination that a value of said rankings has crossed a threshold value;
  
  issuing a snapshot commit command and creating a restore point for said computer system using said operating system changes that have been logged in said log;
  
  retrieving a malware report that describes characteristics of said malware;
  
  comparing said malware report with said log; and
  
  making a recommendation that said computer system be restored from a point in time represented by said log.
- View Dependent Claims (30, 31, 32, 33)
- - 30. A method as recited in claim 29 wherein said creating a restore point makes use of an application programming interface (API) to communicate with a software application.
  - 31. A method as recited in claim 29 wherein said monitoring operating system operations occurs in a module of the kernel of said computer system.
  - 32. A method as recited in claim 29 wherein said malware is a computer virus, a computer worm or a computer Trojan horse.
  - 33. A method as recited in claim 29 wherein said comparing compares said malware report to said restore point log category-by-category.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Lin, Jason, Wang, Pumbaa, Fan, Paul
Primary Examiner(s)
Cervetti; David García

Application Number

US11/181,320
Time in Patent Office

1,867 Days
Field of Search

726/24, 726/25
US Class Current

726/25
CPC Class Codes

G06F 11/1469   Backup restoration techniques

G06F 11/1471   involving logging of persis...

G06F 21/568   eliminating virus, restorin...

G06F 2201/84   Using snapshots, i.e. a log...

Snapshot and restore technique for computer system recovery

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

117 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Snapshot and restore technique for computer system recovery

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links