Mechanism to check the malicious alteration of malware scanner

US 7,810,091 B2
Filed: 04/04/2002
Issued: 10/05/2010
Est. Priority Date: 04/04/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product embodied on a computer-readable physical storage medium, said computer program product comprising:

installation checking code validated with a further computer connected by a network link to a target computer and operable to execute upon said target computer to gather characteristics of an installation of a target computer program upon said target computer;

comparing code operable to compare said gathered characteristics with predetermined valid characteristics, said predetermined valid characteristics being set up by an administrator as common valid characteristics for a plurality of computers of a network including said target computer;

response code operable if said gathered characteristics match said predetermined valid characteristics to trigger an installation valid response and operable if said gathered characteristics do not match said predetermined valid characteristics to trigger an installation invalid response;

wherein said computer program product is operable such that said characteristics of said installation include;

operating system registry entries for said target computer program;

a list of files stored in a program file directory of said target computer program;

one or more file size values associated with one or more files of said target computer program; and

one or more checksum values associated with one or more files of said target computer program;

wherein said target computer program is a malware scanning computer program;

wherein said computer program product is operable such that validation of said installation is triggered when said target computer connects to the network;

wherein said computer program product is operable such that an agent computer program that executes said installation checking code is installed on said target computer and is authenticated using a Pretty Good Privacy (PGP) signature associated with said agent computer program after said agent computer program is installed on said target computer;

wherein said computer program product is operable such that, if said authentication of said agent computer program is not passed, said target computer is refused access to said network, and a warning message is issued;

wherein said computer program product is operable such that, if said authentication of said agent computer program is passed, said installation checking code is executed by said agent computer program as part of its own agent main routine.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The installation of a computer program, such as a malware scanner, may be checked to determine whether or not it has not been tampered with using an installation checking computer program to gather characteristics of the installation of the target computer program after the installation checking computer program has first been validated by a separate further computer. The installation characteristics may include operating system registry entries, installed files list, file sizes and file checksums.

44 Citations

View as Search Results

25 Claims

1. A computer program product embodied on a computer-readable physical storage medium, said computer program product comprising:
- installation checking code validated with a further computer connected by a network link to a target computer and operable to execute upon said target computer to gather characteristics of an installation of a target computer program upon said target computer;
  
  comparing code operable to compare said gathered characteristics with predetermined valid characteristics, said predetermined valid characteristics being set up by an administrator as common valid characteristics for a plurality of computers of a network including said target computer;
  
  response code operable if said gathered characteristics match said predetermined valid characteristics to trigger an installation valid response and operable if said gathered characteristics do not match said predetermined valid characteristics to trigger an installation invalid response;
  
  wherein said computer program product is operable such that said characteristics of said installation include;
  
  operating system registry entries for said target computer program;
  
  a list of files stored in a program file directory of said target computer program;
  
  one or more file size values associated with one or more files of said target computer program; and
  
  one or more checksum values associated with one or more files of said target computer program;
  
  wherein said target computer program is a malware scanning computer program;
  
  wherein said computer program product is operable such that validation of said installation is triggered when said target computer connects to the network;
  
  wherein said computer program product is operable such that an agent computer program that executes said installation checking code is installed on said target computer and is authenticated using a Pretty Good Privacy (PGP) signature associated with said agent computer program after said agent computer program is installed on said target computer;
  
  wherein said computer program product is operable such that, if said authentication of said agent computer program is not passed, said target computer is refused access to said network, and a warning message is issued;
  
  wherein said computer program product is operable such that, if said authentication of said agent computer program is passed, said installation checking code is executed by said agent computer program as part of its own agent main routine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A computer program product as claimed in claim 1, wherein said installation checking code is validated by being securely stored on said further computer and transferred from said further computer to said target computer before being executed on said target computer.
  - 3. A computer program product as claimed in claim 1, wherein said installation checking code is validated by sending a secure key to said further computer.
  - 4. A computer program product as claimed in claim 1, wherein validation of said installation is also triggered by a user input.
  - 5. A computer program product as claimed in claim 1, wherein a login script for said target computer starts execution of said installation checking computer code.
  - 6. A computer program product as claimed in claim 1, wherein said malware scanning computer program scans for one or more of:
    - computer viruses;
      
      worms;
      
      Trojans;
      
      banned files;
      
      banned words; and
      
      banned images.
  - 7. A computer program product as claimed in claim 1, wherein said predetermined valid characteristics are stored on said further computer.
  - 8. A computer program product as claimed in claim 1, wherein said installation invalid response disables said target computer program and issues an alert message.
  - 9. A computer program product as claimed in claim 1, wherein said installation invalid response installs a clean copy of said malware scanning computer program.
  - 10. A computer program product as claimed in claim 4, wherein said user input includes a scheduled event.
  - 11. A computer program product as claimed in claim 1, wherein said installation checking code is transferred from said further computer to said target computer for execution on said target computer.

12. A method, said method comprising the steps of:
- validating security of an installation checking computer program with a further computer connected by a network link to a target computer;
  
  executing said installation checking computer program upon said target computer to gather characteristics of an installation of a target computer program upon said target computer;
  
  comparing said gathered characteristics with predetermined valid characteristics, said predetermined valid characteristics being set up by an administrator as common valid characteristics for a plurality of computers of a network including said target computer;
  
  if said gathered characteristics match said predetermined valid characteristics, then triggering an installation valid response; and
  
  if said gathered characteristics do not match said predetermined valid characteristics, then triggering an installation invalid response;
  
  wherein said characteristics of said installation include;
  
  operating system registry entries for said target computer program;
  
  a list of files stored in a program file directory of said target computer program;
  
  one or more file size values associated with one or more files of said target computer program; and
  
  one or more checksum values associated with one or more files of said target computer program;
  
  wherein said target computer program is a malware scanning computer program;
  
  wherein validation of said installation is triggered when said target computer connects to the network;
  
  wherein said installation checking computer program is installed on said target computer and is authenticated using a Pretty Good Privacy (PGP) signature associated with said installation checking computer program after said installation checking computer program is installed on said target computer;
  
  wherein, if said authentication of said installation checking computer program is not passed, said target computer is refused access to said network, and a warning message is issued;
  
  wherein, if said authentication of said installation checking computer program is passed, installation checking code is executed by said installation checking computer program as part of its own agent main routine.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. A method as claimed in claim 12, wherein said installation checking computer program is validated by being securely stored on said further computer and transferred from said further computer to said target computer before being executed on said target computer.
  - 14. A method as claimed in claim 12, wherein said installation checking computer program is validated by sending a secure key to said further computer.
  - 15. A method as claimed in claim 12, wherein validation of said installation is also triggered by a user input.
  - 16. A method as claimed in claim 12, wherein a login script for said target computer starts execution of said installation checking.
  - 17. A method as claimed in claim 12, wherein said malware scanning computer program scans for one or more of:
    - computer viruses;
      
      worms;
      
      Trojans;
      
      banned files;
      
      banned words; and
      
      banned images.
  - 18. A method as claimed in claim 12, wherein said predetermined valid characteristics are stored on said further computer.

19. Apparatus embodied on a computer-readable physical storage medium, said apparatus comprising:
- installation checking logic validated with a further computer connected by a network link to a target computer and operable to execute upon said target computer to gather characteristics of an installation of a target computer program upon said target computer;
  
  comparing logic operable to compare said gathered characteristics with predetermined valid characteristics, said predetermined valid characteristics being set up by an administrator as common valid characteristics for a plurality of computers of a network including said target computer;
  
  response logic operable if said gathered characteristics match said predetermined valid characteristics to trigger an installation valid response and operable if said gathered characteristics do not match said predetermined valid characteristics to trigger an installation invalid response;
  
  wherein said apparatus is operable such that said characteristics of said installation include;
  
  operating system registry entries for said target computer program;
  
  a list of files stored in a program file directory of said target computer program;
  
  one or more file size values associated with one or more files of said target computer program; and
  
  one or more checksum values associated with one or more files of said target computer program;
  
  wherein said target computer program is a malware scanning computer program;
  
  wherein said apparatus is operable such that validation of said installation is triggered when said target computer connects to the network;
  
  wherein said apparatus is operable such that an agent computer program that executes said installation checking logic is installed on said target computer and is authenticated using a Pretty Good Privacy (PGP) signature associated with said agent computer program after said agent computer program is installed on said target computer;
  
  wherein said apparatus is operable such that, if said authentication of said agent computer program is not passed, said target computer is refused access to said network, and a warning message is issued;
  
  wherein said apparatus is operable such that, if said authentication of said agent computer program is passed, said installation checking logic is executed by said agent computer program as part of its own agent main routine.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. Apparatus as claimed in claim 19, wherein said installation checking logic is validated by being securely stored on said further computer and transferred from said further computer to said target computer before being executed on said target computer.
  - 21. Apparatus as claimed in claim 19, wherein said installation checking logic is validated by sending a secure key to said further computer.
  - 22. Apparatus as claimed in claim 19, wherein validation of said installation is also triggered by a user input.
  - 23. Apparatus as claimed in claim 19, wherein a login script for said target computer starts execution of said installation checking logic.
  - 24. Apparatus as claimed in claim 19, wherein said malware scanning computer program scans for one or more of:
    - computer viruses;
      
      worms;
      
      Trojans;
      
      banned files;
      
      banned words; and
      
      banned images.
  - 25. Apparatus as claimed in claim 19, wherein said predetermined valid characteristics are stored on said further computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Harris, Mark, Gartside, Paul Nicholas
Primary Examiner(s)
Bullock, Jr.; Lewis A
Assistant Examiner(s)
Tecklu; Isaac T

Application Number

US10/115,039
Publication Number

US 20030192033A1
Time in Patent Office

3,106 Days
Field of Search

717168-178, 714/38, 714/39, 707/201, 707/232, 713/200, 726/22
US Class Current

717/177
CPC Class Codes

G06F 21/565   by checking file integrity

G06F 21/567   using dedicated hardware

G06F 8/61   Installation

Mechanism to check the malicious alteration of malware scanner

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism to check the malicious alteration of malware scanner

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links