Malware removal system and method

US 7,941,850 B1
Filed: 12/23/2005
Issued: 05/10/2011
Est. Priority Date: 12/23/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

executing, on a processor, a malicious code removal application, wherein said executing includes;

hooking a creation function to permit interception of a recreation request;

determining if an attempt to recreate a new instance of a requested resource via the recreation request made by an originating process,wherein said determining is performed prior to execution of the recreation request; and

wherein were the recreation request executed, said recreation request would create the new instance of said requested resource whether or not said requested resource presently exists or previously existed;

upon determining that said attempt to recreate a requested resource via a recreation request was made, determining if said requested resource is a suspicious resource;

upon determining that said requested resource is said suspicious resource, stalling said recreation request;

identifying, following the stalling, the originating process of said recreation request;

upon identifying said originating process of said recreation request, determining if said originating process is a non-trusted originating process or a trusted originating process;

upon determining that said originating process is said non-trusted originating process, determining if said non-trusted originating process is a known false positive module;

upon a determination that said non-trusted originating process is not the known false positive module taking a protective action; and

upon a determination that said non-trusted originating process is said known false positive module, taking no protective action.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes determining if an attempt to recreate a requested resource is made, and, if so, if the requested resource is a suspicious resource. If the requested resource is a suspicious resource, identification of an originating process is made. A determination is made if the originating process is a non-trusted originating process or a trusted originating process. If the originating process is the non-trusted originating process, a protective action is taken. In this manner, self-repairing and persistent malicious code is identified and removed with minimal adverse impact on system functionality.

18 Citations

View as Search Results

17 Claims

1. A computer-implemented method comprising:
- executing, on a processor, a malicious code removal application, wherein said executing includes;
  
  hooking a creation function to permit interception of a recreation request;
  
  determining if an attempt to recreate a new instance of a requested resource via the recreation request made by an originating process,wherein said determining is performed prior to execution of the recreation request; and
  
  wherein were the recreation request executed, said recreation request would create the new instance of said requested resource whether or not said requested resource presently exists or previously existed;
  
  upon determining that said attempt to recreate a requested resource via a recreation request was made, determining if said requested resource is a suspicious resource;
  
  upon determining that said requested resource is said suspicious resource, stalling said recreation request;
  
  identifying, following the stalling, the originating process of said recreation request;
  
  upon identifying said originating process of said recreation request, determining if said originating process is a non-trusted originating process or a trusted originating process;
  
  upon determining that said originating process is said non-trusted originating process, determining if said non-trusted originating process is a known false positive module;
  
  upon a determination that said non-trusted originating process is not the known false positive module taking a protective action; and
  
  upon a determination that said non-trusted originating process is said known false positive module, taking no protective action.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - upon determining that said originating process is a trusted originating process, identifying an originating thread of said recreation request;
      
      upon identifying said originating thread of said recreation request, determining if said originating thread is a non-trusted originating thread or a trusted originating thread; and
      
      upon determining that said originating thread is said non-trusted originating thread, taking said protective action.
  - 3. The computer-implemented method of claim 1, further comprising:
    - establishing communication with a security process to generate information about malicious code removal, said generated information used for said determining if an attempt to recreate a requested resource via a recreation request is made.
  - 4. The computer-implemented method of claim 1, wherein said protective action comprises:
    - terminating said non-trusted originating process.
  - 5. The computer-implemented method of claim 2, wherein if said originating thread is determined to be said non-trusted originating thread, said protective action comprises:
    - terminating said non-trusted originating thread.
  - 6. The computer-implemented method of claim 5, wherein said protective action further comprises:
    - removing malicious code.
  - 7. The computer-implemented method of claim 2, wherein if said originating thread is determined to be said non-trusted originating thread, said protective action comprises:
    - stalling said non-trusted originating thread.

8. A computer-implemented method comprising:
- executing, on a processor, a malicious code removal application, wherein said executing includes;
  
  establishing communication with a security process to provide information about malicious code removal;
  
  hooking a creation function to permit interception of a recreation request;
  
  determining if an attempt to recreate a new instance of a requested resource via said recreation request made by an originating process,wherein said determining is performed prior to execution of the recreation request; and
  
  wherein were the recreation request executed, said recreation request would create the new instance of said requested resource whether or not said requested resource presently exists or previously existed;
  
  upon determining that said attempt to recreate a requested resource is made, determining if said requested resource is a suspicious resource;
  
  upon determining that said requested resource is said suspicious resource, stalling said recreation request;
  
  identifying, following the stalling, the originating process of said recreation request;
  
  determining if said originating process is a non-trusted originating process or a trusted originating process;
  
  upon determining that said originating process is said non-trusted originating process, determining if said non-trusted originating process is a known false positive module;
  
  upon determining that said non-trusted originating process is not said known false positive module, taking a protective action;
  
  upon determining that said originating process is said trusted originating process, identifying an originating thread of said trusted originating process, said originating thread associated with said attempt to recreate a requested resource;
  
  determining if said originating thread of said trusted originating process is a non-trusted originating thread or a trusted originating thread;
  
  upon determining that said originating thread is said non-trusted originating thread, determining if said non-trusted originating thread is said known false positive module; and
  
  upon determining that said non-trusted originating thread is not said known false positive module, taking said protective action.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computer-implemented method of claim 8, further comprising:
    - upon determining that said originating thread is said trusted originating thread, enabling recreation of said requested resource.
  - 10. The computer-implemented method of claim 8, whereupon determining that said originating process is said non-trusted originating process, said protective action comprises:
    - removing malicious code; and
      
      terminating said non-trusted originating process.
  - 11. The computer-implemented method of claim 8, whereupon determining that said originating thread is said non-trusted originating thread, said protective action comprises:
    - enabling recreation of said new instance of said requested resource;
      
      terminating said non-trusted originating thread; and
      
      removing malicious code.
  - 12. The computer-implemented method of claim 8, whereupon determining that said originating thread is said non-trusted originating thread, said protective action comprises:
    - terminating said non-trusted originating thread; and
      
      gathering information.
  - 13. The computer-implemented method of claim 12, further comprising:
    - returning an imposter success code to said non-trusted originating thread.
  - 14. The computer-implemented method of claim 12, further comprising:
    - taking a defined action based on information gathered in said gathering information.
  - 15. The computer-implemented method of claim 14, wherein said defined action comprises at least one of:
    - permitting creation of said requested resource;
      
      invoking security code;
      
      permitting said attempt to recreate a requested resource to fail;
      
      providing notification to a user;
      
      providing notification to a log; and
      
      permitting a selective action.

16. A computer-program product comprising a computer readable medium containing computer program code comprising:
- a malicious code removal application for hooking a creation function to permit interception of a recreation request;
  
  a malicious code removal application for determining that an attempt to recreate a new instance of a requested resource via the recreation request made by an originating process,wherein said determining is performed prior to execution of the recreation request; and
  
  wherein were the recreation request executed, said recreation request would create the new instance of said requested resource whether or not said requested resource presently exists or previously existed;
  
  said malicious code removal application further for determining that said requested resource is a suspicious resource, upon determining said attempt to recreate a requested resource via a recreation request is made;
  
  said malicious code removal application further for stalling said recreation request, upon determining said requested resource is said suspicious resource;
  
  said malicious code removal application further for identifying the originating process of said recreation request following the stalling said malicious code removal application further for determining that said originating process is a non-trusted originating process or a trusted originating process, upon said identifying the originating process;
  
  said malicious code removal application further for determining if said non-trusted originating process is a known false positive module, upon determining that said originating process is said non-trusted originating process;
  
  said malicious code removal application further for taking a protective action upon determining said non-trusted originating process is not the known false positive module; and
  
  said malicious code removal application further taking no protective action upon a determination that said non-trusted originating process is said known false positive module.
- View Dependent Claims (17)
- - 17. The computer-program product of claim 16, wherein:
    - said malicious code removal application further for identifying an originating thread of said originating process, upon determining said originating process is said trusted originating process;
      
      said malicious code removal application further for determining that said originating thread is a non-trusted originating thread or a trusted originating thread, upon said identifying an originating thread; and
      
      said malicious code removal application further for taking said protective action upon determining said originating thread is said non-trusted originating thread.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
Salehi; Helai

Application Number

US11/317,320
Time in Patent Office

1,964 Days
Field of Search

726/22, 726/23, 726/24, 726/25, 713189-194
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

Malware removal system and method

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Malware removal system and method

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links