Malware removal system and method
First Claim
1. A computer-implemented method comprising:
executing, on a processor, a malicious code removal application, wherein said executing includes:
hooking a creation function to permit interception of a recreation request;
determining if an attempt to recreate a new instance of a requested resource via the recreation request made by an originating process, wherein said determining is performed prior to execution of the recreation request; and
wherein were the recreation request executed, said recreation request would create the new instance of said requested resource whether or not said requested resource presently exists or previously existed;
upon determining that said attempt to recreate a requested resource via a recreation request was made, determining if said requested resource is a suspicious resource;
upon determining that said requested resource is said suspicious resource, stalling said recreation request;
identifying, following the stalling, the originating process of said recreation request;
upon identifying said originating process of said recreation request, determining if said originating process is a non-trusted originating process or a trusted originating process;
upon determining that said originating process is said non-trusted originating process, determining if said non-trusted originating process is a known false positive module;
upon a determination that said non-trusted originating process is not the known false positive module, taking a protective action; and
upon a determination that said non-trusted originating process is said known false positive module, taking no protective action.
Abstract
A method includes determining if an attempt to recreate a requested resource is made, and, if so, if the requested resource is a suspicious resource. If the requested resource is a suspicious resource, identification of an originating process is made. A determination is made if the originating process is a non-trusted originating process or a trusted originating process. If the originating process is the non-trusted originating process, a protective action is taken. In this manner, self-repairing and persistent malicious code is identified and removed with minimal adverse impact on system functionality.
17 Claims
1. Independent claim 1 is reproduced in full under "First Claim" above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented method comprising:
executing, on a processor, a malicious code removal application, wherein said executing includes:
establishing communication with a security process to provide information about malicious code removal;
hooking a creation function to permit interception of a recreation request;
determining if an attempt to recreate a new instance of a requested resource via said recreation request made by an originating process, wherein said determining is performed prior to execution of the recreation request; and
wherein were the recreation request executed, said recreation request would create the new instance of said requested resource whether or not said requested resource presently exists or previously existed;
upon determining that said attempt to recreate a requested resource is made, determining if said requested resource is a suspicious resource;
upon determining that said requested resource is said suspicious resource, stalling said recreation request;
identifying, following the stalling, the originating process of said recreation request;
determining if said originating process is a non-trusted originating process or a trusted originating process;
upon determining that said originating process is said non-trusted originating process, determining if said non-trusted originating process is a known false positive module;
upon determining that said non-trusted originating process is not said known false positive module, taking a protective action;
upon determining that said originating process is said trusted originating process, identifying an originating thread of said trusted originating process, said originating thread associated with said attempt to recreate a requested resource;
determining if said originating thread of said trusted originating process is a non-trusted originating thread or a trusted originating thread;
upon determining that said originating thread is said non-trusted originating thread, determining if said non-trusted originating thread is said known false positive module; and
upon determining that said non-trusted originating thread is not said known false positive module, taking said protective action.
Dependent claims: 9, 10, 11, 12, 13, 14, 15.
16. A computer-program product comprising a computer readable medium containing computer program code comprising:
a malicious code removal application for hooking a creation function to permit interception of a recreation request;
said malicious code removal application further for determining that an attempt to recreate a new instance of a requested resource via the recreation request was made by an originating process, wherein said determining is performed prior to execution of the recreation request; and
wherein were the recreation request executed, said recreation request would create the new instance of said requested resource whether or not said requested resource presently exists or previously existed;
said malicious code removal application further for determining that said requested resource is a suspicious resource, upon determining said attempt to recreate a requested resource via a recreation request is made;
said malicious code removal application further for stalling said recreation request, upon determining said requested resource is said suspicious resource;
said malicious code removal application further for identifying the originating process of said recreation request following the stalling;
said malicious code removal application further for determining that said originating process is a non-trusted originating process or a trusted originating process, upon said identifying the originating process;
said malicious code removal application further for determining if said non-trusted originating process is a known false positive module, upon determining that said originating process is said non-trusted originating process;
said malicious code removal application further for taking a protective action upon determining said non-trusted originating process is not the known false positive module; and
said malicious code removal application further for taking no protective action upon a determination that said non-trusted originating process is said known false positive module.
Dependent claims: 17.
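The decision tree that the abstract and independent claims 1 and 8 describe, as an added example that is not code from the patent or its assignee. The patent text does not say which creation function is hooked or how trust is established; here the hook is a plain Python function that holds the request until a decision is made, trust is decided by directory prefix, and every path, process, thread and pattern below is constructed for the example.

```python
"""Decision tree for an intercepted "recreation" request, following claims 1 and 8.

Added example, not code from the patent. The hooked creation function (a file or
registry-key creation API in a real product) is stood in for by hooked_create();
all paths, trust lists and patterns are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase


class Action(Enum):
    ALLOW = "allow"   # release the stalled request so it executes normally
    BLOCK = "block"   # protective action: fail the request and report its origin


@dataclass
class Thread:
    tid: int
    start_module: str          # module whose code the originating thread is running


@dataclass
class Process:
    pid: int
    image: str                 # executable path of the originating process
    threads: dict = field(default_factory=dict)


@dataclass
class RecreationRequest:
    resource: str              # file path or registry key being (re)created
    pid: int
    tid: int
    create_always: bool        # True if the call creates the resource whether or not it exists


@dataclass
class Policy:
    """Hypothetical policy data; a product would derive trust from signatures or hashes."""
    suspicious_patterns: list       # artifacts a cleanup just removed, or known malware names
    trusted_dirs: list              # images and modules under these directories are trusted
    false_positive_modules: set     # non-trusted modules known to legitimately recreate resources

    def is_suspicious(self, resource):
        return any(fnmatchcase(resource.lower(), p.lower()) for p in self.suspicious_patterns)

    def is_trusted(self, module):
        return any(module.lower().startswith(d.lower()) for d in self.trusted_dirs)

    def is_false_positive(self, module):
        return module.lower() in {m.lower() for m in self.false_positive_modules}


def evaluate(req, processes, policy):
    """Return (Action, reason). Runs while the request is stalled, before it executes."""
    # Claim 1: only calls that would create the resource regardless of whether it
    # already exists count as recreation requests; open-existing calls pass through.
    if not req.create_always:
        return Action.ALLOW, "not a recreation request"
    if not policy.is_suspicious(req.resource):
        return Action.ALLOW, "resource not suspicious"
    proc = processes[req.pid]
    # Non-trusted originating process: block unless it is a known false positive.
    if not policy.is_trusted(proc.image):
        if policy.is_false_positive(proc.image):
            return Action.ALLOW, f"known false positive {proc.image}"
        return Action.BLOCK, f"non-trusted process {proc.image}"
    # Claim 8: a trusted process can host injected code, so the originating thread
    # is judged by the module it is executing rather than by the host image.
    thread = proc.threads[req.tid]
    if policy.is_trusted(thread.start_module):
        return Action.ALLOW, "trusted process and thread"
    if policy.is_false_positive(thread.start_module):
        return Action.ALLOW, f"known false positive thread module {thread.start_module}"
    return Action.BLOCK, f"non-trusted thread module {thread.start_module} in {proc.image}"


def hooked_create(req, processes, policy, real_create):
    """Stand-in for the hook on the creation function: the request is held here
    until evaluate() returns, then forwarded to the real function or failed."""
    action, _reason = evaluate(req, processes, policy)
    if action is Action.BLOCK:
        return action, None                  # protective action: resource is never recreated
    return action, real_create(req.resource)


def run_sample():
    """Constructed scenario. Returns (action per request, resources forwarded to real_create)."""
    policy = Policy(
        suspicious_patterns=[r"C:\Windows\System32\winsvc32.dll",
                             r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsvc32"],
        trusted_dirs=["C:\\Windows\\System32\\"],
        false_positive_modules={r"C:\Program Files\Vendor\installer.exe"},
    )
    inj = r"C:\Users\bob\AppData\Local\Temp\inj.dll"   # hypothetical DLL injected into svchost
    processes = {
        100: Process(100, r"C:\Users\bob\AppData\Roaming\update.exe",
                     {1: Thread(1, r"C:\Users\bob\AppData\Roaming\update.exe")}),
        200: Process(200, r"C:\Program Files\Vendor\installer.exe",
                     {1: Thread(1, r"C:\Program Files\Vendor\installer.exe")}),
        300: Process(300, r"C:\Windows\System32\svchost.exe",
                     {1: Thread(1, r"C:\Windows\System32\svchost.exe"), 2: Thread(2, inj)}),
    }
    forwarded = []

    def real_create(resource):          # the original creation function, modelled as a log
        forwarded.append(resource)
        return resource

    dll = r"C:\Windows\System32\winsvc32.dll"
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsvc32"
    requests = {
        "malware_recreates_dll": RecreationRequest(dll, 100, 1, True),
        "malware_opens_existing": RecreationRequest(dll, 100, 1, False),
        "false_positive_installer": RecreationRequest(run_key, 200, 1, True),
        "trusted_thread_in_svchost": RecreationRequest(dll, 300, 1, True),
        "injected_thread_in_svchost": RecreationRequest(dll, 300, 2, True),
        "benign_resource": RecreationRequest(r"C:\Users\bob\notes.txt", 100, 1, True),
    }
    results = {name: hooked_create(req, processes, policy, real_create)[0]
               for name, req in requests.items()}
    return results, forwarded
```

The claim 8 branch is the part worth noting: a request from svchost.exe is only allowed when the originating thread is executing code from a trusted module, so a DLL injected into a trusted host is still caught. Two caveats apply to the simplification used here. Deciding trust by directory prefix is only for illustration, since anything running with administrative rights can write under System32; a product would key trust on code signatures or known-good hashes. And the false-positive list is consulted by exact module identity, so the same list should be maintained for the thread-level check as for the process-level one, which is what the claim's use of "said known false positive module" in both branches implies.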