Methods and arrangement for efficiently detecting and removing malware

US 7,971,258 B1
Filed: 09/28/2007
Issued: 06/28/2011
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malware in a computer storage drive that stores computer readable code implementing at least a first operating system, said computer storage drive being installed in a computer system, the system comprising:

a second operating system different from said first operating system;

an analysis module configured to execute under said second operating system, said analysis module being further configured to ascertain, while said first operating system is inactive, at least a first boot-up parameter of said first operating system that would be involved in booting up said computer system if said first operating system had been activated instead, said analysis module being further configured to identify at least one of a first file and a first folder that said first boot-up parameter refers to; and

a malware scanning engine configured for scanning, while said first operating system is inactive, said at least one of said first file and said first folder after said at least one of said first file and said first folder has been identified by said analysis module, said malware scanning engine being further configured for neutralizing said malware responsive to said scanning if said at least one of said first file and said first folder includes said malware, wherein said second operating system is configured to become dormant after said malware is neutralized in order to enable said first operating system to boot up said computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malware in a computer that employs a production operating system during normal use is provided. The method includes activating on the computer a first operating system while the production operating system is dormant and ascertaining at least a portion of the production operating system that would be involved in booting up the computer if the production operating system had been activated instead. The method further includes scanning, while the first operating system is activated and while the production operating system is dormant, the portion of the production operating system. The method further includes neutralizing, while the first operating system is activated and while the production operating system is dormant, the malware responsive to the scanning.

58 Citations

View as Search Results

20 Claims

1. A system for detecting malware in a computer storage drive that stores computer readable code implementing at least a first operating system, said computer storage drive being installed in a computer system, the system comprising:
- a second operating system different from said first operating system;
  
  an analysis module configured to execute under said second operating system, said analysis module being further configured to ascertain, while said first operating system is inactive, at least a first boot-up parameter of said first operating system that would be involved in booting up said computer system if said first operating system had been activated instead, said analysis module being further configured to identify at least one of a first file and a first folder that said first boot-up parameter refers to; and
  
  a malware scanning engine configured for scanning, while said first operating system is inactive, said at least one of said first file and said first folder after said at least one of said first file and said first folder has been identified by said analysis module, said malware scanning engine being further configured for neutralizing said malware responsive to said scanning if said at least one of said first file and said first folder includes said malware, wherein said second operating system is configured to become dormant after said malware is neutralized in order to enable said first operating system to boot up said computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein said first boot-up parameter is a registry key associated with said first operating system.
  - 3. The system of claim 1 wherein said first boot-up parameter is a configuration setting parameter associated with said first operating system.
  - 4. The system of claim 1 whereinsaid analysis module is further configured to ascertain a second boot-up parameter after said malware scanning engine has scanned said at least one of said first file and said first folder,said analysis module is further configured to determine whether said second boot-up parameter refers to at least a file or at least a folder, andsaid analysis module is further configured to ascertain a next boot-up parameter if said second boot-up parameter does not refer to any file or folder.
  - 5. The system of claim 1 wherein said first file is a start-up file.
  - 6. The system of claim 1 whereinsaid analysis module is further configured to ascertain a second boot-up parameter of said first operating system after said malware scanning engine has neutralized said malware,said analysis module is further configured to identify at least one of a second file and a second folder that said second boot-up parameter refers to, andsaid malware scanning engine is further configured to scan said at least one of said second file and said second folder after said at least one of said second file and said second folder has been identified by said analysis module.
  - 7. The system of claim 1 wherein said second operating system is stored on a peripheral component different from said computer storage drive.
  - 8. The system of claim 1 wherein said second operating system is stored on a memory storage medium outside of said computer storage drive.
  - 9. The system of claim 1 wherein said second operating system is also stored on said computer storage drive.

10. A method for detecting malware in a computer storage drive that stores computer readable code implementing at least a first operating system, said computer storage drive being installed in a computer system, the method comprising:
- activating a second operating system different from said first operating system;
  
  ascertaining, using an analysis module executing under said second operating system while said first operating system is inactive, at least a first boot-up parameter of said first operating system that would be involved in booting up said computer system if said first operating system had been activated instead;
  
  identifying, using said analysis module, at least one of a first file and a first folder that said first boot-up parameter refers to;
  
  after said identifying, scanning, using a malware scanning engine executing under said second operating system while said first operating system is inactive, said at least one of said first file and said first folder; and
  
  if said at least one of said first file and said first folder includes said malware, neutralizing said malware responsive to said scanning while said first operating system is inactive, wherein said scanning is performed while said computer storage drive remains installed in said computer system.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein said first boot-up parameter is a registry key associated with said first operating system.
  - 12. The method of claim 10 wherein said first boot-up parameter is a configuration setting parameter associated with said first operating system.
  - 13. The method of claim 10 further comprising:
    - ascertaining, using said analysis module, a second boot-up parameter after said malware scanning engine has scanned said at least one of said first file and said first folder;
      
      determining, using said analysis module, whether said second boot-up parameter refers to at least a file or at least a folder; and
      
      ascertaining, using said analysis module, a next boot-up parameter if said second boot-up parameter does not refer to any file or folder.
  - 14. The method of claim 10 wherein said first file is a start-up file.
  - 15. The method of claim 10 further comprising:
    - ascertaining, using said analysis module, a second boot-up parameter of said first operating system after said malware scanning engine has neutralized said malware;
      
      identifying, using said analysis module, at least one of a second file and a second folder that said second boot-up parameter refers to; and
      
      scanning, using said malware scanning engine, said at least one of said second file and said second folder after said at least one of said second file and said second folder has been identified using said analysis module.
  - 16. The method of claim 10 further comprising:
    - providing a menu to a user for enabling said user to at least select one of a first operating system environment associated with said first operating system and a second operating system environment associated with said second operating system;
      
      after said providing, receiving a choice of said second operating system environment selected by said user;
      
      in response to said choice, performing said activating said second operating system without activating said first operating system, thereby preventing said malware from being launched.
  - 17. The method of claim 10 wherein said second operating system is stored on a memory storage medium outside of said computer storage drive.
  - 18. The method of claim 10 wherein said second operating system is also stored on said computer storage drive.

19. A method for detecting malware in a computer that employs a production operating system during normal use, the method comprising:
- activating on said computer a first operating system different from said production operating system, said activating being performed while said production operating system is dormant;
  
  ascertaining, while said first operating system is activated and while said production operating system is dormant, at least a first boot-up parameter of said production operating system that would be involved in booting up said computer if said production operating system had been activated instead;
  
  identifying, using said analysis module, at least one of a first file and a first folder that said first boot-up parameter refers to;
  
  after said identifying, scanning, while said first operating system is activated and while said production operating system is dormant, said at least one of said first file and said first folder; and
  
  if said at least one of said first file and said first folder includes said malware, neutralizing, while said first operating system is activated and while said production operating system is dormant, said malware responsive to said scanning.
- View Dependent Claims (20)
- - 20. The method of claim 19 wherein said first operating system is stored on a flash drive different from a memory device employed to store said production operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Hsu, Richard, Zhang, Zhihe, Liao, En-Yi, Lin, Serend, Lu, Flanker, Fang, Franson
Primary Examiner(s)
SMITHERS, MATTHEW

Application Number

US11/864,312
Time in Patent Office

1,369 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/568   eliminating virus, restorin...

G06F 21/575   Secure boot

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2145   Inheriting rights or proper...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Methods and arrangement for efficiently detecting and removing malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and arrangement for efficiently detecting and removing malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links