Method for mitigating false positive generation in antivirus software

US 8,087,086 B1
Filed: 06/30/2008
Issued: 12/27/2011
Est. Priority Date: 06/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method of mitigating false-positive malware detection comprising:

accessing an operating system file that has been identified as malware;

determining whether the operating system file has an existing digital signature;

if there is no existing digital signature, creating a signature for the operating system file;

comparing at least one signature attribute of the existing or created signature to at least one of a number of signature attributes contained in a signature database, wherein the at least one signature attribute of the existing or created signature comprises a name of a publisher of the operating system file; and

if the at least one signature attribute is not found in the signature database, defining the operating system file as malware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for mitigating false-positives as detected by antivirus software comprising accessing an operating system file that has been identified as malware; creating a signature for the operating system file; comparing the created signature to a signature database; and, if the created signature is not found in the signature database, defining the operating system file as malware. An operating system file, as used herein, is any file included as a part of the operating system binary executable file set, as well as any files added from third party vendors that integrate with or plug into the operating system.

287 Citations

18 Claims

1. A method of mitigating false-positive malware detection comprising:
- accessing an operating system file that has been identified as malware;
  
  determining whether the operating system file has an existing digital signature;
  
  if there is no existing digital signature, creating a signature for the operating system file;
  
  comparing at least one signature attribute of the existing or created signature to at least one of a number of signature attributes contained in a signature database, wherein the at least one signature attribute of the existing or created signature comprises a name of a publisher of the operating system file; and
  
  if the at least one signature attribute is not found in the signature database, defining the operating system file as malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - analyzing files within a computer system using an anti-virus module to identify the operating system file as malware.
  - 3. The method of claim 1 wherein the creating step further comprises:
    - generating a hash value representing the operating system file.
  - 4. The method of claim 3 wherein the hash value is at least one of an SHA-1 value or an MD5 value.
  - 5. The method of claim 1 further comprising:
    - accessing an operating system catalog;
      
      parsing the operating system catalog;
      
      reading hash values from the parsed operating system catalog to represent content of each file in the operating system; and
      
      storing the hash values in the signature database.
  - 6. The method of claim 5 further comprising:
    - verifying a digital signature of the operating system catalog prior to using the operating system catalog to generate the signature database.
  - 7. The method of claim 1 further comprising:
    - identifying a digital signature within the operating system file;
      
      extracting the digital signature from the operating system file; and
      
      verifying the authenticity of the digital signature.
  - 8. The method of claim 1 further comprising:
    - blocking the comparing step while the signature database is being generated.

9. A method of mitigating false-positive malware detection comprising:
- accessing an operating system catalog;
  
  parsing the operating system catalog;
  
  reading hash values from the parsed operating system catalog to represent content of files in the operating system;
  
  storing the hash values in a signature database;
  
  accessing an operating system file that has been identified as malware;
  
  determining whether the operating system file has an existing digital signature;
  
  if there is no existing digital signature, creating a signature for the operating system file;
  
  comparing at least one signature attribute of the existing or created signature to at least one of a number of signature attributes contained in the signature database, wherein the at least one signature attribute of the existing or created signature comprises a name of a publisher of the operating system file; and
  
  if the at least one signature attribute is not found in the signature database, defining the operating system file as malware.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 further comprising:
    - analyzing files within a computer system using an anti-virus module to identify the operating system file as malware.
  - 11. The method of claim 9 wherein the creating step further comprises:
    - generating a hash value as the signature representing the operating system file.
  - 12. The method of claim 11 wherein the hash value is at least one of an SHA-I value or an MD5 value.
  - 13. The method of claim 9 further comprising:
    - verifying a digital signature of the operating system catalog prior to using the operating system catalog to generate the signature database.
  - 14. The method of claim 9 further comprising:
    - identifying a digital signature within the operating system file;
      
      extracting the digital signature from the operating system file; and
      
      verifying the authenticity of the digital signature.
  - 15. The method of claim 9 further comprising:
    - blocking the comparing step while the signature database is being generated.

16. A method of mitigating false-positive malware detection comprising:
- accessing an operating system file that has been identified as malware;
  
  determining a publisher of the operating system file;
  
  comparing at least one signature attribute of the operating system file to at least one of a number of signature attributes contained in an operating system catalog; and
  
  if the publisher of the operating system file is not found to be represented in the operating system catalog, defining the operating system file as malware.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16 further comprising verifying that the operating system catalog is authentic.
  - 18. The method of claim 17 wherein the verifying step further comprises an authenticating digital signature within the operating system catalog.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Gardner, Patrick, Lai, Everett, Meade, John
Primary Examiner(s)
Lanier, Benjamin
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US12/164,771
Time in Patent Office

1,275 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

Method for mitigating false positive generation in antivirus software

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

287 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for mitigating false positive generation in antivirus software

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

287 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links