System and method for defining and detecting pestware with function parameters
First Claim
1. A method for generating pestware definitions comprising:
- receiving a pestware file;
- placing at least a portion of the pestware file into a processor-readable memory;
- following a plurality of execution paths within code of the pestware file, wherein each of the execution paths is a potential path that a processor executing the code may follow;
- retrieving, for each of a plurality of selected function calls within the code of the pestware file, at least one parameter from each of the function calls so as to obtain a plurality of parameters;
- storing, in a processor-readable pestware-definition file, a representation of each of the parameters; and
- sending the pestware-definition file to a plurality of client devices;
- wherein the selected function calls are selected on the basis that the selected function calls include calls to addresses of the processor-readable memory that are outside of the memory occupied by the code of the pestware file.
Abstract
A system and method for defining and detecting pestware is described. In one embodiment, a pestware file is received and at least a portion of the pestware file is placed into a processor-readable memory. A plurality of execution paths within code of the pestware file are followed and for each of a plurality of selected function calls within the execution paths of the pestware file, at least one parameter from each of the function calls is retrieved so as to obtain a plurality of parameters. A representation of each of the parameters is then stored in a processor-readable pestware-definition file, which is sent to a plurality of client devices.
11 Claims
8. A method for detecting pestware on a computer comprising:
- receiving a file;
- placing at least a portion of the file into a processor-readable memory of the computer;
- following a plurality of execution paths within code of the pestware file, wherein each of the execution paths is a potential path that a processor executing the code may follow;
- retrieving, for each of a plurality of selected function calls within the code of the pestware file, at least one parameter from each of the function calls so as to obtain a plurality of parameters;
- comparing the plurality of parameters with parameters within a processor-readable pestware-definition file so as to determine whether the file is a potential pestware file; and
- quarantining the file in the event the plurality of parameters match a minimum percentage of parameters within the processor-readable pestware-definition file;
- wherein the retrieving, for each of a plurality of selected function calls within the code of the pestware file, at least one parameter includes identifying calls to addresses to portions of the processor-readable memory that are outside of the memory occupied by the code of the pestware file.
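The steps of claims 1 and 8 can be sketched on a toy instruction stream. This is an added example, not code from the patent. The instruction format, unit-length instructions, address ranges, SHA-256 as the stored representation, and all sample values are constructed assumptions.

```python
import hashlib

CODE = (0x1000, 0x1100)   # assumed address range occupied by the file's code
# Constructed toy instruction stream (address -> (op, operand)); not real pestware.
PROGRAM = {
    0x1000: ("push", "Software\\Run"),
    0x1001: ("call", 0x7000),            # target outside CODE: selected call
    0x1002: ("jz", 0x1006),              # branch: two potential execution paths
    0x1003: ("push", "http://example.invalid/a"),
    0x1004: ("call", 0x7010),            # outside CODE: selected
    0x1005: ("ret", None),
    0x1006: ("push", "local"),
    0x1007: ("call", 0x1009),            # inside CODE: followed, not selected
    0x1008: ("ret", None),
    0x1009: ("push", "svc.exe"),
    0x100A: ("call", 0x7020),            # outside CODE: selected
    0x100B: ("ret", None),
}

def extract_parameters(program, start, code=CODE):
    """Walk every potential path; collect values pushed before external calls."""
    params, seen, work = set(), set(), [(start, ())]
    while work:
        addr, pending = work.pop()
        if addr in seen or addr not in program:
            continue
        seen.add(addr)
        op, arg = program[addr]
        if op == "push":
            work.append((addr + 1, pending + (arg,)))
        elif op == "call":
            if code[0] <= arg < code[1]:
                work.append((arg, ()))       # internal call: follow the callee
            else:
                params.update(pending)       # external call: keep its parameters
            work.append((addr + 1, ()))
        elif op == "jz":
            work += [(arg, pending), (addr + 1, pending)]
        elif op != "ret":
            work.append((addr + 1, pending))
    return params

def represent(params):
    """Definition entries: SHA-256 of each parameter (one possible representation)."""
    return {hashlib.sha256(p.encode()).hexdigest() for p in params}

def matches_definition(program, start, definition, min_pct):
    """True when the file's parameters cover at least min_pct of the definition."""
    hits = represent(extract_parameters(program, start)) & definition
    return bool(definition) and 100 * len(hits) / len(definition) >= min_pct

DEFINITION = represent(extract_parameters(PROGRAM, 0x1000))
```

A variant of the sample that changes one pushed string still matches two of the three definition entries, so whether it is flagged depends on the chosen minimum percentage.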
Specification