Backward researching time stamped events to find an origin of pestware

US 8,181,244 B2
Filed: 04/20/2006
Issued: 05/15/2012
Est. Priority Date: 04/20/2006
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method for identifying an origin of suspected pestware activity on a computer, the method comprising:

monitoring, with a kernel-mode driver, activity on the computer;

generating an activity log on a file storage device of the computer from the kernel-mode driver;

receiving, from a user via an interface of the computer, a time of interest relating to a suspicion of pestware on the computer, wherein the time of interest includes a time interval;

issuing a timestamp after receiving the time of interest;

identifying, based upon the time of interest, indicia of pestware, wherein the identifying is initiated by the issuing the timestamp; and

accessing, using a hardware processor of the computer, at least a portion of a recorded history of externally networked sources that the computer received files from so as to identify, based at least in part upon the identified indicia of pestware, a reference to an identity of an externally networked source that is suspected of originating pestware;

wherein the recorded history of externally networked sources is stored on the file storage device.

View all claims

9 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Accused Products

Abstract

A system and method for identifying an origin of suspected pestware activity on a computer is described. One embodiment includes establishing a time of interest relating to a suspicion of pestware on the computer, identifying, based upon the time of interest, indicia of pestware and accessing at least a portion of a recorded history of sources that the computer received files from so as to identify, based at least in part upon the identified indicia of pestware, a reference to an identity of a source that is suspected of originating pestware.

94 Citations

View as Search Results

16 Claims

1. A method for identifying an origin of suspected pestware activity on a computer, the method comprising:
- monitoring, with a kernel-mode driver, activity on the computer;
  
  generating an activity log on a file storage device of the computer from the kernel-mode driver;
  
  receiving, from a user via an interface of the computer, a time of interest relating to a suspicion of pestware on the computer, wherein the time of interest includes a time interval;
  
  issuing a timestamp after receiving the time of interest;
  
  identifying, based upon the time of interest, indicia of pestware, wherein the identifying is initiated by the issuing the timestamp; and
  
  accessing, using a hardware processor of the computer, at least a portion of a recorded history of externally networked sources that the computer received files from so as to identify, based at least in part upon the identified indicia of pestware, a reference to an identity of an externally networked source that is suspected of originating pestware;
  
  wherein the recorded history of externally networked sources is stored on the file storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the identifying includes:
    - accessing at least one log of historical events on the computer;
      
      locating at least one event in the at least one log that corresponds to the time of interest; and
      
      determining that the at least one event is associated with the indicia of pestware.
  - 3. The method of claim 2, wherein the determining that the at least one event is associated with the indicia of pestware includes following references in the at least one log to a suspected pestware object.
  - 4. The method of claim 3, wherein following the references includes following at least one reference in the activity log from the event to a suspected pestware process.
  - 5. The method of claim 2, wherein the at least one log includes at least one log selected from the group consisting of an activity log, a browser history, browser cache, browser settings, operating system settings, an event log, a debugging log, a firewall log, file information and monitoring software logs.
  - 6. The method of claim 1, wherein the user input is in response to an alert provided to the user regarding a detected suspicious activity on the computer.
  - 7. The method of claim 1, including:
    - reporting the identity of the externally networked source to an externally networked pestware research entity so as to enable the pestware research entity to research whether the externally networked source is a source of pestware.
  - 8. The method of claim 1, wherein the externally networked source is identified by an identifier selected from the group consisting of an I.P. address and a URL.

9. A system for identifying a source of suspected pestware on a computer, the system comprising:
- a hardware processor;
  
  a file storage device coupled to the hardware processor;
  
  a timestamp module configured to be executed by the hardware processor, to generate a time of interest including a time interval in response to detected activity on the computer that is indicative of pestware, to issue a timestamp after generating the time of interest, and to initiate, in response to the issuance of the timestamp, identification of indicia of pestware;
  
  a research portion configured to be executed by the hardware processor and to access at least one log on a file storage device of the computer to relate the time of interest to at least one externally networked source of potential pestware activity on the computer;
  
  a kernel-mode driver configured to monitor activity on the computer and to generate an activity log that is included within the at least one log; and
  
  a reporting portion configured to be executed by the hardware processor and to generate a report that identifies the at least one externally networked source of potential pestware activity.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the at least one log includes information that relates the time of interest to an event, and wherein the at least one log includes information that relates the event to a suspected pestware object, and wherein the at least one log includes information that relates the suspected pestware object to the at least one externally networked source of potential pestware activity.
  - 11. The system of claim 10, including:
    - a heuristics module configured to be executed by the hardware processor and to evaluate whether the event is a suspected pestware-related event before the research portion accesses information in the at least one log that relates the event to the suspected pestware object.
  - 12. The system of claim 11, wherein the heuristics module determines that the at least one event is suspected to be pestware-related by analyzing other events in connection with the event, wherein the other events are also related to the time of interest.
  - 13. The system of claim 9, wherein the at least one log includes at least one log selected from the group consisting of an activity log, a browser history, browser cache, browser settings, operating system settings, an event log, a debugging log, a firewall log, file information and monitoring software logs.
  - 14. The system of claim 9, wherein the timestamp module is further configured to generate the time of interest as a point in time.
  - 15. The system of claim 9, wherein the at least one externally networked source of potential pestware activity is identified by an identifier selected from the group consisting of an I.P. address and a URL.
  - 16. The system of claim 9, wherein the at least one log includes at least one log selected from the group consisting of an activity log, a browser history, browser cache, browser settings, operating system settings, an event log, a debugging log, a firewall log, file information and monitoring software logs.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Boney, Matthew L.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Rahman, Mahfuzur

Application Number

US11/408,145
Publication Number

US 20070250928A1
Time in Patent Office

2,217 Days
Field of Search

726 22- 25, 726/13, 713187-188, 713193-194
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

Backward researching time stamped events to find an origin of pestware

First Claim

9 Assignments

Litigations

2 Petitions

Accused Products

Abstract

94 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Backward researching time stamped events to find an origin of pestware

First Claim

9 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links