Malware management through kernel detection

US 8,190,868 B2
Filed: 08/07/2006
Issued: 05/29/2012
Est. Priority Date: 08/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method for managing pestware on a computer comprising:

starting a boot sequence, the boot sequence including a period when boot drivers are initialized;

initiating a kernel-level monitor during the period when boot drivers are initialized;

monitoring, while the boot sequence is being carried out, events with the kernel-level monitor;

managing pestware-related events with the kernel-level monitor before a period in the boot sequence when the computer is configured to run native applications, the period in the boot sequence when the computer is configured to run native applications being after a kernel is loaded and before a Win32 subsystem is loaded;

loading and initializing a native scanner during the period in the boot sequence when the computer is configured to run native applications;

managing pestware-related events during the period in the boot sequence when the computer is configured to run native applications;

acquiring a set of behavior rules, wherein the managing pestware-related events is carried out in accordance with the behavior rules; and

scanning, using the native scanner, a registry of the computer for pestware during the period in the boot sequence when the computer is configured to run native applications.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing pestware on a protected computer is described. The method in one variation includes starting a boot sequence that includes a period when boot drivers are initialized, initiating a kernel-level monitor during the period when boot drivers are initialized, monitoring events with the kernel-level monitor during the boot sequence and managing pestware-related events with the kernel-level monitor before a period in the boot sequence when native applications are capable of running. In variations, a pestware management engine is initialized after an operating system of the protected computer is initialized and the pestware management system both receives an event log of the monitored events and compiles the set of behavior rules utilized by kernel-level monitor.

62 Citations

View as Search Results

15 Claims

1. A method for managing pestware on a computer comprising:
- starting a boot sequence, the boot sequence including a period when boot drivers are initialized;
  
  initiating a kernel-level monitor during the period when boot drivers are initialized;
  
  monitoring, while the boot sequence is being carried out, events with the kernel-level monitor;
  
  managing pestware-related events with the kernel-level monitor before a period in the boot sequence when the computer is configured to run native applications, the period in the boot sequence when the computer is configured to run native applications being after a kernel is loaded and before a Win32 subsystem is loaded;
  
  loading and initializing a native scanner during the period in the boot sequence when the computer is configured to run native applications;
  
  managing pestware-related events during the period in the boot sequence when the computer is configured to run native applications;
  
  acquiring a set of behavior rules, wherein the managing pestware-related events is carried out in accordance with the behavior rules; and
  
  scanning, using the native scanner, a registry of the computer for pestware during the period in the boot sequence when the computer is configured to run native applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, including:
    - launching, after an operating system is initiated, a pestware management engine;
      
      wherein the acquiring the set of behavior rules includes acquiring at least a portion of the behavior rules from behavior rules compiled by the pestware management engine.
  - 3. The method of claim 1, including:
    - generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
      
      analyzing the record of events so as to identify the pestware-related events; and
      
      modifying the set of behavior rules so as to prevent the pestware-related events.
  - 4. The method of claim 3, wherein the record of events includes information selected from the group consisting of process identification information, file identification information and hook generation information.
  - 5. The method of claim 1, including:
    - managing pestware-related events with the kernel-level monitor after the period in the boot sequence when the computer is configured to run native applications.
  - 6. The method of claim 1, wherein the kernel-level monitor is selected from the group consisting of a device driver, a kernel-mode DLL and a virtual machine.
  - 7. The method of claim 1, wherein the initiating the kernel-level monitor includes loading the kernel-level driver from a BIOS of the computer.
  - 8. The method of claim 1, wherein the initiating the kernel-level monitor is before the boot drivers are initialized.
  - 9. The method of claim 8, wherein the monitoring includes monitoring the boot sequence while the boot drivers are initialized.

10. A system for managing pestware on a protected computer comprising:
- a processor;
  
  a kernel-level monitor executed by the processor, the kernel-level monitor configured to be initialized before at least a portion of boot drivers on the protected computer are initialized and to monitor, according to a set of behavior rules, activities on the protected computer before a period in a boot sequence of the protected computer when the computer is configured to run native applications, the period when the computer is configured to run native applications being after a kernel is loaded but before a Win32 subsystem is loaded;
  
  a pestware management engine executed by the processor that is configured to both be initialized after an operating system of the protected computer is initialized and to compile the set of behavior rules; and
  
  a native scanner executed by the processor that is initialized during the period in the boot sequence of the protected computer when the computer is configured to run native applications, wherein the native scanner is configured to scan files that are utilized by an operating system of the protected computer;
  
  wherein the native scanner is configured to scan a registry of the protected computer for pestware during the period in the boot sequence of the protected computer when the computer is configured to run native applications.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the kernel-level monitor is selected from the group consisting of device driver, a kernel-mode DLL and a virtual machine.
  - 12. The system of claim 10, wherein the kernel-level monitor is configured to prevent, in accordance with the behavior rules, pestware from carrying out pestware-related activities.
  - 13. The system of claim 12 including a memory, wherein the kernel-level monitor is configured to store, before the period in a boot sequence of the protected computer when the computer is configured to run native applications, information about potential pestware-related events in an event log in the memory, wherein the memory is selected from the group consisting of a magnetic storage medium and volatile memory.
  - 14. The system of claim 13, wherein the pestware management engine is configured to read the event log and modify the set of behavior rules based upon the information about potential pestware-related events so as to prevent subsequent pestware-related events during the boot sequence.
  - 15. The system of claim 10, wherein the pestware management engine resides on the protected computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Schneider, Jerome L.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US11/462,827
Publication Number

US 20080034429A1
Time in Patent Office

2,122 Days
Field of Search

713/164, 726/2, 726/4, 726 23- 25
US Class Current

713/2
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

Malware management through kernel detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Malware management through kernel detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others