
Performing security functions when a process is created

  • US 8,201,253 B1
  • Filed: 07/15/2005
  • Issued: 06/12/2012
  • Est. Priority Date: 07/15/2005
  • Status: Expired due to Fees
First Claim

1. A method in a computing device of performing a security related function, the method comprising:

  • providing security code that performs a security related function;

    providing a plurality of software components that include code, each software component for executing within a process;

    setting a configuration to cause the security code to execute within a first process before a first software component executes within the first process;

    creating by an operating system executing in kernel mode the first process for executing the first software component of the plurality of software components, the operating system storing an indication of existence of the first process;

    after the first process is created for executing the first software component of the plurality of software components, executing by the computing device the provided security code within the first process before the code of the first software component is executed in accordance with the set configuration so the security related function can be performed before the code of the first software component is executed within the first process, the security related function to support detecting whether the first software component contains malware, wherein the security code records an identifier of the first software component of the first process and performs an action so that the operating system maintains certain information relating to the action only while the first process exists; and

    after executing the provided security code within the first process, starting execution of the first software component within the first process;

    after executing the provided security code, executing code of a security system outside of the first process and the operating system, that requests the operating system for a report of existing processes;

    determines whether the first process is in the report of existing processes; and

    upon determining that the first process is not in the report of existing processes, determines whether the certain information is still maintained by the operating system, the certain information relating to the action performed by the security code within the first process before the code of the first software component was executed; and

    upon determining that the certain information is still maintained by the operating system, indicating that the first software component contains malware.
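
The cross-check in the last three steps of the claim, as an added example that is not code from the patent: a process missing from the operating system's report while its per-process state is still maintained is flagged. It assumes a POSIX system and uses an `flock` on a marker file as the "action" whose state exists only while the process does; the names `STUB`, `find_hidden` and `component.bin` are hypothetical, and the process reports passed to the checker are constructed sets of PIDs.

```python
import fcntl, os, subprocess, sys, tempfile

# Hypothetical stand-in for the claim's "security code": it runs first in the new
# process, records the component identifier, takes a lock the OS drops when the
# process exits, then lets the component run (a sleep stands in for it).
STUB = r"""
import fcntl, os, sys, time
marker_dir, component = sys.argv[1], sys.argv[2]
f = open(os.path.join(marker_dir, str(os.getpid())), "w")
f.write(component); f.flush()          # recorded identifier
fcntl.flock(f, fcntl.LOCK_EX)          # state kept only while the process exists
print("ready", flush=True)
time.sleep(60)                         # the component's own code would start here
"""

def marker_still_held(path):
    """True if some live process still holds the lock on this marker file."""
    with open(path) as f:
        try:
            fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return True
        return False                    # lock acquired: the owner is gone

def find_hidden(marker_dir, reported_pids):
    """Return (pid, component) for markers still held by a PID absent from the report."""
    hidden = []
    for name in sorted(os.listdir(marker_dir)):
        path = os.path.join(marker_dir, name)
        if int(name) in reported_pids:
            continue                    # process is visible: nothing to conclude
        if marker_still_held(path):
            with open(path) as f:
                hidden.append((int(name), f.read()))
        else:
            os.remove(path)             # process really exited: stale marker
    return hidden

def demo():
    with tempfile.TemporaryDirectory() as d:
        with subprocess.Popen([sys.executable, "-c", STUB, d, "component.bin"],
                              stdout=subprocess.PIPE) as p:
            p.stdout.readline()         # wait until the stub holds its lock
            visible = find_hidden(d, {p.pid})   # constructed honest report
            filtered = find_hidden(d, set())    # constructed report missing the PID
            p.kill()
            p.wait()
            exited = find_hidden(d, set())      # lock released with the process
        return p.pid, visible, filtered, exited

if __name__ == "__main__":
    print(demo())
```

Only the middle case is flagged: a visible process and a process that has really exited both come back clean, which is why the claim checks the maintained information rather than the process report alone.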
