Performing security functions when a process is created
First Claim
1. A method in a computing device of performing a security related function, the method comprising:
providing security code that performs a security related function;
providing a plurality of software components that include code, each software component for executing within a process;
setting a configuration to cause the security code to execute within a first process before a first software component executes within the first process;
creating by an operating system executing in kernel mode the first process for executing the first software component of the plurality of software components, the operating system storing an indication of existence of the first process;
after the first process is created for executing the first software component of the plurality of software components, executing by the computing device the provided security code within the first process before the code of the first software component is executed in accordance with the set configuration so the security related function can be performed before the code of the first software component is executed within the first process, the security related function to support detecting whether the first software component contains malware, wherein the security code records an identifier of the first software component of the first process and performs an action so that the operating system maintains certain information relating to the action only while the first process exists; and
after executing the provided security code within the first process, starting execution of the first software component within the first process;
after executing the provided security code, executing code of a security system outside of the first process and the operating system, that requests the operating system for a report of existing processes;
determines whether the first process is in the report of existing processes; and
upon determining that the first process is not in the report of existing processes, determines whether the certain information is still maintained by the operating system, the certain information relating to the action performed by the security code within the first process before the code of the first software component was executed; and
upon determining that the certain information is still maintained by the operating system, indicating that the first software component contains malware.
Abstract
A method and system in a computing device for performing security related functions as part of a process created to execute a software component that may be unrelated to security is provided. The security system provides security code that performs one or more security related functions. When a process is created to execute the code of a software component, the security system causes the security code to be executed before the execution of the code of the software component. One security related function of the security code may be to cause the operating system to maintain information about the process as long as the process exists. If the operating system later reports that the process no longer exists but the information is still being maintained, then the security system can assume that malware is attempting to hide the process.
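As an added illustration (not code from the patent or its assignee), the following toy simulation walks through the check the abstract describes: a prologue run inside each new process asks the kernel to hold a marker that lives only as long as the process, and a scanner outside the process later compares the kernel's process report against the markers it still holds. `ToyOS`, its methods, the `hidden` set standing in for a process being unlinked from enumeration, and the component names are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class ToyOS:
    """Constructed stand-in for the kernel; a marker lives only while its pid exists."""
    table: set = field(default_factory=set)      # pids that currently exist
    markers: dict = field(default_factory=dict)  # pid -> token held for it
    hidden: set = field(default_factory=set)     # pids unlinked from reports
    next_pid: int = 100

    def create_process(self):
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        self.table.add(pid)
        return pid

    def keep_while_alive(self, pid, token):
        # the "action": the kernel now holds `token` on behalf of `pid`
        if pid not in self.table:
            raise ValueError("no such process")
        self.markers[pid] = token

    def terminate(self, pid):
        # normal exit tears down the process and everything held for it
        self.table.discard(pid)
        self.markers.pop(pid, None)

    def report_processes(self):
        # what a process-enumeration API returns; hidden pids are absent
        return sorted(self.table - self.hidden)


def security_prologue(os_, pid, component):
    """Runs inside the new process before the component's own code."""
    token = f"marker-{pid}-{component}"
    os_.keep_while_alive(pid, token)
    return {"pid": pid, "component": component, "token": token}


def scan(os_, records):
    """Outside the processes: a component whose process the kernel no longer
    reports, yet whose marker it still maintains, is flagged."""
    reported = set(os_.report_processes())
    return [r["component"] for r in records
            if r["pid"] not in reported
            and os_.markers.get(r["pid"]) == r["token"]]


def demo():
    os_, recs = ToyOS(), []
    for name in ("editor", "updater", "dropper"):   # constructed component names
        recs.append(security_prologue(os_, os_.create_process(), name))
    os_.terminate(recs[0]["pid"])     # editor exits normally: marker gone too
    os_.hidden.add(recs[2]["pid"])    # dropper's process vanishes from reports
    return scan(os_, recs)            # -> ["dropper"]
```

A process that exited normally is absent from the report and has no marker, so only the process that is missing from the report while its marker survives is reported.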
17 Claims
1. Claim 1 is set out in full under First Claim above. Dependent claims: 2 to 11.
12. A computer-readable memory device configured to control a computing device to detect whether a process managed by an operating system is hidden, by a method comprising:
setting a configuration to cause security code to execute within the process before a software component executes within the process;
after the process is created for execution of the software component within the process and before executing code of the software component within the process as indicated by the set configuration, executing code within the process that performs an action that causes the operating system of the computing device to maintain certain information while the process exists;
after executing the code within the process that causes the operating system to maintain certain information while the process exists, starting execution of the software component within the process; and
after starting execution of the software component within the process, executing a security system outside of the process and the operating system, the security system for:
requesting the operating system for a list of existing processes;
determining whether the process is within the list of existing processes; and
after determining that the process is not within the list of existing processes, determining whether the certain information is still maintained by the operating system, the certain information maintained by the operating system as a result of the action performed by the code executing within the process before executing the code of the software component within the process; and
upon determining that the certain information is still maintained by the operating system, indicating that the process is hidden.
Dependent claims: 13, 14, 15.
16. A computing device configured to perform a security related function for the computing device, comprising:
a memory storing computer-executable instructions of:
software components;
a component that sets a configuration to cause security code to execute within a process before a software component executes within the process;
a component that, after the process is created by an operating system for executing the software component, automatically executes security code within the process before executing code of the software component as indicated by the set configuration, wherein the security code performs the security related function so that the operating system maintains information relating to the process while the process exists for detecting whether the software component contains malware; and
a component of a security system that executes outside of the process and the operating system to determine whether the information, that is maintained by the operating system as a result of the security code performing the security related function within the process before executing code of the software component within the process, is still maintained by the operating system but the operating system reports that the process does not exist and upon such a determination, reporting the software component contains malware; and
a processor for executing the computer-executable instructions stored in the memory.
Dependent claim: 17.