User-assisted security system
Abstract
A user-assisted security software program alerts a user when a new pop-up is displayed from a suspicious source application. The source application may be suspicious if it has a low reputation. Displayed in connection with the pop-up, the alert prompts the user to indicate whether the source application that generated the pop-up should be trusted. If the user indicates that the source application is not trusted, the security software declares the source application to be malicious. The malicious code can then be dealt with, such as by removing it from the computing system, blocking it from generating new pop-ups, and preventing further network communications. The user's feedback about the source application may also be used to adjust the application's reputation.
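The decision flow the abstract describes, together with the produced-code tracking recited in the independent claims, as an added Python sketch that is not code from the patent or from any product. The threshold, the default score of 0.0 for unknown applications, the class and file names, and the event format are all assumptions; the sketch also generalizes the claims by recording writes made before the verdict and by following the lineage transitively.

```python
from dataclasses import dataclass, field
THRESHOLD = 0.5  # assumed cut-off for "suspicious"; the page gives no number

@dataclass
class PopupGuard:
    reputation: dict                              # application -> score in [0, 1]
    ask_user: object                              # callable(app) -> True if the user trusts it
    malicious: set = field(default_factory=set)
    origin: dict = field(default_factory=dict)    # module -> application that wrote it
    prompts: list = field(default_factory=list)   # applications the user was asked about

    def on_write(self, writer, module):
        self.origin[module] = writer              # track executable code an application produces

    def tainted(self, module):
        seen = set()                              # guards against cycles in the write lineage
        while module is not None and module not in seen:
            if module in self.malicious:
                return True
            seen.add(module)
            module = self.origin.get(module)
        return False

    def on_popup(self, app):
        if self.tainted(app):
            return "block"                        # declared malicious, or descends from one
        if self.reputation.get(app, 0.0) >= THRESHOLD:  # unknown applications score 0.0
            return "allow"
        self.prompts.append(app)
        if self.ask_user(app):
            self.reputation[app] = THRESHOLD      # positive feedback raises the reputation
            return "allow"
        self.malicious.add(app)                   # negative feedback: declare malicious
        return "block"

# Constructed events: ("write", writer, module) or ("popup", application, None).
EVENTS = [("write", "freegame.exe", "helper.dll"), ("popup", "browser.exe", None),
          ("popup", "freegame.exe", None), ("popup", "freegame.exe", None),
          ("popup", "helper.dll", None), ("write", "helper.dll", "updater.exe"),
          ("popup", "updater.exe", None), ("popup", "notes.exe", None)]

def replay(events=EVENTS):
    guard = PopupGuard({"browser.exe": 0.9, "freegame.exe": 0.1}, lambda app: app == "notes.exe")
    decisions = []
    for kind, actor, target in events:
        if kind == "write":
            guard.on_write(actor, target)
        else:
            decisions.append((actor, guard.on_popup(actor)))
    return decisions, guard.prompts
```

In the replay the user is prompted only twice: once for the low-reputation application and once for the unknown one. The dropped module and its second-generation child are blocked without a prompt.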
26 Claims
1. A computer-implemented method for detecting malicious code on a client, the method comprising:
- detecting, using a computer, a pop-up displayed on the client by an executing source application;
- determining, using the computer, a reputation associated with the source application;
- when the reputation associated with the source application indicates that the source application is suspicious, prompting, using the computer, a user to provide feedback about the pop-up;
- responsive to negative feedback about the pop-up, declaring, using the computer, the source application to be malicious software; and
- after declaring the source application to be malicious software;
  - blocking, using the computer, a subsequent attempt by the executing source application to display a subsequent pop-up on the client;
  - tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  - blocking, using the computer, attempts by the new code modules to display a new pop-up on the client.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 25, 26

10. A computer-implemented method for detecting malicious code on a client, the method comprising:
- detecting, using a computer, an attempt by a source application executing on the client to cause the client to display a visual element on a display of the client;
- determining, using the computer, whether the source application is suspicious;
- when the source application is determined to be suspicious, displaying, using the computer, an alert to a user requesting a user input indicating whether to block the source application from displaying visual elements on the display of the client;
- responsive to the user input indicating whether to block the source application, storing, using the computer, a preference based on the user input in a storage medium coupled to the client; and
- responsive to the preference identifying the source application as a blocked application;
  - blocking, using the computer, subsequent attempts by the executing source application to display subsequent visual elements on the display of the client;
  - tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  - blocking, using the computer, attempts by the new code modules to display new visual elements on the display of the client.

Dependent claims: 11, 12

13. A computer program product for detecting malicious code on a client, the computer program product comprising a non-transitory computer-readable storage medium comprising computer program code executable by a processor for:
- detecting a pop-up displayed on the client by an executing source application;
- determining a reputation associated with the source application;
- when the reputation associated with the source application indicates that the source application is suspicious, prompting a user to provide feedback about the pop-up; and
- responsive to negative feedback about the pop-up, declaring the source application to be malicious software; and
- after declaring the source application to be malicious software;
  - blocking, using the computer, a subsequent attempt by the executing source application to display a subsequent pop-up on the client;
  - tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  - blocking, using the computer, attempts by the new code modules to display a new pop-up on the client.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21

22. A computer program product for detecting malicious code on a client, the computer program product comprising a non-transitory computer-readable storage medium containing computer program code executable by a processor for:
- detecting an attempt by a source application executing on the client to cause the client to display a visual element on a display of the client;
- determining whether the source application is suspicious;
- when the source application is determined to be suspicious, displaying an alert to a user requesting a user input indicating whether to block the source application from displaying visual elements on the display of the client;
- responsive to the user input indicating whether to block the source application, storing a preference in a storage medium coupled to the client, the preference identifying the source application as a blocked application; and
- responsive to the preference identifying the source application as a blocked application;
  - blocking, using the computer, subsequent attempts by the executing application to display subsequent visual elements on the display of the client;
  - tracking, using the computer, executable code produced by the executing source application to identify one or more new code modules on the client as originating from the source application; and
  - blocking, using the computer, attempts by the new code modules to display new visual elements on the display of the client.

Dependent claims: 23, 24

Specification