System, method and computer program product for context-driven behavioral heuristics
First Claim
1. A method, comprising:
- receiving a request to open a file in a computer;
- scanning the file;
- determining whether unwanted data is present in the file by:
  - comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
  - evaluating a context associated with the scanning activities using a state machine, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer; and
  - detecting additional data, which is unwanted, by monitoring a behavior of data in the computer and determining an additional context, using a state machine, based on the monitoring of the behavior of data; and
- communicating a sample of the file to a virus signature service provider to be used in generating an exact signature that encompasses all of the contexts associated with the file.
Abstract
A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.
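The following is an added illustration, not code from the patent, of the method the abstract and first claim describe: a signature scan whose result is only acted on together with a context derived by a per-file state machine from the activities the file attempts, and a sample record that carries every context observed. The activity names, context IDs, transition table and byte signatures are all constructed for the example.

```python
"""Context-driven verdict: signature scan result combined with a per-file
context state machine (added example; all names and patterns are constructed)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Ctx(Enum):
    """Context IDs the state machine assigns to a file (constructed set)."""
    IDLE = "idle"                      # nothing observed yet
    OPENED = "opened"                  # open request received
    SPAWNED_PROCESS = "spawned_process"  # file tried to start a process
    MODIFIED_SYSTEM = "modified_system"  # file tried to change system state


# Transition table: (current context, observed activity) -> next context.
TRANSITIONS = {
    (Ctx.IDLE, "open"): Ctx.OPENED,
    (Ctx.OPENED, "create_process"): Ctx.SPAWNED_PROCESS,
    (Ctx.OPENED, "write_registry"): Ctx.MODIFIED_SYSTEM,
    (Ctx.SPAWNED_PROCESS, "write_registry"): Ctx.MODIFIED_SYSTEM,
}

# Constructed byte patterns standing in for the signature set; not real signatures.
SIGNATURES = {b"CONSTRUCTED-SIG-1": "sig-1", b"CONSTRUCTED-SIG-2": "sig-2"}


@dataclass
class FileContext:
    name: str
    state: Ctx = Ctx.IDLE
    history: list = field(default_factory=list)  # every context ever entered

    def observe(self, activity: str) -> Ctx:
        """Advance the state machine; an activity with no transition keeps the state."""
        self.state = TRANSITIONS.get((self.state, activity), self.state)
        self.history.append(self.state)
        return self.state


def scan_signatures(data: bytes) -> list:
    return [name for pattern, name in SIGNATURES.items() if pattern in data]


def verdict(data: bytes, ctx: FileContext) -> str:
    """Indicate unwanted data only when scan result and context agree."""
    hits = scan_signatures(data)
    if hits and ctx.state is Ctx.MODIFIED_SYSTEM:
        return "unwanted"      # signature match confirmed by suspicious context
    if hits or ctx.state is Ctx.MODIFIED_SYSTEM:
        return "suspicious"    # one indicator alone: keep monitoring
    return "clean"


def sample_for_provider(data: bytes, ctx: FileContext) -> dict:
    """Sample record for the signature provider, covering all observed contexts."""
    return {"file": ctx.name, "sha256": hashlib.sha256(data).hexdigest(),
            "contexts": sorted({c.value for c in ctx.history})}
```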
15 Claims
1. A method, comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus, comprising:
- a server computer coupled to an end user computer over a network connection, the server computer providing software to the end user computer such that the end user computer is configured for:
  - scanning a file received by the end user computer;
  - determining whether unwanted data is present in the file by:
    - comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
    - evaluating a context associated with the scanning activities using a state machine, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the end user computer; and
    - receiving additional data through monitoring of a behavior of data in the computer and through a determination of an additional context, using a state machine, based on the monitoring of the behavior of data; and
  - receiving a sample of the file to be used in generating an exact signature that encompasses all of the contexts associated with the file.
Dependent claims: 9, 10, 11.
12. Logic encoded in non-transitory media that includes code for execution and when executed by a processor operable to perform operations comprising:
- receiving a request to open a file in a computer;
- scanning the file;
- determining whether unwanted data is present in the file by:
  - comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
  - evaluating a context associated with the scanning activities using a state machine, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer; and
  - detecting additional data, which is unwanted, by monitoring a behavior of data in the computer and determining an additional context, using a state machine, based on the monitoring of the behavior of data; and
- communicating a sample of the file to a virus signature service provider to be used in generating an exact signature that encompasses all of the contexts associated with the file.
Dependent claims: 13, 14, 15.