Silent detection of malware and feedback over a network

US 8,443,449 B1
Filed: 11/09/2009
Issued: 05/14/2013
Est. Priority Date: 11/09/2009
Status: Active Grant

First Claim

Patent Images

1. A method of generating a pattern file, said method comprising:

receiving a response at one of a plurality of client machines from a user, said response indicating that a feedback option has been selected;

detecting a suspicious process at said one of said client machines;

sending client feedback data from said one of said client machines to an anti-malware service to help determine whether said suspicious process is a malicious process without informing said user that said suspicious process has been detected;

receiving feedback data from said plurality of client machines at said anti-malware service over an Internet connection, said feedback data including said client feedback data, each set of feedback data from one of said client machines providing characteristics of said suspicious process, said suspicious process not being identified as malware;

correlating said feedback data from at least two sets of said feedback data;

determining that said correlated feedback data indicates that said suspicious process is a malicious process;

calculating a virus signature of a computer file associated with said malicious process;

producing a virus pattern file that includes said calculated virus signature; and

sending said virus pattern file over the Internet from said anti-malware service to said one of said client machines.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Upon detection of a suspicious file, a client computer sends feedback data to an anti-malware service over the Internet. Files that are not suspicious or that are known clean are not reported; files that are known malware are acted upon immediately without needing to report them to the anti-malware service. Upon detection, no alert or warning is provided to the user of the client computer. The anti-malware service correlates data from other detection engines on the client computer or from other client computers and determines whether the file is malware or not. A new virus pattern is generated if the file is malware and includes the virus signature of the file; the new virus pattern is distributed back to the client computers. If not malware, no action need be taken, or, the virus signature of the file is removed from existing pattern files.

64 Citations

View as Search Results

15 Claims

1. A method of generating a pattern file, said method comprising:
- receiving a response at one of a plurality of client machines from a user, said response indicating that a feedback option has been selected;
  
  detecting a suspicious process at said one of said client machines;
  
  sending client feedback data from said one of said client machines to an anti-malware service to help determine whether said suspicious process is a malicious process without informing said user that said suspicious process has been detected;
  
  receiving feedback data from said plurality of client machines at said anti-malware service over an Internet connection, said feedback data including said client feedback data, each set of feedback data from one of said client machines providing characteristics of said suspicious process, said suspicious process not being identified as malware;
  
  correlating said feedback data from at least two sets of said feedback data;
  
  determining that said correlated feedback data indicates that said suspicious process is a malicious process;
  
  calculating a virus signature of a computer file associated with said malicious process;
  
  producing a virus pattern file that includes said calculated virus signature; and
  
  sending said virus pattern file over the Internet from said anti-malware service to said one of said client machines.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method as recited in claim 1 further comprising:
    - correlating said feedback data from at least two different client machines.
  - 3. A method as recited in claim 1 further comprising:
    - correlating said feedback data from at least two different detection engines from a single client machine.
  - 4. A method as recited in claim 1 further comprising:
    - sending said virus pattern file with said calculated virus signature back over the Internet to at least one of said client machines.
  - 5. A method as recited in claim 1 wherein said calculated virus signature is a CRC value or a hash value.
  - 6. A method as recited in claim 1 further comprising:
    - detecting said suspicious process on said one of said client machines, said suspicious process not being identified as malware when detected; and
      
      performing a feedback action in response to said detected suspicious process, said feedback action not alerting a user of said client machine.
  - 7. A method as recited in claim 1, further comprising:
    - receiving said virus pattern file from said anti-malware service at said one of said client machines;
      
      executing a detection engine on said client machine using said virus pattern file received from said anti-malware service; and
      
      detecting said suspicious process on said client machine and identifying said suspicious process as malware.
  - 8. A method as recited in claim 7 wherein said detection engine is a scanning engine, a rules-based engine, or a URL reputation-based engine.
  - 9. A method as recited in claim 1 wherein said virus pattern file includes virus signatures or heuristics.
  - 10. A method as recited in claim 1 wherein each set of feedback data includes a CRC value of a computer file associated with said suspicious process.
  - 11. A method as recited in claim 1 wherein each set of feedback data includes a URL of the origin of a computer file associated with said suspicious process.
  - 12. A method as recited in claim 7 wherein said detection engine uses a beta pattern or an aggressive pattern.
  - 13. A method as recited in claim 7 further comprising:
    - detecting said suspicious process by comparing a virus signature of said suspicious process to said virus pattern file of said client machine.
  - 14. A method as recited in claim 7 further comprising:
    - detecting said suspicious process by detecting a suspicious activity performed by said suspicious process.
  - 15. A method as recited in claim 1 comprising:
    - receiving a plurality of different sets of feedback data from said plurality of client machines at said anti-malware service; and
      
      matching common elements between said different sets of feedback data to help determine whether said suspicious process is a malicious process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Ho, Chang-Hsing, Cheng, Yi-Hung, Lee, Kun-Wei, Fan, Chi-Huang
Primary Examiner(s)
Armouche, Hadi

Application Number

US12/614,879
Time in Patent Office

1,282 Days
Field of Search

713/188, 726 22- 26
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

Silent detection of malware and feedback over a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Silent detection of malware and feedback over a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others