System, method and computer program product for identifying unwanted code associated with network communications

US 8,458,789 B1
Filed: 03/09/2006
Issued: 06/04/2013
Est. Priority Date: 03/09/2006
Status: Active Grant

First Claim

Patent Images

1. A method performed by at least one computer, comprising:

identifying a network communication that includes computer code;

comparing the computer code to a plurality of trusted codes, wherein a state associated with the computer code is stored such that if the computer code were disabled through a changing of references to registry locations, the computer code can be re-enabled utilizing the state, which was stored;

comparing content within the network communication to a plurality of stored network communication content known to be initiated by unwanted code when the comparing of the computer code to the plurality of trusted codes indicates that the computer code does not match one of the plurality of trusted codes; and

determining, utilizing a firewall, whether the network communication is initiated by a process associated with unwanted code based upon the comparison of the content within the network communication to the plurality of stored network communication content.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided including identifying a network communication and determining whether the network communication is initiated by a process associated with unwanted code. As an option, a firewall may identify the network communication and computer code may determine whether the network communication is initiated by a process associated with unwanted code. As an option, in one embodiment, a method may be provided whereby unwanted code identified by network communication may be quarantined and/or the process associated with the unwanted code may be terminated.

Citations

18 Claims

1. A method performed by at least one computer, comprising:
- identifying a network communication that includes computer code;
  
  comparing the computer code to a plurality of trusted codes, wherein a state associated with the computer code is stored such that if the computer code were disabled through a changing of references to registry locations, the computer code can be re-enabled utilizing the state, which was stored;
  
  comparing content within the network communication to a plurality of stored network communication content known to be initiated by unwanted code when the comparing of the computer code to the plurality of trusted codes indicates that the computer code does not match one of the plurality of trusted codes; and
  
  determining, utilizing a firewall, whether the network communication is initiated by a process associated with unwanted code based upon the comparison of the content within the network communication to the plurality of stored network communication content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the unwanted code is installed on a computer on which the firewall is installed.
  - 3. The method of claim 1, wherein the network communication includes an incoming network communication.
  - 4. The method of claim 1, wherein the network communication includes an outgoing network communication.
  - 5. The method of claim 1, wherein the determining includes comparing suspect code associated with the network communication with a database of known unwanted code.
  - 6. The method of claim 1, wherein the comparing of the network communication to the plurality of stored network communications further includes comparing the network communication with a database of network communications known to be initiated by unwanted code.
  - 7. The method of claim 1, wherein the comparing of the network communication is performed after comparing suspect code associated with the network communication with a database of known unwanted code.
  - 8. The method of claim 1, wherein a user is notified if it is determined that the network communication is initiated by a process associated with unwanted code.
  - 9. The method of claim 8, wherein a reaction is performed in response to the determination that the network communication is initiated by a process associated with unwanted code.
  - 10. The method of claim 9, wherein the user is prompted to approve the reaction.
  - 11. The method of claim 9, wherein the reaction includes removal of references to the unwanted code from a registry.
  - 12. The method of claim 9, wherein the reaction includes termination of the process.
  - 13. The method of claim 9, wherein the reaction includes quarantining the unwanted code.
  - 14. The method of claim 9, wherein the reaction includes storing a state associated with the unwanted code for allowing the reaction to be undone.
  - 15. The method of claim 1, wherein the unwanted code includes at least one of adware, spyware, and malicious software.
  - 16. The method of claim 1, wherein the unwanted code is directed toward terrorism, and the terrorism is countered by the determining.

17. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- identifying a network communication that includes computer code;
  
  comparing the computer code to a plurality of trusted codes, wherein a state associated with the computer code is stored such that if the computer code were disabled through a changing of references to registry locations, the computer code can be re-enabled utilizing the state, which was stored;
  
  comparing content within the network communication to a plurality of stored network communication content known to be initiated by unwanted code when the comparing of the computer code to the plurality of trusted codes indicates that the computer code does not match one of the plurality of trusted codes; and
  
  determining, utilizing a firewall, whether the network communication is initiated by a process associated with unwanted code based upon the comparison of the content within the network communication to the plurality of stored network communication content.

18. A system, comprising:
- a firewall that includes a processor, the system being configured for;
  
  identifying a network communication that includes computer code;
  
  comparing the computer code to a plurality of trusted codes, wherein a state associated with the computer code is stored such that if the computer code were disabled through a changing of references to registry locations, the computer code can be re-enabled utilizing the state, which was stored;
  
  comparing content within the network communication to a plurality of stored network communication content known to be initiated by unwanted code when the comparing of the computer code to the plurality of trusted codes indicates that the computer code does not match one of the plurality of trusted codes; and
  
  determining, utilizing a firewall, whether the network communication is initiated by a process associated with unwanted code based upon the comparison of the content within the network communication to the plurality of stored network communication content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bartram, Anthony V.
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/373,070
Time in Patent Office

2,644 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

H04L 63/145   the attack involving the pr...

System, method and computer program product for identifying unwanted code associated with network communications

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for identifying unwanted code associated with network communications

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links