Method and system for minimizing the effects of rogue security software

US 8,479,289 B1
Filed: 10/27/2009
Issued: 07/02/2013
Est. Priority Date: 10/27/2009
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented process for minimizing the effects of rogue security software comprising:

providing a security system to monitor a given user computing system to detect any alerts generated regarding the given user computing system, the security system being implemented, at least in part, on one or more computing systems;

detecting a given alert regarding the given user computing system through the security system;

analyzing the given alert regarding the given user computing system using one or more processors associated with the one or more computing systems and determining that the given alert is a malware alert, wherein a malware alert is an alert that is generated to alert a user of the user computing system of one or more malware files the alert indicates are present within the user computing system;

transforming data indicating a status of the given alert regarding the given user computing system to data indicating a status of malware alert using one or more processors associated with the one or more computing systems;

taking one or more actions to protect a user of the given user computing system from responding to the given malware alert while an initial malware alert analysis of the given malware alert is performed;

performing the initial malware alert analysis of the given malware alert using one or more processors associated with the one or more computing systems and determining that the malware alert is associated with rogue security software, wherein determining that the malware alert is associated with rogue security software comprises determining that at least one of the files indicated by the alert is not present within the system;

transforming data indicating a status of the given malware alert to data indicating a status of malware alert potentially associated with rogue security software using one or more processors associated with the one or more computing systems; and

taking one or more actions to protect a user of the given user computing system from responding to the given malware alert at least until further analysis of the given malware alert is performed.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for minimizing the effects of rogue security software leverages the fact that virtually all rogue security software generates malware alerts to scare the user/victim into submitting their payment information, and the fact that the malware alerts generated by rogue security software are almost never changed. In one example, a user computing system is monitored/scanned for any alerts being presented to the user. Once an alert is detected, the alert content is sampled and analyzed for defined keywords that indicate the alert is a malware alert and any alert including the defined keywords is considered a malware alert and is treated as being potentially generated by rogue security software. All malware alerts are therefore subjected to an initial malware alert analysis before the user is allowed to see, and/or respond, at least without a warning, to the malware alert. If it is determined that the malware alert is suspicious for any reason, then the malware alert is determined to be potentially generated by rogue security software and the user is prevented from seeing, and/or responding to, at least without a warning, the malware alert until a more definitive analysis can be performed.

25 Citations

View as Search Results

20 Claims

1. A computing system implemented process for minimizing the effects of rogue security software comprising:
- providing a security system to monitor a given user computing system to detect any alerts generated regarding the given user computing system, the security system being implemented, at least in part, on one or more computing systems;
  
  detecting a given alert regarding the given user computing system through the security system;
  
  analyzing the given alert regarding the given user computing system using one or more processors associated with the one or more computing systems and determining that the given alert is a malware alert, wherein a malware alert is an alert that is generated to alert a user of the user computing system of one or more malware files the alert indicates are present within the user computing system;
  
  transforming data indicating a status of the given alert regarding the given user computing system to data indicating a status of malware alert using one or more processors associated with the one or more computing systems;
  
  taking one or more actions to protect a user of the given user computing system from responding to the given malware alert while an initial malware alert analysis of the given malware alert is performed;
  
  performing the initial malware alert analysis of the given malware alert using one or more processors associated with the one or more computing systems and determining that the malware alert is associated with rogue security software, wherein determining that the malware alert is associated with rogue security software comprises determining that at least one of the files indicated by the alert is not present within the system;
  
  transforming data indicating a status of the given malware alert to data indicating a status of malware alert potentially associated with rogue security software using one or more processors associated with the one or more computing systems; and
  
  taking one or more actions to protect a user of the given user computing system from responding to the given malware alert at least until further analysis of the given malware alert is performed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system implemented process for minimizing the effects of rogue security software of claim 1, wherein:
    - analyzing the given alert regarding the given user computing system using one or more processors associated with the one or more computing systems includes scanning the given alert regarding the given user computing system using one or more processors associated with the one or more computing systems to check for one or more defined keywords that indicate the given alert is a malware alert.
  - 3. The computing system implemented process for minimizing the effects of rogue security software of claim 1, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine one of more user computing system files identified in the given malware alert as purportedly containing malware and identifying the source of the files identified in the given malware alert.
  - 4. The computing system implemented process for minimizing the effects of rogue security software of claim 1, wherein:
    - at least one of the one or more actions taken to protect a user of the given user computing system from responding to the given malware alert is selected from the group of protective actions consisting of;
      
      quarantining the given malware alert;
      
      disabling one or more potential user response actions to the given malware alert; and
      
      generating a warning and presenting the warning to the user warning the user that the given malware alert may be associated with rogue security software and may be malicious.
  - 5. The computing system implemented process for minimizing the effects of rogue security software of claim 1, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine what files are identified in the given malware alert as purportedly containing malware and then scanning the given user computing system to determine if the files identified in the given malware alert as purportedly containing malware are present on the given user computing system.
  - 6. The computing system implemented process for minimizing the effects of rogue security software of claim 1, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine what files are identified in the given malware alert as purportedly containing malware and then comparing the files identified in the given malware alert as purportedly containing malware with known “
      
      clean”
      
      copies of the files identified in the given malware alert as purportedly containing malware to determine if they do contain malware.
  - 7. The computing system implemented process for minimizing the effects of rogue security software of claim 1, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine what files are identified in the given malware alert as purportedly containing malware and scanning/analyzing the files identified in the given malware alert as purportedly containing malware using one or more security systems associated with one or more security system providers to determine if the files identified in the given malware alert as purportedly containing malware do in fact contain malware.

8. A system for minimizing the effects of rogue security software comprising:
- a given user computing system;
  
  a security system associated with the given user computing system;
  
  a security system provider computing system;
  
  one or more processors associated with the security system provider computing system, the one or more processors associated with the security system provider computing system executing at least part of a computing system implemented process for minimizing the effects of rogue security software, the computing system implemented process for minimizing the effects of rogue security software comprising;
  
  monitoring the given user computing system using the security system to detect any alerts generated regarding the given user computing system, the security system being implemented, at least in part, by the security system provider computing system;
  
  detecting a given alert regarding the given user computing system through the security system;
  
  analyzing the given alert regarding the given user computing system using the one or more processors associated with the security system provider computing system and determining that the given alert is a malware alert, wherein a malware alert is an alert that is generated to alert a user of the user computing system of one or more malware files the alert indicates are present within the user computing system;
  
  transforming data indicating a status of the given alert regarding the given user computing system to data indicating a status of malware alert using the one or more processors associated with the security system provider computing system;
  
  taking one or more actions to protect a user of the given user computing system from responding to the given malware alert while an initial malware alert analysis of the given malware alert is performed;
  
  performing the initial malware alert analysis of the given malware alert using the one or more processors associated with the security system provider computing system and determining that the malware alert is associated with rogue security software, wherein determining that the malware alert is associated with rogue security software comprises determining that at least one of the files indicated by the alert is not present within the system;
  
  transforming data indicating a status of the given malware alert to data indicating a status of malware alert potentially associated with rogue security software using the one or more processors associated with the security system provider computing system; and
  
  taking one or more actions to protect a user of the given user computing system from responding to the given malware alert at least until further analysis of the given malware alert is performed.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system for minimizing the effects of rogue security software of claim 8, wherein:
    - analyzing the given alert regarding the given user computing system using the one or more processors associated with the security system provider computing system includes scanning the given alert regarding the given user computing system using the one or more processors associated with the security system provider computing system to check for one or more defined keywords that indicate the given alert is a malware alert.
  - 10. The computing system implemented process for minimizing the effects of rogue security software of claim 9, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine one of more user computing system files identified in the given malware alert as purportedly containing malware and identifying the source of the files identified in the given malware alert.
  - 11. The system for minimizing the effects of rogue security software of claim 8, wherein:
    - at least one of the one or more actions taken to protect a user of the given user computing system from responding to the given malware alert is selected from the group of protective actions consisting of;
      
      quarantining the given malware alert;
      
      disabling one or more potential user response actions to the given malware alert; and
      
      generating a warning and presenting the warning to the user warning the user that the given malware alert may be associated with rogue security software and may be malicious.
  - 12. The system for minimizing the effects of rogue security software of claim 8, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine one of more user computing system files identified in the given malware alert as purportedly containing malware and then scanning the given user computing system to determine if the files identified in the given malware alert as purportedly containing malware are present on the given user computing system.
  - 13. The system for minimizing the effects of rogue security software of claim 8, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine what files are identified in the given malware alert as purportedly containing malware and then comparing the files identified in the given malware alert as purportedly containing malware with known “
      
      clean”
      
      copies of the files identified in the given malware alert as purportedly containing malware to determine if they do contain malware.
  - 14. The system for minimizing the effects of rogue security software of claim 8, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine what files are identified in the given malware alert as purportedly containing malware and scanning/analyzing the files identified in the given malware alert as purportedly containing malware using one or more security systems associated with one or more security system providers to determine if the files identified in the given malware alert as purportedly containing malware do in fact contain malware.

15. A system for minimizing the effects of rogue security software comprising:
- a given user computing system;
  
  a security system associated with the given user computing system;
  
  one or more processors associated with the given user computing system, the one or more processors associated with the given user computing system executing at least part of a computing system implemented process for minimizing the effects of rogue security software, the computing system implemented process for minimizing the effects of rogue security software comprising;
  
  monitoring the given user computing system using the security system to detect any alerts generated regarding the given user computing system, the security system being implemented, at least in part, by the given user computing system;
  
  detecting a given alert regarding the given user computing system through the security system;
  
  analyzing the given alert regarding the given user computing system using the one or more processors associated with the given user computing system and determining that the given alert is a malware alert, wherein a malware alert is an alert that is generated to alert a user of the user computing system of one or more malware files the alert indicates are present within the user computing system;
  
  transforming data indicating a status of the given alert regarding the given user computing system to data indicating a status of malware alert using the one or more processors associated with the given user computing system;
  
  taking one or more actions to protect a user of the given user computing system from responding to the given malware alert while an initial malware alert analysis of the given malware alert is performed;
  
  performing the initial malware alert analysis of the given malware alert using the one or more processors associated with the given user computing system and determining that the malware alert is associated with rogue security software, wherein determining that the malware alert is associated with rogue security software comprises determining that at least one of the files indicated by the alert is not present within the system;
  
  transforming data indicating a status of the given malware alert to data indicating a status of malware alert potentially associated with rogue security software using the one or more processors associated with the given user computing system; and
  
  taking one or more actions to protect a user of the given user computing system from responding to the given malware alert at least until further analysis of the given malware alert is performed.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system for minimizing the effects of rogue security software of claim 15, wherein:
    - analyzing the given alert regarding the given user computing system using the one or more processors associated with the given user computing system to determine if the given alert is a malware alert includes scanning the given alert regarding the given user computing system using the one or more processors associated with the given user computing system to check for one or more defined keywords that indicate the given alert is a malware alert.
  - 17. The computing system implemented process for minimizing the effects of rogue security software of claim 16, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine one of more user computing system files identified in the given malware alert as purportedly containing malware and identifying the source of the files identified in the given malware alert.
  - 18. The system for minimizing the effects of rogue security software of claim 15, wherein:
    - at least one of the one or more actions taken to protect a user of the given user computing system from responding to the given malware alert is selected from the group of protective actions consisting of;
      
      quarantining the given malware alert;
      
      disabling one or more potential user response actions to the given malware alert; and
      
      generating a warning and presenting the warning to the user warning the user that the given malware alert may be associated with rogue security software and may be malicious.
  - 19. The system for minimizing the effects of rogue security software of claim 15, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine what files are identified in the given malware alert as purportedly containing malware and then scanning the given user computing system to determine if the files identified in the given malware alert as purportedly containing malware are present on the given user computing system.
  - 20. The system for minimizing the effects of rogue security software of claim 15, wherein:
    - the initial malware alert analysis of the given malware alert includes scanning the given malware alert to determine what files are identified in the given malware alert as purportedly containing malware and then comparing the files identified in the given malware alert as purportedly containing malware with known “
      
      clean”
      
      copies of the files identified in the given malware alert as purportedly containing malware to determine if they do contain malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Krishnappa, Bhaskar
Primary Examiner(s)
EDWARDS, LINGLAN E

Application Number

US12/606,418
Time in Patent Office

1,344 Days
Field of Search

726/22, 726/23
US Class Current

726/23
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/56 Computer malware detection ...

Method and system for minimizing the effects of rogue security software

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and system for minimizing the effects of rogue security software

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others