System and method of opportunistically protecting a computer from malware

US 8,561,190 B2
Filed: 05/16/2005
Issued: 10/15/2013
Est. Priority Date: 05/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method performed on a local computer that includes antivirus software, the method for closing a vulnerability on the local computer, the method comprising:

in response to the antivirus software detecting a presence of malware on the local computer, determining whether to request a remote computer associated with a trusted entity to identify a vulnerability exploited by the malware detected by the antivirus software on the local computer;

in response to determining that the remote computer is to be requested;

generating a dump file that contains current memory contents of the local computer,including the dump file in a request,transmitting the request to the remote computer associated with the trusted entity that provides a service that identifies vulnerabilities on behalf of other computers, the request comprising malware information identifying the malware detected by the antivirus software on the local computer,causing, in response to the transmitted request, the remote computer to match the memory contents of the local computer as recorded in the dump file to a malware and the vulnerability exploited by the malware, andreceiving, from the remote computer associated with the trusted entity, in response to the transmitted request, vulnerability information identifying the vulnerability;

in response to determining that the remote computer is not to be requested, identifying, based on information accessible to the local computer, the vulnerability;

obtaining a software update from the trusted entity, the software update being designed to close the vulnerability; and

causing the software update to be installed on the local computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system, method, and computer-readable medium that opportunistically install a software update on a computer that closes a vulnerability that existed on the computer. In accordance with one aspect of the present invention, when antivirus software on a computer identifies malware, a method causes a software update that closes the vulnerability exploited by the malware to be installed on the computer. The method includes identifying the vulnerability exploited by the malware, using a software update system to obtain a software update that is configured to close the vulnerability; and causing the software update to be installed on the computer where the vulnerability exists.

18 Citations

View as Search Results

13 Claims

1. A method performed on a local computer that includes antivirus software, the method for closing a vulnerability on the local computer, the method comprising:
- in response to the antivirus software detecting a presence of malware on the local computer, determining whether to request a remote computer associated with a trusted entity to identify a vulnerability exploited by the malware detected by the antivirus software on the local computer;
  
  in response to determining that the remote computer is to be requested;
  
  generating a dump file that contains current memory contents of the local computer,including the dump file in a request,transmitting the request to the remote computer associated with the trusted entity that provides a service that identifies vulnerabilities on behalf of other computers, the request comprising malware information identifying the malware detected by the antivirus software on the local computer,causing, in response to the transmitted request, the remote computer to match the memory contents of the local computer as recorded in the dump file to a malware and the vulnerability exploited by the malware, andreceiving, from the remote computer associated with the trusted entity, in response to the transmitted request, vulnerability information identifying the vulnerability;
  
  in response to determining that the remote computer is not to be requested, identifying, based on information accessible to the local computer, the vulnerability;
  
  obtaining a software update from the trusted entity, the software update being designed to close the vulnerability; and
  
  causing the software update to be installed on the local computer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as recited in claim 1, wherein the software update is obtained from the trusted entity using a client-based software update system designed to identify software updates that need to be installed on the local computer after performing an analysis of at least some configuration of the local computer.
  - 3. The method as recited in claim 1, wherein the software update is obtained from the trusted entity through a Web service that links the local computer to the software update.
  - 4. The method as recited in claim 1, wherein the software update is installed automatically without requiring input from the user.
  - 5. The method of claim 1, further comprising querying a database that stores at least one first identifier for the vulnerability in association with at least one second identifier for one or more malware which exploits the vulnerability.

6. At least one computer-readable storage device storing computer-executable instructions that, when executed by a local computer that includes antivirus software, cause the local computer to perform actions for closing a vulnerability on the local computer, the actions comprising:
- in response to the antivirus software identifying malware on the local computer, determining whether to request a remote computer to identify a vulnerability exploited by the malware detected by the antivirus software on the local computer;
  
  in response to determining that the remote computer is to be requested;
  
  generating a dump file that contains current memory contents of the local computer,including the dump file in a request,transmitting the request to the remote computer, the request comprising malware information identifying the malware detected by the antivirus software on the local computer,causing, in response to the transmitted request, the remote computer to match the memory contents of the local computer as recorded in the dump file to a malware and the vulnerability exploited by the malware, andreceiving, from the remote computer in response to the transmitted request, vulnerability information identifying the vulnerability;
  
  in response to determining that the remote computer is not to be requested, identifying the vulnerability;
  
  obtaining a software update from a trusted entity, the software update being designed to close the vulnerability; and
  
  causing the software update to be installed on the local computer.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The at least one computer-readable storage device as recited in claim 6, wherein the remote computer provides a Web service and the request transmitted to the remote computer is a Web request.
  - 8. The at least one computer-readable storage device as recited in claim 6, wherein the software update is obtained from the trusted entity using a client-based software update system designed to identify software updates that need to be installed on the local computer after identifying at least some configuration of the local computer.
  - 9. The at least one computer-readable storage device as recited in claim 6, wherein the software update is obtained from the trusted entity through a Web service that links the local computer to the software update using a Web page.
  - 10. The at least one computer-readable storage device as recited in claim 6, wherein the software update is installed automatically without requiring input from the user.
  - 11. The at least one computer-readable storage device of claim 6, wherein the method further comprises querying a database that stores at least one first identifier for the vulnerability in association with at least one second identifier for one or more malware which exploits the vulnerability.

12. A first computer and at least one program module together configured for performing actions for closing a vulnerability on the first computer, the first computer comprising a memory, the actions comprising:
- executing antivirus software configured for identifying data on the first computer that is characteristic of malware;
  
  determining whether to request a remote computer to identify a vulnerability exploited by malware detected by the antivirus software on the first computer;
  
  in response to determining that the remote computer is to be requested;
  
  generating a dump file that contains current memory contents of the first computer,including the dump file in a request,transmitting a request to the remote computer, the request comprising malware information identifying the malware detected by the antivirus software on the first computer,causing, in response to the transmitted request, the remote computer to match the memory contents of the first computer as recorded in the dump file to a malware and the vulnerability exploited by the malware, andreceiving, from the remote computer in response to the transmitted request, vulnerability information identifying the vulnerability;
  
  in response to determining that the remote computer is not to be requested, identifying the vulnerability on the first computer at least in part by accessing, based at least in part on the malware detected by the antivirus software on the first computer, a local data store that stores at least one first identifier for a vulnerability in association with at least one second identifier for malware that exploits the vulnerability;
  
  determining whether a software update is available from a trusted entity to close the vulnerability;
  
  in response to the determining that the software update is available from the trusted entity, causing the software update to be installed on the first computer; and
  
  in response to the determining that the software update is not available from the trusted entity, reporting to the trusted entity that no software updates are available to close the vulnerability.
- View Dependent Claims (13)
- - 13. The system as recited in claim 12, the actions further comprising using a software update system to obtain the software update from the trusted entity by issuing an application programming interface call to the software update system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Marinescu, Adrian M, Seinfeld, Marc E, Braverman, Matthew I
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US11/130,570
Publication Number

US 20060259974A1
Time in Patent Office

3,074 Days
Field of Search

726 22- 25, 713/188, 708238-249
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2115   Third party

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

System and method of opportunistically protecting a computer from malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of opportunistically protecting a computer from malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links