System and method for removal of malicious software from computer systems and management of treatment side-effects
Abstract
Removing malware from a computer system. An inspection module obtains an inspection log representing operational history of the operating system and the application programs of the computer system. The inspection log is analyzed to detect a presence of any malware on the computer system. A treatment scenario is generated that defines a plurality of actions to be executed for removing any malware present on the computer system, as detected in the analyzing. The treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules. The generated treatment scenario is evaluated to assess the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system. A modified treatment scenario can be created to reduce the risk in response to an assessment of the risk.
18 Claims
1. A security arrangement for removing malware from a computer system, the security arrangement comprising:
- computing hardware, including a processor, a data store, and input/output facilities;
- an operating system and application programs executable on the computing hardware;
- an inspection module that monitors operation of the operating system and application programs for a presence of malware, and generates an inspection log representing operational history of the operating system and the application programs;
- wherein the inspection module passes the inspection log to a log analyzer module operating on a remote service that responds by detecting a presence of any malware on the computer system based on information contained in the inspection log and in accordance with a malware knowledge base containing indicia of known malware or non-malware programs; and
- a treatment scenario execution module that obtains, from the remote service, a pre-evaluated treatment scenario which contains a specific set of instructions that represent a sequence of actions to be executed for removing any malware present on the computer system, as detected by the log analyzer module, the pre-evaluated treatment scenario having been generated specifically for use by the computer system by a scenario generator module based on the information contained in the inspection log and on a knowledge base of malware removal rules, the generated treatment scenario having been further pre-evaluated by a scenario side-effect evaluation module based on a knowledge base of side-effects relating to malware treatment actions and on the information contained in the inspection log, such that the actions represented by the instructions of the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are automatically modified to reduce the risk; and
- wherein the treatment scenario execution module executes the pre-evaluated treatment scenario using the computing hardware.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for removing malware from a remote computer system having computing hardware, an operating system, and application programs executable on the computing hardware, the method comprising:
- obtaining, from an inspection module having access to the remote computer system, an inspection log representing operational history of the operating system and the application programs, the inspection log being produced as a result of monitoring of the operating system and application programs for a presence of malware;
- analyzing the inspection log to detect a presence of any malware on the computer system based on information contained in the inspection log and in accordance with a malware knowledge base containing indicia of known malware or non-malware programs;
- generating a treatment scenario that contains a specific set of instructions that represent a sequence of actions to be executed for removing any malware present on the computer system, as detected in the analyzing, wherein the treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules;
- evaluating the generated treatment scenario based on a knowledge base of side-effects relating to malware treatment actions and on the information contained in the inspection log, such that the actions represented by the instructions of the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are assessed;
- in response to an assessment of the risk, creating a modified treatment scenario to reduce the risk; and
- providing the modified treatment scenario for execution by a treatment scenario execution module operating on the remote computer system.

Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A system for removing malware from a computer system having computing hardware, an operating system, and application programs executable on the computing hardware, the system comprising:
- means for obtaining, from an inspection module having access to the computer system, an inspection log representing operational history of the operating system and the application programs, the inspection log being produced as a result of monitoring of the operating system and application programs for a presence of malware;
- means for analyzing the inspection log to detect a presence of any malware on the computer system based on information contained in the inspection log and in accordance with a malware knowledge base containing indicia of known malware or non-malware programs;
- means for generating a treatment scenario that contains a specific set of instructions that represent a sequence of actions to be executed for removing any malware present on the computer system, as detected in the analyzing, wherein the treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules;
- means for evaluating the generated treatment scenario based on a knowledge base of side-effects relating to malware treatment actions and on the information contained in the inspection log, such that the actions represented by the instructions of the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are assessed;
- means for creating a modified treatment scenario to reduce the risk in response to an assessment of the risk; and
- means for providing the modified treatment scenario for execution by a treatment scenario execution module operating for the benefit of the computer system.
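The abstract and the three independent claims describe one pipeline: an inspection log is analyzed against a malware knowledge base, a treatment scenario is generated from removal rules, the scenario is evaluated against a side-effect knowledge base, and risky actions are modified before execution. The following is an added example written for this page, not code from the patent or its assignee; it runs the whole pipeline in a single process over a constructed inspection log. The log format, the knowledge-base contents (hashes, family names, the `shared_host` and `loaded_by:` flags), the action names and the two risk rules are all assumptions made for illustration, and the remote service of the claims is not modelled.

```python
# Added example, not code from the patent or its assignee: a toy, single-process
# version of the claimed pipeline (inspect -> analyze -> generate treatment scenario
# -> evaluate side-effects -> modify). Log format, knowledge-base contents, action
# names and risk rules are constructed assumptions; no remote service is modelled.
from collections import namedtuple

Entry = namedtuple("Entry", "kind name path flags")   # one inspection-log record
Action = namedtuple("Action", "op target reason")    # one treatment-scenario step

# Constructed inspection log, one "kind|name|path|flags" record per line.
INSPECTION_LOG = r"""
process|svchost.exe|C:\Windows\System32\svchost.exe|signed,shared_host
process|explorer.exe|C:\Windows\explorer.exe|signed
process|updater.exe|C:\Users\bob\AppData\Roaming\updater.exe|unsigned
file|svchost.exe|C:\Windows\System32\svchost.exe|sha256=00c0ffee
file|updater.exe|C:\Users\bob\AppData\Roaming\updater.exe|sha256=deadbeef
file|helper.dll|C:\Windows\System32\helper.dll|sha256=cafef00d,loaded_by:explorer.exe;svchost.exe
autorun|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\bob\AppData\Roaming\updater.exe|
"""
# Malware knowledge base: indicia of known malware and of known non-malware (constructed).
MALWARE_KB = {"sha256=deadbeef": "Trojan.Dropper.Example", "sha256=cafef00d": "Trojan.Injector.Example"}
NON_MALWARE_KB = {"sha256=00c0ffee"}
SYSTEM_DIRS = ("C:\\Windows\\",)
# Side-effect knowledge base: the safer substitute for an action judged risky.
SAFER_ACTION = {"delete_file": "quarantine_file_on_reboot", "terminate_process": "skip_until_reboot"}

def parse_log(text):
    """Inspection module output -> Entry records (blank lines ignored)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, name, path, flags = line.split("|", 3)
        entries.append(Entry(kind, name, path, frozenset(f for f in flags.split(",") if f)))
    return entries

def loaders_of(entry):
    """Processes recorded as having the file mapped (the 'loaded_by:a;b' flag)."""
    for f in entry.flags:
        if f.startswith("loaded_by:"):
            return f[len("loaded_by:"):].split(";")
    return []

def analyze(entries):
    """Log analyzer: file hashes matched against the malware knowledge base; known-good wins."""
    detections = {}
    for e in entries:
        if e.kind == "file":
            digest = next((f for f in e.flags if f.startswith("sha256=")), None)
            if digest in MALWARE_KB and digest not in NON_MALWARE_KB:
                detections[e.path] = MALWARE_KB[digest]
    return detections

def generate_scenario(entries, detections):
    """Scenario generator: removal rules turn each detection into an ordered action list."""
    procs = {e.name for e in entries if e.kind == "process"}
    files = {e.path: e for e in entries if e.kind == "file"}
    scenario = []
    for path, family in detections.items():
        for e in entries:
            if e.kind == "process" and e.path == path:
                scenario.append(Action("terminate_process", e.name, family))
            elif e.kind == "autorun" and e.path == path:
                scenario.append(Action("delete_autorun", e.name, family))
        for loader in loaders_of(files[path]):  # release the file before deleting it
            if loader in procs:
                scenario.append(Action("terminate_process", loader, family))
        scenario.append(Action("delete_file", path, family))
    return scenario

def evaluate_side_effects(scenario, entries):
    """Side-effect evaluator: actions that risk damaging the OS or applications."""
    procs = {e.name: e for e in entries if e.kind == "process"}
    files = {e.path: e for e in entries if e.kind == "file"}
    risks = {}
    for a in scenario:
        if a.op == "delete_file" and a.target.startswith(SYSTEM_DIRS) and loaders_of(files[a.target]):
            risks[a] = "system file mapped into " + ", ".join(loaders_of(files[a.target]))
        elif a.op == "terminate_process" and "shared_host" in procs[a.target].flags:
            risks[a] = "process hosts other OS services"
    return risks

def modify_scenario(scenario, risks):
    """Replace each risky action with its safer substitute, keeping the order."""
    return [Action(SAFER_ACTION[a.op], a.target, f"{a.reason}; {risks[a]}") if a in risks else a
            for a in scenario]

def treat(log_text):
    """Full pipeline; returns (detections, generated scenario, risks, modified scenario)."""
    entries = parse_log(log_text)
    detections = analyze(entries)
    scenario = generate_scenario(entries, detections)
    risks = evaluate_side_effects(scenario, entries)
    return detections, scenario, risks, modify_scenario(scenario, risks)

if __name__ == "__main__":
    for action in treat(INSPECTION_LOG)[3]:
        print(f"{action.op:26} {action.target}  ({action.reason})")
```

Run as a script, the block prints the modified scenario: the dropper under the user profile is terminated, its autorun entry and file are deleted outright, while the injected DLL under the system directory and the service-host process that has it mapped get the deferred, reversible substitutes because the side-effect rules flagged them. The separation of "assess" from "modify" mirrors claims 10 and 18, where the assessment and the creation of the modified scenario are distinct steps.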
Specification