System and method for using snapshots for rootkit detection
First Claim
1. A method for identifying malicious code running on a computer having a data storage device, the method comprising:
- starting an operating system on the computer;
- starting a trusted software component running simultaneously with the operating system;
- performing an online snapshot process of a current state of the data storage device to store a snapshot of the storage media in a backup storage area, performing the snapshot process including:
  - creating a map of the storage drive absent using drivers of the operating system, the map identifying areas of the data storage device to be copied;
  - upon receipt of a write request to write a block into an area, determining if the area has been previously copied to the backup storage area by the snapshot process;
  - for areas not previously copied by the snapshot process, copying data blocks that need to be re-written from the storage device to intermediate storage and updating a pointer in the map of the snapshot;
- analyzing data representing the snapshot of the storage media via the trusted software component for snapshot area to detect malicious code; and
- replacing files with detected malicious code with trusted/malicious code-free copies of the files.
Abstract
A system, method and computer program product for identifying malicious code running on a computer, including an operating system running on the computer with a data storage device; and a trusted software component running simultaneously with the operating system. An online snapshot process of a current state of the data storage device copies data blocks from the storage device to intermediate storage. Processes running under the control of the operating system have access to the data storage device. A scanning procedure runs under control of the trusted software component that has access to data representing the snapshot of the data storage device from the trusted software component. The scanning procedure analyzes the snapshot of the data storage device for the malicious code, and, in response to a “write” directed to a data block in the snapshot area of the storage device, that data block is written to the intermediate storage.
17 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17.
15. A method for identifying malicious code running on a computer having a data storage device, the method comprising:
- starting a trusted software component running simultaneously with the operating system, wherein the trusted software component has access to the data storage device;
- performing a backup process of a current state of the data storage device, performing the backup process including:
  - creating a map of the storage drive absent using drivers of the operating system, the map identifying areas of the data storage device to be copied;
  - upon receipt of a write request to write a block into an area, determining if the area has been previously copied to the backup storage area by the backup process; and
  - for areas not previously copied by the backup process, copying data blocks that need to be re-written from the storage device to intermediate storage and updating a pointer in the map of the snapshot; and
  - copying the data from the intermediate storage to the backup storage area;
- providing access to the data storage device to processes running under the control of the operating system;
- using a trusted software component to scan the backup of the storage media via the trusted software component for detecting malicious code.
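The copy-on-write snapshot that claims 1 and 15 describe (a map of areas, interception of write requests, copying the old block to intermediate storage before it is overwritten, and a scan of the snapshot view by the trusted component) as an added Python model; this is not code from the patent, and the disk contents, the `SnapshotDisk` class and the `b"EVIL"` detection signature are constructed for illustration.

```python
# Added example (not from the patent): a minimal model of the online
# copy-on-write snapshot in claims 1 and 15. A scanner reading the snapshot
# view sees the disk as it was when the snapshot started, even though the
# live operating system keeps writing to it.
from dataclasses import dataclass, field


@dataclass
class SnapshotDisk:
    """Block device with a point-in-time snapshot taken while writes continue."""
    live: list                                         # blocks the OS reads/writes
    intermediate: dict = field(default_factory=dict)   # block index -> pre-write copy
    copied: set = field(default_factory=set)           # the map: areas already preserved

    def write(self, index, data):
        # Write interception: if this area has not been preserved yet, copy the
        # old contents to intermediate storage and update the map; later writes
        # to the same area do not copy again (the map already points at the copy).
        if index not in self.copied:
            self.intermediate[index] = self.live[index]
            self.copied.add(index)
        self.live[index] = data

    def snapshot_read(self, index):
        # Snapshot view: the preserved copy if the block was rewritten, else live data.
        return self.intermediate.get(index, self.live[index])


def scan_snapshot(disk, signature):
    """Trusted-component scan over the snapshot view.
    Returns the indexes of blocks containing the (constructed) signature."""
    return [i for i in range(len(disk.live)) if signature in disk.snapshot_read(i)]


def demo():
    # Constructed disk contents; b"EVIL" stands in for a real detection signature.
    disk = SnapshotDisk(live=[b"boot", b"EVIL-driver", b"data", b"log"])
    # After the snapshot starts, a process under the OS rewrites block 1, so a
    # scan of the live disk no longer finds the artifact that was there.
    disk.write(1, b"clean-looking")
    disk.write(1, b"clean-looking-again")   # same area: no second copy is made
    live_hits = [i for i, b in enumerate(disk.live) if b"EVIL" in b]
    snap_hits = scan_snapshot(disk, b"EVIL")
    return live_hits, snap_hits             # returns ([], [1])


if __name__ == "__main__":
    print(demo())
```

The snapshot scan reports block 1 although the live disk has already been rewritten, which is the detection gap the trusted-component scan of the snapshot is meant to close.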
Specification