System and method for using snapshots for rootkit detection

US 8,856,927 B1
Filed: 11/24/2010
Issued: 10/07/2014
Est. Priority Date: 07/22/2003
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malicious code running on a computer having a data storage device, the method comprising:

starting an operating system on the computer;

starting a trusted software component running simultaneously with the operating system;

performing an online snapshot process of a current state of the data storage device to store a snapshot of the storage media in a backup storage area, performing the snapshot process including;

creating a map of the storage drive absent using drivers of the operating system, the map identifying areas of the data storage device to be copied;

upon receipt of a write request to write a block into an area, determining if the area has been previously copied to the backup storage area by the snapshot process;

for areas not previously copied by the snapshot process, copying data blocks that need to be re-written from the storage device to intermediate storage and updating a pointer in the map of the snapshot;

analyzing data representing the snapshot of the storage media via the trusted software component for snapshot area to detect malicious code; and

replacing files with detected malicious code with trusted/malicious code-free copies of the files.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for identifying malicious code running on a computer, including an operating system running on the computer with a data storage device; and a trusted software component running simultaneously with the operating system. An online snapshot process of a current state of the data storage device copies data blocks from the storage device to intermediate storage. Processes running under the control of the operating system have access to the data storage device. A scanning procedure runs under control of the trusted software component that has access to data representing the snapshot of the data storage device from the trusted software component. The scanning procedure analyzes the snapshot of the data storage device for the malicious code, and, in response to a “write” directed to a data block in the snapshot area of the storage device, that data block is written to the intermediate storage.

Citations

17 Claims

1. A method for identifying malicious code running on a computer having a data storage device, the method comprising:
- starting an operating system on the computer;
  
  starting a trusted software component running simultaneously with the operating system;
  
  performing an online snapshot process of a current state of the data storage device to store a snapshot of the storage media in a backup storage area, performing the snapshot process including;
  
  creating a map of the storage drive absent using drivers of the operating system, the map identifying areas of the data storage device to be copied;
  
  upon receipt of a write request to write a block into an area, determining if the area has been previously copied to the backup storage area by the snapshot process;
  
  for areas not previously copied by the snapshot process, copying data blocks that need to be re-written from the storage device to intermediate storage and updating a pointer in the map of the snapshot;
  
  analyzing data representing the snapshot of the storage media via the trusted software component for snapshot area to detect malicious code; and
  
  replacing files with detected malicious code with trusted/malicious code-free copies of the files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17)
- - 2. The method of claim 1, wherein a backup is created based on the snapshot, and further comprising performing an analysis of data representing the backup of the storage media via the trusted software component for backup area to detect malicious code.
  - 3. The method of claim 1, wherein, after detection of the malicious code the malicious code is removed from the file in which the malicious code was detected, without otherwise damaging the file.
  - 4. The method of claim 1, further comprising deleting the file in which the malicious code was detected.
  - 5. The method of claim 2, wherein contents of the intermediate storage are used for restoring a previous state of a storage device and are copied to the backup storage as an incremental backup upon user command.
  - 6. The method of claim 2, wherein data blocks of the intermediate storage are copied to the backup storage as an incremental backup.
  - 7. The method of claim 1, wherein the trusted software component is an antivirus.
  - 8. The method of claim 7, wherein the malicious code is detected by the trusted software component using a comparison with a database of names, fingerprints, signatures, control sums, or CRCs.
  - 9. The method of claim 8, wherein the malicious code is rootkit.
  - 10. The method of claim 8, wherein the malicious code is a computer virus.
  - 11. The method of claim 8, wherein the files being analyzed are hidden files.
  - 12. The method of claim 8, wherein the files being analyzed are hidden from the file system.
  - 13. The method of claim 8, wherein the files being analyzed are hidden from an antivirus program.
  - 14. The method of claim 1, wherein the trusted software component includes a procedure that compares characteristic properties of files on the storage medium with properties stored in a database.
  - 16. The method of claim 1, wherein the trusted software component has the same privilege level as the operating system.
  - 17. The method of claim 1, wherein performing the online snapshot process further comprises copying the data from the intermediate storage to the backup storage area.

15. A method for identifying malicious code running on a computer having a data storage device, the method comprising:
- starting a trusted software component running simultaneously with the operating system, wherein the trusted software component has access to the data storage device;
  
  performing a backup process of a current state of the data storage device, performing the backup process including;
  
  creating a map of the storage drive absent using drivers of the operating system, the map identifying areas of the data storage device to be copied;
  
  upon receipt of a write request to write a block into an area, determining if the area has been previously copied to the backup storage area by the backup process; and
  
  for areas not previously copied by the backup process, copying data blocks that need to be re-written from the storage device to intermediate storage and updating a pointer in the map of the snapshot; and
  
  copying the data from the intermediate storage to the backup storage area;
  
  providing access to the data storage device to processes running under the control of the operating system;
  
  using a trusted software component to scan the backup of the storage media via the trusted software component for detecting malicious code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MidCap Financial Trust
Original Assignee
Acronis International GmbH (Acronis AG)
Inventors
Beloussov, Serguei M., Lyadvinsky, Maxim V.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US12/954,454
Time in Patent Office

1,413 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 11/1458   Management of the backup or...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/033   Test or assess software

System and method for using snapshots for rootkit detection

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using snapshots for rootkit detection

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links