Dynamic selection and loading of anti-malware signatures

US 8,925,085 B2
Filed: 11/15/2012
Issued: 12/30/2014
Est. Priority Date: 11/15/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

determining which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines on a local network that includes the device;

automatically obtaining the relevant malware detection signatures;

loading the relevant malware detection signatures to a malware scanner;

scanning the device using the relevant malware detection signatures; and

unloading signatures for threats that are no longer relevant to the device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware system dynamically determines which of the available malware detection signatures and classes of signatures are relevant and should be provided to a machine based on available information. The malware detection signatures are obtained and loaded automatically from one or more sources when a threat becomes relevant. A program or application may be blocked from accessing files until the relevant malware detection signatures have been loaded onto the machine.

19 Citations

View as Search Results

18 Claims

1. A computer-implemented method, comprising:
- determining which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines on a local network that includes the device;
  
  automatically obtaining the relevant malware detection signatures;
  
  loading the relevant malware detection signatures to a malware scanner;
  
  scanning the device using the relevant malware detection signatures; and
  
  unloading signatures for threats that are no longer relevant to the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining which malware detection signatures are relevant to the device based upon the device'"'"'s hardware configuration or software configuration or both.
  - 3. The computer-implemented method of claim 1, further comprising:
    - determining which malware detection signatures are relevant to the device based upon malware detected by one or more other machines on the device'"'"'s network.
  - 4. The computer-implemented method of claim 1, further comprising:
    - determining which malware detection signatures are relevant to the device based upon a configuration of one or more other machines on the device'"'"'s network.
  - 5. The computer-implemented method of claim 1, further comprising:
    - determining which malware detection signatures are relevant to the device based upon data aggregated on a global scale.
  - 6. The computer-implemented method of claim 1, further comprising:
    - determining which malware detection signatures are relevant to the device based upon a geographic location of the device.
  - 7. The computer-implemented method of claim 1, further comprising:
    - automatically obtaining the relevant malware detection signatures from one or more signature repositories.
  - 8. The computer-implemented method of claim 1, further comprising:
    - automatically obtaining the relevant malware detection signatures from a peer machine on the device'"'"'s network.
  - 9. The computer-implemented method of claim 1, further comprising:
    - automatically obtaining the relevant malware detection signatures from a local network signature server.
  - 10. The computer-implemented method of claim 1, further comprising:
    - automatically obtaining the relevant malware detection signatures from a local storage.
  - 11. The computer-implemented method of claim 1, wherein the relevant malware detection signatures comprise one or more classes of signatures, and further comprising:
    - automatically obtaining signatures for the one or more classes.
  - 12. The computer-implemented method of claim 1, further comprising:
    - loading the relevant malware detection signatures for a specified duration and then unloading the relevant malware detection signatures.
  - 13. The computer-implemented method of claim 1, further comprising:
    - blocking one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded.

14. A computer system, comprising:
- one or more processors;
  
  system memory;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the processors to perform a method for automatically determining and loading relevant malware detection signatures, the processor operating to;
  
  determine which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines on a local network that includes the device;
  
  automatically obtain the relevant malware detection signatures;
  
  load the relevant malware detection signatures to a malware scanner;
  
  scan the device using the relevant malware detection signatures; and
  
  unload signatures for threats that are no longer relevant to the device.
- View Dependent Claims (15, 16, 17)
- - 15. The computer system of claim 14, the processor further operating to:
    - determine which malware detection signatures are relevant to the device based upon a hardware configuration or a software configuration of the device.
  - 16. The computer system of claim 14, the processor further operating to:
    - determine which malware detection signatures are relevant to the device based upon a configuration of one or more other machines on the device'"'"'s network.
  - 17. The computer system of claim 14, the processor further operating to:
    - block one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded.

18. A computer program product for implementing a method for automatically determining and loading relevant malware detection signatures, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of a computing system, cause the computing system to perform the method comprising of:
- determining which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines on a local network that includes the device, wherein the relevant malware detection signatures are determined based upona hardware configuration or a software configuration of the device,malware detected by one or more other machines on a local network,a configuration of one or more other machines on the device'"'"'s network,data aggregated on a global scale, ora geographic location of the device;
  
  blocking one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded;
  
  automatically obtaining the relevant malware detection signatures;
  
  loading the relevant malware detection signatures to a malware scanner;
  
  scanning the device using the relevant malware detection signatures; and
  
  unloading signatures for threats that are no longer relevant to the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Johnson, Joseph, Kapoor, Vishal, Jarrett, Michael S., Thompson, Ronald L.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BELL, KALISH K

Application Number

US13/677,931
Publication Number

US 20140137249A1
Time in Patent Office

775 Days
Field of Search

726 22- 26
US Class Current

726/23
CPC Class Codes

G06F 21/564 by virus signature recognition

Dynamic selection and loading of anti-malware signatures

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic selection and loading of anti-malware signatures

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links