System and method for below-operating system modification of malicious code on an electronic device
First Claim
1. A method for securing an electronic device, comprising:
detecting, at a higher priority than all of one or more operating systems of the electronic device, presence of malicious code;
determining whether the malicious code is included in an operating system component;
in response to detecting the presence of malicious code in the operating system component, modifying, at a higher priority than all of one or more operating systems of the electronic device, the malicious code with trusted code for the operating system component;
in response to detecting the presence of malicious code as residing outside of operating system components, modifying, at a higher priority than all of one or more operating systems of the electronic device, the malicious code as embodied in a memory of the electronic device such that an entity including the malicious code self-terminates;
wherein:
the modification includes insertion of a call to an operating system exit routine; and
detecting the presence of malicious code as residing outside of operating system components includes detecting a difference in monitored file writes between an internal operating system monitor and external operating system monitor outside of the operating system;
determining whether the malicious code is embodied in storage of the electronic device;
performing corrective action upon the malicious code in storage of the electronic device based upon a determination that the malicious code is embodied in storage of the electronic device;
identifying a related portion of memory associated with a memory location of the malicious code; and
performing corrective action upon the related portion of memory.
Abstract
A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to detect presence of malicious code and, in response to detecting presence of the malicious code, modify the malicious code.
13 Claims
1. A method for securing an electronic device, comprising the elements set out above under First Claim. Dependent claims: 2, 3, 4.
5. A system for securing an electronic device, comprising:
a memory;
a processor;
one or more operating systems residing in the memory for execution by the processor; and
a security agent configured to execute on the electronic device at a higher priority than all of the operating systems of the electronic device, and further configured to:
detect presence of malicious code;
determine whether the malicious code infects an operating system component;
in response to detecting presence of the malicious code infection in the operating system component, modify the malicious code with trusted code for the operating system component;
in response to detecting the presence of the malicious code beyond the operating system component, modify the malicious code as embodied in a memory of the electronic device such that an entity including the malicious code self-terminates by inserting a call to an operating system exit routine, wherein:
detecting the presence of malicious code as residing outside of operating system components includes detecting a difference in monitored file writes between file writes monitored by an internal operating system monitor and file writes monitored by an external operating system monitor residing outside of the operating system;
determine whether storage of the electronic device also includes the malicious code;
performing corrective action upon storage of the electronic device based upon a determination that the storage includes the malicious code;
identify a portion of memory contiguous with a memory location of the malicious code; and
performing corrective action for the malicious code upon a physical memory location translated from the portion of memory.
Dependent claims: 6, 7, 8.
9. An article of manufacture, comprising:
a non-transitory computer readable medium;
computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to, at a level below higher priority than all of one or more operating systems of an electronic device:
detect presence of malicious code in the memory or storage of electronic device;
determine whether the malicious code has infected an operating system component;
in response to detecting the presence of the malicious code and that the malicious code has infected the operating system component, modify the malicious code by adding trusted code in the operating system component;
in response to detecting the presence of the malicious code and that the operating system component is free from the malicious code, modify the malicious code as embodied in a memory of the electronic device such that an entity including the malicious code self-terminates by adding a call to an operating system exit routine, wherein:
detecting the presence of malicious code as residing outside of operating system components includes detecting a difference in monitored file writes between file writes monitored by an internal operating system monitor and file writes monitored by an external operating system monitor residing outside of the operating system;
determine whether storage of the electronic device includes the malicious code;
perform corrective action upon the storage of the electronic device for the malicious code based upon a determination that the storage includes the malicious code;
identify a related portion of memory associated with a memory location of the malicious code; and
perform corrective action upon the related portion of memory.
Dependent claims: 10, 11, 12, 13.
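The detection step and remediation branches the claims above describe, as an added Python example that is not the patent's or its assignee's code. It assumes constructed monitor reports, a constructed trusted-component table and constructed memory-region lists, and models the "related portion of memory" as the same-owner regions contiguous with the malicious location (claim 5's wording).

```python
# Added example (not the patent's code): a model of the claimed cross-view
# detection and the remediation branches, on constructed inputs. The below-OS
# monitor is assumed to see every write while the in-OS monitor can be blinded.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class FileWrite:
    writer: str  # entity (process or driver) that performed the write
    path: str

# Constructed table of OS components for which trusted code is available.
TRUSTED_OS_COMPONENTS = {"ntfs.sys", "tcpip.sys"}

def hidden_writes(internal: List[FileWrite], external: List[FileWrite]) -> Set[FileWrite]:
    """Writes seen by the external (below-OS) monitor but not by the internal one."""
    return set(external) - set(internal)

def related_region(regions: List[Tuple[int, int, str]], addr: int) -> Optional[Tuple[int, int]]:
    """Region holding addr, widened over same-owner regions contiguous with it."""
    owned = sorted(regions)
    for i, (start, end, owner) in enumerate(owned):
        if start <= addr < end:
            lo, hi, j = start, end, i - 1
            while j >= 0 and owned[j][2] == owner and owned[j][1] == lo:
                lo, j = owned[j][0], j - 1
            j = i + 1
            while j < len(owned) and owned[j][2] == owner and owned[j][0] == hi:
                hi, j = owned[j][1], j + 1
            return lo, hi
    return None

def plan_remediation(internal: List[FileWrite], external: List[FileWrite],
                     storage: Set[str], regions: List[Tuple[int, int, str]],
                     locations: Dict[str, int]) -> Dict[str, List[str]]:
    """Any writer with a hidden write is malicious; apply the claim's branches."""
    plan: Dict[str, List[str]] = {}
    for w in sorted({h.writer for h in hidden_writes(internal, external)}):
        steps = []
        if w in TRUSTED_OS_COMPONENTS:  # infected OS component: restore it
            steps.append("replace with trusted code for OS component")
        else:  # anything else: make the entity self-terminate
            steps.append("insert call to OS exit routine so entity self-terminates")
        if w in storage:  # a persisted copy also needs correcting
            steps.append("corrective action on stored copy")
        region = related_region(regions, locations.get(w, -1))  # -1: no known location
        if region:
            steps.append(f"corrective action on memory {region[0]:#x}-{region[1]:#x}")
        plan[w] = steps
    return plan
```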