Fixing computer files infected by virus and other malware
Abstract
The disclosed invention is a new method and apparatus for detecting and removing viruses from a computing device based on a web or network service. A virus is detected by transmitting the attributes and behavior of application modules on a computing device to another computing device via a web service, where they are analyzed. After the item has been classified, that information is sent back to the computing device along with instructions on how to remove the virus. Along with the remediation instructions, a clean copy of the file, or a network location of the clean copy, can be sent.
5 Claims
1. A method for creating list of infected, malicious, and unclassified software or modules or applications on a computing device for a purpose of obtaining a classification and remedial action on the applications, software or modules from a remote computing node, comprising steps of:
assigning a unique identifier to the computing device; listing items in file system, registry, and memory of the computing device; listing attributes of the listed items; computing a cryptographic hash of the listed items; matching the attributes of the listed items with a local black/white list database; applying a filter to reduce the listed items; storing the unique identifier and filtered items along with the attributes of the listed items; classifying the filtered items and storing the classified items in a graphical user interface or machine readable format and taking the remedial action on the classified items; transmitting the stored classified items and application files to the remote computing node; based on the classification of the classified items, placing a plurality of the application files of the computer system into a sandbox by intercepting API function calls using imported or exported function table patching and inline hooking of functions that restrict actions on the classified items while the application files are in the computing device until a cleanup task is completed; and placing the computing device in a restricted mode that limits modifications of the application files until the task of repairing infected application files of the computing device is completed.
2. A method for monitoring behavior of plurality of applications or modules in applications on a computing device that have not been classified based on attributes, comprising steps of:
injecting a module into a memory space of the applications; the injected module monitoring said applications' file system accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at application layer of the applications; the injected module monitoring said applications' network accesses by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer of the applications; the injected module monitoring said applications' executable content loading by intercepting API function calls via imported or exported functions table patching and inline hooking of functions at the application layer of the application; the injected module monitoring a memory access by the applications via inline hooks in API function call and application programming interface functions provided; and the injected module monitoring a registry access by the applications via inline hooks in API function call and application programming interface functions provided and observing the behavior of the applications over a time period; and the observed behavior of the applications over a time period is displayed in a graphical user interface or stored in a file.
3. A method for applying remedial action on applications on a computing device based on observed changes, comprising steps of:
listing items in a file system, registry, and memory of the computing device; listing attributes of the items and matching items with a black/white list database; observing behavior of the listed attributes of the items; classifying the listed attributes of the items based on the observed behavior of the listed attributes of the items; taking a remedial action based on the classification of the listed attributes of the items; creating a reference state by storing the observed behavior, listed attributes, behavior, classification, and remedial action for the items in a graphical user interface or machine readable format; periodically comparing the listed attributes of the items and the observed behavior of the listed attributes of the items with the behavior and listed attributes stated in the reference state to detect changes; the applications' binaries, the reference state of the listed attributes of the items, and a current state of the listed attributes of the items are transmitted to a remote computing node where a change analysis is performed on the reference state of the listed attributes of the items; the analyzed reference state is returned to the computing device along with clean copies of the applications to revert or fix observed changes; placing any unclassified or malicious items of the file system, registry, and memory of the computing device in a sandbox by intercepting API function calls, imported or exported functions table patching and inline hooking of functions that restricts actions of the unclassified or malicious items; and the unclassified or malicious items are replaced with a clean copy received from the remote computing node; and replacing all changed or infected items of the file system, registry and memory of the computing device with a clean copy stored locally or retrieved from the remote computing node.
4. A method for removing virus hidden inside applications and fixing infected files comprising steps of:
establishing a network connection to a remote computing node and receiving a list containing application names, attributes, classification, and remedial action to be performed; initiating a lock down mechanism to prevent unauthorized system and file modifications; scanning a file system, registry, and memory of a computer for any executable content; classifying items of the executable content; detecting a change in the items of the executable content; comparing the items with the received list; applying a remediation mechanism prescribed for the items in the received list; default action is applied to every detected item that is not listed in the received list; remedial action is to replace plurality of files of the executable content with a clean copy received or by downloading the clean copy from a specified network location; a network connection is made to the remote computing node to obtain classification of every new detected item that is not listed in the received list; unclassified or malicious applications from the received list are placed in a sandbox using intercepting API function calls, using imported or exported functions table patching and inline hooking of functions that restrict actions of the unclassified or malicious applications on the computer until an updated list, in part or entirety, is returned to the computer from the remote computing node; and clean copies or the network location of the clean copies of the plurality of the applications are received by the computer to replace the infected files of the executable content.
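The agent-side pipeline that claims 1, 3 and 4 describe (list items, record attributes, hash them, match against a local black/white list, filter, store a reference state keyed by the device identifier, and later diff the current state against it, with a default action for anything not on the list) is illustrated below. This is an added example, not the patent's own code or a vendor implementation: it walks a directory tree only (the registry and memory listings of the claims are omitted), the sample file contents, device identifier and hash lists are constructed for illustration, and the action names are placeholders for whatever remediation the remote node would prescribe.

```python
"""Inventory, hash, classify and diff executable content on a host.

Added example, not the patent's own code: it models claims 1, 3 and 4 on a
directory tree (registry and memory listings are left out). Sample file
contents, the device identifier and the black/white lists are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample tree: contents are placeholders, not real binaries.
SAMPLE_FILES = {
    "bin/good.exe": b"MZ good program",
    "bin/evil.exe": b"MZ dropper payload",
    "bin/unknown.exe": b"MZ something new",
    "data/notes.txt": b"not executable",
}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Local black/white lists keyed by content hash (constructed from the sample).
WHITE_LIST = {sha256_hex(SAMPLE_FILES["bin/good.exe"])}
BLACK_LIST = {sha256_hex(SAMPLE_FILES["bin/evil.exe"])}


def build_inventory(root: Path) -> dict:
    """Claim 1: list items with their attributes and a cryptographic hash."""
    items = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        items[path.relative_to(root).as_posix()] = {
            "size": len(data),
            "sha256": sha256_hex(data),
            "executable": path.suffix.lower() in EXECUTABLE_SUFFIXES,
        }
    return items


def classify(items: dict, white: set, black: set) -> dict:
    """Filter to executable content, match hashes against the local lists and
    attach a remedial action. Unknown items get the claim-4 default: sandboxed
    until the remote node returns a classification."""
    out = {}
    for name, attrs in items.items():
        if not attrs["executable"]:
            continue  # filter step: non-executable content is dropped
        if attrs["sha256"] in black:
            cls, action = "malicious", "replace_with_clean_copy"
        elif attrs["sha256"] in white:
            cls, action = "clean", "none"
        else:
            cls, action = "unclassified", "sandbox_until_classified"
        out[name] = {**attrs, "classification": cls, "action": action}
    return out


def reference_state(device_id: str, classified: dict) -> dict:
    """Claim 3: the stored reference state, keyed by the device identifier."""
    return {"device_id": device_id, "items": classified}


def to_machine_readable(state: dict) -> str:
    """Serialisation the agent would transmit to the remote computing node."""
    return json.dumps(state, sort_keys=True, indent=2)


def detect_changes(reference: dict, current: dict) -> dict:
    """Compare a current classified inventory against the reference state."""
    ref_items = reference["items"]
    both = set(ref_items) & set(current)
    return {
        "added": sorted(set(current) - set(ref_items)),
        "removed": sorted(set(ref_items) - set(current)),
        "modified": sorted(n for n in both
                           if ref_items[n]["sha256"] != current[n]["sha256"]),
    }


def write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> tuple:
    """Build the reference state, simulate an infection, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, SAMPLE_FILES)
        classified = classify(build_inventory(root), WHITE_LIST, BLACK_LIST)
        ref = reference_state("device-0001", classified)
        # Simulated infection: a white-listed file is tampered with and a new
        # module appears; both must surface on the next comparison.
        (root / "bin/good.exe").write_bytes(b"MZ good program + injected")
        (root / "bin/new.dll").write_bytes(b"MZ new module")
        current = classify(build_inventory(root), WHITE_LIST, BLACK_LIST)
        return ref, current, detect_changes(ref, current)


if __name__ == "__main__":
    reference, current_state, changes = demo()
    print(to_machine_readable(reference))
    print(json.dumps(changes))
```

Note that the tampered `bin/good.exe` is reported twice over: as `modified` relative to the reference state, and as `unclassified` in the current inventory, because its new hash no longer matches the white list. That is the behaviour the claims rely on: a hash-keyed list cannot vouch for a file after an in-place patch, so the item falls through to the sandbox-until-classified default rather than staying trusted.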
5. A method for enforcing lockdown state on computer for a purpose of removing virus, comprising steps of:
scanning a file system, registry, installed programs, and memory of the computer and creating a reference state; preventing modifications to sections of the registry or file system of the computer that may enable malware to start itself upon rebooting of the computer by intercepting application and kernel layer calls; prohibiting creation of any process not listed in a reference list by intercepting an API function call for creating new processes; prohibiting creation of network connections by any module not listed in the reference list by intercepting the API function call for creating new network connections; prohibiting loading into the memory of the computer, any module not listed in the reference list by intercepting the API function call for loading modules; prohibiting injection of a module into a memory space of any executing application by intercepting the API function call for loading modules via inline hooking; prohibiting creation or modification of the registry for starting programs and modification of executable files by intercepting the API function call for modifying the executable files and registry; checking any action during the lockdown state on the computer against a white list and allowing the action to take place if the action is found in the white list; disabling the lockdown state after a cleanup process has been completed.
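Claims 2 and 5 both rest on the same mechanism: an injected module intercepts the API calls an application makes (file, process, module and network APIs), either to log them over time or, in the lockdown state, to refuse any call that is not on the reference/white list. The example below is added here and is not the patent's own code. The claims hook imported or exported function tables and inline-patch native functions; the stand-in used here is Python monkeypatching of `builtins.open`, `subprocess.Popen` and `socket.create_connection`, which intercepts the same kinds of calls at the application layer of one process without touching native code. The `Interceptor` class, its `(api, target)` white-list format and the three-step "application" are constructed for illustration, and the local listening socket exists only so the network step runs offline.

```python
"""In-process interception of file, process and network APIs, with an
optional lockdown policy.

Added example, not the patent's own code. Monkeypatching stands in for the
import-table patching / inline hooking of the claims; the white list and the
simulated application are constructed for illustration.
"""
import builtins
import socket
import subprocess
import sys
import tempfile
from pathlib import Path


class Interceptor:
    """Records every intercepted call (claim 2). In lockdown mode it also
    denies any call whose (api, target) pair is not white-listed (claim 5)."""

    def __init__(self, lockdown: bool = False, white_list=()):
        self.lockdown = lockdown
        self.white_list = set(white_list)
        self.events = []
        self._orig = {}

    def _check(self, api: str, target: str) -> None:
        allowed = (not self.lockdown) or (api, target) in self.white_list
        self.events.append({"api": api, "target": target, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"lockdown: {api} {target} denied")

    def _hook_open(self, file, mode="r", *args, **kwargs):
        # Only writes can modify the system, so only they are policy-checked;
        # reads are still recorded for the behaviour log.
        if any(c in mode for c in "wax+"):
            self._check("file_write", str(file))
        else:
            self.events.append({"api": "file_read", "target": str(file), "allowed": True})
        return self._orig["open"](file, mode, *args, **kwargs)

    def _hook_popen(self, args, *a, **kw):
        exe = args[0] if isinstance(args, (list, tuple)) else args
        self._check("process_create", str(exe))
        return self._orig["popen"](args, *a, **kw)

    def _hook_connect(self, address, *a, **kw):
        self._check("network_connect", f"{address[0]}:{address[1]}")
        return self._orig["connect"](address, *a, **kw)

    def __enter__(self):
        self._orig = {"open": builtins.open, "popen": subprocess.Popen,
                      "connect": socket.create_connection}
        builtins.open = self._hook_open
        subprocess.Popen = self._hook_popen
        socket.create_connection = self._hook_connect
        return self

    def __exit__(self, *exc):
        # Unhook in every case, including when a denial propagated out.
        builtins.open = self._orig["open"]
        subprocess.Popen = self._orig["popen"]
        socket.create_connection = self._orig["connect"]
        return False


# A constructed "application" whose behaviour is observed: one write, one
# process creation, one outbound connection.
def app_write(workdir: Path) -> None:
    with open(workdir / "report.txt", "w") as fh:
        fh.write("hello")


def app_spawn() -> None:
    subprocess.run([sys.executable, "-c", "pass"], check=True)


def app_connect(address) -> None:
    with socket.create_connection(address, timeout=2):
        pass


def demo() -> dict:
    server = socket.socket()          # local listener so the demo stays offline
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    address = server.getsockname()
    results = {}
    try:
        with tempfile.TemporaryDirectory() as tmp:
            workdir = Path(tmp)
            # Monitoring mode: everything runs, every call is logged.
            with Interceptor() as monitor:
                app_write(workdir)
                app_spawn()
                app_connect(address)
            results["monitor"] = [e for e in monitor.events if e["api"] != "file_read"]
            # Lockdown: only the reference-listed interpreter may start; the
            # file write and the network connection are refused.
            policy = Interceptor(lockdown=True,
                                 white_list={("process_create", sys.executable)})
            outcome = {}
            with policy:
                for name, step in (("write", lambda: app_write(workdir)),
                                   ("spawn", app_spawn),
                                   ("connect", lambda: app_connect(address))):
                    try:
                        step()
                        outcome[name] = "allowed"
                    except PermissionError:
                        outcome[name] = "denied"
            results["lockdown"] = outcome
    finally:
        server.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats carry over to the native version the claims describe. Hooks placed at the application layer only see calls that go through the patched entry points, so code that resolves the syscall directly (or, here, `io.open` and `os.open` rather than `builtins.open`) bypasses them; claim 5 accordingly also intercepts kernel-layer calls for the autostart locations. And the hooks must be removed on every exit path, as `__exit__` does above, or the lockdown outlives the cleanup task it was meant to cover.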