System and method for below-operating system trapping and securing of interdriver communication
First Claim
1. A system for protecting an electronic device against malware, comprising:
- a memory;
- an operating system included in one or more operating systems configured to execute on the electronic device;
- a below-operating-system security agent configured to:
  - trap an attempted access by a first driver of the operating system of a second, different driver of the electronic device, the attempted access including the first driver calling a function of the second driver;
  - determine and evaluate an identity and security status of the first driver;
  - determine whether the attempted access includes an attempted direct access of a code section of the second driver by bypassing functions provided by a kernel module of the operating system, the functions for accessing the code section of the second driver;
  - access one or more security rules to:
    - determine whether the attempted access is indicative of malware based on a determination that the first driver called the function of the second driver;
    - determine that the attempted access is indicative of malware based upon a determination that a security status of the first driver is unknown;
    - determine whether the attempted access is indicative of malware based upon a determination that the second driver attempted to access the code section of the second driver by bypassing functions provided by a kernel module of the operating system for accessing the code section of the second driver; and
  - take corrective action based upon:
    - whether the first driver calling the function of the second driver is indicative of malware;
    - whether the identity of the first driver is unknown; and
    - whether the second driver attempted to access the code section of the second driver by bypassing functions provided by a kernel module of the operating system for accessing the code section of the second driver; and
  - operate at a level below all operating systems of the electronic device accessing the second driver.
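The decision logic of claim 1, modelled as an added example that is not part of the patent: one trapped inter-driver access is evaluated against constructed security rules (a caller/callee/function allow-list and a driver-status table, both assumptions of this example), and the three criteria of the claim (disallowed function call, unknown caller status, direct code-section access bypassing the kernel module) each contribute a reason and drive the corrective action.

```python
# Added example (not from the patent): a minimal rule evaluator modelling the
# decision logic of claim 1 for one trapped inter-driver access.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Status(Enum):
    TRUSTED = "trusted"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"          # identity or security status could not be determined

class Action(Enum):
    ALLOW = "allow"
    DENY = "deny"                # block this call and report it
    QUARANTINE = "quarantine"    # block this call and isolate the calling driver

@dataclass(frozen=True)
class TrappedAccess:
    """One access by a first driver of a second driver, as trapped below the OS (constructed model)."""
    caller: str                  # first driver
    callee: str                  # second driver
    function: Optional[str]      # callee function called through the kernel module, or None
    direct_code_access: bool     # callee code section touched without the kernel module's functions

# Constructed security rules: (caller, callee) -> callee functions the caller may invoke.
ALLOWED_CALLS = {
    ("example_net.sys", "example_disk.sys"): {"ExDiskWrite", "ExDiskRead"},
    ("example_fs.sys", "example_disk.sys"): {"ExDiskRead"},
}
# Constructed driver identity table (in practice, e.g. a signed-hash lookup).
DRIVER_STATUS = {"example_net.sys": Status.TRUSTED,
                 "example_fs.sys": Status.TRUSTED,
                 "rootkit.sys": Status.MALICIOUS}

def evaluate(access: TrappedAccess, rules=ALLOWED_CALLS, known=DRIVER_STATUS):
    """Return (Action, reasons) for one trapped access, applying the three criteria of claim 1."""
    reasons = []
    status = known.get(access.caller, Status.UNKNOWN)
    if status is Status.UNKNOWN:           # unknown identity is itself indicative of malware
        reasons.append("caller identity/security status unknown")
    elif status is Status.MALICIOUS:
        reasons.append("caller known malicious")
    if access.direct_code_access:          # bypassing the kernel module's accessor functions
        reasons.append("direct access to callee code section")
    if access.function is not None and \
            access.function not in rules.get((access.caller, access.callee), set()):
        reasons.append(f"call of {access.function} not permitted by rules")
    if not reasons:
        return Action.ALLOW, reasons
    if access.direct_code_access or status is Status.MALICIOUS:
        return Action.QUARANTINE, reasons
    return Action.DENY, reasons
```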
10 Assignments
0 Petitions
Abstract
In one embodiment, a system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access by a first driver of the operating system of a second driver of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the second driver.
116 Citations
28 Claims
1. (Independent claim; text reproduced in full under "First Claim" above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method for protecting an electronic device against malware, comprising:
- trapping an attempted access by a first driver of an operating system of a second, different driver of the electronic device, the attempted access including the first driver calling a function of the second driver;
- determining an identity and security status of the first driver;
- determining whether the attempted access includes an attempted direct access of a code section of the second driver by bypassing functions provided by a kernel module of the operating system, the functions for accessing the code section of the second driver;
- accessing one or more security rules;
- determining, based on the one or more security rules:
  - whether the attempted access, including the first driver calling the function of the second driver, is indicative of malware;
  - that the attempted access is indicative of malware based upon a determination that a security status of the first driver is unknown;
  - whether the attempted access is indicative of malware based upon a determination that the second driver attempted to access the code section of the second driver by bypassing functions provided by a kernel module of the operating system for accessing the code section of the second driver; and
- taking corrective action based upon:
  - whether the first driver calling the function of the second driver is indicative of malware;
  - whether the identity of the first driver is unknown; and
  - whether the second driver attempted to access the code section of the second driver by bypassing functions provided by a kernel module of the operating system for accessing the code section of the second driver;
- wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware are conducted at a level below all operating systems of the electronic device accessing the second driver.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19
20. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
- computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to:
  - trap an attempted access by a first driver of an operating system of a second driver of the electronic device, the attempted access including the first driver calling a function of the second driver, the electronic device including one or more operating systems;
  - determining an identity and security status of the first driver;
  - determining whether the attempted access includes an attempted direct access of a code section of the second driver by bypassing functions provided by a kernel module of the operating system, the functions for accessing the code section of the second driver;
  - access one or more security rules to determine whether the attempted access is indicative of malware;
  - determine, based on the one or more security rules, whether the first driver calling the function of the second driver is indicative of malware;
  - determine, based on the one or more security rules, that the attempted access is indicative of malware based upon a determination that a security status of the first driver is unknown;
  - determine, based on the one or more security rules, whether the attempted access is indicative of malware based upon a determination that the second driver attempted to access the code section of the second driver by bypassing functions provided by a kernel module of the operating system for accessing the code section of the second driver; and
  - take corrective action based upon:
    - whether the first driver calling the function of the second driver is indicative of malware;
    - whether the identity of the first driver is unknown; and
    - whether the second driver attempted to access the code section of the second driver by bypassing functions provided by a kernel module of the operating system for accessing the code section of the second driver;
- wherein the processor is configured to conduct the trapping of the attempted access and determining whether the attempted access is indicative of malware at a level below all operating systems of the electronic device accessing the second driver.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28
Specification