System and method for below-operating system trapping of driver loading and unloading

US 8,966,629 B2
Filed: 03/31/2011
Issued: 02/24/2015
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system for protecting an electronic device against malware, comprising:

a hardware processor;

a memory communicatively coupled to the processor;

an operating system to load and unload a driver in the operating system;

a trapping agent comprising instructions in the memory for execution by the processor and configured to trap an attempted access of one or more resources of the operating system, the attempted access comprising an attempted loading or unloading of the driver in the operating system, wherein the attempted access is trapped by trapping the execution of a memory page containing code for a system function for loading or unloading the driver; and

a triggered-event handler comprising instructions in the memory for execution by the processor;

wherein;

the trapping agent is further to send information about the trapped attempt, including the loading or unloading of the driver, to the triggered-event handler;

the triggered-event handler to;

access one or more security rules based on the information;

evaluate the attempted loading or unloading of the driver in view of the security rules; and

send an evaluation to the trapping-agent; and

the trapping agent is further configured to;

take corrective action when the evaluation includes that attempted loading or unloading of the driver is indicative of malware; and

allow the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe; and

the trapping agent and the triggered-event handler are further to operate at a level below all operating systems of the electronic device accessing the one or more resources, including running on a processor of the system without use of an operating system.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of one or more resources of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, operate at a level below all of the operating systems of the electronic device accessing the one or more resources. The attempted access includes an attempted loading or unloading of a driver in the operating system.

130 Citations

23 Claims

1. A system for protecting an electronic device against malware, comprising:
- a hardware processor;
  
  a memory communicatively coupled to the processor;
  
  an operating system to load and unload a driver in the operating system;
  
  a trapping agent comprising instructions in the memory for execution by the processor and configured to trap an attempted access of one or more resources of the operating system, the attempted access comprising an attempted loading or unloading of the driver in the operating system, wherein the attempted access is trapped by trapping the execution of a memory page containing code for a system function for loading or unloading the driver; and
  
  a triggered-event handler comprising instructions in the memory for execution by the processor;
  
  wherein;
  
  the trapping agent is further to send information about the trapped attempt, including the loading or unloading of the driver, to the triggered-event handler;
  
  the triggered-event handler to;
  
  access one or more security rules based on the information;
  
  evaluate the attempted loading or unloading of the driver in view of the security rules; and
  
  send an evaluation to the trapping-agent; and
  
  the trapping agent is further configured to;
  
  take corrective action when the evaluation includes that attempted loading or unloading of the driver is indicative of malware; and
  
  allow the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe; and
  
  the trapping agent and the triggered-event handler are further to operate at a level below all operating systems of the electronic device accessing the one or more resources, including running on a processor of the system without use of an operating system.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the trapping agent is further to trap an attempted execution of a subfunction of the system function for loading or unloading the driver, the system function provided by the operating system.
  - 3. The system of claim 1, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an identity of the driver to be loaded.
  - 4. The system of claim 1, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an entity that attempted to load or unload the driver.

5. A system for protecting an electronic device against malware, comprising:
- a hardware processor;
  
  a memory communicatively coupled to the processor;
  
  an operating system to load and unload a driver in the operating system;
  
  a trapping agent comprising instructions in the memory for execution by the processor and configured to trap an attempted access of one or more resources of the operating system, the attempted access comprising an attempted loading or unloading of the driver in the operating system, wherein the attempted access is trapped by trapping the execution of a physical memory address containing code for a system function for loading or unloading the driver; and
  
  a triggered-event handler comprising instructions in the memory for execution by the processor;
  
  wherein;
  
  the trapping agent is further to send information about the trapped attempt, including the loading or unloading of the driver, to the triggered-event handler;
  
  the triggered-event handler to;
  
  access one or more security rules based on the information;
  
  evaluate the attempted loading or unloading of the driver in view of the security rules; and
  
  send an evaluation to the trapping-agent; and
  
  the trapping agent is further configured to;
  
  take corrective action when the evaluation includes that attempted loading or unloading of the driver is indicative of malware; and
  
  allow the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe; and
  
  the trapping agent and the triggered-event handler are further to operate at a level below all operating systems of the electronic device, including accessing a processor of the system without use of an operating system.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, wherein the trapping agent is further to trap an attempted execution of a subfunction of the system function for loading or unloading the driver, the system function provided by the operating system.
  - 7. The system of claim 5, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an identity of the driver to be loaded.
  - 8. The system of claim 5, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an entity that attempted to load or unload the driver.

9. A method for protecting an electronic device against malware, comprising:
- trapping an attempted access of one or more resources of an operating system, the operating system to load and unload a driver, wherein;
  
  the attempted access includes an attempted loading or unloading of the driver in the operating system; and
  
  the attempted access is trapped by trapping the execution of a memory page containing code for a system function for loading or unloading the driver;
  
  accessing one or more security rules based on the attempted access;
  
  evaluating the attempted loading or unloading of the driver in view of the security rules;
  
  taking corrective action when the evaluation includes that attempted loading or unloading of the driver is indicative of malware; and
  
  allowing the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe;
  
  wherein the trapping of the attempted access and evaluating the attempted loading or unloading of the driver are conducted at a level below all operating systems of the electronic device, including accessing a processor of the electronic device without use of an operating system.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the trapping the attempted access further includes trapping an attempted execution of a subfunction of the system function for loading or unloading the driver, the system function provided by the operating system.
  - 11. The method of claim 9, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an identity of the driver to be loaded.
  - 12. The method of claim 9, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an entity that attempted to load or unload the driver.

13. A method for protecting an electronic device against malware, comprising:
- trapping an attempted access of one or more resources of an operating system, the operating system to load and unload a driver, wherein;
  
  the attempted access includes an attempted loading or unloading of the driver in the operating system; and
  
  the attempted access is trapped by trapping the execution of a physical memory address containing code for a system function for loading or unloading the driver;
  
  accessing one or more security rules based on the attempted access;
  
  evaluating the attempted loading or unloading of the driver in view of the security rules;
  
  taking corrective action when the evaluation includes that attempted loading or unloading of the driver is indicative of malware; and
  
  allowing the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe;
  
  wherein the trapping of the attempted access and evaluating the attempted loading or unloading of the driver are conducted at a level below all operating systems of the electronic device, including accessing a processor of the electronic device without use of an operating system.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the trapping the attempted access further includes trapping an attempted execution of a subfunction of the system function for loading or unloading the driver, the system function provided by the operating system.
  - 15. The method of claim 13, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an identity of the driver to be loaded.
  - 16. The method of claim 13, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an entity that attempted to load or unload the driver.

17. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
  
  computer-executable instructions embodied on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  trap an attempted access of one or more resources of an operating system, the operating system to load and unload a driver, wherein;
  
  the attempted access includes an attempted loading or unloading of the driver in the operating system; and
  
  the attempted access is trapped by trapping the execution of a memory page containing code for a system function for loading or unloading the driver;
  
  access one or more security rules based on the attempted access;
  
  evaluate the attempted loading or unloading of the driver in view of the security rules;
  
  take corrective action when the evaluation includes that attempted loading or unloading of the driver is indicative of malware; and
  
  allow the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe;
  
  wherein the trapping of the attempted access and evaluating the attempted loading or unloading of the driver are conducted at a level below all operating systems of an electronic device, including accessing a processor of the electronic device without use of an operating system.
- View Dependent Claims (18, 19, 20)
- - 18. The article of manufacture of claim 17, wherein the trapping the attempted access further includes trapping an attempted execution of a subfunction of the system function for loading or unloading the driver, the system function provided by the operating system.
  - 19. The article of manufacture of claim 17, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an identity of the driver to be loaded.
  - 20. The article of manufacture of claim 17, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an entity that attempted to load or unload the driver.

21. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
  
  computer-executable instructions embodied on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  trap an attempted access of one or more resources of an operating system, the operating system to load and unload a driver, wherein;
  
  the attempted access includes an attempted loading or unloading of the driver in the operating system; and
  
  the attempted access is trapped by trapping the execution of a physical memory address containing code for a system function for loading or unloading the driver;
  
  access one or more security rules based on the attempted access;
  
  evaluate the attempted loading or unloading of the driver in view of the security rules;
  
  take corrective action when the evaluation includes that attempted loading or unloading of the driver is indicative of malware; and
  
  allow the attempted loading or unloading of the driver when the evaluation includes that the attempted loading or unloading of the driver is safe;
  
  wherein the trapping of the attempted access and evaluating the attempted loading or unloading of the driver are conducted at a level below all operating systems of an electronic device, including accessing a processor of the electronic device without use of an operating system.
- View Dependent Claims (22, 23)
- - 22. The article of manufacture of claim 21 wherein the trapping the attempted access further includes trapping an attempted execution of a subfunction of the system function for loading or unloading the driver, the system function provided by the operating system.
  - 23. The article of manufacture of claim 21, wherein evaluating the attempted loading or unloading of the driver in view of the security rules comprises determining and evaluating an identity of the driver to be loaded.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
Holder, Bradley
Assistant Examiner(s)
Faramarzi, Gita

Application Number

US13/076,512
Publication Number

US 20120255002A1
Time in Patent Office

1,426 Days
Field of Search

726/23, 726/24, 726/25
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

System and method for below-operating system trapping of driver loading and unloading

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

130 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for below-operating system trapping of driver loading and unloading

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links