Preventing and responding to disabling of malware protection software

US 9,015,829 B2
Filed: 10/20/2009
Issued: 04/21/2015
Est. Priority Date: 10/20/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

installing a particular code hook on a computing system, wherein the computing system comprises an operating system providing an execution environment and the computing system further comprises one or more programs to execute in the execution environment, the one or more programs include a malware protection program, and the particular code hook is installed using the malware protection program and is configured to intercept application programming interface (API) calls to the operating system;

detecting that a particular one of the calls, intercepted by the particular code hook, comprises an attempt to disable the malware protection program;

identifying, using a first computer, a first process that generated the attempt to disable the malware protection program, wherein identifying the first process includes collecting identification data describing characteristics of the first process;

preventing the first process from disabling the malware protection program, wherein the preventing includes blocking the attempt to disable the malware protection program; and

determining, in response to blocking the attempt to disable the malware protection program, whether the first process is an approved process based at least in part on the collected identification data;

wherein determining that the first process is an approved process causes a user prompt to be presented to provide a user an option to terminate the first process and determining that the first process is not an approved process causes one or more malware protection processes to be performed on the first process.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for responding to an attempt to disable a malware protection program and performing an identification process and one or more protection processes to prevent the execution of potentially malicious code. In one aspect, a method includes monitoring for attempts to disable a malware protection program, identifying a process that generated an attempt to disable the malware protection program, determining whether the process is an approved process, and in response, performing one or more protection processes on the process so as to prevent the execution of potentially malicious code.

15 Citations

View as Search Results

18 Claims

1. A computer-implemented method, comprising:
- installing a particular code hook on a computing system, wherein the computing system comprises an operating system providing an execution environment and the computing system further comprises one or more programs to execute in the execution environment, the one or more programs include a malware protection program, and the particular code hook is installed using the malware protection program and is configured to intercept application programming interface (API) calls to the operating system;
  
  detecting that a particular one of the calls, intercepted by the particular code hook, comprises an attempt to disable the malware protection program;
  
  identifying, using a first computer, a first process that generated the attempt to disable the malware protection program, wherein identifying the first process includes collecting identification data describing characteristics of the first process;
  
  preventing the first process from disabling the malware protection program, wherein the preventing includes blocking the attempt to disable the malware protection program; and
  
  determining, in response to blocking the attempt to disable the malware protection program, whether the first process is an approved process based at least in part on the collected identification data;
  
  wherein determining that the first process is an approved process causes a user prompt to be presented to provide a user an option to terminate the first process and determining that the first process is not an approved process causes one or more malware protection processes to be performed on the first process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein monitoring for attempts to disable the malware protection program comprises monitoring for one or more of the following:
    - an attempt to stop a service of the malware protection program;
      
      an attempt to terminate a process of the malware protection program;
      
      an attempt to delete one or more files for the malware protection program;
      
      an attempt to delete one or more registry entries for the malware protection program; and
      
      an attempt to prevent an update for the malware protection program.
  - 3. The computer-implemented method of claim 1, wherein determining whether the first process is an approved process comprises:
    - generating data descriptive of the first process based at least in part on the identification data;
      
      sending the data descriptive of the first process to a second computer;
      
      receiving data indicative of whether the first process is an approved process from the second computer; and
      
      determining whether the first process is an approved process based at least in part on the data received from the second computer.
  - 4. The computer-implemented method of claim 3, wherein data descriptive of the first process comprises a signature of the first process.
  - 5. The computer-implemented method of claim 1, wherein determining whether the first process is an approved process comprises:
    - generating data descriptive of the first process based at least in part on the identification data;
      
      comparing the data descriptive of the first process with data descriptive of approved processes;
      
      determining whether the first process is an approved process.
  - 6. The computer-implemented method of claim 5, wherein data descriptive of the first process comprises a signature of the first process.
  - 7. The computer-implemented method of claim 1, wherein the one or more malware protection processes comprise one or more of the following:
    - terminating the first process;
      
      deleting one or more files associated with the first process;
      
      renaming one or more files associated with the first process;
      
      quarantining one or more files associated with the first process; and
      
      sending one or more files associated with the first process to a second computer for analysis.
  - 8. The computer-implemented method of claim 7, wherein performing one or more malware protection processes on the first process further comprises:
    - providing a user prompt to perform the one or more malware protection processes;
      
      receiving one or more selections of the one or more malware protection processes; and
      
      performing the one or more selected malware protection processes.
  - 9. The computer-implemented method of claim 1, wherein the steps of monitoring, identifying, preventing, determining, providing, and performing are performed by the malware protection program.

10. A non-transitory computer storage medium encoded with a computer program, the program comprising instructions that when executed by a data processing apparatus cause the data processing apparatus to:
- install a particular code hook on a computing system, wherein the computing system comprises an operating system providing an execution environment and the computing system further comprises one or more programs to execute in the execution environment, the one or more programs include a malware protection program, and the particular code hook is installed using the malware protection program and is configured to intercept application programming interface (API) calls to the operating system;
  
  detect that a particular one of the calls, intercepted by the particular code hook, comprises an attempt to disable the malware protection program;
  
  identify, using a first computer, a first process that generated the attempt to disable the malware protection program, wherein identifying the first process includes collecting identification data describing characteristics of the first process;
  
  prevent the first process from disabling the malware protection program, wherein the preventing includes blocking the attempt to disable the malware protection program; and
  
  determine, in response to blocking the attempt to disable the malware protection program, whether the first process is an approved process based at least in part on the collected identification data;
  
  wherein determining that the first process is an approved process causes a user prompt to be presented to provide a user an option to terminate the first process and determining that the first process is not an approved process causes one or more malware protection processes to be performed on the first process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer storage medium of claim 10, comprising further instructions that, when executed, cause the data processing apparatus to monitor for one or more of the following:
    - an attempt to stop a service of the malware protection program;
      
      an attempt to terminate a process of the malware protection program;
      
      an attempt to delete one or more files for the malware protection program;
      
      an attempt to delete one or more registry entries for the malware protection program; and
      
      an attempt to prevent an update for the malware protection program.
  - 12. The computer storage medium of claim 10, comprising further instructions that, when executed, cause the data processing apparatus to:
    - generate data descriptive of the first process based at least in part on the identification data;
      
      send the data descriptive of the first process to a second computer;
      
      receive data indicative of whether the first process is an approved process from the second computer; and
      
      determine whether the first process is an approved process based at least in part on the data received from the second computer.
  - 13. The computer storage medium of claim 12, wherein data descriptive of the first process comprises a signature of the first process.
  - 14. The computer storage medium of claim 13, wherein data descriptive of the first process comprises a signature of the first process.
  - 15. The computer storage medium of claim 10, comprising further instructions that, when executed, cause the data processing apparatus to:
    - generate data descriptive of the first process based at least in part on the identification data;
      
      compare the data descriptive of the first process with data descriptive of approved processes; and
      
      determine whether the first process is an approved process.
  - 16. The computer storage medium of claim 10, wherein the one or more malware protection processes comprise one or more of the following:
    - terminating the first process;
      
      deleting one or more files associated with the first process;
      
      renaming one or more files associated with the first process;
      
      quarantining one or more files associated with the first process; and
      
      sending one or more files associated with the first process to a second computer for analysis.
  - 17. The computer storage medium of claim 16, comprising further instructions that, when executed, cause the data processing apparatus to:
    - provide a user prompt to perform the one or more malware protection processes;
      
      receive one or more selections of the one or more malware protection processes; and
      
      perform the one or more selected malware protection processes.

18. A system comprising:
- at least one data processing device;
  
  at least one memory element;
  
  an operating system to provide an execution environment; and
  
  a plurality of programs to execute within the execution environment, wherein the plurality of programs comprise a malware protection program to;
  
  install software hooks within the system, wherein the hooks are each configured to intercept application programming interface (API) calls to the operating system;
  
  detect malware affecting other programs in the plurality of programs;
  
  determine that a particular API call intercepted by one of the hooks comprises an attempt to disable the malware protection program;
  
  identify a particular process that generated the particular intercepted call, wherein identifying the particular process includes collecting identification data describing characteristics of the particular process;
  
  prevent the particular process from disabling the malware protection program by at least blocking the attempt to disable the malware protection program; and
  
  determine, in response to blocking the attempt to disable the malware protection program, whether the particular process is an approved process based at least in part on the collected identification data, wherein determining that the particular process is an approved process causes a user prompt to be presented to provide a user an option to terminate the particular process and determining that the first process is not an approved process causes one or more malware protection processes to be performed on the particular process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ramchetty, Harinath Vishwanath, Kishore, Nandi Dharma, Ramabhatta, Anil Bhadrarajapura
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
POTRATZ, DANIEL B

Application Number

US12/582,260
Publication Number

US 20110093953A1
Time in Patent Office

2,009 Days
Field of Search

726/22, 726/24, 726/26, 713/193, 713/194
US Class Current

726/22
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/629   to features or functions of...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2147   Locking files

H04L 63/12   Applying verification of th...

Preventing and responding to disabling of malware protection software

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Preventing and responding to disabling of malware protection software

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others