Rollback feature

US 9,032,523 B2
Filed: 09/16/2013
Issued: 05/12/2015
Est. Priority Date: 11/03/2009
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

determine that a file stored in a first portion of a computer memory of a computer is a malicious file;

store a duplicate of the file in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory;

perform one or more protection processes on the file;

determine that the determination that the file is a malicious file is a false positive; and

restore the file, during a boot sequence, to a state prior to the one or more protection processes being performed on the file, wherein the computer is to be booted with the restored file.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file.

Citations

22 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- determine that a file stored in a first portion of a computer memory of a computer is a malicious file;
  
  store a duplicate of the file in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory;
  
  perform one or more protection processes on the file;
  
  determine that the determination that the file is a malicious file is a false positive; and
  
  restore the file, during a boot sequence, to a state prior to the one or more protection processes being performed on the file, wherein the computer is to be booted with the restored file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The storage medium of claim 1, wherein the file is to be restored by a pre-boot rollback process executing on the computer during the boot sequence.
  - 3. The storage medium of claim 2, wherein the determination that the file is a malicious file is a false positive is determined during the pre-boot rollback process.
  - 4. The storage medium of claim 1, wherein the instructions, when executed, are further to identify received false positive data, and determining that the determination that the file is a malicious file is a false positive is based on the false positive data.
  - 5. The storage medium of claim 4, wherein the false positive data is received based on inputs of a user.
  - 6. The storage medium of claim 5, wherein the inputs of the user comprise inputs received through a selection menu presented to the user during a pre-boot rollback process, wherein the selection menu includes an identification that the file is stored in the quarantine area and further includes a selection option to restore the file, the pre-boot rollback process is initiated in association with an interruption of a boot process, and the false positive data is based on selection by the user of the selection option.
  - 7. The storage medium of claim 4, wherein the false positive data is received from a rollback server.
  - 8. The storage medium of claim 7, wherein the false positive data comprises signatures of files identified as corresponding to false positive determinations of malware.
  - 9. The storage medium of claim 8, wherein determining that the determination that the file is a malicious file is a false positive is based at least in part on determining that a signature of the file substantially matches at least one of the signatures of files included in the false positive data.
  - 10. The storage medium of claim 1, wherein the one or more protection processes include deleting the file from the first portion of the computer memory.
  - 11. The storage medium of claim 1, wherein the one or more protection processes include modifying contents of the file.
  - 12. The storage medium of claim 11, wherein restoring the file comprises:
    - deleting the modified file from the first portion of computer memory; and
      
      moving the file from the quarantine area to the first portion of computer memory.

13. A method comprising:
- determining that a file stored in a first portion of a computer memory of a computer is a malicious file;
  
  storing a duplicate of the file in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory;
  
  performing one or more protection processes on the file;
  
  determining that the determination that the file is a malicious file is a false positive; and
  
  restoring the file, during a boot sequence, to a state prior to the one or more protection processes being performed on the file, wherein the computer is to be booted with the restored file.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein files determined to be malicious are not to be restored when the determination that the files are malicious are determined not to be false positives.
  - 15. The method of claim 13, wherein the file is to be restored by a pre-boot rollback process executing on the computer during the boot sequence.
  - 16. The method of claim 15, wherein the determination that the file is a malicious file is a false positive is determined during the pre-boot rollback process.
  - 17. The method of claim 13, further comprising providing false positive data indicating that the file is not a malicious file, wherein the false positive data is for use by a malware protection program and the false positive data is to cause the malware protection program to determine that the file is not a malicious file.

18. A system, comprising:
- one or more processor devices;
  
  memory comprising a first memory component and a second memory component, wherein the first memory component is logically separate from the second memory component and the second memory component comprises a quarantine area;
  
  a malware protection program executable by at least one of the processors to;
  
  identify a malicious file stored in the first memory component; and
  
  perform a protection process on the malicious file; and
  
  rollback logic executable by at least one of the processors to;
  
  cause a copy of the malicious file identified by the malware protection program to be stored in the quarantine area;
  
  determine that a false positive determination has occurred relating to the identification of the malicious file; and
  
  restore the copy of the malicious file from the quarantine area to the first part of the memory component during a boot sequence.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The system of claim 18, further comprising a server interface which receives false positive data from a rollback server, the false positive data indicating false positive detections.
  - 20. The system of claim 18, further comprising a user server interface which receives false positive data from a user, the false positive data indicating false positive detections.
  - 21. The system of claim 18, wherein the first memory component comprises a first portion of a hard drive and the second memory component comprises a second portion of the hard drive.
  - 22. The system of claim 18, wherein the second memory component comprises a protected storage area of memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Singh, Prabhat Kumar, Jyoti, Nitin, Srinivasa, Gangadharasa
Primary Examiner(s)
McNally, Michael S.

Application Number

US14/027,895
Publication Number

US 20140026218A1
Time in Patent Office

603 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 11/1417   Boot up procedures

G06F 11/1446   Point-in-time backing up or...

G06F 11/1451   by selection of backup cont...

G06F 16/152   using file content signatur...

G06F 16/162   Delete operations erasing i...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/568   eliminating virus, restorin...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/10   in which an application is ...

Rollback feature

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Rollback feature

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links