System and method for below-operating system trapping of driver filter attachment
Abstract
A system for protecting an electronic system against malware includes an operating system configured to execute on the electronic system, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic system to access the one or more resources for changing filters of the driver.
160 Citations
42 Claims
1. A system for protecting against malware, comprising:
a hardware processor;
a memory communicatively coupled to the hardware processor;
a below-operating-system security agent including instructions in the memory to be executed by the hardware processor and configured to:
identify one or more resources for changing filters of a driver;
trap an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver;
access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes:
determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
determining whether an entity making the attempt is authorized to execute the function;
determining whether the subfunction was executed without executing the function; and
operate at a level below all of the one or more operating systems to access the one or more resources for changing filters of the driver.
Dependent claims: 2-10.
11. A method for protecting against malware, comprising:
identifying one or more resources for changing a filter of a driver;
trapping an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
accessing one or more security rules to determine whether the attempted access is indicative of malware, including:
determining that the attempted access included the execution of the subfunction of the function for attaching or detaching the filter to the driver;
determining whether an entity making the attempt is authorized to execute the function; and
determining whether the subfunction was executed without executing the function;
wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware is conducted at a level below all of the one or more operating systems to access the one or more resources for changing the filter.
Dependent claims: 12-20.
21. An article of manufacture, comprising:
a non-transitory computer readable medium; and
computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to:
identify one or more resources for changing a filter of a driver;
trap an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes:
determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
determining whether an entity making the attempt is authorized to execute the function; and
determining whether the subfunction was executed without executing the function;
wherein the instructions cause the processor to trap the attempted access and determine whether the attempted access is indicative of malware at a level below all of the one or more operating systems to access the one or more resources for changing the filter.
Dependent claims: 22-30.
31. A system for protecting against malware, comprising:
a hardware processor;
a memory communicatively coupled to the processor;
a below-operating-system security agent including instructions in the memory to be executed by the hardware processor and configured to:
identify one or more resources for changing filters of a driver;
detect an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver;
access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes:
evaluating whether the execution of the subfunction of the function for attaching or detaching the filter to the driver is indicative of malware;
determining whether an entity making the attempt is authorized to execute the function; and
determining whether the subfunction was executed without executing the function; and
operate at a higher priority than all of the one or more operating systems to access the one or more resources for changing filters of the driver.
Dependent claims: 32-34.
35. A method for protecting against malware, comprising:
identifying one or more resources for changing a filter of a driver;
detecting an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
accessing one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes:
determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
determining whether an entity making the attempt is authorized to execute the function; and
determining whether the subfunction was executed without executing the function;
wherein detecting the attempted access and determining whether the attempted access is indicative of malware is conducted at a bare metal layer lower than all of the one or more operating systems to access the one or more resources for changing the filter.
Dependent claims: 36-38.
39. An article of manufacture, comprising:
a non-transitory computer readable medium; and
computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to:
identify one or more resources for changing a filter of a driver;
detect an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes:
determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
determining whether an entity making the attempt is authorized to execute the function; and
determining whether the subfunction was executed without executing the function;
wherein the instructions cause the processor to detect the attempted access and determine whether the attempted access is indicative of malware at a level below all of the one or more operating systems to access the one or more resources for changing the filter.
Dependent claims: 40-42.
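The independent claims above all turn on the same three determinations once a trap fires: the access executed a subfunction of the filter attach/detach function, the entity is (or is not) authorized to execute that function, and the subfunction was (or was not) reached without executing the function. The following is an added example of that rule evaluation in Python; it is not code from the patent or from any vendor's below-operating-system agent. The hypervisor-level trap itself cannot be reproduced in a userland snippet, so the model starts at the point where the trap has already fired on a subfunction's entry point and the agent has its view of the guest call stack. The routine names (`attach_filter`, `attach_filter_internal`, and so on), the module names, and the sample trap events are all constructed for the example.

```python
"""
Rule evaluation for trapped accesses to a driver's filter-changing resources.
Added example; all routine names, module names and trap events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    NOT_FILTER_SUBFUNCTION = "no rule applies: not a filter-change subfunction"
    UNAUTHORIZED_ENTITY = "malware: entity not authorized to change this driver's filters"
    BYPASSED_FUNCTION = "malware: subfunction executed without its public function"


@dataclass(frozen=True)
class TrapEvent:
    """One trapped access, as the below-OS agent would reconstruct it."""
    entity: str                 # guest module the trapped instruction belongs to
    executed: str               # routine whose entry point the trap fired on
    call_path: tuple[str, ...]  # guest call stack, outermost caller first, ending with `executed`

    def __post_init__(self) -> None:
        if not self.call_path or self.call_path[-1] != self.executed:
            raise ValueError("call_path must end with the trapped routine")


@dataclass
class SecurityRules:
    subfunctions: dict[str, str]            # public function -> internal subfunction
    authorized: dict[str, frozenset[str]]   # public function -> entities allowed to call it

    def parent_of(self, subfunction: str) -> str | None:
        """Return the public function a tracked subfunction belongs to, else None."""
        for function, sub in self.subfunctions.items():
            if sub == subfunction:
                return function
        return None


def evaluate(event: TrapEvent, rules: SecurityRules) -> Verdict:
    """Apply the three determinations the claims list, in order."""
    # 1. Did the attempted access include executing a filter-change subfunction?
    function = rules.parent_of(event.executed)
    if function is None:
        return Verdict.NOT_FILTER_SUBFUNCTION
    # 2. Is the entity authorized to execute the public function at all?
    if event.entity not in rules.authorized.get(function, frozenset()):
        return Verdict.UNAUTHORIZED_ENTITY
    # 3. Was the subfunction executed without executing the public function?
    #    The public function must be the *direct* caller. A frame further up the
    #    stack is not enough: code reaching the subfunction through a patched thunk
    #    or a stolen pointer skips whatever validation the public function does.
    if len(event.call_path) < 2 or event.call_path[-2] != function:
        return Verdict.BYPASSED_FUNCTION
    return Verdict.ALLOW


# Constructed rules: two public filter functions, each with one internal subfunction.
RULES = SecurityRules(
    subfunctions={"attach_filter": "attach_filter_internal",
                  "detach_filter": "detach_filter_internal"},
    authorized={"attach_filter": frozenset({"av_filter.sys", "backup_filter.sys"}),
                "detach_filter": frozenset({"av_filter.sys", "backup_filter.sys"})},
)

# Constructed trap events (not real captures).
SAMPLE_EVENTS = [
    # Authorized driver attaches through the public function: allowed.
    TrapEvent("av_filter.sys", "attach_filter_internal",
              ("av_filter.sys!DriverEntry", "attach_filter", "attach_filter_internal")),
    # Unknown driver attaches, even though it used the public function: unauthorized.
    TrapEvent("dropper.sys", "attach_filter_internal",
              ("dropper.sys!DriverEntry", "attach_filter", "attach_filter_internal")),
    # Code running under an authorized module's identity jumps straight to the
    # detach subfunction, skipping the public function: bypass.
    TrapEvent("av_filter.sys", "detach_filter_internal",
              ("av_filter.sys!unload", "detach_filter_internal")),
    # Public function is on the stack but a patched thunk is the direct caller: bypass.
    TrapEvent("backup_filter.sys", "attach_filter_internal",
              ("backup_filter.sys!DriverEntry", "attach_filter", "patched_thunk",
               "attach_filter_internal")),
    # Trap on a routine that is not a filter subfunction: no filter rule applies.
    TrapEvent("av_filter.sys", "read_config", ("av_filter.sys!DriverEntry", "read_config")),
]


def evaluate_all(events: list[TrapEvent], rules: SecurityRules) -> list[tuple[str, str, Verdict]]:
    """Run every trapped event through the rules and pair it with its verdict."""
    return [(e.entity, e.executed, evaluate(e, rules)) for e in events]


if __name__ == "__main__":
    for entity, routine, verdict in evaluate_all(SAMPLE_EVENTS, RULES):
        print(f"{entity:<20} {routine:<24} {verdict.value}")
```

The direct-caller check in step 3 is the part practitioners tend to get wrong: testing only whether the public function appears anywhere on the stack lets an attacker satisfy the rule by calling the subfunction from a hook planted inside the public function's own call tree. The whole evaluation also rests on the agent attributing the trapped instruction to the right guest module (the `entity` field); that attribution comes from the below-OS agent's own view of guest memory, not from anything the guest reports, and is an assumption of this model rather than something the example verifies.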