System and method for below-operating system trapping of driver filter attachment

US 9,032,525 B2
Filed: 03/29/2011
Issued: 05/12/2015
Est. Priority Date: 03/29/2011
Status: Active Grant

First Claim

Patent Images

1. A system for protecting against malware, comprising:

a hardware processor;

a memory communicatively coupled the hardware processor;

a below-operating-system security agent including instructions in the memory to be executed by the hardware processor and configured to;

identify one or more resources for changing filters of a driver;

trap an attempted access of the one or more resources, the attempted access to originate from the one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver;

access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes;

determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;

determining whether an entity making the attempt is authorized to execute the function;

determining whether the subfunction was executed without executing the function; and

operate at a level below all of the one or more operating systems to access the one or more resources for changing filters of the driver.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting an electronic system against malware includes an operating system configured to execute on the electronic device, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic system accessing the one or more resources for changing filters of the driver.

160 Citations

42 Claims

1. A system for protecting against malware, comprising:
- a hardware processor;
  
  a memory communicatively coupled the hardware processor;
  
  a below-operating-system security agent including instructions in the memory to be executed by the hardware processor and configured to;
  
  identify one or more resources for changing filters of a driver;
  
  trap an attempted access of the one or more resources, the attempted access to originate from the one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver;
  
  access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes;
  
  determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
  
  determining whether an entity making the attempt is authorized to execute the function;
  
  determining whether the subfunction was executed without executing the function; and
  
  operate at a level below all of the one or more operating systems to access the one or more resources for changing filters of the driver.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein determining whether the attempted access is indicative of malware comprises:
    - determining an entity that made the attempt; and
      
      determining whether the entity was authorized to make the attempt.
  - 3. The system of claim 2, wherein determining whether the entity was authorized to make the attempt comprises determining whether the entity is digitally signed.
  - 4. The system of claim 2, wherein determining whether the entity was authorized to make the attempt comprises determining whether the entity is the owner of a device coupled to the driver.
  - 5. The system of claim 1, wherein the resources are identified by pages of virtual memory containing the resources.
  - 6. The system of claim 1, wherein the resources are identified by addresses of physical memory containing the resources.
  - 7. The system of claim 1, wherein the attempted access includes an execution of a function for attaching or detaching a filter to the driver.
  - 8. The system of claim 1, wherein the attempted access includes an attempted change to permissions for a data structure of the driver.
  - 9. The system of claim 1, wherein the attempted access includes an attempted access of a data structure of the driver.
  - 10. The system of claim 1, wherein determining whether the attempted access is indicative of malware comprises considering whether the attempted access was a read, write or execute request.

11. A method for protecting against malware, comprising:
- identifying one or more resources for changing a filter of a driver;
  
  trapping an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
  
  accessing one or more security rules to determine whether the attempted access is indicative of malware, including;
  
  determining that the attempted access included the execution of the subfunction of the function for attaching or detaching the filter to the driver;
  
  determining whether an entity making the attempt is authorized to execute the function; and
  
  determining whether the subfunction was executed without executing the function;
  
  wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware is conducted at a level below all of the one or more operating systems to access the one or more resources for changing the filter.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein determining whether the attempted access is indicative of malware comprises:
    - determining an entity that made the attempt; and
      
      determining whether the entity was authorized to make the attempt.
  - 13. The method of claim 12, wherein determining whether the entity was authorized to make the attempt comprises determining whether the entity is digitally signed.
  - 14. The method of claim 12, wherein determining whether the entity was authorized to make the attempt comprises determining whether the entity is the owner of a device coupled to the driver.
  - 15. The method of claim 11, wherein the resources are identified by pages of virtual memory containing the resources.
  - 16. The method of claim 11, wherein the resources are identified by addresses of physical memory containing the resources.
  - 17. The method of claim 11, wherein the attempted access includes an execution of a function for attaching or detaching a filter to the driver.
  - 18. The method of claim 11, wherein the attempted access includes an attempted change to permissions for a data structure of the driver.
  - 19. The method of claim 11, wherein the attempted access includes an attempted access of a data structure of the driver.
  - 20. The method of claim 11, wherein determining whether the attempted access is indicative of malware comprises considering whether the attempted access was a read, write or execute request.

21. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  identify one or more resources for changing a filter of a driver;
  
  trap an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
  
  access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes;
  
  determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
  
  determining whether an entity making the attempt is authorized to execute the function; and
  
  determining whether the subfunction was executed without executing the function;
  
  wherein the instructions cause the processor to trap the attempted access and determine whether the attempted access is indicative of malware at a level below all of the one or more operating systems to access the one or more resources for changing the filter.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The article of claim 21, wherein causing the processor to determine whether the attempted access is indicative of malware comprises causing the processor to:
    - determine an entity that made the attempt; and
      
      determine whether the entity was authorized to make the attempt.
  - 23. The article of claim 22, wherein causing the processor to determine whether the entity was authorized to make the attempt comprises causing the processor to determine whether the entity is digitally signed.
  - 24. The article of claim 22, wherein causing the processor to determine whether the entity was authorized to make the attempt comprises causing the processor to determine whether the entity is the owner of a device coupled to the driver.
  - 25. The article of claim 21, wherein the resources are identified by pages of virtual memory containing the resources.
  - 26. The article of claim 21, wherein the resources are identified by addresses of physical memory containing the resources.
  - 27. The article of claim 21, wherein the attempted access includes an execution of a function for attaching or detaching a filter to the driver.
  - 28. The article of claim 21, wherein the attempted access includes an attempted change to permissions for a data structure of the driver.
  - 29. The article of claim 21, wherein the attempted access includes an attempted access of a data structure of the driver.
  - 30. The article of claim 21, wherein causing the processor to determine whether the attempted access is indicative of malware comprises causing the processor to consider whether the attempted access was a read, write or execute request.

31. A system for protecting against malware, comprising:
- a hardware processor;
  
  a memory communicatively coupled to the processor;
  
  a below-operating-system security agent including instructions in the memory to be executed by the hardware processor and configured to;
  
  identify one or more resources for changing filters of a driver;
  
  detect an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver;
  
  access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes;
  
  evaluating whether the execution of the subfunction of the function for attaching or detaching the filter to the driver is indicative of malware;
  
  determining whether an entity making the attempt is authorized to execute the function; and
  
  determining whether the subfunction was executed without executing the function; and
  
  operate at a higher priority than all of the one or more operating systems to access the one or more resources for changing filters of the driver.
- View Dependent Claims (32, 33, 34)
- - 32. The system of claim 31, wherein:
    - the attempted access includes an execution of a function for attaching or detaching a filter to the driver; and
      
      determining whether the attempted access is indicative of malware includes evaluating whether the execution of the function for attaching or detaching the filter to the driver is indicative of malware.
  - 33. The system of claim 31, wherein detecting the attempted access includes triggering an exception.
  - 34. The system of claim 31, wherein detecting the attempted access includes generating an interrupt.

35. A method for protecting against malware, comprising:
- identifying one or more resources for changing a filter of a driver;
  
  detecting an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
  
  accessing one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes;
  
  determining that the attempted included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
  
  determining whether an entity making the attempt is authorized to execute the function; and
  
  determining whether the subfunction was executed without executing the function;
  
  wherein detecting the attempted access and determining whether the attempted access is indicative of malware is conducted at a bare metal layer lower than all of the one or more operating systems to access the one or more resources for changing the filter.
- View Dependent Claims (36, 37, 38)
- - 36. The method of claim 35, wherein:
    - the attempted access includes an execution of a function for attaching or detaching a filter to the driver; and
      
      determining whether the attempted access is indicative of malware includes evaluating whether the execution of the function for attaching or detaching the filter to the driver is indicative of malware.
  - 37. The method system of claim 35, wherein detecting the attempted access includes triggering an exception.
  - 38. The method system of claim 35, wherein detecting the attempted access includes generating an interrupt.

39. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  identify one or more resources for changing a filter of a driver;
  
  detect an attempted access of the one or more resources, the attempted access to originate from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver; and
  
  access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes;
  
  determining that the attempted included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
  
  determining whether an entity making the attempt is authorized to execute the function; and
  
  determining whether the subfunction was executed without executing the function;
  
  wherein the instructions cause the processor to detect the attempted access and determine whether the attempted access is indicative of malware at a level below all of the one or more operating systems to access the one or more resources for changing the filter.
- View Dependent Claims (40, 41, 42)
- - 40. The article of claim 39, wherein:
    - the attempted access includes an execution of a function for attaching or detaching a filter to the driver; and
      
      determining whether the attempted access is indicative of malware includes evaluating whether the execution of the function for attaching or detaching the filter to the driver is indicative of malware.
  - 41. The article system of claim 39, wherein detecting the attempted access includes triggering an exception.
  - 42. The article system of claim 39, wherein detecting the attempted access includes generating an interrupt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
SONG, HEE K

Application Number

US13/075,101
Publication Number

US 20120255001A1
Time in Patent Office

1,505 Days
Field of Search

726 22- 27, 718/1
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

System and method for below-operating system trapping of driver filter attachment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

160 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

System and method for below-operating system trapping of driver filter attachment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others