System and method for below-operating system trapping and securing loading of code into memory
Abstract
A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions.
27 Claims
1. A system for protecting an electronic device against malware, comprising:
a memory;
one or more operating systems configured to execute on the electronic device;
a below operating-system security agent configured to:
identify an attempted access of a resource of the electronic device, the attempted access comprising:
attempting to write instructions to the memory; and
attempting to execute the instructions;
trap the attempted access based upon an identification of the attempt to write instructions to the memory and an identification of the attempt to execute the instructions;
access one or more security rules to determine whether the attempted access is indicative of malware; and
operate at a higher priority than all of the operating systems of the electronic device;
wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware is conducted at a higher priority than all of the operating systems of the electronic device,
wherein the below operating-system security agent is further configured to:
identify the attempted access based on an attempt to access a portion of the memory containing a memory page data structure entry for a driver;
determine that the malware status of the driver is unknown; and
the below operating-system security agent is configured to trap the attempted access further based upon an identification of the attempted access of the portion of the memory containing the memory page data structure for the driver and a determination that the malware status of the driver is unknown.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method for protecting an electronic device against malware, comprising:
identifying an attempted access of a resource of an electronic device, the attempted access comprising:
attempting to write instructions to a memory of the electronic device, the memory comprising the resource; and
attempting to execute the instructions;
trapping the attempted access based upon an identification of the attempt to write instructions to the memory and an identification of the attempt to execute the instructions;
accessing one or more security rules to determine whether the attempted access is indicative of malware;
wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware is conducted at a higher priority than all of the one or more operating systems of the electronic device,
wherein identifying the attempted access further comprises identifying an attempted access of a portion of the memory containing a memory page data structure entry for a driver;
the method further comprises determining that the malware status of the driver is unknown; and
trapping the attempted access is further based upon an identification of the attempted access of a portion of the memory containing a memory page data structure entry for a driver and a determination that the malware status of the driver is unknown;
wherein the method is performed by at least one hardware processor.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. An article of manufacture, comprising:
a computer readable medium; and
computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to:
identify an attempted access of a resource of an electronic device, the attempted access comprising:
attempting to write instructions to a memory of the electronic device, the memory comprising the resource; and
attempting to execute the instructions;
trap the attempted access based upon an identification of the attempt to write instructions to the memory and an identification of the attempt to execute the instructions;
access one or more security rules to determine whether the attempted access is indicative of malware;
wherein the processor is configured to conduct the trapping of the attempted access and determining whether the attempted access is indicative of malware at a higher priority than all of the one or more operating systems of the electronic device,
wherein identifying the attempted access comprises identifying an attempted access of a portion of the memory containing a memory page data structure entry for a driver;
the article further comprises instructions for determining that the malware status of the driver is unknown; and
trapping the attempted access is further based upon an identification of the attempted access of the portion of the memory containing the memory page data structure for the driver and a determination that the malware status of the driver is unknown.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27
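The three independent claims describe the same two trap points: the below-OS agent notices a write of instructions into memory and the later attempt to execute them, and it also notices an update to the memory page data structure entry of a driver whose malware status is unknown. The following C model, added here as an illustration and not code from the patent, its assignee or any product, shows how those two trap points compose when page permissions are enforced below the OS (as an EPT/NPT second-level mapping would be). Everything in it is hypothetical: the guest of NPAGES fixed-size pages, the three-entry driver table, the names guest_map_driver_page / guest_write / guest_execute, and a "security rule" that is just an FNV-1a hash allowlist of approved code; the sample instruction bytes are constructed for the demo.

```c
/* Illustrative model of below-OS write-then-execute trapping (hypothetical,
 * added for this page; not the patent's or any vendor's implementation). */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES     8
#define PAGE_BYTES 16
#define NDRIVERS   3

enum { PERM_R = 1u, PERM_W = 2u, PERM_X = 4u };
typedef enum { DRV_KNOWN_GOOD, DRV_KNOWN_BAD, DRV_UNKNOWN } DriverStatus;
typedef enum { ACCESS_ALLOWED, ACCESS_DENIED } Verdict;

typedef struct {
    uint8_t  bytes[PAGE_BYTES];
    unsigned perm;     /* permissions the agent enforces below the OS */
    int      owner;    /* driver the page was mapped for, -1 if none */
    bool     tracked;  /* agent intercepts writes and executes on this page */
    bool     dirty;    /* written since the agent last approved the contents */
} Page;

typedef struct {
    Page         pages[NPAGES];
    DriverStatus drivers[NDRIVERS];
    uint32_t     allowlist[4];  /* security rules: hashes of approved code */
    size_t       nallow;
    int map_traps, write_traps, exec_traps, denials;
} Guest;

/* Constructed sample bytes: a vetted prologue/epilogue, and something unvetted. */
static const uint8_t approved_code[PAGE_BYTES] =
    {0x55,0x48,0x89,0xe5,0x31,0xc0,0x5d,0xc3,0,0,0,0,0,0,0,0};
static const uint8_t unvetted_code[PAGE_BYTES] =
    {0xeb,0xfe,0x90,0x90,0x90,0x90,0x90,0x90,0,0,0,0,0,0,0,0};

static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static void guest_init(Guest *g) {
    memset(g, 0, sizeof *g);
    for (int i = 0; i < NPAGES; i++) { g->pages[i].perm = PERM_R | PERM_W; g->pages[i].owner = -1; }
    g->drivers[0] = DRV_KNOWN_GOOD;
    g->drivers[1] = DRV_KNOWN_BAD;
    g->drivers[2] = DRV_UNKNOWN;
    g->allowlist[g->nallow++] = fnv1a(approved_code, PAGE_BYTES);
}

static bool rules_permit(const Guest *g, const Page *pg) {
    uint32_t h = fnv1a(pg->bytes, PAGE_BYTES);
    for (size_t i = 0; i < g->nallow; i++) if (g->allowlist[i] == h) return true;
    return false;
}

/* Trap point 1: the OS writes the page data structure entry mapping a page for a
 * driver. The agent only intervenes for a driver of unknown status: it arms tracking
 * on the page and withholds execute permission until the contents are judged. */
static Verdict guest_map_driver_page(Guest *g, int page, int driver) {
    Page *pg = &g->pages[page];
    pg->owner = driver;
    switch (g->drivers[driver]) {
    case DRV_KNOWN_GOOD: pg->perm = PERM_R | PERM_W | PERM_X; return ACCESS_ALLOWED;
    case DRV_KNOWN_BAD:  g->denials++; pg->owner = -1;          return ACCESS_DENIED;
    default:             g->map_traps++; pg->tracked = true; pg->perm = PERM_R | PERM_W;
                         return ACCESS_ALLOWED;
    }
}

/* Trap point 2a: a write to a tracked page is recorded but is not itself a verdict.
 * An approved page is R|X, so writing it re-arms the trap (W^X flip-flop). */
static Verdict guest_write(Guest *g, int page, const uint8_t *src, size_t n) {
    Page *pg = &g->pages[page];
    if (pg->tracked) { g->write_traps++; pg->dirty = true; pg->perm = PERM_R | PERM_W; }
    else if (!(pg->perm & PERM_W)) { g->denials++; return ACCESS_DENIED; }
    memcpy(pg->bytes, src, n < PAGE_BYTES ? n : PAGE_BYTES);
    return ACCESS_ALLOWED;
}

/* Trap point 2b: executing a tracked page written since the last approval is the
 * write-then-execute pair; the rules decide, and approval drops W while granting X. */
static Verdict guest_execute(Guest *g, int page) {
    Page *pg = &g->pages[page];
    if (pg->perm & PERM_X) return ACCESS_ALLOWED;                            /* no trap */
    if (!(pg->tracked && pg->dirty)) { g->denials++; return ACCESS_DENIED; } /* plain NX fault */
    g->exec_traps++;
    if (rules_permit(g, pg)) { pg->perm = PERM_R | PERM_X; pg->dirty = false; return ACCESS_ALLOWED; }
    g->denials++;
    return ACCESS_DENIED;
}

static Guest demo;

/* Four constructed scenarios; returns the number of denied accesses. */
static int run_scenario(void) {
    guest_init(&demo);
    guest_map_driver_page(&demo, 1, 0); guest_write(&demo, 1, approved_code, PAGE_BYTES);
    guest_execute(&demo, 1);                       /* known-good driver: no traps */
    guest_map_driver_page(&demo, 2, 2); guest_write(&demo, 2, approved_code, PAGE_BYTES);
    guest_execute(&demo, 2);                       /* unknown driver, vetted code: trapped, allowed */
    guest_map_driver_page(&demo, 3, 2); guest_write(&demo, 3, unvetted_code, PAGE_BYTES);
    guest_execute(&demo, 3);                       /* unknown driver, unvetted code: denied */
    guest_map_driver_page(&demo, 4, 1);            /* known-bad driver: mapping refused */
    return demo.denials;
}

int main(void) {
    int denied = run_scenario();
    printf("map traps %d, write traps %d, exec traps %d, denials %d\n",
           demo.map_traps, demo.write_traps, demo.exec_traps, denied);
    return 0;
}
```

The point a practitioner should take from the model is the ordering: the write alone is never judged, because a driver legitimately populates its own pages; only the later execute of a page the agent saw written is evaluated against the rules, and that evaluation happens below every OS on the box, so a rootkit that has already subverted the kernel's own page tables cannot talk the agent out of it. The model grants X and drops W together so that any further write re-arms the trap; a real agent must also make sure the hash it checked is the content that runs (inspect the page after it is no longer writable, not before), or the check is a TOCTOU race. Tracking every page this way is expensive, which is why the claims tie the trap to pages whose owning driver has unknown status rather than to all of memory.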