Anti-malware digital-signature verification
First Claim
1. A computer-implemented method for managing access to files and processes associated with an anti-malware application, comprising:
- initializing a self-protection application, the self-protection application comprising instructions executed by a processor of a client device, the self-protection application executing in kernel mode of an operating system of the client device;
- monitoring one or more processes executing on the client device;
- detecting, by the self-protection application executing in kernel mode, a process that is attempting to access a file or process associated with the anti-malware application;
- verifying a digital certificate contained within a digital signature associated with the detected process by comparing the digital certificate with a digital certificate copy obtained from a certificate authority;
- verifying a timestamp of a program associated with the detected process by comparing the timestamp of the program to a period of validity associated with the digital certificate;
- determining, by the self-protection application executing in kernel mode, whether the detected process is a trusted process based in part on verifying that the digital certificate matches the digital certificate copy and verifying that the timestamp of the program associated with the detected process is within the period of validity associated with the digital certificate, wherein the trusted process originates from applications authorized to access a file or process associated with the anti-malware application;
- determining whether to allow the detected process based at least in part on whether the process is a trusted process; and
- allowing the detected process access to the file or process associated with the anti-malware application subject to the determining.
Abstract
A self-protection application executes in kernel mode and manages access to processes and files related to an associated anti-malware application. The self-protection application monitors the processes executing on the client device and detects those that attempt to access files or processes related to the anti-malware software. These processes are verified by the self-protection application using digital signature authentication. Trusted processes, such as those originating from the anti-malware software or other authorized programs, are allowed access, while all other processes have their access restricted.
17 Claims
1. Independent method claim; its full text is given under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A non-transitory computer-readable storage medium encoded with executable computer program code for managing access to files and processes associated with an anti-malware application, the computer program code comprising program code for:
- initializing a self-protection application executing in kernel mode of a client device;
- monitoring one or more processes executing on the client device;
- detecting, by the self-protection application executing in kernel mode, a process that is attempting to access a file or process associated with the anti-malware application;
- verifying a digital certificate contained within a digital signature associated with the detected process by comparing the digital certificate with a digital certificate copy obtained from a certificate authority;
- verifying a timestamp of a program associated with the detected process by comparing the timestamp of the program to a period of validity associated with the digital certificate;
- determining, by the self-protection application executing in kernel mode, whether the detected process is a trusted process based in part on verifying that the digital certificate matches the digital certificate copy and verifying that the timestamp of the program associated with the detected process is within the period of validity associated with the digital certificate, wherein the trusted process originates from applications authorized to access a file or process associated with the anti-malware application;
- determining whether to allow the detected process based at least in part on whether the process is a trusted process; and
- allowing the detected process access to the file or process associated with the anti-malware application subject to the determining.
Dependent claims: 8, 9, 10, 11.
12. A system for managing access to files and processes associated with an anti-malware application, the system comprising:
- a processor;
- a computer-readable storage medium storing executable instructions that, when executed, cause the processor to perform steps including:
- initializing the self-protection application executing in kernel mode of a client device;
- monitoring one or more processes executing on the client device;
- detecting, by the self-protection application executing in kernel mode, a process that is attempting to access a file or process associated with the anti-malware application;
- verifying a digital certificate contained within a digital signature associated with the detected process by comparing the digital certificate with a digital certificate copy obtained from a certificate authority;
- verifying a timestamp of a program associated with the detected process by comparing the timestamp of the program to a period of validity associated with the digital certificate;
- determining, by the self-protection application executing in kernel mode, whether the detected process is a trusted process based in part on verifying that the digital certificate matches the digital certificate copy and verifying that the timestamp of the program associated with the detected process is within the period of validity associated with the digital certificate, wherein the trusted process originates from applications authorized to access a file or process associated with the anti-malware application;
- determining whether to allow the detected process based at least in part on whether the process is a trusted process; and
- allowing the detected process access to the file or process associated with the anti-malware application subject to the determining.
Dependent claims: 13, 14, 15, 16, 17.
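The trust decision the claims describe (certificate in the process's signature compared against a copy obtained from the certificate authority, and the program's timestamp checked against that certificate's period of validity), modelled in user-space Python as an added example; this is not code from the patent, the kernel-mode interception is out of scope, and the certificate bytes, subject names and processes are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional
import hashlib
@dataclass(frozen=True)
class Certificate:
    subject: str
    der: bytes            # encoded certificate bytes (constructed stand-in for real DER)
    not_before: datetime  # start of the certificate's period of validity
    not_after: datetime   # end of the certificate's period of validity

    def fingerprint(self) -> str:
        # Compare certificates by a hash of their bytes, never by subject name alone.
        return hashlib.sha256(self.der).hexdigest()

@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    cert: Optional[Certificate]    # certificate carried in the image's digital signature
    signed_at: Optional[datetime]  # timestamp of the program (when it was signed)

def is_trusted(proc: Process, ca_copies: Dict[str, Certificate]) -> bool:
    """Both checks from the claims must pass: certificate match and timestamp in validity."""
    if proc.cert is None or proc.signed_at is None:
        return False  # unsigned or untimestamped program: never trusted
    ca_copy = ca_copies.get(proc.cert.subject)
    if ca_copy is None or ca_copy.fingerprint() != proc.cert.fingerprint():
        return False  # no CA-obtained copy for this subject, or the bytes differ
    return ca_copy.not_before <= proc.signed_at <= ca_copy.not_after

def decide_access(proc: Process, ca_copies: Dict[str, Certificate]) -> str:
    # The access verdict the self-protection component would enforce on the request.
    return "allow" if is_trusted(proc, ca_copies) else "deny"
# Constructed sample data: the vendor certificate as obtained from the CA, and four processes.
UTC = timezone.utc
VENDOR_CA_COPY = Certificate("AV Vendor Inc", b"constructed-vendor-cert-bytes",
                             datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC))
CA_COPIES = {VENDOR_CA_COPY.subject: VENDOR_CA_COPY}
SAMPLE_PROCESSES = [
    Process(100, "avengine.exe", VENDOR_CA_COPY, datetime(2023, 6, 1, tzinfo=UTC)),
    Process(200, "unsigned_tool.exe", None, None),
    Process(300, "lookalike.exe", Certificate("AV Vendor Inc", b"other-bytes",  # same name, other bytes
            VENDOR_CA_COPY.not_before, VENDOR_CA_COPY.not_after), datetime(2023, 6, 1, tzinfo=UTC)),
    Process(400, "late_signed.exe", VENDOR_CA_COPY, datetime(2024, 3, 1, tzinfo=UTC)),  # after expiry
]

def run_samples() -> Dict[int, str]:
    return {p.pid: decide_access(p, CA_COPIES) for p in SAMPLE_PROCESSES}
```

Note that the check compares the signing timestamp with the validity window rather than the current time, so a program signed while the certificate was valid stays trusted after the certificate expires, while one signed outside the window is denied even though the certificate bytes match.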