Anti-malware digital-signature verification

US 9,058,504 B1
Filed: 05/21/2013
Issued: 06/16/2015
Est. Priority Date: 05/21/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing access to files and processes associated with an anti-malware application, comprising:

initializing a self-protection application, the self-protection application comprising instructions executed by a processor of a client device, the self protection application executing in kernel mode of an operating system of the client device;

monitoring one or more processes executing on the client device;

detecting, by the self-protection application executing in kernel mode, a process that is attempting to access a file or process associated with the anti-malware application;

verifying a digital certificate contained within a digital signature associated with the detected process by comparing the digital certificate with a digital certificate copy obtained from a certificate authority;

verifying a timestamp of a program associated with the detected process by comparing the timestamp of the program to a period of validity associated with the digital certificate;

determining, by the self-protection application executing in kernel mode, whether the detected process is a trusted process based in part on verifying that the digital certificate matches the digital certificate copy and verifying that the timestamp of the program associated with the detected process is within the period of validity associated with the digital certificate, wherein the trusted process originates from applications authorized to access a file or process associated with the anti-malware application;

determining whether to allow the detected process based at least in part on whether the process is a trusted; and

allowing the detected process access to the file or process associated with the anti-malware application subject to the determining.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A self-protection application executes in kernel mode and manages access to processes and files related to an associated anti-malware application. The self-protection application monitors executing processes on the client device and detects the processes that are attempting to access files/processes related to the anti-malware software. These processes and files are verified by the self-protection application using digital signature authentication. Trusted processes such as those originating from the anti-malware software or other authorized programs are allowed access while other processes are restricted access.

Citations

17 Claims

1. A computer-implemented method for managing access to files and processes associated with an anti-malware application, comprising:
- initializing a self-protection application, the self-protection application comprising instructions executed by a processor of a client device, the self protection application executing in kernel mode of an operating system of the client device;
  
  monitoring one or more processes executing on the client device;
  
  detecting, by the self-protection application executing in kernel mode, a process that is attempting to access a file or process associated with the anti-malware application;
  
  verifying a digital certificate contained within a digital signature associated with the detected process by comparing the digital certificate with a digital certificate copy obtained from a certificate authority;
  
  verifying a timestamp of a program associated with the detected process by comparing the timestamp of the program to a period of validity associated with the digital certificate;
  
  determining, by the self-protection application executing in kernel mode, whether the detected process is a trusted process based in part on verifying that the digital certificate matches the digital certificate copy and verifying that the timestamp of the program associated with the detected process is within the period of validity associated with the digital certificate, wherein the trusted process originates from applications authorized to access a file or process associated with the anti-malware application;
  
  determining whether to allow the detected process based at least in part on whether the process is a trusted; and
  
  allowing the detected process access to the file or process associated with the anti-malware application subject to the determining.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - requesting one or more updated signature files associated with the self-protection application from a trusted server, the signature files comprising data associated with digital signatures;
      
      downloading the one or more updated signature files from the trusted server; and
      
      installing the one or more updated signature files into the self-protection application.
  - 3. The method of claim 1, wherein the self-protection application is initialized on the client device prior to the installation of the anti-malware application.
  - 4. The method of claim 1, wherein the digital signature identifies the publisher of an application associated with the detected process and the integrity of the application associated with the detected process.
  - 5. The method of claim 1, wherein determining whether the detected process is a trusted process further comprises:
    - receiving a public key complementing a private key associated with the detected process;
      
      extracting a first hash value from the digital signature using the public key;
      
      determining a second hash value by using a cryptographic hash algorithm on the data associated with the detected process; and
      
      comparing the first hash value and the second hash value.
  - 6. The method of claim 1, further comprising denying the detected process access to the file or process associated with the anti-malware application under one or more of the following:
    - no digital signature is associated with the detected process, the associated digital signature is invalid, the first hash value and the second hash value do not match, the associated digital signature indicates an unauthorized publisher, the origin of the process is not trusted or the timestamp associated with the digital signature is invalid.

7. A non-transitory computer-readable storage medium encoded with executable computer program code for managing access to files and processes associated with anti-malware application, the computer program code comprising program code for:
- initializing a self-protection application executing in kernel mode of a client device;
  
  monitoring one or more processes executing on the client device;
  
  detecting, by the self-protection application executing in kernel mode, a process that is attempting to access a file or process associated with the anti-malware application;
  
  verifying a digital certificate contained within a digital signature associated with the detected process by comparing the digital certificate with a digital certificate copy obtained from a certificate authority;
  
  verifying a timestamp of a program associated with the detected process by comparing the timestamp of the program to a period of validity associated with the digital certificate;
  
  determining, by the self-protection application executing in kernel mode, whether the detected process is a trusted process based in part on verifying that the digital certificate matches the digital certificate copy and verifying that the timestamp of the program associated with the detected process is within the period of validity associated with the digital certificate, wherein the trusted process originates from applications authorized to access a file or process associated with the anti-malware application;
  
  determining whether to allow the detected process based at least in part on whether the process is a trusted process; and
  
  allowing the detected process access to the file or process associated with the anti-malware application subject to the determining.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory computer-readable storage medium of claim 7, further comprising:
    - requesting one or more updated signature files associated with the self-protection application from a trusted server, the signature files comprising data associated with digital signatures;
      
      downloading the one or more updated signature files from the trusted server; and
      
      installing the one or more updated signature files into the self-protection application.
  - 9. The non-transitory computer-readable storage medium of claim 7, wherein the self-protection application is initialized on the client device prior to the installation of the anti-malware application.
  - 10. The non-transitory computer-readable storage medium of claim 7, wherein determining whether the detected process is a trusted process further comprises:
    - receiving a public key complementing a private key associated with the detected process;
      
      extracting a first hash value from the digital signature using the public key;
      
      determining a second hash value by using a cryptographic hash algorithm on the data associated with the detected process; and
      
      comparing the first hash value and the second hash value.
  - 11. The non-transitory computer-readable storage medium of claim 7, further comprising denying the detected process access to the file or process associated with the anti-malware application under one or more of the following:
    - no digital signature is associated with the detected process, the associated digital signature is invalid, the first hash value and the second hash value do not match, the associated digital signature indicates an unauthorized publisher, the origin of the process is not trusted or the timestamp associated with the digital signature is invalid.

12. A system for managing access to files and processes associated with an anti-malware application, the system comprising:
- a processor;
  
  a computer-readable storage medium storing executable instructions that when executed cause the process to perform steps including;
  
  initializing the self-protection application executing in kernel mode of a client device;
  
  monitoring one or more processes executing on the client device;
  
  detecting, by the self-protection application executing in kernel mode, a process that is attempting to access a file or process associated with the anti-malware application;
  
  verifying a digital certificate contained within a digital signature associated with the detected process by comparing the digital certificate with a digital certificate copy obtained from a certificate authority;
  
  verifying a timestamp of a program associated with the detected process by comparing the timestamp of the program to a period of validity associated with the digital certificate;
  
  determining, by the self-protection application executing in kernel mode, whether the detected process is a trusted process based in part on verifying that the digital certificate matches the digital certificate copy and verifying that the timestamp of the program associated with the detected process is within the period of validity associated with the digital certificate, wherein the trusted process originates from applications authorized to access a file or process associated with the anti-malware application;
  
  determining whether to allow the detected process based at least in part on whether the process is a trusted process; and
  
  allowing the detected process access to the file or process associated with the anti-malware application subject to the determining.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, further comprising:
    - requesting one or more updated signature files associated with the self-protection application from a trusted server, the signature files comprising data associated with digital signatures;
      
      downloading the one or more updated signature files from the trusted server; and
      
      installing the one or more updated signature files into the self-protection application.
  - 14. The system of claim 12, wherein the self-protection program is initialized on the client device prior to the installation of the anti-malware application.
  - 15. The system of claim 12, wherein the digital signature identifies the publisher of an application associated with the detected process and the integrity of the application associated with the detected process.
  - 16. The system of claim 12, wherein determining whether the detected process is a trusted process further comprises:
    - receiving a public key complementing a private key associated with the detected process;
      
      extracting a first hash value from the digital signature using the public key;
      
      determining a second hash value by using a cryptographic hash algorithm on the data associated with the detected process; and
      
      comparing the first hash value and the second hash value.
  - 17. The system of claim 12, further comprising denying the detected process access to the file or process associated with the anti-malware application under one or more of the following:
    - no digital signature is associated with the detected process, the associated digital signature is invalid, the first hash value and the second hash value do not match, the associated digital signature indicates an unauthorized publisher, the origin of the process is not trusted or the timestamp associated with the digital signature is invalid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malwarebytes Corporate Holdco Incorporated
Original Assignee
Malwarebytes Corporation
Inventors
Swanson, Douglas Stuart, Winter, Richard Allan
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US13/899,565
Time in Patent Office

756 Days
Field of Search

726/30
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

Anti-malware digital-signature verification

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Anti-malware digital-signature verification

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links