Method and apparatus for detecting a malware in files

US 9,129,109 B2
Filed: 12/19/2011
Issued: 09/08/2015
Est. Priority Date: 12/31/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting a malware in files, comprising:

an acquisition unit configured to obtain from a file system information about a first time point when a folder is created by the file system, and information about a second time point when a file is created in the folder by the file system;

a candidate determination unit configured to determine whether the file created by the file system is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point; and

an inspection unit configured to perform the malware inspection on the file created by the file system when it is determined to be the candidate file for the malware inspection,wherein the candidate determination unit is configured to determine that the file created by the file system is the candidate file to be inspected when the second time point is not within a predetermined time interval from the first time point.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for detecting a malware in files includes an acquisition unit configured to obtain from a file system information about a first time point when an interested folder is created by the file system, and information about a second time point when an interested file is created in the interested folder by the file system, a candidate determination unit configured to determine whether the interested file is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point, and an inspection unit configured to perform the malware inspection on the interested file determined to be the candidate file for the malware inspection.

5 Citations

23 Claims

1. An apparatus for detecting a malware in files, comprising:
- an acquisition unit configured to obtain from a file system information about a first time point when a folder is created by the file system, and information about a second time point when a file is created in the folder by the file system;
  
  a candidate determination unit configured to determine whether the file created by the file system is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point; and
  
  an inspection unit configured to perform the malware inspection on the file created by the file system when it is determined to be the candidate file for the malware inspection,wherein the candidate determination unit is configured to determine that the file created by the file system is the candidate file to be inspected when the second time point is not within a predetermined time interval from the first time point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The apparatus of claim 1, wherein the folder is associated with an operating system employing the file system.
  - 3. The apparatus of claim 2, wherein the folder has a folder name that is prohibited from being renamed by the operating system.
  - 4. The apparatus of claim 1, wherein the folder has a parent folder, and wherein the candidate determination unit is configured to determine that the file created by the file system is the candidate file to be inspected when the first time point is within a predetermined time interval from the time when the parent folder was created.
  - 5. The apparatus of claim 1, wherein the folder contains a plurality of files inclusive of the file created by the file system, and the candidate determination unit is configured to determine that the file created by the file system is the candidate file to be inspected when the number of files created within the predetermined time interval from the first time point is larger than a threshold number.
  - 6. The apparatus of claim 1, wherein the predetermined time interval from the first time point is defined on the basis of a size of the folder.
  - 7. The apparatus of claim 1, wherein the folder contains a plurality of files inclusive of said file created by the file system, and wherein the predetermined time interval from the first time point is defined based on a plurality of time points corresponding to creation of the plurality of files.
  - 8. The apparatus of claim 1, wherein the candidate determination unit is further configured to determine that the file created by the file system is the candidate file to be inspected when the first time point precedes the predetermined time interval.
  - 9. The apparatus of claim 1, wherein the acquisition unit is further configured to obtain from the file system information on a third time point when the file created by the file system is changed by the file system, and wherein the candidate determination unit is further configured to determine that the file created by the file system is the candidate file when the third time point is not within a predetermined time interval from the second time point.
  - 10. The apparatus of claim 1, wherein the candidate determination unit is further configured to determine that the file created by the file system is the candidate file when the second time point precedes a second predetermined time point.
  - 11. The apparatus of claim 1, wherein the inspection unit is further configured to receive a request to perform the malware inspection on the file created by the file system when the file created by the file system is determined to be the candidate file, and not to perform the malware inspection on the file created by the file system when it is determined that the file created by the file system is not the candidate file.
  - 12. The apparatus of claim 11, wherein the inspection unit performs the malware inspection when it is requested to perform the malware inspection, and does not perform the malware inspection when it is requested not to perform the malware inspection.

13. A method for detecting a malware in files, the method comprising:
- obtaining from a file system information about a first time point when folder is created by the file system and information about a second time point when a file is created in the folder by the file system;
  
  determining whether or not the file created by the file system is a candidate file to be subjected to a malware inspection based on the information about the first and the second time point; and
  
  performing the malware inspection on the file created by the file system when it is determined to be the candidate file,wherein said determining whether or not the file created by the file system is a candidate file includes determining the file created by the file system is a candidate file to be subjected to the malware inspection when the second time point is not within a predetermined time interval from the first time point.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method of claim 13, wherein the folder is associated with an operating system employing the file system.
  - 15. The method of claim 14, wherein the folder has a folder name that is prohibited from being renamed by the operating system.
  - 16. The method of claim 13, wherein the folder has a parent folder, and wherein said determining whether or not the file created by the file system is a candidate file includes determining when the first time point is within a predetermined time interval from the time when the parent folder was created.
  - 17. The method of claim 13, wherein the folder contains a plurality of files inclusive of the file created by the file system, and the number of files created within a predetermined time interval from the first time point is larger than a threshold number.
  - 18. The method of claim 13, wherein said determining whether or not the file created by the file system is a candidate file includes determining when the predetermined time interval from the first time point is defined on the basis of a size of the folder.
  - 19. The method of claim 13, wherein the folder contains a plurality of files inclusive of the file created by the file system, and wherein the predetermined time interval from the first time point is defined based on a plurality of time points corresponding to creation of the plurality of files.
  - 20. The method of claim 13, wherein said determining whether or not the file created by the file system is a candidate file further includes determining that the file created by the file system is the candidate file when the first time point precedes the predetermined time interval.
  - 21. The method of claim 13, further comprising:
    - obtaining from the file system information about a third time point when the file created by the file system is changed; and
      
      determining that the file created by the file system is the candidate file when the third time point is not within a predetermined time interval from the second time point.
  - 22. The method of claim 13, wherein said determining whether or not the file created by the file system is a candidate file further includes determining that the file created by the file system is the candidate file when the second time point precedes a second predetermined time.
  - 23. A non-transitory computer-readable storage medium storing a computer program configured to perform the method of claim 13.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ahnlab Incorporated
Original Assignee
Anhlab Incorporated
Inventors
Hwang, Kyu Beom
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US13/977,275
Publication Number

US 20130276117A1
Time in Patent Office

1,359 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 2221/2151   Time stamp

Method and apparatus for detecting a malware in files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting a malware in files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links