Remote malware remediation

US 9,143,519 B2
Filed: 03/15/2013
Issued: 09/22/2015
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

identify a request for remediation of a file at a remote particular host device, wherein the request is received from an antimalware client on the particular host device based on a determination that the antimalware client lacks functionality for remediating the file;

determine one or more remediation scripts from a plurality of remediation scripts for remediation of the file; and

provide the one or more remediation scripts to the particular host device for execution on the particular host device using the antimalware client, wherein the one or more remediation scripts are provided in response to the request and the one or more remediation scripts extend the functionality of the antimalware client to remediate the file.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An opportunity to assist with remediation of a file at a remote particular host device is identified. One or more remediation techniques are identified that can be applied to assist with remediation of the file at the particular host device. In one aspect, one or more remediation scripts are identified from a plurality of remediation scripts for remediation of the file and provided to the particular host device for execution on the particular host device. In another aspect, a remediation tool is identified and launched on a computing device remote from the particular host device with operations of the remediation tool applied to resources of the particular host device. In another aspect, at least a portion of the remediation techniques are remotely initiated to be performed locally at the particular host device.

Citations

28 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- identify a request for remediation of a file at a remote particular host device, wherein the request is received from an antimalware client on the particular host device based on a determination that the antimalware client lacks functionality for remediating the file;
  
  determine one or more remediation scripts from a plurality of remediation scripts for remediation of the file; and
  
  provide the one or more remediation scripts to the particular host device for execution on the particular host device using the antimalware client, wherein the one or more remediation scripts are provided in response to the request and the one or more remediation scripts extend the functionality of the antimalware client to remediate the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The storage medium of claim 1, wherein the plurality of remediation scripts includes other remediation scripts for remediation of other files.
  - 3. The storage medium of claim 2, wherein the instructions, when executed, further cause the machine to:
    - identify another opportunity to assist with remediation of a second file; and
      
      determine a second remediation script from the plurality of remediation scripts, the second remediation script corresponding to remediation of the second file.
  - 4. The storage medium of claim 3, wherein the other opportunity to assist is an opportunity to assist with remediation of the second file on the particular host device, the method further comprising sending the second remediation script to the particular host device.
  - 5. The storage medium of claim 3, wherein the other opportunity to assist is an opportunity to assist with remediation of the second file on another host device, and the instructions, when executed, further cause the machine to send the second remediation script to the other host device.
  - 6. The storage medium of claim 2, wherein the instructions, when executed, further cause the machine to:
    - identify an opportunity to assist with remediation of the file on a second host device;
      
      determine a second remediation script from the plurality of remediation scripts, the second remediation script corresponding to remediation of the file on the second host device; and
      
      send the second remediation script to the second host device, wherein the second remediation script is different from the first remediation script.
  - 7. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to collect feedback data from the particular host device regarding results of the execution of the remediation scripts on the particular host device.
  - 8. The storage medium of claim 7, wherein determining whether to use at least one of the one or more remediation scripts in response to a subsequent opportunity to remediate the file is based at least in part on the feedback data.

9. A method comprising:
- identifying an opportunity to assist with remediation of a file at a remote particular host device, wherein the request is received from an antimalware client on the particular host device based on a determination that the antimalware client lacks functionality for remediating the file;
  
  determining one or more remediation scripts from a plurality of remediation scripts for remediation of the file; and
  
  providing the one or more remediation scripts to the particular host device for execution on the particular host device using the antimalware client, wherein the one or more remediation scripts are provided in response to the request and the one or more remediation scripts extend the functionality of the antimalware client to remediate the file.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the opportunity is identified based on a query from the particular host device for additional reputation information for the file.
  - 11. The method of claim 10, wherein the query is a basis for a determination by an antimalware support system remote from the particular host device that the file should be remediated.
  - 12. The method of claim 9, wherein identifying the opportunity includes receiving a request for remediation of the file from the host device.
  - 13. The method of claim 12, wherein the request for remediation is based on a determination at the host device that the file should be remediated.
  - 14. The method of claim 13, wherein the determination of the host device is in response to receiving reputation information for the file from an antimalware support system remote from the particular host device.
  - 15. The method of claim 14, further comprising:
    - receiving a query from the particular host device; and
      
      returning response data including the reputation information in response to the query.

16. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- identify a file on a host device;
  
  determine that the file should be remediated;
  
  determine that a antimalware client local to the host device lacks functionality for remediating the file;
  
  send a request for remediation assistance to a remote antimalware support system based on determining that the antimalware client local to the host device lacks functionality for remediating the file;
  
  receive one or more malware remediation scripts from the antimalware support system, wherein the malware remediation scripts are selected by the antimalware support system from a plurality of malware remediation scripts; and
  
  execute the one or more malware remediation scripts at the host device using the antimalware client.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The storage medium of claim 16, wherein the instructions, when executed, further cause the machine to dispose of the remediation scripts following execution of the remediation scripts.
  - 18. The storage medium of claim 17, wherein the remediation scripts are to be disposed in response to identifying successful remediation of the file.
  - 19. The storage medium of claim 16, wherein the instructions, when executed, further cause the machine to:
    - send a query to the antimalware support system for reputation information for the file more information; and
      
      receive results for the query from the antimalware support system.
  - 20. The storage medium of claim 19, wherein determining that the file should be remediated is based at least in part on the received results.
  - 21. The storage medium of claim 20, wherein the determining that the file should be remediated is further based on an assessment of the file using the antimalware client local to the host device.
  - 22. The storage medium of claim 21, wherein the file comprises a first file and the instructions, when executed, further cause the machine to:
    - identify a second file on the host device;
      
      determine that the second file should be remediated;
      
      send a request for remediation assistance to the remote antimalware support system relating to the second file;
      
      receive a second malware remediation script from the antimalware support system, wherein the second malware remediation script is not included in the one or more malware remediation scripts selected by the antimalware support system for the first file; and
      
      execute the second remediation script at the host device.

23. A method comprising:
- identifying a file on a host device;
  
  determining that the file should be remediated;
  
  determining that a antimalware client local to the host device lacks functionality for remediating the file;
  
  sending a request for remediation assistance to a remote antimalware support system based on determining that the antimalware client local to the host device lacks functionality for remediating the file;
  
  receiving one or more malware remediation scripts from the antimalware support system, wherein the malware remediation scripts are selected by the antimalware support system from a plurality of malware remediation scripts; and
  
  executing the one or more malware remediation scripts at the host device device using the antimalware client to remediate the file.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23, wherein the file is identified by the antimalware client on the host device.
  - 25. The method of claim 23, wherein the antimalware client is configured to remediate other files.
  - 26. The method of claim 23, wherein the antimalware client is configured to execute any one of the plurality of remediation scripts.

27. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  an antimalware support server adapted when executed by the at least one processor device to;
  
  identify a request for remediation of a file at a remote particular host device, wherein the request is received from an antimalware client on the particular host device based on a determination that the antimalware client lacks functionality for remediating the file;
  
  determine one or more remediation scripts from a plurality of remediation scripts for remediation of the file; and
  
  provide the one or more remediation scripts to the particular host device for execution on the particular host device using the antimalware client, wherein the one or more remediation scripts are provided in response to the request and the one or more remediation scripts extend the functionality of the antimalware client to remediate the file.
- View Dependent Claims (28)
- - 28. The system of claim 27, further comprising a plurality of host devices including the particular host device, wherein each of the plurality of host devices comprises an instance of an antimalware client capable of executing remediation scripts in the plurality of remediation scripts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Teddy, John, Bean, James Douglas, Dalcher, Gregory William, Hetzler, Jeff
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US13/977,003
Publication Number

US 20140289853A1
Time in Patent Office

921 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2115   Third party

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Remote malware remediation

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Remote malware remediation

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links