Removal of fake anti-virus software
Abstract
Lists of keywords by type are collected that are associated with fake antivirus software. One or more rules are created that include keywords likely to indicate fake antivirus software. The keywords and rules are stored in a local database on a computer. Each executing process of a computer is scanned using the rules. A match indicates that the scanned process is likely fake antivirus software. A check is then performed to determine whether the scanned process is actually legitimate antivirus software (using a digital certificate, a white list, or a call to a function). If the check fails, a determination is made that the identified process is fake antivirus software. The process may then be displayed, cleaned, quarantined, or permanently removed from the computer. The cursor may be dragged into the window of an executing process in order to selectively scan that process only. Or, any number of executing processes may be selected to be scanned by the rules. A log function allows a computer user to view a history of actions taken by the above technique.
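The workflow the abstract and the independent claims describe (collect keywords into a database, build rules of two or more keywords, scan each executing process's memory with the rules, then confirm a match with a digital certificate and white-list check before displaying and logging the verdict), carried through as an added Python example. The code is not from the patent or from any product; the keywords, rules, white lists, process names and memory snapshots are constructed for the illustration, and the legitimacy check follows claim 1's wording (certificate, process white list and company white list must all pass). It also searches each keyword as UTF-16LE as well as ASCII, a detail the page does not mention but which matters for text held by a Windows GUI process.

```python
# Added illustration of the abstract's workflow: keyword DB -> rules -> memory
# scan -> certificate / white-list check -> verdict + log. All keywords, rules,
# white lists and process "memory" snapshots are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Keyword database grouped by type, as the abstract describes (constructed).
KEYWORD_DB: Dict[str, Set[str]] = {
    "alarm": {"infected", "threats found", "critical"},
    "upsell": {"activate now", "register", "license key"},
    "payment": {"credit card", "pay now"},
}
# A rule matches only when all of its keywords are present; the claims require
# "two or more" keywords per rule, which validate_rules() enforces (constructed).
RULES: Dict[str, Tuple[str, ...]] = {
    "scare-then-sell": ("infected", "activate now"),
    "scare-then-pay": ("threats found", "credit card", "pay now"),
}
# White lists of process identifications and company names (hypothetical).
WHITELIST_PROCESSES: Set[str] = {"goodav.exe"}
WHITELIST_COMPANIES: Set[str] = {"Good AV Corp."}
LOG: List[str] = []  # history of actions the user can view


@dataclass
class Process:
    pid: int
    name: str                          # identification checked against the white list
    memory: bytes                      # snapshot of the process's readable memory
    cert_valid: Optional[bool] = None  # None: no digital certificate at all
    company: Optional[str] = None      # company name taken from the certificate


@dataclass
class Verdict:
    pid: int
    name: str
    rules: List[str]      # rules whose keywords all matched
    fake: bool
    reasons: List[str]


def validate_rules() -> None:
    """Reject rules with fewer than two keywords or keywords missing from the DB."""
    known = set().union(*KEYWORD_DB.values())
    for name, kws in RULES.items():
        if len(set(kws)) < 2 or not set(kws) <= known:
            raise ValueError(f"rule {name!r}: need two or more known keywords")


def keyword_hits(memory: bytes, keywords: Set[str]) -> Set[str]:
    """Keywords found in the snapshot, case-insensitively, as ASCII or UTF-16LE.

    Windows GUI strings usually sit in memory as UTF-16LE; bytes.lower() folds
    the ASCII letters of either encoding, so one lowered copy serves both.
    """
    low = memory.lower()
    return {kw for kw in keywords
            if kw.lower().encode("ascii") in low
            or kw.lower().encode("utf-16-le") in low}


def matching_rules(memory: bytes) -> List[str]:
    """Apply every rule to the memory snapshot; return the rules that match."""
    hits = keyword_hits(memory, set().union(*KEYWORD_DB.values()))
    return [name for name, kws in RULES.items() if set(kws) <= hits]


def legitimacy_failures(proc: Process) -> List[str]:
    """Claim 1's check, run only after a rule matched: the process is not
    legitimate if the certificate is missing/invalid, OR the name is not
    white-listed, OR the company is not white-listed, so all three must pass.
    (Claim 10 phrases them as alternatives; the conjunction is used here
    because a process name alone is trivial for malware to copy.)"""
    failures = []
    if not proc.cert_valid:
        failures.append("digital certificate nonexistent or invalid")
    if proc.name.lower() not in WHITELIST_PROCESSES:
        failures.append("process not in white list")
    if proc.company not in WHITELIST_COMPANIES:
        failures.append("company name not in white list")
    return failures


def scan_process(proc: Process) -> Verdict:
    """Rule scan, then legitimacy check, then the verdict to display and log."""
    rules = matching_rules(proc.memory)
    if not rules:
        verdict = Verdict(proc.pid, proc.name, [], False, ["no rule matched"])
    else:
        failures = legitimacy_failures(proc)
        verdict = Verdict(proc.pid, proc.name, rules, bool(failures),
                          failures or ["valid certificate and white-listed"])
    LOG.append(f"pid {proc.pid} {proc.name}: fake={verdict.fake} "
               f"rules={verdict.rules} reasons={verdict.reasons}")
    return verdict


def scan_processes(procs: List[Process]) -> List[Verdict]:
    """Scan any selection of executing processes (the abstract's multi-select)."""
    validate_rules()
    return [scan_process(p) for p in procs]


# Constructed snapshots; the names are placeholders, not real products.
SCARE_TEXT = ("Your PC is INFECTED! 12 threats found. "
              "Activate now: enter your credit card and pay now.")
SAMPLE_PROCESSES = [
    Process(1001, "fakeav.exe", SCARE_TEXT.encode("ascii")),            # unsigned scareware
    Process(1002, "goodav.exe", ("Scan complete, 0 files infected. Activate now "
            "for real-time protection.").encode("utf-16-le"),
            cert_valid=True, company="Good AV Corp."),                  # real AV, same words
    Process(1003, "goodav.exe", SCARE_TEXT.encode("utf-16-le"),
            cert_valid=False, company="Good AV Corp."),                 # copied name, bad cert
    Process(1004, "editor.exe", b"hello world"),                        # no keywords at all
]

if __name__ == "__main__":
    for v in scan_processes(SAMPLE_PROCESSES):
        print(f"{v.pid} {v.name:<12} {('FAKE' if v.fake else 'ok'):<4} {v.rules} {v.reasons}")
    print("\n".join(LOG))
```

The third sample is the reason the three checks are combined rather than treated as alternatives: a process that copies the white-listed name but carries no valid certificate is still reported as fake. The second sample is the case claim 16 describes, a legitimate scanner whose own user-interface text trips a rule and is then cleared by the certificate and white-list check.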
24 Claims
1. A method of detecting fake antivirus software, said method comprising:
collecting keywords that are comprehensible words by scanning a plurality of executing fake antivirus software samples in a second memory of a second computer and storing said keywords in a keyword database;
identifying an executing process in a computer;
retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
applying said rule to said executing process and determining that said keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
determining, after said step of applying, that said process is not a legitimate process when a digital certificate of said process is nonexistent or is invalid, when an identification of said process does not exist in a white list of valid processes, or when a company name associated with said process does not exist in a white list of valid company names; and
displaying, on said computer, an indication that said process is fake antivirus software based on said applying and said determining.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9)

10. A method of detecting fake antivirus software, said method comprising:
collecting keywords that are comprehensible words by scanning memory dumps of a plurality of executing fake antivirus software samples and storing said keywords in a keyword database;
identifying an executing process in a computer;
retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
applying said rule to said executing process and determining that keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
determining, after said step of applying, that said process is legitimate antivirus software when a digital certificate of said process is valid, when an identification of said process does exist in a white list of valid processes, or when a company name associated with said process does exist in a white list of valid company names; and
displaying, on said computer, an indication that said process is legitimate antivirus software based on said applying and said determining.
(Dependent claims 11, 12, 13, 14, 15)

16. A method of detecting fake antivirus software, said method comprising:
collecting keywords that are comprehensible words by monitoring system behavior of a plurality of executing fake antivirus software samples and storing said keywords in a keyword database;
identifying an executing process in a computer, said process being legitimate antivirus software;
retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
applying said rule to said executing process and determining that keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
determining, after said step of applying, that said process is not legitimate antivirus software when a digital certificate of said process is nonexistent or is invalid, when an identification of said process does not exist in a white list of valid processes, or when a company name associated with said process does not exist in a white list of valid company names; and
displaying, on said computer, an indication that said process is fake antivirus software based on said applying and said determining.
(Dependent claims 17, 18, 19, 20, 21, 22)

23. A method of detecting fake antivirus software, said method comprising:
collecting keywords that are comprehensible words by using optical character recognition software on images dropped by a plurality of executing fake antivirus software samples and storing said keywords in a keyword database;
identifying an executing process in a computer;
retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
applying said rule to said executing process and determining that said keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
determining, after said step of applying, that said process is not a legitimate process when a digital certificate of said process is nonexistent or is invalid, when an identification of said process does not exist in a white list of valid processes, or when a company name associated with said process does not exist in a white list of valid company names; and
displaying, on said computer, an indication that said process is fake antivirus software based on said applying and said determining.
(Dependent claim 24)