Removal of fake anti-virus software

US 9,152,791 B1
Filed: 05/11/2011
Issued: 10/06/2015
Est. Priority Date: 05/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method of detecting fake antivirus software, said method comprising:

collecting keywords that are comprehensible words by scanning a plurality of executing fake antivirus software samples in a second memory of a second computer and storing said keywords in a keyword database;

identifying an executing process in a computer;

retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;

retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;

applying said rule to said executing process and determining that said keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;

determining, after said step of applying, that said process is not a legitimate process when a digital certificate of said process is nonexistent or is invalid, when an identification of said process does not exist in a white list of valid processes, or when a company name associated with said process does not exist in a white list of valid company names; and

displaying, on said computer, an indication that said process is fake antivirus software based on said applying and said determining.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Lists of keywords by type are collected that are associated with fake antivirus software. One more rules are created including the keywords that likely indicate fake antivirus software. The keywords and rules are stored in a local database on a computer. Each executing process of a computer is scanned using the rules. A match indicates that the scanned process is likely fake antivirus software. A check is then performed to determine if the scanned process is actually legitimate antivirus software (using a digital certificate, a white list, or a call to a function). If the check fails a determination is made that the identified process is fake antivirus software. The process may then be displayed, cleaned, quarantined, or permanently removed from the computer. The cursor may be dragged into the window of an executing process in order to selectively scan that process only. Or, any number of executing processes may be selected to be scanned by the rules. A log function allows a computer user to view a history of actions taken by the above technique.

Citations

24 Claims

1. A method of detecting fake antivirus software, said method comprising:
- collecting keywords that are comprehensible words by scanning a plurality of executing fake antivirus software samples in a second memory of a second computer and storing said keywords in a keyword database;
  
  identifying an executing process in a computer;
  
  retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
  
  retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
  
  applying said rule to said executing process and determining that said keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
  
  determining, after said step of applying, that said process is not a legitimate process when a digital certificate of said process is nonexistent or is invalid, when an identification of said process does not exist in a white list of valid processes, or when a company name associated with said process does not exist in a white list of valid company names; and
  
  displaying, on said computer, an indication that said process is fake antivirus software based on said applying and said determining.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1 further comprising:
    - cleaning said process from said computer by placing a file corresponding to said process into a folder not accessible by a user of said computer.
  - 3. The method as recited in claim 2 comprising:
    - restoring said file by moving said file from said non-accessible folder back to an original location of said file.
  - 4. The method as recited in claim 1 further comprising:
    - cleaning said process from said computer by permanently removing a file associated with said process from said computer.
  - 5. The method as recited in claim 1 further comprising:
    - performing a memory dump of said memory; and
      
      scanning said memory dump in order to perform said determining of whether said keywords in said rule match said data.
  - 6. The method as recited in claim 1 wherein said keyword database exists on said computer.
  - 7. The method as recited in claim 1 further comprising:
    - identifying a plurality of executing processes in said computer; and
      
      applying said rule to said executing processes by scanning said processes in said memory.
  - 8. The method as recited in claim 1 further comprising:
    - scanning said process in said memory without scanning a memory dedicated to display of said process.
  - 9. A method as recited in claim 1 further comprising:
    - using statistical analysis to determine the most common keywords to be stored in said keyword database.

10. A method of detecting fake antivirus software, said method comprising:
- collecting keywords that are comprehensible words by scanning memory dumps of a plurality of executing fake antivirus software samples and storing said keywords in a keyword database;
  
  identifying an executing process in a computer;
  
  retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
  
  retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
  
  applying said rule to said executing process and determining that keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
  
  determining, after said step of applying, that said process is legitimate antivirus software when a digital certificate of said process is valid, when an identification of said process does exist in a white list of valid processes, or when a company name associated with said process does exist in a white list of valid company names; and
  
  displaying, on said computer, an indication that said process is legitimate antivirus software based on said applying and said determining.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method as recited in claim 10 wherein said step of displaying indicates that said process is legitimate antivirus software by not displaying any information concerning said process.
  - 12. The method as recited in claim 10 wherein said step of displaying indicates that said process is legitimate antivirus software by displaying a name of said process and a notice that said process is legitimate.
  - 13. The method as recited in claim 10 further comprising:
    - performing a memory dump of said memory; and
      
      scanning said memory dump in order to perform said determining of whether said keywords in said rule match said data.
  - 14. The method as recited in claim 10 wherein said keyword database exists on said computer.
  - 15. A method as recited in claim 10 further comprising:
    - using statistical analysis to determine the most common keywords to be stored in said keyword database.

16. A method of detecting fake antivirus software, said method comprising:
- collecting keywords that are comprehensible words by monitoring system behavior of a plurality of executing fake antivirus software samples and storing said keywords in a keyword database;
  
  identifying an executing process in a computer, said process being legitimate antivirus software;
  
  retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
  
  retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
  
  applying said rule to said executing process and determining that keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
  
  determining, after said step of applying, that said process is not legitimate antivirus software when a digital certificate of said process is nonexistent or is invalid, when an identification of said process does not exist in a white list of valid processes, or when a company name associated with said process does not exist in a white list of valid company names; and
  
  displaying, on said computer, an indication that said process is fake antivirus software based on said applying and said determining.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method as recited in claim 16 further comprising:
    - cleaning said process from said computer by placing a file corresponding to said process into a folder not accessible by a user of said computer.
  - 18. The method as recited in claim 17 further comprising:
    - restoring said file by moving said file from said non-accessible folder back to an original location of said file.
  - 19. The method as recited in claim 16 further comprising:
    - displaying, on said computer, registry information associated with said process; and
      
      cleaning said registry information from said computer.
  - 20. The method as recited in claim 16 further comprising:
    - performing a memory dump of said memory; and
      
      scanning said memory dump in order to perform said determining of whether said keywords in said rule match said data.
  - 21. The method as recited in claim 16 wherein said keyword database exists on said computer.
  - 22. A method as recited in claim 16 further comprising:
    - using statistical analysis to determine the most common keywords to be stored in said keyword database.

23. A method of detecting fake antivirus software, said method comprising:
- collecting keywords that are comprehensible words by using optical character recognition software on images dropped by a plurality of executing fake antivirus software samples and storing said keywords in a keyword database;
  
  identifying an executing process in a computer;
  
  retrieving a rule from a rule database, said rule using two or more of said keywords to identify fake software;
  
  retrieving said keywords from said keyword database, each of said keywords being indicative of fake antivirus software;
  
  applying said rule to said executing process and determining that said keywords of said rule match data in said process executing in a memory of said computer by scanning said process in said memory;
  
  determining, after said step of applying, that said process is not a legitimate process when a digital certificate of said process is nonexistent or is invalid, when an identification of said process does not exist in a white list of valid processes, or when a company name associated with said process does not exist in a white list of valid company names; and
  
  displaying, on said computer, an indication that said process is fake antivirus software based on said applying and said determining.
- View Dependent Claims (24)
- - 24. A method as recited in claim 23 further comprising:
    - using statistical analysis to determine the most common keywords to be stored in said keyword database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Shih, Ming-Chang, Kuo, Ping Ju, Han, Shuang-Fu
Primary Examiner(s)
TURCHEN, JAMES R

Application Number

US13/105,496
Time in Patent Office

1,609 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/561   Virus type analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/2101   Auditing as a secondary aspect

Removal of fake anti-virus software

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Removal of fake anti-virus software

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links