Windows registry modification verification

US 9,183,386 B2
Filed: 09/27/2012
Issued: 11/10/2015
Est. Priority Date: 11/27/2007
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor:

prepare entry data of a registry entry for a computer system;

create one or more identifiers based on the entry data, wherein the one or more identifiers indicate an attempted change to a registry of the computer system;

package the one or more identifiers;

send the packaged one or more identifiers to a client for verification, wherein the client comprises software configured to process the one or more identifiers in order to determine whether the registry entry is authorized and whether the registry entry is associated with data that is free from malware,wherein the one or more identifiers are merged with at least one other identifier of a different registry entry in order to package the one or more identifiers and the at least one other identifier as either desirable or undesirable registry entries.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided by which unauthorized changes to the registry may be detected and that provides the capability to verify whether registry, or other system configuration data, changes that occur on a computer system are undesirable or related to possible malware attack before the changes become effective or are saved on the system. A method for verifying changes to system configuration data in a computer system comprises generating an identifier representing an entry in the system configuration data, packaging the identifier, and sending the packaged identifier to a client for verification. The identifier may be generated by hashing the first portion of the entry and the second portion of the entry to generate the identifier, or by filtering the first portion of the entry and hashing the filtered first portion of the entry and the second portion of the entry to generate the identifier.

Citations

20 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor:
- prepare entry data of a registry entry for a computer system;
  
  create one or more identifiers based on the entry data, wherein the one or more identifiers indicate an attempted change to a registry of the computer system;
  
  package the one or more identifiers;
  
  send the packaged one or more identifiers to a client for verification, wherein the client comprises software configured to process the one or more identifiers in order to determine whether the registry entry is authorized and whether the registry entry is associated with data that is free from malware,wherein the one or more identifiers are merged with at least one other identifier of a different registry entry in order to package the one or more identifiers and the at least one other identifier as either desirable or undesirable registry entries.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 18)
- - 2. The at least one non-transitory computer-readable medium of claim 1, comprising one or more further instructions that when executed by a processor:
    - provide known identifier data to the client to validate a plurality of particular identifiers.
  - 3. The at least one non-transitory computer-readable medium of claim 1, wherein each of the one or more identifiers is created by a different hash function.
  - 4. The at least one non-transitory computer-readable medium of claim 1, wherein the one or more identifiers are created by a hashing activity.
  - 5. The at least one non-transitory computer-readable medium of claim 4, wherein the entry data comprises a first portion identifying the registry entry and a second portion including a value of the registry entry, and wherein the hashing activity is configured to:
    - hash the first portion of the entry data and the second portion of the entry data.
  - 6. The at least one non-transitory computer-readable medium of claim 5, wherein the first portion is filtered when the entry data is prepared.
  - 7. The at least one non-transitory computer-readable medium of claim 1, wherein each of the one or more other identifiers is created for a sub-entry of a partial path of the registry entry.
  - 18. The at least one non-transitory computer-readable medium of claim 1, wherein the attempted change is prevented when the registry entry is not authorized.

8. A method for verifying changes to a registry in a computer system comprising:
- preparing entry data of a registry entry for a computer system;
  
  creating one or more identifiers based on the entry data, wherein the one or more identifiers indicate an attempted change to a registry of the computer system;
  
  packaging the one or more identifiers;
  
  sending the packaged one or more identifiers to a client for verification, wherein the client comprises software configured to process the one or more identifiers in order to determine whether the registry entry is authorized and whether the registry entry is associated with data that is free from malware,wherein the one or more identifiers are merged with at least one other identifier of a different registry entry in order to package the one or more identifiers and the at least one other identifier as either desirable or undesirable registry entries.
- View Dependent Claims (9, 10, 11, 19)
- - 9. The method of claim 8, wherein the one or more identifiers are created by a hashing activity.
  - 10. The method of claim 9, wherein the entry data comprises a first portion identifying the registry entry and a second portion including a value of the registry entry, and wherein the hashing activity includes:
    - hashing the first portion of the entry data and the second portion of the entry data.
  - 11. The method of claim 10, wherein the preparing the entry data includes filtering the first portion.
  - 19. The method of claim 8, wherein the attempted change is prevented when the registry entry is not authorized.

12. A system for verifying changes to a registry in a computer system, comprising:
- a memory configured to store data;
  
  a processor configured to execute instructions associated with the data, wherein the instructions, when executed by the processor;
  
  prepare entry data of a registry entry for a computer system;
  
  create one or more identifiers based on the entry data, wherein the one or more identifiers indicate an attempted change to a registry of the computer system;
  
  package the one or more identifiers;
  
  send the packaged one or more identifiers to a client for verification, wherein the client comprises software configured to process the one or more identifiers in order to determine whether the registry entry is authorized and whether the registry entry is associated with data that is free from malware,wherein the one or more identifiers are merged with at least one other identifier of a different registry entry in order to package the one or more identifiers and the at least one other identifier as either desirable or undesirable registry entries.
- View Dependent Claims (13, 14, 15, 16, 17, 20)
- - 13. The system of claim 12, wherein each of the one or more identifiers is created by a different hash function.
  - 14. The system of claim 12, wherein the one or more identifiers are created by a hashing activity.
  - 15. The system of claim 14, wherein the entry data comprises a first portion identifying the registry entry and a second portion including a value of the registry entry, and wherein the hashing activity is configured to:
    - hash the first portion of the entry data and the second portion of the entry data.
  - 16. The system of claim 15, wherein the first portion is filtered when the entry data is prepared.
  - 17. The system of claim 12, wherein each of the one or more other identifiers is created for a sub-entry of a partial path of the registry entry.
  - 20. The system of claim 12, wherein the attempted change is prevented when the registry entry is not authorized.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Faieta, Alessandro, Beach, Jameson, Bell, Douglas
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Almeida, Devin

Application Number

US13/628,607
Publication Number

US 20130024941A1
Time in Patent Office

1,139 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

Windows registry modification verification

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Windows registry modification verification

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links