Protecting anti-malware processes

US 9,208,313 B2
Filed: 06/11/2013
Issued: 12/08/2015
Est. Priority Date: 05/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

signing an anti-malware driver by one or more computing devices with a signature verifiable to determine authenticity of the anti-malware driver through comparison of the signature to a verified signature from a trusted source to determine if the anti-malware driver originated from the trusted source;

based on the verified signature, associating the anti-malware driver with at least one of a plurality of protection levels associated with anti-malware process protection techniques of the anti-malware driver, the plurality of protection levels defining which processes are permitted access to the anti-malware driver during execution by a computing device; and

providing the anti-malware driver by the one or more computing devices to the computing device for execution.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Anti-malware process protection techniques are described. In one or more implementations, an anti-malware driver is signed using a hash that identifies a manufacturer of the anti-malware driver. The anti-malware driver is then provided to a computing device. The anti-malware driver may be assigned a protection level based on an agreement between the anti-malware manufacturer and an operating system manufacturer, and this protection level effects the operation of the anti-malware program on the computing device.

20 Citations

20 Claims

1. A method comprising:
- signing an anti-malware driver by one or more computing devices with a signature verifiable to determine authenticity of the anti-malware driver through comparison of the signature to a verified signature from a trusted source to determine if the anti-malware driver originated from the trusted source;
  
  based on the verified signature, associating the anti-malware driver with at least one of a plurality of protection levels associated with anti-malware process protection techniques of the anti-malware driver, the plurality of protection levels defining which processes are permitted access to the anti-malware driver during execution by a computing device; and
  
  providing the anti-malware driver by the one or more computing devices to the computing device for execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the providing includes supplying a hash that identifies a manufacturer of the anti-malware driver.
  - 3. The method of claim 1, wherein the signing is performed utilizing a public certificate authority (CA).
  - 4. The method of claim 1, wherein the signing is performed utilizing a private certificate authority (CA).
  - 5. The method of claim 4, wherein the providing includes supplying a hash of the private certificate authority (CA) and a format of further definitions related to the private certificate authority (CA).
  - 6. The method of claim 5, wherein the further definitions comprise one or more Extended Key Usages.
  - 7. The method of claim 1, wherein the protection level associated with the anti-malware driver is selected from the plurality of protection levels arranged in a hierarchy.
  - 8. The method of claim 7, wherein the protection level is granted based at least in part on an agreement between a manufacturer of the anti-malware driver and a manufacturer of an operating system.
  - 9. The method of claim 1, wherein the anti-malware driver is platform independent.

10. A computing device comprising:
- one or more processors;
  
  one or more modules implemented at least partially in hardware and configured to cause the one or more processors to perform operations comprising;
  
  signing an anti-malware driver with a signature verifiable to determine authenticity of the anti-malware driver through comparing the signature to a verified signature from a trusted source to determine if the anti-malware driver originated from the trusted source;
  
  based on the verified signature, associating the anti-malware driver with at least one of a plurality of protection levels associated with anti-malware process protection techniques of the anti-malware drive, the plurality of protection levels defining which processes of a computing device are permitted to gain an invasive handle to a process executing the anti-malware driver; and
  
  providing the anti-malware driver to the computing device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computing device as described in claim 10, wherein said providing includes supplying a hash that identifies a manufacturer of the anti-malware driver.
  - 12. The computing device as described in claim 10, wherein said signing is performed utilizing a public certificate authority (CA).
  - 13. The computing device as described in claim 10, wherein said signing is performed utilizing a private certificate authority (CA).
  - 14. The computing device as described in claim 13, wherein said providing includes supplying a hash of the private certificate authority (CA) and a format of further definitions related to the private certificate authority (CA).
  - 15. The computing device as described in claim 14, wherein the further definitions comprise one or more Extended Key Usages.
  - 16. The computing device as described in claim 10, wherein the protection level associated with the anti-malware driver is selected from the plurality of protection levels arranged in a hierarchy.
  - 17. The computing device as described in claim 16, wherein the protection level is granted based at least in part on an agreement between a manufacturer of the anti-malware driver and manufacturer of an operating system.
  - 18. The computing device as described in claim 10, wherein the anti-malware driver is platform independent.

19. One or more computer-readable storage media comprising instructions stored thereon that, responsive to execution by computing device, cause the computing device to perform operations comprising:
- signing a platform independent anti-malware driver with a signature utilizing a hash that identifies a manufacturer of the anti-malware driver, the signature being verifiable to determine authenticity of the anti-malware driver by comparing the signature to a verified signature from the manufacturer to determine if the anti-malware driver originated from the manufacturer;
  
  associating the anti-malware driver with a protection level based at least in part on an agreement between the manufacturer of the anti-malware driver and a manufacturer of an operating system, the associated protection level taken from a plurality of protection levels that define which processes are permitted access to the anti-malware driver during execution by a computing device; and
  
  providing the anti-malware driver to the computing device.
- View Dependent Claims (20)
- - 20. One or more computer readable storage media as described in claim 19, wherein the hash comprises:
    - a public certificate authority (CA);
      
      ora private certificate authority (CA) and a format of further definitions related to the private certificate authority (CA).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Pulapaka, Hari, Judge, Nicholas S., Kishan, Arun U., Schwartz, James A. Jr., Kinshumann, Kinshumann, Linsley, David J., Majmudar, Niraj V., Anderson, Scott D.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US13/915,590
Publication Number

US 20140359775A1
Time in Patent Office

910 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/0823   using certificates cryptogr...

H04L 63/14   for detecting or protecting...

Protecting anti-malware processes

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting anti-malware processes

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links