System and method for securing memory and storage of an electronic device with a below-operating system security agent
First Claim
1. A method for securing an electronic device, comprising:
- accessing one or more security rules to determine a criteria by which an attempted access involving a transfer of content between memory and disk storage of an electronic device will be trapped;
- based on meeting the criteria, trapping, at a higher priority than all of the one or more operating systems of the electronic device, attempted access of data between memory and disk storage of the electronic device; and
- analyzing, at a higher priority than all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware;
- wherein analyzing information associated with the attempted access comprises:
  - determining whether a particular portion of the disk storage of the electronic device from which content is to be transferred is a trusted source;
  - analyzing content of virtualized memory written to the disk storage and associated with the attempted access upon an attempted transfer to determine whether the content has been affected by malware, the analysis of the content based upon a memory map and at least one of the security rules; and
  - permitting the attempted access based at least upon:
    - a determination that the particular portion of the disk storage is a trusted source; and
    - a determination whether the content has been affected by malware based upon the analysis of the content of virtualized memory written to disk storage and upon the memory map.
10 Assignments
0 Petitions
Abstract
A security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory or a storage of the electronic device may be further configured to: (i) access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between the memory and the storage of an electronic device will be trapped; (ii) if the criteria is met, trap, at a level below all of the operating systems of the electronic device, attempted access of data between memory and storage of an electronic device; and (iii) analyze, at a level below all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware.
166 Citations
27 Claims
1. A method for securing an electronic device, comprising: the elements recited under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for securing an electronic device, comprising:
- a memory;
- a processor;
- one or more operating systems residing in the memory for execution by the processor;
- a security agent configured to execute on the electronic device at a higher priority than all of the operating systems of the electronic device, the security agent further configured to:
  - access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between memory and disk storage of an electronic device will be trapped;
  - based on a determination that the criteria is met, trap, at a higher priority than all of the operating systems of the electronic device, attempted access of data between memory and disk storage of an electronic device; and
  - analyze, at a higher priority than all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware;
  - wherein analyzing information associated with the attempted access comprises:
    - determining whether a particular portion of the disk storage of the electronic device from which content is to be transferred is a trusted source;
    - analyze content of virtualized memory written to the disk storage and associated with the attempted access upon an attempted transfer to determine whether the content has been affected by malware, the analysis of the content based upon a memory map and at least one of the security rules; and
    - permitting the attempted access based at least upon:
      - a determination that the particular portion of the disk storage is a trusted source; and
      - a determination whether the content has been affected by malware based upon the analysis of the content of virtualized memory written to disk storage and upon the memory map.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. An article of manufacture, comprising:
- a non-transitory computer readable medium;
- computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when executed, for causing the processor to, at a higher priority than all of the one or more operating systems of the electronic device:
  - access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between the memory and disk storage of an electronic device will be trapped;
  - based on a determination that the criteria is met, trap, at a higher priority than all of the operating systems of the electronic device, attempted access of data between memory and disk storage of an electronic device; and
  - analyze, at a higher priority than all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware;
  - wherein analyzing information associated with the attempted access comprises:
    - determining whether a particular portion of the disk storage of the electronic device from which content is to be transferred is a trusted source;
    - analyzing content of virtualized memory written to storage and associated with the attempted access upon an attempted transfer to determine whether the content has been affected by malware, the analysis of the content based upon a memory map and at least one of the security rules; and
    - permitting the attempted access based at least upon:
      - a determination that the particular portion of the disk storage is a trusted source; and
      - a determination whether the content has been affected by malware based upon the analysis of the content of virtualized memory written to disk storage and upon the memory map.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27.
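The abstract and the three independent claims above describe one decision flow: a below-OS agent consults security rules to decide which memory-to-disk and disk-to-memory transfers to trap, checks whether the disk region being read from is a trusted source, and compares the content against a memory map before permitting the transfer. The following Python model, added here as an illustration and not code from the patent or its assignee, makes that flow concrete. Everything in it is an assumption for the purpose of the example: the `Transfer`, `SecurityRules` and `MemoryMap` types, the use of a SHA-256 digest per page as the "memory map" record, the constructed page addresses, disk offsets and page bytes, and the simplification that a real agent would observe page-outs and page-ins from a hypervisor rather than from a function call.

```python
import hashlib
from dataclasses import dataclass

# Constructed example values; nothing below is taken from the patent text.
MEM_TO_DISK = "mem_to_disk"   # page being paged out (written to the paging area)
DISK_TO_MEM = "disk_to_mem"   # page being paged back in (read from the paging area)


@dataclass(frozen=True)
class Transfer:
    """One attempted transfer between a memory page and a region of disk storage."""
    direction: str
    page_addr: int      # hypothetical guest-physical page address
    disk_offset: int    # hypothetical byte offset within the paging area
    content: bytes


@dataclass
class SecurityRules:
    """Rules the agent consults: which transfers to trap, which disk regions are trusted."""
    trapped_directions: frozenset = frozenset({MEM_TO_DISK, DISK_TO_MEM})
    trusted_disk_ranges: tuple = ()   # (start, end) byte ranges, end exclusive


class MemoryMap:
    """Agent-private record of what each page contained when it was written out.

    The record lives below the operating system, so malware running inside the
    OS cannot alter it to match content it tampered with on disk."""

    def __init__(self) -> None:
        self._digests: dict[int, str] = {}

    def record(self, page_addr: int, content: bytes) -> None:
        self._digests[page_addr] = hashlib.sha256(content).hexdigest()

    def check(self, page_addr: int, content: bytes):
        """True if content matches the recorded page, False if it differs,
        None if this page was never recorded (nothing to verify against)."""
        expected = self._digests.get(page_addr)
        if expected is None:
            return None
        return hashlib.sha256(content).hexdigest() == expected


def meets_trap_criteria(t: Transfer, rules: SecurityRules) -> bool:
    """The 'criteria' step: only transfers the rules name are trapped at all."""
    return t.direction in rules.trapped_directions


def is_trusted_source(disk_offset: int, rules: SecurityRules) -> bool:
    """The 'trusted source' step: is this disk region one the rules vouch for?"""
    return any(start <= disk_offset < end for start, end in rules.trusted_disk_ranges)


def handle_transfer(t: Transfer, rules: SecurityRules, mmap: MemoryMap) -> tuple[str, str]:
    """Return (decision, reason); decision is 'permit', 'deny' or 'not_trapped'."""
    if not meets_trap_criteria(t, rules):
        return "not_trapped", "no security rule matches this transfer"
    if t.direction == MEM_TO_DISK:
        # Page-out: remember what left memory so the page-in can be verified.
        mmap.record(t.page_addr, t.content)
        return "permit", "page-out recorded in memory map"
    # Page-in: both determinations from the claim must be satisfied.
    if not is_trusted_source(t.disk_offset, rules):
        return "deny", f"disk offset {t.disk_offset:#x} is not a trusted source"
    verdict = mmap.check(t.page_addr, t.content)
    if verdict is None:
        return "deny", "no memory-map record for page; content cannot be verified"
    if not verdict:
        return "deny", "content differs from what was written out (possible tampering)"
    return "permit", "trusted source and content matches memory map"


def demo() -> list:
    """Walk one page through page-out, clean page-in, tampered page-in and an
    untrusted-region page-in; returns the four decisions in order."""
    rules = SecurityRules(trusted_disk_ranges=((0x1000, 0x10000),))
    mmap = MemoryMap()
    page = b"A" * 64 + b"original page content"          # constructed page bytes
    tampered = page[:-7] + b"patched"                     # same length, altered on disk
    steps = [
        Transfer(MEM_TO_DISK, 0x7000, 0x2000, page),      # page-out, recorded
        Transfer(DISK_TO_MEM, 0x7000, 0x2000, page),      # page-in, unchanged
        Transfer(DISK_TO_MEM, 0x7000, 0x2000, tampered),  # page-in, modified on disk
        Transfer(DISK_TO_MEM, 0x7000, 0x20000, page),     # page-in from untrusted region
    ]
    return [handle_transfer(t, rules, mmap)[0] for t in steps]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The ordering inside `handle_transfer` mirrors the claim: the trap criteria gate everything, the trusted-source determination is made first, and the content determination against the memory map decides the rest. A practitioner adapting this would replace the per-page digest with whatever record the agent keeps and would have the deny path raise an event for the detection pipeline rather than only return a string.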
Specification