System and method for securing memory and storage of an electronic device with a below-operating system security agent

US 9,262,246 B2
Filed: 03/31/2011
Issued: 02/16/2016
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method for securing an electronic device, comprising:

accessing one or more security rules to determine a criteria by which an attempted access involving a transfer of content between memory and disk storage of an electronic device will be trapped;

based on meeting the criteria, trapping, at a higher priority than all of the one or more operating systems of the electronic device, attempted access of data between memory and disk storage of the electronic device; and

analyzing, at a higher priority than all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware;

wherein analyzing information associated with the attempted access comprises;

determining whether a particular portion of the disk storage of the electronic device from which content is to be transferred is a trusted source;

analyzing content of virtualized memory written to the disk storage and associated with the attempted access upon an attempted transfer to determine whether the content has been affected by malware, the analysis of the content based upon a memory map and at least one of the security rules; and

permitting the attempted access based at least upon;

a determination that the particular portion of the disk storage is a trusted source; and

a determination whether the content has been affected by malware based upon the analysis of the content of virtualized memory written to disk storage and upon the memory map.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory or a storage of the electronic device may be further configured to: (i) access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between the memory and the storage of an electronic device will be trapped; (ii) if the criteria is met, trap, at a level below all of the operating systems of the electronic device, attempted access of data between memory and storage of an electronic device; and (iii) analyze, at a level below all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware

166 Citations

27 Claims

1. A method for securing an electronic device, comprising:
- accessing one or more security rules to determine a criteria by which an attempted access involving a transfer of content between memory and disk storage of an electronic device will be trapped;
  
  based on meeting the criteria, trapping, at a higher priority than all of the one or more operating systems of the electronic device, attempted access of data between memory and disk storage of the electronic device; and
  
  analyzing, at a higher priority than all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware;
  
  wherein analyzing information associated with the attempted access comprises;
  
  determining whether a particular portion of the disk storage of the electronic device from which content is to be transferred is a trusted source;
  
  analyzing content of virtualized memory written to the disk storage and associated with the attempted access upon an attempted transfer to determine whether the content has been affected by malware, the analysis of the content based upon a memory map and at least one of the security rules; and
  
  permitting the attempted access based at least upon;
  
  a determination that the particular portion of the disk storage is a trusted source; and
  
  a determination whether the content has been affected by malware based upon the analysis of the content of virtualized memory written to disk storage and upon the memory map.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein analyzing information associated with the attempted access to determine if the attempted access was affected by malware comprises determining an identity of an entity requesting the attempted access.
  - 3. The method of claim 2, wherein analyzing information associated with the attempted access to determine if the attempted access was affected by malware further comprises determining if the entity has been affected by malware.
  - 4. The method of claim 2, wherein analyzing information associated with the attempted access to determine if the attempted access was affected by malware further comprises determining if the entity is authorized to request the attempted access.
  - 5. The method of claim 1, further comprising storing a record of the attempted access in a log of previous attempted accesses.
  - 6. The method of claim 1, wherein the criteria defines a particular portion of memory for which the attempted access to the particular portion of memory will be trapped.
  - 7. The method of claim 1, wherein the criteria defines a particular portion of disk storage for which the attempted access to the particular portion of disk storage will be trapped.
  - 8. The method of claim 1, the attempted access comprising a transfer of content from the disk storage to the memory in connection with loading of executable code from the disk storage.
  - 9. The method of claim 1, the attempted access comprising a transfer of content from the memory to the disk storage in connection with a virtual memory page swap.

10. A system for securing an electronic device, comprising:
- a memory;
  
  a processor;
  
  one or more operating systems residing in the memory for execution by the processor;
  
  a security agent configured to execute on the electronic device at a higher priority than all of the operating systems of the electronic device, the security agent further configured to;
  
  access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between memory and disk storage of an electronic device will be trapped;
  
  based on a determination that the criteria is met, trap, at a higher priority than all of the operating systems of the electronic device, attempted access of data between memory and disk storage of an electronic device; and
  
  analyze, at a higher priority than all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware;
  
  wherein analyzing information associated with the attempted access comprises;
  
  determining whether a particular portion of the disk storage of the electronic device from which content is to be transferred is a trusted source;
  
  analyze content of virtualized memory written to the disk storage and associated with the attempted access upon an attempted transfer to determine whether the content has been affected by malware, the analysis of the content based upon a memory map and at least one of the security rules; and
  
  permitting the attempted access based at least upon;
  
  a determination that the particular portion of the disk storage is a trusted source; and
  
  a determination whether the content has been affected by malware based upon the analysis of the content of virtualized memory written to disk storage and upon the memory map.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, the security agent further configured to analyze information associated with the attempted access to determine if the attempted access was affected by malware by determining an identity of an entity requesting the attempted access.
  - 12. The system of claim 11, the security agent further configured to analyze information associated with the attempted access to determine if the attempted access was affected by malware by determining if the entity has been affected by malware.
  - 13. The system of claim 11, the security agent further configured to analyze information associated with the attempted access to determine if the attempted access was affected by malware by determining if the entity is authorized to request the attempted access.
  - 14. The system of claim 10, the security agent further configured to store a record of the attempted access in a log of previous attempted accesses.
  - 15. The system of claim 10, wherein the criteria defines a particular portion of memory for which the attempted access to the particular portion of memory will be trapped.
  - 16. The system of claim 10, wherein the criteria defines a particular portion of disk storage for which the attempted access to the particular portion of disk storage will be trapped.
  - 17. The system of claim 10, the attempted access comprising a transfer of content from the disk storage to the memory in connection with loading of executable code from the disk storage.
  - 18. The system of claim 10, the attempted access comprising a transfer of content from the memory to the disk storage in connection with a virtual memory page swap.

19. An article of manufacture, comprising:
- a non-transitory computer readable medium;
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when executed, for causing the processor to, at a higher priority than all of the one or more operating systems of the electronic device;
  
  access one or more security rules to determine a criteria by which an attempted access involving a transfer of content between the memory and disk storage of an electronic device will be trapped;
  
  based on a determination that the criteria is met, trap, at a higher priority than all of the operating systems of the electronic device, attempted access of data between memory and disk storage of an electronic device; and
  
  analyze, at a higher priority than all of the operating systems of the electronic device, information associated with the attempted access to determine if the attempted access was affected by malware;
  
  wherein analyzing information associated with the attempted access comprises;
  
  determining whether a particular portion of the disk storage of the electronic device from which content is to be transferred is a trusted source;
  
  analyzing content of virtualized memory written to storage and associated with the attempted access upon an attempted transfer to determine whether the content has been affected by malware, the analysis of the content based upon a memory map and at least one of the security rules; and
  
  permitting the attempted access based at least upon;
  
  a determination that the particular portion of the disk storage is a trusted source; and
  
  a determination whether the content has been affected by malware based upon the analysis of the content of virtualized memory written to disk storage and upon the memory map.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The article of claim 19, the processor further caused to analyze information associated with the attempted access to determine if the attempted access was affected by malware by determining an identity of an entity requesting the attempted access.
  - 21. The article of claim 20, the processor further caused to analyze information associated with the attempted access to determine if the attempted access was affected by malware by determining if the entity has been affected by malware.
  - 22. The article of claim 20, the processor further caused to analyze information associated with the attempted access to determine if the attempted access was affected by malware by determining if the entity is authorized to request the attempted access.
  - 23. The article of claim 19, the processor further caused to store a record of the attempted access in a log of previous attempted accesses.
  - 24. The article of claim 19, wherein the criteria defines a particular portion of memory for which the attempted access to the particular portion of memory will be trapped.
  - 25. The article of claim 19, wherein the criteria defines a particular portion of disk storage for which the attempted access to the particular portion of disk storage will be trapped.
  - 26. The article of claim 19, the attempted access comprising a transfer of content from the disk storage to the memory in connection with loading of executable code from the disk storage.
  - 27. The article of claim 19, the attempted access comprising a transfer of content from the memory to the disk storage in connection with a virtual memory page swap.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US13/077,270
Publication Number

US 20120255018A1
Time in Patent Office

1,783 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 12/14   Protection against unauthor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

System and method for securing memory and storage of an electronic device with a below-operating system security agent

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

System and method for securing memory and storage of an electronic device with a below-operating system security agent

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others