Protecting anti-malware processes

US 9,424,425 B2
Filed: 05/31/2013
Issued: 08/23/2016
Est. Priority Date: 05/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

launching an anti-malware process associated with an anti-malware drive;

verifying the anti-malware process based at least in part on certificates contained in the anti-malware driver;

responsive to extracting the certificates from the anti-malware driver, registering the certificates with an operating system;

assigning a protection level defined by a signer and a protection type to the process based at least in part on said verification of the anti-malware process, wherein the anti-malware process has a higher protection level if both the signer and the protection type associated with the anti-malware process have a higher protection level than a signer and a protection type associated with another process; and

preventing the user from altering the anti-malware process, the altering including terminating the anti-malware process, injecting code, or loading binaries related to the anti-malware process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificates which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.

20 Citations

19 Claims

1. A method comprising:
- launching an anti-malware process associated with an anti-malware drive;
  
  verifying the anti-malware process based at least in part on certificates contained in the anti-malware driver;
  
  responsive to extracting the certificates from the anti-malware driver, registering the certificates with an operating system;
  
  assigning a protection level defined by a signer and a protection type to the process based at least in part on said verification of the anti-malware process, wherein the anti-malware process has a higher protection level if both the signer and the protection type associated with the anti-malware process have a higher protection level than a signer and a protection type associated with another process; and
  
  preventing the user from altering the anti-malware process, the altering including terminating the anti-malware process, injecting code, or loading binaries related to the anti-malware process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising preventing an administrative user from altering the anti-malware process.
  - 3. The method of claim 2, wherein the altering includes terminating the anti-malware process.
  - 4. The method of claim 2, wherein the altering includes injecting code.
  - 5. The method of claim 2, wherein the altering includes loading binaries related to the anti-malware process.
  - 6. The method of claim 1, wherein said verifying the anti-malware process comprises:
    - receiving a trusted certificate from a verified source;
      
      extracting an identity from the anti-malware driver; and
      
      determining that the identity is signed with the trusted certificate.
  - 7. The method of claim 1, wherein the anti-malware process is launched during a boot process.
  - 8. The method of claim 1, wherein the certificates are registered with a kernel of the operating system.
  - 9. The method of claim 1, wherein verifying the anti-malware process occurs without regard to a user account that is attempting to load the process.

10. A computing device comprising:
- one or more processors;
  
  critical operating system components;
  
  regular operating system components;
  
  anti-malware components;
  
  components associated with applications signed by recognized entities;
  
  DRM hosting components; and
  
  unprotected components.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computing device as described in claim 10, wherein the one or more modules are further configured to extract the certificates from the anti-malware driver.
  - 12. The computing device as described in claim 10, wherein the anti-malware process cannot be altered by a different process with a lower protection level.
  - 13. The computing device as described in claim 10, wherein the signer is associated with one of:
    - verifying execution of an anti-malware process associated with the anti-malware program based at least in part on the registered certificates and without regard to a permission level associated with a user associated with the anti-malware process;
      
      assigning a protection level defined by a signer and a protection type to the process based at least in part on said verifying the execution of the anti-malware process, wherein the anti-malware process has a higher protection level if both the signer and the protection type associated with the anti-malware process have a higher protection level than a signer and a protection type associated with another process; and
      
      preventing the user from altering the anti-malware process, the altering including terminating the anti-malware process, injecting code, or loading binaries related to the anti-malware process.
  - 14. The computing device as described in claim 10, wherein the protection type is associated with a signing method required for confirming that the identity is signed with a trusted certificate.

15. A system comprising:
- one or more hardware-based processors; and
  
  computer-readable storage media comprising instructions stored thereon that, responsive to execution by the one or more processors, cause operations to be performed comprising;
  
  verifying, during a boot process, an anti-malware driver associated with an anti-malware program based at least in part on certificates contained in the anti-malware driver, the certificates containing an identity that is signed with a trusted certificate from a verified source;
  
  responsive to extracting the certificates from the anti-malware driver, registering the certificates with a kernel of an operating system;
  
  one or more modules implemented at least partially in hardware configured to;
  
  launch an anti-malware process;
  
  assign a protection level defined by a signer and a protection type to the anti-malware process based at least in part on anti-malware-verification certificates that are contained in an anti-malware driver and registered with an operating system of the computing device, wherein the anti-malware process has a higher protection level if both the signer and the protection type associated with the anti-malware process have a higher protection level than a signer and a protection type associated with another process; and
  
  execute the anti-malware process on the computing device.
- View Dependent Claims (16, 17, 18, 19)
- - 16. A system as described in claim 15, wherein the operations further comprise allowing the anti-malware process to load binaries, wherein the binaries inherit the protection level of the anti-malware process.
  - 17. A system as described in claim 15, wherein the anti-malware process must explicitly pass handles to child processes.
  - 18. A system as described in claim 15, wherein the operations further comprise blocking the anti-malware process based at least in part on the anti-malware process failing said verifying the execution of the anti-maiware process.
  - 19. A system as described in claim 15, wherein the operations further comprise preventing said verifying of the anti-malware driver from utilizing path data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Pulapaka, Hari, Judge, Nicholas S., Kishan, Arun U., Schwartz, James A. Jr., Kinshumann, Kinshumann, Linsley, David J., Majmudar, Niraj V., Anderson, Scott D.
Primary Examiner(s)
Leung, Robert
Assistant Examiner(s)
NGUYEN, NGOC THACH D

Application Number

US13/907,331
Publication Number

US 20140359774A1
Time in Patent Office

1,180 Days
Field of Search

726/24, 713/194
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/0823   using certificates cryptogr...

H04L 63/14   for detecting or protecting...

Protecting anti-malware processes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting anti-malware processes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links