Rollback feature

US 9,607,150 B2
Filed: 05/11/2015
Issued: 03/28/2017
Est. Priority Date: 11/03/2009
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a computer, cause the computer to:

scan to determine that a file in at least a portion of a computer memory is a malicious file;

make a copy of the file that can be restored;

delete the file from the portion of memory;

responsive to an indication that the determination of the file as malicious is a false positive, prompt the user to initiate a reboot; and

in response to the reboot initiation, cause the file to be restored to the computer using the copy.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file.

Citations

20 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a computer, cause the computer to:
- scan to determine that a file in at least a portion of a computer memory is a malicious file;
  
  make a copy of the file that can be restored;
  
  delete the file from the portion of memory;
  
  responsive to an indication that the determination of the file as malicious is a false positive, prompt the user to initiate a reboot; and
  
  in response to the reboot initiation, cause the file to be restored to the computer using the copy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The storage medium of claim 1, wherein the copy of the file is to be stored in another portion of memory.
  - 3. The storage medium of claim 2, wherein the other portion of memory comprises a quarantine.
  - 4. The storage medium of claim 2, wherein restoring the file comprises moving the file from the other portion of memory to the particular portion of memory.
  - 5. The storage medium of claim 1, wherein determining that the determination of the file as malicious is a false positive is performed during a boot sequence.
  - 6. The storage medium of claim 1, wherein determining that the determination of the file as malicious is a false positive is based on false positive data.
  - 7. The storage medium of claim 6, wherein the instructions, when executed, further cause the computer to receive, from a remote system over a network, the false positive data.
  - 8. The storage medium of claim 7, wherein the false positive data comprises signatures of files identified as corresponding to false positive determinations of malware.
  - 9. The storage medium of claim 8, wherein determining that the determination of the file as malicious is a false positive is based at least in part on determining that a signature of the file substantially matches at least one of the signatures of files included in the false positive data.
  - 10. The storage medium of claim 7, wherein the instructions, when executed, further cause the computer to send, to the remote system, an indication that a set of files, including the file, has been determined to be malicious at the computer.
  - 11. The storage medium of claim 10, wherein the indication comprises signatures of the set of files.
  - 12. The storage medium of claim 10, wherein the false positive data is received in response to the indication and indicates which of the set of files corresponds to a false positive.
  - 13. The storage medium of claim 6, wherein false positive data comprises information received from a user via a graphical user interface.
  - 14. The storage medium of claim 1, wherein determining that another determination of another file as malicious is not to be false positives causes all copies of the other file to be deleted.
  - 15. The storage medium of claim 1, wherein scanning to determine that a file in at least a portion of a computer memory is a malicious file comprises performing a scan according to a set of malware definitions.

16. A method comprising:
- scanning to determine that a file in at least a portion of a computer memory is a malicious file;
  
  making a copy of the file that can be restored;
  
  deleting the file from the portion of memory;
  
  responsive to an indication that the determination of the file as malicious is a false positive, prompting the user to initiate a reboot; and
  
  in response to the reboot initiation, causing the file to be restored to the computer using the copy.

17. A system comprising:
- at least one processor;
  
  one or more memory elements; and
  
  rollback logic, executable by the at least one processor, to;
  
  scan to determine that a file in at least a portion of a computer memory is a malicious file;
  
  make a copy of the file that can be restored;
  
  delete the file from the portion of the computer memory;
  
  responsive to an indication that the determination of the file as malicious is a false positive, prompt the user to initiate a reboot; and
  
  in response to the reboot initiation, cause the file to be restored to the computer using the copy.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the portion of the computer memory comprises a particular portion, the computer memory further comprises another portion, the copy of the file is to be stored in the other portion of the computer memory prior to deleting the file from the particular portion of the computer memory, and restoring the file comprises moving the copy of the file from the other portion to the particular portion of the computer memory.
  - 19. The system of claim 17, wherein the rollback logic is further to:
    - indicate to a server system the determination of the file as malicious; and
      
      receive false positive data from the server system, wherein determining that the determination of the file as malicious is a false positive is based at least in part on the false positive data.
  - 20. The system of claim 17, wherein the rollback logic is further to receive user feedback data via a graphical user interface, the user feedback data corresponds to the determination of the file as malicious, and determining that the determination of the file as malicious is a false positive is based at least in part on the user feedback data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Singh, Prabhat Kumar, Jyoti, Nitin, Srinivasa, Gangadharasa
Primary Examiner(s)
McNally, Michael S

Application Number

US14/708,589
Publication Number

US 20150347755A1
Time in Patent Office

687 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 11/1417   Boot up procedures

G06F 11/1446   Point-in-time backing up or...

G06F 11/1451   by selection of backup cont...

G06F 16/152   using file content signatur...

G06F 16/162   Delete operations erasing i...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/568   eliminating virus, restorin...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/10   in which an application is ...

Rollback feature

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Rollback feature

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links