Systems and methods for generating repair scripts that facilitate remediation of malware side-effects
First Claim
1. A computer-implemented method for generating repair scripts that facilitate remediation of malware side-effects, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a potentially malicious file located on a computing system;
determining at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file;
generating, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by:
identifying all known variants of a family of malware that includes the potentially malicious file;
performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and
determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; and
remedying the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to:
compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known side-effect and the potential side-effect;
determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold;
in response to determining that the heuristic distance is below the certain threshold:
classify the registry key or the other file as a side-effect of the potentially malicious file; and
remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file.
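The claim leaves the choice of heuristic distance open. The following added example (not code from the patent or its assignee) shows one concrete reading: a string-similarity distance between a normalised candidate path and the family's known side-effects, a threshold, and the resulting remediation plan that a generated repair script would carry out. All paths, the threshold and the function names are constructed for illustration.

```python
# Added example: classifying observed registry keys / files as malware
# side-effects by heuristic distance to known side-effects (claim 1).
# Paths, threshold and the distance function are constructed assumptions.
from difflib import SequenceMatcher

# Constructed: side-effects already known for one malware family.
KNOWN_SIDE_EFFECTS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater_svc",
    r"C:\Users\Public\AppData\Roaming\updater_svc\loader.dll",
]


def normalize(path: str) -> str:
    """Case-fold, unify separators and collapse hive aliases so that
    cosmetic differences between variants do not inflate the distance."""
    p = path.replace("/", "\\").lower()
    return p.replace("hkey_current_user", "hkcu").replace("hkey_local_machine", "hklm")


def heuristic_distance(known: str, candidate: str) -> float:
    """0.0 = identical path, 1.0 = nothing in common (1 - similarity ratio)."""
    return 1.0 - SequenceMatcher(None, normalize(known), normalize(candidate)).ratio()


def classify(candidate: str, known_effects=KNOWN_SIDE_EFFECTS, threshold: float = 0.25):
    """Return (is_side_effect, nearest_known_effect, distance) for one artifact."""
    scored = [(k, heuristic_distance(k, candidate)) for k in known_effects]
    nearest, dist = min(scored, key=lambda item: item[1])
    return dist < threshold, nearest, dist


def build_repair_plan(observed, known_effects=KNOWN_SIDE_EFFECTS, threshold=0.25):
    """Turn observed artifacts into the actions a repair script would execute.
    Only artifacts within the threshold of a known side-effect are scheduled for
    remediation; everything else is flagged for review so unrelated keys and
    files are not touched."""
    plan = []
    for artifact in observed:
        hit, nearest, dist = classify(artifact, known_effects, threshold)
        kind = "delete_registry_value" if artifact.lower().startswith("hk") else "quarantine_file"
        plan.append({
            "artifact": artifact,
            "action": kind if hit else "review",
            "nearest_known": nearest,
            "distance": round(dist, 3),
        })
    return plan
```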
2 Assignments
0 Petitions
Abstract
The disclosed computer-implemented method for generating repair scripts that facilitate remediation of malware side-effects may include (1) identifying a potentially malicious file located on a computing system, (2) determining at least one potential side-effect of the potentially malicious file, (3) generating, based at least in part on the potential side-effect of the potentially malicious file, a repair script that facilitates remediation of the potential side-effect, and then (4) remedying the potential side-effect by directing the computing system to execute the repair script. Various other methods, systems, and computer-readable media are also disclosed.
27 Citations
20 Claims
11. A system for generating repair scripts that facilitate remediation of malware side-effects, the system comprising:
at least one memory;
an identification module, stored in the memory, that identifies a potentially malicious file located on a computing system;
a determination module, stored in the memory, that determines at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file;
a generation module, stored in the memory, that generates, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by:
identifying all known variants of a family of malware that includes the potentially malicious file;
performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and
determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems;
a remediation module, stored in the memory, that remedies the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to:
compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known side-effect and the potential side-effect;
determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold;
in response to determining that the heuristic distance is below the certain threshold:
classify the registry key or the other file as a side-effect of the potentially malicious file; and
remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file; and
at least one physical processor that executes the identification module, the determination module, the generation module, and the remediation module.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
identify a potentially malicious file located on a computing system;
determine at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file;
generate, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by:
identifying all known variants of a family of malware that includes the potentially malicious file;
performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and
determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; and
remedy the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to:
compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known side-effect and the potential side-effect;
determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold;
in response to determining that the heuristic distance is below the certain threshold:
classify the registry key or the other file as a side-effect of the potentially malicious file; and
remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file.
Specification