Rollback feature

US 9,703,958 B2
Filed: 09/25/2015
Issued: 07/11/2017
Est. Priority Date: 11/03/2009
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

receive, at a server, data corresponding to a file determined by a malware protection program to be malicious;

compare malware definitions used by the malware protection program with malware definitions used by one or more other malware protection programs known to incorrectly identify files as malicious;

perform signature analysis on the file to determine whether the file was incorrectly determined to be malicious; and

forward to the malware protection program data indicating a false positive detection based on the signature analysis and comparison of the malware definitions used by the malware protection program with malware definitions used by the other malware protection programs.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file.

Citations

22 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive, at a server, data corresponding to a file determined by a malware protection program to be malicious;
  
  compare malware definitions used by the malware protection program with malware definitions used by one or more other malware protection programs known to incorrectly identify files as malicious;
  
  perform signature analysis on the file to determine whether the file was incorrectly determined to be malicious; and
  
  forward to the malware protection program data indicating a false positive detection based on the signature analysis and comparison of the malware definitions used by the malware protection program with malware definitions used by the other malware protection programs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The storage medium of claim 1, wherein the malware protection program is hosted at a particular remote computing device.
  - 3. The storage medium of claim 2, wherein the instructions, when executed, further cause the computer to receive one or more signatures of files over a network from the particular computing device.
  - 4. The storage medium of claim 3, wherein the one or more signatures of files are received in a request by the particular computing device and the malware protection program data is forwarded to the particular computing device in response to the request.
  - 5. The storage medium of claim 4, wherein the request corresponds to a pre-boot sequence of the particular computing device.
  - 6. The storage medium of claim 2, wherein the malware protection program data is forwarded to another remote computing device.
  - 7. The storage medium of claim 6, wherein the malware protection program data is pushed to the other remote computing device based on results of the signature analysis.
  - 8. The storage medium of claim 6, wherein the instructions, when executed, further cause the computer to receive a query by the other computing device and the query identifies at least one of the files.
  - 9. The storage medium of claim 8, wherein the malware protection program data is forwarded to the other computing device based on the query.
  - 10. The storage medium of claim 2, wherein the instructions, when executed, further cause the computer to:
    - receive, at the server, one or more signatures of other files determined to be malicious by a malware protection program hosted on another computing device;
      
      perform signature analysis on the one or more signatures of the other files to determine whether they match signatures of files known to not be malicious.
  - 11. The storage medium of claim 10, wherein the malware protection program data is further based on results of the signature analysis of the one or more signatures of the other files.
  - 12. The storage medium of claim 2, wherein the computing device is to use the malware protection program data to restore a copy of at least one of the files.
  - 13. The storage medium of claim 1, wherein the malware protection program data further confirms at least one determination that one or more of the files is malicious.
  - 14. The storage medium of claim 1, wherein the instructions, when executed, further cause the computer to:
    - determine a similarity between the malware protection program and a particular one of the other malware protection programs; and
      
      determine that a determination, by the malware protection program, that a particular one of the files is malicious is a false positive based on a similar false positive being identified for a determination of the particular other malware protection program.
  - 15. The storage medium of claim 14, wherein the other malware protection program and the malware protection program each comprise a distinct instance of the same program.
  - 16. The storage medium of claim 1, wherein the malware protection program data indicates whether the determination that the file is malicious is a false positive.
  - 17. The storage medium of claim 1, wherein the data comprises a signature of the file.

18. A method comprising:
- receiving, at a server, data corresponding to a file determined by a malware protection program to be malicious;
  
  comparing malware definitions used by the malware protection program with malware definitions used by one or more other malware protection programs known to incorrectly identify files as malicious;
  
  performing signature analysis on the file to determine whether the file was incorrectly determined to be malicious; and
  
  forwarding to the malware protection program data indicating a false positive detection based on the signature analysis and comparison of the malware definitions used by the malware protection program with malware definitions used by the other malware protection programs.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising:
    - receiving, at the server, data corresponding to another file determined by another malware protection program to be malicious;
      
      wherein the signature analysis is also performed on the other file.
  - 20. The method of claim 18, wherein the data comprises a signature of the file.

21. A system comprising:
- at least one processor;
  
  computer memory; and
  
  a security server to;
  
  receive, at a server, data corresponding to a file determined by a malware protection program to be malicious;
  
  compare malware definitions used by the malware protection program with malware definitions used by one or more other malware protection programs known to incorrectly identify files as malicious;
  
  perform signature analysis on the file to determine whether the file was incorrectly determined to be malicious; and
  
  forward to the malware protection program data indicating a false positive detection based on the signature analysis and comparison of the malware definitions used by the malware protection program with malware definitions used by the other malware protection programs.
- View Dependent Claims (22)
- - 22. The system of claim 21, wherein the malware protection program is hosted by a remote computing device and the malware protection program data is forwarded to the remote computing device over a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Singh, Prabhat Kumar, Jyoti, Nitin, Srinivasa, Gangadharasa
Primary Examiner(s)
McNally, Michael S

Application Number

US14/866,509
Publication Number

US 20160021129A1
Time in Patent Office

655 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 11/1417   Boot up procedures

G06F 11/1446   Point-in-time backing up or...

G06F 11/1451   by selection of backup cont...

G06F 16/152   using file content signatur...

G06F 16/162   Delete operations erasing i...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/568   eliminating virus, restorin...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/10   in which an application is ...

Rollback feature

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Rollback feature

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links