Malware management through kernel detection during a boot sequence

US 9,754,102 B2
Filed: 10/06/2014
Issued: 09/05/2017
Est. Priority Date: 08/07/2006
Status: Active Grant

First Claim

Patent Images

1. A device-comprising:

at least one processor; and

a memory encoding computer executable instructions that, when executed by the at least one processor, perform a method comprising;

monitoring events during a boot sequence of the computer;

managing pestware-related events during a first period in a boot sequence of the computer, the first period in the boot sequence occurring before the computer becomes configured to run native applications, before a subsystem of an operating system is loaded, and after a kernel is loaded;

managing pestware-related events in accordance with a set of behavior rules during a second period in the boot sequence occurring when the computer is configured to run native applications;

generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;

analyzing the record of events so as to identify the pestware-related events;

modifying the set of behavior rules so as to prevent the pestware related events;

andscanning a registry of the computer for pestware during the second period in the boot sequence.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing pestware on a protected computer is described. The method in one variation includes monitoring events during a boot sequence of the computer; managing pestware-related events before native applications can run and after a kernel is loaded; managing pestware-related events when native applications can run; and scanning a registry of the computer for pestware when native applications can run. In variations, a pestware management engine is initialized after an operating system of the protected computer is initialized and the pestware management system both receives an event log of the monitored events and compiles the set of behavior rules utilized by kernel-level monitor.

Citations

15 Claims

1. A device-comprising:
- at least one processor; and
  
  a memory encoding computer executable instructions that, when executed by the at least one processor, perform a method comprising;
  
  monitoring events during a boot sequence of the computer;
  
  managing pestware-related events during a first period in a boot sequence of the computer, the first period in the boot sequence occurring before the computer becomes configured to run native applications, before a subsystem of an operating system is loaded, and after a kernel is loaded;
  
  managing pestware-related events in accordance with a set of behavior rules during a second period in the boot sequence occurring when the computer is configured to run native applications;
  
  generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
  
  analyzing the record of events so as to identify the pestware-related events;
  
  modifying the set of behavior rules so as to prevent the pestware related events;
  
  andscanning a registry of the computer for pestware during the second period in the boot sequence.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The device of claim 1, wherein the method further comprises launching, after an operating system is initiated, a pestware management engine;
    - andwherein the set of behavior rules includes behavior rules compiled by the pestware management engine.
  - 3. The device of claim 1, wherein the record of events includes information selected from the group consisting of:
    - process identification information, file identification information, and hook generation information.
  - 4. The device of claim 1, wherein the method further comprises managing pestware-related events after the computer becomes configured to run native applications.
  - 5. The device of claim 1, wherein the monitoring includes monitoring the boot sequence while boot drivers are initiated.

6. A system for managing pestware on a computer comprising:
- at least one processor;
  
  a memory encoding computer executable instructions that, when executed by the at least one processor, perform a method comprising;
  
  monitoring events during a boot sequence of the computer;
  
  managing pestware-related events during first period in a boot sequence of the computer, the first period in the boot sequence occurring before the computer becomes configured to run native applications, before a subsystem is loaded, and after a kernel is loaded;
  
  managing pestware-related events in accordance with a set of behavior rules during a second period in the boot sequence occurring when the computer is configured to run native applications;
  
  generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
  
  analyzing the record of events so as to identify the pestware-related events; and
  
  modifying the set of behavior rules so as to prevent the pestware related events; and
  
  scanning a registry of the computer for pestware during the second period in the boot sequence.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the method further comprises launching, after an operating system is initiated, a pestware management engine;
    - and wherein the set of behavior rules includes behavior rules compiled by the pestware management engine.
  - 8. The system of claim 6, wherein the record of events includes information selected from the group consisting of:
    - process identification information, file identification information, and hook generation information.
  - 9. The system of claim 6, wherein the method further comprisesmanaging pestware-related events after the computer becomes configured to run native applications.
  - 10. The system of claim 6, wherein the method further comprises monitoring the boot sequence while boot drivers are initiated.

11. A hard drive comprising computer executable instructions that, when executed by at least one processor, perform a method comprising:
- monitoring events during a boot sequence of a computer;
  
  managing pestware-related events during a first period in a boot sequence of the computer, the first period in the boot sequence occurring before the computer becomes configured to run native applications, before a subsystem is loaded, and after a kernel is loaded;
  
  managing pestware-related events in accordance with a set of behavior rules during a second period in the boot sequence occurring when the computer is configured to run native applications;
  
  generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
  
  analyzing the record of events so as to identify the pestware-related events; and
  
  modifying the set of behavior rules so as to prevent the pestware related events; and
  
  scanning a registry of the computer for pestware during the second period in the boot sequence.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The hard drive of claim 11 further comprising program instructions for launching, after an operating system is initiated, a pestware management engine;
    - andwherein the set of behavior rules includes behavior rules compiled by the pestware management engine.
  - 13. The hard drive of claim 11, wherein the record of events includes information selected from the group consisting of:
    - process identification information, file identification information, and hook generation information.
  - 14. The hard drive of claim 11 further comprising program instructions for:
    - managing pestware-related events after the computer becomes configured to run native applications.
  - 15. The hard drive of claim 11, wherein the monitoring includes monitoring the boot sequence while boot drivers are initiated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Schneider, Jerome L.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US14/507,657
Publication Number

US 20150089648A1
Time in Patent Office

1,065 Days
Field of Search

713 2, 713193, 726 22, 726 23
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

Malware management through kernel detection during a boot sequence

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Malware management through kernel detection during a boot sequence

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links