Malware management through kernel detection during a boot sequence
Abstract
A system and method for managing pestware on a protected computer is described. The method in one variation includes monitoring events during a boot sequence of the computer; managing pestware-related events before native applications can run and after a kernel is loaded; managing pestware-related events when native applications can run; and scanning a registry of the computer for pestware when native applications can run. In variations, a pestware management engine is initialized after an operating system of the protected computer is initialized, and the pestware management system both receives an event log of the monitored events and compiles the set of behavior rules utilized by the kernel-level monitor.
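The abstract describes a feedback loop: a kernel-level monitor records boot events and refuses certain actions before the subsystem is loaded, a management engine started later analyzes the record and compiles the behavior rules the monitor enforces once native applications can run, and a registry scan runs in that second period. The Python model below is added here and is not part of the patent or of any product implementing it; the period names, event shape, autorun key prefix and indicator names are constructed for illustration.

```python
from dataclasses import dataclass, field

FIRST_PERIOD = "after_kernel_before_subsystem"  # kernel loaded, native apps not yet runnable
SECOND_PERIOD = "native_apps_runnable"          # OS subsystem loaded, behavior rules apply
AUTORUN_PREFIX = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
PESTWARE_IMAGES = {"spyagent.sys", "adbar.exe"}  # constructed indicator names

@dataclass(frozen=True)
class Event:
    period: str  # boot period in which the event occurred
    action: str  # "load_driver", "write_registry" or "create_process"
    actor: str   # module or process responsible for the event
    target: str  # driver image, registry value path or process image

@dataclass
class KernelMonitor:
    """Kernel-level monitor: records every event; applies rules only in the second period."""
    rules: set = field(default_factory=set)    # (action, target) pairs to deny
    record: list = field(default_factory=list)

    def observe(self, ev: Event) -> bool:
        """Return True if the event may proceed, False if it is blocked."""
        self.record.append(ev)
        if ev.period == FIRST_PERIOD:
            # Nothing should persist or execute before the subsystem loads: refuse outright.
            return ev.action not in {"write_registry", "create_process"}
        return (ev.action, ev.target) not in self.rules

def analyze(record):
    """Identify pestware-related events: a known pestware image acting, or a
    first-period attempt to persist through an autorun key."""
    return [ev for ev in record if ev.actor.lower() in PESTWARE_IMAGES
            or (ev.period == FIRST_PERIOD and ev.action == "write_registry"
                and ev.target.startswith(AUTORUN_PREFIX))]

def update_rules(monitor, flagged):
    """Compile flagged events into behavior rules the monitor denies on later boots."""
    monitor.rules.update((ev.action, ev.target) for ev in flagged)
    return monitor.rules

def scan_registry(registry):
    """Second-period registry scan: autorun values whose image is a known pestware name."""
    return {f"{key}\\{name}": image for key, values in registry.items()
            if key.startswith(AUTORUN_PREFIX) for name, image in values.items()
            if image.rsplit("\\", 1)[-1].lower() in PESTWARE_IMAGES}

def boot_cycle(monitor, events, registry):
    """One boot: monitor the events, analyze the record, tighten rules, scan the registry."""
    allowed = [monitor.observe(ev) for ev in events]
    flagged = analyze(monitor.record)
    update_rules(monitor, flagged)
    return allowed, flagged, scan_registry(registry)
```

Running two boots with the same monitor shows the loop closing: a process the rules did not cover on the first boot is denied on the second once the engine has flagged its actor.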
15 Claims
1. A device comprising:
at least one processor; and
a memory encoding computer executable instructions that, when executed by the at least one processor, perform a method comprising:
monitoring events during a boot sequence of the computer;
managing pestware-related events during a first period in a boot sequence of the computer, the first period in the boot sequence occurring before the computer becomes configured to run native applications, before a subsystem of an operating system is loaded, and after a kernel is loaded;
managing pestware-related events in accordance with a set of behavior rules during a second period in the boot sequence occurring when the computer is configured to run native applications;
generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
analyzing the record of events so as to identify the pestware-related events;
modifying the set of behavior rules so as to prevent the pestware-related events; and
scanning a registry of the computer for pestware during the second period in the boot sequence.
Dependent claims: 2, 3, 4, 5.

6. A system for managing pestware on a computer comprising:
at least one processor; and
a memory encoding computer executable instructions that, when executed by the at least one processor, perform a method comprising:
monitoring events during a boot sequence of the computer;
managing pestware-related events during a first period in a boot sequence of the computer, the first period in the boot sequence occurring before the computer becomes configured to run native applications, before a subsystem is loaded, and after a kernel is loaded;
managing pestware-related events in accordance with a set of behavior rules during a second period in the boot sequence occurring when the computer is configured to run native applications;
generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
analyzing the record of events so as to identify the pestware-related events;
modifying the set of behavior rules so as to prevent the pestware-related events; and
scanning a registry of the computer for pestware during the second period in the boot sequence.
Dependent claims: 7, 8, 9, 10.

11. A hard drive comprising computer executable instructions that, when executed by at least one processor, perform a method comprising:
monitoring events during a boot sequence of a computer;
managing pestware-related events during a first period in a boot sequence of the computer, the first period in the boot sequence occurring before the computer becomes configured to run native applications, before a subsystem is loaded, and after a kernel is loaded;
managing pestware-related events in accordance with a set of behavior rules during a second period in the boot sequence occurring when the computer is configured to run native applications;
generating, in response to the monitoring, a record of events, the record of events including the pestware-related events;
analyzing the record of events so as to identify the pestware-related events;
modifying the set of behavior rules so as to prevent the pestware-related events; and
scanning a registry of the computer for pestware during the second period in the boot sequence.
Dependent claims: 12, 13, 14, 15.