Techniques for remediating an infected file

US 9,792,436 B1
Filed: 04/29/2013
Issued: 10/17/2017
Est. Priority Date: 04/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method for remediating an infected file comprising the steps of:

maintaining a plurality of file identities within a remediation repository each associated with a file, wherein for each file identity one or more regions of interest of the associated file are selectively identified, the one or more regions of interest for each file collectively representing less than all of the file;

in response to identifying an infected file, selecting a file associated with a file identity from the remediation repository that matches the infected file;

selectively comparing at least one of a plurality of portions of the one or more regions of interest of the matching file with one or more corresponding portions of regions of the infected file; and

based on selectively comparing the portions of the regions, replacing at least one of the plurality of portions of the one or more regions of the infected file with the at least one corresponding portion of the one or more regions of interest of the matching file,wherein portions of the one or more regions of interest that are particularly likely to be infected by a virus are divided into smaller portions than less vulnerable portions prior to the file being identified as infected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for remediating an infected file are disclosed. In one embodiment, a method may have the steps of maintaining a plurality of file identities within a remediation repository each associated with a file, wherein for each file identity one or more regions of interest of the associated file are selectively identified, the one or more regions of interest for each file collectively representing less than all of the file; in response, selecting a file associated with a file identity from the remediation repository that matches the infected file; selectively comparing the one or more regions of interest of the matching file with one or more corresponding regions of the infected file; and based on comparing the regions, replacing at least one portion of the one or more regions of the infected file with at least one corresponding portion of the one or more regions of interest of the matching file.

Citations

18 Claims

1. A method for remediating an infected file comprising the steps of:
- maintaining a plurality of file identities within a remediation repository each associated with a file, wherein for each file identity one or more regions of interest of the associated file are selectively identified, the one or more regions of interest for each file collectively representing less than all of the file;
  
  in response to identifying an infected file, selecting a file associated with a file identity from the remediation repository that matches the infected file;
  
  selectively comparing at least one of a plurality of portions of the one or more regions of interest of the matching file with one or more corresponding portions of regions of the infected file; and
  
  based on selectively comparing the portions of the regions, replacing at least one of the plurality of portions of the one or more regions of the infected file with the at least one corresponding portion of the one or more regions of interest of the matching file,wherein portions of the one or more regions of interest that are particularly likely to be infected by a virus are divided into smaller portions than less vulnerable portions prior to the file being identified as infected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1,wherein the file identity for the matching file includes one or more hash values for one or more portions of the plurality of portions of the one or more regions of interest of the matching file;
    - wherein selectively comparing the plurality of portions of the one or more regions of interest comprises comparing one or more hash values for the one or more corresponding portions of the one or more corresponding regions of the infected file with the one or more hash values stored in the file identity for the one or more portions of the one or more regions of interest of the matching file; and
      
      wherein replacing the at least one portion of the plurality of portions based on comparing the regions comprises identifying and replacing each portion where the corresponding hash values between the infected file and the matching file are different.
  - 3. The method of claim 2,wherein the matching file includes at least a first portion with a first hash value and a second portion with a second hash value;
    - andwherein the first portion and the second portion are different sizes.
  - 4. The method of claim 3,wherein the first portion is part of a first region of interest, and the second portion is part of a second region of interest;
    - andwherein the sizes of the first and second portions are based on the sizes of the first and second regions of interest.
  - 5. The method of claim 3, wherein the sizes of the first and second portions are based on a maximum number of hash values permitted for the file identity associated with the matching file.
  - 6. The method of claim 1, wherein the matching file is an executable file, and wherein at least one region of the one or more regions of interest represents a main entry point.
  - 7. The method of claim 1, wherein the matching file is a shared library file, and wherein at least one region of the one or more regions of interest represents a function entry point.
  - 8. The method of claim 1, wherein selecting the matching file associated with a file identity from the remediation repository comprises matching a file name and at least one of a file version, file size, file header information, and file path of the file identity of the matching file with the corresponding parameters of the infected file.
  - 9. The method of claim 1, wherein replacing the at least one portion based on comparing the regions comprises:
    - identifying a client device having the matching file;
      
      requesting a copy of the matching file from the client device;
      
      receiving a copy of the matching file from the client device in response to the request; and
      
      copying the at least one portion from the received copy.
  - 10. The method of claim 9, wherein the client device is identified based on file information within the file identity.
  - 11. The method of claim 1,wherein the remediation repository includes a file identity associated with the infected file;
    - andwherein the method further comprises, in response to identifying the infected file as infected, designating the file as infected within the associated file identity.
  - 12. The method of claim 11, further comprising:
    - after replacing the at least one portion of the plurality of portions based on comparing the regions, removing the designation of the file as infected from within the associated file identity.

13. A method for remediating an infected file comprising the steps of:
- maintaining a plurality of file identities within a remediation repository each associated with a file, wherein for each file identity one or more regions of interest of the associated file are selectively identified, the one or more regions of interest for each file collectively representing less than all of the file and wherein each of the one or more regions of interest comprises a plurality of portions of the region of interest;
  
  in response to identifying an infected file, searching for a file associated with a file identity from the remediation repository that matches the infected file;
  
  selecting a matching file that is not associated with a file identity from the remediation repository;
  
  in response to selecting the matching file, creating a file identity and associating the file identity with the matching file;
  
  selectively identifying one or more regions of interest of the matching file, the one or more regions of interest collectively representing less than all of the file;
  
  selectively comparing a plurality of portions of the one or more regions of interest of the matching file with one or more corresponding portions of the corresponding regions of the infected file; and
  
  based on selectively comparing the portions of regions, replacing at least one portion of the plurality of portions of the one or more regions of the infected file with at least one corresponding portion of the one or more regions of interest of the matching file,wherein portions of the one or more regions of interest that are particularly likely to be infected by a virus are divided into smaller portions than less vulnerable portions prior to the file being identified as infected.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the matching file is downloaded from a file source associated with the infected file.
  - 15. The method of claim 14, wherein the file source is referenced in a file identity within the remediation repository that is associated with the infected file.
  - 16. The method of claim 13, wherein the matching file is located in a file repository.
  - 17. The method of claim 13,wherein the file identity for the matching file includes one or more hash values for one or more portions of the one or more regions of interest of the matching file;
    - wherein selectively comparing the plurality of portions of the one or more regions of interest comprises comparing one or more hash values for portions of the one or more corresponding regions of the infected file with the one or more hash values stored in the file identity for the one or more portions of the one or more regions of interest of the matching file; and
      
      wherein replacing the at least one portion based on comparing the regions comprises identifying and replacing each portion where the corresponding hash values between the infected file and the matching file are different.

18. A system for remediating an infected file comprising:
- one or more hardware processors communicatively coupled to a network;
  
  wherein the one or more processors are configured to;
  
  maintain a plurality of file identities within a remediation repository each associated with a file, wherein for each file identity a plurality of portions of one or more regions of interest of the associated file are selectively identified, the one or more regions of interest for each file collectively representing less than all of the file;
  
  in response to identifying an infected file, select a file associated with a file identity from the remediation repository that matches the infected file;
  
  selectively compare at least one of the plurality of portions of the one or more regions of interest of the matching file with one or more corresponding portions of regions of the infected file; and
  
  based on selectively comparing the portions of regions, replace at least one portion of a plurality of portions of the one or more regions of the infected file with at least one corresponding portion of the one or more regions of interest of the matching file,wherein portions of the one or more regions of interest that are particularly likely to be infected by a virus are divided into smaller portions than less vulnerable portions prior to the file being identified as infected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sankruthi, Anand D.
Primary Examiner(s)
Leung, Robert

Application Number

US13/872,623
Time in Patent Office

1,632 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/568 eliminating virus, restorin...

G06F 21/64 Protecting data integrity, ...

Techniques for remediating an infected file

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for remediating an infected file

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links