Protecting anti-malware processes

US 9,836,601 B2
Filed: 08/08/2016
Issued: 12/05/2017
Est. Priority Date: 05/31/2013
Status: Active Grant

First Claim

Patent Images

1. A system for preventing the alteration of a process, comprising:

a process alteration preventer comprising one or more hardware computer processors, and a computer program having a plurality of sub-programs executable by said computer processors, wherein the sub-programs configure said computer processors to,launch a first process,assign a protection level defined by a signer and a protection type to the first process, wherein the first process has a higher or equal protection level if both the signer and the protection type associated with the first process have a higher or equal protection level than a signer and a protection type associated with another process, andprevent said other process from altering the first process whenever the protection level assigned to the first process is higher or equal to the other process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificate pairs which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.

28 Citations

View as Search Results

16 Claims

1. A system for preventing the alteration of a process, comprising:
- a process alteration preventer comprising one or more hardware computer processors, and a computer program having a plurality of sub-programs executable by said computer processors, wherein the sub-programs configure said computer processors to,launch a first process,assign a protection level defined by a signer and a protection type to the first process, wherein the first process has a higher or equal protection level if both the signer and the protection type associated with the first process have a higher or equal protection level than a signer and a protection type associated with another process, andprevent said other process from altering the first process whenever the protection level assigned to the first process is higher or equal to the other process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the sub-program for assigning a protection level defined by a signer and a protection type to the first process, comprises assigning the protection level based at least in part on verification certificates that are contained in a driver associated with the first process.
  - 3. The system of claim 1, wherein the sub-program for preventing the other process from altering the first process comprises preventing the other process from terminating the first process, or injecting code into the first process, or loading binaries related to the first process.
  - 4. The system of claim 1, wherein the first process is an anti-malware process.
  - 5. The system of claim 1, further comprising a sub-program for the first process loading binaries, wherein the binaries inherit the protection level assigned to the first process.
  - 6. The system of claim 1, further comprising a sub-program for preventing said other process from accessing the first process whenever the protection level assigned to the first process is higher or equal to the other process.
  - 7. The system of claim 1, wherein the first process creates a child process which does not have an assigned protection level, and wherein the system further comprising a sub-program for allowing the first process to pass a handle to the child process that cannot be used to altering the first process.
  - 8. The system of claim 1, wherein the first process creates a child process which does not have an assigned protection level, and wherein the system further comprising a sub-program for allowing the first process to pass a handle to the child process that can be used to altering the first process.

9. A computer-implemented method for preventing the alteration of a process, the method comprising the actions of:
- using one or more computing devices to perform the following actions;
  
  launching a first process;
  
  assigning a protection level defined by a signer and a protection type to the first process, wherein the first process has a higher or equal protection level if both the signer and the protection type associated with the first process have a higher or equal protection level than a signer and a protection type associated with another process; and
  
  preventing said other process from altering the first process whenever the protection level assigned to the first process is higher or equal to the other process.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the action of assigning a protection level defined by a signer and a protection type to the first process, comprises assigning the protection level based at least in part on verification certificates that are contained in a driver associated with the first process.
  - 11. The method of claim 9, wherein the action of preventing the other process from altering the first process comprises preventing the other process from terminating the first process, or injecting code into the first process, or loading binaries related to the first process.
  - 12. The method of claim 9, wherein the first process is an anti-malware process.
  - 13. The method of claim 9, further comprising an action of the first process loading binaries, wherein the binaries inherit the protection level assigned to the first process.
  - 14. The method of claim 9, further comprising an action of preventing, said other process from accessing the first process whenever the protection level assigned to the first process is higher or equal to the other process.
  - 15. The method of claim 9, wherein the first process creates a child process which does not have an assigned protection level, and wherein the method further comprising an action for allowing the first process to pass a handle to the child process that cannot be used to alter the first process.
  - 16. The method of claim 9, wherein the first process creates a child process which does not have an assigned protection level, and wherein the method further comprising an action of allowing the first process to pass a handle to the child process that can be used to alter the first process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Pulapaka, Hari, Judge, Nicholas S., Kishan, Arun U., Schwartz, Jr., James A., Kinshumann, Kinshumann, Linsley, David J., Majmudar, Niraj V., Anderson, Scott D.
Primary Examiner(s)
Leung, Robert
Assistant Examiner(s)
Nguyen, Ngoc D

Application Number

US15/231,394
Publication Number

US 20160342790A1
Time in Patent Office

484 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/0823   using certificates cryptogr...

H04L 63/14   for detecting or protecting...

Protecting anti-malware processes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting anti-malware processes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links