Reversion of system objects affected by a malware

US 9,871,809 B2
Filed: 08/26/2014
Issued: 01/16/2018
Est. Priority Date: 08/26/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method of reverting system data effected by a malware, comprising:

monitoring, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;

logging in an event log, in run time, said plurality of events;

classifying, in run time, a first process of said plurality of processes as a malware;

identifying a set of events of said first process from said plurality of events using said event log; and

identifying at least one system object of said OS which is hosted in said computing device and affected by said set of events;

matching between a signature of said at least one system object and a plurality of signatures of a plurality of system object templates to identify at least one matching system object template of an OS update version suitable to said at least one system object; and

using said at least one system object template for removing, in response to said classification, an effect of said malware which is caused by said set of events to said at least one system object;

wherein said removing comprises deleting or modifying a registry value added by said first process;

wherein said plurality of events comprises a plurality of write commands.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method of reverting system data affected by a malware. The method comprises monitoring, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, logging in an event log, in run time, the plurality of events, classifying, in run time, a first process of the plurality of processes as a malware, identifying a set of events of the first process from the plurality of events using the event log, and reverting, in response to the classification, at least one system object hosted in the computing device to remove an effect of the set of events on the OS.

18 Citations

View as Search Results

17 Claims

1. A computerized method of reverting system data effected by a malware, comprising:
- monitoring, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;
  
  logging in an event log, in run time, said plurality of events;
  
  classifying, in run time, a first process of said plurality of processes as a malware;
  
  identifying a set of events of said first process from said plurality of events using said event log; and
  
  identifying at least one system object of said OS which is hosted in said computing device and affected by said set of events;
  
  matching between a signature of said at least one system object and a plurality of signatures of a plurality of system object templates to identify at least one matching system object template of an OS update version suitable to said at least one system object; and
  
  using said at least one system object template for removing, in response to said classification, an effect of said malware which is caused by said set of events to said at least one system object;
  
  wherein said removing comprises deleting or modifying a registry value added by said first process;
  
  wherein said plurality of events comprises a plurality of write commands.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computerized method of claim 1, wherein said classifying comprises calculating a plurality of scores each for another of said plurality of processes according to an analysis of respective associated events from said plurality of events in run time and performing said classifying according to said plurality of scores.
  - 3. The computerized method of claim 2, wherein said removing comprises a reverting action selected according to a score from said plurality of scores of said first score.
  - 4. The computerized method of claim 1, wherein said removing comprises deleting a file added by said first process.
  - 5. The computerized method of claim 1, wherein said removing comprises deleting said at least one system object;
    - further comprising identifying a regeneration of said at least one system object and preemptively blocking said regeneration.
  - 6. The computerized method of claim 1, wherein said removing comprises disabling said first process.
  - 7. The computerized method of claim 1, wherein said at least one system object template is at least one specific system object template adapted for said OS.
  - 8. The computerized method of claim 1, wherein said at least one system object template is at least one generic system object template adapted for an update version of said OS.
  - 9. A non transitory computer readable medium comprising computer executable instructions adapted to perform the method of claim 1.
  - 10. The computerized method of claim 1, wherein said at least one system object template comprises at least one of a copy of local OS file, a shell setting and a registry setting.
  - 11. The computerized method of claim 1, wherein an effect of said set of events is changing at least one of:
    - domain name service (DNS) setting, a shell setting and a registry setting.
  - 12. The computerized method of claim 1, wherein said at least one system object template is a template of a member of a group consisting of an object file, a registry value, and a setting value.

13. A system of reverting system data effected by a malware, comprising:
- a memory hosting an event log and a code;
  
  a processor coupled to the memory for executing the code, the code comprising;
  
  instructions to monitor, in run, a plurality of events of a plurality of processes executed by an installed operating system (OS) running on a computing device and logs said plurality of events in said event log;
  
  instructions to classify, in run time, a first process of said plurality of processes as a malware and to identify a set of events of said first process from said plurality of events using said event log; and
  
  instructions to identify at least one system object of said OS which is hosted in said computing device and affected by said set of events;
  
  instructions to match between a signature of said at least one system object and a plurality of signatures of a plurality of system object templates to identify at least one matching system object template of an OS update version suitable to said at least one system object; and
  
  instructions to use, in response to said classification, said at least one system object template for removing an effect of said malware which is caused by said set of events to said at least one system object;
  
  wherein said removing comprises deleting or modifying a registry value added by said first process;
  
  wherein said plurality of events comprises a plurality of write commands.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, further comprising a generic template database which stores a plurality generic system object templates of a plurality of different versions of an operating system, said processor is adapted to execute said code for selecting at least one of said plurality generic system object templates for a replacement of said at least one system object according to a version of said installed OS.
  - 15. The system of claim 13, further comprising a specific template database which stores a plurality specific system object templates generated to replicate a plurality of different system objects of said installed OS, said processor is adapted to execute said code for selecting at least one of said plurality specific system object templates for a replacement of said at least one system object.

16. A computerized method of repairing damage caused by malware operations, comprising:
- monitoring in run time a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device;
  
  classifying, in run time, a first process of said plurality of processes as a malware by an analysis of a set of events associated with said first process from said plurality of events;
  
  detecting, in run time, an additional event performed by said first process on said computing device; and
  
  identifying at least one system object of said OS which is hosted in said computing device and affected by said set of events;
  
  matching between a signature of said at least one system object and a plurality of signatures of a plurality of system object templates to identify at least one matching system object template of an OS update version suitable to said at least one system object; and
  
  using said at least one system object template for removing an effect of said malware caused by said set of events to said at least one system object;
  
  wherein said removing comprises deleting or modifying a registry value added by said first process;
  
  wherein said plurality of events comprises a plurality of write commands.

17. A computer program product for reverting system data effected by a malware, comprising:
- a non-transitory computer readable storage medium;
  
  first program instructions to monitor, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on said computing device;
  
  second program instructions to log in an event log, in run time, said plurality of events;
  
  third program instructions to classify, in run time, a first process of said plurality of processes as a malware;
  
  fourth program instructions to identify a set of events of said first process from said plurality of events using said event log; and
  
  fifth program instructions to identifying at least one system object of said OS which is hosted in said computing device and affected by said set of events;
  
  sixth program instructions matching between a signature of said at least one system object and a plurality of signatures of a plurality of system object templates to identify at least one matching system object template of an OS update version suitable to said at least one system object; and
  
  wherein said removing comprises deleting or modifying a registry value added by said first process;
  
  wherein said plurality of events comprises a plurality of write commands;
  
  seventh program instructions to use, in response to said classification, said at least one system object template for removing an effect of said malware caused by said set of events to said at least one system object wherein said first, second, third, fourth, fifth, sixth and seventh program instructions are stored on said non-transitory computer readable storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shine Security Ltd.
Original Assignee
Shine Security Ltd.
Inventors
Katz, Itay, Ideses, Ianir, Porat, Ron, Blayer-Gat, Alon, Farage, Oren
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US14/468,374
Publication Number

US 20150058988A1
Time in Patent Office

1,239 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Reversion of system objects affected by a malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Reversion of system objects affected by a malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links