Rollback Feature

US 20110107424A1
Filed: 11/03/2009
Published: 05/05/2011
Est. Priority Date: 11/03/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

determining, by a malware protection program executing on a computer, that a file stored in first portion of a computer memory of the computer is a malicious file;

storing a duplicate of the file in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory;

performing, by the malware protection program, one or more protection processes on the file;

determining whether the determination that the file is a malicious file is a false positive determination;

in response to determining that the determination that the file is a malicious file is a false positive determination;

restoring the file by a pre-boot rollback process executing on the computer during a boot sequence to a state prior to the one or more protection processes performed on the file; and

booting the computer with the restored file; and

in response to determining that the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for rolling back protection processes. In one aspect, a method includes determining that a file is a malicious file, storing a duplicate of the file in a quarantine area, performing one or more protection processes on the file, if the determination that the file is a malicious file is a false positive determination, restoring the file by a pre-boot rollback process to a state prior to the one or more protection processes performed on the file, and booting the computer with the restored file, and if the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file, and booting the computer.

48 Citations

View as Search Results

17 Claims

1. A computer-implemented method, comprising:
- determining, by a malware protection program executing on a computer, that a file stored in first portion of a computer memory of the computer is a malicious file;
  
  storing a duplicate of the file in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory;
  
  performing, by the malware protection program, one or more protection processes on the file;
  
  determining whether the determination that the file is a malicious file is a false positive determination;
  
  in response to determining that the determination that the file is a malicious file is a false positive determination;
  
  restoring the file by a pre-boot rollback process executing on the computer during a boot sequence to a state prior to the one or more protection processes performed on the file; and
  
  booting the computer with the restored file; and
  
  in response to determining that the determination that the file is a malicious file is not a false positive determination, not restoring the file to a state prior to the one or more protection processes performed on the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein determining whether the determination that the file is a malicious file is a false positive determination occurs during the pre-boot rollback process.
  - 3. The method of claim 1, wherein determining that the determination that the file is a malicious file is a false positive determination comprises receiving data specifying that the determination that the file is a malicious file is a false positive determination.
  - 4. The computer-implemented method of claim 1, further comprising, in response to determining that the determination that the file is a malicious file is a false positive determination:
    - storing, in the computer memory, false positive data indicating that the file is not a malicious file; and
      
      wherein the malware protection program executing on the computer accesses the false positive data, and the false positive data causes the malware protection program to determine that the file is not a malicious file.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving a keyboard command from a user during a boot process; and
      
      interrupting the boot process and initiating the pre-boot rollback process in response to receiving the keyboard command; and
      
      wherein determining whether the determination that the file is a malicious file is a false positive determination comprises presenting, in a pre-boot user interface environment, a selection menu, the selection menu displaying a representation of the file stored in the quarantine area and a selection option to restore the file; and
      
      restoring the file in the computer memory to a state prior to the one or more protection processes being performed on the file in response to receiving a selection of the selection option to restore the file.
  - 6. The computer-implemented method of claim 1, further comprising:
    - establishing a communication with a rollback server; and
      
      receiving, from the rollback server, false positive data indicating false positive detections; and
      
      wherein determining whether the determination that the file is a malicious file is a false positive determination comprises determining whether the false positive data indicates that the determination that the file is a malicious file is a false positive determination.
  - 7. The computer-implemented method of claim 4, wherein:
    - the false positive data comprises signatures of files; and
      
      wherein determining whether the false positive data indicates that the determination that the file is a malicious file is a false positive determination comprises;
      
      generating a signature of the file;
      
      comparing the signature of the file to the signatures of files in the false positive data;
      
      determining, in response to the signature of the file matching one of the signatures of the files, that the determination that the file is a malicious file is a false positive determination; and
      
      determining, in response to the signature of the file not matching one of the signatures of the files, that the determination that the file is a malicious file is not a false positive determination.
  - 8. The computer-implemented method of claim 1, whereinthe one or more protection processes include deleting the file from the first portion of the computer memory;
    - andrestoring the file in the computer memory to the state prior to the one or more protection processes being performed on the file comprises moving the file from the quarantine area to the first portion of computer memory.
  - 9. The computer-implemented method of claim 1, wherein:
    - the one or more protection processes include modifying the content of the file in the first portion of the computer memory; and
      
      restoring the file in the computer memory to the state prior to the one or more protection processes being performed on the file comprises;
      
      deleting the modified file from the first portion of computer memory; and
      
      moving the file from the quarantine area to the first portion of computer memory.

10. A computer-implemented method, comprising:
- storing a duplicate file in a quarantine area, the duplicate file being a copy of a candidate malicious file that was repaired by a malware protection program, wherein the candidate malicious file consists of one or more files that were identified by the malware protection program as containing malicious content;
  
  performing, by the malware protection program, a protection process on the candidate malicious file, wherein the protection process results in modification of at least some portion of the candidate malicious file from a first portion of the computer memory;
  
  receiving a false positive data, wherein the false positive data is used to determine whether to restore the candidate malicious file; and
  
  in response to determining to restore the candidate malicious file, restoring, through a pre-boot scan during a boot sequence, the candidate malicious file to the first portion of the computer memory by replacing the candidate malicious file with the duplicate file from the quarantine area.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, wherein receiving a false positive data comprises receiving data specifying a determination from a host computer to restore the candidate malicious file.
  - 12. The method of claim 10, wherein modification of at least some portion of the candidate malicious file from a first portion of the computer memory comprises deleting the candidate malicious file from the first portion of the computer memory.

13. A system, comprising:
- a memory component configured to store data for a computer, the memory component including a first memory component and a second memory component, wherein the first memory component is logically separate from the second memory component;
  
  a quarantine configured to store data for the computer in the first memory component;
  
  malware protection program configured to identify a malicious file and perform a protection process on the malicious file; and
  
  data processing apparatus configured to store a copy of the malicious file identified by the malware protection program in the quarantine, determine if a false positive determination has occurred; and
  
  if it is determined that a false positive determination has occurred, restore the copy of the malicious file from the quarantine to the second part of the memory component.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the data processing apparatus further comprises a pre-boot processor configured to restore the copy of the malicious file from the quarantine to the second part of the memory component, the pre-boot processor operable during the boot sequence.
  - 15. The system of claim 13, further comprising a server interface configured to receive false positive data from a rollback server, the false positive data indicating false positive detections.
  - 16. The system of claim 13, further comprising a user server interface configured to receive false positive data from a user, the false positive data indicating false positive detections.
  - 17. The system of claim 13, wherein the data processing apparatus is further configured to store in the memory component false positive data indicating that the identification of the malicious file is a false positive detection, wherein when the malware protection program accesses the false positive data, and the false positive data causes the malware protection program to determine that the file is not a malicious file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Srinivasa, Gangadharasa, Singh, Prabhat Kumar, Jyoti, Nitin

Granted Patent

US 8,539,583 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 11/1417   Boot up procedures

G06F 11/1446   Point-in-time backing up or...

G06F 11/1451   by selection of backup cont...

G06F 16/152   using file content signatur...

G06F 16/162   Delete operations erasing i...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/568   eliminating virus, restorin...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/10   in which an application is ...

Rollback Feature

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Rollback Feature

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links