SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR CONTEXT-DRIVEN BEHAVIORAL HEURISTICS

US 20110179491A1
Filed: 03/28/2011
Published: 07/21/2011
Est. Priority Date: 01/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request to open a file in a computer;

scanning the file;

determining whether unwanted data is present in the file by;

comparing data in the file with a plurality of signatures representative of certain types of unwanted data; and

evaluating a context associated with the scanning activities, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.

112 Citations

View as Search Results

19 Claims

1. A method, comprising:
- receiving a request to open a file in a computer;
  
  scanning the file;
  
  determining whether unwanted data is present in the file by;
  
  comparing data in the file with a plurality of signatures representative of certain types of unwanted data; and
  
  evaluating a context associated with the scanning activities, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - indicating a presence of the unwanted data based on both the scanning of the file and the evaluating of the context.
  - 3. The method of claim 1, further comprising:
    - detecting additional unwanted data by monitoring a behavior of data in the computer and determining an additional context based on the monitoring of the behavior of data.
  - 4. The method of claim 1, wherein a presence of the unwanted data triggers a selected one of a group of responses, the group consisting of:
    - a) a quarantine operation;
      
      b) an alert;
      
      c) a cleaning operation for the computer; and
      
      d) log reporting related to the unwanted data.
  - 5. The method of claim 1, wherein writing of data to a location in the computer triggers a registry monitoring rule that blocks a change at the location.
  - 6. The method of claim 1, wherein opening a port associated with the computer triggers a registry monitoring rule that blocks this activity, and wherein a second context ID is created based on attempting to open the port.
  - 7. The method of claim 6, wherein the file is rescanned in conjunction with evaluating both of the context IDs such that any new activity initiated by the file is terminated.
  - 8. The method of claim 1, further comprising:
    - communicating information associated with the file to a virus signature service provider in order to generate an exact signature for the file.
  - 9. The method of claim 1, wherein the unwanted data comprises malware.

10. An apparatus, comprising:
- a server computer coupled to an end user computer over a network connection, the server computer providing software to the end user computer such that the end user computer is configured for;
  
  scanning a file received by the end user computer;
  
  determining whether unwanted data is present in the file by;
  
  comparing data in the file with a plurality of signatures representative of certain types of unwanted data; and
  
  evaluating a context associated with the scanning activities, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the end user computer.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The apparatus of claim 10, wherein writing of data to a location in the end user computer triggers a registry monitoring rule that blocks a change at the location.
  - 12. The apparatus of claim 10, wherein opening a port associated with the end user computer triggers a registry monitoring rule that blocks this activity, and wherein a second context ID is created based on attempting to open the port.
  - 13. The apparatus of claim 12, wherein the file is rescanned in conjunction with evaluating both of the context IDs such that any new activity initiated by the file is terminated.
  - 14. The apparatus of claim 10, further comprising:
    - receiving information associated with the file from the end user computer in order to generate an exact signature for the file.

15. Logic encoded in non-transitory media that includes code for execution and when executed by a processor operable to perform operations comprising:
- receiving a request to open a file in a computer;
  
  scanning the file;
  
  determining whether unwanted data is present in the file by;
  
  comparing data in the file with a plurality of signatures representative of certain types of unwanted data; and
  
  evaluating a context associated with the scanning activities, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The logic of claim 15, the operations further comprising:
    - detecting additional unwanted data by monitoring a behavior of data in the computer and determining an additional context based on the monitoring of the behavior of data.
  - 17. The logic of claim 15, wherein a presence of the unwanted data triggers a selected one of a group of responses, the group consisting of:
    - a) a quarantine operation;
      
      b) an alert;
      
      c) a cleaning operation for the computer; and
      
      d) log reporting related to the unwanted data.
  - 18. The logic of claim 15, wherein opening a port associated with the computer triggers a registry monitoring rule that blocks this activity, and wherein a second context ID is created based on attempting to open the port.
  - 19. The logic of claim 18, wherein the file is rescanned in conjunction with evaluating both of the context IDs such that any new activity initiated by the file is terminated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Spurlock, Joel Robert, Schmugar, Craig D., Howard, Fraser Peter

Granted Patent

US 8,392,994 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/564 by virus signature recognition

SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR CONTEXT-DRIVEN BEHAVIORAL HEURISTICS

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR CONTEXT-DRIVEN BEHAVIORAL HEURISTICS

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links