ROBUST MALWARE DETECTOR
Abstract
A system, method and computer readable medium for detecting and diffusing malware on a computer. Malware is analysed to generate signatures and determine a fixing moment. All of the system calls of the operating system of a client computer are hooked and processed without emulation or the need for unpackers or decrypters, and a multi-level filter removes all system calls that are not associated with malware. The resulting system calls are accumulated on a per-thread basis and scanned, and the relevant threads are compared with the signatures to match with malware. The threads associated with malware are addressed at the fixing moment before the malware can operate to cause undesirable effects on the client computer.
Claims (30 in total)
1. A malware detection and diffusion system comprising:
- at least one server side computer; and
- at least one client side computer;
wherein:
- at least one malware sample is processed in at least one server side computer;
- at least one signature is formed for each malware sample by a server side computer having at least one stop call at a fixing moment;
- the signature is distributed by the server side computer to at least one client side computer,
wherein:
- a driver hooks all of the system calls of the operating system of the client side computer;
- the system calls are processed by a filter to remove system calls not associated with malware;
- the system calls not removed by the filter are accumulated on a per-thread basis and checked for a stop call;
- the thread associated with the stop call is compared to the signature for a match with malware; and
- the thread that is matched with malware is addressed at the fixing moment.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method for detecting and diffusing malware on a computer, the method comprising the steps of:
- processing at least one malware sample on at least one server side computer;
- forming a signature for each malware sample having at least one stop call at a fixing moment;
- distributing the signature to at least one client side computer;
- hooking all of the system calls of the operating system of the client side computer;
- processing all of the hooked system calls through a filter to remove system calls not associated with malware;
- accumulating the system calls not removed by the filter process on a per-thread basis;
- checking the system calls not removed by the filter for a stop call;
- comparing the thread associated with the stop call to the signature for a match with malware; and
- addressing the thread matched with malware at the fixing moment.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A non-transitory computer readable medium comprising software comprising:
- code for processing at least one malware sample on at least one server side computer;
- code for forming a signature for each malware sample having at least one stop call at a fixing moment;
- code for distributing the signature to at least one client side computer;
- code for hooking all of the system calls of the operating system of the client side computer;
- code for processing all of the hooked system calls through a filter to remove system calls not associated with malware;
- code for accumulating the system calls not removed by the filter process on a per-thread basis;
- code for checking the system calls not removed by the filter for a stop call;
- code for comparing the threads associated with the stop call to the signature for a match with malware; and
- code for addressing the thread matched with malware at the fixing moment.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
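The client-side pipeline the three independent claims describe (hooked calls, a multi-level filter, per-thread accumulation, a stop-call check, signature comparison, action at the fixing moment) can be modelled in a few dozen lines. This is an added illustration, not the patent's own code: the call names, the two signatures, the in-order (subsequence) matching rule and the trace are all constructed assumptions, since the claims do not fix how a "match" is computed.

```python
from collections import defaultdict, namedtuple

# Level-1 filter: only calls that some signature references survive hooking;
# everything else is discarded before per-thread accumulation. (Constructed set.)
RELEVANT_CALLS = {"NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                  "NtCreateThreadEx", "NtCreateFile", "NtSetValueKey"}

# A signature is an ordered call sequence whose last element is the stop call,
# plus the action to take at the fixing moment. These stand in for what the
# server side would distribute; both are constructed for this example.
Signature = namedtuple("Signature", "name sequence action")
SIGNATURES = (
    Signature("remote-thread-injection",
              ("NtOpenProcess", "NtAllocateVirtualMemory",
               "NtWriteVirtualMemory", "NtCreateThreadEx"), "terminate"),
    Signature("run-key-persistence", ("NtCreateFile", "NtSetValueKey"), "block"),
)

def matches(history, sig):
    """True if sig.sequence occurs in order (as a subsequence) in the thread's history."""
    it = iter(history)
    return all(call in it for call in sig.sequence)

def process_trace(trace, signatures=SIGNATURES):
    """trace: iterable of (thread id, syscall name) as a hook would see them.
    Returns (tid, signature name, action) for each thread addressed at its
    fixing moment, i.e. when the stop call is hooked, before it completes."""
    history = defaultdict(list)
    stop_calls = {s.sequence[-1] for s in signatures}
    verdicts = []
    for tid, call in trace:
        if call not in RELEVANT_CALLS:      # level 1: not malware-associated
            continue
        history[tid].append(call)           # accumulate per thread
        if call not in stop_calls:          # level 2: compare only at a stop call
            continue
        for sig in signatures:
            if sig.sequence[-1] == call and matches(history[tid], sig):
                verdicts.append((tid, sig.name, sig.action))
                history[tid].clear()        # thread addressed; start afresh
                break
    return verdicts

# Constructed trace: thread 7 follows the injection sequence, interleaved with
# thread 3, which also reaches the stop call but without the preceding steps.
TRACE = [(3, "NtQuerySystemTime"), (7, "NtOpenProcess"), (3, "NtCreateFile"),
         (7, "NtAllocateVirtualMemory"), (3, "NtReadFile"),
         (7, "NtWriteVirtualMemory"), (3, "NtCreateThreadEx"), (7, "NtCreateThreadEx")]

if __name__ == "__main__":
    for tid, name, action in process_trace(TRACE):
        print(f"thread {tid}: matched {name}; {action} at fixing moment")
```

Thread 3 reaches the same stop call as thread 7 but is not flagged, which is the point of accumulating per thread rather than per process: the decision is taken on each thread's own filtered history when its stop call is hooked.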
Specification