System and method for scanning memory for pestware
Abstract
Systems and methods for managing multiple related pestware processes on a protected computer are described. One embodiment is configured to identify a location of each of a plurality of files in at least one file storage device of the protected computer and store a list of the location of each of the plurality of files. The list of the plurality of files is then sorted so as to generate a sorted list. Each of the plurality of files is then sequentially accessed as listed in the sorted list so as to retrieve information from each of the plurality of files. Information from the plurality of files is then analyzed to determine whether any of the plurality of files are potential pestware files. In variations, the files in the file storage device are enumerated, and information from the files is accessed, by circumventing the operating system of the protected computer.
20 Claims
1. A method for scanning executable memory of a protected computer for pestware comprising:
- enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory, and the at least one dependency includes encrypted code;
- identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
- scanning at least one portion of memory for unencrypted code spawned from the encrypted code, the unencrypted code located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
Dependent claims: 2, 3, 4, 5, 6.
7. A system for managing pestware comprising:
- a protected computer including at least one file storage device and executable memory;
- a pestware detection module configured to detect pestware on the protected computer, wherein the pestware detection module is configured to:
  - enumerate a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory and the at least one dependency includes encrypted code;
  - identify a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
  - scan at least one portion of memory for unencrypted code spawned from the encrypted code, the unencrypted code located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
Dependent claims: 8, 9, 10, 11, 12, 13.
14. A computer readable storage medium having stored thereon instructions to scan for pestware on a protected computer including an executable memory, the instructions including:
- enumerating a process and at least one dependency related to the process, wherein the process and the at least one dependency are running in the executable memory and the at least one dependency includes encrypted code;
- identifying a reference point in the executable memory for the process and at least one other reference point in the executable memory for the at least one dependency; and
- scanning at least one portion of memory for unencrypted code spawned from the encrypted code, the unencrypted code located at an offset from the at least one other reference point in the executable memory so as to identify whether code indicative of a pestware process resides in the executable memory at the at least one portion of memory.
Dependent claims: 15, 16, 17, 18, 19, 20.
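The scan the claims describe, as an added illustration that is not the patent's own implementation: enumerate a process and its dependencies (loaded modules), take each module's base address as its reference point, and compare the bytes at a fixed offset from that base against a known pattern, so the check does not depend on where the module was loaded. The module images, the XOR-obfuscated stub, its offset and the marker bytes are all constructed for this example, and ctypes buffers stand in for loaded module images.

```python
import ctypes
from dataclasses import dataclass

# Constructed for this example: a dependency carries an XOR-obfuscated stub that it
# decrypts in place at a fixed offset (RVA) from its own base address.
PAYLOAD_RVA = 0x40                     # where the unpacked code appears, relative to the base
KEY = 0x5A                             # constructed obfuscation key
CLEAR_STUB = b"\x90\x90\xcc\xc3"       # constructed marker standing in for a known-bad stub
PACKED_STUB = bytes(b ^ KEY for b in CLEAR_STUB)

@dataclass
class Module:
    name: str
    image: ctypes.Array                # backing memory; its address is the reference point

    @property
    def base(self) -> int:
        return ctypes.addressof(self.image)

def load_module(name: str, packed: bool = False) -> Module:
    """Stand-in for the loader: put a module image in memory, optionally with the packed stub."""
    buf = ctypes.create_string_buffer(0x80)
    if packed:
        ctypes.memmove(ctypes.addressof(buf) + PAYLOAD_RVA, PACKED_STUB, len(PACKED_STUB))
    return Module(name, buf)

def unpack_in_place(mod: Module) -> None:
    """Mimics the dependency's own unpacker: the encrypted code spawns its cleartext at base+RVA."""
    addr = mod.base + PAYLOAD_RVA
    data = ctypes.string_at(addr, len(PACKED_STUB))
    ctypes.memmove(addr, bytes(b ^ KEY for b in data), len(data))

# Signatures are anchored to a module's reference point, not to an absolute address,
# so the same entry matches no matter where the module was loaded (e.g. under ASLR).
SIGNATURES = [("constructed-pest-stub", PAYLOAD_RVA, CLEAR_STUB)]

def enumerate_modules(process: dict) -> list:
    return [process["main"], *process["deps"]]   # step 1: the process and its dependencies

def scan_process(process: dict, signatures=SIGNATURES) -> list:
    """Steps 2-3: take each module's base as its reference point and check bytes at each offset."""
    hits = []
    for mod in enumerate_modules(process):
        for sig_name, rva, pattern in signatures:
            if ctypes.string_at(mod.base + rva, len(pattern)) == pattern:
                hits.append((mod.name, sig_name, hex(mod.base + rva)))
    return hits
```

Loading "helper.dll" with packed=True, calling unpack_in_place on it and then scan_process flags that dependency at base + 0x40; before the unpack the scan returns nothing, because only the encrypted form is in memory.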