Feedback-driven malware detector

US 7,730,040 B2
Filed: 07/27/2005
Issued: 06/01/2010
Est. Priority Date: 07/27/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method to determine whether an application program contains malware, comprising:

employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts;

monitoring an extensibility point that allows the application program to execute without input from a user, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants;

determining whether the application program is scheduled to be installed and added to the extensibility point;

informing the user that the application program is scheduled to be installed and added to the extensibility point;

sending one or more portions of information regarding the application program that is scheduled to be installed and added to the extensibility point to a remote computer, wherein the remote computer is a trusted entity that is trusted by the user, the remote computer being configured to aggregate application program data from each of the plurality of malware prevention service participants;

receiving from a remote computer aggregated application program information indicating the number of other malware prevention service participants who previously allowed and declined the application to be installed;

displaying to the user the number of malware prevention service participants that allowed installation of the application program and the number of malware prevention service participants that declined installation of the application program;

obtaining decision input from the user regarding whether the application program should be installed, where the user'"'"'s decision is based upon the received aggregated application information indicating whether other malware prevention service participants allowed or declined installation of the application program; and

transmitting a set of data that includes the input obtained from the user to a remote computer, wherein the set of data includes;

a signature of an object that is scheduled to be executed when the application program is added to the extensibility point;

metadata that describes attributes of the object; and

run-time attributes that identify the state of the computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of a feedback-driven malware detector are directed to protecting a computer from programs that perform actions that are malicious or not expected by a user. In one embodiment, the feedback-driven malware detector performs a method that initially determines whether the state of an application program scheduled to be added to an extensibility point on a computer is already known. If the state of the object is not already known, the user is informed that an application program is being installed on the computer and that the application program is being added to an extensibility point. Then, input is obtained from the user that assists in determining whether the application program is malware.

96 Citations

View as Search Results

17 Claims

1. A computer-implemented method to determine whether an application program contains malware, comprising:
- employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts;
  
  monitoring an extensibility point that allows the application program to execute without input from a user, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants;
  
  determining whether the application program is scheduled to be installed and added to the extensibility point;
  
  informing the user that the application program is scheduled to be installed and added to the extensibility point;
  
  sending one or more portions of information regarding the application program that is scheduled to be installed and added to the extensibility point to a remote computer, wherein the remote computer is a trusted entity that is trusted by the user, the remote computer being configured to aggregate application program data from each of the plurality of malware prevention service participants;
  
  receiving from a remote computer aggregated application program information indicating the number of other malware prevention service participants who previously allowed and declined the application to be installed;
  
  displaying to the user the number of malware prevention service participants that allowed installation of the application program and the number of malware prevention service participants that declined installation of the application program;
  
  obtaining decision input from the user regarding whether the application program should be installed, where the user'"'"'s decision is based upon the received aggregated application information indicating whether other malware prevention service participants allowed or declined installation of the application program; and
  
  transmitting a set of data that includes the input obtained from the user to a remote computer, wherein the set of data includes;
  
  a signature of an object that is scheduled to be executed when the application program is added to the extensibility point;
  
  metadata that describes attributes of the object; and
  
  run-time attributes that identify the state of the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - if the input obtained from the user indicates that the application program should not be installed, preventing the application program from being installed on the computer; and
      
      if the input obtained from the user indicates that the application program should be installed, allowing the application program to be installed on the computer.
  - 3. The method claim 1, wherein informing the user that the application program is scheduled to be installed and added to the extensibility point includes generating a signature of an object that will be automatically executed if the application program is added to the extensibility point.
  - 4. The method of claim 3, wherein the object from which the signature is generated is added to the program code from a file.
  - 5. The method of claim 3, further comprising:
    - comparing the signature to signatures generated from objects that are known to be associated with malware; and
      
      if the signature matches a signature that is known to be associated with malware, informing the user that the application program is malware.
  - 6. The method of claim 1, wherein the signature is generated using a hashing algorithm.
  - 7. The method of claim 1, wherein transmitting a set of data that includes the input obtained from the user includes satisfying requests for additional data;
    - andwherein the additional data include program code that implements the application program.

8. A computer-implemented method of determining whether an application program is malware, comprising:
- employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts;
  
  receiving a set of data at a remote computer system when an application program is scheduled to be installed and added to an extensibility point on a remote computer, the data set being received from a computer system that is monitored for changes to an extensibility point that allows the application program to execute without input from a user, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants, the remote computer being a trusted entity that is trusted by the user, the remote computer being configured to aggregate application program data from each of the plurality of malware prevention service participants, wherein the data set includes;
  
  a signature of an object that is scheduled to be executed when the application program is added to the extensibility point;
  
  metadata that describes attributes of the object; and
  
  run-time attributes that identify the state of the computer;
  
  aggregating data that was obtained from a plurality of malware prevention service participants at remote computers including a plurality of indicators regarding whether malware prevention service participants allowed or did not allow the application program to be installed on their respective remote computers; and
  
  performing an analysis of the aggregated data to determine whether the application program is malware, wherein the analysis is based upon the aggregated application data indicating whether other malware prevention service participants allowed or declined installation of the application program.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, further comprising:
    - generating a signature from the set of data;
      
      if the analysis indicates that the application program is malware, causing the signature to be added to a list of signatures of known malware that is distributed to the plurality of remote computers; and
      
      if the analysis reveals that the application program is benevolent, causing the signature to be added to a list of signatures associated with benevolent application programs that is distributed to the plurality of remote computers.
  - 10. The method of claim 8, wherein aggregating together the data that was obtained from the plurality of remote computers includes using a database application to create a view that identifies the number of users who allowed or did not allow the application program to be installed on their computer(s).
  - 11. The method of claim 8, wherein performing an analysis of the aggregated data to determine whether the application program is malware is performed without reverse engineering program code that implements the application program.
  - 12. The method of claim 8, wherein performing an analysis of the aggregated data to determine whether the application program is malware includes re-creating the run-time attributes of a computer in a laboratory setting and observing the functions performed by the application program.

13. A computer-implemented system for determining whether an application program is malware, comprising:
- a processor;
  
  a computer readable storage medium operationally coupled to the processor and storing computer executable instructions, the computer executable instructions, when executed by the processor, implement components comprising;
  
  a reporting module that causes a set of data to be transmitted to the backend server when the application program is scheduled to be added to an extensibility point on the client computer including an indication regarding whether a user of the client computer allowed or did not allow the application program to be installed, the user being a participant in a malware prevention service that is configured to receive input from a plurality of different malware prevention service participants, wherein the set of data includes;
  
  a signature of an object that is scheduled to be executed when the application program is added to the extensibility point;
  
  metadata that describes attributes of the object; and
  
  run-time attributes that identify the state of the computer;
  
  an analysis module that is operative to receive the set of data generated by the reporting module and use the data to determine whether the application program is malware; and
  
  a database application that aggregates the set of data generated by the reporting module together with data previously received from other computers in the computer networking environment whose users are participants of the malware prevention service, the previously received data includes the number of malware prevention service participants who allowed and did not allow the application program to be installed on their computer, wherein the database application is a trusted entity that is trusted by the malware prevention service participants and wherein the determination as to whether the application program is malware is based upon the received aggregated application information indicating whether other malware prevention service participants allowed or declined installation of the application program.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, further comprising a backend database that is operative to store the set of data transmitted to the backend server;
    - andwherein the database application is further configured to aggregate a view of the data in the backend server that calculates the number of users who allowed or did not allow the application program to be installed on their computer.
  - 15. The system of claim 13, further comprising a signature database operative to store:
    - a list of signatures generated from known malware; and
      
      a list of signatures generated from known benevolent application programs.
  - 16. The system of claim 15, wherein the signature database is updated with signatures generated from application programs that are being installed in the computer networking environment.
  - 17. The system of claim 15, wherein the reporting module is further configured to compare a signature generated from the application program to signatures stored in the signature database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jones, Christopher Ryan, Franczyk, Ronald A, Newman, Andrew J, Reasor, Sterling M, Garms, Jason
Primary Examiner(s)
Jalil; Neveen Abel
Assistant Examiner(s)
Syed; Farhan M

Application Number

US11/190,749
Publication Number

US 20070038677A1
Time in Patent Office

1,770 Days
Field of Search

None
US Class Current

707/690
CPC Class Codes

G06F 21/565 by checking file integrity

Feedback-driven malware detector

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Feedback-driven malware detector

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links