Centralized scanner database with optimal definition distribution using network queries

US 8,214,977 B2
Filed: 05/21/2008
Issued: 07/10/2012
Est. Priority Date: 05/21/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malware, comprising:

locally storing on a client device, a filter based on a set of known malware definitions, and locally storing on the client device a subset of known malware definitions from the set of known malware definitions, the subset selected based on a determined likelihood of malware corresponding to the known malware definitions being detected on the client device;

applying the filter to an input file to detect if the input file has characteristics matching those of a malware definition in the set of known malware definitions;

responsive to the input file having characteristics matching those of the malware definition based on applying the filter, determining if the malware definition is stored locally in the subset of known malware definitions;

responsive to the input file having characteristics matching those of the malware definition and the malware definition not being stored locally, obtaining the malware definition from a central server;

scanning the input file using the obtained malware definition;

determining if the input file comprises malware based on the scanning; and

responsive to the input file not comprising the malware based on the scanning, sending a report to the central server identifying the input file; and

receiving from the central server in response to the report, a modified filter to reduce a likelihood of a false positive occurring in a future application of the filter if the input file is determined not to comprise the malware based on the scanning.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method detects malware on client devices based on partially distributed malware definitions from a central server. A server stores malware definitions for known malware. The server generates one or more filters based on the malware definitions and distributes the filter(s) to client devices. The server also distributes full definitions to the clients for a subset of the most commonly detected malware. The client device scans files for malware by first applying the filter to a file. If the filter outputs a positive detection, the client scans the file using the full definition to determine if the file comprises malware. If the full definition is not stored locally by the client, the client queries the server for the definition and then continues the scanning process.

Citations

20 Claims

1. A computer-implemented method for detecting malware, comprising:
- locally storing on a client device, a filter based on a set of known malware definitions, and locally storing on the client device a subset of known malware definitions from the set of known malware definitions, the subset selected based on a determined likelihood of malware corresponding to the known malware definitions being detected on the client device;
  
  applying the filter to an input file to detect if the input file has characteristics matching those of a malware definition in the set of known malware definitions;
  
  responsive to the input file having characteristics matching those of the malware definition based on applying the filter, determining if the malware definition is stored locally in the subset of known malware definitions;
  
  responsive to the input file having characteristics matching those of the malware definition and the malware definition not being stored locally, obtaining the malware definition from a central server;
  
  scanning the input file using the obtained malware definition;
  
  determining if the input file comprises malware based on the scanning; and
  
  responsive to the input file not comprising the malware based on the scanning, sending a report to the central server identifying the input file; and
  
  receiving from the central server in response to the report, a modified filter to reduce a likelihood of a false positive occurring in a future application of the filter if the input file is determined not to comprise the malware based on the scanning.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the malware definition comprises a characteristic byte pattern known to be present in the malware and wherein scanning the input file comprises determining whether the characteristic byte pattern is present in the input file.
  - 3. The method of claim 1, further comprising:
    - receiving from the central server, the subset of known malware definitions from the set of known malware definitions; and
      
      receiving the filter from the central server.
  - 4. The method of claim 1, further comprising:
    - receiving an update from the central server comprising an updated filter generated based on an updated set of known malware.
  - 5. The method of claim 1, wherein the filter comprises a Bloom filter adapted to compute hash functions on the input file, wherein the output of the hash functions indicate if the input file has characteristics matching any of the set of known malware definitions.
  - 6. The method of claim 5, wherein applying the Bloom filter to the input file can produce a false positive detection of malware but cannot produce a false negative detection.
  - 7. The method of claim 1, wherein the filter is generated according to steps comprising:
    - computing hash functions on each malware definition; and
      
      defining the filter based on the outputs of the hash functions.
  - 8. The method of claim 1, wherein the subset of known malware definition comprises malware definitions most likely to be detected on the client device.

9. A computer program product for detecting malware, the computer program product comprising a non-transitory computer-readable storage medium containing computer program code for:
- locally storing on a client device, a filter based on a set of known malware definitions, and locally storing on the client device a subset of known malware definitions from the set of known malware definitions, the subset selected based on a determined likelihood of malware corresponding to the known malware definitions being detected on the client device;
  
  applying the filter to an input file to detect if the input file has characteristics matching those of a malware definition in the set of known malware definitions;
  
  responsive to the input file having characteristics matching those of the malware definition based on applying the filter, determining if the malware definition is stored locally in the subset of known malware definitions;
  
  responsive to the input file having characteristics matching those of the malware definition and the malware definition not being stored locally, obtaining the malware definition from a central server;
  
  scanning the input file using the obtained malware definition;
  
  determining if the input file comprises malware based on the scanning;
  
  responsive to the input file not comprising the malware based on the scanning, sending a report to the central server identifying the input file; and
  
  receiving from the central server in response to the report, a modified filter to reduce a likelihood of a false positive occurring in a future application of the filter if the input file is determined not to comprise the malware based on the scanning.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein the malware definition comprises a characteristic byte pattern known to be present in the malware and wherein scanning the input file comprises determining whether the characteristic byte pattern is present in the input file.
  - 11. The computer program product of claim 9, wherein the computer-readable storage medium further contains computer program code for:
    - receiving from the central server, the subset of known malware definitions from the set of known malware definitions; and
      
      receiving the filter from the central server.
  - 12. The computer program product of claim 9, wherein the computer-readable storage medium further contains computer program code for:
    - receiving an update from the central server comprising an updated filter generated based on an updated set of known malware.
  - 13. The computer program product of claim 9, wherein the filter comprises a Bloom filter adapted to compute hash functions on the input file, wherein the output of the hash functions indicate if the input file has characteristics matching any of the set of known malware definitions.
  - 14. The computer program product of claim 13, wherein applying the Bloom filter to the input file can produce a false positive detection of malware but cannot produce a false negative detection.
  - 15. The computer program product of claim 9, wherein the filter is generated according to steps comprising:
    - computing hash functions on each malware definition; and
      
      defining the filter based on the outputs of the hash functions.
  - 16. The non-transitory computer-readable storage medium of claim 9, wherein the subset of known malware definition comprises malware definitions most likely to be detected on the client device.

17. A method for distributing malware definitions to a client device, comprising:
- generating a filter from a set of known malware definitions, wherein the filter detects if an input file has characteristics matching those of the set of known malware definitions;
  
  distributing the filter to the client device;
  
  selecting a subset of malware definitions from the set of known malware definitions used to generate the filter distributed to the client device, wherein the subset of malware comprises fewer than all of the set of known malware definitions, and wherein the subset is selected based on a determined likelihood of malware corresponding to the known malware definitions being detected on the client device;
  
  distributing by a server, the selected subset of malware definitions to the client device together with the filter;
  
  receiving a query from the client device for a malware definition which is not found in the subset of known malware definitions distributed to the client upon applying the filter to an input file by the client device; and
  
  responsive to the query, transmitting the queried malware definition to the client device to be used in scanning of the input file;
  
  receiving a report from the client device indicating that the queried malware definition is not present in the input file;
  
  responsive to the receiving the report, modifying the filter to reduce a likelihood of a false positive occurring in a future application of the filter; and
  
  transmitting the modified filter to the client device.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - updating the subset of known malware definitions to distribute to the client device based on a frequency of queries for malware definitions from the client device.
  - 19. The method of claim 17, wherein the filter comprises a Bloom filter adapted to compute hash functions on the input file, wherein the output of the hash functions indicate if the input file has characteristics matching any of the set of known malware definitions.
  - 20. The method of claim 17, wherein the subset of malware definition comprises malware definitions most likely to be detected on the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US12/124,458
Publication Number

US 20090293125A1
Time in Patent Office

1,511 Days
Field of Search

726 22- 27, 713/165, 713/187, 713/188
US Class Current

26/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

H04L 63/1416   Event detection, e.g. attac...

Centralized scanner database with optimal definition distribution using network queries

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized scanner database with optimal definition distribution using network queries

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links