System, method and computer program product for context-driven behavioral heuristics
First Claim
1. A method, comprising:
receiving a request to open a file in a computer;
scanning the file;
determining whether unwanted data is present in the file by:
comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
evaluating a context associated with the scanning activities using a state machine, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer; and
detecting additional data, which is unwanted, by monitoring a behavior of data in the computer and determining an additional context, using a state machine, based on the monitoring of the behavior of data; and
communicating a sample of the file to a virus signature service provider to be used in generating an exact signature that encompasses all of the contexts associated with the file.
Abstract
A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.
15 Claims
1. (Independent method claim; text reproduced in full under First Claim above.) Dependent claims: 2 to 7.

8. An apparatus, comprising:
a server computer coupled to an end user computer over a network connection, the server computer providing software to the end user computer such that the end user computer is configured for:
scanning a file received by the end user computer;
determining whether unwanted data is present in the file by:
comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
evaluating a context associated with the scanning activities using a state machine, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the end user computer; and
receiving additional data through monitoring of a behavior of data in the computer and through a determination of an additional context, using a state machine, based on the monitoring of the behavior of data; and
receiving a sample of the file to be used in generating an exact signature that encompasses all of the contexts associated with the file.
Dependent claims: 9 to 11.

12. Logic encoded in non-transitory media that includes code for execution and when executed by a processor operable to perform operations comprising:
receiving a request to open a file in a computer;
scanning the file;
determining whether unwanted data is present in the file by:
comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
evaluating a context associated with the scanning activities using a state machine, wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer; and
detecting additional data, which is unwanted, by monitoring a behavior of data in the computer and determining an additional context, using a state machine, based on the monitoring of the behavior of data; and
communicating a sample of the file to a virus signature service provider to be used in generating an exact signature that encompasses all of the contexts associated with the file.
Dependent claims: 13 to 15.
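The abstract and the independent claims describe a verdict that depends on both the signature scan and a state-machine context: a context ID tied to the file advances as the file attempts activities, a weak signature hit becomes conclusive only in a suspicious context, behavior alone can reach an unwanted context, and a sample carrying every context the file passed through goes to the signature provider. The following Python sketch is an illustration added here, not code from the patent or any product implementing it; the signature table, the state and event names, the transition table and the `process` driver are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature table for this example only; not a real AV database.
# "exact" signatures are conclusive on their own; "heuristic" signatures are
# only conclusive together with a suspicious context.
SIGNATURES = [
    ("Test.Marker", b"MALWARE-TEST-MARKER-0001", "exact"),
    ("Generic.Injector", b"CreateRemoteThread", "heuristic"),
]

# Assumed context state machine. The state a file has reached is its context
# ID; the events are the activities the file attempts in the computer.
TRANSITIONS = {
    ("idle", "open"): "opened",
    ("opened", "exec"): "executing",
    ("executing", "write_startup"): "persisting",
    ("executing", "net_connect"): "beaconing",
    ("persisting", "net_connect"): "persisting+beaconing",
    ("beaconing", "write_startup"): "persisting+beaconing",
}
SUSPICIOUS = {"persisting", "beaconing", "persisting+beaconing"}
BEHAVIORAL_UNWANTED = {"persisting+beaconing"}  # unwanted even without a signature hit


@dataclass
class FileContext:
    sha256: str
    state: str = "idle"
    history: list = field(default_factory=list)

    def observe(self, event: str) -> str:
        """Advance the state machine; an unknown (state, event) pair leaves the state unchanged."""
        nxt = TRANSITIONS.get((self.state, event), self.state)
        self.history.append((self.state, event, nxt))
        self.state = nxt
        return nxt

    def contexts(self) -> list:
        """Every context ID the file has passed through, in order, without repeats."""
        seen = []
        for _, _, state in self.history:
            if state not in seen:
                seen.append(state)
        return seen


def scan(data: bytes) -> list:
    """Signature pass: (name, strength) for every signature present in the file."""
    return [(name, strength) for name, pat, strength in SIGNATURES if pat in data]


def verdict(hits: list, ctx: FileContext):
    """Combine the scan results with the current context; returns (status, reason)."""
    exact = [name for name, strength in hits if strength == "exact"]
    if exact:
        return "unwanted", exact[0]
    heuristic = [name for name, strength in hits if strength == "heuristic"]
    if heuristic and ctx.state in SUSPICIOUS:
        return "unwanted", f"{heuristic[0]} in context {ctx.state}"
    if ctx.state in BEHAVIORAL_UNWANTED:
        return "unwanted", f"behavior reached context {ctx.state}"
    return "clean", None


def build_sample(data: bytes, ctx: FileContext) -> dict:
    """Record sent to the signature provider: file identity plus all contexts seen."""
    return {"sha256": ctx.sha256, "size": len(data), "contexts": ctx.contexts()}


def process(data: bytes, events: list):
    """Open the file (scan + initial context), then replay monitored events, re-deciding after each."""
    ctx = FileContext(sha256=hashlib.sha256(data).hexdigest())
    ctx.observe("open")
    hits = scan(data)
    status, reason = verdict(hits, ctx)
    for event in events:
        if status == "unwanted":
            break  # file is blocked; stop monitoring it
        ctx.observe(event)
        status, reason = verdict(hits, ctx)
    sample = build_sample(data, ctx) if status == "unwanted" else None
    return status, reason, ctx, sample
```

In this sketch a heuristic hit by itself never produces a verdict; the same file with the same bytes is reported clean after merely executing and unwanted once it has also written to a startup location, which is the conditional indication the abstract describes. The `contexts` list in the sample is what lets the provider build a signature that covers every context the file was seen in rather than only the one that triggered the report.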
Specification