System, method and computer program product for context-driven behavioral heuristics

US 8,392,994 B2
Filed: 03/28/2011
Issued: 03/05/2013
Est. Priority Date: 01/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request to open a file in a computer;

scanning the file;

determining whether unwanted data is present in the file by;

comparing data in the file with a plurality of signatures representative of certain types of unwanted data;

evaluating a context associated with the scanning activities using a state machine,wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer; and

detecting additional data, which is unwanted, by monitoring a behavior of data in the computer and determining an additional context, using a state machine, based on the monitoring of the behavior of data; and

communicating a sample of the file to a virus signature service provider to be used in generating an exact signature that encompasses all of the contexts associated with the file.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided for detecting unwanted data. A scan for unwanted data is performed to generate results of the scan. A context of the scan is then identified. Further, the presence of unwanted data is conditionally indicated based on both the results of the scan and the context of the scan.

87 Citations

View as Search Results

15 Claims

1. A method, comprising:
- receiving a request to open a file in a computer;
  
  scanning the file;
  
  determining whether unwanted data is present in the file by;
  
  comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
  
  evaluating a context associated with the scanning activities using a state machine,wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer; and
  
  detecting additional data, which is unwanted, by monitoring a behavior of data in the computer and determining an additional context, using a state machine, based on the monitoring of the behavior of data; and
  
  communicating a sample of the file to a virus signature service provider to be used in generating an exact signature that encompasses all of the contexts associated with the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - indicating a presence of the unwanted data based on both the scanning of the file and the evaluating of the context.
  - 3. The method of claim 1, wherein a presence of the unwanted data triggers a selected one of a group of responses, the group consisting of:
    - a) a quarantine operation;
      
      b) an alert;
      
      c) a cleaning operation for the computer; and
      
      d) log reporting related to the unwanted data.
  - 4. The method of claim 1, wherein writing of data to a location in the computer triggers a registry monitoring rule that blocks a change at the location.
  - 5. The method of claim 1, wherein opening a port associated with the computer triggers a registry monitoring rule that blocks this activity, and wherein a second context ID is created based on attempting to open the port.
  - 6. The method of claim 5, wherein the file is rescanned in conjunction with evaluating both of the context IDs such that any new activity initiated by the file is terminated.
  - 7. The method of claim 1, wherein the unwanted data comprises malware.

8. An apparatus, comprising:
- a server computer coupled to an end user computer over a network connection, the server computer providing software to the end user computer such that the end user computer is configured for;
  
  scanning a file received by the end user computer;
  
  determining whether unwanted data is present in the file by;
  
  comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
  
  evaluating a context associated with the scanning activities using a state machine,wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the end user computer; and
  
  receiving additional data through monitoring of a behavior of data in the computer and through a determination of an additional context, using a state machine, based on the monitoring of the behavior of data; and
  
  receiving a sample of the file to be used in generating an exact signature that encompasses all of the contexts associated with the file.
- View Dependent Claims (9, 10, 11)
- - 9. The apparatus of claim 8, wherein writing of data to a location in the end user computer triggers a registry monitoring rule that blocks a change at the location.
  - 10. The apparatus of claim 8, wherein opening a port associated with the end user computer triggers a registry monitoring rule that blocks this activity, and wherein a second context ID is created based on attempting to open the port.
  - 11. The apparatus of claim 10, wherein the file is rescanned in conjunction with evaluating both of the context IDs such that any new activity initiated by the file is terminated.

12. Logic encoded in non-transitory media that includes code for execution and when executed by a processor operable to perform operations comprising:
- receiving a request to open a file in a computer;
  
  scanning the file;
  
  determining whether unwanted data is present in the file by;
  
  comparing data in the file with a plurality of signatures representative of certain types of unwanted data;
  
  evaluating a context associated with the scanning activities using a state machine,wherein a context ID is established for the context and associated with the file, the context ID being related to attempts by the file to initiate activities in the computer; and
  
  detecting additional data, which is unwanted, by monitoring a behavior of data in the computer and determining an additional context, using a state machine, based on the monitoring of the behavior of data; and
  
  communicating a sample of the file to a virus signature service provider to be used in generating an exact signature that encompasses all of the contexts associated with the file.
- View Dependent Claims (13, 14, 15)
- - 13. The logic of claim 12, wherein a presence of the unwanted data triggers a selected one of a group of responses, the group consisting of:
    - a) a quarantine operation;
      
      b) an alert;
      
      c) a cleaning operation for the computer; and
      
      d) log reporting related to the unwanted data.
  - 14. The logic of claim 12, wherein opening a port associated with the computer triggers a registry monitoring rule that blocks this activity, and wherein a second context ID is created based on attempting to open the port.
  - 15. The logic of claim 14, wherein the file is rescanned in conjunction with evaluating both of the context IDs such that any new activity initiated by the file is terminated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Spurlock, Joel Robert, Schmugar, Craig D., Howard, Fraser Peter
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US13/073,674
Publication Number

US 20110179491A1
Time in Patent Office

708 Days
Field of Search

726 22- 25, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/564 by virus signature recognition

System, method and computer program product for context-driven behavioral heuristics

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for context-driven behavioral heuristics

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links