Method and apparatus for removing harmful software

US 8,646,080 B2
Filed: 09/16/2005
Issued: 02/04/2014
Est. Priority Date: 09/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of protection from harmful software on a computer, comprising:

using a graph rule processor, tracking a set of one or more relationships based upon the occurrence of one or more events among a plurality of nodes, the plurality of nodes representing;

a set of one or more processes on the computer and a set of one or more files on the computer, wherein the set of one or more relationships includes;

a first subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said first subset of one or more relationships excludes instance of-type relationships;

modifying a set of one or more characteristics based upon the set of one or more relationships;

tracking the set of one or more characteristics at each node of the plurality of nodes, wherein the set of one or more characteristics is passed around a graph;

based at least on a change in the set of characteristics, classifying as to be cleaned, at the computer, at least one node of the plurality of nodes;

comparing the at least one node to be cleaned against a plurality of rules, each of the plurality of rules comprising a condition and an action for each relationship;

based upon the comparison of the at least one node to be cleaned, classifying the at least one node to be cleaned as change and placing the node in a node change queue for processing by the graph rule processor;

determining a score for the at least one changed node, wherein the score is based upon one or more potentially malicious actions the at least one changed node has performed;

if the determined score satisfies a score trigger, classifying the at least one changed node as harmful software; and

removing, at runtime, effects of the harmful software from the computer.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention address the problem of removing malicious code from infected computers.

284 Citations

26 Claims

1. A method of protection from harmful software on a computer, comprising:
- using a graph rule processor, tracking a set of one or more relationships based upon the occurrence of one or more events among a plurality of nodes, the plurality of nodes representing;
  
  a set of one or more processes on the computer and a set of one or more files on the computer, wherein the set of one or more relationships includes;
  
  a first subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said first subset of one or more relationships excludes instance of-type relationships;
  
  modifying a set of one or more characteristics based upon the set of one or more relationships;
  
  tracking the set of one or more characteristics at each node of the plurality of nodes, wherein the set of one or more characteristics is passed around a graph;
  
  based at least on a change in the set of characteristics, classifying as to be cleaned, at the computer, at least one node of the plurality of nodes;
  
  comparing the at least one node to be cleaned against a plurality of rules, each of the plurality of rules comprising a condition and an action for each relationship;
  
  based upon the comparison of the at least one node to be cleaned, classifying the at least one node to be cleaned as change and placing the node in a node change queue for processing by the graph rule processor;
  
  determining a score for the at least one changed node, wherein the score is based upon one or more potentially malicious actions the at least one changed node has performed;
  
  if the determined score satisfies a score trigger, classifying the at least one changed node as harmful software; and
  
  removing, at runtime, effects of the harmful software from the computer.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 3. The method of claim 1, wherein said classifying is further based at least on receiving, at the computer, input from a user of the computer classifying as harmful software at least one node of the plurality of nodes.
  - 4. The method of claim 1, further comprising:
    - reversing configuration changes made to the computer by the harmful software.
  - 5. The method of claim 1, further comprising:
    - restoring configuration parts of the computer affected by the harmful software to system defaults.
  - 6. The method of claim 1, wherein said removing includes:
    - removing files associated with the harmful software from the computer.
  - 7. The method of claim 1, wherein said removing includes:
    - removing processes associated with the harmful software from the computer.
  - 8. The method of claim 1, wherein said method occurs independent of the computer receiving a security update subsequent to installation of code performing the method, the security update being generated specifically for the harmful software by a security vendor of the code performing the method.
  - 9. The method of claim 1, wherein said tracking the set of one or more relationships and said tracking the set of one or more characteristics includes tracking changes made by the set of one or more processes and the set of one or more files with approval by a user of the computer, and said classifying and said removing occur despite the approval by the user.
  - 10. The method of claim 1, wherein said set of one or more relationships further includes:
    - another subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said another subset of one or more relationships are instance of-type relationships.
  - 11. The method of claim 1, wherein said set of one or more relationships further includes:
    - another subset of one or more relationships among at least two processes of the plurality of processes.
  - 12. The method of claim 1, wherein said set of one or more relationships further includes:
    - another subset of one or more relationships among at least two files of the plurality of files.
  - 13. The method of claim 1, wherein said set of one or more relationships further includes:
    - a second subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said another subset of one or more relationships are instance of-type relationships;
      
      a third subset of one or more relationships among at least two processes of the plurality of processes; and
      
      a fourth subset of one or more relationships among at least two files of the plurality of files.
  - 14. The method of claim 1, wherein changes to said set of one or more characteristics at said each node on a first end of the set of one or more relationships are controlled by:
    - the set of one or more relationships, and said set of one or more characteristics at said each node on a second end of the set of one or more relationships.
  - 15. The method of claim 1, wherein changes to said set of one or more characteristics at said each node on a first end of the set of one or more relationships are controlled by:
    - the set of one or more relationships, said set of one or more characteristics at said each node on a second end of the set of one or more relationships,wherein said changes are determined iteratively.
  - 16. The method of claim 1, wherein at least one of the plurality of relationships has a set of one or more rules that control how one or more changes in at least one of the characteristics of a first subset of the nodes affects at least one of the characteristics of a second set of nodes related to the first set of nodes.
  - 17. The method of claim 1, wherein at least one of the plurality of relationships has a set of one or more rules that control how one or more changes in at least one of the characteristics of a first subset of the nodes affects at least one of the characteristics of a second set of nodes related to the first set of nodes,wherein the set of one or more rules is extensible.
  - 18. The method of claim 1, wherein the set of one or more characteristics is extensible.
  - 19. The method of claim 1, wherein the set of one or more characteristics of at least one of the files is defined by one or more properties of said at least one of the files.
  - 20. The method of claim 1, wherein the set of one or more characteristics of at least one of the processes is defined by one more properties of said at least one of the processes.
  - 21. The method of claim 1, wherein the set of one or more characteristics of at least one of the files is defined by at least one action performed on said at least one of the files.
  - 22. The method of claim 1, wherein the set of one or more characteristics of at least one of the processes is defined by at least one action performed by said at least one of the processes.
  - 23. The method of claim 1, wherein the set of one or more characteristics of at least one of the nodes is defined by at least one rule for at least one relationship between said at least one of the nodes and at least one related node.
  - 24. The method of claim 1, wherein said removing is performed despite an absence of uninstall capability by the harmful software.

2. The method of clam 1, wherein said classifying is further based on at least autonomous action by the computer, including said tracking.

25. A computer having a method of protection from harmful software on the computer, comprising:
- the computer having the method, the method including;
  
  using a graph rule processor, tracking a set of one or more relationships based upon the occurrence of one or more events among a plurality of nodes, the plurality of nodes representing;
  
  a set of one or more processes on the computer and a set of one or more files on the computer, wherein the set of one or more relationships includes;
  
  a first subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said first subset of one or more relationships excludes instance of-type relationships;
  
  modifying a set of one or more characteristics based upon the set of one or more relationships;
  
  tracking the set of one or more characteristics at each node of the plurality of nodes, wherein the set of one or more characteristics is passed around a graph;
  
  based at least on a change in the set of characteristics, classifying as to be cleaned, at the computer, at least one node of the plurality of nodes;
  
  comparing the at least one node to be cleaned against a plurality of rules, each of the plurality of rules comprising a condition and an action for each relationship;
  
  based upon the comparison of the at least one node to be cleaned, classifying the at least one node to be cleaned as change and placing the node in a node change queue for processing by the graph rule processor;
  
  determining a score for the at least one changed node, wherein the score is based upon one or more potentially malicious actions the at least one changed node has performed;
  
  if the determined score satisfies a score trigger, classifying the at least one changed node as harmful software; and
  
  removing, at runtime, effects of the harmful software from the computer.

26. A non-transitory computer readable storage medium having a method of protection from harmful software on a computer, comprising:
- the computer readable storage medium operably connected to a graph rule processor and having the method, the method including instructions for causing the graph rule processor to;
  
  track a set of one or more relationships based upon the occurrence of one or more events among a plurality of nodes, the plurality of nodes representing;
  
  a set of one or more processes on the computer and a set of one or more files on the computer, wherein the set of one or more relationships includes;
  
  a first subset of one or more relationships among at least one process of the set of one or more processes and at least one file of the set of one or more files, wherein said first subset of one or more relationships excludes instance of-type relationships;
  
  modify a set of one or more characteristics based upon the set of one or more relationships;
  
  track the set of one or more characteristics at each node of the plurality of nodes, wherein the set of one or more characteristics is passed around a graph;
  
  based at least on a change in the set of one or more characteristics, classify as to be cleaned, at the computer, at least one node of the plurality of nodes;
  
  compare the at least one node to be cleaned against a plurality of rub rules, each of the plurality of rules comprising a condition and an action for reach relationship;
  
  based upon the comparison of the at least one node to be cleaned, classify the at least one node to be cleaned as changed and placing the node in a node change queue for processing by the graph rule processor;
  
  determining a score for the at least one changed node, wherein the score is based upon one or more potentially malicious actions the at least one changed node has performed;
  
  if the determined score satisfies a score trigger, classify the at least one changed node as harmful software; and
  
  remove, at runtime, effects of the harmful software from the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avast Software SRO (Gen Digital Inc.)
Original Assignee
AVG Technologies N.V. (Gen Digital Inc.)
Inventors
Williamson, Matthew, Gorelik, Vladimir
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US11/229,013
Publication Number

US 20070067843A1
Time in Patent Office

3,063 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/568 eliminating virus, restorin...

G06F 2221/2101 Auditing as a secondary aspect

Method and apparatus for removing harmful software

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

284 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for removing harmful software

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

284 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links