System and method for removal of malicious software from computer systems and management of treatment side-effects

US 8,752,179 B2
Filed: 10/16/2012
Issued: 06/10/2014
Est. Priority Date: 03/14/2012
Status: Active Grant

First Claim

Patent Images

1. A security arrangement for removing malware from a computer system, the security arrangement comprising:

computing hardware, including a processor, a data store, and input/output facilities;

an operating system and application programs executable on the computing hardware;

an inspection module that monitors operation of the operating system and application programs for a presence of malware, and generates an inspection log representing operational history of the operating system and the application programs;

wherein the inspection module passes the inspection log to a log analyzer module operating on a remote service that responds by detecting a presence of any malware on the computer system based on information contained in the inspection log and in accordance with a malware knowledge base containing indicia of known malware or non-malware programs; and

a treatment scenario execution module that obtains, from the remote service a pre-evaluated treatment scenario which contains a specific set of instructions that represent a sequence of actions to be executed for removing any malware present on the computer system, as detected by the log analyzer module, the pre-evaluated treatment scenario having been generated specifically for use by the computer system by a scenario generator module based on the information contained in the inspection log and on a knowledge base of malware removal rules, the generated treatment scenario having been further pre-evaluated by a scenario side-effect evaluation module based on a knowledge base of side-effects relating to malware treatment actions and on the information contained in the inspection log, such that the actions represented by the instructions of the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are automatically modified to reduce the risk; and

wherein the treatment scenario execution module executes the pre-evaluated treatment scenario using the computing hardware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Removing malware from a computer system. An inspection module obtains an inspection log representing operational history of the operating system and the application programs of the computer system. The inspection log is analyzed to detect a presence of any malware on the computer system. A treatment scenario is generated that defines a plurality of actions to be executed for removing any malware present on the computer system, as detected in the analyzing. The treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules. The generated treatment scenario is evaluated to assess the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system. A modified treatment scenario can be created to reduce the risk in response to an assessment of the risk.

98 Citations

View as Search Results

18 Claims

1. A security arrangement for removing malware from a computer system, the security arrangement comprising:
- computing hardware, including a processor, a data store, and input/output facilities;
  
  an operating system and application programs executable on the computing hardware;
  
  an inspection module that monitors operation of the operating system and application programs for a presence of malware, and generates an inspection log representing operational history of the operating system and the application programs;
  
  wherein the inspection module passes the inspection log to a log analyzer module operating on a remote service that responds by detecting a presence of any malware on the computer system based on information contained in the inspection log and in accordance with a malware knowledge base containing indicia of known malware or non-malware programs; and
  
  a treatment scenario execution module that obtains, from the remote service a pre-evaluated treatment scenario which contains a specific set of instructions that represent a sequence of actions to be executed for removing any malware present on the computer system, as detected by the log analyzer module, the pre-evaluated treatment scenario having been generated specifically for use by the computer system by a scenario generator module based on the information contained in the inspection log and on a knowledge base of malware removal rules, the generated treatment scenario having been further pre-evaluated by a scenario side-effect evaluation module based on a knowledge base of side-effects relating to malware treatment actions and on the information contained in the inspection log, such that the actions represented by the instructions of the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are automatically modified to reduce the risk; and
  
  wherein the treatment scenario execution module executes the pre-evaluated treatment scenario using the computing hardware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The security arrangement of claim 1, wherein the inspection log further comprises configuration information about the computer system sufficient for configuring a virtual machine emulator to emulate at least a portion of the computer system.
  - 3. The security arrangement of claim 1, wherein the remote service executes the log analyzer module, the scenario generator module, and the scenario side-effect evaluation module.
  - 4. The security arrangement of claim 1, wherein the inspection module causes the inspection log to be transmitted to a local service executing on the computing hardware, and wherein the treatment scenario execution module receives the pre-evaluated treatment scenario from the remote service, wherein the remote service executes the log analyzer module, the scenario generator module, and the scenario side-effect evaluation module.
  - 5. The security arrangement of claim 1, wherein the generated treatment scenario is pre-evaluated by an emulation process that models the computer system while it executes the generated treatment scenario, wherein in the emulation process a risk of damage to the operating system or application programs is detected and, as a result of detection of any such risk of damage, the generated treatment scenario is modified to change a malware treatment action such that the risk of damage is reduced.
  - 6. The security arrangement of claim 1, wherein the generated treatment scenario is pre-evaluated such that the risk of damaging the operating system or the application programs of the computer system is represented as a numerical sum of individually-assessed risk values, and wherein that numerical sum is compared against a threshold to determine whether the generated treatment scenario may be provided to the treatment scenario execution module for execution.
  - 7. The security arrangement of claim 1, wherein the generated treatment scenario is pre-evaluated by the scenario side-effect evaluation module such that the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are automatically modified to reduce the risk if an assessed risk level exceeds a reference risk threshold.
  - 8. The security arrangement of claim 1, wherein the inspection log generates a follow-up inspection log in response to execution of the treatment scenario by the treatment scenario execution module, and passes the follow-up inspection log to the log analyzer module, wherein the log analyzer module detects a further presence of any malware on the computer system based on information contained in the follow-up inspection log and in accordance with the malware knowledge base, and wherein an effectiveness is determined based on a comparison of detected malware prior to the execution of the treatment scenario, and subsequent to the execution of the treatment scenario.
  - 9. The security arrangement of claim 1, wherein the generated treatment scenario is pre-evaluated by the scenario side-effect evaluation module such that the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are automatically modified to reduce the risk if an assessed risk level exceeds a reference risk threshold;
    - wherein the inspection module generates a follow-up inspection log in response to execution of the treatment scenario by the treatment scenario execution module, and passes the follow-up inspection log to the log analyzer module, wherein the log analyzer module detects a further presence of any malware on the computer system based on information contained in the follow-up inspection log and in accordance with the malware knowledge base, and wherein an effectiveness is determined based on a comparison between detected malware prior to the execution of the treatment scenario, and subsequent to the execution of the treatment scenario; and
      
      wherein in response to an effectiveness determination falling below an effectiveness threshold, the reference risk threshold is automatically increased to reduce a sensitivity of risk determination.

10. A method for removing malware from a remote computer system having computing hardware, an operating system, and application programs executable on the computing hardware, the method comprising:
- obtaining, from an inspection module having access to the remote computer system, an inspection log representing operational history of the operating system and the application programs, the inspection log being produced as a result of monitoring of the operating system and application programs for a presence of malware;
  
  analyzing the inspection log to detect a presence of any malware on the computer system based on information contained in the inspection log and in accordance with a malware knowledge base containing indicia of known malware or non-malware programs;
  
  generating a treatment scenario that contains a specific set of instructions that represent a sequence of actions to be executed for removing any malware present on the computer system, as detected in the analyzing, wherein the treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules;
  
  evaluating the generated treatment scenario based on a knowledge base of side-effects relating to malware treatment actions and on the information contained in the inspection log, such that the actions represented by the instructions of the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are assessed;
  
  in response to an assessment of the risk, creating a modified treatment scenario to reduce the risk; and
  
  providing the modified treatment scenario for execution by a treatment scenario execution module operating on the remote computer system.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, further comprising:
    - in the evaluating of the generated treatment scenario, configuring a virtual machine emulator to emulate at least a portion of the computer system.
  - 12. The method of claim 10, wherein the obtaining, the analyzing, the generating, the evaluating, and the creating of the modified treatment scenario is performed on a security server situated remotely from the computer system.
  - 13. The method of claim 10, wherein the generated treatment scenario is pre-evaluated by an emulation process that models the computer system while it executes the generated treatment scenario, wherein in the emulation process a risk of damage to the operating system or application programs is detected and, as a result of detection of any such risk of damage, the generated treatment scenario is modified to change a malware treatment action such that the risk of damage is reduced.
  - 14. The method of claim 10, wherein in the evaluating, the generated treatment scenario is evaluated such that the risk of damaging the operating system or the application programs of the computer system is represented as a numerical sum of individually-assessed risk values, and wherein that numerical sum is compared against a threshold to determine whether the generated treatment scenario may be provided to the treatment scenario execution module for execution.
  - 15. The method of claim 10, wherein in the evaluating, the generated treatment scenario is evaluated by the scenario side-effect evaluation module such that the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are automatically modified to reduce the risk if an assessed risk level exceeds a reference risk threshold.
  - 16. The method of claim 10, further comprising:
    - obtaining, from the inspection module, a follow-up inspection log in response to execution of the treatment scenario by the treatment scenario execution module; and
      
      detecting a further presence of any malware on the computer system based on information contained in the follow-up inspection log and in accordance with the malware knowledge base, and wherein an effectiveness is determined based on a comparison of detected malware prior to the execution of the treatment scenario, and subsequent to the execution of the treatment scenario.
  - 17. The method of claim 10, wherein in the evaluating, the generated treatment scenario is evaluated such that the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are automatically modified to reduce the risk if an assessed risk level exceeds a reference risk threshold;
    - wherein the inspection module generates a follow-up inspection log in response to execution of the treatment scenario by the treatment scenario execution module, and further comprising;
      
      detecting a further presence of any malware on the computer system based on information contained in the follow-up inspection log and in accordance with the malware knowledge base, anddetermining an effectiveness based on a comparison between detected malware prior to the execution of the treatment scenario, and subsequent to the execution of the treatment scenario; and
      
      in response to an effectiveness determination falling below an effectiveness threshold, increasing the reference risk threshold to reduce a sensitivity of risk determination.

18. A system for removing malware from a computer system having computing hardware, an operating system, and application programs executable on the computing hardware, the system comprising:
- means for obtaining, from an inspection module having access to the computer system, an inspection log representing operational history of the operating system and the application programs, the inspection log being produced as a result of monitoring of the operating system and application programs for a presence of malware;
  
  means for analyzing the inspection log to detect a presence of any malware on the computer system based on information contained in the inspection log and in accordance with a malware knowledge base containing indicia of known malware or non-malware programs;
  
  means for generating a treatment scenario that contains a specific set of instructions that represent a sequence of actions to be executed for removing any malware present on the computer system, as detected in the analyzing, wherein the treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules;
  
  means for evaluating the generated treatment scenario based on a knowledge base of side-effects relating to malware treatment actions and on the information contained in the inspection log, such that the actions represented by the instructions of the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system are assessed;
  
  means for creating a modified treatment scenario to reduce the risk in response to an assessment of the risk; and
  
  means for providing the modified treatment scenario for execution by a treatment scenario execution module operating for the benefit of the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Kaspersky Lab ZAO
Inventors
Zaitsev, Oleg V.
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/652,948
Publication Number

US 20130247193A1
Time in Patent Office

602 Days
Field of Search

726/24, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/568 eliminating virus, restorin...

System and method for removal of malicious software from computer systems and management of treatment side-effects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for removal of malicious software from computer systems and management of treatment side-effects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links