Preventing and responding to disabling of malware protection software
First Claim
1. A computer-implemented method, comprising:
- installing a particular code hook on a computing system, wherein the computing system comprises an operating system providing an execution environment and the computing system further comprises one or more programs to execute in the execution environment, the one or more programs include a malware protection program, and the particular code hook is installed using the malware protection program and is configured to intercept application programming interface (API) calls to the operating system;
- detecting that a particular one of the calls, intercepted by the particular code hook, comprises an attempt to disable the malware protection program;
- identifying, using a first computer, a first process that generated the attempt to disable the malware protection program, wherein identifying the first process includes collecting identification data describing characteristics of the first process;
- preventing the first process from disabling the malware protection program, wherein the preventing includes blocking the attempt to disable the malware protection program; and
- determining, in response to blocking the attempt to disable the malware protection program, whether the first process is an approved process based at least in part on the collected identification data;
- wherein determining that the first process is an approved process causes a user prompt to be presented to provide a user an option to terminate the first process and determining that the first process is not an approved process causes one or more malware protection processes to be performed on the first process.
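The flow recited in claim 1 (hook intercepts the call, classify it as a disable attempt, collect identification data on the caller, block first, then decide approved or not), modelled as an added Python example. This is not code from the patent; the API names, the protected PID, service and registry value, the process table and the approved list are all constructed assumptions, and the Win32 semantics are abstracted (TerminateProcess really takes a handle, not a PID).

```python
"""Model of the hook-based self-protection flow recited in claim 1.

Added illustration only; the patent supplies no code. Every API name,
identity (PID, service, registry value), process record and approved
entry below is constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Assumed identities of the malware protection program being defended.
PROTECTED_PID = 4242
PROTECTED_SERVICE = "AvCoreSvc"
PROTECTED_REG_VALUE = r"HKLM\SOFTWARE\AvCore\Enabled"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed approved list keyed by (image path, image SHA-256, signer).
# Keying on the path alone would let any binary dropped at that path through.
APPROVED = {
    (r"C:\Program Files\AvCore\avcore_updater.exe",
     sha256_hex(b"updater-image-v2"), "AvCore Inc."),
}


class Action(Enum):
    ALLOW = "allow"                      # not a disable attempt: pass through to the OS
    BLOCK_AND_PROMPT = "block+prompt"    # approved caller: blocked, user offered termination
    BLOCK_AND_PROTECT = "block+protect"  # unapproved caller: blocked, protection processes run


@dataclass(frozen=True)
class ApiCall:
    api: str
    caller_pid: int
    args: dict


@dataclass(frozen=True)
class ProcessInfo:
    """Identification data collected about the caller (the identifying step)."""
    pid: int
    image_path: str
    image_sha256: str
    signer: Optional[str]


# Constructed process table standing in for what a hook would query from the OS.
PROCESS_TABLE = {
    1001: ProcessInfo(1001, r"C:\Program Files\AvCore\avcore_updater.exe",
                      sha256_hex(b"updater-image-v2"), "AvCore Inc."),
    2002: ProcessInfo(2002, r"C:\Users\Public\svchost.exe",
                      sha256_hex(b"dropper-image"), None),
    3003: ProcessInfo(3003, r"C:\Windows\System32\notepad.exe",
                      sha256_hex(b"notepad-image"), "Microsoft Windows"),
    # Same path as the approved updater but a different image: an impostor.
    4004: ProcessInfo(4004, r"C:\Program Files\AvCore\avcore_updater.exe",
                      sha256_hex(b"trojanised-updater"), None),
}


def is_disable_attempt(call: ApiCall) -> bool:
    """Detecting step: does this intercepted call try to disable the protection program?"""
    a = call.args
    if call.api == "TerminateProcess":
        return a.get("pid") == PROTECTED_PID
    if call.api == "ControlService":
        return a.get("service") == PROTECTED_SERVICE and a.get("control") in {"STOP", "PAUSE"}
    if call.api == "RegSetValueEx":
        return a.get("value_name") == PROTECTED_REG_VALUE and a.get("data") == 0
    return False


def identify(pid: int) -> Optional[ProcessInfo]:
    """Identifying step: collect characteristics of the calling process."""
    return PROCESS_TABLE.get(pid)


def is_approved(info: ProcessInfo) -> bool:
    return (info.image_path, info.image_sha256, info.signer) in APPROVED


def hook(call: ApiCall) -> Tuple[Action, Optional[ProcessInfo]]:
    """The installed hook: runs for every intercepted API call to the OS."""
    if not is_disable_attempt(call):
        return Action.ALLOW, None
    info = identify(call.caller_pid)
    # Preventing step comes first: the call is blocked whoever made it.
    # Only then is the approval decision taken on the collected data.
    if info is not None and is_approved(info):
        return Action.BLOCK_AND_PROMPT, info
    return Action.BLOCK_AND_PROTECT, info


# Constructed stream of intercepted calls.
SAMPLE_CALLS = [
    ApiCall("TerminateProcess", 3003, {"pid": 9999}),           # unrelated kill
    ApiCall("TerminateProcess", 1001, {"pid": PROTECTED_PID}),  # approved updater
    ApiCall("ControlService", 2002, {"service": PROTECTED_SERVICE, "control": "STOP"}),
    ApiCall("RegSetValueEx", 3003, {"value_name": PROTECTED_REG_VALUE, "data": 0}),
    ApiCall("TerminateProcess", 4004, {"pid": PROTECTED_PID}),  # impostor at approved path
    ApiCall("TerminateProcess", 5555, {"pid": PROTECTED_PID}),  # caller not in process table
]


def run(calls=SAMPLE_CALLS):
    return [hook(c)[0] for c in calls]


if __name__ == "__main__":
    for call, action in zip(SAMPLE_CALLS, run()):
        print(f"{call.api:<16} pid={call.caller_pid:<5} -> {action.value}")
```

Two points the model makes explicit. The approved updater is still blocked and only offered to the user for termination, so an approved identity never becomes a silent disable path. And the impostor at pid 4004 fails approval because the list is keyed on hash and signer as well as path; identification data that is only a path or a process name is trivially spoofed. A user-mode API hook is itself a user-mode artifact, so in practice this decision logic sits behind kernel-side protection (process and registry callbacks, protected-process or tamper-protection features) that an attacker cannot unhook from the process it is inspecting.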
10 Assignments
0 Petitions
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for responding to an attempt to disable a malware protection program and performing an identification process and one or more protection processes to prevent the execution of potentially malicious code. In one aspect, a method includes monitoring for attempts to disable a malware protection program, identifying a process that generated an attempt to disable the malware protection program, determining whether the process is an approved process, and in response, performing one or more protection processes on the process so as to prevent the execution of potentially malicious code.
15 Citations
18 Claims
1. A computer-implemented method, comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory computer storage medium encoded with a computer program, the program comprising instructions that when executed by a data processing apparatus cause the data processing apparatus to:
- install a particular code hook on a computing system, wherein the computing system comprises an operating system providing an execution environment and the computing system further comprises one or more programs to execute in the execution environment, the one or more programs include a malware protection program, and the particular code hook is installed using the malware protection program and is configured to intercept application programming interface (API) calls to the operating system;
- detect that a particular one of the calls, intercepted by the particular code hook, comprises an attempt to disable the malware protection program;
- identify, using a first computer, a first process that generated the attempt to disable the malware protection program, wherein identifying the first process includes collecting identification data describing characteristics of the first process;
- prevent the first process from disabling the malware protection program, wherein the preventing includes blocking the attempt to disable the malware protection program; and
- determine, in response to blocking the attempt to disable the malware protection program, whether the first process is an approved process based at least in part on the collected identification data;
- wherein determining that the first process is an approved process causes a user prompt to be presented to provide a user an option to terminate the first process and determining that the first process is not an approved process causes one or more malware protection processes to be performed on the first process.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A system comprising:
- at least one data processing device;
- at least one memory element;
- an operating system to provide an execution environment; and
- a plurality of programs to execute within the execution environment, wherein the plurality of programs comprise a malware protection program to:
  - install software hooks within the system, wherein the hooks are each configured to intercept application programming interface (API) calls to the operating system;
  - detect malware affecting other programs in the plurality of programs;
  - determine that a particular API call intercepted by one of the hooks comprises an attempt to disable the malware protection program;
  - identify a particular process that generated the particular intercepted call, wherein identifying the particular process includes collecting identification data describing characteristics of the particular process;
  - prevent the particular process from disabling the malware protection program by at least blocking the attempt to disable the malware protection program; and
  - determine, in response to blocking the attempt to disable the malware protection program, whether the particular process is an approved process based at least in part on the collected identification data, wherein determining that the particular process is an approved process causes a user prompt to be presented to provide a user an option to terminate the particular process and determining that the particular process is not an approved process causes one or more malware protection processes to be performed on the particular process.