-
公开(公告)号:US08776227B1
公开(公告)日:2014-07-08
申请号:US12968206
申请日:2010-12-14
申请人: Adam L. Glick , Spencer Smith , Nicholas R. Graf
发明人: Adam L. Glick , Spencer Smith , Nicholas R. Graf
CPC分类号: G06F21/566 , G06F2221/032
摘要: Malware with fake or misleading anti-malware user interfaces (UIs) are detected. Processes running on a computer system are monitored and their window creation events are detected. The structures of the created windows are retrieved to detect presence of UI features that are commonly presented in known fake or misleading anti-malware UIs (“fakeAVUIs”). If a window includes a UI feature commonly presented in known fakeAVUIs, that window is determined suspicious and additional tests are applied to determine the validity of information in the window. If the information in the window is determined invalid, then the process that created the window is determined to be malware and a remediating action is applied to the process.
摘要翻译: 检测到具有假或误导性的反恶意软件用户界面(UI)的恶意软件。 监视在计算机系统上运行的进程,并检测其窗口创建事件。 检索创建的窗口的结构以检测通常在已知的假的或误导的反恶意软件UI(“假的AVI”)中呈现的UI特征的存在。 如果窗口包含通常在已知的假AVA中呈现的UI特征,则该窗口被确定为可疑,并且应用附加测试来确定窗口中的信息的有效性。 如果窗口中的信息被确定为无效,则创建该窗口的进程被确定为恶意软件,并且将修复操作应用于该进程。
-
公开(公告)号:US08495741B1
公开(公告)日:2013-07-23
申请号:US11694711
申请日:2007-03-30
IPC分类号: G06F21/00
CPC分类号: G06F21/575
摘要: A computer has a storage device that is infected with malicious software (malware). The malware uses stealth or rootkit techniques to hide itself in the storage device. A security module within the storage device detects the malware by comparing the files read from the storage device to those reported by the operating system. Upon detecting the malware, the security module prepares the computer for malware obfuscation by storing information describing the location of the malware, deploying an executable file, and configuring it to run on reboot. The executable file executes upon reboot and locates the data on the storage device associated with the malware. The executable file obfuscates the data so that the malware no longer loads at boot time, thereby disabling the rootkit technique. The computer reboots and the security module remediates the malware infection.
摘要翻译: 计算机有一个被恶意软件(恶意软件)感染的存储设备。 恶意软件使用隐身或rootkit技术将自身隐藏在存储设备中。 存储设备内的安全模块通过比较从存储设备读取的文件与操作系统报告的文件来检测恶意软件。 在检测到恶意软件时,安全模块通过存储描述恶意软件位置的信息,部署可执行文件,并将其配置为在重新启动时运行来准备计算机恶意软件混淆。 可执行文件在重新启动时执行,并将数据定位到与恶意软件相关联的存储设备上。 可执行文件会混淆数据,以便在引导时不再加载恶意软件,从而禁用rootkit技术。 计算机重新启动,安全模块可以修复恶意软件感染。
-
公开(公告)号:US08065730B1
公开(公告)日:2011-11-22
申请号:US12059790
申请日:2008-03-31
申请人: William E. Sobel , Mark K. Kennedy , Adam L. Glick
发明人: William E. Sobel , Mark K. Kennedy , Adam L. Glick
CPC分类号: G06F21/56
摘要: A computer includes a file system that supports virtualization. A scanning module identifies a file to be scanned for malware and a virtualized file detection module determines whether the file is virtualized. A file retrieval module locates a virtualized version of the file if the file is determined to be virtualized, and a malware detection module determines whether the virtualized version of the file contains malware. If malware is found, the malware detection module takes remedial action to address any security threat posed by the malware.
摘要翻译: 计算机包括支持虚拟化的文件系统。 扫描模块识别要扫描的恶意软件的文件,虚拟文件检测模块确定文件是否被虚拟化。 如果文件被确定为虚拟化,则文件检索模块定位文件的虚拟版本,并且恶意软件检测模块确定文件的虚拟版本是否包含恶意软件。 如果发现恶意软件,则恶意软件检测模块采取补救措施来解决恶意软件造成的任何安全威胁。
-
4.
公开(公告)号:US20110067101A1
公开(公告)日:2011-03-17
申请号:US12560261
申请日:2009-09-15
申请人: Vijay Seshadri , Zulfikar Ramzan , James Hoagland , Adam L. Glick , Adam Wright
发明人: Vijay Seshadri , Zulfikar Ramzan , James Hoagland , Adam L. Glick , Adam Wright
CPC分类号: H04L63/1416 , G06F21/552 , G06F21/56 , G06F21/577 , G06F2221/2101 , G06F2221/2115
摘要: An individualized time-to-live (TTL) is determined for a reputation score of a computer file. The TTL is determined based on the reputation score and the confidence in the reputation score. The confidence can be determined based on attributes such as the reputation score, an age of the file, and a prevalence of the file. The reputation score is used to determine whether the file is malicious during a validity period defined by the TTL, and discarded thereafter.
摘要翻译: 针对计算机文件的信誉分数确定个性化的生存时间(TTL)。 TTL是根据信誉评分和对信誉评分的信心确定的。 信心可以根据诸如信誉评分,文件的年龄以及文件的普遍性等属性来确定。 信誉分数用于确定在由TTL定义的有效期内文件是否恶意,之后丢弃。
-
5.
公开(公告)号:US08800030B2
公开(公告)日:2014-08-05
申请号:US12560261
申请日:2009-09-15
申请人: Vijay Seshadri , Zulfikar Ramzan , James Hoagland , Adam L. Glick , Adam Wright
发明人: Vijay Seshadri , Zulfikar Ramzan , James Hoagland , Adam L. Glick , Adam Wright
CPC分类号: H04L63/1416 , G06F21/552 , G06F21/56 , G06F21/577 , G06F2221/2101 , G06F2221/2115
摘要: An individualized time-to-live (TTL) is determined for a reputation score of a computer file. The TTL is determined based on the reputation score and the confidence in the reputation score. The confidence can be determined based on attributes such as the reputation score, an age of the file, and a prevalence of the file. The reputation score is used to determine whether the file is malicious during a validity period defined by the TTL, and discarded thereafter.
摘要翻译: 针对计算机文件的信誉分数确定个性化的生存时间(TTL)。 TTL是根据信誉评分和对信誉评分的信心确定的。 信心可以根据诸如信誉评分,文件的年龄以及文件的普遍性等属性来确定。 信誉分数用于确定在由TTL定义的有效期内文件是否恶意,之后丢弃。
-
-
-
-