1. Thread scanning and patching to disable injected malware threats
    Granted patent, in force

    Publication number: US08387139B2

    Publication date: 2013-02-26

    Application number: US12025142

    Filing date: 2008-02-04

    CPC classification number: G06F21/566

    Abstract: An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.


2. System and method for proactive computer virus protection
    Granted patent, in force

    Publication number: US07877802B2

    Publication date: 2011-01-25

    Application number: US12019479

    Filing date: 2008-01-24

    CPC classification number: G06F21/566

    Abstract: A system, method, and computer-readable medium for the proactive detection of malware in operating systems that receive application programming interface (API) calls is provided. A virtual operating environment for simulating the execution of programs and determining whether the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely affected. During simulation, a behavior signature is generated based on the API calls issued by the potential malware. The behavior signature is suitable for analysis to determine whether the simulated executable is malware.


3. Latency free scanning of malware at a network transit point
    Granted patent, in force

    Publication number: US07844700B2

    Publication date: 2010-11-30

    Application number: US11097060

    Filing date: 2005-03-31

    CPC classification number: H04L63/0209 H04L63/1416 H04L63/145

    Abstract: In accordance with the present invention, a system, method, and computer-readable medium for identifying malware at a network transit point such as a computer that serves as a gateway to an internal or private network is provided. A network transmission is scanned for malware at a network transit point without introducing additional latency to the transmission of data over the network. In accordance with one aspect of the present invention, a computer-implemented method for identifying malware at a network transit point is provided. More specifically, when a packet in a transmission is received at the network transit point, the packet is immediately forwarded to the target computer. Simultaneously, the packet and other data in the transmission are scanned for malware by an antivirus engine. If malware is identified in the transmission, the target computer is notified that the transmission contains malware.


4. System and method for gathering exhibited behaviors on a .NET executable module in a secure manner
    Granted patent, expired

    Publication number: US07730530B2

    Publication date: 2010-06-01

    Application number: US10769097

    Filing date: 2004-01-30

    CPC classification number: H04L63/1408 G06F21/563 G06F21/564 G06F21/566

    Abstract: A system and method for gathering exhibited behaviors of a .NET executable module in a secure manner is presented. In operation, a .NET behavior evaluation module presents a virtual .NET environment to a Microsoft Corporation .NET code module. The .NET behavior evaluation module implements enough aspects of an actual Microsoft Corporation .NET environment that a .NET code module can execute. As the .NET code module executes, the .NET behavior evaluation module records some of the exhibited behaviors, i.e., calls to .NET system-supplied libraries/subroutines, that are associated with known malware. The recorded behaviors are placed in a behavior signature for an external determination as to whether the .NET code module is malware, i.e., an unwanted computer attack.


5. Scanning data in an access restricted file for malware
    Granted patent, in force

    Publication number: US07660797B2

    Publication date: 2010-02-09

    Application number: US11139409

    Filing date: 2005-05-27

    CPC classification number: G06F21/56

    Abstract: The present invention is directed toward a system, method, and computer-readable medium that scan for malware a file that maintains a restrictive access attribute limiting access to the file. In accordance with one aspect of the present invention, a method for performing a scan for malware is provided for when antivirus software on a computer encounters a file with a restrictive access attribute that prevents the file from being scanned. More specifically, the method includes identifying the restrictive access attribute that limits access to the file; bypassing the restrictive access attribute to access data in the file; and using a scan engine to scan the data in the file for malware.


7. System and method of allowing user mode applications with access to file data
    Granted patent, in force

    Publication number: US07478237B2

    Publication date: 2009-01-13

    Application number: US10984207

    Filing date: 2004-11-08

    CPC classification number: G06F21/566 G06F21/564

    Abstract: In accordance with this invention, a system, method, and computer-readable medium that aggregates the knowledge base of a plurality of antivirus software applications are provided. User mode applications, such as antivirus software applications, gain access to file system operations through a common information model, which obviates the need for antivirus software vendors to create kernel mode filters. When file system operations are available to antivirus software applications, the present invention may cause each antivirus software application installed on a computing device to perform a scan to determine if the data is malware.


8. Selectively scanning objects for infection by malware
    Granted patent, in force

    Publication number: US08973135B2

    Publication date: 2015-03-03

    Application number: US13248867

    Filing date: 2011-09-29

    CPC classification number: G06F21/00 G06F21/564 G06F21/568

    Abstract: Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware.
