-
1.
Publication (announcement) no.: US07660797B2
Publication (announcement) date: 2010-02-09
Application no.: US11139409
Filing date: 2005-05-27
CPC class: G06F21/56
Abstract: The present invention is directed toward a system, method, and computer-readable medium that scan a file for malware that maintains a restrictive access attribute that limits access to the file. In accordance with one aspect of the present invention, a method for performing a scan for malware is provided when antivirus software on a computer encounters a file with a restrictive access attribute that prevents the file from being scanned. More specifically, the method includes identifying the restrictive access attribute that limits access to the file; bypassing the restrictive access attribute to access data in the file; and using a scan engine to scan the data in the file for malware.
-
2.
Publication (announcement) no.: US07861296B2
Publication (announcement) date: 2010-12-28
Application no.: US11154267
Filing date: 2005-06-16
Applicant: Mihai Costea, Adrian Bivol, Adrian M. Marinescu, Anil Francis Thomas, Cenk Ergan, David Goebel, George C. Chicioreanu, Marius Gheorghe Gheorghescu, Michael R. Fortin
Inventors: Mihai Costea, Adrian Bivol, Adrian M. Marinescu, Anil Francis Thomas, Cenk Ergan, David Goebel, George C. Chicioreanu, Marius Gheorghe Gheorghescu, Michael R. Fortin
IPC class: G06F11/00
CPC class: G06F21/51, G06F21/566
Abstract: The present invention is directed toward a system, method, and a computer-readable medium for efficiently loading data into memory in order to scan the data for malware. The logic provided in the present invention improves the experience of a user when operating a computer protected with antivirus software. One aspect of the present invention is a method that identifies a pattern in which data in a file is loaded into memory from a computer-readable medium. Then the method identifies a pattern in which data in the file may be loaded into memory in a way that minimizes the time required to read data in the file. When a subsequent scan of the file is scheduled to occur, the method causes data in the file to be loaded in memory using the pattern that minimizes the time required to read data in the file.
-
3.
Publication (announcement) no.: US20090199297A1
Publication (announcement) date: 2009-08-06
Application no.: US12025142
Filing date: 2008-02-04
IPC class: G06F21/24
CPC class: G06F21/566
Abstract: An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.
-
4.
Publication (announcement) no.: US08387139B2
Publication (announcement) date: 2013-02-26
Application no.: US12025142
Filing date: 2008-02-04
CPC class: G06F21/566
Abstract: An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.