公开(公告)号：US07571482B2

公开(公告)日：2009-08-04

申请号：US11170792

申请日：2005-06-28

申请人： Alexey A. Polyakov ,  Gretchen L. Loihle ,  Mihai Costea ,  Robert J. Hensing, Jr. ,  Scott A. Field ,  Vincent R. Orgovan ,  Yi-Min Wang ,  Yun Lin

发明人： Alexey A. Polyakov ,  Gretchen L. Loihle ,  Mihai Costea ,  Robert J. Hensing, Jr. ,  Scott A. Field ,  Vincent R. Orgovan ,  Yi-Min Wang ,  Yun Lin

IPC分类号： G06F12/14 ,  G06F11/00

CPC分类号： G06F21/566

摘要： Embodiments of a RootKit detector are directed to identifying a RootKit on a computer that is designed to conceal malware. Aspects of the RootKit detector leverage services provided by kernel debugger facilities to automatically obtain data in specified data structures that are maintained by an operating system. Then the data obtained from the kernel debugger facilities is processed with an integrity checker that determines whether the data contains properties sufficient to declare that a RootKit is resident on the computer.

摘要翻译： RootKit检测器的实施例旨在识别被设计为隐藏恶意软件的计算机上的RootKit。 RootKit检测器的各个方面利用内核调试工具提供的服务来自动获取由操作系统维护的指定数据结构中的数据。 然后，使用完整性检查器处理从内核调试器设备获取的数据，该检查器确定数据是否包含足以声明RootKit驻留在计算机上的属性。

公开(公告)号：US20080005797A1

公开(公告)日：2008-01-03

申请号：US11480774

申请日：2006-06-30

申请人： Scott A Field ,  Rohan R. Phillips ,  Alexey A. Polyakov

发明人： Scott A Field ,  Rohan R. Phillips ,  Alexey A. Polyakov

IPC分类号： G06F12/14

CPC分类号： G06F21/562 ,  G06F21/575

摘要： Generally described, the present invention is directed at identifying malware. In one embodiment, a method is provided that performs a search for malware during the boot process. More specifically, the method causes a software module configured to scan for malware to be initialized at computer start up. Then, in response to identifying the occurrence of a scanning event, the method causes the software module to search computer memory for data that is characteristic of malware. If data characteristic of malware is identified, the method handles the malware infection.

摘要翻译： 通常描述，本发明涉及识别恶意软件。 在一个实施例中，提供了一种在引导过程中执行恶意软件搜索的方法。 更具体地，该方法使软件模块被配置为扫描在计算机启动时被初始化的恶意软件。 然后，响应于识别扫描事件的发生，该方法使得软件模块搜索计算机存储器中是恶意软件特征的数据。 如果识别出恶意软件的数据特征，该方法会处理恶意软件感染。

公开(公告)号：US07636946B2

公开(公告)日：2009-12-22

申请号：US11377713

申请日：2006-03-15

申请人： Surendra Verma ,  Dana D. Groff ,  Jonathan M. Cargille ,  Andrew M. Herron ,  Christian G. Allred ,  Neal R. Christiansen ,  Alexey A. Polyakov

发明人： Surendra Verma ,  Dana D. Groff ,  Jonathan M. Cargille ,  Andrew M. Herron ,  Christian G. Allred ,  Neal R. Christiansen ,  Alexey A. Polyakov

IPC分类号： G06F12/14 ,  G06F17/30

CPC分类号： G06F21/566 ,  G06F21/56 ,  Y10S707/99945 ,  Y10S707/99953

摘要： Aspects of the subject matter described herein relate to antivirus protection and transactions. In aspects, a filter detects that a file is participating in a transaction and then may cause the file to be scanned together with any changes that have made to the file during the transaction. After a file is scanned, a cache entry may be updated to indicate that the file is clean. The cache entry may be used subsequently for like-type states. For example, if the file was scanned inside a transaction, the cache entry may be used later in the transaction. If the file was scanned outside a transaction, the cache entry may be used later for requests pertaining to files not in a transaction. Cache entries may be discarded when they are invalid or no longer useful.

摘要翻译： 本文所述主题的方面涉及防病毒保护和交易。 在方面，过滤器检测到文件正在参与事务，然后可能导致文件与事务中对文件所做的任何更改一起进行扫描。 扫描文件后，可能会更新缓存条目以指示文件干净。 缓存条目可以随后用于类型状态。 例如，如果文件在事务中被扫描，则高速缓存条目可以在事务中稍后使用。 如果文件在事务之外被扫描，则缓存条目可以稍后用于与不在事务中的文件相关的请求。 缓存条目无效或不再有用时可能会被丢弃。

公开(公告)号：US20110173698A1

公开(公告)日：2011-07-14

申请号：US12684719

申请日：2010-01-08

申请人： Alexey A. Polyakov ,  Ravi Bikkula

发明人： Alexey A. Polyakov ,  Ravi Bikkula

IPC分类号： G06F11/00

CPC分类号： G06F21/564 ,  G06F11/0748 ,  G06F11/0751 ,  G06F21/565

摘要： An anti-malware system that reduces the likelihood of detecting a false positive. The system is applied in an enterprise network in which a server receives reports of suspected malware from multiple hosts. Files on hosts suspected of containing malware are compared to control versions of those files. A match between a suspected file and a control version is used as an indication that the malware report is a false positive. Such an indication may be used in conjunction with other information, such as whether other hosts similarly report suspect files that match control versions or whether the malware report is generated by a recently changed component of the anti-malware system.

摘要翻译： 一种防恶意软件系统，可以降低检测到假阳性的可能性。 该系统应用在企业网络中，其中服务器从多个主机接收可疑恶意软件的报告。 将怀疑含有恶意软件的主机上的文件与这些文件的控制版本进行比较。 可疑文件和控制版本之间的匹配被用作指示恶意软件报告是假阳性。 这样的指示可以与其他信息一起使用，诸如其他主机是否类似地报告与控制版本相匹配的可疑文件，或者恶意软件报告是否由反恶意软件系统的最近更改的组件生成。

公开(公告)号：US08719935B2

公开(公告)日：2014-05-06

申请号：US12684719

申请日：2010-01-08

申请人： Alexey A. Polyakov ,  Ravi Bikkula

发明人： Alexey A. Polyakov ,  Ravi Bikkula

IPC分类号： G06F21/00 ,  G06F21/56

CPC分类号： G06F21/564 ,  G06F11/0748 ,  G06F11/0751 ,  G06F21/565

摘要： An anti-malware system that reduces the likelihood of detecting a false positive. The system is applied in an enterprise network in which a server receives reports of suspected malware from multiple hosts. Files on hosts suspected of containing malware are compared to control versions of those files. A match between a suspected file and a control version is used as an indication that the malware report is a false positive. Such an indication may be used in conjunction with other information, such as whether other hosts similarly report suspect files that match control versions or whether the malware report is generated by a recently changed component of the anti-malware system.

摘要翻译： 一种防恶意软件系统，可以降低检测到假阳性的可能性。 该系统应用在企业网络中，其中服务器从多个主机接收可疑恶意软件的报告。 将怀疑含有恶意软件的主机上的文件与这些文件的控制版本进行比较。 可疑文件和控制版本之间的匹配被用作指示恶意软件报告是假阳性。 这样的指示可以与其他信息一起使用，诸如其他主机是否类似地报告与控制版本相匹配的可疑文件，或者恶意软件报告是否由反恶意软件系统的最近更改的组件生成。

公开(公告)号：US08042186B1

公开(公告)日：2011-10-18

申请号：US13096227

申请日：2011-04-28

申请人： Alexey A. Polyakov ,  Vladislav V. Martynenko ,  Yuri G. Slobodyanuk ,  Denis A. Nazarov ,  Mikhail A. Pavlyushchik

发明人： Alexey A. Polyakov ,  Vladislav V. Martynenko ,  Yuri G. Slobodyanuk ,  Denis A. Nazarov ,  Mikhail A. Pavlyushchik

IPC分类号： G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G08B23/00

CPC分类号： G06F21/564 ,  G06F21/552

摘要： Disclosed are systems, methods and computer program products for detection of malware with complex infection patterns. The system provides enhanced protection against malware by identifying potentially harmful software objects, monitoring execution of various processes and threads of potentially harmful objects, compiling contexts of events of execution of the monitored processes and threads, and merging contexts of related processes and threads. Based on the analysis of the individual and merged object contexts using malware behavior rules, the system allows detection of malicious objects that have simple and complex behavior patterns.

摘要翻译： 公开了用于检测具有复杂感染模式的恶意软件的系统，方法和计算机程序产品。 该系统通过识别潜在有害的软件对象，监视潜在有害对象的各种进程和线程的执行，编译监视的进程和线程的执行事件的上下文以及合并相关进程和线程的上下文来增强对恶意软件的保护。 基于对使用恶意软件行为规则的个人和合并对象上下文的分析，系统允许检测具有简单和复杂行为模式的恶意对象。

公开(公告)号：US07809670B2

公开(公告)日：2010-10-05

申请号：US11608625

申请日：2006-12-08

申请人： Tony Lee ,  Jigar J. Mody ,  Ying Lena Lin ,  Adrian M. Marinescu ,  Alexey A. Polyakov

发明人： Tony Lee ,  Jigar J. Mody ,  Ying Lena Lin ,  Adrian M. Marinescu ,  Alexey A. Polyakov

IPC分类号： G06F17/00

CPC分类号： G06F21/564

摘要： The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules are applied to a new application in order to classify the new application into one of the application groups.

摘要翻译： 本发明涉及一种将应用程序自动分类为先前分类为知识库的应用组的方法和系统。 更具体地，应用程序的运行时行为被捕获为在应用程序的执行期间被监视和记录的一系列事件。 分析一系列事件，以找到与应用程序共享公共运行时行为模式的正确应用程序组。 基于大量示例应用程序，先前构建了应用程序组的知识库。 基于知识库中的一组分类规则，完成知识库的构建，使得每个样本应用程序可以分类为应用组。 将一组分类规则应用于新应用程序，以便将新应用程序分类到其中一个应用程序组中。

公开(公告)号：US07647636B2

公开(公告)日：2010-01-12

申请号：US11210565

申请日：2005-08-24

申请人： Alexey A. Polyakov ,  Neil A. Cowie

发明人： Alexey A. Polyakov ,  Neil A. Cowie

IPC分类号： G06F11/00

CPC分类号： G06F21/566

摘要： A generic RootKit detector is disclosed that identifies when a malware, commonly known as RootKit, is resident on a computer. In one embodiment, the generic RootKit detector performs a method that compares the properties of different versions of a library used by the operating system to provide services to an application program. In this regard, when a library is loaded into memory, an aspect of the generic RootKit detector compares two versions of the library; a potentially infected version in memory and a second version stored in a protected state on a storage device. If certain properties of the first version of the library are different from the second version, a determination is made that a RootKit is infection the computer.

摘要翻译： 公开了通用的RootKit检测器，其识别通常称为RootKit的恶意软件何时驻留在计算机上。 在一个实施例中，通用RootKit检测器执行一种比较操作系统使用的库的不同版本的属性以向应用程序提供服务的方法。 在这方面，当一个库加载到内存中时，通用RootKit检测器的一个方面比较了库的两个版本; 存储器中的潜在受感染版本和存储在存储设备上的受保护状态的第二版本。 如果库的第一个版本的某些属性与第二个版本不同，则确定RootKit会感染计算机。

公开(公告)号：US08201253B1

公开(公告)日：2012-06-12

申请号：US11183318

申请日：2005-07-15

申请人： Lee Guang Yan ,  Alexey A. Polyakov

发明人： Lee Guang Yan ,  Alexey A. Polyakov

IPC分类号： H04L29/06

CPC分类号： G06F21/51 ,  G06F21/562 ,  H04L63/1416

摘要： A method and system in a computing device for performing security related functions as part of a process created to execute a software component that may be unrelated to security is provided. The security system provides security code that performs one or more security related functions. When a process is created to execute the code of a software component, the security system causes the security code to be executed before the execution of the code of the software component. One security related function of the security code may be to cause the operating system to maintain information about the process as long as the process exists. If the operating system later reports that the process no longer exists but the information is still being maintained, then the security system can assume that malware is attempting to hide the process.

摘要翻译： 提供了一种用于执行安全相关功能的计算设备中的方法和系统，作为创建用于执行可能与安全性无关的软件组件的过程的一部分。 安全系统提供执行一个或多个安全相关功能的安全代码。 当创建用于执行软件组件的代码的过程时，安全系统使得在执行软件组件的代码之前执行安全代码。 只要该过程存在，安全代码的一个安全相关功能可能是导致操作系统维护有关进程的信息。 如果操作系统稍后报告该进程不再存在，但信息仍在维护中，则安全系统可以假设恶意软件试图隐藏进程。