摘要:
The present invention provides a system, method, and computer-readable medium for quarantining a file. Embodiments of the present invention are included in antivirus software that maintains a user interface. From the user interface, a user may issue a command to quarantine a file or the quarantine process may be initiated automatically by the antivirus software after malware is identified. When a file is marked for quarantine, aspects of the present invention encode file data with a function that is reversible. Then a set of metadata is identified that describes attributes of the file including any heightened security features that are used to limit access to the file. The metadata is moved to a quarantine folder, while the encoded file remains at the same location in the file system. As a result, the encoded file maintains the same file attributes as the original, non-quarantined file, including any heightened security features.
摘要:
The present invention is directed toward a system, method, and a computer-readable medium for efficiently loading data into memory in order to scan the data for malware. The logic provided in the present invention improves the experience of a user when operating a computer protected with antivirus software. One aspect of the present invention is a method that identifies a pattern in which data in a file is loaded into memory from a computer-readable medium. Then the method identifies a pattern in which data in the file may be loaded into memory in a way that minimizes the time required to read data in the file. When a subsequent scan of the file is scheduled to occur, the method causes data in the file to be loaded in memory using the pattern that minimizes the time required to read data in the file.
摘要:
In accordance with this invention, a system, method, and computer-readable medium that selectively scans files stored on a computing device for malware is provided. One aspect of the present invention includes identifying files that need to be scanned for malware when a software update that includes a malware signature is received. More specifically, attributes of the new malware are identified by searching metadata associated with the malware. Then, the method searches a scan cache and determines whether each file with an entry in the scan cache is the type that may be infected by the malware. If a file is the type that may be infected by the malware, the file is scanned for malware when a scanning event such as an I/O request occurs. Conversely, if the file is not the type that may be infected by the malware, the file may be accessed without a scan being performed.
摘要:
In accordance with this invention, a system, method, and computer-readable medium that selectively scans files stored on a computing device for malware is provided. One aspect of the present invention includes identifying files that need to be scanned for malware when a software update that includes a malware signature is received. More specifically, attributes of the new malware are identified by searching metadata associated with the malware. Then, the method searches a scan cache and determines whether each file with an entry in the scan cache is the type that may be infected by the malware. If a file is the type that may be infected by the malware, the file is scanned for malware when a scanning event such as an I/O request occurs. Conversely, if the file is not the type that may be infected by the malware, the file may be accessed without a scan being performed.
摘要:
In accordance with this invention, a system, method, and computer-readable medium that selectively scans files stored on a computing device for malware is provided. One aspect of the present invention includes identifying files that need to be scanned for malware when a software update that includes a malware signature is received. More specifically, attributes of the new malware are identified by searching metadata associated with the malware. Then, the method searches a scan cache and determines whether each file with an entry in the scan cache is the type that may be infected by the malware. If a file is the type that may be infected by the malware, the file is scanned for malware when a scanning event such as an I/O request occurs. Conversely, if the file is not the type that may be infected by the malware, the file may be accessed without a scan being performed.
摘要:
The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of network traffic, injection of a process, running of script, and/or writing system registry data. Telemetry data and/or a sample of the file may be sent to an antimalware service, and malware remediation may be performed. Data (e.g., the collected events) may be distributed to other nodes for use in antimalware detection, e.g., to block execution of a similar file.
摘要:
The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to antimalware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.
摘要:
Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware.
摘要:
Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware.
摘要:
A reliable automated malware classification approach with substantially low false positive rates is provided. Graph-based local and/or global file relationships are used to improve malware classification along with a feature selection algorithm. File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.