摘要:
An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled though application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier.
摘要:
An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled though application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier.
摘要:
Methods, systems, and computer-readable media are disclosed for identifying telemetry data. A particular method scans a file and compares the file to at least one attribute to be used for telemetry collection. When the file is identified as a telemetry candidate, an offer to submit a sample of the file is sent to a server. A response to the offer is received from the server. If the response to the offer indicates an acceptance, a sample of the file is sent to the server.
摘要:
The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online.
摘要:
Methods, systems, and computer-readable media are disclosed for identifying telemetry data. A particular method scans a file and compares the file to at least one attribute to be used for telemetry collection. When the file is identified as a telemetry candidate, an offer to submit a sample of the file is sent to a server. A response to the offer is received from the server. If the response to the offer indicates an acceptance, a sample of the file is sent to the server.
摘要:
The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online.