公开(公告)号：US20090100520A1

公开(公告)日：2009-04-16

申请号：US11974457

申请日：2007-10-12

申请人： Sterling Reasor ,  Jonathan Keller ,  Jason Joyce ,  Ahmed Hussain ,  Kanwaljit Marok ,  Nizan Manor ,  Santanu Chakraborty

发明人： Sterling Reasor ,  Jonathan Keller ,  Jason Joyce ,  Ahmed Hussain ,  Kanwaljit Marok ,  Nizan Manor ,  Santanu Chakraborty

IPC分类号： G06F21/00

CPC分类号： G06F21/566 ,  G06F2221/2101 ,  G06F2221/2145

摘要： An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled though application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier.

摘要翻译： 提供了一种用于在计算机系统上执行之前动态识别和拦截潜在软件威胁的布置，其中文件系统过滤器驱动程序（称为“微型过滤器”）与反恶意软件服务接口以选择性地生成警报事件并允许 除了产生警报事件和暂停威胁之外，运行的威胁。 暂停威胁或允许其运行的决定是通过应用级联逻辑层次结构来实现的，层级逻辑层次结构包括相应的策略定义的动作，用户定义的动作和签名定义的动作。 微型过滤器在打开或修改和关闭文件时，向反恶意软件服务生成警报事件。 该服务使用引擎来扫描文件，以识别通过应用逻辑层次结构处理的潜在威胁，逻辑层次结构提供在层次结构的较低层中定义的配置将被包含在较高层中的层覆盖。

公开(公告)号：US08341736B2

公开(公告)日：2012-12-25

申请号：US11974457

申请日：2007-10-12

申请人： Sterling Reasor ,  Jonathan Keller ,  Jason Joyce ,  Ahmed Hussain ,  Kanwaljit Marok ,  Nizan Manor ,  Santanu Chakraborty

发明人： Sterling Reasor ,  Jonathan Keller ,  Jason Joyce ,  Ahmed Hussain ,  Kanwaljit Marok ,  Nizan Manor ,  Santanu Chakraborty

IPC分类号： G06F21/00

CPC分类号： G06F21/566 ,  G06F2221/2101 ,  G06F2221/2145

摘要： An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled though application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier.

摘要翻译： 提供了在计算机系统上执行之前动态识别和拦截潜在软件威胁的安排，其中文件系统过滤器驱动程序（称为微型过滤器）与反恶意软件服务接口以选择性地生成警报事件并允许威胁 运行，除了生成警报事件和暂停威胁。 暂停威胁或允许其运行的决定是通过应用级联逻辑层次结构来实现的，层级逻辑层次结构包括相应的策略定义的动作，用户定义的动作和签名定义的动作。 微型过滤器在打开或修改和关闭文件时，向反恶意软件服务生成警报事件。 该服务使用引擎来扫描文件，以识别通过应用逻辑层次结构处理的潜在威胁，逻辑层次结构提供在层次结构的较低层中定义的配置将被包含在较高层中的层覆盖。

公开(公告)号：US20100242094A1

公开(公告)日：2010-09-23

申请号：US12405252

申请日：2009-03-17

申请人： Ahmed S. Hussain ,  Ajith Kumar ,  Catalin D. Sandu ,  Alvin Loh ,  Sterling M. Reasor ,  Santanu Chakraborty ,  Joseph L. Faulhaber

发明人： Ahmed S. Hussain ,  Ajith Kumar ,  Catalin D. Sandu ,  Alvin Loh ,  Sterling M. Reasor ,  Santanu Chakraborty ,  Joseph L. Faulhaber

IPC分类号： G06F21/00 ,  H04L9/32

CPC分类号： G06F21/564

摘要： Methods, systems, and computer-readable media are disclosed for identifying telemetry data. A particular method scans a file and compares the file to at least one attribute to be used for telemetry collection. When the file is identified as a telemetry candidate, an offer to submit a sample of the file is sent to a server. A response to the offer is received from the server. If the response to the offer indicates an acceptance, a sample of the file is sent to the server.

摘要翻译： 公开了用于识别遥测数据的方法，系统和计算机可读介质。 特定方法扫描文件，并将该文件与要用于遥测收集的至少一个属性进行比较。 当文件被识别为遥测候选者时，将提交文件样本的报价发送到服务器。 从服务器收到对该报价的响应。 如果对提议的响应表示接受，则将该文件的样本发送到服务器。

公开(公告)号：US09767282B2

公开(公告)日：2017-09-19

申请号：US12967596

申请日：2010-12-14

申请人： Sterling M. Reasor ,  Kumi N. Hilwa ,  Eddy S. Hsia ,  Santanu Chakraborty ,  Joseph Leo Faulhaber ,  Vishal Kapoor ,  Michael Sean Jarrett ,  Charles Turner ,  Jeremy D. Croy

发明人： Sterling M. Reasor ,  Kumi N. Hilwa ,  Eddy S. Hsia ,  Santanu Chakraborty ,  Joseph Leo Faulhaber ,  Vishal Kapoor ,  Michael Sean Jarrett ,  Charles Turner ,  Jeremy D. Croy

IPC分类号： G06F21/56

CPC分类号： G06F21/564 ,  G06F21/565 ,  G06F21/568

摘要： The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online.

公开(公告)号：US09208315B2

公开(公告)日：2015-12-08

申请号：US12405252

申请日：2009-03-17

申请人： Ahmed S. Hussain ,  Ajith Kumar ,  Catalin D. Sandu ,  Alvin Loh ,  Sterling M. Reasor ,  Santanu Chakraborty ,  Joseph L. Faulhaber

发明人： Ahmed S. Hussain ,  Ajith Kumar ,  Catalin D. Sandu ,  Alvin Loh ,  Sterling M. Reasor ,  Santanu Chakraborty ,  Joseph L. Faulhaber

IPC分类号： G06F11/00 ,  G06F21/56

CPC分类号： G06F21/564

摘要： Methods, systems, and computer-readable media are disclosed for identifying telemetry data. A particular method scans a file and compares the file to at least one attribute to be used for telemetry collection. When the file is identified as a telemetry candidate, an offer to submit a sample of the file is sent to a server. A response to the offer is received from the server. If the response to the offer indicates an acceptance, a sample of the file is sent to the server.

摘要翻译： 公开了用于识别遥测数据的方法，系统和计算机可读介质。 特定方法扫描文件，并将该文件与要用于遥测收集的至少一个属性进行比较。 当文件被识别为遥测候选者时，将提交文件样本的报价发送到服务器。 从服务器收到对该报价的响应。 如果对提议的响应表示接受，则将该文件的样本发送到服务器。

公开(公告)号：US20120151582A1

公开(公告)日：2012-06-14

申请号：US12967596

申请日：2010-12-14

申请人： Sterling M. Reasor ,  Kumi N. Hilwa ,  Eddy S. Hsia ,  Santanu Chakraborty ,  Joseph Leo Faulhaber ,  Vishal Kapoor ,  Michael Sean Jarrett ,  Charles Turner ,  Jeremy D. Croy

发明人： Sterling M. Reasor ,  Kumi N. Hilwa ,  Eddy S. Hsia ,  Santanu Chakraborty ,  Joseph Leo Faulhaber ,  Vishal Kapoor ,  Michael Sean Jarrett ,  Charles Turner ,  Jeremy D. Croy

IPC分类号： G06F21/00

CPC分类号： G06F21/564 ,  G06F21/565 ,  G06F21/568

摘要： The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online.

摘要翻译： 主题公开涉及反恶意软件扫描，更具体地涉及经由替代的已知安全操作系统的主机环境的离线反恶意软件扫描。 脱机扫描产品获得先前由主机环境在线反恶意软件扫描工具写入的数据，例如在脱机和在线产品可访问的共享数据存储器中的配置数据和反恶意软件签名，并使用该数据执行脱机反恶意软件扫描。 离线扫描产品将结果信息和任何隔离文件写入其他共享数据存储，从而在重新启动时，在线环境可以访问信息，例如查看信息，并将遥测信息上传到在线服务进行分析。 还描述了在线时不能清理或删除的操作系统文件的离线替换。