Abstract:
The instant disclosure describes various exemplary systems and methods for exonerating an untrusted software component based solely on a trusted software component's non-optional or “hard” dependency on the untrusted software component. In one example, a method for exonerating untrusted software components in this manner may include: 1) identifying a dependent software component, 2) determining that the dependent software component is a non-optional dependent component of at least one trusted software component, and then 3) classifying the dependent software component as a trusted software component. As detailed herein, such a method may enable security software to quickly and efficiently exonerate untrusted components by association without having to scan or perform other intrusive and/or resource-intensive security operations on such untrusted software components.
Abstract:
A method for classifying a process that modifies a registry attribute is described. At least one attribute associated with a registry is monitored. A determination is made that the at least one attribute has been modified. The process that modified the at least one attribute is identified. One or more characteristics of the identified process are evaluated. The identified process is classified based on the evaluation of the one or more characteristics of the identified process.
Abstract:
A network communication corresponding to a malicious network signature associated with malicious code is detected on a host computer system. A determination is made whether or not the malicious network signature is validated as associated with a non-malicious code process. Upon a determination that the malicious network signature is not validated, the corresponding network communication is blocked, and the associated malicious code is located on the host computer system and removed from the host computer system. In some embodiments, the host computer system is further evaluated for the presence of residual artifacts of the malicious code on the host computer system.
Abstract:
Method and apparatus for detecting malware are described. In some examples, files of unknown trustworthiness are identified as potential threats on the computer. A trustworthiness level for each of the files is received from a backend. The trustworthiness level of each of the files is compared to a threshold level. Each of the files where the trustworthiness level thereof satisfies the threshold level is designated as a false positive threat. Each of the files where the trustworthiness level thereof does not satisfy the threshold level is designated as a true positive threat.
Abstract:
A hook is set for one or more downloading functions. Subsequently, code is executed within an application process. Responsive to the executed code calling one of the hooked functions, a return address of the called function is examined. If the return address is within a heap memory area of the application process, a remedial action, such as returning an error code or displaying an alert, is taken.
Abstract:
A method includes creating an intercept function for a tracked DLL function of a DLL being loaded into a suspicious module. Upon a determination that the tracked DLL function is invoked, a determination is made as to whether a return address of a caller of the tracked DLL function is within a legitimate return address range. The legitimate return address range includes an address range of the intercept function and excludes an address range of the suspicious module. If the return address is within the suspicious module, the suspicious module called the tracked DLL function directly. This indicates that the suspicious module is malicious and so protective action is taken.