1. Remediating malware infections through obfuscation
    Granted invention patent; status: in force

    Publication number: US08495741B1

    Publication date: 2013-07-23

    Application number: US11694711

    Application date: 2007-03-30

    IPC classification: G06F21/00

    CPC classification: G06F21/575

    Abstract: A computer has a storage device that is infected with malicious software (malware). The malware uses stealth or rootkit techniques to hide itself in the storage device. A security module within the storage device detects the malware by comparing the files read from the storage device to those reported by the operating system. Upon detecting the malware, the security module prepares the computer for malware obfuscation by storing information describing the location of the malware, deploying an executable file, and configuring it to run on reboot. The executable file executes upon reboot and locates the data on the storage device associated with the malware. The executable file obfuscates the data so that the malware no longer loads at boot time, thereby disabling the rootkit technique. The computer reboots and the security module remediates the malware infection.

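The abstract describes a cross-view comparison (device-level read versus OS-reported listing) followed by a reboot-time obfuscation of whatever the comparison exposes. The following is an added example, not the patent's own code: the storage device is modelled as an in-memory dict of path to bytes, the two listings and the file contents are constructed sample data, and the XOR-based obfuscation and the 64-byte header window are assumptions chosen to make a driver's MZ header unparseable while keeping the transform reversible. Registering the executable to run at reboot is OS-specific and is left out of the model.

```python
"""Cross-view rootkit detection followed by reboot-time obfuscation.

Added example, not the patent's own code. RAW_VIEW is what the security
module reads directly from the storage device; OS_VIEW is what the operating
system's file API reports after a rootkit has filtered its own files.
"""
import hashlib

# Constructed sample: direct read of the storage device (assumed paths).
RAW_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys": b"MZ\x90\x00 ntfs driver",
    r"C:\Windows\System32\drivers\hidden.sys": b"MZ\x90\x00 rootkit driver",
    r"C:\Windows\System32\loader.cfg": b"start=hidden.sys",
    r"C:\Users\alice\notes.txt": b"meeting at 10",
}

# Constructed sample: the same tree as reported by the OS. The rootkit hides
# its driver entirely and serves a sanitized (empty) copy of the config file.
OS_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys": b"MZ\x90\x00 ntfs driver",
    r"C:\Windows\System32\loader.cfg": b"",
    r"C:\Users\alice\notes.txt": b"meeting at 10",
}


def digest(data):
    return hashlib.sha256(data).hexdigest()


def cross_view_diff(raw_view, os_view):
    """Paths that exist on the device but are missing or altered in the OS view."""
    hidden = []
    for path, data in raw_view.items():
        if path not in os_view or digest(os_view[path]) != digest(data):
            hidden.append(path)
    return sorted(hidden)


def prepare_for_reboot(hidden_paths):
    """Persist the locations the reboot-time executable must obfuscate.

    The patent also deploys an executable and registers it to run at reboot;
    that registration is OS-specific and is left out of this in-memory model.
    The key is an assumption for the illustrative XOR transform below.
    """
    return {"targets": list(hidden_paths), "xor_key": 0xA5}


def obfuscate_targets(storage, manifest):
    """Simulated reboot-time executable.

    The first 64 bytes of each target are XOR-ed with the manifest key, which
    destroys the MZ header a driver loader needs but keeps the transform
    reversible so the original bytes can be recovered for analysis.
    """
    key = manifest["xor_key"]
    for path in manifest["targets"]:
        data = storage[path]
        storage[path] = bytes(b ^ key for b in data[:64]) + data[64:]
    return storage


def remediate(raw_view, os_view):
    """Run the whole sequence on a copy and return (obfuscated image, manifest)."""
    hidden = cross_view_diff(raw_view, os_view)
    manifest = prepare_for_reboot(hidden)
    return obfuscate_targets(dict(raw_view), manifest), manifest


if __name__ == "__main__":
    image, manifest = remediate(RAW_VIEW, OS_VIEW)
    for path in manifest["targets"]:
        print(path, "->", image[path][:4])
```

Comparing digests rather than mere presence also catches the second rootkit trick in the sample, a file that is listed but served with sanitized content. Running `obfuscate_targets` a second time with the same manifest restores the original bytes, which is why a reversible transform was chosen over zeroing.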

2. Anti-malware scanning in a virtualized file system environment
    Granted invention patent; status: in force

    Publication number: US08065730B1

    Publication date: 2011-11-22

    Application number: US12059790

    Application date: 2008-03-31

    IPC classification: G06F11/00 G06F11/30

    CPC classification: G06F21/56

    Abstract: A computer includes a file system that supports virtualization. A scanning module identifies a file to be scanned for malware and a virtualized file detection module determines whether the file is virtualized. A file retrieval module locates a virtualized version of the file if the file is determined to be virtualized, and a malware detection module determines whether the virtualized version of the file contains malware. If malware is found, the malware detection module takes remedial action to address any security threat posed by the malware.

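The abstract's four modules (identify the file, decide whether it is virtualized, locate the virtualized version, scan it) map onto a small scanner. The following is an added example, not the patent's own code: it models Windows UAC file virtualization, where writes by legacy non-elevated processes under Program Files and Windows are redirected into a per-user VirtualStore directory below the user's local application-data folder, using an in-memory filesystem. The list of virtualized roots, the user directories, the file contents and the single byte-pattern signature are constructed sample data.

```python
"""Locating the virtualized copy of a file before scanning it.

Added example, not the patent's own code. Windows file virtualization is
modelled on an in-memory filesystem; every path and signature is constructed.
"""
import ntpath

# System roots whose writes are redirected per user (assumed list).
VIRTUALIZED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# Constructed sample: a clean canonical DLL, a trojanized copy that a
# non-elevated installer wrote into alice's VirtualStore, and a clean copy in bob's.
FILESYSTEM = {
    r"C:\Program Files\Viewer\plugin.dll": b"MZ clean plugin",
    r"C:\Users\alice\AppData\Local\VirtualStore\Program Files\Viewer\plugin.dll": b"MZ EVIL_PAYLOAD plugin",
    r"C:\Users\bob\AppData\Local\VirtualStore\Program Files\Viewer\plugin.dll": b"MZ clean plugin",
}
LOCAL_APPDATA = [r"C:\Users\alice\AppData\Local", r"C:\Users\bob\AppData\Local"]

SIGNATURES = {b"EVIL_PAYLOAD": "Trojan.Sample"}  # constructed signature


def is_virtualizable(path):
    """Virtualized file detection: does the path live under a redirected root?"""
    return any(path.lower().startswith(root.lower() + "\\") for root in VIRTUALIZED_ROOTS)


def virtual_store_path(path, local_appdata):
    """Map a protected-location path to its VirtualStore equivalent for one user."""
    _, rest = ntpath.splitdrive(path)
    return ntpath.join(local_appdata, "VirtualStore", rest.lstrip("\\"))


def find_virtualized_versions(path, filesystem, users_local_appdata):
    """File retrieval: every user's VirtualStore copy that actually exists."""
    if not is_virtualizable(path):
        return []
    candidates = (virtual_store_path(path, lad) for lad in users_local_appdata)
    return [c for c in candidates if c in filesystem]


def scan_bytes(data):
    """Malware detection on one file's bytes; None when no signature matches."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_file(path, filesystem, users_local_appdata):
    """Scan the canonical file and every virtualized copy; return detections."""
    results = {}
    for candidate in [path] + find_virtualized_versions(path, filesystem, users_local_appdata):
        if candidate in filesystem:
            verdict = scan_bytes(filesystem[candidate])
            if verdict:
                results[candidate] = verdict
    return results


if __name__ == "__main__":
    print(scan_file(r"C:\Program Files\Viewer\plugin.dll", FILESYSTEM, LOCAL_APPDATA))
```

The point the example makes is the one the abstract turns on: a scanner that only opens the canonical path sees the clean plugin, while the copy that alice's processes actually load is the trojanized one in her VirtualStore. Because virtualization is per user, the lookup has to be repeated for every user profile, not just the current one.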

3. User interface based malware detection
    Granted invention patent; status: in force

    Publication number: US08776227B1

    Publication date: 2014-07-08

    Application number: US12968206

    Application date: 2010-12-14

    CPC classification: G06F21/566 G06F2221/032

    Abstract: Malware with fake or misleading anti-malware user interfaces (UIs) is detected. Processes running on a computer system are monitored and their window creation events are detected. The structures of the created windows are retrieved to detect the presence of UI features that are commonly presented in known fake or misleading anti-malware UIs ("fakeAVUIs"). If a window includes a UI feature commonly presented in known fakeAVUIs, that window is determined to be suspicious and additional tests are applied to determine the validity of the information in the window. If the information in the window is determined to be invalid, then the process that created the window is determined to be malware and a remediating action is applied to the process.

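The abstract describes a two-stage decision: feature matching on the created window's control tree, then validity tests on the information it displays. The following is an added example, not the patent's own code. A window-creation event is modelled as a dict tree of controls (an assumed shape; on Windows the tree would be collected through EnumChildWindows, GetClassName and GetWindowText), the feature patterns and the two validity tests (claimed threat count must match the listed items, and every listed path must exist on disk) are assumptions, and the three windows and the set of files on disk are constructed sample data.

```python
"""Rule-based detection of fake anti-malware user interfaces.

Added example, not the patent's own code. Windows, feature rules and the
on-disk file set are constructed; the control-tree shape is an assumption.
"""
import re

# UI features the abstract says are common in known fakeAVUIs (patterns assumed).
FEATURE_RULES = {
    "threat_count_claim": re.compile(
        r"\b(\d+)\s+(?:threats?|infections?|viruses)\s+(?:found|detected)\b", re.I),
    "purchase_prompt": re.compile(r"\b(?:activate|buy|register|purchase)\b", re.I),
}
PROGRESS_CLASS = "msctls_progress32"   # Win32 progress bar class
LIST_CLASS = "SysListView32"           # Win32 list view class

# Constructed sample: files that really exist on the monitored machine.
FILES_ON_DISK = {r"C:\Users\alice\Downloads\crack.exe", r"C:\Users\alice\Downloads\setup.exe"}

# Constructed window-creation events (pid and tree are assumptions).
FAKE_EVENT = {"pid": 4120, "window": {"class": "#32770", "text": "System Security 2011", "children": [
    {"class": "Static", "text": "Scan complete: 38 infections found!"},
    {"class": PROGRESS_CLASS},
    {"class": LIST_CLASS, "items": [{"path": r"C:\Windows\System32\kernel32.dll.vir"},
                                    {"path": r"C:\Windows\hacktool.exe"}]},
    {"class": "Button", "text": "Activate to remove"},
]}}
REAL_EVENT = {"pid": 988, "window": {"class": "#32770", "text": "Scan results", "children": [
    {"class": "Static", "text": "Scan complete: 2 threats found"},
    {"class": PROGRESS_CLASS},
    {"class": LIST_CLASS, "items": [{"path": r"C:\Users\alice\Downloads\crack.exe"},
                                    {"path": r"C:\Users\alice\Downloads\setup.exe"}]},
    {"class": "Button", "text": "Quarantine"},
]}}
NOTEPAD_EVENT = {"pid": 2210, "window": {"class": "Notepad", "text": "todo.txt - Notepad", "children": [
    {"class": "Edit", "text": "buy milk"},
]}}


def walk(ctl):
    """Depth-first traversal of a control tree."""
    yield ctl
    for child in ctl.get("children", []):
        yield from walk(child)


def fakeav_features(window):
    """Stage one: which fakeAVUI features does the window exhibit?"""
    found = set()
    for ctl in walk(window):
        text = ctl.get("text", "")
        found.update(name for name, rx in FEATURE_RULES.items() if rx.search(text))
        if ctl.get("class") == PROGRESS_CLASS:
            found.add("scan_progress")
    return found


def claims_are_valid(window, files_on_disk):
    """Stage two (assumed tests): the claimed threat count must equal the number
    of listed items, and every listed path must exist on disk."""
    claimed, listed = None, []
    for ctl in walk(window):
        m = FEATURE_RULES["threat_count_claim"].search(ctl.get("text", ""))
        if m:
            claimed = int(m.group(1))
        if ctl.get("class") == LIST_CLASS:
            listed.extend(item["path"] for item in ctl.get("items", []))
    count_ok = claimed is None or claimed == len(listed)
    paths_ok = all(p in files_on_disk for p in listed)
    return count_ok and paths_ok


def classify(event, files_on_disk):
    """Return 'fakeav', 'av_like' or 'clean' for one window-creation event.

    A window needs at least two features to be treated as suspicious
    (threshold assumed); only suspicious windows get the validity tests.
    """
    features = fakeav_features(event["window"])
    if len(features) < 2:
        return "clean"
    return "av_like" if claims_are_valid(event["window"], files_on_disk) else "fakeav"


if __name__ == "__main__":
    for ev in (FAKE_EVENT, REAL_EVENT, NOTEPAD_EVENT):
        print(ev["pid"], classify(ev, FILES_ON_DISK))
```

The two-stage split matters for false positives: a genuine scanner's results window also carries a progress bar and a "N threats found" caption, so feature matching alone would flag it; it is the second stage, checking that what the window says is true, that separates it from the fake one, whose listed "infected" files do not exist and whose count does not match its own list. A verdict of `fakeav` is what the abstract ties to remediating the process that created the window.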