2. METHOD AND SYSTEM TO DETECT MALWARE THAT REMOVES ANTI-VIRUS FILE SYSTEM FILTER DRIVER FROM A DEVICE STACK
    Patent application (pending, published)

    Publication number: US20110283358A1

    Publication date: 2011-11-17

    Application number: US12781263

    Filing date: 2010-05-17

    IPC classes: G06F21/00 G06F11/00

    Abstract: A method for detecting removal of a filter driver includes performing an operation on an element of the kernel mode of an operating system, the operation being initiated by a user mode entity, obtaining the result of the operation, and comparing that result against the expected result of the operation. If the result matches the expected result, the file system filter driver in the kernel mode of the operating system is determined to be working correctly. If the result does not match the expected result, the file system filter driver in the kernel mode of the operating system is determined to have been compromised by malware.
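How the user-mode check in the abstract can be exercised, as an added example that is not part of the patent or of any product: the device stack, the anti-virus filter and the I/O request are simulated in Python; the canary path and the filter name `avfilter` are assumptions, while `STATUS_ACCESS_DENIED` is the real NTSTATUS value a blocked open returns. The probe compares behaviour (the result of an operation the filter must intercept) with an expected result, so it catches both a filter that was unlinked from the stack and one that is still listed but whose dispatch routine was patched to pass requests through; a presence-only check such as listing loaded minifilters with `fltmc filters` catches only the first case.

```python
# Added example (not the patent's own code): a user-mode probe that decides whether
# the anti-virus file system filter still does its job by performing an operation
# the filter must intercept and comparing the result with the expected result.
# The device stack, the filter and the I/O request are simulated; only the probe
# logic carries over to a real implementation.

STATUS_SUCCESS = 0x00000000            # NTSTATUS values
STATUS_ACCESS_DENIED = 0xC0000022
IRP_MJ_CREATE = "IRP_MJ_CREATE"
CANARY = r"C:\ProgramData\AV\probe.canary"   # assumed: the filter refuses to open this path


class Irp:
    """Minimal I/O request: major function plus the file path it targets."""
    def __init__(self, major, path):
        self.major, self.path = major, path


class FileSystemDevice:
    """Bottom of the stack: the file system completes every request successfully."""
    name = "ntfs"

    def dispatch(self, irp, lower):
        return STATUS_SUCCESS


class AvFilterDriver:
    """Filter attached above the file system: denies CREATE on the canary path
    and passes every other request down the stack."""
    name = "avfilter"

    def dispatch(self, irp, lower):
        if irp.major == IRP_MJ_CREATE and irp.path.lower() == CANARY.lower():
            return STATUS_ACCESS_DENIED
        return lower(irp)


class DeviceStack:
    """Ordered list of drivers, top-most first; requests enter at the top."""
    def __init__(self, drivers):
        self.drivers = list(drivers)

    def names(self):
        return [d.name for d in self.drivers]

    def send(self, irp, index=0):
        # Each driver receives the request plus a callable that forwards it
        # to the next driver below it.
        return self.drivers[index].dispatch(irp, lambda i: self.send(i, index + 1))

    def unlink(self, name):
        """What the malware does: detach the filter from the stack."""
        self.drivers = [d for d in self.drivers if d.name != name]


def probe_filter(stack, canary=CANARY, expected=STATUS_ACCESS_DENIED):
    """User-mode check from the abstract: perform an operation on the kernel
    stack, obtain its result and compare it with the expected result.
    Returns (filter_ok, detail)."""
    actual = stack.send(Irp(IRP_MJ_CREATE, canary))
    if actual == expected:
        return True, "canary open returned 0x%08X as expected" % actual
    return False, ("canary open returned 0x%08X, expected 0x%08X: "
                   "filter removed or bypassed" % (actual, expected))


def presence_check(stack, name="avfilter"):
    """Weaker check for comparison: is the filter still listed in the stack?"""
    return name in stack.names()


def run_scenarios():
    """Return {scenario: (presence_check, probe_ok)} for a healthy stack, a stack
    the malware unlinked the filter from, and a stack where the filter is still
    listed but its dispatch routine was patched to pass-through."""
    results = {}
    healthy = DeviceStack([AvFilterDriver(), FileSystemDevice()])
    results["healthy"] = (presence_check(healthy), probe_filter(healthy)[0])

    unlinked = DeviceStack([AvFilterDriver(), FileSystemDevice()])
    unlinked.unlink("avfilter")
    results["unlinked"] = (presence_check(unlinked), probe_filter(unlinked)[0])

    patched = DeviceStack([AvFilterDriver(), FileSystemDevice()])
    patched.drivers[0].dispatch = lambda irp, lower: lower(irp)  # hooked dispatch
    results["patched"] = (presence_check(patched), probe_filter(patched)[0])
    return results


if __name__ == "__main__":
    for name, (listed, ok) in run_scenarios().items():
        print("%-9s listed=%-5s probe_ok=%s" % (name, listed, ok))
```

Caveat: malware that knows the canary path can special-case it (keep intercepting the probe, pass everything else through), so a real probe should vary the operation it performs and the result it expects, issue it from a location the malware cannot easily enumerate, and be corroborated from kernel mode rather than trusted on its own.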

3. Obfuscated malware detection
    Granted patent (in force)

    Publication number: US08176559B2

    Publication date: 2012-05-08

    Application number: US12639465

    Filing date: 2009-12-16

    CPC classes: G06F21/52 G06F21/577

    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes executing, from a binary executable, a call instruction and a plurality of instructions subsequent to the target of the call instruction; determining whether the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation; determining whether there is a non-obfuscation signal resulting from the execution of the call instruction and the plurality of instructions; and, if the value identified by the stack pointer is the default value and there is no non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction. Additionally, the method includes identifying the binary executable as an obfuscated executable if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number.

4. Obfuscated malware detection
    Granted patent (in force)

    Publication number: US08499352B2

    Publication date: 2013-07-30

    Application number: US13440595

    Filing date: 2012-04-05

    CPC classes: G06F21/52 G06F21/577

    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; executing a call instruction; executing instructions subsequent to the target of the call instruction; determining that the address identified by the stack pointer differs from the return address; in response to that determination, determining whether there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not, identifying the call instruction as a possibly obfuscated call instruction; determining whether the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold; and, in response to determining that it does, identifying the executable as an obfuscated executable.

5. Obfuscated Malware Detection
    Patent application (granted, in force)

    Publication number: US20120198554A1

    Publication date: 2012-08-02

    Application number: US13440595

    Filing date: 2012-04-05

    IPC classes: G06F21/00 G06F11/28

    CPC classes: G06F21/52 G06F21/577

    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; executing a call instruction; executing instructions subsequent to the target of the call instruction; determining that the address identified by the stack pointer differs from the return address; in response to that determination, determining whether there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not, identifying the call instruction as a possibly obfuscated call instruction; determining whether the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold; and, in response to determining that it does, identifying the executable as an obfuscated executable.

6. OBFUSCATED MALWARE DETECTION
    Patent application (granted, in force)

    Publication number: US20110145921A1

    Publication date: 2011-06-16

    Application number: US12639465

    Filing date: 2009-12-16

    IPC classes: G06F11/00 G06F21/00

    CPC classes: G06F21/52 G06F21/577

    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes executing, from a binary executable, a call instruction and a plurality of instructions subsequent to the target of the call instruction; determining whether the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation; determining whether there is a non-obfuscation signal resulting from the execution of the call instruction and the plurality of instructions; and, if the value identified by the stack pointer is the default value and there is no non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction. Additionally, the method includes identifying the binary executable as an obfuscated executable if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number.
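The emulation step that entries 3 to 6 describe, as an added example that is not the patents' code (which targets real x86 binaries): a toy stack machine in Python. The instruction format, the sentinel seeded as the "default value", the step budget and the choice of a RET through the return address as the non-obfuscation signal are assumptions. Each CALL is emulated on its own; a return address that leaves the stack without a RET (the call/pop GetPC idiom, or a callee that discards it with add esp, 4) counts as a possibly obfuscated call, and the program is flagged once the count exceeds the threshold.

```python
# Added example (not the patents' own code): the call-instruction heuristic on a
# toy stack machine. For each CALL the stack is seeded with a sentinel (the
# abstracts' "default value"), the CALL pushes its return address, a bounded
# number of instructions at the target run, and the slot at the stack pointer is
# compared with the return address.

SENTINEL = 0xDEADBEEF              # assumed default value seeded before emulation
RET_OK, INTACT, CONSUMED = "ret", "intact", "consumed"

# Instruction format (assumed): (opcode, operand). Operands are immediates,
# register names or instruction indices; unset registers read as 0.


def emulate_call(prog, call_idx, max_steps=8):
    """Emulate prog[call_idx] (a CALL) plus up to max_steps instructions at its
    target. Returns (possibly_obfuscated, outcome)."""
    ret_addr = call_idx + 1
    stack = [SENTINEL, ret_addr]   # seeded slot, then the pushed return address
    regs = {}
    pc = prog[call_idx][1]
    for _ in range(max_steps):
        if not 0 <= pc < len(prog):
            break
        op, arg = prog[pc]
        if op == "ret":
            if stack and stack[-1] == ret_addr:
                return False, RET_OK   # non-obfuscation signal: returned through it
            pc = stack.pop() if stack else len(prog)
        elif op == "pop":
            regs[arg] = stack.pop() if stack else 0
            pc += 1
        elif op == "push":
            stack.append(regs.get(arg, 0) if isinstance(arg, str) else arg)
            pc += 1
        elif op == "add_sp":           # add esp, 4*n: discard n slots
            del stack[max(0, len(stack) - arg):]
            pc += 1
        elif op == "call":
            stack.append(pc + 1)
            pc = arg
        elif op == "jmp":
            pc = arg
        else:                          # nop, mov and other stack-neutral ops
            pc += 1
    if ret_addr in stack:
        return False, INTACT           # still on the stack, e.g. below a pushed frame
    return True, CONSUMED              # popped or discarded without a RET


def scan(prog, threshold=1, max_steps=8):
    """Emulate every CALL; the program is obfuscated when the number of possibly
    obfuscated calls exceeds the threshold."""
    calls = [i for i, (op, _) in enumerate(prog) if op == "call"]
    flagged = [i for i in calls if emulate_call(prog, i, max_steps)[0]]
    return {"calls": len(calls), "flagged": flagged, "obfuscated": len(flagged) > threshold}


# Constructed sample programs (instruction index doubles as the address).
NORMAL = [
    ("call", 3),             # 0: ordinary call to a well-formed function
    ("nop", None),           # 1
    ("jmp", 1),              # 2: spin
    ("push", "ebp"),         # 3: prologue pushes a frame above the return address
    ("mov", ("ebp", 0)),     # 4
    ("pop", "ebp"),          # 5: epilogue
    ("ret", None),           # 6
]
GETPC = [
    ("call", 1),             # 0: call-next-instruction
    ("pop", "eax"),          # 1: eax = address of this instruction (GetPC idiom)
    ("nop", None),           # 2
    ("call", 4),             # 3: pops and re-pushes, then RETs: legitimate
    ("pop", "ebx"),          # 4
    ("push", "ebx"),         # 5
    ("ret", None),           # 6
    ("call", 9),             # 7: callee throws the return address away
    ("nop", None),           # 8
    ("add_sp", 1),           # 9: add esp, 4
    ("jmp", 2),              # 10
]

if __name__ == "__main__":
    for label, prog in (("normal", NORMAL), ("getpc", GETPC)):
        print(label, scan(prog))
```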

7. SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR APPLYING A REGULAR EXPRESSION TO CONTENT BASED ON REQUIRED STRINGS OF THE REGULAR EXPRESSION
    Patent application (granted, in force)

    Publication number: US20120311529A1

    Publication date: 2012-12-06

    Application number: US12714324

    Filing date: 2010-02-26

    IPC classes: G06F9/44 G06N5/02

    CPC classes: G06F17/30985

    Abstract: A system, method, and computer program product are provided for applying a regular expression to content based on the required strings of the regular expression. In use, all required strings included in a regular expression are identified, the required strings being the strings that any content matching the regular expression must contain. Additionally, it is determined whether the required strings match the content. Furthermore, the regular expression is applied to the content based on that determination.

9. SYSTEMS AND METHODS FOR MALWARE DETECTION AND REMEDIATION
    Patent application (pending, published)

    Publication number: US20160180087A1

    Publication date: 2016-06-23

    Application number: US14580784

    Filing date: 2014-12-23

    IPC classes: G06F21/56

    Abstract: Provided in some embodiments are systems and methods for remediating malware. Embodiments include receiving, from a process, a request to access data; determining that the process is an unknown process; providing the process with access to one or more data tokens in response to that determination; determining whether the process is engaging in suspicious activity with the one or more data tokens; and inhibiting execution of the process in response to determining that it is.
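The token flow the abstract describes, as an added example that is not the patent's code: a Python broker that answers an unknown process's data request with a decoy token instead of the real data, records which process received which token, and inhibits a process as soon as one of those tokens turns up in an action treated as suspicious. The allow-list, the set of suspicious actions, the process names, the resources and the event records are all constructed.

```python
# Added example (not the patent's own code): decoy data tokens for unknown
# processes. Known processes get real data; unknown ones get a token whose later
# use is watched, and a process is inhibited once a token appears in a
# suspicious action.
import secrets

KNOWN_PROCESSES = {"explorer.exe", "outlook.exe"}               # assumed allow-list
SUSPICIOUS_ACTIONS = {"net_send", "write_other_process", "registry_run_key"}  # assumed
REAL_DATA = {"contacts.db": "real contact list", "wallet.dat": "real wallet"}  # constructed


class TokenBroker:
    def __init__(self):
        self.issued = {}          # token -> (pid it was issued to, resource requested)
        self.inhibited = set()    # pids whose execution has been inhibited
        self.findings = []        # (acting pid, token owner pid, resource, action)

    def request_data(self, pid, image, resource):
        """Request handling: a known process receives the real data; an unknown
        process receives a fresh decoy token and never the real data."""
        if image in KNOWN_PROCESSES:
            return REAL_DATA[resource]
        token = "DT-%s" % secrets.token_hex(8)
        self.issued[token] = (pid, resource)
        return token

    def observe(self, pid, action, payload):
        """Event handling: if an issued token shows up in a suspicious action,
        inhibit the process that performed it. Returns True when inhibited."""
        if pid in self.inhibited:
            return True
        for token, (owner, resource) in self.issued.items():
            if token in payload and action in SUSPICIOUS_ACTIONS:
                self.inhibited.add(pid)
                self.findings.append((pid, owner, resource, action))
                return True
        return False


def run_scenario():
    """Constructed sequence: a known mail client, an unknown binary that sends
    its token out over the network, and an unknown installer that only reads it."""
    broker = TokenBroker()
    real = broker.request_data(100, "outlook.exe", "contacts.db")
    decoy1 = broker.request_data(200, "svchosts.exe", "contacts.db")
    decoy2 = broker.request_data(300, "setup.tmp", "wallet.dat")
    events = [
        (200, "file_read", decoy1),                        # reading it back is fine
        (200, "net_send", "POST /upload body=" + decoy1),  # exfiltration attempt
        (300, "file_read", decoy2),
        (300, "net_send", "GET /update?v=2"),              # no token involved
    ]
    verdicts = [broker.observe(pid, action, payload) for pid, action, payload in events]
    return {
        "real_data_to_known": real == REAL_DATA["contacts.db"],
        "decoy_to_unknown": decoy1.startswith("DT-") and decoy1 != REAL_DATA["contacts.db"],
        "verdicts": verdicts,
        "inhibited": sorted(broker.inhibited),
        "findings": [(pid, action) for pid, _, _, action in broker.findings],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print("%-20s %s" % (key, value))
```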

10. System, method, and computer program product for applying a regular expression to content based on required strings of the regular expression
    Granted patent (in force)

    Publication number: US08522199B2

    Publication date: 2013-08-27

    Application number: US12714324

    Filing date: 2010-02-26

    IPC classes: G06F9/44

    CPC classes: G06F17/30985

    Abstract: A system, method, and computer program product are provided for applying a regular expression to content based on the required strings of the regular expression. In use, all required strings included in a regular expression are identified, the required strings being the strings that any content matching the regular expression must contain. Additionally, it is determined whether the required strings match the content. Furthermore, the regular expression is applied to the content based on that determination.
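The prefilter that entries 7 and 10 describe, as an added example that is not the patents' or any product's code: `required_strings` extracts the literal substrings every match of a pattern must contain (conservatively: any construct it does not understand shortens the list, never lengthens it, so the prefilter never suppresses a real match), and `prefiltered_search` runs the regular expression only when all of them occur in the content. The signatures and the content samples are constructed.

```python
# Added example (not the patents' own code): required-string prefiltering for
# regular expressions. Soundness rule: a required string must be present in
# every possible match, so anything uncertain is left out of the list.
import re


def required_strings(pattern):
    """Literal substrings (in pattern order) that every match must contain. Unsupported
    syntax makes this give up (fewer strings), never over-claim, so the prefilter stays sound."""
    frames = [{"runs": [], "cur": [], "discard": False}]   # one frame per open group
    i, n = 0, len(pattern)

    def close_run(drop_last=False):
        cur = frames[-1]["cur"]
        if drop_last and cur:
            cur.pop()                  # the atom before an optional quantifier
        if cur:
            frames[-1]["runs"].append("".join(cur))
        frames[-1]["cur"] = []

    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            e, i = pattern[i + 1], i + 2
            if e in "xuUN" or e.isdigit():
                return []              # hex/unicode/octal escapes, backreferences: give up
            close_run() if e.isalnum() else frames[-1]["cur"].append(e)  # \d \s \b vs \. \(
        elif c == "[":                 # character class: never a fixed literal, skip it
            j = i + 1 + (pattern[i + 1:i + 2] == "^")
            j += pattern[j:j + 1] == "]"   # a leading ']' is literal inside a class
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
            close_run()
        elif c == "(":
            if pattern.startswith("(?", i) and not pattern.startswith("(?:", i):
                return []              # lookarounds, inline flags, named groups: give up
            i += 3 if pattern[i + 1:i + 2] == "?" else 1
            close_run()
            frames.append({"runs": [], "cur": [], "discard": False})
        elif c == ")":
            close_run()
            f, i = frames.pop(), i + 1
            if i < n and pattern[i] in "*?{":
                f["discard"] = True    # optional group: nothing inside is required
            if not f["discard"]:
                frames[-1]["runs"].extend(f["runs"])
        elif c in "*?{":               # optional quantifier (every {m,n} treated as optional)
            close_run(drop_last=True)
            i = pattern.index("}", i) + 1 if c == "{" and "}" in pattern[i:] else i + 1
        elif c == "+":                 # at least once: keep the atom but end the run
            close_run()
            i += 1
        elif c == "|":
            if len(frames) == 1:
                return []              # top-level alternation: no common literal
            close_run()
            frames[-1]["discard"], i = True, i + 1
        else:
            close_run() if c in ".^$" else frames[-1]["cur"].append(c)
            i += 1
    close_run()
    return list(dict.fromkeys(frames[0]["runs"]))   # dedupe, keep order


def prefiltered_search(pattern, content, flags=0):
    """re.search that runs the regex only when every required string is present.
    Returns (match or None, whether the regex was actually evaluated)."""
    regex = re.compile(pattern, flags)     # invalid patterns fail here, before extraction
    req = [] if flags & re.VERBOSE else required_strings(pattern)  # VERBOSE: whitespace not literal
    req, hay = ([s.lower() for s in req], content.lower()) if flags & re.IGNORECASE else (req, content)
    if any(s not in hay for s in req):
        return None, False                 # a required string is missing: cannot match
    return regex.search(content), True


SIGNATURES = {                             # constructed signatures
    "php_eval": r"eval\(base64_decode\(",
    "cookie_theft": r"<script[^>]*>\s*document\.cookie",
    "shell_exec": r"(cmd|powershell)\.exe /c",
    "sensitive_file": r"/etc/passwd|/etc/shadow",
}
SAMPLES = [                                # constructed content
    "<?php eval(base64_decode('aGVsbG8=')); ?>",
    "<script type=text/javascript>document.cookie",
    "powershell.exe /c whoami",
    "cat /etc/shadow",
    "plain text; document cookie; nothing to see",
]


def scan_samples(signatures=SIGNATURES, samples=SAMPLES):
    """{name: (matching sample indices, regex evaluations, agrees with plain re.search)}."""
    out = {}
    for name, pat in signatures.items():
        results = [prefiltered_search(pat, s) for s in samples]
        hits = [i for i, (m, _) in enumerate(results) if m]
        runs = sum(ran for _, ran in results)
        agrees = all(bool(m) == bool(re.search(pat, s)) for (m, _), s in zip(results, samples))
        out[name] = (hits, runs, agrees)
    return out
```

Design note: soundness is the property worth testing, which is why `scan_samples` checks every prefiltered result against a plain `re.search`. Flags matter: `re.IGNORECASE` is handled by folding both the required strings and the content, and `re.VERBOSE` disables the prefilter because whitespace in such a pattern is not literal. A production engine would compute the required strings once per rule at load time and match them across the whole rule set with a multi-pattern algorithm such as Aho-Corasick rather than with a per-rule `in` scan.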