WO2006121572A3 - System and method for scanning obfuscated files for pestware - Google Patents

System and method for scanning obfuscated files for pestware Download PDF

Info

Publication number
WO2006121572A3
WO2006121572A3 PCT/US2006/014004 US2006014004W WO2006121572A3 WO 2006121572 A3 WO2006121572 A3 WO 2006121572A3 US 2006014004 W US2006014004 W US 2006014004W WO 2006121572 A3 WO2006121572 A3 WO 2006121572A3
Authority
WO
WIPO (PCT)
Prior art keywords
pestware
obfuscated
files
file
scanning
Prior art date
Application number
PCT/US2006/014004
Other languages
French (fr)
Other versions
WO2006121572A2 (en
Inventor
Jefferson Delk Horne
Original Assignee
Webroot Software Inc
Jefferson Delk Horne
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Webroot Software Inc, Jefferson Delk Horne filed Critical Webroot Software Inc
Priority to EP06769824A priority Critical patent/EP1872224A4/en
Publication of WO2006121572A2 publication Critical patent/WO2006121572A2/en
Publication of WO2006121572A3 publication Critical patent/WO2006121572A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection

Abstract

Systems and methods for managing multiple related pestware processes on a protected computer are described. In one implementation, a plurality of files in a file storage device of a protected computer are scanned and obfuscated files are identified from amont the plurality of files. To identify whether the obfuscated file is a pestware file, one or more potential pestware processes are identified as being associated with the obfuscated file, and the one or more associated processes are scanned so as to determine whether the process, and hence, the obfuscated file, are pestware.
PCT/US2006/014004 2005-04-14 2006-04-14 System and method for scanning obfuscated files for pestware WO2006121572A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP06769824A EP1872224A4 (en) 2005-04-14 2006-04-14 System and method for scanning obfuscated files for pestware

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/105,978 US7349931B2 (en) 2005-04-14 2005-04-14 System and method for scanning obfuscated files for pestware
US11/105,978 2005-04-14

Publications (2)

Publication Number Publication Date
WO2006121572A2 WO2006121572A2 (en) 2006-11-16
WO2006121572A3 true WO2006121572A3 (en) 2007-03-22

Family

ID=37110126

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/014004 WO2006121572A2 (en) 2005-04-14 2006-04-14 System and method for scanning obfuscated files for pestware

Country Status (3)

Country Link
US (1) US7349931B2 (en)
EP (1) EP1872224A4 (en)
WO (1) WO2006121572A2 (en)

Families Citing this family (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8539063B1 (en) 2003-08-29 2013-09-17 Mcafee, Inc. Method and system for containment of networked application client software by explicit human input
US7840968B1 (en) * 2003-12-17 2010-11-23 Mcafee, Inc. Method and system for containment of usage of language interfaces
US7873955B1 (en) * 2004-09-07 2011-01-18 Mcafee, Inc. Solidifying the executable software set of a computer
US7591016B2 (en) * 2005-04-14 2009-09-15 Webroot Software, Inc. System and method for scanning memory for pestware offset signatures
US20070006311A1 (en) * 2005-06-29 2007-01-04 Barton Kevin T System and method for managing pestware
US7856661B1 (en) 2005-07-14 2010-12-21 Mcafee, Inc. Classification of software on networked systems
US20070074289A1 (en) * 2005-09-28 2007-03-29 Phil Maddaloni Client side exploit tracking
US20070094733A1 (en) * 2005-10-26 2007-04-26 Wilson Michael C System and method for neutralizing pestware residing in executable memory
US20070094726A1 (en) * 2005-10-26 2007-04-26 Wilson Michael C System and method for neutralizing pestware that is loaded by a desirable process
US20080281772A2 (en) * 2005-11-30 2008-11-13 Webroot Software, Inc. System and method for managing access to storage media
US8255992B2 (en) * 2006-01-18 2012-08-28 Webroot Inc. Method and system for detecting dependent pestware objects on a computer
US7757269B1 (en) 2006-02-02 2010-07-13 Mcafee, Inc. Enforcing alignment of approved changes and deployed changes in the software change life-cycle
US20070192761A1 (en) * 2006-02-15 2007-08-16 Ravi Sahita Method for adding integrity information to portable executable (PE) object files after compile and link steps
US7895573B1 (en) 2006-03-27 2011-02-22 Mcafee, Inc. Execution environment file inventory
US8555404B1 (en) 2006-05-18 2013-10-08 Mcafee, Inc. Connectivity-based authorization
US7814544B1 (en) * 2006-06-22 2010-10-12 Symantec Corporation API-profile guided unpacking
US20080028462A1 (en) * 2006-07-26 2008-01-31 Michael Burtscher System and method for loading and analyzing files
US8578495B2 (en) * 2006-07-26 2013-11-05 Webroot Inc. System and method for analyzing packed files
US8065664B2 (en) * 2006-08-07 2011-11-22 Webroot Software, Inc. System and method for defining and detecting pestware
US8190868B2 (en) 2006-08-07 2012-05-29 Webroot Inc. Malware management through kernel detection
US7797746B2 (en) 2006-12-12 2010-09-14 Fortinet, Inc. Detection of undesired computer files in archives
US8332929B1 (en) 2007-01-10 2012-12-11 Mcafee, Inc. Method and apparatus for process enforced configuration management
US9424154B2 (en) 2007-01-10 2016-08-23 Mcafee, Inc. Method of and system for computer system state checks
KR100942795B1 (en) * 2007-11-21 2010-02-18 한국전자통신연구원 A method and a device for malware detection
US7836174B2 (en) * 2008-01-30 2010-11-16 Commvault Systems, Inc. Systems and methods for grid-based data scanning
US8701189B2 (en) 2008-01-31 2014-04-15 Mcafee, Inc. Method of and system for computer system denial-of-service protection
US8782615B2 (en) * 2008-04-14 2014-07-15 Mcafee, Inc. System, method, and computer program product for simulating at least one of a virtual environment and a debugging environment to prevent unwanted code from executing
US8615502B2 (en) 2008-04-18 2013-12-24 Mcafee, Inc. Method of and system for reverse mapping vnode pointers
US8938806B1 (en) 2008-06-26 2015-01-20 Emc Corporation Partial pattern detection with commonality factoring
KR101027928B1 (en) * 2008-07-23 2011-04-12 한국전자통신연구원 Apparatus and Method for detecting obfuscated web page
TWI401582B (en) * 2008-11-17 2013-07-11 Inst Information Industry Monitor device, monitor method and computer program product thereof for hardware
US8544003B1 (en) 2008-12-11 2013-09-24 Mcafee, Inc. System and method for managing virtual machine configurations
US8205263B1 (en) * 2008-12-16 2012-06-19 Symantec Corporation Systems and methods for identifying an executable file obfuscated by an unknown obfuscator program
US11489857B2 (en) 2009-04-21 2022-11-01 Webroot Inc. System and method for developing a risk profile for an internet resource
US9087195B2 (en) * 2009-07-10 2015-07-21 Kaspersky Lab Zao Systems and methods for detecting obfuscated malware
NO2460075T3 (en) 2009-07-29 2018-04-21
US8381284B2 (en) 2009-08-21 2013-02-19 Mcafee, Inc. System and method for enforcing security policies in a virtual environment
US8832829B2 (en) * 2009-09-30 2014-09-09 Fireeye, Inc. Network-based binary file extraction and analysis for malware detection
US9552497B2 (en) * 2009-11-10 2017-01-24 Mcafee, Inc. System and method for preventing data loss using virtual machine wrapped applications
US8938800B2 (en) 2010-07-28 2015-01-20 Mcafee, Inc. System and method for network level protection against malicious software
US8925101B2 (en) 2010-07-28 2014-12-30 Mcafee, Inc. System and method for local protection against malicious software
US8549003B1 (en) 2010-09-12 2013-10-01 Mcafee, Inc. System and method for clustering host inventories
US9075993B2 (en) 2011-01-24 2015-07-07 Mcafee, Inc. System and method for selectively grouping and managing program files
US9112830B2 (en) 2011-02-23 2015-08-18 Mcafee, Inc. System and method for interlocking a host and a gateway
US9594881B2 (en) 2011-09-09 2017-03-14 Mcafee, Inc. System and method for passive threat detection using virtual memory inspection
US8694738B2 (en) 2011-10-11 2014-04-08 Mcafee, Inc. System and method for critical address space protection in a hypervisor environment
US8973144B2 (en) 2011-10-13 2015-03-03 Mcafee, Inc. System and method for kernel rootkit protection in a hypervisor environment
US9069586B2 (en) 2011-10-13 2015-06-30 Mcafee, Inc. System and method for kernel rootkit protection in a hypervisor environment
US8800024B2 (en) 2011-10-17 2014-08-05 Mcafee, Inc. System and method for host-initiated firewall discovery in a network environment
US8713668B2 (en) 2011-10-17 2014-04-29 Mcafee, Inc. System and method for redirected firewall discovery in a network environment
US8739272B1 (en) 2012-04-02 2014-05-27 Mcafee, Inc. System and method for interlocking a host and a gateway
US20140150101A1 (en) * 2012-09-12 2014-05-29 Xecure Lab Co., Ltd. Method for recognizing malicious file
US8973146B2 (en) 2012-12-27 2015-03-03 Mcafee, Inc. Herd based scan avoidance system in a network environment
CN105580023B (en) 2013-10-24 2019-08-16 迈克菲股份有限公司 The malicious application of agency's auxiliary in network environment prevents
US9208314B1 (en) * 2013-12-19 2015-12-08 Symantec Corporation Systems and methods for distinguishing code of a program obfuscated within a packed program
US10922189B2 (en) 2016-11-02 2021-02-16 Commvault Systems, Inc. Historical network data-based scanning thread generation
US10389810B2 (en) 2016-11-02 2019-08-20 Commvault Systems, Inc. Multi-threaded scanning of distributed file systems
US20220269807A1 (en) * 2021-02-22 2022-08-25 EMC IP Holding Company LLC Detecting unauthorized encryptions in data storage systems

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030074573A1 (en) * 2001-10-15 2003-04-17 Hursey Nell John Malware scanning of compressed computer files
US20030110391A1 (en) * 2001-12-06 2003-06-12 Wolff Daniel Joseph Techniques for performing malware scanning of files stored within a file storage device of a computer network
US20030115479A1 (en) * 2001-12-14 2003-06-19 Jonathan Edwards Method and system for detecting computer malwares by scan of process memory after process initialization
US20030120952A1 (en) * 2001-12-26 2003-06-26 Tarbotton Lee Codel Lawson Malware scanning to create clean storage locations
US20050021994A1 (en) * 2003-07-21 2005-01-27 Barton Christopher Andrew Pre-approval of computer files during a malware detection

Family Cites Families (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5442669A (en) 1993-12-27 1995-08-15 Medin; David L. Perishable good integrity indicator
US5485575A (en) 1994-11-21 1996-01-16 International Business Machines Corporation Automatic analysis of a computer virus structure and means of attachment to its hosts
US5812848A (en) 1995-08-23 1998-09-22 Symantec Corporation Subclassing system for computer that operates with portable-executable (PE) modules
US5826013A (en) 1995-09-28 1998-10-20 Symantec Corporation Polymorphic virus detection module
US5696822A (en) 1995-09-28 1997-12-09 Symantec Corporation Polymorphic virus detection module
US6357008B1 (en) 1997-09-23 2002-03-12 Symantec Corporation Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases
US6400476B1 (en) * 1997-12-31 2002-06-04 Cisco Photonics Italy S.R.L. Method and apparatus for transparent optical communication with two-fiber bidirectional ring with autoprotection and management of low priority traffic
US6192512B1 (en) 1998-09-24 2001-02-20 International Business Machines Corporation Interpreter with virtualized interface
JP3837244B2 (en) 1998-10-23 2006-10-25 松下電器産業株式会社 Program linking apparatus and method
US6851057B1 (en) 1999-11-30 2005-02-01 Symantec Corporation Data driven detection of viruses
US6971019B1 (en) 2000-03-14 2005-11-29 Symantec Corporation Histogram-based virus detection
US6775780B1 (en) 2000-03-16 2004-08-10 Networks Associates Technology, Inc. Detecting malicious software by analyzing patterns of system calls generated during emulation
US6735703B1 (en) 2000-05-08 2004-05-11 Networks Associates Technology, Inc. Multi-platform sequence-based anomaly detection wrapper
US6973577B1 (en) 2000-05-26 2005-12-06 Mcafee, Inc. System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state
US6973578B1 (en) 2000-05-31 2005-12-06 Networks Associates Technology, Inc. System, method and computer program product for process-based selection of virus detection actions
US6931540B1 (en) 2000-05-31 2005-08-16 Networks Associates Technology, Inc. System, method and computer program product for selecting virus detection actions based on a process by which files are being accessed
US7069583B2 (en) * 2000-07-14 2006-06-27 Computer Associates Think, Inc. Detection of polymorphic virus code using dataflow analysis
US6954861B2 (en) 2000-07-14 2005-10-11 America Online, Inc. Identifying unauthorized communication systems based on their memory contents
US7093239B1 (en) 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
US7178166B1 (en) 2000-09-19 2007-02-13 Internet Security Systems, Inc. Vulnerability assessment and authentication of a computer by a local scanner
US7150045B2 (en) 2000-12-14 2006-12-12 Widevine Technologies, Inc. Method and apparatus for protection of electronic media
US7328453B2 (en) 2001-05-09 2008-02-05 Ecd Systems, Inc. Systems and methods for the prevention of unauthorized use and manipulation of digital content
US7421587B2 (en) 2001-07-26 2008-09-02 Mcafee, Inc. Detecting computer programs within packed computer files
US20040010703A1 (en) 2001-08-01 2004-01-15 Networks Associates Technology, Inc. Persistent storage access system and method for a wireless malware scan engine
US7234167B2 (en) 2001-09-06 2007-06-19 Mcafee, Inc. Automatic builder of detection and cleaning routines for computer viruses
US7506374B2 (en) 2001-10-31 2009-03-17 Computer Associates Think, Inc. Memory scanning system and method
US6681972B1 (en) 2002-03-19 2004-01-27 J&C Tapocik, Inc. Hands-free holder which will hold an airline ticket, an identification, credit cards and cash while worn around a user's neck
JP2005522800A (en) 2002-04-13 2005-07-28 コンピュータ アソシエイツ シンク,インコーポレイテッド System and method for detecting malicious code
US7370360B2 (en) 2002-05-13 2008-05-06 International Business Machines Corporation Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
US7155742B1 (en) 2002-05-16 2006-12-26 Symantec Corporation Countering infections to communications modules
US7409717B1 (en) 2002-05-23 2008-08-05 Symantec Corporation Metamorphic computer virus detection
US7418729B2 (en) 2002-07-19 2008-08-26 Symantec Corporation Heuristic detection of malicious computer code by page tracking
GB2391965B (en) 2002-08-14 2005-11-30 Messagelabs Ltd Method of, and system for, heuristically detecting viruses in executable code
US7337471B2 (en) 2002-10-07 2008-02-26 Symantec Corporation Selective detection of malicious computer code
US7216367B2 (en) 2003-02-21 2007-05-08 Symantec Corporation Safe memory scanning
WO2004077294A1 (en) 2003-02-26 2004-09-10 Secure Ware Inc. Unauthorized processing judgment method, data processing device, computer program, and recording medium
US8171551B2 (en) 2003-04-01 2012-05-01 Mcafee, Inc. Malware detection using external call characteristics
GB2400197B (en) 2003-04-03 2006-04-12 Messagelabs Ltd System for and method of detecting malware in macros and executable scripts
US7231667B2 (en) 2003-05-29 2007-06-12 Computer Associates Think, Inc. System and method for computer virus detection utilizing heuristic analysis
US7644441B2 (en) 2003-09-26 2010-01-05 Cigital, Inc. Methods for identifying malicious software
US8627458B2 (en) 2004-01-13 2014-01-07 Mcafee, Inc. Detecting malicious computer program activity using external program calls with dynamic rule sets
US7620990B2 (en) 2004-01-30 2009-11-17 Microsoft Corporation System and method for unpacking packed executables for malware evaluation
US7913305B2 (en) 2004-01-30 2011-03-22 Microsoft Corporation System and method for detecting malware in an executable code module according to the code module's exhibited behavior
US7707634B2 (en) 2004-01-30 2010-04-27 Microsoft Corporation System and method for detecting malware in executable scripts according to its functionality
US20050262567A1 (en) 2004-05-19 2005-11-24 Itshak Carmona Systems and methods for computer security
US20050268112A1 (en) 2004-05-28 2005-12-01 Microsoft Corporation Managing spyware and unwanted software through auto-start extensibility points
US7568230B2 (en) 2004-06-09 2009-07-28 Lieberman Software Corporation System for selective disablement and locking out of computer system objects
US7596809B2 (en) 2004-06-14 2009-09-29 Lionic Corporation System security approaches using multiple processing units
US7401184B2 (en) 2004-11-19 2008-07-15 Intel Corporation Matching memory transactions to cache line boundaries
US7636856B2 (en) 2004-12-06 2009-12-22 Microsoft Corporation Proactive computer malware protection through dynamic translation
US7836504B2 (en) 2005-03-01 2010-11-16 Microsoft Corporation On-access scan of memory for malware

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030074573A1 (en) * 2001-10-15 2003-04-17 Hursey Nell John Malware scanning of compressed computer files
US20030110391A1 (en) * 2001-12-06 2003-06-12 Wolff Daniel Joseph Techniques for performing malware scanning of files stored within a file storage device of a computer network
US20030115479A1 (en) * 2001-12-14 2003-06-19 Jonathan Edwards Method and system for detecting computer malwares by scan of process memory after process initialization
US20030120952A1 (en) * 2001-12-26 2003-06-26 Tarbotton Lee Codel Lawson Malware scanning to create clean storage locations
US20050021994A1 (en) * 2003-07-21 2005-01-27 Barton Christopher Andrew Pre-approval of computer files during a malware detection

Also Published As

Publication number Publication date
WO2006121572A2 (en) 2006-11-16
US7349931B2 (en) 2008-03-25
EP1872224A4 (en) 2010-05-26
EP1872224A2 (en) 2008-01-02
US20060236397A1 (en) 2006-10-19

Similar Documents

Publication Publication Date Title
WO2006121572A3 (en) System and method for scanning obfuscated files for pestware
WO2006110921A3 (en) System and method for scanning memory for pestware offset signatures
WO2006004670A3 (en) Methods and systems for managing data
DE602006012098D1 (en) METHOD AND SYSTEM FOR ORGANIZING INCLUDED RECORDS IN A MOBILE RADIO DEVICE
ATE484144T1 (en) SYSTEM AND METHOD FOR PROCESSING SECURE TRANSMISSIONS
JP2005303981A5 (en)
TW200634622A (en) Register file regions for a processing system
DE602006007019D1 (en) RENEWABLE TRANSPORT TRACKING
WO2008085708A3 (en) Data backup system and method associated therewith
WO2006029032A3 (en) Methods, systems, and computer program products for implementing single-node and cluster snapshots
WO2007005048A3 (en) Methods and apparatus for implementing context-dependent file security
WO2008115670A3 (en) System and method for identifying content
WO2009105702A3 (en) License auditing for distributed applications
EP1796002A3 (en) Method and apparatus for efficiently storing and managing historical versions and replicas of computer data files
WO2005022321A3 (en) Method, system, and program for personal data management using content-based replication
WO2006118896A3 (en) Method and apparatus for detecting the falsification of metadata
WO2007126996A3 (en) System and methods for enhanced metadata entry
WO2006104507A3 (en) Systems and methods for using machine attributes to deter software piracy in an enterprise environment
WO2006039401A3 (en) Method and system for filtering, organizing and presenting selected information technology information as a function of business dimensions
BRPI0713385A2 (en) data storage, data collection and telemonitoring method, and telemonitoring system
IN2012DN03035A (en)
WO2005101186A3 (en) System, method and computer program product for extracting metadata faster than real-time
WO2007027211A3 (en) System and method for scanning memory for pestware
EP1845471A3 (en) Web-based method for accessing licensed products and features
NO20050051D0 (en) Authentication information method and system fed into computer systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2006769824

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: RU