WO2006121572A3 - System and method for scanning obfuscated files for pestware - Google Patents
System and method for scanning obfuscated files for pestware Download PDFInfo
- Publication number
- WO2006121572A3 WO2006121572A3 PCT/US2006/014004 US2006014004W WO2006121572A3 WO 2006121572 A3 WO2006121572 A3 WO 2006121572A3 US 2006014004 W US2006014004 W US 2006014004W WO 2006121572 A3 WO2006121572 A3 WO 2006121572A3
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- pestware
- obfuscated
- files
- file
- scanning
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
Systems and methods for managing multiple related pestware processes on a protected computer are described. In one implementation, a plurality of files in a file storage device of a protected computer are scanned and obfuscated files are identified from amont the plurality of files. To identify whether the obfuscated file is a pestware file, one or more potential pestware processes are identified as being associated with the obfuscated file, and the one or more associated processes are scanned so as to determine whether the process, and hence, the obfuscated file, are pestware.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06769824A EP1872224A4 (en) | 2005-04-14 | 2006-04-14 | System and method for scanning obfuscated files for pestware |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/105,978 US7349931B2 (en) | 2005-04-14 | 2005-04-14 | System and method for scanning obfuscated files for pestware |
US11/105,978 | 2005-04-14 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2006121572A2 WO2006121572A2 (en) | 2006-11-16 |
WO2006121572A3 true WO2006121572A3 (en) | 2007-03-22 |
Family
ID=37110126
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2006/014004 WO2006121572A2 (en) | 2005-04-14 | 2006-04-14 | System and method for scanning obfuscated files for pestware |
Country Status (3)
Country | Link |
---|---|
US (1) | US7349931B2 (en) |
EP (1) | EP1872224A4 (en) |
WO (1) | WO2006121572A2 (en) |
Families Citing this family (58)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8539063B1 (en) | 2003-08-29 | 2013-09-17 | Mcafee, Inc. | Method and system for containment of networked application client software by explicit human input |
US7840968B1 (en) * | 2003-12-17 | 2010-11-23 | Mcafee, Inc. | Method and system for containment of usage of language interfaces |
US7873955B1 (en) * | 2004-09-07 | 2011-01-18 | Mcafee, Inc. | Solidifying the executable software set of a computer |
US7591016B2 (en) * | 2005-04-14 | 2009-09-15 | Webroot Software, Inc. | System and method for scanning memory for pestware offset signatures |
US20070006311A1 (en) * | 2005-06-29 | 2007-01-04 | Barton Kevin T | System and method for managing pestware |
US7856661B1 (en) | 2005-07-14 | 2010-12-21 | Mcafee, Inc. | Classification of software on networked systems |
US20070074289A1 (en) * | 2005-09-28 | 2007-03-29 | Phil Maddaloni | Client side exploit tracking |
US20070094733A1 (en) * | 2005-10-26 | 2007-04-26 | Wilson Michael C | System and method for neutralizing pestware residing in executable memory |
US20070094726A1 (en) * | 2005-10-26 | 2007-04-26 | Wilson Michael C | System and method for neutralizing pestware that is loaded by a desirable process |
US20080281772A2 (en) * | 2005-11-30 | 2008-11-13 | Webroot Software, Inc. | System and method for managing access to storage media |
US8255992B2 (en) * | 2006-01-18 | 2012-08-28 | Webroot Inc. | Method and system for detecting dependent pestware objects on a computer |
US7757269B1 (en) | 2006-02-02 | 2010-07-13 | Mcafee, Inc. | Enforcing alignment of approved changes and deployed changes in the software change life-cycle |
US20070192761A1 (en) * | 2006-02-15 | 2007-08-16 | Ravi Sahita | Method for adding integrity information to portable executable (PE) object files after compile and link steps |
US7895573B1 (en) | 2006-03-27 | 2011-02-22 | Mcafee, Inc. | Execution environment file inventory |
US8555404B1 (en) | 2006-05-18 | 2013-10-08 | Mcafee, Inc. | Connectivity-based authorization |
US7814544B1 (en) * | 2006-06-22 | 2010-10-12 | Symantec Corporation | API-profile guided unpacking |
US20080028462A1 (en) * | 2006-07-26 | 2008-01-31 | Michael Burtscher | System and method for loading and analyzing files |
US8578495B2 (en) * | 2006-07-26 | 2013-11-05 | Webroot Inc. | System and method for analyzing packed files |
US8065664B2 (en) * | 2006-08-07 | 2011-11-22 | Webroot Software, Inc. | System and method for defining and detecting pestware |
US8190868B2 (en) | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection |
US7797746B2 (en) | 2006-12-12 | 2010-09-14 | Fortinet, Inc. | Detection of undesired computer files in archives |
US8332929B1 (en) | 2007-01-10 | 2012-12-11 | Mcafee, Inc. | Method and apparatus for process enforced configuration management |
US9424154B2 (en) | 2007-01-10 | 2016-08-23 | Mcafee, Inc. | Method of and system for computer system state checks |
KR100942795B1 (en) * | 2007-11-21 | 2010-02-18 | 한국전자통신연구원 | A method and a device for malware detection |
US7836174B2 (en) * | 2008-01-30 | 2010-11-16 | Commvault Systems, Inc. | Systems and methods for grid-based data scanning |
US8701189B2 (en) | 2008-01-31 | 2014-04-15 | Mcafee, Inc. | Method of and system for computer system denial-of-service protection |
US8782615B2 (en) * | 2008-04-14 | 2014-07-15 | Mcafee, Inc. | System, method, and computer program product for simulating at least one of a virtual environment and a debugging environment to prevent unwanted code from executing |
US8615502B2 (en) | 2008-04-18 | 2013-12-24 | Mcafee, Inc. | Method of and system for reverse mapping vnode pointers |
US8938806B1 (en) | 2008-06-26 | 2015-01-20 | Emc Corporation | Partial pattern detection with commonality factoring |
KR101027928B1 (en) * | 2008-07-23 | 2011-04-12 | 한국전자통신연구원 | Apparatus and Method for detecting obfuscated web page |
TWI401582B (en) * | 2008-11-17 | 2013-07-11 | Inst Information Industry | Monitor device, monitor method and computer program product thereof for hardware |
US8544003B1 (en) | 2008-12-11 | 2013-09-24 | Mcafee, Inc. | System and method for managing virtual machine configurations |
US8205263B1 (en) * | 2008-12-16 | 2012-06-19 | Symantec Corporation | Systems and methods for identifying an executable file obfuscated by an unknown obfuscator program |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US9087195B2 (en) * | 2009-07-10 | 2015-07-21 | Kaspersky Lab Zao | Systems and methods for detecting obfuscated malware |
NO2460075T3 (en) | 2009-07-29 | 2018-04-21 | ||
US8381284B2 (en) | 2009-08-21 | 2013-02-19 | Mcafee, Inc. | System and method for enforcing security policies in a virtual environment |
US8832829B2 (en) * | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US9552497B2 (en) * | 2009-11-10 | 2017-01-24 | Mcafee, Inc. | System and method for preventing data loss using virtual machine wrapped applications |
US8938800B2 (en) | 2010-07-28 | 2015-01-20 | Mcafee, Inc. | System and method for network level protection against malicious software |
US8925101B2 (en) | 2010-07-28 | 2014-12-30 | Mcafee, Inc. | System and method for local protection against malicious software |
US8549003B1 (en) | 2010-09-12 | 2013-10-01 | Mcafee, Inc. | System and method for clustering host inventories |
US9075993B2 (en) | 2011-01-24 | 2015-07-07 | Mcafee, Inc. | System and method for selectively grouping and managing program files |
US9112830B2 (en) | 2011-02-23 | 2015-08-18 | Mcafee, Inc. | System and method for interlocking a host and a gateway |
US9594881B2 (en) | 2011-09-09 | 2017-03-14 | Mcafee, Inc. | System and method for passive threat detection using virtual memory inspection |
US8694738B2 (en) | 2011-10-11 | 2014-04-08 | Mcafee, Inc. | System and method for critical address space protection in a hypervisor environment |
US8973144B2 (en) | 2011-10-13 | 2015-03-03 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
US9069586B2 (en) | 2011-10-13 | 2015-06-30 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
US8800024B2 (en) | 2011-10-17 | 2014-08-05 | Mcafee, Inc. | System and method for host-initiated firewall discovery in a network environment |
US8713668B2 (en) | 2011-10-17 | 2014-04-29 | Mcafee, Inc. | System and method for redirected firewall discovery in a network environment |
US8739272B1 (en) | 2012-04-02 | 2014-05-27 | Mcafee, Inc. | System and method for interlocking a host and a gateway |
US20140150101A1 (en) * | 2012-09-12 | 2014-05-29 | Xecure Lab Co., Ltd. | Method for recognizing malicious file |
US8973146B2 (en) | 2012-12-27 | 2015-03-03 | Mcafee, Inc. | Herd based scan avoidance system in a network environment |
CN105580023B (en) | 2013-10-24 | 2019-08-16 | 迈克菲股份有限公司 | The malicious application of agency's auxiliary in network environment prevents |
US9208314B1 (en) * | 2013-12-19 | 2015-12-08 | Symantec Corporation | Systems and methods for distinguishing code of a program obfuscated within a packed program |
US10922189B2 (en) | 2016-11-02 | 2021-02-16 | Commvault Systems, Inc. | Historical network data-based scanning thread generation |
US10389810B2 (en) | 2016-11-02 | 2019-08-20 | Commvault Systems, Inc. | Multi-threaded scanning of distributed file systems |
US20220269807A1 (en) * | 2021-02-22 | 2022-08-25 | EMC IP Holding Company LLC | Detecting unauthorized encryptions in data storage systems |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030074573A1 (en) * | 2001-10-15 | 2003-04-17 | Hursey Nell John | Malware scanning of compressed computer files |
US20030110391A1 (en) * | 2001-12-06 | 2003-06-12 | Wolff Daniel Joseph | Techniques for performing malware scanning of files stored within a file storage device of a computer network |
US20030115479A1 (en) * | 2001-12-14 | 2003-06-19 | Jonathan Edwards | Method and system for detecting computer malwares by scan of process memory after process initialization |
US20030120952A1 (en) * | 2001-12-26 | 2003-06-26 | Tarbotton Lee Codel Lawson | Malware scanning to create clean storage locations |
US20050021994A1 (en) * | 2003-07-21 | 2005-01-27 | Barton Christopher Andrew | Pre-approval of computer files during a malware detection |
Family Cites Families (51)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5442669A (en) | 1993-12-27 | 1995-08-15 | Medin; David L. | Perishable good integrity indicator |
US5485575A (en) | 1994-11-21 | 1996-01-16 | International Business Machines Corporation | Automatic analysis of a computer virus structure and means of attachment to its hosts |
US5812848A (en) | 1995-08-23 | 1998-09-22 | Symantec Corporation | Subclassing system for computer that operates with portable-executable (PE) modules |
US5826013A (en) | 1995-09-28 | 1998-10-20 | Symantec Corporation | Polymorphic virus detection module |
US5696822A (en) | 1995-09-28 | 1997-12-09 | Symantec Corporation | Polymorphic virus detection module |
US6357008B1 (en) | 1997-09-23 | 2002-03-12 | Symantec Corporation | Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases |
US6400476B1 (en) * | 1997-12-31 | 2002-06-04 | Cisco Photonics Italy S.R.L. | Method and apparatus for transparent optical communication with two-fiber bidirectional ring with autoprotection and management of low priority traffic |
US6192512B1 (en) | 1998-09-24 | 2001-02-20 | International Business Machines Corporation | Interpreter with virtualized interface |
JP3837244B2 (en) | 1998-10-23 | 2006-10-25 | 松下電器産業株式会社 | Program linking apparatus and method |
US6851057B1 (en) | 1999-11-30 | 2005-02-01 | Symantec Corporation | Data driven detection of viruses |
US6971019B1 (en) | 2000-03-14 | 2005-11-29 | Symantec Corporation | Histogram-based virus detection |
US6775780B1 (en) | 2000-03-16 | 2004-08-10 | Networks Associates Technology, Inc. | Detecting malicious software by analyzing patterns of system calls generated during emulation |
US6735703B1 (en) | 2000-05-08 | 2004-05-11 | Networks Associates Technology, Inc. | Multi-platform sequence-based anomaly detection wrapper |
US6973577B1 (en) | 2000-05-26 | 2005-12-06 | Mcafee, Inc. | System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state |
US6973578B1 (en) | 2000-05-31 | 2005-12-06 | Networks Associates Technology, Inc. | System, method and computer program product for process-based selection of virus detection actions |
US6931540B1 (en) | 2000-05-31 | 2005-08-16 | Networks Associates Technology, Inc. | System, method and computer program product for selecting virus detection actions based on a process by which files are being accessed |
US7069583B2 (en) * | 2000-07-14 | 2006-06-27 | Computer Associates Think, Inc. | Detection of polymorphic virus code using dataflow analysis |
US6954861B2 (en) | 2000-07-14 | 2005-10-11 | America Online, Inc. | Identifying unauthorized communication systems based on their memory contents |
US7093239B1 (en) | 2000-07-14 | 2006-08-15 | Internet Security Systems, Inc. | Computer immune system and method for detecting unwanted code in a computer system |
US7178166B1 (en) | 2000-09-19 | 2007-02-13 | Internet Security Systems, Inc. | Vulnerability assessment and authentication of a computer by a local scanner |
US7150045B2 (en) | 2000-12-14 | 2006-12-12 | Widevine Technologies, Inc. | Method and apparatus for protection of electronic media |
US7328453B2 (en) | 2001-05-09 | 2008-02-05 | Ecd Systems, Inc. | Systems and methods for the prevention of unauthorized use and manipulation of digital content |
US7421587B2 (en) | 2001-07-26 | 2008-09-02 | Mcafee, Inc. | Detecting computer programs within packed computer files |
US20040010703A1 (en) | 2001-08-01 | 2004-01-15 | Networks Associates Technology, Inc. | Persistent storage access system and method for a wireless malware scan engine |
US7234167B2 (en) | 2001-09-06 | 2007-06-19 | Mcafee, Inc. | Automatic builder of detection and cleaning routines for computer viruses |
US7506374B2 (en) | 2001-10-31 | 2009-03-17 | Computer Associates Think, Inc. | Memory scanning system and method |
US6681972B1 (en) | 2002-03-19 | 2004-01-27 | J&C Tapocik, Inc. | Hands-free holder which will hold an airline ticket, an identification, credit cards and cash while worn around a user's neck |
JP2005522800A (en) | 2002-04-13 | 2005-07-28 | コンピュータ アソシエイツ シンク,インコーポレイテッド | System and method for detecting malicious code |
US7370360B2 (en) | 2002-05-13 | 2008-05-06 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine |
US7155742B1 (en) | 2002-05-16 | 2006-12-26 | Symantec Corporation | Countering infections to communications modules |
US7409717B1 (en) | 2002-05-23 | 2008-08-05 | Symantec Corporation | Metamorphic computer virus detection |
US7418729B2 (en) | 2002-07-19 | 2008-08-26 | Symantec Corporation | Heuristic detection of malicious computer code by page tracking |
GB2391965B (en) | 2002-08-14 | 2005-11-30 | Messagelabs Ltd | Method of, and system for, heuristically detecting viruses in executable code |
US7337471B2 (en) | 2002-10-07 | 2008-02-26 | Symantec Corporation | Selective detection of malicious computer code |
US7216367B2 (en) | 2003-02-21 | 2007-05-08 | Symantec Corporation | Safe memory scanning |
WO2004077294A1 (en) | 2003-02-26 | 2004-09-10 | Secure Ware Inc. | Unauthorized processing judgment method, data processing device, computer program, and recording medium |
US8171551B2 (en) | 2003-04-01 | 2012-05-01 | Mcafee, Inc. | Malware detection using external call characteristics |
GB2400197B (en) | 2003-04-03 | 2006-04-12 | Messagelabs Ltd | System for and method of detecting malware in macros and executable scripts |
US7231667B2 (en) | 2003-05-29 | 2007-06-12 | Computer Associates Think, Inc. | System and method for computer virus detection utilizing heuristic analysis |
US7644441B2 (en) | 2003-09-26 | 2010-01-05 | Cigital, Inc. | Methods for identifying malicious software |
US8627458B2 (en) | 2004-01-13 | 2014-01-07 | Mcafee, Inc. | Detecting malicious computer program activity using external program calls with dynamic rule sets |
US7620990B2 (en) | 2004-01-30 | 2009-11-17 | Microsoft Corporation | System and method for unpacking packed executables for malware evaluation |
US7913305B2 (en) | 2004-01-30 | 2011-03-22 | Microsoft Corporation | System and method for detecting malware in an executable code module according to the code module's exhibited behavior |
US7707634B2 (en) | 2004-01-30 | 2010-04-27 | Microsoft Corporation | System and method for detecting malware in executable scripts according to its functionality |
US20050262567A1 (en) | 2004-05-19 | 2005-11-24 | Itshak Carmona | Systems and methods for computer security |
US20050268112A1 (en) | 2004-05-28 | 2005-12-01 | Microsoft Corporation | Managing spyware and unwanted software through auto-start extensibility points |
US7568230B2 (en) | 2004-06-09 | 2009-07-28 | Lieberman Software Corporation | System for selective disablement and locking out of computer system objects |
US7596809B2 (en) | 2004-06-14 | 2009-09-29 | Lionic Corporation | System security approaches using multiple processing units |
US7401184B2 (en) | 2004-11-19 | 2008-07-15 | Intel Corporation | Matching memory transactions to cache line boundaries |
US7636856B2 (en) | 2004-12-06 | 2009-12-22 | Microsoft Corporation | Proactive computer malware protection through dynamic translation |
US7836504B2 (en) | 2005-03-01 | 2010-11-16 | Microsoft Corporation | On-access scan of memory for malware |
-
2005
- 2005-04-14 US US11/105,978 patent/US7349931B2/en active Active
-
2006
- 2006-04-14 EP EP06769824A patent/EP1872224A4/en not_active Withdrawn
- 2006-04-14 WO PCT/US2006/014004 patent/WO2006121572A2/en active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030074573A1 (en) * | 2001-10-15 | 2003-04-17 | Hursey Nell John | Malware scanning of compressed computer files |
US20030110391A1 (en) * | 2001-12-06 | 2003-06-12 | Wolff Daniel Joseph | Techniques for performing malware scanning of files stored within a file storage device of a computer network |
US20030115479A1 (en) * | 2001-12-14 | 2003-06-19 | Jonathan Edwards | Method and system for detecting computer malwares by scan of process memory after process initialization |
US20030120952A1 (en) * | 2001-12-26 | 2003-06-26 | Tarbotton Lee Codel Lawson | Malware scanning to create clean storage locations |
US20050021994A1 (en) * | 2003-07-21 | 2005-01-27 | Barton Christopher Andrew | Pre-approval of computer files during a malware detection |
Also Published As
Publication number | Publication date |
---|---|
WO2006121572A2 (en) | 2006-11-16 |
US7349931B2 (en) | 2008-03-25 |
EP1872224A4 (en) | 2010-05-26 |
EP1872224A2 (en) | 2008-01-02 |
US20060236397A1 (en) | 2006-10-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2006121572A3 (en) | System and method for scanning obfuscated files for pestware | |
WO2006110921A3 (en) | System and method for scanning memory for pestware offset signatures | |
WO2006004670A3 (en) | Methods and systems for managing data | |
DE602006012098D1 (en) | METHOD AND SYSTEM FOR ORGANIZING INCLUDED RECORDS IN A MOBILE RADIO DEVICE | |
ATE484144T1 (en) | SYSTEM AND METHOD FOR PROCESSING SECURE TRANSMISSIONS | |
JP2005303981A5 (en) | ||
TW200634622A (en) | Register file regions for a processing system | |
DE602006007019D1 (en) | RENEWABLE TRANSPORT TRACKING | |
WO2008085708A3 (en) | Data backup system and method associated therewith | |
WO2006029032A3 (en) | Methods, systems, and computer program products for implementing single-node and cluster snapshots | |
WO2007005048A3 (en) | Methods and apparatus for implementing context-dependent file security | |
WO2008115670A3 (en) | System and method for identifying content | |
WO2009105702A3 (en) | License auditing for distributed applications | |
EP1796002A3 (en) | Method and apparatus for efficiently storing and managing historical versions and replicas of computer data files | |
WO2005022321A3 (en) | Method, system, and program for personal data management using content-based replication | |
WO2006118896A3 (en) | Method and apparatus for detecting the falsification of metadata | |
WO2007126996A3 (en) | System and methods for enhanced metadata entry | |
WO2006104507A3 (en) | Systems and methods for using machine attributes to deter software piracy in an enterprise environment | |
WO2006039401A3 (en) | Method and system for filtering, organizing and presenting selected information technology information as a function of business dimensions | |
BRPI0713385A2 (en) | data storage, data collection and telemonitoring method, and telemonitoring system | |
IN2012DN03035A (en) | ||
WO2005101186A3 (en) | System, method and computer program product for extracting metadata faster than real-time | |
WO2007027211A3 (en) | System and method for scanning memory for pestware | |
EP1845471A3 (en) | Web-based method for accessing licensed products and features | |
NO20050051D0 (en) | Authentication information method and system fed into computer systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006769824 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: RU |