WO2007123492A1 - Method of safeguarding against malicious software (malware) - Google Patents
- Publication number
- WO2007123492A1 (PCT/SG2007/000113)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- server
- files
- user
- file
- virus
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Several methods for checking the spread of viruses in a computer are proposed, such as checking and verifying the integrity of Windows system files to prevent malicious programs from infecting the files, either by comparing byte for byte or by checksum such as MD5. A method to store the essential computer files, programs and registries in a secondary storage and allow for retrieval when required is also proposed.
Description
METHOD OF SAFEGUARDING AGAINST MALICIOUS SOFTWARE (MALWARE)
TECHNICAL FIELD OF INVENTION
The present invention relates to methods to safeguard computer systems from malicious software such as rootkits, spyware and viruses with minimal disruption to the user. This method involves the verification of the integrity of executable files, drivers, plug-ins, etc., by comparing their checksums with a library of known good checksums of the respective files stored on a secondary storage media such as a mobile phone, CD-ROM or server. If a mismatch is detected, the user is alerted and allowed to retrieve the original file from the secondary storage media.
BACKGROUND OF THE INVENTION
Viruses and worms spread mainly by placing themselves in, or attacking, the following:
1. certain parts of the registry which launch programs when Windows starts up, such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. certain parts of the registry such that they launch when a legitimate program is called, such as HKCR\exefile\shell\open\command
3. certain files such that they launch together with Windows, such as %SYSTEMROOT%\SYSTEM.INI
4. certain files such that they launch at the DOS prompt, e.g. AUTOEXEC.BAT, COMMAND.COM
5. the boot sector, File Allocation Table (FAT) and MFT of the system
It is anticipated that in the future, instead of just creating entries in the registry and SYSTEM.INI files, malicious software will scan the registry and startup files in Windows and attach the virus to the programs detected. This will launch legitimate programs as well as the virus, thus propagating the spread of the virus.
Currently, existing solutions are unable to handle unknown viruses. This is due to the design of existing solutions, which identify a virus by comparing it with a library of known virus signatures. Thus, when a new virus is out in the wild, vendors of existing solutions must first scramble to identify the virus, get the new signatures and push them out to the users' PCs. The delay induced by such a method can allow the virus to spread in the wild quickly. Another problem with existing antivirus solutions is that, because the virus is already in the system and loads at startup, it can do one of these things to prevent its identification by existing antivirus solutions:
1. Turn off the antivirus engine
2. Prevent access to the update site
3. Corrupt the new signature updates when they are downloaded
This effectively cripples the existing antivirus solutions and allows the virus to continue with its malicious intent. This is the same problem faced by existing solutions when they encounter rootkits. Rootkits are able to hide themselves from existing solutions because they are activated upon startup and hijack system controls to conceal their presence.
To beef up their solutions, most existing antivirus vendors also include a backup feature in their solutions. The problem with this is that if the system is contaminated with a virus when the user performs a backup, the virus is also archived, and upon restoration of the backup, the virus will reinfect the system. This is a common problem with the System Restore feature in Windows XP, which is why antivirus software vendors recommend turning off System Restore before scanning for viruses.
Windows has a built-in feature to check the integrity of critical system files, the Windows File Protection mechanism. However, the problem with this method is that the checksum for the integrity of the system is stored in the same PC as the system files, thus making it susceptible to attack by the virus. Hence, if a virus changes a critical system file such as kernel.dll, and changes the checksum of kernel.dll in NT5.DLL (the checksum file), the system can be compromised whilst bypassing the Windows File Protection mechanism. Alternatively, the virus or rootkit might just disable the Windows File Protection mechanism by modifying entries in the registry.
The biggest problem currently is that users might not even know that their system has been compromised. This is because most viruses and rootkits start up together with Windows and might compromise existing antivirus software solutions without the user knowing it. Through one of the methods of this invention, an integrity scan is performed using an operating system other than the operating system installed on the user's PC. This ensures that the operating system installed on the user's PC is clean at startup, and it can be used in conjunction with existing antivirus software solutions to ensure that the entire system is free from malware, viruses and rootkits.
MEANS TO SOLVE THE PROBLEM
This invention will scan the places mentioned above to check the integrity of the individual programs. If any changes are detected, the user will be alerted and will be allowed to retrieve the data from a secondary storage.
The secondary storage can be on a central server shared by many users. In this case, only one copy of the same checksum will be stored on the server. The rationale for this is that most of the files in Windows folder will be similar across all the computers, therefore, to conserve space, only one copy of the file which has the same checksums will be stored on the server. (Note : There can be instances of two files of the same name but with different checksums).
In addition, the entire registry or portion of it can also be stored onto the secondary storage for safekeeping and retrieval when the need arises.
The purpose of using checksums such as MD5 is such that only files which have been changed by the virus will be downloaded and restored instead of downloading everything.
Instead of storing the files on a central server, this method can also be used on a peer to peer network in case the users are worried about privacy issues.
DESCRIPTION OF EMBODIMENTS OF THE INVENTION
This invention will scan the places mentioned above to check the integrity of the individual programs. If any changes are detected, the user will be alerted and will be allowed to retrieve the data from a secondary storage.
The secondary storage can be on a central server shared by many users. In this case, only one copy of the same checksum will be stored on the server. The rationale for this is that most of the files in Windows folder will be similar across all the computers, therefore, to conserve space, only one copy of the file which has the same checksums will be stored on the server. (Note : There can be instances of two files of the same name but with different checksums).
In addition, the entire registry or portion of it can also be stored onto the secondary storage for safekeeping and retrieval when the need arises.
The purpose of using checksums such as MD5 is such that only files which have been changed by the virus will be downloaded and restored instead of downloading everything.
Instead of storing the files on a central server, this method can also be used on a peer to peer network in case the users are worried about privacy issues.
Example usage (assuming the secondary storage is on a central network server)
1) The user will do an initial scan of the system to gather the checksums of all the files in the Windows folder and files identified in the location above
2) The registry and checksums will be sent to the network server
3) If the checksum doesn't exist, the files will be uploaded into the server with the corresponding checksum
4) The user will perform regular scanning of the PC
5) If a change has been detected, the user can either accept the change or revert back to the original data which was stored on the server.
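The central-server procedure above, sketched as an added example (this is not code from the patent). It uses SHA-256 in place of the MD5 the text names, because MD5 collisions are practical and would let two different files share a baseline entry; `BaselineServer`, the user names and all file contents are hypothetical, constructed values.

```python
import hashlib
import tempfile
from pathlib import Path


def scan(root):
    """Client side: map each file's relative path to its SHA-256 digest."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


class BaselineServer:
    """Hypothetical server: one stored copy per digest, one manifest per user."""

    def __init__(self):
        self.blobs = {}      # digest -> file content, stored once for all users
        self.manifests = {}  # user -> {relative path: digest}

    def enroll(self, user, manifest):
        """Record the user's baseline; return the digests the server lacks."""
        self.manifests[user] = dict(manifest)
        return sorted({d for d in manifest.values() if d not in self.blobs})

    def upload(self, digest, content):
        """Accept a file only if it really hashes to the claimed digest."""
        if hashlib.sha256(content).hexdigest() != digest:
            raise ValueError("content does not match claimed digest")
        self.blobs.setdefault(digest, content)

    def compare(self, user, current):
        """Server-side comparison of a fresh scan against the baseline."""
        base = self.manifests[user]
        return {
            "modified": sorted(p for p in base if p in current and current[p] != base[p]),
            "missing": sorted(p for p in base if p not in current),
            "unexpected": sorted(p for p in current if p not in base),
        }

    def restore(self, user, rel_path):
        """Return the known-good content recorded for one path."""
        return self.blobs[self.manifests[user][rel_path]]


def enroll_client(server, user, root):
    """Steps 1-3: scan, send checksums, upload only files the server lacks."""
    manifest = scan(root)
    wanted = set(server.enroll(user, manifest))
    uploaded = 0
    for rel, digest in manifest.items():
        if digest in wanted:
            server.upload(digest, (Path(root) / rel).read_bytes())
            wanted.discard(digest)
            uploaded += 1
    return uploaded


def demo():
    """Constructed sample: two PCs that share one identical system file."""
    server = BaselineServer()
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        pc_a, pc_b = Path(a), Path(b)
        for pc in (pc_a, pc_b):
            (pc / "system").mkdir()
            (pc / "system" / "kernel.dll").write_bytes(b"known-good kernel image")
        (pc_a / "system.ini").write_bytes(b"[boot]\nshell=explorer.exe\n")

        uploads = (enroll_client(server, "alice", pc_a),
                   enroll_client(server, "bob", pc_b))

        # Steps 4-5: changes a later scan of alice's PC should surface.
        (pc_a / "system" / "kernel.dll").write_bytes(b"known-good kernel image+x")
        (pc_a / "system.ini").unlink()
        (pc_a / "system" / "dropper.exe").write_bytes(b"constructed unknown file")

        report = server.compare("alice", scan(pc_a))
        restored = server.restore("alice", "system/kernel.dll")
        return uploads, len(server.blobs), report, restored


if __name__ == "__main__":
    print(demo())
```

The second PC uploads nothing because its only file is already held under the same digest, which is the single-copy storage the description relies on.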
Example usage (peer to peer network)
1) The user will do an initial scan of the system to gather the checksums of all the files in the Windows folder and files identified in the location above
2) The registry and checksums will be sent to network server
3) The user will perform regular scanning of the PC
4) If a change has been detected, the user can choose to accept the change or revert back to the original data
5) If the user chooses to revert back to the original data, the server will scan the logged in users to see who has a file with the matching checksum
6) The owner of the file with the matching checksum will be sent to the user
Example of checking for virus
1) The user will do an initial scan of the system to gather the checksums of all the files in the Windows folder and files identified in the location above
2) The registry and checksums will be sent to the network server
3) If the checksum doesn't exist, the files will be uploaded into the server with the corresponding checksum
4) Files uploaded into the server will be scanned for viruses
5) The user will perform regular scanning of the PC
6) If a change has been detected, the user can choose to accept the change or revert back to the original data
7) If the user chooses to revert back to the original data, the server will scan the logged in users to see who has a file with the matching checksum
8) If the change requires the sending of files to the server, the files which are sent to the server will be scanned for viruses
Example of updating security patches
1) The user will do an initial scan of the system to gather the checksums of all the files in the Windows folder and files identified in the location above
2) The registry and checksums will be sent to the network server
3) The network administrator will add the latest file (eg KERNEL.DLL) to the network and obtain the checksum for the file
4) The network administrator will then change the checksum for the old file (KERNEL.DLL) of the user to the new checksum
5) When the user next logs in, they will be alerted of the difference between the checksum on their system and the one on the central server
6) The user can then choose to update the file on their system with the one on the central server
Example of Boot up and scan
1) The user puts the CD into the drive and powers up the computer
2) The CD scans the system folders, executable files, registry etc and gets the checksum
3) It then logs in to the server with the read-only password of the user and submits the checksum to the server for comparison with the server's library
4) If there is any mismatch, the user will be notified and can either
   1. update the server's information of the file (this can only be done using the administrator password of the user id), or
   2. download the original file from the server
5) Upon completion of the scan, the program transfers control over to the operating system, such as Windows XP, to boot up as normal.
This ensures that every time the system is started up, it is not contaminated with any malware, rootkits or virus.
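Steps 3 and 4 of the boot-up scan depend on one user id having two passwords with different access levels. The following added example (not code from the patent) shows that separation: the stored read-only password can submit checksums for comparison, but changing the server's baseline requires the second password. `Account`, `ChecksumServer`, `Session`, the PBKDF2 parameters and all passwords and file contents are hypothetical, constructed values.

```python
import hashlib
import hmac
import os

READ_ONLY, UPDATE = "read-only", "update"


def _derive(password, salt):
    """Salted, slow hash so the server never stores either password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """One user id with two passwords, each mapped to an access level."""

    def __init__(self, read_only_pw, update_pw):
        if read_only_pw == update_pw:
            raise ValueError("the two passwords must differ")
        self._creds = []
        for role, pw in ((READ_ONLY, read_only_pw), (UPDATE, update_pw)):
            salt = os.urandom(16)
            self._creds.append((role, salt, _derive(pw, salt)))

    def role_for(self, password):
        """Return the access level this password grants, or None."""
        found = None
        for role, salt, stored in self._creds:
            # Check every credential so timing does not show which one matched.
            if hmac.compare_digest(_derive(password, salt), stored):
                found = role
        return found


class Session:
    def __init__(self, server, user, role):
        self._server, self.user, self.role = server, user, role

    def mismatches(self, scanned):
        """Read-only operation: paths whose digest differs from the baseline."""
        base = self._server.baseline.get(self.user, {})
        return sorted(p for p, d in scanned.items() if base.get(p) != d)

    def accept_change(self, path, digest):
        """Baseline update: refused unless the update password was used."""
        if self.role != UPDATE:
            raise PermissionError("update password required")
        self._server.baseline.setdefault(self.user, {})[path] = digest


class ChecksumServer:
    def __init__(self):
        self.accounts = {}  # user id -> Account
        self.baseline = {}  # user id -> {path: digest}

    def login(self, user, password):
        account = self.accounts.get(user)
        role = account.role_for(password) if account else None
        if role is None:
            raise PermissionError("login failed")
        return Session(self, user, role)


def demo():
    """Constructed scenario: a changed file is found during the boot scan."""
    server = ChecksumServer()
    server.accounts["alice"] = Account("constructed-read-pw", "constructed-update-pw")
    good = hashlib.sha256(b"known-good file").hexdigest()
    changed = hashlib.sha256(b"changed file").hexdigest()
    server.baseline["alice"] = {"system/kernel.dll": good}

    # Unattended scan: only the read-only password is stored on the PC.
    scan_session = server.login("alice", "constructed-read-pw")
    found = scan_session.mismatches({"system/kernel.dll": changed})
    try:
        scan_session.accept_change("system/kernel.dll", changed)
        blocked = False
    except PermissionError:
        blocked = True
    unchanged = server.baseline["alice"]["system/kernel.dll"] == good

    # The user reviews the alert and types the update password.
    admin = server.login("alice", "constructed-update-pw")
    admin.accept_change("system/kernel.dll", changed)
    updated = server.baseline["alice"]["system/kernel.dll"] == changed
    return found, blocked, unchanged, updated


if __name__ == "__main__":
    print(demo())
```

Anything running on the PC that recovers the stored read-only password can still read the comparison results, so the protection covers the integrity of the baseline, not its confidentiality.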
The description of the system, procedures and workings of the methods described herein has been given for purpose of illustration herein. The embodiments are merely preferred examples and not to be construed as limiting the scope of the present invention.
Having described preferred embodiments of the invention, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention as defined in the claims.
ADVANTAGEOUS EFFECTS OF THE INVENTION
1. The invention offers safe and low cost methods to safeguard personal computers against damage caused by malicious software (eg computer viruses, rootkits, spyware, adware etc).
2. By checking file integrity instead of identifying viruses by signature, unknown viruses can be identified. In addition, if a file is corrupted or deleted by a virus, its original file can be retrieved.
3. By storing the checksum of files and registry data on a server, it makes it easy to restore the system to the last working good state. For example, in the case of disaster recovery, a system at the secondary business site could be formatted and restored by scanning the system and updating the files and registry in accordance with the data on the server.
4. By using a different password for each access level for the same user id to log in, it allows for logging in without user intervention by storing the read-only password on the PC, and yet it is able to prevent a virus from automatically updating itself in the server by requiring the user to enter the "update" password when an update is invoked by the user.
5. By calculating the necessary file checksums and transferring the checksums obtained to a server for comparison, less time is required for this operation as compared to traditional solutions where comparison is done on the PC itself. This minimises disruption to users whilst ensuring that the system they are using is free from malware at startup.
6. The process of transferring the checksum to the server for comparison, as opposed to downloading the checksum from the server, makes the checking more secure, as a virus may be smart enough to attack the checksum or signature files downloaded from a server.
Claims
1. A method for checking for computer viruses by scanning the files detected in certain parts of the registry (eg startup locations, browser plug-ins) and Windows startup files (eg Win.ini, System.ini, autoexec.bat, config.sys), comparing their checksums with a baseline in the event that a virus may scan the said locations to specifically infect the files identified in those location.
2. A method for checking for virus by comparing the checksums of files with a whitelist. The whitelist contains the checksums of all legitimate versions of the files and can be stored on the PC itself or the secondary storage media such as a mobile phone, CD-ROM or server. In addition, the whitelist, can also contain a list of files allowed and should in the respective folder.
3. The method as claimed in Claim 2 to check and verify the integrity of Windows system folders to prevent malicious program from being deposited in there.
4. A method as claimed in Claim 2 to check and verify the integrity of Windows system folders and essential files from being deleted by malicious programs.
5. A method to store the files Window system files, Window System folders and essential files into a secondary storage such as a mobile phone, or server and allow for retrieval when required.
6. A method for verifying the integrity Windows File Protection catalog file (eg NT5.CAT, NT5INF.CAT in WinXP system) by comparing it with the whitelist on the PC or by sending the catalog file to a server to be compared to the whitelist at the server.
7. A method for identifying virus in a computer system as claimed in any one of the preceding Claims where the file being uploaded to the server is scanned at the server end for viruses.
8. A method for identifying a virus in a computer system as claimed in any one of the preceding claims based on the checksum sent to the server.
9. A method for allowing system administrators to check whether the appropriate patches have been installed into the system by observing the checksums of the system files uploaded by the user
10. A method for detecting malicious software in a computer system by downloading the whitelist of checksums from secondary storage and comparing it with the checksums obtained from the files in the system.
11. A method for updating patches or reverting to an earlier version of a file by changing the value of the checksum of the respective file on the server to the value of the version required. Thus, when a scan is performed as specified in the preceding claims, the software will detect the mismatch and download the required version to the user's system.
12. A Method for the use of two or more password for a single user id which gives different access levels for the respective password for logging into the server or into the local PC.
Eg 1 : A user might have an id "useri " with password "1234" to log in and have access to read and make changes to his files on the server. Another password eg "2345" might be added on to the same user id to have access to read the files, but not make any changes to it. The reason for this is that when the automated process of scanning the file is done and transmitted to the network, the read-only password can be stored in the PC such that the user does not need to keep keying it in every time the program does a scan. Only if changes need to be made to the data in the network, then only will the user key in the supervisory password to allow the change. This will provide a hassle free experience for the user by storing a lower level password on the local PC and yet, maintain the security of the account on the server.
Eg 2 : A user might have an id "useri " with password "1234" to log in and have access to read and write emails. Another password eg "2345" might be added on to the same user id to have only read access to read new emails. The advantage of this is that if the read only password has been compromised when the user visits a cyber cafe, the damage will be contained and the read only password can be reset using the supervisory password "1234"
13. A Method for detecting computer virus and malicious software by further including a method to scan running processes, calculate the checksum and transfer it to the server for comparison. This serves to ensure that the integrity of the running processes are not compromise as well as to inform the user of suspicious processes that may be running in the background by comparing it with a library of legitimate processes in the server.
14. A Method for detecting computer virus and malicious software by further including a method to upload a list of approved programs allowed to pass through the firewall to the server for comparison with the server database, thereby allowing the server to compare the list with its database and notify the user if any of the programs in the list appears suspicious
15. A Method for sharing the quota based on the number of users who has the same file in the server such that the quota consumed by the individual user is less that of the original file.
Example: User A uploads a file of 10 Mb with checksum ABCDE to the server, thereby using 10Mb of his allocated quota. The file is stored in the server and a link is created to point to it. At a later point in time, User B uploads the same file of 10Mb with the same checksum ABCDE to the server. A link can be created to point to the same file which User A has uploaded earlier. Now, instead of having two exact same files on the server, only one copy of the file is stored in the server and links are created to it. The quota used for both User A and User B can be reduced to 10/2 = 5Mb (or some other formula can be used), thus a means of splitting the quota between two users can be achieved.
16. A Method for detecting computer virus and malicious software by further including a method for the system to boot up first from a secondary media (eg CD, DVD, USB drive, mobile phone) to
   i. Scan the integrity of the system files, registry and user selected files
   ii. Transfer the data obtained in (i) to the server for comparison
   iii. Transfer control to the operating system on the PC
   all without user intervention
17. A Method for detecting computer virus and malicious software by further including a method for the system prior to shutting down to
   i. Reboot the system
   ii. Boot up from a secondary media (eg CD, DVD, USB drive, mobile phone) to
      a. Scan the integrity of the system files, registry and user selected files
      b. Transfer the data obtained in (ii)(a) to the server for comparison
      c. Shut down the system
18. A method for converting a mobile phone or PDA into a USB thumbdrive. This can then be used to store the system files, registry and user selected files on the mobile phone or PDA which can be used later to recover the respective files and registry data in the event of data corruption or virus attack. In addition, it can also be used to store user data such as "My Documents" in Windows or "/usr/home/user" in Linux/Unix on the mobile phone to act as a backup in the event of data corruption due to virus attack and/or to allow for portability of data such that the user will be able to carry the data to function as a thumb drive.
19. A method for detecting computer virus and malicious software further including a method for converting the mobile phone or PDA to function as a bootable USB drive. This will serve to perform the functions stated in claims 16 and 17 with the additional advantage of being able to transfer the checksums via the mobile phone or PDA's connection to the Internet (e.g. 3G, GPRS) to the server. In addition, it can also serve as a bootable USB drive to allow for recovery in the event of a system crash.
20. A method for detecting computer virus and malicious software further including a method for a server or PC to scan a client PC to check the integrity of the system files, registry data and critical files and compare it with the checksums on the server.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| SG200602739-5A SG136828A1 (en) | 2006-04-25 | 2006-04-25 | Method of safeguarding against malicious software (malware) |
| SG200602739-5 | 2006-04-25 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2007123492A1 (en) | 2007-11-01 |
| WO2007123492A8 (en) | 2008-06-19 |
Family
ID=38625295
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/SG2007/000113 Ceased WO2007123492A1 (en) | 2006-04-25 | 2007-04-24 | Method of safeguarding against malicious software (malware) |
Country Status (2)
| Country | Link |
|---|---|
| SG (1) | SG136828A1 (en) |
| WO (1) | WO2007123492A1 (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5613002A (en) * | 1994-11-21 | 1997-03-18 | International Business Machines Corporation | Generic disinfection of programs infected with a computer virus |
| WO1999038076A1 (en) * | 1998-01-22 | 1999-07-29 | Symantec Corporation | Computer file integrity verification |
| WO2002084939A1 (en) * | 2001-04-10 | 2002-10-24 | Mark Zielinski | System and method for securely executing a executable to preserve the integrity of files from unauthorized access for network security |
| GB2400933A (en) * | 2003-04-25 | 2004-10-27 | Messagelabs Ltd | Identifying a file, and checking if it contains a virus |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090083852A1 (en) * | 2007-09-26 | 2009-03-26 | Microsoft Corporation | Whitelist and Blacklist Identification Data |
| US8214895B2 (en) * | 2007-09-26 | 2012-07-03 | Microsoft Corporation | Whitelist and blacklist identification data |
| CN102855439A (en) * | 2012-07-26 | 2013-01-02 | 深圳市赛格导航科技股份有限公司 | Executable file self-checking method and device |
| CN109977669A (en) * | 2017-12-28 | 2019-07-05 | 腾讯科技(深圳)有限公司 | Viral recognition methods, device and computer equipment |
| CN109977669B (en) * | 2017-12-28 | 2022-05-20 | 腾讯科技(深圳)有限公司 | Virus identification method and device and computer equipment |
| CN116611068A (en) * | 2023-07-21 | 2023-08-18 | 北京安天网络安全技术有限公司 | File scanning method based on confusion path, electronic equipment and storage medium |
| CN116611068B (en) * | 2023-07-21 | 2023-09-29 | 北京安天网络安全技术有限公司 | File scanning method based on confusion path, electronic equipment and storage medium |
| CN119603054A (en) * | 2024-12-05 | 2025-03-11 | 中国工商银行股份有限公司 | Mobile storage device protection method, device, equipment and medium for intranet |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2007123492A8 (en) | 2008-06-19 |
| SG136828A1 (en) | 2007-11-29 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07748658; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 07748658; Country of ref document: EP; Kind code of ref document: A1 |