WO2017216774A1 - Method for identifying and removing malicious software - Google Patents
Method for identifying and removing malicious software
- Publication number
- WO2017216774A1 (PCT/IB2017/053606)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- specific file
- remote server
- file
- identifying
- blacklist
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Definitions
- PCT Patent Cooperation Treaty
- the present invention relates generally to a method of protecting a user's web browser from undesired add-ons and extensions. More specifically, the present invention identifies and disables malicious programs, files, and browser extensions.
- when users install browser add-ons or extensions, hereafter referred to as "extensions," this often results in certain settings being changed in a way that the user potentially did not want or expect.
- when settings such as the default search engine and new tab page are changed unexpectedly, it is very frustrating and degrades the user's overall experience of browsing the Internet.
- some browser extension developers purposefully include these unwanted settings changes, such as changing the default search provider, in their extensions.
- these browser extensions can exhibit other malicious behaviors such as not functioning as advertised, tracking personal information, and installing malware on the user's computer.
- the present invention is a method which monitors and searches for any installation of extensions known to cause problems. For example, one possible scenario occurs when the user is surfing for movies and suddenly receives a popup that contains what looks like, but is not, a video download button. If the user clicks it, the user observes that there is now a toolbar on their browser which changed his/her search settings, etc. unexpectedly.
- the present invention is notable because it checks for such problems at the moment of installation. There are extensions out there that remove all extensions on the user's computer. However, this method is often considered excessive.
- the present invention is a browser extension that resides on the user's PC and monitors other extensions. When an extension that exhibits unwanted/undesirable behavior is installed, it will be disabled and/or uninstalled by the monitoring extension.
- the present invention instead checks the extensions against a database and removes the known bad actors.
- the present invention takes a list of all the browser extension IDs on the user's computer, and sends it over to the remote server. The server checks to see if any of those IDs are known bad actors. It will return the list of matches and dispose of them.
- the present invention can prompt the user to remove or de-activate the offending extension manually.
- the monitoring extension performs this check for extensions that are potentially undesirable. Checks will occur periodically and at other certain points in the extension's lifecycle. This is a more customized solution, compared to the prior art. It is more surgical, and not a blanket solution prone to excess.
- FIG. 1 is a block diagram illustrating the communication between the components of the system required to execute the method of the present invention.
- FIG. 2 is a flowchart illustrating the overall method of the present invention.
- FIG. 3 is a flowchart illustrating the sub-process for selecting one or more personal files to be scanned for malicious code using the present invention.
- FIG. 4 is a flowchart illustrating the sub-process for scanning newly downloaded files using the present invention.
- FIG. 5 is a flowchart illustrating the sub-process for initiating a periodic scan using the present invention.
- FIG. 6 is a flowchart illustrating the sub-process for performing the sandboxed-evaluation process using the present invention.
- FIG. 7 is a flowchart illustrating the sub-process for performing the threat remediation process using the present invention.
- FIG. 8 is a flowchart illustrating the sub-process for selecting and executing a delete command for the threat remediation process using the present invention.
- FIG. 9 is a flowchart illustrating the sub-process for selecting and executing a quarantine command for the threat remediation process using the present invention.
- FIG. 10 is a flowchart illustrating the sub-process for distributing targeted advertisements using the present invention.
- the present invention is a method for keeping a user's computing device free of malicious files including, but not limited to, documents, programs, and browser extensions.
- the present invention makes use of an automated scanning function and a manual scanning function to identify and disable malicious files on the user's computing device.
- the term "malicious files" is used herein to refer to files containing malicious code or viruses.
- the present invention can operate as a real-time scanning system that identifies malicious files as they are downloaded or installed onto the user's computing device.
- the present invention can operate as a manual or periodic scanning system that either performs a scan when directed, or performs the scan on a fixed schedule.
- the scanning function of the present invention is designed to identify malicious files by comparing the files to a blacklist. Additionally, the present invention makes use of a sandboxing system that tests files to determine whether or not the files are malicious. Another aspect of the present invention recommends programs and services that the user may find useful.
- the overall method of the present invention makes use of a system that provides a personal computing (PC) device communicably coupled to at least one remote server (Step A).
- the PC device used to interact with the present invention can be, but is not limited to, a smart-phone, a laptop, a desktop, or a tablet PC.
- the remote server is used to execute a number of internal processes for the present invention and to communicate malicious code information to the PC device.
- the PC device contains a plurality of personal files, each of which is associated with a corresponding program identifier (PID).
- PID program identifier
- the plurality of personal files is a collection of documents, programs, and program extensions that are stored on the user's PC device.
- the PID is the identifier that the present invention uses to differentiate between each of the plurality of personal files.
- the overall method of the present invention also provides a blacklist and a whitelist that are managed by the remote server (Step B).
- the blacklist is a list of PIDs that are associated with personal files which are known to contain malicious code.
- the whitelist is a list of PIDs that are associated with personal files which are known to be free of malicious code.
- the PC device, the remote server, the blacklist, and the whitelist are the elements of the system that are required to execute the method of the present invention.
- the overall method of the present invention continues by receiving a scan request for at least one specific file with the PC device (Step C).
- the scan request is a command that directs the method of the present invention to initiate a malicious code scan of the PC device.
- the at least one specific file is the file that will be scanned for malicious code.
- the at least one specific file is one or more personal files that the method of the present invention will scan for malicious code.
- the overall method of the present invention continues by executing a sandboxed-evaluation process for the specific file with the remote server in order to append the corresponding PID of the specific file to either the blacklist or the whitelist, if the corresponding PID for the specific file is not on either the blacklist or the whitelist (Step D).
- the sandboxed-evaluation process is a sub- process of the overall method of the present invention that determines if the specific file contains malicious code. If the specific file is determined to contain malicious code, then the corresponding PID is added to the blacklist. Conversely, if the specific file is found to be without malicious code, then the corresponding PID is added to the whitelist.
- this sandboxed-evaluation process is executed on an isolated virtual machine that prevents the malicious code from negatively affecting the PC device or the remote server.
- the overall method of the present invention continues by executing a threat remediation process for the specific file with the remote server, if the
- the threat remediation process is a sub-process that is used to remove or disable a personal file that is found to contain malicious code.
- the present invention is designed to give the user multiple options as to what personal files should be scanned and when the scanning should occur.
- the present invention includes a sub-process that enables the user to select at least one file that should be scanned.
- the sub-process begins by prompting to select at least one desired file from the plurality of personal files with the PC device.
- the at least one desired file is one or more personal files that the user would like to have scanned for malicious code.
- the sub-process continues by designating the at least one desired file as the at least one specific file with the PC device before Step C. This step prepares the method of the present invention to scan the desired file for malicious code. Additionally, this sub-process enables the user to manually initiate a malicious code scan on one or more personal files.
- a separate sub-process of the method of the present invention is used to automatically initiate a scan every time the user downloads a new file.
- This sub-process begins when the user completes downloading a new file onto the PC device.
- the sub-process continues by appending the new file into the plurality of personal files with the PC device.
- the sub-process is initiated and the new file is added to the plurality of personal files.
- the new file can be scanned for malicious code.
- the sub-process continues by designating the new file as the at least one specific file with the PC device before Step C. This step prepares the method of the present invention to scan the new file for malicious code.
- another separate sub-process of the overall method of the present invention is used to execute periodic scans of the plurality of personal files stored on the user's PC device.
- the sub-process begins by prompting to select a time interval for the plurality of personal files with the PC device.
- the time interval is the length of time that will elapse between automated scans of the user's PC device. For example, if the user selects a twelve-hour time interval then the system will execute a scan of the plurality of personal files stored on the user's PC device every twelve hours.
- the present invention can be used with a preset time interval that the user does not control.
- the sub-process continues by designating all of the plurality of personal files as the at least one specific file with the PC device before Step C. This directs the method of the present invention to scan all of the personal files that are available on the user's PC device. Finally, the sub-process continues by periodically executing Step C through Step E at the time interval. This step initializes the periodic scan that occurs whenever the time interval has elapsed.
- the present invention is designed with a sub-process that is used to determine if an unrecognized personal file contains malicious code.
- the present invention is designed to perform this characterization in real-time and on demand. This sub-process is initiated when the corresponding PID of the specific file is not on either the blacklist or the whitelist (Step F). If the PID of the specific file is not found in the blacklist or the whitelist, then the method of the present invention designates the specific file as an unrecognized file.
- the sandboxed-evaluation process is designed to identify malicious code within any unrecognized file. Additionally, the sandboxed-evaluation process can be set to periodically check the programs on the black list and the whitelist for malicious code. This functionality maintains the integrity of the blacklist and the whitelist even as programs are updated.
- the sub-process continues by generating a sandboxed virtual machine with the remote server (Step G).
- the sandboxed virtual machine is an isolated virtualized environment that the remote server creates to test the unrecognized file.
- the sub-process continues by installing a virtual copy of the specific file on to the sandboxed virtual machine with the remote server (Step H).
- the virtual copy is a copy of the unrecognized file that is safely installed onto the sandboxed virtual machine. Once installed the virtual copy can be manipulated by the processes of the remote server without damaging the PC device or the remote server.
- the sub-process continues by performing a malicious-code scan on the virtual copy of the specific file with the remote server in order to detect malicious code on the virtual copy of the specific file (Step I).
- the malicious-code scan is a routine that tests the virtual copy to determine if any included code can be classified as malicious. Specifically, the malicious-code scan determines if the specific file that was used to create the virtual copy poses a threat to the user's PC device. Additionally, the malicious-code scan determines if the specific file exhibits unauthorized behaviors including, but not limited to, tracking the user's web browsing, reporting personal information, or otherwise impinging on the user's privacy. In this way, the sandboxed-evaluation process protects the user's privacy and personal information.
- the sub-process continues by appending the corresponding PID of the specific file onto the blacklist with the remote server, if the malicious-code scan does detect malicious code on the virtual copy of the specific file (Step J).
- the sub-process is used to automatically update the blacklist with the PID of the specific file that was found to contain malicious code.
- the sub-process continues by appending the corresponding PID of the specific file onto the whitelist with the remote server, if the malicious-code scan does not detect malicious code on the virtual copy of the specific file during Step D (Step K).
- the sub-process automatically updates the blacklist and the whitelist with PIDs that were once unknown. In this way, the present invention becomes better at recognizing threats as time goes on.
- the method of the present invention initiates the threat remediation process.
- the threat remediation process begins by providing a plurality of remediation commands for the threat-remediation process (Step L).
- the plurality of remediation commands is a collection of commands that instruct the method of the present invention how to deal with malicious pieces of code. Additionally, the plurality of remediation commands is stored on the remote server and transmitted to the PC device once the threat remediation process is initiated.
- the sub-process continues by prompting to select a desired command for the specific file with the PC device (Step M).
- the desired command is any one of the plurality of remediation commands that the user would like to execute. This gives the user the choice of how to deal with a personal file that contains malicious code.
- the sub-process continues by executing the desired command for the specific file with the PC device during Step E (Step N).
- the sub-process then performs the user's desired command and the threat remediation is complete.
- the threat remediation process can be automated. That is, the user selects a desired command from the plurality of remediation commands only once. Afterward, all threat remediation processes would automatically implement this remediation command.
- the user would like to delete the personal file found to contain malicious code.
- the user selects the desired command as a delete command.
- the threat remediation command can be preset and the user is never given the option to select a desired command.
- the sub-process then continues by uninstalling the specific file from the PC device during Step N. Uninstalling the specific file removes the file from the user's PC device and therefore shields the user from harm.
- the user would like to quarantine the personal file found to contain malicious code. In this instance, the user selects the desired command as a quarantine command.
- the sub-process then continues by disabling the specific file on the PC device during step N. Disabling the specific file does not remove the file from the user's PC device. However, the specific file is disabled and the user is shielded from harm.
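The triage and remediation flow described above (Steps C through N) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or any product implementing it. It assumes the PID is a SHA-256 of the file content (the patent leaves the identifier format open), simulates the sandboxed evaluation with a constructed rule (a file is treated as malicious when it carries the marker `CHANGE_DEFAULT_SEARCH`, standing in for the unwanted settings change the text describes), and uses constructed sample files. What it shows beyond the text is the caching effect of Steps J and K: a file whose PID is already on a list is never sandboxed again, so the second and third scans hit the lists instead of the evaluator.

```python
"""Added example: blacklist/whitelist triage with sandbox learning and
client-side remediation. Not the patent's code; names and data are constructed."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BLACKLISTED = "blacklisted"
    WHITELISTED = "whitelisted"


class Command(Enum):
    DELETE = "delete"
    QUARANTINE = "quarantine"


def pid_of(content: bytes) -> str:
    # Assumption: the PID is a SHA-256 of the file content. The patent only
    # requires a per-file identifier and leaves its format open.
    return hashlib.sha256(content).hexdigest()


@dataclass
class RemoteServer:
    """Holds the blacklist and whitelist (Step B) and runs the evaluation."""
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    evaluations: int = 0  # number of sandbox runs, so the caching is observable

    def sandbox_evaluate(self, content: bytes) -> bool:
        """Stand-in for Steps G-I. A real server would install the copy in an
        isolated VM and observe its behaviour; here the verdict is a constructed
        rule: the file is malicious if it carries the marker
        b"CHANGE_DEFAULT_SEARCH" (the unwanted settings change the text describes)."""
        self.evaluations += 1
        return b"CHANGE_DEFAULT_SEARCH" in content

    def classify(self, pid: str, content: bytes) -> Verdict:
        """Step D with Steps J-K: consult the lists first, sandbox only
        unrecognized files, and record the result so the same PID is never
        evaluated twice."""
        if pid in self.blacklist:
            return Verdict.BLACKLISTED
        if pid in self.whitelist:
            return Verdict.WHITELISTED
        if self.sandbox_evaluate(content):
            self.blacklist.add(pid)
            return Verdict.BLACKLISTED
        self.whitelist.add(pid)
        return Verdict.WHITELISTED


@dataclass
class PCDevice:
    """Client side: the plurality of personal files plus remediation (Step N)."""
    files: dict = field(default_factory=dict)    # name -> content bytes
    disabled: set = field(default_factory=set)   # quarantined file names
    command: Command = Command.QUARANTINE        # preset desired command (Step M)

    def scan(self, server: RemoteServer, names=None) -> dict:
        """Steps C-E for the named files; all files when names is None
        (the periodic full scan)."""
        targets = list(self.files) if names is None else list(names)
        results = {}
        for name in targets:
            content = self.files[name]
            verdict = server.classify(pid_of(content), content)
            if verdict is Verdict.BLACKLISTED and name not in self.disabled:
                self.remediate(name)
            results[name] = verdict
        return results

    def remediate(self, name: str) -> None:
        """Delete command uninstalls the file; quarantine command disables it."""
        if self.command is Command.DELETE:
            del self.files[name]
        else:
            self.disabled.add(name)


def demo():
    """First scan sandboxes every unknown file; a download triggers a scan of
    that file alone; the periodic rescan then evaluates nothing new."""
    server = RemoteServer()
    pc = PCDevice(files={
        "notes.txt": b"meeting notes",  # constructed benign file
        "video-downloader-ext": b"extension: CHANGE_DEFAULT_SEARCH to ads",  # constructed
    })
    first = pc.scan(server)
    pc.files["weather-ext"] = b"extension: show weather"  # newly downloaded file
    second = pc.scan(server, names=["weather-ext"])
    third = pc.scan(server)  # periodic scan: all three PIDs are now on a list
    return server, pc, first, second, third


if __name__ == "__main__":
    srv, dev, *_ = demo()
    print(f"sandbox runs: {srv.evaluations}, disabled: {sorted(dev.disabled)}")
```

The evaluation counter is the point to watch: after three scans covering three distinct files it stays at three, which is the "becomes better at recognizing threats as time goes on" property restated as a cache hit rate. Switching `command` to `Command.DELETE` exercises the uninstall path instead of quarantine.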
- the present invention, in addition to identifying malicious code, is designed to suggest products and services that would benefit the user.
- the method of the present invention employs a sub-process for distributing advertisements to the user.
- the sub-process begins by providing a plurality of advertisements stored on the remote server.
- the plurality of advertisements is a collection of promotional notifications that include pictures, videos, hyperlinks, and written information about specific products and services.
- the sub-process continues by retrieving at least one contextual identifier for each of the plurality of personal files with the remote server.
- the contextual identifier is a piece of metadata that is associated with each of the plurality of personal files.
- the sub-process continues by compiling the at least one contextual identifier for each of the plurality of personal files into a user summarization profile with the remote server.
- the summarization profile is created from an analysis of the contextual identifiers that are associated with each of the plurality of personal files. This step turns the disparate pieces of metadata into a profile of the user which reveals what types of products and services would best serve the user.
- the summarization profile may also include information from the user's web browsing history, and tasks that are frequently performed with the PC device.
- the sub-process continues by comparing the user summarization profile to each of the plurality of advertisements in order to identify at least one matching advertisement from the plurality of advertisements.
- the at least one matching advertisement is one or more of the advertisements that are stored in the remote server.
- the sub-process constructs a virtual profile of the user and then finds
- the sub-process continues by displaying the at least one matching advertisement with the PC device after Step E.
- the user is then presented with the matching advertisement in a format that can be easily interacted with.
- the method of the present invention preferably tracks if the user interacts with the matching advertisement. As a result, the method of the present invention can form longitudinal studies of the user's behavior and improve the summarization profile.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA3036007A CA3036007A1 (en) | 2016-06-16 | 2017-06-16 | Method for identifying and removing malicious software |
CN201780050520.5A CN109791586A (en) | 2016-06-16 | 2017-06-16 | Appreciation and the method for removing Malware |
AU2017283818A AU2017283818A1 (en) | 2016-06-16 | 2017-06-16 | Method for identifying and removing malicious software |
EP17812871.6A EP3475867A4 (en) | 2016-06-16 | 2017-06-16 | Method for identifying and removing malicious software |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201662350963P | 2016-06-16 | 2016-06-16 | |
US62/350,963 | 2016-06-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017216774A1 true WO2017216774A1 (en) | 2017-12-21 |
Family
ID=60664432
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2017/053606 WO2017216774A1 (en) | 2016-06-16 | 2017-06-16 | Method for identifying and removing malicious software |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP3475867A4 (en) |
CN (1) | CN109791586A (en) |
AU (1) | AU2017283818A1 (en) |
CA (1) | CA3036007A1 (en) |
WO (1) | WO2017216774A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20240070276A1 (en) * | 2021-02-08 | 2024-02-29 | Hewlett-Packard Development Company, L.P. | Malware scans |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030191966A1 (en) * | 2002-04-09 | 2003-10-09 | Cisco Technology, Inc. | System and method for detecting an infective element in a network environment |
WO2006052714A2 (en) * | 2004-11-09 | 2006-05-18 | Jeffory Atkinson | Apparatus and method for protection of communications systems |
US20060130141A1 (en) * | 2004-12-15 | 2006-06-15 | Microsoft Corporation | System and method of efficiently identifying and removing active malware from a computer |
WO2008017950A2 (en) * | 2006-08-10 | 2008-02-14 | Rudra Technologies Pte Ltd. | System and method for protecting a computer from malware (malicious software) in an executable file based on removal criteria |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8881284B1 (en) * | 2008-06-16 | 2014-11-04 | Symantec Operating Corporation | Method and system for secure network access using a virtual machine |
US8386506B2 (en) * | 2008-08-21 | 2013-02-26 | Yahoo! Inc. | System and method for context enhanced messaging |
US9047441B2 (en) * | 2011-05-24 | 2015-06-02 | Palo Alto Networks, Inc. | Malware analysis system |
US9245120B2 (en) * | 2012-07-13 | 2016-01-26 | Cisco Technologies, Inc. | Method and apparatus for retroactively detecting malicious or otherwise undesirable software as well as clean software through intelligent rescanning |
US8739287B1 (en) * | 2013-10-10 | 2014-05-27 | Kaspersky Lab Zao | Determining a security status of potentially malicious files |
CN105491053A (en) * | 2015-12-21 | 2016-04-13 | 用友网络科技股份有限公司 | Web malicious code detection method and system |
2017
- 2017-06-16 EP EP17812871.6A patent/EP3475867A4/en not_active Withdrawn
- 2017-06-16 WO PCT/IB2017/053606 patent/WO2017216774A1/en unknown
- 2017-06-16 CA CA3036007A patent/CA3036007A1/en not_active Abandoned
- 2017-06-16 AU AU2017283818A patent/AU2017283818A1/en not_active Abandoned
- 2017-06-16 CN CN201780050520.5A patent/CN109791586A/en active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP3475867A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN109791586A (en) | 2019-05-21 |
AU2017283818A1 (en) | 2019-03-28 |
CA3036007A1 (en) | 2017-12-21 |
EP3475867A4 (en) | 2019-07-03 |
EP3475867A1 (en) | 2019-05-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20170286684A1 (en) | Method for Identifying and Removing Malicious Software | |
JP6644001B2 (en) | Virus processing method, apparatus, system, device, and computer storage medium | |
JP4936294B2 (en) | Method and apparatus for dealing with malware | |
AU2011317734B2 (en) | Computer system analysis method and apparatus | |
JP6916818B2 (en) | Detecting vulnerable applications | |
US20150205960A1 (en) | Method of detecting a malware based on a white list | |
RU2487405C1 (en) | System and method for correcting antivirus records | |
US8732831B2 (en) | Detection of rogue software applications | |
US20060075494A1 (en) | Method and system for analyzing data for potential malware | |
US9288226B2 (en) | Detection of rogue software applications | |
CN105631312B (en) | The processing method and system of rogue program | |
US11227049B1 (en) | Systems and methods of detecting malicious PowerShell scripts | |
CA3002605C (en) | System and methods for detecting domain generation algorithm (dga) malware | |
WO2013037528A1 (en) | Malware scanning | |
US20070006311A1 (en) | System and method for managing pestware | |
CN105791250A (en) | Application detection method and device | |
EP3475867A1 (en) | Method for identifying and removing malicious software | |
Kasama et al. | Malware detection method by catching their random behavior in multiple executions | |
US11188644B2 (en) | Application behaviour control | |
Moreb | Malware Forensics for Volatile and Nonvolatile Memory in Mobile Devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17812871 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase |
Ref country code: DE |
ENP | Entry into the national phase |
Ref document number: 2017812871 Country of ref document: EP Effective date: 20190116 |
ENP | Entry into the national phase |
Ref document number: 3036007 Country of ref document: CA |
ENP | Entry into the national phase |
Ref document number: 2017283818 Country of ref document: AU Date of ref document: 20170616 Kind code of ref document: A |