WO2012143594A1 - Anti-virus scanning - Google Patents

Anti-virus scanning

Info

Publication number
WO2012143594A1
Authority
WO
WIPO (PCT)
Prior art keywords
scanning mode
passive scanning
software
virus application
computer program
Prior art date
Application number
PCT/FI2011/000025
Other languages
English (en)
Inventor
Pavel Turbin
Kai Nyman
Original Assignee
F-Secure Corporation
Priority date
Filing date
Publication date
Application filed by F-Secure Corporation
Priority to PCT/FI2011/000025
Publication of WO2012143594A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • the exemplary and non-limiting embodiments of the present application relate generally to methods, apparatuses and computer programs and, more specifically, relate to the field of anti-virus scanning.
  • Malware is short for malicious software. It is used as a term to refer to any software that is designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Malware can be a risk for any device, such as a personal computer (PC), laptop, personal data assistant (PDA) or mobile phone.
  • PC personal computer
  • PDA personal data assistant
  • Anti-virus applications are used to detect malware and possibly remove it from infected devices.
  • An anti-virus application detects malware using various methods, such as scanning, integrity checking and heuristic analysis. Of these methods, malware scanning involves examining objects, such as files, for a virus fingerprint or "signature" that is characteristic of a malware program.
  • the key success factor of the software is the performance of its anti-virus application. While files are being created or accessed, the anti-virus application scans them in the background. This background scanning slows down the normal user operations.
  • a method comprising: determining a passive scanning mode of an anti-virus application based on local software categorization and detected user network profile, the passive scanning mode defining adjustable scanning settings of the anti-virus application; and entering the passive scanning mode when configuration changes have not been detected for a predetermined period.
  • an apparatus comprising: at least one processor; and at least one memory including executable instructions, the at least one memory and the executable instructions being configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: determining a passive scanning mode of an anti-virus application based on local software categorization and detected user network profile, the passive scanning mode defining adjustable scanning settings of the anti-virus application; and entering the passive scanning mode when configuration changes have not been detected for a predetermined period.
  • a computer program comprising: code for determining a passive scanning mode of an anti-virus application based on local software categorization and detected user network profile, the passive scanning mode defining adjustable scanning settings of the anti-virus application; and code for entering the passive scanning mode when configuration changes have not been detected for a predetermined period when the computer program is run on a processor.
  • a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer, the computer program code comprising: code for determining a passive scanning mode of an anti-virus application based on local software categorization and detected user network profile, the passive scanning mode that defines adjustable scanning settings of the anti-virus application; and code for entering the passive scanning mode when configuration changes have not been detected for a predetermined period.
  • Figure 1 shows a simplified block diagram that illustrates an example of apparatuses according to the invention.
  • Figure 2 shows an example of a method for anti-virus scanning.
  • Figure 1 illustrates a general example of apparatuses in which the embodiments of the invention may be applied. It only shows the elements and functional entities that are required for understanding the arrangement according to an embodiment of the invention. Other components have been omitted for the sake of simplicity. The implementation of the elements and functional entities may vary from that shown in Figure 1.
  • the connections shown in Figure 1 are logical connections, and the actual physical connections may be different. It is apparent to a person skilled in the field that the arrangement may also comprise other functions and structures.
  • Figure 1 is a schematic illustration of an example of a computer system 1 that is suitable for implementing the methods that are described below.
  • the computer system 1 can be
  • the computer system 1 comprises a memory 2, a processor 3 and a transceiver 4.
  • the memory 2 stores the various programs or executable files that are implemented by the processor 3, and provides a computer system memory 5 that stores any data required by the computer system 1.
  • processor 3 can include an operating system unit 6, a scanning unit 7, a detection unit 8, and an inventory unit 9.
  • the memory 2 also provides a memory 10 that is used by the detection unit 8 and the inventory unit 9.
  • the scanning unit 7, the detection unit 8, the inventory unit 9 and the memory 10 can be sub-units of an anti-virus unit 11.
  • the transceiver 4 is used to communicate over a network 12 such as a LAN or the Internet.
  • typically, the computer system 1 may be a personal computer (PC), laptop, personal data assistant (PDA) or mobile phone, or any other suitable device.
  • Figure 2 is a flow diagram illustrating an example of an anti-virus scanning process. The method starts in 200 where local software is categorized and the user network profile is
  • the anti-virus application is running with enabled full scanning settings.
  • the anti-virus application may then execute a full system scan to detect infections already present.
  • the anti-virus application may also classify the installed software and perform an inventory of the local software.
  • the categorization of the local software may comprise an inventory of the local software
  • the inventory unit 9 may categorize and store the location of the local software, for example, find office suites, video editing software, music players, browsers, and so on.
  • associations between installed software and file types may be determined, for example, information on .DOC files being handled with MS Office.
  • the inventory may be made using background on
  • the anti-virus unit 11 also defines user network profiles in 200. This process may be handled in the detection unit 8.
  • the detection unit 8 resolves open ports on the current system, for example, accessed URLs (Uniform Resource Locator) and download locations.
  • the results of the categorizations and user network profile definitions may be stored in the memory 10.
  • a passive scanning mode of the anti-virus application is determined based on the local software categorizations and the defined user network profile.
  • the passive scanning mode settings are defined by the scanning unit 7.
  • the scanning unit 7 uses results from 200 to resolve the scanning levels to be used in the passive scanning mode.
  • the scanning levels of the anti-virus process may be reduced in the passive scanning mode.
  • in 204, it is detected whether configuration changes are taking place. In an embodiment, where configuration changes are not detected for a predetermined period, 206 is entered where the passive scanning mode is enabled. If configuration changes are still detected, then the full scanning mode of the anti-virus application is maintained.
  • the anti-virus application enters the passive scanning mode.
  • the scanning unit 7 has determined the scanning levels that are to be used.
  • the anti-virus scanning may bypass locally created documents when the passive scanning mode is enabled.
  • the anti-virus application may use inventory information to resolve created or opened documents, videos and other content. It is possible that this kind of data is skipped from anti-virus scanning.
  • automatic scheduled tasks may be disabled in the passive scanning mode.
  • the anti-virus application may turn off or reduce the scope of background tasks, such as running of scheduled full system scans, and active process list scanning.
  • heuristic levels for engines may be reduced in the passive scanning mode. Most anti-virus engines allow controlling the depth of their heuristics. In the passive scanning mode, the heuristic level may be set to minimal.
  • the on-access scanning level may be reduced in the passive scanning mode.
  • the anti-virus application scans files, for example, when files are opened, copied, renamed and executed.
  • the anti-virus application may, for example, scan on execution only.
  • the network scanning level may be reduced in the passive scanning mode.
  • the anti-virus application may, for example, perform network scanning only for previously unknown URLs of the current user profile.
  • the anti-virus application may gradually reduce the scanning level when running in passive scanning mode.
  • once the passive scanning mode is enabled, the scanning level of certain scanning processes may be reduced gradually over time, while the scanning level of other scanning processes may be reduced to the minimum, and certain scanning processes may be bypassed altogether.
  • the scanning levels are dynamically reduced or increased in the passive scanning mode.
  • the anti-virus application may exit the passive scanning mode due to several different reasons or triggers. For example, if configuration changes are detected in passive scanning mode, then the anti-virus application enters 208 where the full scanning mode of the anti-virus application is enabled.
  • the anti-virus application may exit the passive scanning mode and enter full scanning mode due to one or more of the following triggers: malware is detected on the local device; suspicious application behavior is found, for example, a PDF-reader drops an executable file; new software is installed; executable data is received from an external media, for example, USB, CD, network source; or a new socket or port is opened locally. It is possible to define any number of triggers that cause the anti-virus application to exit the passive scanning mode and to run full scanning mode. In 208, after the full scanning mode of the anti-virus application has been entered and, for example, malware or suspicious behavior is not detected, the process may return to 200, 202 and 204 and return back to passive scanning mode in 206.
  • the categorizations or user profile definitions or both may be updated, for example, when the anti-virus application revises them based on new information. Then, in 202, the passive scanning mode settings may be adjusted accordingly, if required. If configuration changes are not detected for a predetermined period in 204, then 206 is entered where the passive scanning mode is re-entered.
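The mode transitions described in 200 to 208 above, written out as a small, runnable state machine. This is an added illustration for this page, not F-Secure's implementation: the settings values, the event kinds, the quiet period, the file extensions, the URLs and the event stream are all constructed for the example. It shows the decisions the text leaves implicit: a configuration change or an exit trigger restarts the quiet period and restores full scanning, the passive settings scan on execution only and skip locally created documents handled by a categorised application, and network scanning in passive mode covers only URLs outside the user's profile.

```python
"""Passive/full scanning-mode state machine (illustration of steps 200-208).

Added example, not the patent holder's code.  All names, thresholds and
events below are constructed for demonstration.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    FULL = "full"        # step 208 and initial state: every scanning setting enabled
    PASSIVE = "passive"  # step 206: reduced settings derived from the profile


@dataclass(frozen=True)
class Settings:
    """Adjustable scanning settings (step 202).  Constructed values."""
    heuristic_level: str
    scan_on: frozenset           # on-access operations that trigger a file scan
    scheduled_scans: bool
    network_scan_unknown_only: bool


FULL_SETTINGS = Settings("maximum", frozenset({"open", "copy", "rename", "execute"}), True, False)
PASSIVE_SETTINGS = Settings("minimal", frozenset({"execute"}), False, True)

# Triggers listed in the text that force an exit from passive mode (step 208).
EXIT_TRIGGERS = {"malware_detected", "suspicious_behavior", "software_installed",
                 "external_executable", "new_port_opened"}


@dataclass
class Profile:
    """Output of step 200: local software categorisation and user network profile."""
    doc_handlers: dict   # file extension -> locally installed application that handles it
    known_urls: set      # URLs the user habitually visits


class ScanPolicy:
    def __init__(self, profile: Profile, quiet_period: int):
        self.profile = profile
        self.quiet_period = quiet_period  # the "predetermined period" without config changes
        self.mode = Mode.FULL
        self.last_config_change = 0

    @property
    def settings(self) -> Settings:
        return PASSIVE_SETTINGS if self.mode is Mode.PASSIVE else FULL_SETTINGS

    def _update_mode(self, t: int, kind: str) -> None:
        # Step 204: a configuration change or an exit trigger restarts the quiet
        # period and keeps (or restores) full scanning.  The period is checked on
        # each event here; a real product would also use a timer.
        if kind == "config_change" or kind in EXIT_TRIGGERS:
            self.last_config_change = t
            self.mode = Mode.FULL
        elif self.mode is Mode.FULL and t - self.last_config_change >= self.quiet_period:
            self.mode = Mode.PASSIVE  # step 206

    def _should_scan(self, kind: str, detail: dict) -> bool:
        s = self.settings
        if kind == "file_access":
            if detail["op"] not in s.scan_on:
                return False
            ext = detail["path"].rsplit(".", 1)[-1].lower()
            # Passive mode bypasses documents created locally by a categorised application.
            if (self.mode is Mode.PASSIVE and detail["origin"] == "local"
                    and ext in self.profile.doc_handlers):
                return False
            return True
        if kind == "url_access":
            if s.network_scan_unknown_only:
                return detail["url"] not in self.profile.known_urls
            return True
        return False  # triggers and config changes are not scannable objects

    def handle(self, t: int, kind: str, detail: dict) -> tuple:
        """Process one event; returns (time, mode after the event, scan decision)."""
        self._update_mode(t, kind)
        return (t, self.mode.value, self._should_scan(kind, detail))


def demo_profile() -> Profile:
    # Constructed inventory: an office suite handles .docx, a video editor handles .mp4.
    return Profile(doc_handlers={"docx": "office suite", "mp4": "video editor"},
                   known_urls={"https://news.example", "https://search.example"})


# Constructed event stream: (time in minutes, event kind, detail).
CONSTRUCTED_EVENTS = [
    (0, "config_change", {}),
    (5, "file_access", {"op": "open", "path": "C:/u/report.docx", "origin": "local"}),
    (60, "file_access", {"op": "open", "path": "C:/u/report.docx", "origin": "local"}),
    (61, "file_access", {"op": "execute", "path": "C:/u/tool.exe", "origin": "local"}),
    (62, "url_access", {"url": "https://news.example"}),
    (63, "url_access", {"url": "https://unknown.example"}),
    (64, "external_executable", {"path": "E:/setup.exe"}),   # exit trigger
    (65, "file_access", {"op": "open", "path": "C:/u/report.docx", "origin": "local"}),
    (130, "file_access", {"op": "open", "path": "C:/u/report.docx", "origin": "local"}),
]


def run(events=CONSTRUCTED_EVENTS, quiet_period: int = 60) -> list:
    policy = ScanPolicy(demo_profile(), quiet_period)
    return [policy.handle(t, kind, detail) for t, kind, detail in events]


if __name__ == "__main__":
    for t, mode, scan in run():
        print(f"t={t:4d}  mode={mode:8s}  scan={scan}")
```

Running it shows the device entering passive mode once 60 minutes pass without a configuration change, skipping the locally created .docx on open but still scanning the executable and the unknown URL, dropping back to full mode when an executable arrives from external media, and re-entering passive mode after another quiet period.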
  • a typical end user system runs fairly stable system configurations.
  • the installed set of software on any current system usually does not change frequently.
  • the files created on the device are primarily created on the local system or received as external data files for local software.
  • users may create documents, or download video and music files. Similar behavioral patterns may often be observed in networking activity.
  • the set of visited web resources also remains quite stable for a certain user. There is a behavioral pattern of accessed web resources, such as news, video services, search engines, etc.
  • the anti-virus application that is used in the device may reduce its scanning policy settings to scan less files or more superficially without compromising the security level of the current system.
  • the steps, points, signaling messages and related functions described above in relation to Figure 2 are in no absolute chronological order, and some of the steps may be performed simultaneously or in a different order. Other functions may also be executed between the steps or within the steps, and other signaling messages may be sent between the illustrated ones. Some of the steps can also be left out or replaced by a corresponding step.
  • the system functions illustrate a procedure that may be implemented in one or more physical or logical entities.
  • An apparatus or system that implements one or more functions described with an embodiment comprises not only prior art means, but also means for implementing one or more functions of a corresponding apparatus that is described with an embodiment.
  • An apparatus or system may also comprise separate means for each separate function.
  • These techniques may be implemented in hardware (one or more modules) or combinations thereof.
  • implementation can be through modules, for example, procedures and functions that perform the functions described here.
  • the software codes may be stored in any suitable data storage medium that is readable by processors or computers or memory unit(s) or article(s) of manufacture and may be executed by one or more processors or computers.
  • the data storage medium or memory unit may be implemented within the processor or computer, or as an external part of the processor or computer, in which case it can be connected to the processor or computer via various means known in the field.
  • the programming such as executable code or instructions, electronic data, databases or other digital information can be stored into memories and may include a processor-usable medium.
  • a processor-usable medium may be embodied in any computer program product or article of manufacture which can contain, store, or maintain programming, data or digital information for use by or in connection with an instruction execution system including the processor 3 in the exemplary embodiment.
  • An embodiment provides a computer program product that comprises a computer-readable medium bearing computer program code embodied therein for use with a computer.
  • the computer program code comprises code for determining the passive scanning mode of an anti-virus application based on local software categorization and detected user network profile, the passive scanning mode that defines adjustable scanning settings of the anti-virus application; and code for entering the passive scanning mode when configuration changes have not been detected for a predetermined period.
  • Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of these.
  • the application logic, software or a set of instructions is maintained on any conventional computer-readable media.
  • a "computer-readable medium" may be any media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
  • a computer-readable medium may comprise a computer-readable storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
  • the various aspects of the invention are not limited to the combinations explicitly set out in the independent claims. Other aspects of the invention may comprise combinations of features from the described embodiments, the dependent claims and the independent claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An exemplary embodiment of the present invention relates to an apparatus comprising: at least one processor; and at least one memory including executable instructions, the at least one memory and the executable instructions being configured to cause the apparatus, in cooperation with the at least one processor, to perform at least the following: determining a passive scanning mode of an anti-virus application based on local software categorization and a detected user network profile, the passive scanning mode defining adjustable scanning settings of the anti-virus application; and entering the passive scanning mode when configuration changes have not been detected for a predetermined period.
PCT/FI2011/000025 2011-04-21 2011-04-21 Anti-virus scanning WO2012143594A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI2011/000025 WO2012143594A1 (fr) 2011-04-21 2011-04-21 Anti-virus scanning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2011/000025 WO2012143594A1 (fr) 2011-04-21 2011-04-21 Anti-virus scanning

Publications (1)

Publication Number Publication Date
WO2012143594A1 true WO2012143594A1 (fr) 2012-10-26

Family

ID=47041086

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2011/000025 WO2012143594A1 (fr) 2011-04-21 2011-04-21 Anti-virus scanning

Country Status (1)

Country Link
WO (1) WO2012143594A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104156665A (zh) * 2014-07-22 2014-11-19 杭州安恒信息技术有限公司 A method for monitoring web page tampering

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030074574A1 (en) * 2001-10-15 2003-04-17 Hursey Neil John Malware scanning as a low priority task
US20070079377A1 (en) * 2005-09-30 2007-04-05 International Business Machines Corporation Virus scanning in a computer system
US7392544B1 (en) * 2007-12-18 2008-06-24 Kaspersky Lab, Zao Method and system for anti-malware scanning with variable scan settings

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11864098

Country of ref document: EP

Kind code of ref document: A1

DPE2 Request for preliminary examination filed before expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11864098

Country of ref document: EP

Kind code of ref document: A1