Tracking of files required for running malware processes

US12561433B2 · US · B2

Patent metadata

Field               Value
Publication number  US-12561433-B2
Application number  US-202318300775-A
Country             US
Kind code           B2
Filing date         Apr 14, 2023
Priority date       Apr 14, 2023
Publication date    Feb 24, 2026
Grant date          Feb 24, 2026

Abstract

Official abstract text for this publication.

Processes operating in a computing system are tracked. The tracking data includes or identifies child processes, parent processes, and/or files associated with operation of the processes. When a process is determined to be a malware process, protective operations are performed. Protective operations may include removing or purging the malware process and all processes/files associated with the malware process in the tracking data. An infected snapshot may also be generated such that characteristics, operating procedures, and other aspects of the malware can be determined by recovering the infected snapshot to a sandbox environment and allowing the malware to execute therein.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: monitoring, by a malware detection engine, a process operating in a computing system, wherein actions performed by the process are identified in tracking data, wherein the tracking data identifies child processes and parent processes related to the process, and all files created or used by the process, the child processes, and the parent processes; determining that the process is a malware process or is suspected of being the malware process, wherein suspecting that the process is the malware process corresponds to a first threshold score and determining that the process is the malware process corresponds to a second threshold score that is different from the first threshold score, and wherein different protective actions are performed depending on whether the process is suspected to be the malware process or is determined to be the malware process; in response to determining that the process is the malware process, purging the malware process from the computing system; and in response to determining that the process is the malware process, purging the child processes and the parent processes identified in the tracking data that are related to the malware process, and purging all files required for running the malware process and all the files created or used by the malware process, the child processes, and the parent processes identified by the tracking data.

2. The method of claim 1, wherein the monitoring the process includes tracking the actions, wherein the tracking data identifies the related processes, wherein the related processes include the child processes of the malware process and the parent processes of the malware process.

3. The method of claim 2, wherein the files identified in the tracking data include files associated with operation of the malware process, wherein the files include files moved by the malware process, the child processes and the parent processes, files renamed by the malware process, the child processes and the parent processes, or combinations thereof.

4. The method of claim 3, wherein purging further comprises purging, based on the tracking data, executable files and configuration files required for running the malware process, including executable files and configuration files created, moved, or renamed by the malware process, the child processes, or the parent processes, while preserving non-executable user data files not identified by the tracking data.

5. The method of claim 3, wherein the malware detection engine operates in a kernel space of the computing system.

6. The method of claim 1, further comprising generating an infected snapshot that includes the malware process, the child processes of the malware process, the parent processes of the malware process, and the files associated with operation of the malware process, the child processes, and the parent processes.

7. The method of claim 6, further comprising recovering the infected snapshot to a sandbox environment.

8. The method of claim 7, further comprising running the malware process unhindered in the sandbox environment.

9. The method of claim 8, further comprising learning characteristics, operating protocols, and operations of the malware process from operating the malware process in the sandbox environment.

10. The method of claim 1, further comprising monitoring all processes operating in the computing system, generating the tracking data for each of the all processes, and performing the protective operations when any of the all processes is determined to be a malicious process.

11. A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: monitoring, by a malware detection engine, a process operating in a computing system, wherein actions performed by the process are identified in tracking data, wherein the tracking data identifies child processes and parent processes related to the process, and all files created or used by the process, the child processes, and the parent processes; determining that the process is a malware process or is suspected of being the malware process, wherein suspecting that the process is the malware process corresponds to a first threshold score and determining that the process is the malware process corresponds to a second threshold score that is different from the first threshold score, and wherein different protective actions are performed depending on whether the process is suspected to be the malware process or is determined to be the malware process; in response to determining that the process is the malware process, purging the malware process from the computing system; and in response to determining that the process is the malware process, purging the child processes and the parent processes identified in the tracking data that are related to the malware process, and purging all files required for running the malware process and all the files created or used by the malware process, the child processes, and the parent processes identified by the tracking data.

12. The non-transitory storage medium of claim 11, wherein the monitoring the process includes tracking the actions, wherein the tracking data identifies the related processes, wherein the related processes include the child processes of the malware process and the parent processes of the malware process.

13. The non-transitory storage medium of claim 12, wherein the files identified in the tracking data include files associated with operation of the malware process, wherein the files include files moved by the malware process, the child processes and the parent processes, files renamed by the malware process, the child processes and the parent processes, or combinations thereof.

14. The non-transitory storage medium of claim 13, wherein purging further comprises purging, based on the tracking data, executable files and configuration files required for running the malware process, including executable files and configuration files created, moved, or renamed by the malware process, the child processes, or the parent processes, while preserving non-executable user data files not identified by the tracking data.

15. The non-transitory storage medium of claim 13, wherein the malware detection engine operates in a kernel space of the computing system.

16. The non-transitory storage medium of claim 11, further comprising generating an infected snapshot that includes the malware process, the child processes of the malware process, the parent processes of the malware process, and the files associated with operation of the malware process, the child processes, and the parent processes.

17. The non-transitory storage medium of claim 16, further comprising recovering the infected snapshot to a sandbox environment.

18. The non-transitory storage medium of claim 17, further comprising running the malware process unhindered in the sandbox environment.

19. The non-transitory storage medium of claim 18, further comprising learning characteristics, operating protocols, and operations of the malware process from operating the malware process in the sandbox environment.

20. The non-transitory storage medium of claim 11, further comprising monitoring all processes operating in the computing system, generating the tracking data for each of the all processes, and performing the protective operations when any of the all processes is dete
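The purge logic of claims 1 and 10 (tracking data holding parent/child relations and the files each process touched, two distinct threshold scores, and a purge set computed over the related processes) is illustrated below as an added example. This is not code from the patent or from Dell; the threshold values, the process records and the decision that a merely suspected process is snapshotted rather than purged are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample tracking data, not taken from the patent: one record per process.
@dataclass
class ProcRecord:
    pid: int
    ppid: Optional[int]            # parent pid, None for the root of this tree
    files: set = field(default_factory=set)   # files created or used by the process
    score: float = 0.0             # detection score assigned by the engine

SUSPECT_THRESHOLD = 0.5   # first threshold score ("suspected"), assumed value
MALWARE_THRESHOLD = 0.9   # second threshold score ("determined"), assumed value

TRACKING = {
    100: ProcRecord(100, None, {"/opt/launcher/run"}),
    200: ProcRecord(200, 100, {"/tmp/dropper", "/tmp/stage2.cfg"}, score=0.95),
    201: ProcRecord(201, 200, {"/tmp/payload", "/home/u/notes.txt"}),
    202: ProcRecord(202, 201, {"/tmp/payload"}),
    300: ProcRecord(300, None, {"/usr/bin/bash"}, score=0.6),
}

def related_processes(tracking, pid):
    """All parent processes (ancestors) and child processes (descendants) of pid."""
    related = set()
    cur = tracking[pid].ppid
    while cur is not None and cur in tracking:      # walk up the parent chain
        related.add(cur)
        cur = tracking[cur].ppid
    frontier = [pid]
    while frontier:                                  # walk down through children
        p = frontier.pop()
        for rec in tracking.values():
            if rec.ppid == p and rec.pid not in related and rec.pid != pid:
                related.add(rec.pid)
                frontier.append(rec.pid)
    return related

def protective_actions(tracking, pid):
    """Pick the protective action for pid from its score and the two thresholds."""
    rec = tracking[pid]
    procs = related_processes(tracking, pid) | {pid}
    if rec.score >= MALWARE_THRESHOLD:
        # Determined malware: purge the process, its related processes and their files.
        files = set().union(*(tracking[p].files for p in procs))
        return {"verdict": "malware", "purge_processes": procs, "purge_files": files}
    if rec.score >= SUSPECT_THRESHOLD:
        # Assumed mapping: a suspected process is snapshotted for sandbox analysis, not purged.
        return {"verdict": "suspected", "snapshot_processes": procs}
    return {"verdict": "benign"}

if __name__ == "__main__":
    print(protective_actions(TRACKING, 200))
```

Note that the walk up the parent chain is exactly what claim 1 recites; an engine deployed outside this example would want the ancestor walk to stop at a system-owned root rather than purging it.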

Assignees

Dell Products Lp

Inventors

Classifications

  • G06F21/566 (Primary)

    Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

  • Test or assess a computer or a system · CPC title

  • G06F21/565 (Primary)

    by checking file integrity · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12561433B2 cover?
Processes operating in a computing system are tracked. The tracking data includes or identifies child processes, parent processes, and/or files associated with operation of the processes. When a process is determined to be a malware process, protective operations are performed. Protective operations may include removing or purging the malware process and all processes/files associated with the …
Who is the assignee on this patent?
Dell Products Lp
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 24, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).