What technology area does this patent fall under?

Primary CPC classification G06F21/565. Mapped technology areas include Physics.

When was this patent published?

Publication date Tue Jan 26 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Method and apparatus for retroactively detecting malicious or otherwise undesirable software as well as clean software through intelligent rescanning

US9245120B2 · US · B2

Patent metadata
Field	Value
Publication number	US-9245120-B2
Application number	US-201313942360-A
Country	US
Kind code	B2
Filing date	Jul 15, 2013
Priority date	Jul 13, 2012
Publication date	Jan 26, 2016
Grant date	Jan 26, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that tries to optimize performance and efficacy. Accordingly we present novel methods, components, and systems for intelligently rescanning file collections and thereby enabling retroactive detection of malicious software and also retroactive identification of clean software. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file's core disposition might not have changed. More specifically, we describe methods, components, and systems that perform data analytics to intelligently rescan file collections for the purpose of retroactively identifying malware and retroactively identifying clean files. The disclosed invention provides a significant improvement with regard to efficacy and performance compared to previous approaches.

First claim

Opening claim text (preview).

The invention claimed is: 1. A system for intelligently rescanning files previously identified as having a benign, unknown, or malicious disposition, comprising: a plurality of clients and a server which are capable of communicating with each other either directly or indirectly; wherein each client is configured to: identify files of interest from a plurality of files on a file system based upon activity of the files including creating, moving, copying or executing the files; extract meta-data from the files of interest, including the files of interest that have previously been assigned a benign, an unknown or a malicious disposition, and provide the server with the files of interest and an identifier for each of the files of interest indicating respective clients on which the files of interest are located as well as the associated meta-data for each of the files of interest, and wherein the server is configured to: log the files of interest and the associated meta-data into log files, and periodically scan the log files to identify a subset of files whose characteristics indicate a probable disposition change; rescan the identified files against information stored at the server at a time of rescanning to determine whether a disposition change has occurred for each of the identified files; and identify the respective clients corresponding to the rescanned files having a disposition change. 2. The system according to claim 1 , wherein the server is configured to: communicate with a client when it is determined upon rescanning that a file that had been previously assigned a malicious or benign disposition should be assigned a different disposition, and update its database of known malicious and benign applications. 3. The system according to claim 1 , wherein the server is configured to: communicate with a client when it is determined upon rescanning that there is additional information about a file that had been previously assigned a malicious or benign disposition, and update its database of information pertaining to known malicious and known benign applications. 4. The system according to claim 3 , wherein the additional information comprises one or more of: an updated threat name for the file, an updated classification about how to categorize the file, updated information about what the file does, when executed, on different systems. 5. The system according to claim 1 , wherein extracted meta-data is first used to make an immediate disposition and is subsequently used to determine whether a file is a good candidate for subsequent rescanning and is later used to simplify the process of rescanning. 6. The system according to claim 1 , wherein said server is configured to: receive data from a meta-data extraction component, log said data as well as transactional information relating to said data, and maintain a record of software applications and end user systems on which the software applications reside. 7. The system according to claim 1 , wherein said server is configured to examine meta-data gathered on a plurality of files from a plurality of devices on which these files reside and identify a subset of these files that are suitable candidates for rescanning. 8. The system according to claim 7 , wherein file characteristics used to determine whether a file is a suitable candidate for rescanning include information indicating that the file was accessed after one or more known malicious or known clean files were accessed. 9. The system according to claim 7 , wherein file characteristics used to determine whether a file is a suitable candidate for rescanning include information indicating that a parent process that created a file is determined to be malicious. 10. The system according to claim 7 , wherein file characteristics used to determine whether a file is a suitable candidate for rescanning include information indicating that a parent process that created a file is determined to be benign. 11. The system according to claim 7 , wherein file characteristics used to determine whether a file is a suitable candidate for rescanning include information indicating that the file was detected as a threat on a system in a way that might have been specific to that system. 12. The system according to claim 7 , wherein file characteristics used to determine whether a file is a suitable candidate for rescanning include information indicating that there is system-level behavior that is indicative of malicious software running on the system. 13. The system according to claim 7 , wherein file characteristics used to determine whether a file is a suitable candidate for rescanning include information indicating that the file's prevalence among multiple users exceeds a pre-defined threshold. 14. A non-transitory computer readable medium containing computer readable instructions stored thereon, that when executed on a processor, perform the operations of: identifying files of interest from a plurality of files on a file system, from a plurality of clients, based upon activity of the files including creating, moving, copying or executing the files; extracting meta-data from the files of interest, including the files of interest that have previously been assigned a benign, an unknown, or a malicious disposition, providing a server with the files of interest and an identifier for each of the files of interest indicating respective clients on which the files of interest are located as well as the associated meta-data for each of the files of interest, wherein the files of interest and the associated meta-data are logged into log files on said server, and wherein the log files are periodically scanned on the server to identify a subset of files whose characteristics indicate a probable disposition change; wherein the identified files are rescanned by the server against information stored at the server at a time of rescanning to determine whether a disposition change has occurred for each of the identified files; and identifying the respective clients corresponding to the rescanned files having a disposition change. 15. The non-transitory computer readable medium of claim 14 , further containing computer readable instructions stored thereon, that when executed on a processor, perform the operations of: communicating with a client when it is determined upon rescanning that a file that had been previously assigned a malicious or benign disposition should be assigned a different disposition, and updating a database of known malicious and benign applications. 16. The non-transitory computer readable medium of claim 14 , further containing computer readable instructions stored thereon, that when executed on a processor, perform the operations of: communicating with a client when it is determined upon rescanning that there is additional information about a file that had been previously assigned a malicious or benign disposition, and updating a database of information pertaining to known malicious and known benign applications. 17. The non-transitory computer readable medium of claim 16 , wherein the additional information comprises one or more of: an updated threat name for the file, an updated classification about how to categorize the file, updated information about what the file does, when executed, on different systems. 18. The non-transitory computer readable medium of claim 14 , wherein extracted meta-data is first used to make an immediate disposition and is subsequently used to determine whether a file is a good candidate for subsequent rescan

Assignees

Inventors

Classifications

G06F21/564
by virus signature recognition · CPC title
G06F16/13
File access structures, e.g. distributed indices (arrangements of input from, or output to, record carriers G06F3/06) · CPC title
G06F21/565Primary
by checking file integrity · CPC title
G06F16/2358
Change logging, detection, and notification (replication G06F16/27) · CPC title
G06F21/56Primary
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

Patent family

Related publications grouped by family.

View patent family 49916715

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9245120B2 cover?: The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically perfo…
Who is the assignee on this patent?: Cisco Tech Inc, Cisco Tech Inc
What technology area does this patent fall under?: Primary CPC classification G06F21/565. Mapped technology areas include Physics.
When was this patent published?: Publication date Tue Jan 26 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).