Elevated security execution mode for network-accessible devices
US-2024411878-A1 · Dec 12, 2024 · US
US9836601B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9836601-B2 |
| Application number | US-201615231394-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 8, 2016 |
| Priority date | May 31, 2013 |
| Publication date | Dec 5, 2017 |
| Grant date | Dec 5, 2017 |
Official abstract text for this publication.
Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificate pairs which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.
Opening claim text (preview).
What is claimed is:
1. A system for preventing the alteration of a process, comprising: a process alteration preventer comprising one or more hardware computer processors, and a computer program having a plurality of sub-programs executable by said computer processors, wherein the sub-programs configure said computer processors to, launch a first process, assign a protection level defined by a signer and a protection type to the first process, wherein the first process has a higher or equal protection level if both the signer and the protection type associated with the first process have a higher or equal protection level than a signer and a protection type associated with another process, and prevent said other process from altering the first process whenever the protection level assigned to the first process is higher or equal to the other process.
2. The system of claim 1, wherein the sub-program for assigning a protection level defined by a signer and a protection type to the first process, comprises assigning the protection level based at least in part on verification certificates that are contained in a driver associated with the first process.
3. The system of claim 1, wherein the sub-program for preventing the other process from altering the first process comprises preventing the other process from terminating the first process, or injecting code into the first process, or loading binaries related to the first process.
4. The system of claim 1, wherein the first process is an anti-malware process.
5. The system of claim 1, further comprising a sub-program for the first process loading binaries, wherein the binaries inherit the protection level assigned to the first process.
6. The system of claim 1, further comprising a sub-program for preventing said other process from accessing the first process whenever the protection level assigned to the first process is higher or equal to the other process.
7. The system of claim 1, wherein the first process creates a child process which does not have an assigned protection level, and wherein the system further comprising a sub-program for allowing the first process to pass a handle to the child process that cannot be used to altering the first process.
8. The system of claim 1, wherein the first process creates a child process which does not have an assigned protection level, and wherein the system further comprising a sub-program for allowing the first process to pass a handle to the child process that can be used to altering the first process.
9. A computer-implemented method for preventing the alteration of a process, the method comprising the actions of: using one or more computing devices to perform the following actions: launching a first process; assigning a protection level defined by a signer and a protection type to the first process, wherein the first process has a higher or equal protection level if both the signer and the protection type associated with the first process have a higher or equal protection level than a signer and a protection type associated with another process; and preventing said other process from altering the first process whenever the protection level assigned to the first process is higher or equal to the other process.
10. The method of claim 9, wherein the action of assigning a protection level defined by a signer and a protection type to the first process, comprises assigning the protection level based at least in part on verification certificates that are contained in a driver associated with the first process.
11. The method of claim 9, wherein the action of preventing the other process from altering the first process comprises preventing the other process from terminating the first process, or injecting code into the first process, or loading binaries related to the first process.
12. The method of claim 9, wherein the first process is an anti-malware process.
13. The method of claim 9, further comprising an action of the first process loading binaries, wherein the binaries inherit the protection level assigned to the first process.
14. The method of claim 9, further comprising an action of preventing, said other process from accessing the first process whenever the protection level assigned to the first process is higher or equal to the other process.
15. The method of claim 9, wherein the first process creates a child process which does not have an assigned protection level, and wherein the method further comprising an action for allowing the first process to pass a handle to the child process that cannot be used to alter the first process.
16. The method of claim 9, wherein the first process creates a child process which does not have an assigned protection level, and wherein the method further comprising an action of allowing the first process to pass a handle to the child process that can be used to alter the first process.
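The comparison rule in claims 1 and 9, read literally, is a partial order over (signer, protection type) pairs. The following C model is an added example, not code from the patent or its assignee; the signer and type names, their rank values, the sample processes, and the treatment of a target with no assigned level are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical rank values (assumptions): the claims only require that
 * signers and protection types can each be ordered. */
enum signer { SIGNER_NONE, SIGNER_THIRD_PARTY, SIGNER_ANTIMALWARE, SIGNER_OS };
enum ptype  { TYPE_NONE, TYPE_LIGHT, TYPE_FULL };

struct protection { enum signer signer; enum ptype type; };

/* Constructed sample processes. */
static const struct protection ADMIN_TOOL = { SIGNER_NONE,        TYPE_NONE  };
static const struct protection AM_SERVICE = { SIGNER_ANTIMALWARE, TYPE_LIGHT };
static const struct protection OS_LIGHT   = { SIGNER_OS,          TYPE_LIGHT };
static const struct protection AM_FULL    = { SIGNER_ANTIMALWARE, TYPE_FULL  };

/* Claims 1 and 9: a is "higher or equal" only if BOTH the signer and the
 * protection type are higher or equal. Some pairs are therefore incomparable. */
static bool level_ge(struct protection a, struct protection b) {
    return a.signer >= b.signer && a.type >= b.type;
}

/* Alteration is prevented whenever the target's level is higher or equal to
 * the actor's. Assumption: a target with no assigned protection level falls
 * outside the rule and is left to ordinary access control. */
static bool may_alter(struct protection actor, struct protection target) {
    if (target.signer == SIGNER_NONE && target.type == TYPE_NONE)
        return true;
    return !level_ge(target, actor);
}

int main(void) {
    /* Unprotected administrative tool against the anti-malware service. */
    printf("admin -> AM service:    %d\n", may_alter(ADMIN_TOOL, AM_SERVICE));
    /* Equal levels: "higher or equal" still blocks. */
    printf("AM service -> itself:   %d\n", may_alter(AM_SERVICE, AM_SERVICE));
    /* Same type, higher signer: the actor dominates the target. */
    printf("OS light -> AM service: %d\n", may_alter(OS_LIGHT, AM_SERVICE));
    /* Incomparable pair: neither level is higher or equal to the other. */
    printf("OS light -> AM full:    %d\n", may_alter(OS_LIGHT, AM_FULL));
    printf("AM full -> OS light:    %d\n", may_alter(AM_FULL, OS_LIGHT));
    return 0;
}
```

Under this literal reading an incomparable pair is not blocked in either direction, so the choice of rank values decides which processes are actually shielded from one another.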
Dual mode as a secondary aspect · CPC title
Secure boot · CPC title
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability · CPC title
Detecting local intrusion or implementing counter-measures · CPC title