Title: Detection of file modifications performed by malicious codes
Abstract: File modifications performed by malicious codes are detected by detecting a file modification for an original file before the file modification is performed on the original file. In response to detecting the file modification, a corresponding shadow file is created. The shadow file represents the original file as modified by the file modification. Before allowing the file modification to be performed on the original file, the original file is compared to the shadow file to determine if the file modification is being performed by malicious codes. The file modification may be deemed to be performed by malicious codes when the file modification involves, for example, entry point append, entry point prepend, entry point obfuscation, cavity, overwriting, or mal-tattoo.
Publication number: US9378369(B1) Publication date: 2016.06.28
Application number: US201213711043 Filing date: 2012.12.11
Applicant: Trend Micro Incorporated Inventor: Cheng Yi-Hung
Classification: G06F12/00;G06F21/56 Main classification: G06F12/00
Agency: Okamoto & Benedicto LLP Agent: Okamoto & Benedicto LLP
Main claim: 1. A method of detecting file modifications performed by malicious code, the method to be performed by a computer and comprising: detecting a file modification for an original file in a file system before the file modification is performed on the original file in the file system; in response to detecting the file modification, creating a shadow file of the original file before the file modification is performed on the original file in the file system, the shadow file representing the original file as modified with the file modification and how the original file will be if the file modification is allowed to be performed on the original file; before allowing the file modification to be performed on the original file in the file system, comparing the original file to the shadow file to find a difference between the original file and the shadow file, and determining if the file modification is being performed by the malicious code based on the difference; deeming the file modification to be performed by the malicious code when the shadow file includes inconsistent data not present in the original file; and preventing the file modification from being committed to the file system when the file modification is deemed to be performed by the malicious code.
Address: Tokyo JP
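Added example, not part of the patent record or of Trend Micro's implementation: a toy Python model of the intercept / shadow / compare / block flow described in the abstract and claim 1. The byte-level heuristics that label a difference as append, prepend, cavity or overwrite are my assumed readings of those terms, and the sample file bytes are constructed.

```python
from dataclasses import dataclass

# Constructed sample "executable": 2-byte magic, 8 bytes of code, 8 bytes of zero padding.
ORIGINAL = b"MZ" + b"\x90" * 8 + b"\x00" * 8


@dataclass
class Verdict:
    malicious: bool
    kind: str  # unchanged, append, prepend, cavity, overwrite, other


def build_shadow(original: bytes, offset: int, data: bytes, insert: bool = False) -> bytes:
    """Apply a pending write to a copy (the shadow); the original is left untouched.
    insert=True inserts the bytes at offset instead of overwriting in place."""
    shadow = bytearray(original)
    if insert:
        shadow[offset:offset] = data
    else:
        end = offset + len(data)
        if end > len(shadow):                  # a write past EOF grows the file
            shadow.extend(b"\x00" * (end - len(shadow)))
        shadow[offset:end] = data
    return bytes(shadow)


def classify(original: bytes, shadow: bytes) -> Verdict:
    """Compare original to shadow before the write is committed (claim 1).
    The labels below are assumed interpretations of the abstract's terms."""
    if shadow == original:
        return Verdict(False, "unchanged")
    if len(shadow) > len(original):
        if shadow.startswith(original):        # new bytes only after the original content
            return Verdict(True, "append")
        if shadow.endswith(original):          # new bytes only before the original content
            return Verdict(True, "prepend")
        return Verdict(True, "other")
    if len(shadow) == len(original):
        changed = [i for i, (a, b) in enumerate(zip(original, shadow)) if a != b]
        if all(original[i] == 0 for i in changed):  # data written into zero padding
            return Verdict(True, "cavity")
        return Verdict(True, "overwrite")          # existing content replaced
    return Verdict(True, "other")                   # truncation or other shrink


def check_write(original: bytes, offset: int, data: bytes, insert: bool = False) -> Verdict:
    """Full flow: intercept write -> build shadow -> compare -> allow or block."""
    return classify(original, build_shadow(original, offset, data, insert))
```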