Title of invention: Method and apparatus for detecting malware on a computer system
Abstract: A method, apparatus, and computer readable medium for detecting malware on a target computer system are described. A threat profile is obtained at the target computer, the threat profile having manifestation information for known malware, the manifestation information including effects of the known malware on computer systems infected by the known malware. Using the threat profile, at least a portion of the manifestation information is detected on the target computer. A confidence level for detection of potential malware is determined based on the at least a portion of the manifestation information detected. The potential malware on the target computer is convicted as malware for remediation if the confidence level satisfies a threshold confidence level.
Publication number: US9607148(B1); Publication date: 2017.03.28
Application number: US200912495741; Filing date: 2009.06.30
Applicant: Symantec Corporation; Inventors: Magar Sujit; Bodke Anand; Limaye Abhijit; Singh Prabhat
Classification: G06F21/56; H04L29/06; Main classification: G06F21/56
Agency: Wilmer Cutler Pickering Hale and Dorr LLP; Agent: Wilmer Cutler Pickering Hale and Dorr LLP
Principal claim: 1. A computer-implemented method of detecting malware on a target computer system, comprising: obtaining a threat profile at the target computer, the threat profile having manifestation information for known malware, the manifestation information including post-execution effects of the known malware on computer systems infected by the known malware but not including pre-execution signatures of the known malware or execution behavior of the known malware, wherein the threat profile is generated on an external server by a malware information module that collects the manifestation information from a plurality of sources including the World Wide Web and a database of known effects of malware on computer systems, wherein the threat profile is sent from the external server to the target computer for malware prevention, and wherein the manifestation information collected from the World Wide Web comprises publicly available information related to security; detecting, using the threat profile, at least a portion of the manifestation information on the target computer, the detecting including allowing potential malware to run on the target computer and examining post-execution effects of the potential malware after the potential malware has run on the target computer, wherein the detected manifestation information includes at least an indication that the post-execution effects were caused by a software process of the potential malware; comparing the post-execution effects of the known malware on the infected computer systems with the post-execution effects of the potential malware on the target computer; determining a confidence level for detection of potential malware based on the comparison of the post-execution effects of the known malware on the infected computer systems with the post-execution effects of the potential malware on the target computer, wherein the confidence level is further based on a number of detected post-execution effects matching the effects identified in the threat profile; convicting the potential malware on the target computer as malware for remediation if the confidence level satisfies a threshold confidence level; and sending a sample of the potential malware from the target computer to a server over a network for further analysis if the confidence level does not satisfy the threshold confidence level.
Address: Mountain View CA US
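The claim's decision logic (match observed post-execution effects attributable to a candidate process against a threat profile, score by the number of matches, convict above a threshold, otherwise submit a sample) as an added worked example; this is illustrative code, not Symantec's implementation, and the threat profile, observed effects, process ids and the 0.75 threshold are all constructed.

```python
"""Confidence-based conviction modelled on claim 1 of US9607148.
Added illustration, not Symantec's code; every value below is constructed."""
from dataclasses import dataclass

# Constructed threat profile for a hypothetical family. In the claimed design
# the profile is assembled on an external server and sent to the endpoint.
THREAT_PROFILE = {
    "family": "ExampleFamily (constructed)",
    "effects": {
        "registry_run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
        "dropped_file": r"C:\Users\Public\svchost32.exe",
        "service_installed": "WinUpdaterSvc",
        "hosts_file_modified": True,
    },
}

# Constructed observations from the target after the candidate was allowed to
# run. Each effect records the pid that caused it, because the claim counts
# only manifestations attributable to the potential malware's process.
OBSERVED = [
    {"effect": "registry_run_key",
     "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater", "caused_by": 4242},
    {"effect": "dropped_file", "value": r"C:\Users\Public\svchost32.exe", "caused_by": 4242},
    {"effect": "service_installed", "value": "WinUpdaterSvc", "caused_by": 4242},
    {"effect": "hosts_file_modified", "value": True, "caused_by": 1111},  # different process
]


@dataclass
class Verdict:
    matched: list
    confidence: float
    action: str  # "convict_and_remediate" or "submit_sample"


def evaluate(profile, observed, candidate_pid, threshold=0.75):
    """Score one candidate process against the profile and choose the action."""
    expected = profile["effects"]
    matched = [
        name for name, value in expected.items()
        if any(o["effect"] == name and o["value"] == value and o["caused_by"] == candidate_pid
               for o in observed)
    ]
    confidence = len(matched) / len(expected)  # fraction of profiled effects observed
    action = "convict_and_remediate" if confidence >= threshold else "submit_sample"
    return Verdict(matched, confidence, action)


if __name__ == "__main__":
    for pid in (4242, 1111):
        v = evaluate(THREAT_PROFILE, OBSERVED, pid)
        print(f"pid {pid}: {len(v.matched)}/{len(THREAT_PROFILE['effects'])} effects, "
              f"confidence {v.confidence:.2f} -> {v.action}")
```

Process 4242 reproduces three of the four profiled effects and is convicted; process 1111 accounts for only one, so under the claim's fallback its sample would be sent to the server for further analysis.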