Title: Computer protection against malware affection
Abstract: A method is provided of protecting a computer against malware affection. The computer has a data storage and an operating system for managing the data storage. The method comprises providing a filter module in the operating system which operates to detect an attempt to store data in the data storage, to determine a data format of the data to be stored in the data storage, and to prevent storage of the data if the data format is determined to relate to a predefined type. The filter module may be provided as a file system filter driver in a kernel of the operating system. The filter module may be arranged to operate between an input/output manager of the operating system and a driver associated with the data storage. The input/output manager and driver associated with the data storage may form part of the kernel of the operating system.
Publication number: US9129111(B2)  Publication date: 2015.09.08
Application number: US200611814305  Filing date: 2006.01.18
Applicant:
Inventor: Rothwell William Grant
Classification: H04L29/06;G06F21/56;G06F21/00  Main classification: H04L29/06
Agency: Renner, Otto, Boisselle & Sklar, LLP  Agent: Renner, Otto, Boisselle & Sklar, LLP
Main claim: 1. A method of thwarting malware at its propagation phase to protect a computer against malware infection, the computer having a permanent or persistent data storage and an operating system for managing the data storage, the method comprising providing a filter module in the operating system wherein the filter module is arranged to operate between an input/output manager of the operating system and a driver associated with the data storage, the filter module operates to detect, prior to storing data in a file in the data storage, an attempt to store the data in the data storage, wherein detecting the attempt to store data in the file in the data storage comprises intercepting a write access request associated with the data from the I/O manager intended for the driver associated with the data storage; the filter module checks if a file name of the file is part of a blocking list; if the file name does not match a name of the blocking list, the filter module checks whether the write access request includes a function code “IRP_MJ_CREATE” or “IRP_MJ_WRITE”; if the request includes a function code “IRP_MJ_CREATE” or “IRP_MJ_WRITE”, the filter module determines, prior to storing the data in the file in the data storage, whether the data to be stored in the data storage via the detected attempt is an executable data format or a non-executable data format, wherein the determination comprises inspecting the write access request to determine if the write access request includes a portion of a file header associated with executable data; and to prevent, prior to storing the data in the file in the data storage, the storage of the data in the file in the data storage via the detected attempt if the data is determined to be an executable data format, thereby blocking an unauthorized attempt to write data to the data storage that could potentially constitute malware without having to examine or screen the data content, and thereby preventing malware from propagating by preventing execution code of the data from being saved to the data storage and wherein, the filter module returns a status code “Status Access Denied” to the I/O manager when the request is denied.
Address:
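The decision sequence of the main claim (blocking-list check, IRP_MJ_CREATE/IRP_MJ_WRITE check, header inspection, then "access denied"), modelled as a user-mode C function so it can be exercised without a kernel; this is an added example, not code from the patent. It assumes the executable signature is the PE/DOS "MZ" stub, that a header can only be written at file offset 0, and that a blocking-list match is itself denied, none of which the claim specifies; the blocking-list entries are constructed.

```c
#include <stdint.h>
#include <string.h>

#define IRP_MJ_CREATE        0x00        /* Windows I/O major function codes */
#define IRP_MJ_READ          0x03
#define IRP_MJ_WRITE         0x04
#define STATUS_SUCCESS       0x00000000u /* NTSTATUS values the filter returns */
#define STATUS_ACCESS_DENIED 0xC0000022u

/* The fields of a write access request that the filter inspects. */
struct write_request {
    const char    *file_name;
    unsigned       major_function;   /* IRP_MJ_* */
    uint64_t       byte_offset;      /* file position the data is written to */
    const uint8_t *data;
    size_t         length;
};

/* Constructed sample blocking list; the claim does not give its contents. */
static const char *const blocking_list[] = { "autorun.inf", "boot.ini" };

static int name_in_blocking_list(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof blocking_list / sizeof blocking_list[0]; i++)
        if (strcmp(name, blocking_list[i]) == 0)
            return 1;
    return 0;
}

/* Header inspection per the claim: only "a portion of a file header" is examined,
 * never the file content. Assumed executable signature: the PE/DOS "MZ" stub. */
static int carries_executable_header(const uint8_t *data, size_t len)
{
    return len >= 2 && data[0] == 'M' && data[1] == 'Z';
}

/* The claim's decision sequence; returns the NTSTATUS the request completes with. */
uint32_t filter_decide(const struct write_request *req)
{
    if (name_in_blocking_list(req->file_name))
        return STATUS_ACCESS_DENIED;     /* assumption: a listed name is denied */
    if (req->major_function != IRP_MJ_CREATE && req->major_function != IRP_MJ_WRITE)
        return STATUS_SUCCESS;           /* not a store attempt: pass through */
    if (req->byte_offset != 0)
        return STATUS_SUCCESS;           /* a header can only start at offset 0 */
    if (carries_executable_header(req->data, req->length))
        return STATUS_ACCESS_DENIED;     /* executable format: block the store */
    return STATUS_SUCCESS;               /* non-executable data: allow */
}
```

A write whose buffer is shorter than the signature, or that lands past offset 0, is passed through; a real filter would also have to track the file's first bytes across split writes, which this model leaves out.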