Title of invention: Systems and methods for using a reputation indicator to facilitate malware scanning
Abstract: Described systems and methods allow protecting a computer system from malware, such as viruses, Trojans, and spyware. A reputation manager executes in conjunction with an anti-malware engine. The reputation manager determines a reputation of a target process executing on the computer system according to a reputation of a set of executable modules, such as shared libraries, loaded by the target process. The anti-malware engine may be configured to employ a process-specific protocol to scan the target process for malware, the protocol selected according to process reputation. Processes trusted to be non-malicious may thus be scanned using a more relaxed protocol than unknown or untrusted processes. The reputation of executable modules may be static; an indicator of module reputation may be stored and/or retrieved by a remote reputation server. Process reputation may be dynamically changeable, i.e., recomputed repeatedly by the reputation manager in response to process life-cycle and/or security events.
Publication number: US9117077(B2)   Publication date: 2015.08.25
Application number: US201314040430   Filing date: 2013.09.27
Applicant: Bitdefender IPR Management Ltd.   Inventor: Mircescu Daniel Alexandru
Classification: G06F11/30;G06F21/56   Main classification: G06F11/30
Agency: Law Office of Andrei D Popovici, PC   Agent: Law Office of Andrei D Popovici, PC
Independent claim: 1. A client system comprising: a memory, and at least one hardware processor connected to the memory and configured to execute an anti-malware engine configured to monitor a target process for malicious activity, wherein the target process executes on the client system, wherein the target process comprises an instance of a main executable module and an instance of a shared library, and wherein the at least one hardware processor is further configured to: receive from a server a first module reputation indicator of the main executable module and a second module reputation indicator of the shared library, the first module reputation indicator determined according to a behavior of another instance of the main executable module, wherein the server is configured to perform anti-malware transactions with a plurality of client systems including the client system, wherein the first module reputation indicator comprises an indicator of a first set of monitoring rules, and wherein the second module reputation indicator comprises an indicator of a second set of monitoring rules; in response to receiving the first and second module reputation indicators, determine whether the target process is likely to be malicious according to the first and second module reputation indicators; and in response to determining whether the target process is likely to be malicious, when the target process is not likely to be malicious, combine the first and second sets of monitoring rules into a combined set of monitoring rules, and configure the anti-malware engine to monitor the target process according to the combined set of monitoring rules.
Address: Nicosia CY
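As an added illustration (not code from the patent or from Bitdefender), the following Python model sketches the scheme described in the abstract and in claim 1: static per-module reputation indicators fetched from a simulated reputation server, process reputation re-derived on every module-load event, and the relaxed combined rule set applied only while the process is considered trusted. All module names, rule names and the dictionary standing in for the server are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the remote reputation server: module name ->
# (static trust verdict, set of monitoring rules the server associates
# with that module). Hypothetical names; a real server would key on a
# module hash or signature rather than a file name.
REPUTATION_SERVER = {
    "editor.exe":   ("trusted", {"monitor_network"}),
    "kernel32.dll": ("trusted", set()),
    "plugin.dll":   ("trusted", {"monitor_file_writes"}),
    "dropper.dll":  ("malicious", set()),
}

# Full (strict) protocol applied to unknown or untrusted processes.
STRICT_RULES = {"monitor_network", "monitor_file_writes", "monitor_registry",
                "monitor_process_creation", "scan_memory"}


@dataclass
class TargetProcess:
    pid: int
    modules: list  # main executable first, then loaded shared libraries
    reputation: str = "unknown"
    rules: set = field(default_factory=set)


def lookup_module(name):
    # Static module reputation indicator, retrieved from the simulated server.
    return REPUTATION_SERVER.get(name, ("unknown", set()))


def recompute(proc):
    """Re-derive process reputation from its loaded modules and select the
    monitoring protocol: a trusted process gets the union of the per-module
    rule sets (relaxed); anything else falls back to the strict protocol."""
    verdicts = [lookup_module(m) for m in proc.modules]
    if any(v == "malicious" for v, _ in verdicts):
        proc.reputation = "malicious"
    elif verdicts and all(v == "trusted" for v, _ in verdicts):
        proc.reputation = "trusted"
    else:
        proc.reputation = "unknown"
    if proc.reputation == "trusted":
        proc.rules = set().union(*(r for _, r in verdicts))
    else:
        proc.rules = set(STRICT_RULES)
    return proc.reputation


def on_module_loaded(proc, name):
    # Life-cycle event: a new shared library entered the process, so the
    # process reputation (and therefore the protocol) must be re-evaluated.
    proc.modules.append(name)
    return recompute(proc)
```

A single unknown or malicious library is enough to pull a previously trusted process back onto the strict protocol, which is the dynamic behaviour the abstract describes.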