Title: System and method for below-operating system trapping of driver filter attachment
Abstract: A system for protecting an electronic device against malware includes an operating system configured to execute on the electronic device, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device when accessing the one or more resources for changing filters of the driver.
Publication number: US9032525 (B2)    Publication date: 2015.05.12
Application number: US201113075101    Filing date: 2011.03.29
Applicant: McAfee, Inc.    Inventor: Sallam Ahmed Said
Classification: G06F21/00; G06F21/56    Main classification: G06F21/00
Agency: Baker Botts L.L.P.    Attorney: Baker Botts L.L.P.
Main claim: 1. A system for protecting against malware, comprising:
a hardware processor;
a memory communicatively coupled to the hardware processor;
a below-operating-system security agent including instructions in the memory to be executed by the hardware processor and configured to:
identify one or more resources for changing filters of a driver;
trap an attempted access of the one or more resources, the attempted access originating from one of a set of one or more operating systems and including an execution of a subfunction of a function for attaching or detaching a filter to the driver;
access one or more security rules to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware includes:
determining that the attempted access included the execution of the subfunction of the function for attaching or detaching a filter to the driver;
determining whether an entity making the attempt is authorized to execute the function;
determining whether the subfunction was executed without executing the function; and
operate at a level below all of the one or more operating systems to access the one or more resources for changing filters of the driver.
Address: Santa Clara, CA, US