Title: Silent-mode signature testing in anti-malware processing
Abstract: A method and computer program product for signature testing used in anti-malware processing. Silent signatures, after being tested, are not added to a white list but are sent directly to users. If a silent signature matches a malware signature, the user is not informed. A checksum (e.g., a hash value) of the suspected file is sent to a server, where statistics are kept and analyzed. Based on the collected false-positive statistics for the silent signature, the silent signature is judged either valid or invalid. Use of silent signatures provides effective signature testing and reduces response time to new malware-related threats. The silent-signature method is used to turn off a signature upon the first false-positive occurrence. Use of silent signatures also allows improving heuristic algorithms for the detection of unknown malware.
Publication number: US8819835 (B2)    Publication date: 2014-08-26
Application number: US201313740775    Filing date: 2013-01-14
Applicant: Kaspersky Lab, ZAO    Inventor: Nazarov Denis A.
Classification: H04L29/06    Main classification: H04L29/06
Agency: Bardmesser Law Group    Agent: Bardmesser Law Group
Main claim: 1. A silent-mode method for protecting against malware, the method being performed on a client computer having a processor and a memory, the method comprising: (a) generating a silent-signature that is applied on the client computer without informing a user of the client computer of a match with signatures of objects from a white list or a black list; (b) analyzing the matches for false positive occurrences; (c) turning off the silent-signature on the client computer and sending the matches from the client computer to a server for further analysis, if at least one false positive occurrence is detected; (d) converting the silent-signature into an active signature and subsequently utilizing the silent-signature for malicious object identification if no false positive occurrence is detected; wherein the false positives occur when the silent-signature matches a signature from the white list, wherein the silent-signature reflects heuristic data comprising behavior patterns of an executable component.
Address: Moscow, RU
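The main claim and the abstract together describe a small state machine: a heuristic signature is first applied in silent mode (matches are recorded, only a checksum of the matched object is reported, the user is never alerted); a match against a white-listed object counts as a false positive; one such false positive turns the signature off and ships the matches to a server for analysis; a clean run promotes the signature to active, after which its matches are surfaced to the user. The Python below is an added illustration of that workflow and is not code from the patent or from Kaspersky Lab. The behaviour-set representation of "heuristic data", the class and function names (SigState, StatsServer, silent_mode_test, scan), the sample files and their checksums are all assumptions made for this example; it also reports every match's checksum to the server, as the abstract describes, not only the false positives.

```python
"""Simulation of silent-mode signature testing (steps (a)-(d) of claim 1)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class SigState(Enum):
    SILENT = "silent"      # applied, matches recorded, user never alerted
    ACTIVE = "active"      # promoted: matches are now reported to the user
    DISABLED = "disabled"  # turned off after a white-list (false positive) hit


@dataclass
class Signature:
    name: str
    # Heuristic predicate over an object's observed behaviour patterns.
    # Representing "behavior patterns" as a set of strings is an assumption.
    matcher: Callable[[Set[str]], bool]
    state: SigState = SigState.SILENT


@dataclass
class ScanObject:
    path: str
    content: bytes
    behaviours: Set[str]

    def checksum(self) -> str:
        # Only this digest leaves the client, never the file itself.
        return hashlib.sha256(self.content).hexdigest()


class StatsServer:
    """Server side: keeps per-signature statistics of reported checksums."""

    def __init__(self) -> None:
        self.reports: Dict[str, List[Tuple[str, str]]] = {}

    def report(self, sig_name: str, checksum: str, verdict: str) -> None:
        self.reports.setdefault(sig_name, []).append((checksum, verdict))

    def false_positive_count(self, sig_name: str) -> int:
        return sum(1 for _, v in self.reports.get(sig_name, []) if v == "fp")


def silent_mode_test(sig: Signature, objects: List[ScanObject],
                     white_list: Set[str], black_list: Set[str],
                     server: StatsServer) -> SigState:
    """Apply a silent signature on one client; never alerts the user."""
    false_positive_seen = False
    for obj in objects:
        if not sig.matcher(obj.behaviours):
            continue
        digest = obj.checksum()
        # A match on a white-listed object is by definition a false positive;
        # a match on a black-listed object is a true positive; anything else is unknown.
        verdict = "fp" if digest in white_list else "tp" if digest in black_list else "unknown"
        false_positive_seen |= verdict == "fp"
        server.report(sig.name, digest, verdict)   # step (c): matches go to the server
    # Step (c) vs (d): one false positive turns the signature off, otherwise it is promoted.
    sig.state = SigState.DISABLED if false_positive_seen else SigState.ACTIVE
    return sig.state


def scan(sig: Signature, objects: List[ScanObject]) -> List[str]:
    """Paths the user is alerted about: nothing unless the signature is ACTIVE."""
    if sig.state is not SigState.ACTIVE:
        return []
    return [o.path for o in objects if sig.matcher(o.behaviours)]


# Constructed sample corpus (not real files or real hashes).
OBJECTS = [
    ScanObject("C:/Tools/debugger.exe", b"debugger-v1",
               {"injects_remote_thread", "reads_process_memory"}),
    ScanObject("C:/Users/a/dl/invoice.exe", b"dropper-0x41",
               {"injects_remote_thread", "writes_autorun", "contacts_c2"}),
    ScanObject("C:/Program Files/editor.exe", b"editor-2.0", {"writes_user_config"}),
]
WHITE_LIST = {OBJECTS[0].checksum(), OBJECTS[2].checksum()}
BLACK_LIST = {OBJECTS[1].checksum()}


def run_demo() -> dict:
    """Test two candidate heuristics: an over-broad one and a narrower one."""
    broad = Signature("heur.inject.any", lambda b: "injects_remote_thread" in b)
    narrow = Signature("heur.inject+autorun",
                       lambda b: {"injects_remote_thread", "writes_autorun"} <= b)
    server = StatsServer()
    silent_mode_test(broad, OBJECTS, WHITE_LIST, BLACK_LIST, server)
    silent_mode_test(narrow, OBJECTS, WHITE_LIST, BLACK_LIST, server)
    return {
        "broad": broad.state,                      # hit the white-listed debugger -> DISABLED
        "narrow": narrow.state,                    # only hit the dropper -> ACTIVE
        "broad_fp": server.false_positive_count(broad.name),
        "alerts": scan(broad, OBJECTS) + scan(narrow, OBJECTS),
    }


if __name__ == "__main__":
    print(run_demo())
```

The over-broad heuristic matches the white-listed debugger on its first silent run and is disabled before any user ever sees an alert, which is the claimed benefit: a bad signature is caught by the first false positive on real endpoints rather than by a delayed lab test. The narrower heuristic matches only the dropper and is promoted, and only then does `scan` surface its match.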