Patent · US Active

Method and apparatus for preventing rootkit installation

US7607173B1 · kind B1 · utility

Cited by: 13
References: 0
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Oct 31, 2005
Grant date: Oct 20, 2009
Priority date:
Expiry date: Dec 6, 2027

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F12/1491
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

Calls to driver load functions, including the associated driver objects to be loaded, are stalled and evaluated for indications of a rootkit. When a rootkit is indicated, protective action is taken, and optionally a user or system administrator is notified. Calls not indicative of a rootkit are released and allowed to load. In one embodiment, calls to currently loaded drivers and calls related to installation of new hardware are excluded from the evaluation for indications of a rootkit. In additional embodiments, sensitive structures of a computer system, and calls to those sensitive structures, are also evaluated for indications of a rootkit.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.