Patent · US Active

Detecting and removing rootkits from within an infected computing system

US7631357B1 · kind B1 · utility

Cited by: 16
References: 1
Claims: 19
Family size: 0

Assignee

Inventor

Key dates

Filing date: Oct 5, 2005
Grant date: Dec 8, 2009
Priority date
Expiry date: Oct 24, 2027

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/56
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A computing system configured to detect and/or remove a rootkit. For detection, a snapshot component takes a snapshot of a storage unit. A rootkit detection component accesses an enumeration of the individual files stored on the storage unit using an alternative file system I/O path, so that a rootkit hiding files from the normal file system interface can be detected. For removal, the location of a rootkit is identified and a computing system shutdown is initiated. A snapshot component pauses the shutdown operation prior to its completion and takes a snapshot of a file storage unit. A rootkit repair component accesses the identified location of the portion of the file storage unit containing the rootkit and modifies that portion of the snapshot of the file storage unit so as to remove the rootkit.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.