White list creation in behavior monitoring system

Assignee

• Trend Micro Incorporated · JP

Inventors

• Chih-Yao Sun · Taipei, TW
• Yi LU · Nanjing, CN
• Dibin Tang · Nanjing, CN
• Ruifeng Yang · Beijing, CN
• Peng Shu · Shanghai, CN
• Rong-Chin Yang · Taoyuan, TW

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/033
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A white list (or exception list) for a behavior monitoring system for detecting unknown malware on a computing device is maintained automatically without human intervention. A white list contains process IDs and other data relating to processes that are determined to be (or very likely be) free of malware. If a process is on this list, the rule matching operations of a conventional behavior monitor are not performed, thereby saving processing resources on the computing device. When a process start up is detected, the behavior monitor performs a series of checks or tests. If the process has all valid digital signatures and is not launched from a removable storage device (such as a USB key) and is not enabled to make any inbound or outbound connections, it is eligible for being on the white list. The white list is also automatically maintained by removing process IDs for processes that have terminated or which attempt to make a new outbound or inbound connection, such as a TCP/UDP connection. Scheduled integrity checks on the white list are also performed by examining the process stack for each process to ensure that there are no abnormal files in the process stack.