Patent · US Active

Detection and dynamic alteration of execution of potential software threats

US8341736B2 · kind B2 · utility

Cited by: 4
References: 4
Claims: 13
Family size: 0

Assignee

Inventors

Key dates

Filing date: Oct 12, 2007
Grant date: Dec 25, 2012
Priority date
Expiry date: Nov 28, 2030

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2221/2145
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled through application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.