Patent · US Active

Detection and restoration of files patched by malware

US8499349B1 · kind B1 · utility

Cited by: 42
References: 6
Claims: 42
Family size: 0

Assignee

Inventors

Key dates

Filing date: Apr 22, 2009
Grant date: Jul 30, 2013
Priority date:
Expiry date: Oct 15, 2030

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/568
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A monitor agent monitors every write request for files that are capable of being patched (executable files). Once a write request is made for one of these files, the agent creates a copy of the file and also saves the original file version number. If the program requesting write access has not been digitally signed, that program is flagged as suspicious. The write request is allowed to proceed and the file is modified by the requesting program. After the modification, if the file version number is not higher than the saved original, the write is flagged as suspicious. If both the requesting program has been flagged as suspicious and the file version number has been flagged as suspicious, the requesting program is labeled as malware, and the monitor agent restores the modified file from the original copy. If only one of the two (the requesting program or the file version number) is flagged as suspicious, the requesting program is labeled as suspicious.
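The following is an added example that simulates the decision logic in the abstract; it is not code from the patent or its assignee. It assumes a constructed file format in which the first line carries `version=X.Y.Z` (a real agent would read the executable's version resource), uses a small set of suffixes to stand in for "files capable of being patched", and shows the two-flag decision table (unsigned requester, non-increasing version) together with the backup-and-restore step for the malware case.

```python
"""Simulation of the patent's write-monitor logic (added example, not the patent's code)."""
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumption: these suffixes stand in for "files capable of being patched".
PATCHABLE_SUFFIXES = {".exe", ".dll", ".sys"}


@dataclass
class WriteVerdict:
    requester_suspicious: bool   # requester was not digitally signed
    version_suspicious: bool     # file version did not increase
    label: str                   # "clean", "suspicious" or "malware"
    restored: bool               # original copy was put back on disk


def parse_version(text: str) -> tuple:
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(requester_signed: bool, old_version: str, new_version: str):
    """Decision table from the abstract: two flags combine into one label."""
    requester_suspicious = not requester_signed
    version_suspicious = parse_version(new_version) <= parse_version(old_version)
    if requester_suspicious and version_suspicious:
        label = "malware"
    elif requester_suspicious or version_suspicious:
        label = "suspicious"
    else:
        label = "clean"
    return requester_suspicious, version_suspicious, label


def read_version(path: Path) -> str:
    """Constructed file format: first line 'version=X.Y.Z', then the payload.
    A real agent would read the executable's VERSIONINFO resource instead."""
    first_line = path.read_bytes().split(b"\n", 1)[0].decode()
    return first_line.partition("=")[2]


def guarded_write(path: Path, requester_signed: bool, new_bytes: bytes):
    """Monitor one write request to `path` as the abstract describes."""
    if path.suffix.lower() not in PATCHABLE_SUFFIXES:
        path.write_bytes(new_bytes)       # not a patchable file: no monitoring
        return None
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)            # keep a copy of the original
    old_version = read_version(path)      # and its version number
    path.write_bytes(new_bytes)           # the write is allowed to proceed
    requester_suspicious, version_suspicious, label = classify(
        requester_signed, old_version, read_version(path))
    restored = False
    if label == "malware":
        shutil.copy2(backup, path)        # restore from the saved copy
        restored = True
    backup.unlink()
    return WriteVerdict(requester_suspicious, version_suspicious, label, restored)


def make_image(version: str, payload: bytes) -> bytes:
    """Build a constructed 'executable' in the format read_version() expects."""
    return f"version={version}\n".encode() + payload


def demo() -> dict:
    """Run three constructed scenarios against a fresh 'app.exe' at version 1.0.0;
    returns {scenario: (label, restored, version left on disk)}."""
    results = {}
    scenarios = {
        "signed_upgrade":    (True,  "1.1.0"),   # vendor updater, higher version
        "unsigned_upgrade":  (False, "1.1.0"),   # unsigned, but version bumped
        "unsigned_same_ver": (False, "1.0.0"),   # in-place patch, version unchanged
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (signed, version) in scenarios.items():
            exe = Path(tmp) / "app.exe"
            exe.write_bytes(make_image("1.0.0", b"original code"))
            verdict = guarded_write(exe, signed, make_image(version, b"patched code"))
            results[name] = (verdict.label, verdict.restored, read_version(exe))
    return results


if __name__ == "__main__":
    for name, (label, restored, on_disk) in demo().items():
        print(f"{name:18s} -> label={label}, restored={restored}, on-disk version={on_disk}")
```

Only the combination of both flags triggers restoration; a single flag yields a "suspicious" label and the modified file stays in place, which is the behaviour the abstract specifies. Note that an unsigned patcher that simply bumps the version string would be labeled only "suspicious" under this scheme, so the version check is a heuristic that complements signature checking rather than replacing it.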

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.