System and method for using snapshots for rootkit detection
US8856927B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Date | Value |
|---|---|
| Filing date | Nov 24, 2010 |
| Grant date | Oct 7, 2014 |
| Priority date | — |
| Expiry date | Dec 20, 2031 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F2221/033
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
A system, method and computer program product for identifying malicious code running on a computer, including an operating system running on the computer with a data storage device, and a trusted software component running simultaneously with the operating system. An online snapshot process captures the current state of the data storage device by copying data blocks from the storage device to intermediate storage. Processes running under the control of the operating system have access to the data storage device. A scanning procedure runs under the control of the trusted software component, which has access to the data representing the snapshot of the data storage device. The scanning procedure analyzes the snapshot of the data storage device for the malicious code, and, in response to a “write” directed to a data block in the snapshot area of the storage device, that data block is written to the intermediate storage.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.