Tracking injected threads to remediate malware
US9411953B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Date | Value |
|---|---|
| Filing date | May 24, 2013 |
| Grant date | Aug 9, 2016 |
| Priority date | — |
| Expiry date | Jul 23, 2033 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/566
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Injected threads are tracked to detect malware that injects malicious code into the address space of a legitimate process. Relationships between threads of processes executing on a client and files stored by the client are mapped to identify files that create threads in executing processes. The address space of a process is analyzed to identify legitimate memory regions in the address space. A suspicious thread referencing a suspicious memory region of the address space outside of the legitimate memory regions is identified. The suspicious memory region is scanned to identify malware. The mapped relationships are used to identify the file that created the thread that referenced the address space in which the malware was identified. The malware in the file is remediated.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.