Various objects and advantages and a more complete understanding of the present invention are apparent and more readily appreciated by reference to the following Detailed Description and to the appended claims when taken in conjunction with the accompanying Drawings, wherein:
“Pestware,” as used herein, refers to any program that damages or disrupts a computer system or that collects or reports information about a person or an organization. Examples include, without limitation, viruses, worms, Trojan horses, spyware, adware, and downloaders.
In an illustrative embodiment of the invention, pestware is detected on a computer. Before the pestware is removed from the computer, the connectivity of the computer with a network is automatically suspended. While connectivity with the network is suspended, the pestware is removed from the computer. This prevents the pestware from downloading additional pestware from the Internet or other network during the removal process.
The network can be the Internet, a private intranet, or other network. In some embodiments, the computer is connected simultaneously with multiple networks (e.g., a Local Area Network and the Internet). In one embodiment, connectivity with a particular network (e.g., the Internet) or with a subset of the available networks is suspended during pestware removal. In another embodiment, all network activity on the computer is suspended during pestware removal.
In some embodiments, network connectivity is automatically suspended as a matter of course before pestware removal is carried out. In other embodiments, network connectivity is automatically suspended based on information that the detected pestware is a particular type of pestware that has a tendency to download pestware when an attempt is made to remove it from a computer. Such information about the characteristics and behavior of various types of pestware can be stored and accessed by an anti-pestware system as needed.
Automatic suspension of network connectivity can be indefinite (e.g., until a system reboot occurs) or temporary, depending on the embodiment. In one illustrative embodiment, network connectivity is restored automatically after the pestware has been removed from the computer. Automatic suspension and restoration of network connectivity (e.g., under software control) obviates the need to disconnect a physical cable from the computer and reconnect it.
Referring now to the drawings, where like or similar elements are designated with identical reference numerals throughout the several views, and referring in particular to
Input devices 115 can be, for example, a keyboard and a mouse or other pointing device. In an illustrative embodiment, storage device 125 is a magnetic-disk device such as a hard disk drive (HDD). In other embodiments, however, storage device 125 can be any type of computer storage device, including, without limitation, a magnetic-disk drive, an optical-disc drive, and a storage device employing flash-memory-based media such as secure digital (SD) cards or multi-media cards (MMCs). Communication interface 130 connects computer 100 to network 140. Memory 135 may include random-access memory (RAM), read-only memory (ROM), or a combination thereof.
In
For convenience in this Detailed Description, the functionality of anti-pestware system 145 has been divided into three modules: detection module 150, network connectivity control module 155, and removal module 160. In various embodiments of the invention, the functionality of these modules may be combined or subdivided in ways other than that indicated in
Detection module 150 is configured to scan computer 100 (e.g., running processes in memory 135 and files stored on storage device 125) to detect pestware. Detection module 150 can employ any of a wide variety of pestware detection techniques. For example, detection module 150 can detect a particular type of pestware through the use of “signatures” or “definitions,” characteristics that uniquely identify a particular variety of pestware. In some embodiments, detection module 150 employs a combination of pestware detection techniques. Optionally, detection module 150 may store and access specific information about the behavior of particular types of pestware. For example, the stored information may indicate that a particular type of pestware downloads pestware from the Internet when an attempt is made to remove the pestware from a computer.
Network connectivity control module 155 is configured to suspend the connectivity of computer 100 with network 140 (e.g., the Internet) automatically before detected pestware is removed from computer 100. That is, network connectivity control module 155 is configured to disconnect computer 100 from network 140 automatically before pestware removal begins. Network connectivity control module 155 unconditionally suspends network connectivity before pestware removal in some embodiments. In other embodiments, network connectivity control module 155 suspends network connectivity in response to the need to remove a particular type of pestware that detection module 150 has determined has a tendency to download pestware when an attempt is made to remove it from a computer. Network connectivity control module 155 is configured, in some embodiments, to suspend connectivity with network 140 indefinitely (e.g., until computer 100 is restarted). In another illustrative embodiment, network connectivity control module 155 is configured to restore the connectivity of computer 100 with network 140 automatically after the detected pestware has been removed. Where computer 100 is connected with multiple networks simultaneously, network connectivity control module 155 can be configured, depending on the embodiment, to suspend the connectivity of computer 100 with a subset of the networks or with all of the networks.
Those skilled in the art will recognize that there are a variety of ways in which network connectivity control module 155 can automatically suspend the connectivity of computer 100 with network 140. In one embodiment, a hardware switch (e.g., a relay) that can be controlled through software by network connectivity control module 155 is placed between network 140 and communication interface 130. In other embodiments, network connectivity is controlled entirely through software. For example, a firewall or zone alarm application may be used to suspend network connectivity without the need to disconnect a cable from communication interface 130 manually. Alternatively, application program interfaces (APIs) associated with the operating system of computer 100 can also be used to suspend or restore network connectivity automatically. In one embodiment, network connectivity control module 155 accesses these operating system functions through a network settings control panel or similar user interface.
Removal module 160 is configured to remove pestware detected on computer 100 while the connectivity of computer 100 with network 140 is suspended. In removing pestware from computer 100, removal module 160 may use a variety of techniques, including techniques for deleting “locked” pestware files (files protected against deletion by the operating system). Removal of pestware from computer 100 can include, for example, terminating running pestware processes and deleting pestware files from storage device 125.
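The following Python is an added illustration of the workflow the three modules describe, not code from the patent or from any product; `BEHAVIOUR_DB`, `NetworkController` and `remove_pestware` are hypothetical names, the behaviour table entries are constructed, and the suspend/restore methods are stand-ins for whatever firewall rule, hardware switch or operating-system API a real implementation would drive. It covers both embodiments (unconditional suspension, and suspension only for types known to download on removal), suspension of a subset of networks, and indefinite versus automatic restoration.

```python
from contextlib import contextmanager, nullcontext

# Constructed behaviour table (stand-in for the information detection module
# 150 may store): does this pestware type download more pestware on removal?
BEHAVIOUR_DB = {
    "trojan.downloader.sample": {"downloads_on_removal": True},
    "adware.sample": {"downloads_on_removal": False},
}

class NetworkController:
    """Stand-in for network connectivity control module 155; a real one would
    drive a firewall rule or an OS networking API inside suspend/restore."""

    def __init__(self, networks):
        self.networks = dict(networks)  # name -> connected?
        self.log = []  # ordered record of suspend/restore actions

    def suspend(self, names):
        for n in names:
            self.networks[n] = False
            self.log.append(("suspend", n))

    def restore(self, names):
        for n in names:
            self.networks[n] = True
            self.log.append(("restore", n))

    @contextmanager
    def isolated(self, names, restore_after=True):
        """Suspend `names` for the block; restore after unless indefinite."""
        self.suspend(names)
        try:
            yield
        finally:
            if restore_after:
                self.restore(names)

def remove_pestware(name, netctl, remover, policy="always", networks=None,
                    restore_after=True):
    """Run `remover(name)` with the host isolated. policy="always" suspends as
    a matter of course; "behaviour" suspends only for types BEHAVIOUR_DB flags
    (unknown types count as flagged). networks=None means all networks."""
    info = BEHAVIOUR_DB.get(name)
    isolate = policy == "always" or info is None or info["downloads_on_removal"]
    targets = list(netctl.networks) if networks is None else list(networks)
    ctx = netctl.isolated(targets, restore_after) if isolate else nullcontext()
    with ctx:
        remover(name)  # removal module 160 runs while connectivity is down
    return isolate
```

Because suspension is wrapped in a `finally`, connectivity is restored even when the removal step fails (for example on a locked file), unless the indefinite until-reboot mode was requested.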
In conclusion, the present invention provides, among other things, a method and system for removing pestware that downloads pestware in response to a removal attempt. Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed exemplary forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the claims. For example, the principles of the invention can be applied to a variety of operating systems and networks and to a variety of pestware detection and removal techniques.