Systems and methods for generating repair scripts that facilitate remediation of malware side-effects
Country / type: United States (US) patent, granted
International Patent Classification (IPC, 7th edition): G06F-011/00; G06F-021/56
Application number: US-0334391 (filed 2014-07-17)
Registration number: US-9659176 (granted 2017-05-23)
Inventors: Roter, Michele; Kuei, Chester
Applicant: Symantec Corporation
Agent: FisherBroyles LLP
Citation information: cited by 0 patents; cites 13 patents
Abstract
The disclosed computer-implemented method for generating repair scripts that facilitate remediation of malware side-effects may include (1) identifying a potentially malicious file located on a computing system, (2) determining at least one potential side-effect of the potentially malicious file, (3) generating, based at least in part on the potential side-effect of the potentially malicious file, a repair script that facilitates remediation of the potential side-effect, and then (4) remedying the potential side-effect by directing the computing system to execute the repair script. Various other methods, systems, and computer-readable media are also disclosed.
Claims
1. A computer-implemented method for generating repair scripts that facilitate remediation of malware side-effects, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: identifying a potentially malicious file located on a computing system; determining at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file; generating, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by: identifying all known variants of a family of malware that includes the potentially malicious file; performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; and remedying the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to: compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known side-effect and the potential side-effect; determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold; in response to determining that the heuristic distance is below the certain threshold: classify the registry key or the other file as a side-effect of the potentially malicious file; and remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file.

2. The method of claim 1, wherein the potential side-effect of the potentially malicious file comprises at least one of: a modification to a file name caused by the potentially malicious file; a modification to the registry key caused by the potentially malicious file; a creation of the file caused by the potentially malicious file; and a creation of the registry key caused by the potentially malicious file.

3. The method of claim 1, wherein determining the potential side-effect of the potentially malicious file comprises: executing the potentially malicious file in a controlled software automation environment; upon executing the potentially malicious file, detecting evidence of the potential side-effect; and determining, based at least in part on the evidence of the potential side-effect, that the potentially malicious file causes the potential side-effect.

4. The method of claim 1, wherein determining the potential side-effect of the potentially malicious file comprises: collecting behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; and identifying, by analyzing the behavioral information collected from the group of computing devices, the potential side-effect of the potentially malicious file.

5. The method of claim 1, wherein: determining the potential side-effect of the potentially malicious file comprises determining at least one potential side-effect of at least one variant of the family of malware that includes the potentially malicious file; and generating the repair script comprises generating, based at least in part on the potential side-effect of the variant, a repair script that facilitates remediation of the potential side-effect of the variant.

6. The method of claim 5, wherein the variant of the family of malware comprises at least one of: a variant whose file name differs from a file name of the potentially malicious file; and a variant whose attribute differs from a corresponding attribute of the potentially malicious file.

7. The method of claim 1, wherein generating the repair script that facilitates remediation of the potential side-effect comprises generating a generic repair script that: identifies the registry key or the other file as potentially being a side-effect of the potentially malicious file; and facilitates remediation of the registry key or the other file identified as potentially being a side-effect of the potentially malicious file.

8. The method of claim 1, wherein performing a controlled software automation analysis on all of the known variants of the family of malware comprises: executing at least one variant of the potentially malicious file in a controlled software automation environment; upon executing the variant of the potentially malicious file, detecting evidence suggesting that the registry key or the other file is a side-effect of the potentially malicious file; and computing the certain threshold based at least in part on the evidence suggesting that the registry key or the other file is a side-effect of the potentially malicious file.

9. The method of claim 1, wherein performing a field telemetry analysis on all of the known variants of the family of malware comprises: collecting behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; identifying, by analyzing the behavioral information collected from the group of computing devices, the registry key or the other file as potentially being a side-effect of the potentially malicious file; and computing the certain threshold based at least in part on the registry key or the other file potentially being a side-effect of the potentially malicious file.

10. The method of claim 1, wherein generating the repair script comprises generating the repair script based at least in part on the variations in potential side-effects that result from executing or removing the variants from computing systems.

11. A system for generating repair scripts that facilitate remediation of malware side-effects, the system comprising: at least one memory; an identification module, stored in the memory, that identifies a potentially malicious file located on a computing system; a determination module, stored in the memory, that determines at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file; a generation module, stored in the memory, that generates, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by: identifying all known variants of a family of malware that includes the potentially malicious file; performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; a remediation module, stored in the memory, that remedies the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to: compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known side-effect and the potential side-effect; determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold; in response to determining that the heuristic distance is below the certain threshold: classify the registry key or the other file as a side-effect of the potentially malicious file; and remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file; and at least one physical processor that executes the identification module, the determination module, the generation module, and the remediation module.

12. The system of claim 11, wherein the potential side-effect of the potentially malicious file comprises at least one of: a modification to a file name caused by the potentially malicious file; a modification to the registry key caused by the potentially malicious file; a creation of the file caused by the potentially malicious file; and a creation of the registry key caused by the potentially malicious file.

13. The system of claim 11, wherein the determination module determines the potential side-effect of the potentially malicious file by: executing the potentially malicious file in a controlled software automation environment; upon executing the potentially malicious file, detecting evidence of the potential side-effect; and determining, based at least in part on the evidence of the potential side-effect, that the potentially malicious file causes the potential side-effect.

14. The system of claim 11, wherein the determination module determines the potential side-effect of the potentially malicious file by: collecting behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; and identifying, by analyzing the behavioral information collected from the group of computing devices, the potential side-effect of the potentially malicious file.

15. The system of claim 11, wherein: the determination module determines at least one potential side-effect of at least one variant of the family of malware that includes the potentially malicious file; and the generation module generates, based at least in part on the potential side-effect of the variant, a repair script that facilitates remediation of the potential side-effect of the variant.

16. The system of claim 15, wherein the variant of the family of malware comprises at least one of: a variant whose file name differs from a file name of the potentially malicious file; and a variant whose attribute differs from a corresponding attribute of the potentially malicious file.

17. The system of claim 11, wherein the generation module generates a generic repair script that: identifies the registry key or the other file as potentially being a side-effect of the potentially malicious file; and facilitates remediation of the registry key or the other file identified as potentially being a side-effect of the potentially malicious file.

18. The system of claim 11, wherein the generation module generates the repair script based at least in part on the variations in potential side-effects that result from executing or removing the variants from computing systems.

19. The system of claim 11, wherein: the determination module: collects behavioral information about the potentially malicious file from a group of computing devices that have executed the potentially malicious file; and identifies, by analyzing the behavioral information collected from the group of computing devices, the registry key or the other file as potentially being a side-effect of the potentially malicious file; and the generation module may compute the certain threshold based at least in part on the registry key or the other file potentially being a side-effect of the potentially malicious file.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to: identify a potentially malicious file located on a computing system; determine at least one potential side-effect of the potentially malicious file, wherein the potential side-effect represents a registry key or another file that has been created or modified on the computing system by executing or removing the potentially malicious file; generate, based at least in part on the potential side-effect, a repair script that facilitates remediation of the potential side-effect by: identifying all known variants of a family of malware that includes the potentially malicious file; performing a controlled software automation analysis or a field telemetry analysis on all of the known variants of the family of malware; and determining, based at least in part on the controlled software automation analysis or the field telemetry analysis, one or more variations in potential side-effects that result from executing or removing the variants from computing systems; and remedy the potential side-effect by directing the computing system to execute the repair script such that the repair script causes the computing system to: compute a heuristic distance from a known side-effect of the potentially malicious file to the registry key or the other file that has been created or modified on the computing system by executing or removing the potentially malicious file, wherein the heuristic distance represents an amount of difference between the known side-effect and the potential side-effect; determine that the heuristic distance from the known side-effect to the registry key or the other file is below a certain threshold; in response to determining that the heuristic distance is below the certain threshold: classify the registry key or the other file as a side-effect of the potentially malicious file; and remedy the registry key or the other file due at least in part to the classification as a side-effect of the potentially malicious file.
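The four-step method of the abstract and the distance-and-threshold logic of claim 1, together with the variant analysis of claims 5 to 10, modelled as an added worked example in Python. This is not code from the patent or from Symantec. The distance metric (edit distance on the parent path and on the final component, weighted equally), the path normalisation, the threshold rule (largest drift observed between variants, plus a margin), the two-kind file/registry taxonomy, the PowerShell output format, and the sample side-effects and host artifacts are all assumptions made for this example; the patent specifies none of them.

```python
"""Added example, not code from the patent or from Symantec: a toy model of the
abstract's workflow and claim 1's distance/threshold logic.  The metric, path
normalisation, threshold rule, output format and sample data are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    kind: str  # "file" or "registry" (assumed two-kind taxonomy)
    path: str  # file path, or registry key path ending in the value name


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nlev(a: str, b: str) -> float:
    """Edit distance scaled to [0, 1] by the longer string."""
    n = max(len(a), len(b))
    return levenshtein(a, b) / n if n else 0.0


def normalise(path: str) -> str:
    """Fold away per-host differences (case, profile name); assumed rule set."""
    return re.sub(r"^c:\\users\\[^\\]+\\", r"c:\\users\\<user>\\", path.lower())


def heuristic_distance(x: Artifact, y: Artifact) -> float:
    """Assumed metric, 0 = identical, 1 = unrelated.  Parent path and final
    component (file or value name) count for half each, so two unrelated values
    under the same Run key are not 'close' merely because the key is shared."""
    if x.kind != y.kind:
        return 1.0
    px, _, lx = normalise(x.path).rpartition("\\")
    py, _, ly = normalise(y.path).rpartition("\\")
    return 0.5 * nlev(px, py) + 0.5 * nlev(lx, ly)


@dataclass
class RepairScript:
    family: str
    known: list[Artifact]  # side-effects seen across the family's variants
    threshold: float       # how far an artifact may drift and still match

    def classify(self, artifacts: list[Artifact]) -> list[tuple[Artifact, float]]:
        """Claim 1: distance to the nearest known side-effect; below the
        threshold, the artifact is classed as a side-effect of the family."""
        hits = []
        for art in artifacts:
            d = min(heuristic_distance(k, art) for k in self.known)
            if d < self.threshold:
                hits.append((art, d))
        return hits

    def actions(self, artifacts: list[Artifact]) -> list[tuple[str, str]]:
        """One remediation step per classified artifact."""
        return [("delete_file" if a.kind == "file" else "delete_registry_value", a.path)
                for a, _ in self.classify(artifacts)]

    def render(self, artifacts: list[Artifact]) -> str:
        """Emit the actions as PowerShell lines (assumed output format)."""
        lines = [f"# repair script for family {self.family}"]
        for op, path in self.actions(artifacts):
            if op == "delete_file":
                lines.append(f"Remove-Item -LiteralPath '{path}' -Force")
            else:
                key, _, name = path.rpartition("\\")
                hive, _, rest = key.partition("\\")
                lines.append(f"Remove-ItemProperty -Path '{hive}:\\{rest}' -Name '{name}'")
        return "\n".join(lines)


def build_repair_script(family: str, variants: dict[str, list[Artifact]],
                        margin: float = 0.1) -> RepairScript:
    """Claims 5 to 10 in miniature: pool every variant's side-effects, measure how
    far each drifts from its nearest counterpart in the other variants, and set
    the threshold to that observed drift plus a margin (assumed rule)."""
    drift = 0.0
    for name, effects in variants.items():
        others = [a for n, es in variants.items() if n != name for a in es]
        for art in effects:
            peers = [o for o in others if o.kind == art.kind]
            if peers:
                drift = max(drift, min(heuristic_distance(art, o) for o in peers))
    return RepairScript(family, [a for es in variants.values() for a in es], drift + margin)


# Constructed sample data: what sandbox runs or field telemetry reported for two
# known variants, and the artifacts present on a host that is to be cleaned.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_VARIANT_SIDE_EFFECTS = {
    "variant_a": [Artifact("file", r"C:\Users\alice\AppData\Roaming\wupdchk32.exe"),
                  Artifact("registry", RUN + r"\wupdchk32")],
    "variant_b": [Artifact("file", r"C:\Users\bob\AppData\Roaming\wupdchk64.exe"),
                  Artifact("registry", RUN + r"\wupdchk64")],
}
HOST_ARTIFACTS = [
    Artifact("file", r"C:\Users\carol\AppData\Roaming\wupdchk99.exe"),  # unseen variant
    Artifact("registry", RUN + r"\wupdchk99"),
    Artifact("file", r"C:\Users\carol\AppData\Roaming\Mozilla\Firefox\profiles.ini"),  # benign
    Artifact("registry", RUN + r"\OneDrive"),  # benign
]

if __name__ == "__main__":
    print(build_repair_script("ExampleFamily", KNOWN_VARIANT_SIDE_EFFECTS).render(HOST_ARTIFACTS))
```

With the constructed data the two known variants differ by two characters in their file and value names, so the observed drift is 1/9 and the threshold lands at about 0.21; the unseen `wupdchk99` file and Run value fall inside it and are listed for removal, while `profiles.ini` and the `OneDrive` Run value, which sit under exactly the same parent paths, are not. That is the point of weighting the final component equally with the parent path: a distance over the whole string would be dominated by the long shared `...\CurrentVersion\Run` prefix and would pull unrelated autostart entries below the threshold. Two cautions for anything beyond a demonstration: the generated lines are only printed, never executed, and a real repair script should quarantine rather than delete and should record the distance that justified each action so that a misclassification can be reverted.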
Patents cited by this patent (13)
Kalinichenko, Michael, Application of nested behavioral rules for anti-malware processing.