Dynamic Selection and Loading of Anti-Malware Signatures
Abstract
An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware system dynamically determines which of the available malware detection signatures and classes of signatures are relevant and should be provided to a machine based on available information. The malware detection signatures are obtained and loaded automatically from one or more sources when a threat becomes relevant. A program or application may be blocked from accessing files until the relevant malware detection signatures have been loaded onto the machine.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computer-implemented method, comprising:
determining which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines that communicate with the device; loading relevant malware detection signatures to a malware scanner; scanning the device using the relevant malware detection signatures; and unloading signatures for threats that are no longer relevant to the device.
2 . The computer-implemented method of claim 1 , further comprising:
determining which malware detection signatures are relevant to the device based upon the device's hardware configuration or software configuration or both.
3 . The computer-implemented method of claim 1 , further comprising:
determining which malware detection signatures are relevant to the device based upon malware detected by one or more other machines that have a logical connection to the device.
4 . The computer-implemented method of claim 1 , further comprising:
determining which malware detection signatures are relevant to the device based upon a configuration of one or more other machines that communicate with the device.
5 . The computer-implemented method of claim 1 , further comprising:
determining which malware detection signatures are relevant to the device based upon data aggregated on a global scale.
6 . The computer-implemented method of claim 1 , further comprising:
determining which malware detection signatures are relevant to the device based upon a geographic location of the device.
7 . The computer-implemented method of claim 1 , wherein at least one of the device and the other machines are virtual machines.
8 . The computer-implemented method of claim 1 , further comprising:
automatically obtaining the relevant malware detection signatures from one or more signature repositories.
9 . The computer-implemented method of claim 1 , further comprising:
automatically obtaining the relevant malware detection signatures from a that has a logical connection to the device.
10 . The computer-implemented method of claim 1 , further comprising:
automatically obtaining the relevant malware detection signatures from a data center signature server.
11 . The computer-implemented method of claim 1 , further comprising:
automatically obtaining the relevant malware detection signatures from a local storage.
12 . The computer-implemented method of claim 1 , further comprising:
loading the relevant malware detection signatures for a specified duration and then unloading the relevant malware detection signatures.
13 . The computer-implemented method of claim 1 , further comprising:
blocking one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded.
14 . A computer system, comprising:
one or more processors; system memory; one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the processors to perform a method for automatically determining and loading relevant malware detection signatures, the processor operating to: determine which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines that communicate with the device; load relevant malware detection signatures to a malware scanner; scan the device using the relevant malware detection signatures; and unload signatures for threats that are no longer relevant to the device.
15 . The computer system of claim 15 , the processor further operating to:
determine which malware detection signatures are relevant to the device based upon a hardware configuration or a software configuration of the device.
16 . The computer system of claim 15 , the processor further operating to:
determine which malware detection signatures are relevant to the device based upon a configuration of one or more other machines has a logical connection to the device.
17 . The computer system of claim 15 , wherein at least one of the device and the other machines are virtual machines.
18 . The computer system of claim 15 , the processor further operating to:
block one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded.
19 . The computer system of claim 15 , wherein the logical connection is used over a network environment selected from the group consisting of:
a local area network (LAN), a wide area network (WAN), an enterprise-wide computer network, and an intranet.
20 . A computer-readable storage device comprising instructions that, when executed by a computer, cause the computer system to:
determine which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines on a local network that includes the device, wherein the relevant malware detection signatures are determined based upon one or more of:
a hardware configuration or a software configuration of the device,
malware detected by one or more other machines that have a logical connection to the device,
a configuration of one or more other machines that have a logical connection to the device,
data aggregated on a global scale, and
a geographic location of the device;
block one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded; obtain the relevant malware detection signatures; load the relevant malware detection signatures to a malware scanner; scan the device using the relevant malware detection signatures; and unload signatures for threats that are no longer relevant to the device.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.