US2015096029A1PendingUtilityA1

Dynamic Selection and Loading of Anti-Malware Signatures

53
Assignee: MICROSOFT CORPPriority: Nov 15, 2012Filed: Dec 5, 2014Published: Apr 2, 2015
Est. expiryNov 15, 2032(~6.3 yrs left)· nominal 20-yr term from priority
G06F 21/564
53
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware system dynamically determines which of the available malware detection signatures and classes of signatures are relevant and should be provided to a machine based on available information. The malware detection signatures are obtained and loaded automatically from one or more sources when a threat becomes relevant. A program or application may be blocked from accessing files until the relevant malware detection signatures have been loaded onto the machine.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented method, comprising:
 determining which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines that communicate with the device;   loading relevant malware detection signatures to a malware scanner;   scanning the device using the relevant malware detection signatures; and   unloading signatures for threats that are no longer relevant to the device.   
     
     
         2 . The computer-implemented method of  claim 1 , further comprising:
 determining which malware detection signatures are relevant to the device based upon the device's hardware configuration or software configuration or both.   
     
     
         3 . The computer-implemented method of  claim 1 , further comprising:
 determining which malware detection signatures are relevant to the device based upon malware detected by one or more other machines that have a logical connection to the device.   
     
     
         4 . The computer-implemented method of  claim 1 , further comprising:
 determining which malware detection signatures are relevant to the device based upon a configuration of one or more other machines that communicate with the device.   
     
     
         5 . The computer-implemented method of  claim 1 , further comprising:
 determining which malware detection signatures are relevant to the device based upon data aggregated on a global scale.   
     
     
         6 . The computer-implemented method of  claim 1 , further comprising:
 determining which malware detection signatures are relevant to the device based upon a geographic location of the device.   
     
     
         7 . The computer-implemented method of  claim 1 , wherein at least one of the device and the other machines are virtual machines. 
     
     
         8 . The computer-implemented method of  claim 1 , further comprising:
 automatically obtaining the relevant malware detection signatures from one or more signature repositories.   
     
     
         9 . The computer-implemented method of  claim 1 , further comprising:
 automatically obtaining the relevant malware detection signatures from a that has a logical connection to the device.   
     
     
         10 . The computer-implemented method of  claim 1 , further comprising:
 automatically obtaining the relevant malware detection signatures from a data center signature server.   
     
     
         11 . The computer-implemented method of  claim 1 , further comprising:
 automatically obtaining the relevant malware detection signatures from a local storage.   
     
     
         12 . The computer-implemented method of  claim 1 , further comprising:
 loading the relevant malware detection signatures for a specified duration and then unloading the relevant malware detection signatures.   
     
     
         13 . The computer-implemented method of  claim 1 , further comprising:
 blocking one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded.   
     
     
         14 . A computer system, comprising:
 one or more processors;   system memory;   one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, causes the processors to perform a method for automatically determining and loading relevant malware detection signatures, the processor operating to:   determine which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines that communicate with the device;   load relevant malware detection signatures to a malware scanner;   scan the device using the relevant malware detection signatures; and   unload signatures for threats that are no longer relevant to the device.   
     
     
         15 . The computer system of  claim 15 , the processor further operating to:
 determine which malware detection signatures are relevant to the device based upon a hardware configuration or a software configuration of the device.   
     
     
         16 . The computer system of  claim 15 , the processor further operating to:
 determine which malware detection signatures are relevant to the device based upon a configuration of one or more other machines has a logical connection to the device.   
     
     
         17 . The computer system of  claim 15 , wherein at least one of the device and the other machines are virtual machines. 
     
     
         18 . The computer system of  claim 15 , the processor further operating to:
 block one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded.   
     
     
         19 . The computer system of  claim 15 , wherein the logical connection is used over a network environment selected from the group consisting of:
 a local area network (LAN), a wide area network (WAN), an enterprise-wide computer network, and an intranet.   
     
     
         20 . A computer-readable storage device comprising instructions that, when executed by a computer, cause the computer system to:
 determine which malware detection signatures are relevant to a device, including signatures for malware that is not capable of running on the device, but that may affect other machines on a local network that includes the device, wherein the relevant malware detection signatures are determined based upon one or more of:
 a hardware configuration or a software configuration of the device, 
 malware detected by one or more other machines that have a logical connection to the device, 
 a configuration of one or more other machines that have a logical connection to the device, 
 data aggregated on a global scale, and 
 a geographic location of the device; 
   block one or more programs from accessing files on the device until the relevant malware detection signatures have been loaded;   obtain the relevant malware detection signatures;   load the relevant malware detection signatures to a malware scanner;   scan the device using the relevant malware detection signatures; and   unload signatures for threats that are no longer relevant to the device.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.