US2018139218A1PendingUtilityA1

Reversion of system objects affected by a malware

48
Assignee: SHINE SECURITY LTDPriority: Aug 26, 2013Filed: Jan 15, 2018Published: May 17, 2018
Est. expiryAug 26, 2033(~7.1 yrs left)· nominal 20-yr term from priority
H04L 63/145H04L 63/1416
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A computerized method of reverting system data affected by a malware. The method comprises monitoring, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, logging in an event log, in run time, the plurality of events, classifying, in run time, a first process of the plurality of processes as a malware, identifying a set of events of the first process from the plurality of events using the event log, and reverting, in response to the classification, at least one system object hosted in the computing device to remove an effect of the set of events on the OS.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computerized method of reverting system data effected by a malware, comprising:
 monitoring, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device:   logging in an event log, in run time, said plurality of events;   classifying, in run time, a first process of said plurality of processes as a malware;   identifying a set of events of said first process from said plurality of events using said event log; and   reverting, in response to said classification, at least one system object hosted in said computing device to remove an effect of said set of events on said OS.   
     
     
         2 . The computerized method of  claim 1 , wherein said classifying comprises calculating a plurality of scores each for another of said plurality of processes according to an analysis of respective associated events from said plurality of events in run time and performing said classifying according to said plurality of scores. 
     
     
         3 . The computerized method of  claim 2 , wherein said reverting comprises a reverting action selected according to a score from said plurality of scores of said first score. 
     
     
         4 . The computerized method of  claim 1 , wherein said reverting comprises deleting a file added by said first process. 
     
     
         5 . The computerized method of  claim 1 , wherein said reverting comprises deleting said at least one system object; further comprising identifying a regeneration of said at least one system object and preemptively blocking said regeneration. 
     
     
         6 . The computerized method of  claim 1 , wherein said reverting comprises deleting a registry value added by said first process. 
     
     
         7 . The computerized method of  claim 1 , wherein said reverting comprises disabling said first process. 
     
     
         8 . The computerized method of  claim 1 , wherein said reverting comprises identifying a match between said at least one system object and at least one system object template and using said at least one system object template to revert said at least one system object for removing said effect on said OS. 
     
     
         9 . The computerized method of  claim 8 , wherein said at least one system object template is at least one specific system object template adapted for said OS. 
     
     
         10 . The computerized method of  claim 8 , wherein said at least one system object template is at least one generic system object template adapted for an update version of said OS. 
     
     
         11 . A computer readable medium comprising computer executable instructions adapted to perform the method of  claim 1 . 
     
     
         12 . A system of reverting system data effected by a malware, comprising:
 a memory hosting a an event log wherein a;   a processor;   a threat monitoring module which monitors, in run time, a plurality of events of a plurality of processes executed by an installed operating system (OS) running on a computing device and logs said plurality of events in said event log, said threat monitoring module uses said processor to classify, in run time, a first process of said plurality of processes as a malware and to identify a set of events of said first process from said plurality of events using said event log; and   a data reverting module which reverts at least one system object hosted in said computing device and affected by said set of events in response to said classification.   
     
     
         13 . The system of  claim 12 , further comprising a generic template database which stores a plurality generic system object templates of a plurality of different versions of an operating system, said data reverting module selects at least one of said plurality generic system object templates for a replacement of said at least one system object according to a version of said installed OS. 
     
     
         14 . The system of  claim 12 , further comprising a specific template database which stores a plurality specific system object templates generated to replicate a plurality of different system objects of said installed OS, said data reverting module selects at least one of said plurality specific system object templates for a replacement of said at least one system object. 
     
     
         15 . A computerized method of repairing damage caused by malware operations, comprising:
 monitoring in run time a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device:   classifying, in run time, a first process of said plurality of processes as a malware by an analysis of a set of events associated with said first process from said plurality of events;   detecting, in run time, an additional event performed by said first process on said computing device; and   reverting at least one system object hosted in said computing device and affected by said additional event.   
     
     
         16 . A computer program product for reverting system data effected by a malware, comprising:
 a computer readable storage medium;   first program instructions to monitor, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on said computing device:   second program instructions to log in an event log, in run time, said plurality of events;   third program instructions to classify, in run time, a first process of said plurality of processes as a malware;   fourth program instructions to identify a set of events of said first process from said plurality of events using said event log; and   fifth program instructions to revert, in response to said classification, at least one system object hosted in said computing device to remove an effect of said set of events on said OS   wherein said first, second, third, fourth, and fifth program instructions are stored on said computer readable storage medium.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.