Patents by Inventor Adrian M. Marinescu

Adrian M. Marinescu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7730530
    Abstract: A system and method for gathering exhibited behaviors of a .NET executable module in a secure manner is presented. In operation, a .NET behavior evaluation module presents a virtual .NET environment to a Microsoft Corporation .NET code module. The .NET behavior evaluation module implements a sufficient number of aspects of an actual Microsoft Corporation .NET environment that a .NET code module can execute. As the .NET code module executes, the .NET behavior evaluation module records some of the exhibited behaviors, i.e., .NET system supplied libraries/subroutines, that are associated with known malware. The recorded behaviors are placed in a behavior signature for an external determination as to whether the .NET code module is malware, i.e., an unwanted computer attack.
    Type: Grant
    Filed: January 30, 2004
    Date of Patent: June 1, 2010
    Assignee: Microsoft Corporation
    Inventors: Daniel M. Bodorin, Adrian M. Marinescu
  • Patent number: 7716743
    Abstract: The present invention provides a system, method, and computer-readable medium for quarantining a file. Embodiments of the present invention are included in antivirus software that maintains a user interface. From the user interface, a user may issue a command to quarantine a file or the quarantine process may be initiated automatically by the antivirus software after malware is identified. When a file is marked for quarantine, aspects of the present invention encode file data with a function that is reversible. Then a set of metadata is identified that describes attributes of the file including any heightened security features that are used to limit access to the file. The metadata is moved to a quarantine folder, while the encoded file remains at the same location in the file system. As a result, the encoded file maintains the same file attributes as the original, non-quarantined file, including any heightened security features.
    Type: Grant
    Filed: January 14, 2005
    Date of Patent: May 11, 2010
    Assignee: Microsoft Corporation
    Inventors: Mihai Costea, Adrian M. Marinescu, Anil Francis Thomas, Gheorghe Marius Gheorghescu, Kyle A. Larsen, Vadim N. Bluvstein
  • Patent number: 7707634
    Abstract: A malware detection system and method for determining whether an executable script is malware is presented. The malware detection system determines whether the executable script is malware by comparing the functional contents of the executable script to the functional contents of known malware. In practice, the executable script is obtained. The executable script is normalized, thereby generating a script signature corresponding to the functionality of the executable script. The script signature is compared to known malware script signatures in a malware signature store to determine whether the executable script is malware. If a complete match is made, the executable script is considered to be malware. If a partial match is made, the executable script is considered to likely be malware. The malware detection system may perform two normalizations, each normalization generating a script signature which is compared to similarly normalized known malware script signatures in the malware signature store.
    Type: Grant
    Filed: January 30, 2004
    Date of Patent: April 27, 2010
    Assignee: Microsoft Corporation
    Inventors: Catalin D. Sandu, Adrian M. Marinescu
  • Patent number: 7673341
    Abstract: The present invention provides a system, method, and computer-readable medium for identifying and removing active malware from a computer. Aspects of the present invention are included in a cleaner tool that may be obtained automatically with an update service or may be downloaded manually from a Web site or similar distribution system. The cleaner tool includes a specialized scanning engine that searches a computer for active malware. Since the scanning engine only searches for active malware, the amount of data downloaded and resource requirements of the cleaner tool are less than traditional antivirus software. The scanning engine searches specific locations on a computer, such as data mapped in memory, configuration files, and file metadata for data characteristic of malware. If malware is detected, the cleaner tool removes the malware from the computer.
    Type: Grant
    Filed: December 15, 2004
    Date of Patent: March 2, 2010
    Assignee: Microsoft Corporation
    Inventors: Michael Kramer, Matthew Braverman, Marc E. Seinfeld, Jason Garms, Adrian M. Marinescu, George Cristian Chicioreanu, Scott A. Field
  • Patent number: 7660797
    Abstract: The present invention is directed toward a system, method, and computer-readable medium that scan a file for malware that maintains a restrictive access attribute that limits access to the file. In accordance with one aspect of the present invention, a method for performing a scan for malware is provided when antivirus software on a computer encounters a file with a restrictive access attribute that prevents the file from being scanned. More specifically, the method includes identifying the restrictive access attribute that limits access to the file; bypassing the restrictive access attribute to access data in the file; and using a scan engine to scan the data in the file for malware.
    Type: Grant
    Filed: May 27, 2005
    Date of Patent: February 9, 2010
    Assignee: Microsoft Corporation
    Inventors: Adrian M Marinescu, George C Chicioreanu, Marius Gheorghe Gheorghescu, Scott A Field
  • Patent number: 7640583
    Abstract: In general, embodiments of the present invention provide protection for anti-malware software programs (also referred to herein as anti-malware) that is in addition to the protection that currently exists. In particular, instead of only protecting anti-malware programs from malware attacks by attempting to detect the malware software programs (also referred to herein as malware) before they can accomplish their malicious task, embodiments of the present invention obfuscate, or hide, the anti-malware and/or files associated with the anti-malware. Obfuscating files makes it difficult for malware to locate the information needed to accomplish its malware tasks. Additionally, because obfuscation makes file location difficult, malware that attempts to overcome this protection technique will likely include or use a detection engine.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: December 29, 2009
    Assignee: Microsoft Corporation
    Inventors: Adrian M. Marinescu, Matthew I. Braverman, Marc E. Seinfeld
  • Patent number: 7636856
    Abstract: The present invention includes a system and method for translating potential malware devices into safe program code. The potential malware is translated from any one of a number of different types of source languages, including, but not limited to, native CPU program code, platform independent .NET byte code, scripting program code, and the like. Then the translated program code is compiled into program code that may be understood and executed by the native CPU. Before and/or during execution, the present invention causes a scanner to search for potential malware stored in memory. If malware is not detected, the computing device causes the CPU to execute the translated program code. However, execution and/or analysis of potential malware may be interrupted if computer memory that stores potential malware is altered during execution. In this instance, the potential malware now stored in memory is translated into safe program code before being executed.
    Type: Grant
    Filed: December 6, 2004
    Date of Patent: December 22, 2009
    Assignee: Microsoft Corporation
    Inventors: Gheorghe Marius Gheorghescu, Adrian M Marinescu, Adrian E Stepan
  • Patent number: 7624443
    Abstract: A self-healing device is provided in which changes made between the time that an infection resulting from an attack on the device was detected and an earlier point in time to which the device is capable of being restored may be recovered based, at least in part, on what kinds of changes were made, whether the changes were bona fide or malware induced, whether the changes were made after the time that the infection likely occurred, and whether new software was installed.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Michael Kramer, Scott A. Field, Marc E. Seinfeld, Carl Carter-Schwendler, Paul Luber, Adrian M. Marinescu
  • Patent number: 7620990
    Abstract: A system and method for determining whether a packed executable is malware is presented. In operation, a malware evaluator intercepts incoming data directed to a computer. The malware evaluator evaluates the incoming data to determine whether the incoming data is a packed executable. If the incoming data is a packed executable, the malware evaluator passes the packed executable to an unpacking module. The unpacking module includes a set of unpacker modules for unpacking a packed executable of a particular type. The unpacking module selects an unpacker module according to the type of the packed executable, and executes the selected unpacker module. Executing the unpacker module generates an unpacked executable corresponding to the packed executable. The unpacked executable is returned to the malware evaluator where it is evaluated to determine whether the packed executable is malware.
    Type: Grant
    Filed: January 30, 2004
    Date of Patent: November 17, 2009
    Assignee: Microsoft Corporation
    Inventors: Daniel M. Bodorin, Adrian M. Marinescu
  • Patent number: 7603712
    Abstract: In accordance with the present invention, a system, method, and computer-readable medium for identifying malware in a request to a Web service is provided. One aspect of the present invention is a computer-implemented method for protecting a computer that provides a Web service from malware made in a Web request. When a request is received, an on-demand compilation system compiles high-level code associated with the request into binary code that may be executed. However, before the code is executed, antivirus software designed to identify malware scans the binary code for malware. If malware is identified, the antivirus software prevents the binary code associated with the request from being executed.
    Type: Grant
    Filed: April 21, 2005
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Marc E Seinfeld, Adrian M Marinescu, Charles W Kaufman, Jeffrey M Cooperstein, Michael Kramer
  • Publication number: 20090199297
    Abstract: An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.
    Type: Application
    Filed: February 4, 2008
    Publication date: August 6, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Michael S. Jarrett, Adrian M. Marinescu, Marius Gheorghe Gheorghescu, George C. Chicioreanu
  • Patent number: 7478237
    Abstract: In accordance with this invention, a system, method, and computer-readable medium that aggregates the knowledge base of a plurality of antivirus software applications are provided. User mode applications, such as antivirus software applications, gain access to file system operations through a common information model, which obviates the need for antivirus software vendors to create kernel mode filters. When file system operations are available to antivirus software applications, the present invention may cause each antivirus software application installed on a computing device to perform a scan to determine if the data is malware.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: January 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Mihai Costea, David Allen Goebel, Adrian M Marinescu, Anil Francis Thomas
  • Publication number: 20080209557
    Abstract: A system and method that facilitates and effectuates detection of malware secreted and/or hidden in plain sight on a machine. The system and method in order to achieve its aims generates a list of all loaded modules, identifies from the list a set of modules common to more than a threshold number of processes, and eliminates from the list those modules included in an authentication list. The resultant list is prioritized based, in one instance, on the number of occurrences a particular module makes in the resultant list, and thereafter the list is distributed to analyst workstations.
    Type: Application
    Filed: February 28, 2007
    Publication date: August 28, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Cormac E. Herley, Brian W. Keogh, Aaron Michael Hulett, Adrian M. Marinescu, Stanislav Nurilov, Jeffrey S. Williams
  • Publication number: 20080141286
    Abstract: A system, method, and computer readable medium for the proactive detection of malware in operating systems that receive application programming interface (API) calls is provided. A virtual operating environment for simulating the execution of programs and determining if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely affected. During simulation, a behavior signature is generated based on the API calls issued by potential malware. The behavior signature is suitable for analysis to determine whether the simulated executable is malware.
    Type: Application
    Filed: January 24, 2008
    Publication date: June 12, 2008
    Applicant: MICROSOFT CORPORATION
    Inventor: Adrian M. Marinescu
  • Patent number: 7376970
    Abstract: A system, method, and computer readable medium for the proactive detection of malware in operating systems that receive application programming interface (API) calls is provided. A virtual operating environment for simulating the execution of programs and determining if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely affected. During simulation, a behavior signature is generated based on the API calls issued by potential malware. The behavior signature is suitable for analysis to determine whether the simulated executable is malware.
    Type: Grant
    Filed: February 20, 2004
    Date of Patent: May 20, 2008
    Assignee: Microsoft Corporation
    Inventor: Adrian M. Marinescu