Patents by Inventor Anil Francis Thomas
Anil Francis Thomas has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9436826
Abstract: The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of network traffic, injection of a process, running of script, and/or writing system registry data. Telemetry data and/or a sample of the file may be sent to an antimalware service, and malware remediation may be performed. Data (e.g., the collected events) may be distributed to other nodes for use in antimalware detection, e.g., to block execution of a similar file.
Type: Grant
Filed: June 16, 2011
Date of Patent: September 6, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Vishal Kapoor, Jonathan Mark Keller, Ajith Kumar, Adrian M. Marinescu, Marc E. Seinfeld, Anil Francis Thomas, Michael Sean Jarrett, Joseph J. Johnson, Joseph L. Faulhaber
-
Patent number: 9262423
Abstract: Storing and retrieving files based on hashes for the files. One method for storing files includes: identifying a file; identifying a hash calculated based on the file; renaming the file based on the hash based on the file; and storing the file in a particular location based on the hash calculated based on the file. Another method for retrieving files includes: identifying a hash for a given file; using the hash, traversing a hierarchical file structure to find a location where the given file should be stored; determining that the file is at the location; and as a result, retrieving the file.
Type: Grant
Filed: September 27, 2012
Date of Patent: February 16, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Ronen Borshack, Anil Francis Thomas, Erez Einav, Philip Ernst Taron
-
Patent number: 9043869
Abstract: Techniques for aggregating a knowledge base of a plurality of security services or other event collection systems to protect a computer from malware are provided. In embodiments, a computer is protected from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware. A determination is made as to whether a combination of the suspicious events is indicative of malware. If the combination of suspicious events is indicative of malware, a restrictive security policy designed to prevent the spread of malware is implemented.
Type: Grant
Filed: August 14, 2013
Date of Patent: May 26, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Anil Francis Thomas, Michael Kramer, Mihai Costea, Efim Hudis, Pradeep Bahl, Rajesh K. Dadhia, Yigal Edery
-
Patent number: 8973135
Abstract: Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware.
Type: Grant
Filed: September 29, 2011
Date of Patent: March 3, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Anil Francis Thomas, Adrian M. Marinescu, Ajith Kumar, Jonathan M. Keller, Omer Ben Bassat
-
Patent number: 8955133
Abstract: The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to antimalware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.
Type: Grant
Filed: June 9, 2011
Date of Patent: February 10, 2015
Assignee: Microsoft Corporation
Inventors: Ajith Kumar, Timothy Jon Fraser, Adrian M. Marinescu, Marc E. Seinfeld, Jack Wilson Stokes, III, Anil Francis Thomas
-
Patent number: 8938618
Abstract: Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.
Type: Grant
Filed: April 5, 2013
Date of Patent: January 20, 2015
Assignee: Microsoft Corporation
Inventors: Mark F. Novak, Robert Karl Spiger, Stefan Thom, David J. Linsley, Scott A. Field, Anil Francis Thomas
-
Patent number: 8799190
Abstract: A reliable automated malware classification approach with substantially low false positive rates is provided. Graph-based local and/or global file relationships are used to improve malware classification along with a feature selection algorithm. File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.
Type: Grant
Filed: June 17, 2011
Date of Patent: August 5, 2014
Assignee: Microsoft Corporation
Inventors: Jack W. Stokes, Nikos Karampatziakis, John C. Platt, Anil Francis Thomas, Adrian M. Marinescu
-
Publication number: 20140089273
Abstract: Storing and retrieving files based on hashes for the files. One method for storing files includes: identifying a file; identifying a hash calculated based on the file; renaming the file based on the hash based on the file; and storing the file in a particular location based on the hash calculated based on the file. Another method for retrieving files includes: identifying a hash for a given file; using the hash, traversing a hierarchical file structure to find a location where the given file should be stored; determining that the file is at the location; and as a result, retrieving the file.
Type: Application
Filed: September 27, 2012
Publication date: March 27, 2014
Applicant: MICROSOFT CORPORATION
Inventors: Ronen Borshack, Anil Francis Thomas, Erez Einav, Philip Ernst Taron
-
Patent number: 8621628
Abstract: In one embodiment, a malware protection system may protect a computing system from a malware event. A data storage device 150 may store a watchdog filter driver 240 integrated with an operating system kernel 210. A processor 120 may intercept a process access to an application process 220 with the watchdog filter driver 240 to detect a malware event. The processor 120 may use the watchdog filter driver 240 to determine an originating process for the malware event.
Type: Grant
Filed: February 25, 2010
Date of Patent: December 31, 2013
Assignee: Microsoft Corporation
Inventors: Eli Zeitlin, Arnon Axelrod, Anil Francis Thomas, Kanwaljit Marok
-
Publication number: 20130332988
Abstract: Techniques for aggregating a knowledge base of a plurality of security services or other event collection systems to protect a computer from malware are provided. In embodiments, a computer is protected from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware. A determination is made as to whether a combination of the suspicious events is indicative of malware. If the combination of suspicious events is indicative of malware, a restrictive security policy designed to prevent the spread of malware is implemented.
Type: Application
Filed: August 14, 2013
Publication date: December 12, 2013
Inventors: Anil Francis Thomas, Michael Kramer, Mihai Costea, Efim Hudis, Pradeep Bahl, Rajesh K. Dadhia, Yigal Edery
-
Patent number: 8516583
Abstract: In accordance with the present invention, a system, method, and computer-readable medium for aggregating the knowledge base of a plurality of security services or other event collection systems to protect a computer from malware is provided. One aspect of the present invention is a method that proactively protects a computer from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware; determining if the suspicious events satisfy a predetermined threshold; and if the suspicious events satisfy the predetermined threshold, implementing a restrictive security policy designed to prevent the spread of malware.
Type: Grant
Filed: March 31, 2005
Date of Patent: August 20, 2013
Assignee: Microsoft Corporation
Inventors: Anil Francis Thomas, Michael Kramer, Mihai Costea, Efim Hudis, Pradeep Bahl, Rajesh K Dadhia, Yigal Edery
-
Patent number: 8417962
Abstract: Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.
Type: Grant
Filed: June 11, 2010
Date of Patent: April 9, 2013
Assignee: Microsoft Corporation
Inventors: Mark F. Novak, Robert Karl Spiger, Stefan Thom, David J. Linsley, Scott A. Field, Anil Francis Thomas
-
Publication number: 20130086683
Abstract: Techniques are described herein that are capable of selectively scanning objects for infection by malware (i.e., to determine whether one or more of the objects are infected by malware). For instance, metadata that is associated with the objects may be reviewed to determine whether update(s) have been made with regard to the objects since a determination was made that the objects were not infected by malware. An update may involve increasing a number of the objects, modifying one of the objects, etc. Objects that have been updated (e.g., added and/or modified) since the determination may be scanned. Objects that have not been updated since the determination need not necessarily be scanned. For instance, an allowance may be made to perform operations with respect to the objects that have not been updated since the determination without first scanning the objects for infection by malware.
Type: Application
Filed: September 29, 2011
Publication date: April 4, 2013
Applicant: MICROSOFT CORPORATION
Inventors: Anil Francis Thomas, Adrian M. Marinescu, Ajith Kumar, Jonathan M. Keller, Omer Ben Bassat
-
Publication number: 20120323829
Abstract: A reliable automated malware classification approach with substantially low false positive rates is provided. Graph-based local and/or global file relationships are used to improve malware classification along with a feature selection algorithm. File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.
Type: Application
Filed: June 17, 2011
Publication date: December 20, 2012
Applicant: MICROSOFT CORPORATION
Inventors: Jack W. Stokes, Nikos Karampatziakis, John C. Platt, Anil Francis Thomas, Adrian M. Marinescu
-
Publication number: 20120317644
Abstract: The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to antimalware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.
Type: Application
Filed: June 9, 2011
Publication date: December 13, 2012
Applicant: MICROSOFT CORPORATION
Inventors: Ajith Kumar, Timothy Jon Fraser, Adrian M. Marinescu, Marc E. Seinfeld, Jack Wilson Stokes, III, Anil Francis Thomas
-
Publication number: 20120297488
Abstract: The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of network traffic, injection of a process, running of script, and/or writing system registry data. Telemetry data and/or a sample of the file may be sent to an antimalware service, and malware remediation may be performed. Data (e.g., the collected events) may be distributed to other nodes for use in antimalware detection, e.g., to block execution of a similar file.
Type: Application
Filed: June 16, 2011
Publication date: November 22, 2012
Applicant: MICROSOFT CORPORATION
Inventors: Vishal Kapoor, Jonathan Mark Keller, Ajith Kumar, Adrian M. Marinescu, Marc E. Seinfeld, Anil Francis Thomas, Michael Sean Jarrett, Joseph J. Johnson, Joseph L. Faulhaber
-
Publication number: 20120144489
Abstract: The subject disclosure is directed towards protecting virtual machines on guest partitions from malware in a resource-efficient manner. Antimalware software is divided into lightweight agents that run on each malware-protected guest partition, a shared scanning and signature update mechanism, and a management component. Each agent provides the scanning mechanism with files to scan for malware, such as by running a script, and receives results from the scanning mechanism including possible remediation actions to perform. The management component provides the scanning mechanism with access to virtual machine services, such as to pause, resume, snapshot and rollback guest partitions as requested by the scanning mechanism.
Type: Application
Filed: December 7, 2010
Publication date: June 7, 2012
Applicant: Microsoft Corporation
Inventors: Michael Sean Jarrett, Joseph Jared Johnson, Vishal Kapoor, Anil Francis Thomas, Eugene John Neystadt, Dennis Scott Batchelder
-
Patent number: 8161557
Abstract: In accordance with this invention, a system, method, and computer-readable medium that selectively scans files stored on a computing device for malware is provided. One aspect of the present invention includes identifying files that need to be scanned for malware when a software update that includes a malware signature is received. More specifically, attributes of the new malware are identified by searching metadata associated with the malware. Then, the method searches a scan cache and determines whether each file with an entry in the scan cache is the type that may be infected by the malware. If a file is the type that may be infected by the malware, the file is scanned for malware when a scanning event such as an I/O request occurs. Conversely, if the file is not the type that may be infected by the malware, the file may be accessed without a scan being performed.
Type: Grant
Filed: November 18, 2010
Date of Patent: April 17, 2012
Assignee: Microsoft Corporation
Inventors: Mihai Costea, Adrian M. Marinescu, Anil Francis Thomas
-
Publication number: 20110307711
Abstract: Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.
Type: Application
Filed: June 11, 2010
Publication date: December 15, 2011
Applicant: MICROSOFT CORPORATION
Inventors: Mark F. Novak, Robert Karl Spiger, Stefan Thom, David J. Linsley, Scott A. Field, Anil Francis Thomas
-
Publication number: 20110209219
Abstract: In one embodiment, a malware protection system may protect a computing system from a malware event. A data storage device 150 may store a watchdog filter driver 240 integrated with an operating system kernel 210. A processor 120 may intercept a process access to an application process 220 with the watchdog filter driver 240 to detect a malware event. The processor 120 may use the watchdog filter driver 240 to determine an originating process for the malware event.
Type: Application
Filed: February 25, 2010
Publication date: August 25, 2011
Applicant: MICROSOFT CORPORATION
Inventors: Eli Zeitlin, Arnon Axelrod, Anil Francis Thomas, Kanwaljit Marok