Patents by Inventor Michael Burtscher

Michael Burtscher has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250245318
    Abstract: Techniques are provided for an isolated test environment for ransomware analysis. One or more enterprise applications are assigned to one or more server systems to be provisioned in an isolated test environment. An enterprise replica is generated in the isolated test environment by provisioning the one or more server systems and deploying the one or more enterprise applications on the one or more server systems. A kernel monitoring component is deployed on the one or more server systems in the isolated test environment. The kernel monitoring component is configured to generate kernel telemetry data for a plurality of system calls initiated by processes executing on the one or more server systems. A selected ransomware variant is deployed in the isolated test environment. An effect of the selected ransomware variant on the enterprise replica is determined based on analyzing the kernel telemetry data.
    Type: Application
    Filed: January 29, 2025
    Publication date: July 31, 2025
    Applicant: Mimic Networks, Inc.
    Inventors: Iain Donaldson, Scott Young, Timothy Worsley, Michael Burtscher, Chi Zhang, Kirby Kuehl, Carl Schroeder, Adam Woodbeck
  • Publication number: 20250245328
    Abstract: Techniques are provided for ransomware defense and analysis based on kernel telemetry data. System calls initiated by processes executing on a computer system are monitored. Kernel telemetry data is generated for a plurality of system calls, the kernel telemetry data associating, for each system call of the plurality of system calls, a process invoking the system call, an operation type of the system call, and a target of the system call. The kernel telemetry data is analyzed. Based on analyzing the kernel telemetry data, it is determined that a particular process executed under control of a ransomware agent. In response to determining that the particular process executed under the control of the ransomware agent, one or more response measures are initiated.
    Type: Application
    Filed: January 29, 2025
    Publication date: July 31, 2025
    Applicant: Mimic Networks, Inc.
    Inventors: Michael Burtscher, Chi Zhang, Kirby Kuehl, Scott Young, Carl Schroeder, Timothy Worsley, Adam Woodbeck
  • Patent number: 8943590
    Abstract: Systems, methods and non-transitory, tangible computer readable storage mediums encoded with processor readable instructions to scan files for malware are disclosed. An exemplary method includes writing, via a communication pathway, a first file to a storage medium that is utilized by the computer, requesting access to the first file so as to enable the first file to be scanned for malware, and delaying, when the first file resides on the storage medium, access to the first file while there is at least one I/O operation relative to the storage medium that has a higher priority level than a priority level of the request to access the first file. In addition, except to enable the first file to be scanned for malware, access to the first file is prevented until the first file has been scanned for malware.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: January 27, 2015
    Assignee: Webroot Inc.
    Inventor: Michael Burtscher
  • Patent number: 8578495
    Abstract: A system and method for analyzing executable files on a computer is described. The method in one embodiment includes initiating, with an operating system of the computer, execution of a loader-process; loading, using the loader-process, code of a first executable file into an executable-memory of the computer; and executing the code of the first executable file, wherein the code of the first executable file unpacks other packed-code to generate unpacked code. In addition, the loader-process executes the unpacked code and stops execution of the unpacked code in response to the unpacked code attempting to make a potentially dangerous system call. The unpacked code is analyzed, in response to the unpacked code attempting to make the potentially dangerous system call, to assess whether the first executable file is a pestware file.
    Type: Grant
    Filed: July 26, 2006
    Date of Patent: November 5, 2013
    Assignee: Webroot Inc.
    Inventor: Michael Burtscher
  • Patent number: 8452744
    Abstract: Systems and methods for scanning files for pestware on a protected computer are described. In one variation, when a file on a storage device is inaccessible via an operating system of the protected computer, a listing of a plurality of pointers for the file is located on the storage device. Each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations. One or more of the plurality of portions for the data are accessed and analyzed, while the operating system continues to limit access to the file via the operating system, so as to determine whether the file is a pestware file.
    Type: Grant
    Filed: June 6, 2005
    Date of Patent: May 28, 2013
    Assignee: Webroot Inc.
    Inventors: Tony Nichols, Michael Burtscher
  • Patent number: 8171550
    Abstract: A system and method for defining and detecting pestware is described. In one embodiment, a pestware file is received and at least a portion of the pestware file is placed into a processor-readable memory. A plurality of execution paths within code of the pestware file are followed and for each of a plurality of selected function calls within the execution paths of the pestware file, at least one parameter from each of the function calls is retrieved so as to obtain a plurality of parameters. A representation of each of the parameters is then stored in a processor-readable pestware-definition file, which is sent to a plurality of client devices.
    Type: Grant
    Filed: August 7, 2006
    Date of Patent: May 1, 2012
    Assignee: Webroot Inc.
    Inventor: Michael Burtscher
  • Patent number: 8065664
    Abstract: A system and method for defining and detecting pestware is described. One embodiment includes receiving a file and placing at least a portion of the file into a processor-readable memory of a computer. A plurality of execution paths within code of the pestware file are followed and particular instructions within the execution paths are identified. A representation of the relative locations of each of the particular instructions within the code of the file are compared against a pestware-definition file so as to determine whether the file is a potential pestware file.
    Type: Grant
    Filed: August 7, 2006
    Date of Patent: November 22, 2011
    Assignee: Webroot Software, Inc.
    Inventor: Michael Burtscher
  • Publication number: 20110239298
    Abstract: Systems, methods and non-transitory, tangible computer readable storage mediums encoded with processor readable instructions to scan files for malware are disclosed. An exemplary method includes writing, via a communication pathway, a first file to a storage medium that is utilized by the computer, requesting access to the first file so as to enable the first file to be scanned for malware, and delaying, when the first file resides on the storage medium, access to the first file while there is at least one I/O operation relative to the storage medium that has a higher priority level than a priority level of the request to access the first file. In addition, except to enable the first file to be scanned for malware, access to the first file is prevented until the first file has been scanned for malware.
    Type: Application
    Filed: March 25, 2010
    Publication date: September 29, 2011
    Applicant: WEBROOT SOFTWARE, INC.
    Inventor: Michael Burtscher
  • Publication number: 20100115619
    Abstract: A method and system for scanning a computer storage device for malware is described. One embodiment keeps track of which portion or portions of each of a plurality of files on a computer storage device are requested for analysis by an anti-malware engine during a first scan of the computer storage device for malware; prefetches, during a second scan of the computer storage device for malware, the portion or portions of each of at least a subset of the plurality of files that were requested by the anti-malware engine during the first scan, the prefetched data being supplied to the anti-malware engine for analysis as requested; and takes corrective action responsive to the results of at least one of the first and second scans.
    Type: Application
    Filed: November 3, 2008
    Publication date: May 6, 2010
    Inventor: Michael Burtscher
  • Patent number: 7565695
    Abstract: Systems and methods for scanning files for pestware on a protected computer are described. In one variation, locations of each of a plurality of files in a file storage device of the protected computer are identified while substantially circumventing an operating system of the protected computer. Information from each of the plurality of files is retrieved and analyzed so as to determine whether any of the plurality of files are potential pestware files. In variations, the operating system is circumvented while the information from each of the plurality of files is retrieved. In other variations, before information is retrieved from each of the plurality of files, a listing of the plurality of files is sorted according to the locations of the files on the storage device so as to reduce, even further, the time required to access the plurality of files.
    Type: Grant
    Filed: April 12, 2005
    Date of Patent: July 21, 2009
    Assignee: Webroot Software, Inc.
    Inventor: Michael Burtscher
  • Publication number: 20090094698
    Abstract: A method and system for efficiently scanning a computer storage volume for pestware is described. One embodiment determines whether a file on the storage device has been modified since it was last scanned for pestware; includes the file in a set of files to be scanned for pestware when it is determined that the file has been modified since it was last scanned for pestware; omits the file from the set of files to be scanned for pestware when it is determined that the file has not been modified since it was last scanned for pestware; scans the files in the set of files for pestware; and reports results of the pestware scan to a user.
    Type: Application
    Filed: October 9, 2007
    Publication date: April 9, 2009
    Inventors: Anthony Lynn Nichols, Michael Burtscher
  • Publication number: 20080281772
    Abstract: Systems and methods for managing access to a file storage device are described. One embodiment is configured to initially allow an anti-pestware process to access the file storage device, and then in response to identifying a process, other than the anti-pestware process, attempting to access the file storage device while the anti-pestware process is accessing the storage device, ceasing to allow the anti-pestware process to access the storage device during an interrupt period. In this embodiment, the interrupt period is limited so as to allow the anti-pestware process to access the storage device of the computer even if the at least one process continues to attempt to access the storage device. In variations, the interrupt period is extended one or more times in response to one or more processes other than the anti-pestware process attempting to access the file storage device.
    Type: Application
    Filed: November 30, 2005
    Publication date: November 13, 2008
    Applicant: Webroot Software, Inc.
    Inventor: Michael Burtscher
  • Patent number: 7346611
    Abstract: Systems and methods for managing multiple related pestware processes on a protected computer are described. One embodiment is configured to identify a location of each of a plurality of files in at least one file storage device of the protected computer and store a list of the location of each of the plurality of files. The list of the plurality of files is then sorted so as to generate a sorted list. Each of the plurality of files is then sequentially accessed as listed in the sorted list so as to retrieve information from each of the plurality of files. Information from the plurality of files is then analyzed to determine whether any of the plurality of files are potential pestware files. In variations, the files in the file storage device are enumerated, and information from the files is accessed, by circumventing the operating system of the protected computer.
    Type: Grant
    Filed: April 12, 2005
    Date of Patent: March 18, 2008
    Assignee: Webroot Software, Inc.
    Inventor: Michael Burtscher
  • Publication number: 20080052679
    Abstract: A system and method for defining and detecting pestware is described. One embodiment includes receiving a file and placing at least a portion of the file into a processor-readable memory of a computer. A plurality of execution paths within code of the pestware file are followed and particular instructions within the execution paths are identified. A representation of the relative locations of each of the particular instructions within the code of the file are compared against a pestware-definition file so as to determine whether the file is a potential pestware file.
    Type: Application
    Filed: August 7, 2006
    Publication date: February 28, 2008
    Inventor: Michael Burtscher
  • Publication number: 20080034430
    Abstract: A system and method for defining and detecting pestware is described. In one embodiment, a pestware file is received and at least a portion of the pestware file is placed into a processor-readable memory. A plurality of execution paths within code of the pestware file are followed and for each of a plurality of selected function calls within the execution paths of the pestware file, at least one parameter from each of the function calls is retrieved so as to obtain a plurality of parameters. A representation of each of the parameters is then stored in a processor-readable pestware-definition file, which is sent to a plurality of client devices.
    Type: Application
    Filed: August 7, 2006
    Publication date: February 7, 2008
    Inventor: Michael Burtscher
  • Publication number: 20080028388
    Abstract: A system and method for analyzing executable files on a computer is described. The method in one embodiment includes initiating, with an operating system of the computer, execution of a loader-process; loading, using the loader-process, code of a first executable file into an executable-memory of the computer; and executing the code of the first executable file, wherein the code of the first executable file unpacks other packed-code to generate unpacked code. In addition, the loader-process executes the unpacked code and stops execution of the unpacked code in response to the unpacked code attempting to make a potentially dangerous system call. The unpacked code is analyzed, in response to the unpacked code attempting to make the potentially dangerous system call, to assess whether the first executable file is a pestware file.
    Type: Application
    Filed: July 26, 2006
    Publication date: January 31, 2008
    Inventor: Michael Burtscher
  • Publication number: 20080028466
    Abstract: A system and method for scanning files on a computer-readable storage medium is described. In one embodiment the method includes retrieving a first piece of information from a first file located at a first portion of the computer-readable storage medium and caching the first piece of information from the first file before retrieving information from a second stored file located at a second portion of the computer-readable storage medium. In addition, a second piece of information from the first file located at a third portion of the computer readable medium is retrieved and analyzed to determine whether the first file is a potential pestware file.
    Type: Application
    Filed: July 26, 2006
    Publication date: January 31, 2008
    Inventor: Michael Burtscher
  • Publication number: 20080028462
    Abstract: A system and method for analyzing files on a computer is described. In one embodiment the system includes a loader module configured to sequentially receive code from a plurality of files stored on a computer-readable medium and initiate execution of the code in a process space of the loader module. In addition, the loader module is configured to stop execution of the code in response to the code attempting to carry out particular instructions while executing. The system also includes a detection module configured to analyze the code from each of the plurality of files after the code is loaded by the loader module.
    Type: Application
    Filed: July 26, 2006
    Publication date: January 31, 2008
    Inventor: Michael Burtscher
  • Publication number: 20070203884
    Abstract: A system and method for gathering information about files stored is described. In one embodiment the method includes identifying a starting location of a file table of the data storage device. The file table includes an entry for the file table and entries for other files stored on the data storage device. The method also includes accessing a data attribute within the entry for the file table, which includes pointers to other locations where portions of the file table are stored on the data storage device. The pointers to the other locations are utilized to locate an entry in the file table for each of the other files, and attribute information for at least one attribute of each of the other files is retrieved from the entries for the other files.
    Type: Application
    Filed: February 28, 2006
    Publication date: August 30, 2007
    Inventors: Tony Nichols, Michael Burtscher
  • Publication number: 20070124267
    Abstract: Systems and methods for scanning files for pestware on a protected computer are described. In one variation, locations of each of a plurality of files in a file storage device of the protected computer are identified while substantially circumventing an operating system of the protected computer. Information from each of the plurality of files is retrieved and analyzed so as to determine whether any of the plurality of files are potential pestware files. In variations, the operating system is circumvented while the information from each of the plurality of files is retrieved. In other variations, before information is retrieved from each of the plurality of files, a listing of the plurality of files is sorted according to the locations of the files on the storage device so as to reduce, even further, the time required to access the plurality of files.
    Type: Application
    Filed: November 30, 2005
    Publication date: May 31, 2007
    Inventor: Michael Burtscher