Vishal Kapoor

The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning… Show more

The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online. Show less

Systems, methods and apparatus for automatically identifying a version of a file that is expected to be present on a computer system and for automatically replacing a potentially corrupted copy of the file with a clean (or undamaged) copy of the expected version. Upon identifying a file on the computer system as being potentially corrupted, a clean file agent may perform an analysis based on the identity of the file and one or more other properties of the system to determine the version of the… Show more

Systems, methods and apparatus for automatically identifying a version of a file that is expected to be present on a computer system and for automatically replacing a potentially corrupted copy of the file with a clean (or undamaged) copy of the expected version. Upon identifying a file on the computer system as being potentially corrupted, a clean file agent may perform an analysis based on the identity of the file and one or more other properties of the system to determine the version of the file that is expected to be present on the system. Once the expected version is identified, a clean replacement copy of the file may be obtained from a clean file repository by submitting a version identifier of the expected version. The version identifier may be a hash value, which may additionally be used to verify integrity of the clean copy.

Show less

The subject disclosure is directed towards protecting virtual machines on guest partitions from malware in a resource-efficient manner. Antimalware software is divided into lightweight agents that run on each malware-protected guest partition, a shared scanning and signature update mechanism, and a management component. Each agent provides the scanning mechanism with files to scan for malware, such as by running a script, and receives results from the scanning mechanism including possible… Show more

The subject disclosure is directed towards protecting virtual machines on guest partitions from malware in a resource-efficient manner. Antimalware software is divided into lightweight agents that run on each malware-protected guest partition, a shared scanning and signature update mechanism, and a management component. Each agent provides the scanning mechanism with files to scan for malware, such as by running a script, and receives results from the scanning mechanism including possible remediation actions to perform. The management component provides the scanning mechanism with access to virtual machine services, such as to pause, resume, snapshot and rollback guest partitions as requested by the scanning mechanism.
Show less

A system is described for remediating a malicious modern application installed on an end user device. In an embodiment, the system includes an antimalware program executing on the end user device that can detect and attempt to remediate the malicious modern application, an operating system executing on the end user device that is configured to interact with the antimalware program for the purpose of facilitating the establishment of a connection between the end user device and an application… Show more

A system is described for remediating a malicious modern application installed on an end user device. In an embodiment, the system includes an antimalware program executing on the end user device that can detect and attempt to remediate the malicious modern application, an operating system executing on the end user device that is configured to interact with the antimalware program for the purpose of facilitating the establishment of a connection between the end user device and an application support system in response to determining that the antimalware program has detected and attempted to remediate the malicious modern application, and the application support system that can perform remediation operations beyond those that can be performed by the antimalware program.
Show less

The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of… Show more

The subject disclosure is directed towards detecting malware or possible malware in an input file by allowing the input file to be opened, and by monitoring for one or more behaviors corresponding to the open file that likely indicate malware. Only certain executable files and/or file types opened thereby may be monitored, with various collected event data used for antimalware purposes when improper behavior is observed. Example behaviors include writing of a file to storage, generation of network traffic, injection of a process, running of script, and/or writing system registry data. Telemetry data and/or a sample of the file may be sent to an antimalware service, and malware remediation may be performed. Data (e.g., the collected events) may be distributed to other nodes for use in antimalware detection, e.g., to block execution of a similar file.
Show less

An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware… Show more

An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware system dynamically determines which of the available malware detection signatures and classes of signatures are relevant and should be provided to a machine based on available information. The malware detection signatures are obtained and loaded automatically from one or more sources when a threat becomes relevant. A program or application may be blocked from accessing files until the relevant malware detection signatures have been loaded onto the machine.
Show less

A system is described for remediating a malicious modern application installed on an end user device. In an embodiment, the system includes an antimalware program executing on the end user device that can detect and attempt to remediate the malicious modern application, an operating system executing on the end user device that is configured to interact with the antimalware program for the purpose of facilitating the establishment of a connection between the end user device and an application… Show more

A system is described for remediating a malicious modern application installed on an end user device. In an embodiment, the system includes an antimalware program executing on the end user device that can detect and attempt to remediate the malicious modern application, an operating system executing on the end user device that is configured to interact with the antimalware program for the purpose of facilitating the establishment of a connection between the end user device and an application support system in response to determining that the antimalware program has detected and attempted to remediate the malicious modern application, and the application support system that can perform remediation operations beyond those that can be performed by the antimalware program.
Show less

The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning… Show more

The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online.
Show less