Information security – Monitoring or scanning of software or data including attack... – Vulnerability assessment
Reexamination Certificate
2007-05-08
2007-05-08
Moazzami, Nasser (Department: 2136)
Information security
Monitoring or scanning of software or data including attack...
Vulnerability assessment
C726S022000, C726S023000, C726S024000, C713S165000, C713S167000, C713S188000
Reexamination Certificate
active
10371945
ABSTRACT:
A kernel mode memory scanning driver for use in safely scanning loaded drivers in the memory of computer systems utilizing Windows® NT based operating systems, such as Windows® 2000, Windows® XP, and other operating systems utilizing the Windows® NT kernel base, for viruses. Prior to scanning the loaded drivers for viruses, the kernel mode memory scanning driver hooks a driver unload function of the operating system, and stalls any calls to the driver unload function to prevent the loaded drivers from being unloaded during scanning. After scanning is complete, any stalled calls to the driver unload function are released. In one embodiment, the kernel mode memory scanning driver is implemented as a Windows® NT 4.0 kernel mode memory scanning driver, and thus can be used on computer systems utilizing Windows® 2000 or Windows® NT without platform specific code.
REFERENCES:
patent: 5274819 (1993-12-01), Blomfield-Brown
patent: 5361359 (1994-11-01), Tajalli et al.
patent: 5398196 (1995-03-01), Chambers
patent: 5822517 (1998-10-01), Dotan
patent: 7028305 (2006-04-01), Schaefer
patent: 7085928 (2006-08-01), Schmid et al.
Danseglio, D., ‘Why rootkits mean you must nuke your machine’, CNET Networks, 2005, entire document, http://www.zdnet.co.uk/misc/print/0,1000000169,39237277-39001093c,00.htm.
Finnegan, J., ‘Pop Open a Privileged Set of APIs with Windows NT Kernel Mode Drivers’, Microsoft Corp., Microsoft Systems Journal, Mar. 1998, entire article, http://www.microsoft.com/MSJ/0398/driver.aspx.
Szor, P., “Attacks on WIN32”, Virus Bulletin Conference, Oct. 1998, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 57-84.
Szor, P., “Memory Scanning Under Windows NT”, Virus Bulletin Conference, Sep. 1999, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 1-22.
Szor, P., “Attacks on WIN32-Part II”, Virus Bulletin Conference, Sep. 2000, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 47-68.
Chien, E. and Szor, P., “Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques In Computer Viruses”, Virus Bulletin Conference, Sep. 2002, Virus Bulletin Ltd., The Pentagon, Abingdon, Oxfordshire, England, pp. 1-36.
Buysse, J., “Virtual Memory: Window NT® Implementation”, pp. 1-15 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet:<URL:http://people.msoe.edu/˜barnicks/courses/cs384/papers19992000/buyssej-Term.pdf>.
Dabak, P., Borate, M. and Phadke, S., “Hooking Windows NT System Services”, pp. 1-8 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet:<URL:http://www.windowsitlibrary.com/Content/356/06/2.html>.
Fedotov, A., “Paging Files Sample”, Alex Fedotov.com, pp. 1-2 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet:<URL:http://www.alexfedotov.com/samples/pagefile.asp>.
“How Entercept Protects: System Call Interception”pp. 1-2 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet:<URL:http://www.entercept.com/products/technology/kernelmode.asp>. No author provided.
“How Entercept Protects: System Call Interception”, p. 1 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet:<URL:http://www.entercept.com/products/technology/interception.asp>. No author provided.
Kath, R., “The Virtual-Memory Manager in Windows NT”, pp. 1-11 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet:<URL:http://msdn.microsoft.com/library/en-us/dngenlib/html/msdn—ntvmm.asp?frame=true>.
Szor, P. and Kaspersky, E., “The Evolution of 32-Bit Windows Viruses”, Windows & .NET Magazine, pp. 1-4 [online]. Retrieved on Apr. 16, 2003. Retrieved from the Internet:<URL:http://www.winnetmag.com/Articles/Print.cfm?ArticleID=8773>.
Baum Ronald
Gunnison McKay & Hodgson, L.L.P.
Moazzami Nasser
Norris Lisa A.
Symantec Corporation
LandOfFree
Safe memory scanning does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Safe memory scanning, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Safe memory scanning will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3789427