CPC G06F 21/566 (2013.01) [G06F 21/554 (2013.01); G06F 21/565 (2013.01); G06F 2221/034 (2013.01)]
14 Claims

1. A method for protecting a computer system coupled to a storage device, comprising:
specifying one or more original file extensions that are applied in naming files that store documents, spreadsheets, or images;
detecting an executing process that performed a specific type of modification to a number of files stored on the storage device, wherein the specific type of modification includes renaming respective file extensions of the files having one of the specified original file extensions from the one of the specified original file extensions to a new file extension;
comparing, by a processor, the detected number of files to a specified threshold; and
initiating, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold,
wherein initiating the preventive action comprises identifying a causality chain for the executing process by analyzing a context of a thread of the executing process that was found to be malicious, applying the analyzed context to identify additional malicious threads in the causality chain, and applying the preventive action to all the identified threads in the causality chain.
6. An apparatus for protecting a computer system, comprising:
a storage device configured to store a plurality of files;
a memory; and
a processor configured:
to receive one or more specified original file extensions that are applied in naming files that store documents, spreadsheets, or images,
to detect, in the memory, an executing process that performed a specific type of modification to a number of files stored on the storage device, wherein the specific type of modification includes renaming respective file extensions of the files having one of the specified original file extensions from the one of the specified original file extensions to a new file extension,
to compare the detected number of files to a specified threshold; and
to initiate, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold,
wherein the processor is configured to initiate the preventive action by identifying a causality chain for the executing process by analyzing a context of a thread of the executing process that was found to be malicious, applying the analyzed context to identify additional malicious threads in the causality chain, and applying the preventive action to all the identified threads in the causality chain.
11. A computer software product for protecting a computing system, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
to receive one or more specified original file extensions that are applied in naming files that store documents, spreadsheets, or images;
to detect an executing process that performed a specific type of modification to a number of files stored on a storage device, wherein the specific type of modification includes renaming respective file extensions of the files having one of the specified original file extensions from the one of the specified original file extensions to a new file extension;
to compare the detected number of files to a specified threshold; and
to initiate, on the executing process, a preventive action in response to determining that the detected number exceeds the specified threshold,
wherein the instructions cause the computer to initiate the preventive action by identifying a causality chain for the executing process by analyzing a context of a thread of the executing process that was found to be malicious, applying the analyzed context to identify additional malicious threads in the causality chain, and applying the preventive action to all the identified threads in the causality chain.
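Claims 1, 6 and 11 describe one detection technique in three statutory forms (method, apparatus, program product): count, per executing process, the files whose protected original extension was renamed to a new extension, compare that count to a threshold, and on exceeding it apply the preventive action to the whole causality chain of threads rather than only the thread caught renaming. The following is an added worked example of that logic, written for this page; it is not code from the patent or its assignee. It assumes a constructed sensor event shape (pid, tid, old path, new path), an assumed protected-extension set and threshold, and a thread-creation relation as a stand-in for the "thread context" analysis the claims leave unspecified.

```python
"""Toy extension-rename detector in the spirit of the claims above (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import os

# Assumed configuration; the claims leave both values to the implementer.
ORIGINAL_EXTENSIONS = frozenset({".docx", ".xlsx", ".jpg"})
THRESHOLD = 3  # preventive action when the count of renamed files EXCEEDS this


@dataclass(frozen=True)
class RenameEvent:
    """One file-rename event as a minimal file-system sensor would report it (constructed shape)."""
    pid: int
    tid: int
    old_path: str
    new_path: str


def is_extension_swap(old_path, new_path, originals=ORIGINAL_EXTENSIONS):
    """True when a file with a protected original extension is renamed to a different extension."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return old_ext in originals and new_ext != old_ext


def count_swaps_per_process(events, originals=ORIGINAL_EXTENSIONS):
    """Map pid -> (number of distinct files swapped, thread ids that performed the swaps)."""
    files = defaultdict(set)
    threads = defaultdict(set)
    for ev in events:
        if is_extension_swap(ev.old_path, ev.new_path, originals):
            files[ev.pid].add(ev.old_path)
            threads[ev.pid].add(ev.tid)
    return {pid: (len(paths), frozenset(threads[pid])) for pid, paths in files.items()}


def causality_chain(tid, parent_of):
    """Walk the thread-creation relation both ways from `tid`.

    `parent_of` maps a thread id to the thread that created it (None for a root thread).
    The chain is every ancestor of `tid` plus every descendant of those ancestors, i.e. the
    whole creation tree `tid` belongs to. This is an assumed stand-in for the context
    analysis the claims describe, not the patent's own method.
    """
    chain, cur = set(), tid
    while cur is not None:           # ancestors, up to the root
        chain.add(cur)
        cur = parent_of.get(cur)
    children = defaultdict(set)
    for child, parent in parent_of.items():
        if parent is not None:
            children[parent].add(child)
    stack = list(chain)
    while stack:                     # descendants of everything already in the chain
        t = stack.pop()
        for c in children[t]:
            if c not in chain:
                chain.add(c)
                stack.append(c)
    return frozenset(chain)


def evaluate(events, parent_of, originals=ORIGINAL_EXTENSIONS, threshold=THRESHOLD):
    """Return {pid: frozenset(tids)} for each process whose swap count exceeds the threshold.

    The thread set is the union of the causality chains of the threads caught renaming,
    i.e. the set the preventive action (suspend, terminate, quarantine) would be applied to.
    """
    verdicts = {}
    for pid, (count, culprit_tids) in count_swaps_per_process(events, originals).items():
        if count > threshold:
            chain = set()
            for tid in culprit_tids:
                chain |= causality_chain(tid, parent_of)
            verdicts[pid] = frozenset(chain)
    return verdicts


# Constructed sample telemetry: pid 4242 swaps four protected files from thread 102, which was
# created by 101, created by main thread 100; thread 103 was also spawned from 100. pid 7 is a
# backup tool renaming a single .docx to .bak, which stays under the threshold.
SAMPLE_EVENTS = [
    RenameEvent(4242, 102, "/home/u/report.docx", "/home/u/report.docx.locked"),
    RenameEvent(4242, 102, "/home/u/budget.xlsx", "/home/u/budget.xlsx.locked"),
    RenameEvent(4242, 102, "/home/u/photo.jpg", "/home/u/photo.jpg.locked"),
    RenameEvent(4242, 102, "/home/u/memo.docx", "/home/u/memo.docx.locked"),
    RenameEvent(4242, 102, "/home/u/notes.txt", "/home/u/notes.txt.locked"),  # not a protected extension
    RenameEvent(7, 900, "/home/u/old.docx", "/home/u/old.docx.bak"),
]
SAMPLE_PARENT_OF = {100: None, 101: 100, 102: 101, 103: 100, 900: None}

if __name__ == "__main__":
    for pid, tids in evaluate(SAMPLE_EVENTS, SAMPLE_PARENT_OF).items():
        print(f"pid {pid}: apply preventive action to threads {sorted(tids)}")
```

Two design choices mirror the claim language: the count is over distinct files, not rename events, so a process that renames the same file repeatedly does not inflate its score, and the action set is the whole creation tree, so a worker thread spawned by the same parent as the renaming thread is covered even though it never touched a file.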