US 12,008,103 B2
Method and apparatus for detecting malware via analysis of a screen capture
Hardik Shah, Bangalore (IN)
Assigned to McAfee, LLC, San Jose, CA (US)
Filed by McAfee, LLC, San Jose, CA (US)
Filed on Oct. 20, 2022, as Appl. No. 17/970,404.
Application 17/970,404 is a continuation of application No. 17/018,916, filed on Sep. 11, 2020, granted, now 11,514,161.
Prior Publication US 2023/0041274 A1, Feb. 9, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/54 (2013.01); G06F 11/32 (2006.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/564 (2013.01) [G06F 11/327 (2013.01); G06F 21/54 (2013.01); G06F 21/554 (2013.01); G06F 21/565 (2013.01)]
17 Claims
 
1. An apparatus comprising:
at least one memory;
instructions; and
processor circuitry to execute the instructions to:
determine whether an identifier of a detected process is included in a list of processes capable of executing a macro;
capture, after the execution of the process is detected and the determination that the identifier of the process is included in the list of processes, a portion of a screen buffer as a captured image;
analyze the captured image to determine an image similarity to a stored image in a database, the database to at least store images of malicious user interfaces;
perform a responsive action to prevent a user from enabling the macro when the image similarity satisfies a first similarity threshold;
perform character recognition to identify text in the captured image when the image similarity does not satisfy the first similarity threshold;
analyze the identified text to determine a text similarity to text in the database, the database to at least store text corresponding to a malicious macro; and
perform the responsive action when the text similarity satisfies a second similarity threshold.
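The decision flow recited in claim 1, sketched as an added example; it is not code from the patent or from McAfee. The process list, both threshold values, the average-hash and difflib similarity measures, and the sample data are assumptions, and the OCR step is passed in as a function so the sketch runs offline.

```python
from difflib import SequenceMatcher

# All names, thresholds and sample data below are constructed for illustration.
MACRO_CAPABLE = {"winword.exe", "excel.exe", "powerpnt.exe"}
IMAGE_THRESHOLD = 0.90   # "first similarity threshold" (assumed value)
TEXT_THRESHOLD = 0.60    # "second similarity threshold" (assumed value)

def average_hash(pixels):
    """Bit list: 1 where a grayscale pixel is brighter than the image mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return [1 if p > mean else 0 for p in flat]

def image_similarity(a, b):
    """Fraction of matching hash bits between two same-sized grayscale grids."""
    ha, hb = average_hash(a), average_hash(b)
    return sum(x == y for x, y in zip(ha, hb)) / len(ha)

def text_similarity(a, b):
    """Whitespace- and case-insensitive ratio in [0, 1]."""
    norm = lambda s: " ".join(s.lower().split())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()

def evaluate(process_name, captured, ocr, known_images, known_texts):
    """Return the decision for one detected process and its captured image."""
    if process_name.lower() not in MACRO_CAPABLE:
        return "ignore"                      # process not on the list: no analysis
    if any(image_similarity(captured, k) >= IMAGE_THRESHOLD for k in known_images):
        return "block:image"                 # responsive action on image match
    text = ocr(captured)                     # OCR runs only after the image stage misses
    if any(text_similarity(text, k) >= TEXT_THRESHOLD for k in known_texts):
        return "block:text"                  # responsive action on text match
    return "allow"

# Constructed 4x4 grayscale "screens" and lure text standing in for the database.
LURE = [[255, 255, 0, 0], [255, 255, 0, 0], [0, 0, 255, 255], [0, 0, 255, 255]]
RESTYLED = [[0, 255, 0, 255], [255, 0, 255, 0], [0, 255, 0, 255], [255, 0, 255, 0]]
KNOWN_TEXT = ["this document is protected. click enable content to view"]
```

The `RESTYLED` grid shares only half its hash bits with `LURE`, so it falls through the image stage and is decided by the recognized text instead.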