| CPC G06F 21/566 (2013.01) [G06F 2221/033 (2013.01); G06F 2221/034 (2013.01)] | 23 Claims |

|
1. A computer system comprising at least one hardware processor configured to execute an entity map manager and a malware detection engine connected to the entity map manager, wherein:
the entity map manager is configured to construct entity maps specifying groups of inter-related software entities, and further configured to:
in response to a reboot of the computer system and in response to an attempt by a worker entity currently executing on the computer system to access a resource entity stored on a nonvolatile storage device of the computer system, selectively retrieve an entity map from a map repository according to whether the entity map includes a specification of the resource entity, and
update the entity map by adding a specification of the worker entity to the entity map, wherein the entity map further includes a specification of another worker entity having executed on the computer system prior to the reboot and a specification of a relation between the other worker entity and the resource entity; and
the malware detection engine is configured to determine whether the computer system comprises malicious software according to the updated entity map.
|
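The mechanism recited in claim 1, as an added illustration that is not taken from the patent or any implementation of it: an entity map kept in a persistent repository lets a worker seen after a reboot be tied to a worker that touched the same on-disk resource before it. The JSON-file repository, the `boot_id` field, the relation names, the sample file names and the write-then-execute heuristic are all assumptions made for this sketch.

```python
import json, os, tempfile

class MapRepository:
    """Assumed persistent map repository: one JSON file that survives reboots."""
    def __init__(self, path):
        self.path = path
    def load(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path) as f:
            return json.load(f)
    def save(self, maps):
        with open(self.path, "w") as f:
            json.dump(maps, f)

class EntityMapManager:
    def __init__(self, repo, boot_id):
        self.repo, self.boot_id = repo, boot_id   # no in-memory state across boots
    def on_access(self, worker, relation, resource):
        maps = self.repo.load()
        # Selective retrieval: pick the map that already specifies this resource.
        emap = next((m for m in maps if resource in m["resources"]), None)
        if emap is None:
            emap = {"workers": [], "resources": [resource], "relations": []}
            maps.append(emap)
        if worker not in emap["workers"]:
            emap["workers"].append(worker)        # update map with the new worker
        emap["relations"].append([self.boot_id, worker, relation, resource])
        self.repo.save(maps)
        return emap

def is_suspicious(emap):
    """Assumed heuristic: a resource written by one worker in an earlier boot
    is executed by a different worker in a later boot."""
    rels = emap["relations"]
    writes = [(b, w, r) for b, w, rel, r in rels if rel == "write"]
    execs = [(b, w, r) for b, w, rel, r in rels if rel == "execute"]
    return any(r1 == r2 and w1 != w2 and b1 < b2
               for b1, w1, r1 in writes for b2, w2, r2 in execs)

def demo():
    repo = MapRepository(os.path.join(tempfile.mkdtemp(), "maps.json"))
    res = "C:/ProgramData/task.dll"               # constructed sample names
    m1 = EntityMapManager(repo, boot_id=1).on_access("installer.exe", "write", res)
    # "Reboot": a fresh manager whose only knowledge is the repository on disk.
    m2 = EntityMapManager(repo, boot_id=2).on_access("svchost.exe", "execute", res)
    return is_suspicious(m1), m2["workers"], is_suspicious(m2)
```

The verdict changes only after the post-reboot access, because the pre-reboot worker and its relation to the resource are recovered from the repository rather than from process state.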