With Internet use forming an ever greater part of day-to-day life, security exploits that steal or destroy system resources, data, and private information are an increasing problem. Governments and businesses devote significant resources to preventing intrusions and thefts related to these security exploits. Security exploits, sometimes referred to as “malware,” come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. These exploits are delivered in or through a number of mechanisms, such as spear-phishing emails, clickable links, documents, files, executables, or archives. Some of the threats posed by security exploits are of such significance that they are described as cyber terrorism or industrial espionage.
To aid in countering such threats, anti-virus software can employ a user-mode component to scan files and perform a security action with respect to a malicious file when malware is detected. For example, when a user tries to open a malicious file, the anti-virus software may prevent the file from being opened by blocking the process that attempts to open it. In this situation, a notification can be provided to the user in order to inform the user that a security action was taken (e.g., a notification that a file access request was blocked in order to protect system resources). Existing techniques for providing such user notifications come with several problems.
For example, existing techniques for providing user notifications can create high overhead in terms of the amount of system resources consumed on a monitored device. For instance, vendors of anti-virus software may write code to create a user-mode process (e.g., a notify.exe process) that is to run inside a user session when a security action has been performed with respect to a detected malicious file. This user-mode process may cause a pop-up notification to be displayed in the context of the user session. This technique creates a user-mode process for every security action performed by the anti-virus software, which can stress resources on the monitored device. Imagine a scenario where hundreds of users are logged into hundreds of corresponding user sessions on a monitored device, and each user tries to access a malicious file. In this scenario, there can be hundreds of concurrently executing user-mode processes for displaying user notifications about security actions taken with respect to the detected malicious files, which can consume a high amount of system resources.
Other problems with existing approaches pertain to security and privacy concerns. Oftentimes, anti-virus software executes in user mode with high privileges (e.g., Administrator (Admin) privileges or higher) in order to access the system resources and data it needs to effectively counter threats posed by malware. This means that user-mode processes created by the anti-virus software may inherit the same high privileges, leaving valuable system resources vulnerable to theft or destruction if and when such processes are exploited with malware. Although some operating systems allow anti-virus software to utilize special functions to create user-mode processes with lower privileges, this often involves the anti-virus software impersonating a user account, something that is exclusively available to highly-privileged software. Thus, valuable system resources are still vulnerable to theft or destruction if and when the highly-privileged anti-virus software is exploited with malware. Moreover, impersonating a user account introduces additional privacy concerns because the anti-virus software is given the power to create processes on the system that appear as though they were created by a particular user, even though they were not. If it just so happened that these processes accessed files that the user is not allowed to access (such as illegal access of files or content), event and audit logs will show that the user himself/herself accessed those files, when, in fact, he/she did not.