File storage service initiation for antivirus software installed locally on user equipment

Document No.: 1957966 Publication date: 2021-12-10

Reading note: This technology, "File storage service initiation for antivirus software installed locally on user equipment", was designed and created by M·E·阿贝热尔, J·D·罗德里格斯 and F·凯勒雷斯库 on 2020-03-28. Its main content: A method and system for repairing user devices infected with malicious code. One method comprises storing registration information for a plurality of user devices accessing a remote file storage system, the registration information including a unique identifier for each user device and an identifier for antivirus software installed locally on each user device. The method further comprises, in response to detecting an infected file within the remote file storage system: determining a unique identifier of one user device, among the plurality of user devices, that interacts with the infected file; accessing the registration information to identify, based on the unique identifier of the user device interacting with the infected file within the remote file storage system, an identifier of antivirus software installed locally on that user device; and remotely launching the antivirus software installed locally on the user device based on the identifier of the antivirus software.

1. A method for repairing a user device infected with malicious code, the method comprising:

storing registration information for each of a plurality of user devices accessing a remote file storage system, the registration information for each of the plurality of user devices including a unique identifier for each user device and an identifier for antivirus software installed locally on each user device; and

in response to detecting an infected file within the remote file storage system:

determining, with an electronic processor remote from each of the plurality of user devices, a unique identifier of a user device included in the plurality of user devices that interacts with the infected file within the remote file storage system,

accessing, with the electronic processor, the registration information to identify an identifier of antivirus software installed locally on the user device based on the unique identifier of the user device interacting with the infected file within the remote file storage system, and

remotely launching, with the electronic processor, the antivirus software installed locally on the user device based on the identifier of the antivirus software.

2. The method of claim 1, further comprising: presenting a user interface that prompts a user of the user device to approve remote launching of the antivirus software installed locally on the user device, and

wherein remotely launching the antivirus software installed locally on the user device comprises: remotely launching the antivirus software installed locally on the user device in response to receiving approval to remotely launch the antivirus software through the user interface.

3. The method of claim 1, wherein the registration information further comprises at least one selected from the group consisting of: an operating system locally installed on each of the plurality of user devices, a version of the operating system locally installed on each of the plurality of user devices, and a device type of each of the plurality of user devices.

4. The method of claim 1, further comprising: receiving status information from the antivirus software installed locally on the user device, and presenting at least a portion of the status information within a user interface.

5. The method of claim 4, further comprising: in response to the status information indicating a failure of the antivirus software installed locally on the user device, notifying a user of the user device of the failure and recommending an action for the user to perform in an attempt to repair the user device.

6. A system for repairing a user device infected with malicious code, the system comprising:

a memory storing a plurality of files within a remote file storage system accessible by a plurality of user devices; and

an electronic processor configured to, in response to detecting an infected file within the plurality of files stored within the memory:

determine a user device included in the plurality of user devices that interacts with the infected file,

determine antivirus software installed locally on the user device,

prompt a user associated with the user device to approve remote launching of the antivirus software installed locally on the user device, and

remotely launch the antivirus software installed locally on the user device in response to receiving approval to remotely launch the antivirus software.

7. The system of claim 6, wherein the electronic processor is configured to determine the user device that interacts with the infected file by determining that the user device uploads the infected file to the remote file storage system or that the user device modifies the infected file within the remote file storage system.

8. The system of claim 6, wherein the electronic processor is further configured to: compare the antivirus software installed locally on the user device to a list of approved antivirus software applications, and remotely launch the antivirus software installed locally on the user device when the antivirus software is included in the list of approved antivirus software applications.

9. The system of claim 6, wherein the electronic processor is further configured to: receive status information from the antivirus software installed locally on the user device, and present at least a portion of the status information within a user interface.

10. A computer-readable medium storing instructions that, when executed by an electronic processor, perform a set of functions comprising:

determining a user device that interacts with an infected file detected within a remote file storage system;

determining antivirus software installed locally on the user device;

prompting a user associated with the user device to approve remote launching of the antivirus software installed locally on the user device; and

remotely launching the antivirus software installed locally on the user device in response to receiving approval of the remote launch.

11. The computer-readable medium of claim 10, wherein determining the user device that interacts with the infected file comprises: determining that the user device uploads the infected file to the remote file storage system or that the user device modifies the infected file within the remote file storage system.

12. The computer-readable medium of claim 10, wherein determining antivirus software installed locally on the user device comprises: accessing registration information associated with the user device.

13. The computer-readable medium of claim 10, wherein determining antivirus software installed locally on the user device comprises: receiving information associated with the antivirus software from a synchronization client that is installed locally on the user device for the remote file storage system.

14. The computer-readable medium of claim 10, wherein remotely launching the antivirus software installed locally on the user device comprises: generating an application programming interface call and sending the application programming interface call to the user device.

15. The computer-readable medium of claim 10, wherein remotely launching the antivirus software installed locally on the user device comprises: generating an application programming interface call based on at least one selected from the group consisting of the antivirus software, the user device, and the infected file, and sending the application programming interface call to the user device.

Technical Field

Embodiments described herein relate generally to detecting infected files stored in a remote file storage system and, in response to such detection, launching antivirus software locally installed on a client device that uploads or modifies the infected files from the remote file storage system.

Disclosure of Invention

A remote file storage system stores files for access by a plurality of electronic devices from locations other than the physical location of the storage system. Because files are shared among multiple devices, one device may potentially upload an infected file (e.g., a file infected with ransomware, malware, adware, or other malicious code), and thus expose other devices that utilize the remote file storage system to the infected file.

The remote file storage system may employ precautions (e.g., by executing anti-virus software) to prevent storage and distribution of corrupted files. These precautions may identify and even repair corrupt files stored within the remote file storage system. However, without resolving the source of the infected file, the device may continue to upload or create (by modifying existing stored files) the infected file to the remote file storage system, and the remote file storage system's precautions may not be able to identify and resolve the activity fast enough to prevent the spread of infected files. Furthermore, even if the remote file storage system notifies the user of an infected file that may originate from the user's device, the user may not have the knowledge or resources to manually address this situation at their device.

Accordingly, embodiments described herein provide, among other things, systems and methods for addressing infected files at a source by launching antivirus software from a remote file storage system, the antivirus software being locally installed on an electronic device that uploads or modifies detected infected files stored within the remote file storage system.

For example, one embodiment provides a method for repairing a user device infected with malicious code. The method comprises the following steps: storing registration information for each of a plurality of user devices accessing a remote file storage system, wherein the registration information for each of the plurality of user devices includes a unique identifier for each user device and an identifier of antivirus software installed locally on each user device. The method further comprises the following steps: in response to detecting an infected file within the remote file storage system: determining, with an electronic processor remote from each of the plurality of user devices, a unique identifier of a user device included in the plurality of user devices that interacts with the infected file within the remote file storage system; accessing, by the electronic processor, registration information to identify an identifier of antivirus software installed locally on a user device based on a unique identifier of the user device interacting with an infected file within a remote file storage system; and remotely launching, with the electronic processor, anti-virus software installed locally on the user device based on the identifier of the anti-virus software.

Another embodiment provides a system for repairing a user device infected with malicious code. The system comprises: a memory storing a plurality of files within a remote file storage system accessible by a plurality of user devices; and an electronic processor. The electronic processor is configured to: in response to detecting an infected file within a plurality of files stored within a memory: determining a user device included in the plurality of user devices that interacts with the infected file; determining antivirus software installed locally on a user device; prompting a user associated with the user device to approve remote launching of antivirus software installed locally on the user device; and remotely launching the anti-virus software installed locally on the user device in response to receiving approval for the remote launching of the anti-virus software.

Another embodiment provides a non-transitory computer-readable medium storing instructions that, when executed by an electronic processor, perform a set of functions. The set of functions includes: determining a user device that interacts with an infected file detected within a remote file storage system; determining antivirus software installed locally on a user device; prompting a user associated with the user device to approve remote launching of antivirus software installed locally on the user device; and remotely launching antivirus software installed locally on the user device in response to receiving approval for the remote launch.

Drawings

Fig. 1 schematically illustrates a system for repairing a user device infected with malicious code, in accordance with some embodiments.

Fig. 2 schematically illustrates a server included in the system of fig. 1, in accordance with some embodiments.

Fig. 3 schematically illustrates a user equipment comprised in the system of fig. 1, in accordance with some embodiments.

Fig. 4 is a flow diagram illustrating a method performed by the system of fig. 1 for repairing a user device infected with malicious code, in accordance with some embodiments.

FIG. 5 illustrates an example user interface generated as part of the method of FIG. 4 for approving activation of antivirus software on a user device, in accordance with some embodiments.

Detailed Description

One or more embodiments are described and illustrated in the following description and drawings. The embodiments are not limited to the specific details provided herein and may be modified in various ways. Furthermore, other embodiments not described herein may exist. Also, functions described herein as being performed by one component may be performed in a distributed manner by multiple components. Also, functions performed by multiple components may be combined and performed by a single component. Similarly, components described as performing certain functions may also perform additional functions not described herein. For example, a device or structure that is "configured" in a certain way is configured in at least that way, but may also be configured in ways that are not listed. Furthermore, some embodiments described herein may include one or more electronic processors configured to perform the described functions by executing instructions stored in a non-transitory computer-readable medium. Similarly, embodiments described herein may be implemented as a non-transitory computer-readable medium storing instructions executable by one or more electronic processors to perform the described functions. As used in this application, "non-transitory computer readable medium" includes all computer readable media, but does not include transitory propagating signals. Thus, a non-transitory computer readable medium may include, for example, a hard disk, a CD-ROM, an optical storage device, a magnetic storage device, a ROM (read only memory), a RAM (random access memory), a register memory, a processor cache, or any combination thereof.

Also, the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. For example, the use of "including," "comprising," "containing," "having," "containing," and variations thereof herein is meant to encompass the items listed thereafter and equivalents thereof as well as additional items. The terms "connected" and "coupled" are used broadly and encompass both direct and indirect connections and couplings. Further, "connected" and "coupled" are not restricted to physical or mechanical connections or couplings, and may include direct or indirect electrical connections or couplings. Additionally, electronic communications and notifications may be performed using wired connections, wireless connections, or a combination thereof, and may be sent directly or through one or more intermediate devices over various types of networks, communication channels, and connections. Moreover, relational terms such as first and second, top and bottom, and the like may be used herein only to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.

As described above, a user device that initially uploads or modifies an infected file may continue to propagate infected files even when the remote file storage system is configured to detect and resolve infected files stored within the remote file storage system. Accordingly, embodiments described herein provide methods and systems for remotely launching antivirus software installed locally on a user device in response to detecting that a file uploaded or modified by the user device within a remote file storage system is infected. These methods and systems more efficiently attack the propagation of infected files at the source (user device), which improves the security of data and devices and reduces the wasted computer resources to detect and resolve infected files.

Fig. 1 schematically illustrates a system 10 for repairing a user device infected with malicious code. As shown in fig. 1, the system 10 includes a remote file storage system 12, a plurality of user devices 14 (also referred to individually as user devices 14), and a communication network 16. It should be understood that system 10 is provided as an example, and in some embodiments, system 10 includes additional components. For example, the system 10 may have fewer or additional user devices 14, more than one remote file storage system 12, more than one communication network 16, and so forth.

The remote file storage system 12 and the plurality of user devices 14 communicate over a communication network 16. Portions of the communication network 16 may be implemented using a wireless network, such as a wide area network (e.g., the Internet), a local area network (e.g., a Bluetooth™ network or Wi-Fi), or a combination or derivative thereof. Alternatively or additionally, portions of the communication network 16 may be implemented using dedicated connections (e.g., wired or wireless connections). It should also be understood that in some embodiments, the remote file storage system 12 and the plurality of user devices 14 may communicate through one or more intermediary devices not shown in FIG. 1.

The remote file storage system 12 includes one or more computing devices, such as one or more servers. For example, as shown in FIG. 2, in some embodiments, the remote file storage system 12 includes at least a server including an electronic processor 20, a memory 22, and a communication interface 24. The electronic processor 20, memory 22, and communication interface 24 communicate via one or more communication lines or buses, wirelessly, or a combination thereof. In some embodiments, the remote file storage system 12 includes additional components in addition to those shown in FIG. 2, and the components included in the remote file storage system 12 may be arranged in various configurations. For example, as previously indicated, in some embodiments, the remote file storage system 12 includes a plurality of servers, databases, etc. to provide remote file storage services.

The communication interface 24, which may include a wireless transceiver, allows the remote file storage system 12 to communicate with external devices, such as a plurality of user devices 14, over the communication network 16.

Memory 22 includes non-transitory computer readable storage media. Electronic processor 20 comprises a microprocessor, Application Specific Integrated Circuit (ASIC), or other suitable electronic device. The electronic processor 20 is configured to retrieve data from the memory 22 and execute software (instructions) related to the methods described herein, among other things.

For example, as shown in FIG. 2, the memory 22 stores a remote file manager 26. The remote file manager 26 includes instructions that, when executed by the electronic processor 20, store and control access to a plurality of files 28 (each file also referred to herein individually as a file 28) stored in the memory 22 or other remote storage locations included as part of the remote file storage system 12 to provide remote file storage services. For example, the remote file manager 26 controls access to files 28 by multiple user devices 14 and the addition, deletion, and modification of files 28 by multiple user devices 14. The remote file storage system 12 additionally stores metadata about each of the files 28. The metadata may include the original creation date, the last modified date, and a record of which user devices 14 have uploaded, accessed, or modified the file, and optionally, detailed information regarding the type of modification made to the file. For example, each of the plurality of user devices 14 may have a unique identifier within the remote file storage system 12, and these identifiers may be included in the metadata for the file 28 to record the user device 14 uploading, accessing, or otherwise modifying the content of the file 28.

The remote file storage system 12 may also store (in memory 22) a device directory 29, such as a table or other data structure. The device directory 29 stores registration information for each of the plurality of user devices 14. The registration information includes a unique identifier for the user device 14, which may be a serial number, an address (media access control (MAC) address), a user generated identifier, or other type of unique identifier. The registration information includes one or more identifiers of antivirus software installed locally on each user device 14. Each identifier may represent installed antivirus software by name, provider, version, or other identifying information. Optionally, the registration information may include further information about each user device 14, such as operating system, operating system version, file structure information, other remote file storage systems with which the user device 14 is associated, device model, device type (e.g., smart phone, laptop, etc.), and so forth. The registration information may also include information about the user associated with the user device 14, the group or organization associated with the user, and so forth.

Each of the plurality of user devices 14 is remote from the remote file storage system 12 (separate from the remote file storage system 12) and includes a computing device, e.g., a desktop computer, a laptop computer, a tablet computer, a terminal, a server, a smart television, an electronic whiteboard, a smartphone, a wearable device, and so forth. As shown in fig. 3, in some embodiments, the user device 14 includes an electronic processor 30, a memory 32, a Human Machine Interface (HMI) 34, and a communication interface 36. The electronic processor 30, the memory 32, the HMI 34, and the communication interface 36 communicate via one or more communication lines or buses, wirelessly, or a combination thereof. In some embodiments, the user device 14 includes additional components, e.g., additional memory, processors, etc., in addition to those shown in fig. 3. Additionally, the components included in the user device 14 shown in fig. 3 may be arranged in various configurations.

The communication interface 36, which may include a wireless transceiver, allows the user device 14 to communicate with external devices, such as a remote file storage system 12, over the communication network 16.

The HMI 34 includes an input device, an output device, or a combination thereof. For example, the HMI 34 may include a display device, touch screen, keyboard, keypad, buttons, cursor control device, printer, speaker, virtual reality headset, microphone, and the like. In some embodiments, the user device 14 includes multiple HMIs. For example, the user device 14 may include a touch screen and a keypad. In some embodiments, the HMI 34 is included in the same housing as the user device 14. However, in other embodiments, the HMI 34 may be external to the user device 14, but may communicate with the user device 14 through a wired or wireless connection. For example, in some embodiments, the user device 14 includes a display device connected to the user device 14 via a cable.

Memory 32 includes non-transitory computer-readable storage media. Electronic processor 30 comprises a microprocessor, Application Specific Integrated Circuit (ASIC), or other suitable electronic device. The electronic processor 30 is configured to retrieve data from the memory 32 and execute software instructions to perform various functions, among others. It should be understood that the user device 14 may also perform additional functions in addition to those described herein.

As shown in fig. 3, the memory 32 stores antivirus software 38. The antivirus software 38 is a software application that, when executed by the electronic processor 30, prevents, detects, and removes malicious files and applications from the computing device (e.g., the user device 14). For example, the antivirus software 38 protects and repairs the user device from malicious code, including but not limited to computer viruses, spyware, adware, keyloggers, spam, ransomware, and the like. In some embodiments, the user device 14 may have multiple antivirus software applications installed, for example, for different types of malicious code or different types of antivirus software provided by different companies. It should also be understood that the antivirus software 38 installed locally on the user device 14 may include a client application that interacts with one or more servers or other remote systems to perform malicious code prevention or detection. Thus, not all antivirus functions performed with respect to the user device 14 may be performed locally or directly by the antivirus software 38.

Memory 32 also stores a synchronization ("sync") client 37. The synchronization client 37 is a software application that, when executed by the electronic processor 30, allows the user device 14 to access the remote file storage system 12 and may synchronize files 28 managed by the remote file storage system (e.g., access, upload, download, and modify files 28). For example, in some embodiments, the sync client 37 automatically synchronizes files stored locally on the user device 14 that are marked for remote storage to the remote file storage system 12 to synchronize the state of these files between the user device 14 and the remote file storage system 12. The synchronization client 37 may also provide a user interface that allows a user of the user device 14 to locate and interact with files available through the remote file storage system 12 even if the files are not installed locally on the user device 14. For example, the sync client 37 may be configured to alert the user when new or updated files are available via the remote file storage system 12. It should be understood that in some embodiments, the functions performed by synchronization client 37 as described herein may be distributed among multiple software applications or modules.

In some embodiments, the synchronization client 37 provides registration information for the user device 14 to the remote file storage system 12. For example, the synchronization client 37 may provide the remote file storage system 12 with a unique identifier of the user device 14 and an identifier of the antivirus software 38 installed locally on the user device 14. In some embodiments, each time the user device 14 interacts with the remote file storage system 12, the sync client 37 installed on the user device provides the registration information (or any available updated registration information) to the remote file storage system 12 so that the registration information managed by the remote file storage system 12 is the most recent. In other embodiments, the sync client 37 provides the registration information (including updates to the registration information) to the remote file storage system 12 at other frequencies or in response to other triggers. For example, in some embodiments, the synchronization client 37 is configured to monitor any local installations of antivirus software on the user device 14 and update the registration information stored by the remote file storage system 12 for each new installation. Further, in some embodiments, the synchronization client 37 may scan for installed antivirus software in response to a request from the remote file storage system 12 (e.g., when the remote file storage system 12 detects an infected file, as described below). Also, in some embodiments, the antivirus software application may be configured to register with the remote file storage system 12. For example, the synchronization client 37 installed on the user device 14 may receive information from the antivirus software 38, combine the information with information about the user device 14, and register the user device 14 and associated antivirus software 38 with the remote file storage system 12.

Each of the plurality of user devices 14 may access (via execution of the synchronization client 37) the files 28 stored by the remote file storage system 12 (via execution of the remote file manager 26). Thus, a user using one of the plurality of user devices 14 may remotely access the files 28, upload new files 28, download existing files 28, and modify files 28 regardless of where the user device 14 is located relative to the remote file storage system 12. As also described above, a user device 14 infected with malicious code (e.g., ransomware) may upload an infected file to the remote file storage system 12, or may modify an existing file stored in the remote file storage system 12 to create an infected file. As described above, while remote file storage systems are typically configured to detect and correct these activities, the user devices 14 representing the source of infected files may still be infected with malicious code. Thus, the remote file storage system 12 described herein is configured to launch antivirus software 38 that is locally installed on the user device 14 that represents the source of an infected file in response to detecting an upload or modification of the infected file within the remote file storage system 12.

For example, fig. 4 is a flow chart illustrating a method 40 for repairing a user device 14 infected with malicious code. The method 40 is described as being performed by the remote file storage system 12 (the remote file manager 26 being executed by the electronic processor 20).

As shown in fig. 4, the method 40 includes storing, at the remote file storage system 12, registration information for each of the plurality of user devices 14 (at block 41). As described above, the registration information may be stored in the device directory 29 and may include, among other information, a unique identifier for each of the plurality of user devices 14 and an identifier for each antivirus software 38 that is locally installed on each of the plurality of user devices 14. The registration information may be stored when the user device 14 first accesses the remote file storage system 12 or by a different registration method (e.g., by an administrator of the remote file storage system 12 importing a list of user devices 14 to register, or by a user manually entering the registration information or a portion thereof (e.g., through one or more user interfaces) as part of an initial account registration or subscription process for the remote file storage service).

In some embodiments, the remote file storage system 12 also stores a list of approved antivirus software applications that may be registered. When an infected file is detected as described below, the remote file storage system 12 may use the list to determine whether the locally installed antivirus software 38 may be remotely launched. Alternatively or additionally, the remote file storage system 12 may use the list as part of establishing the registration information. For example, when the user device 14 attempts to register an antivirus software application that is not on the list of approved antivirus software applications, the remote file storage system 12 may not register the device, may prompt the user to install approved antivirus software, may not store an identifier of the antivirus software in the registration information, or a combination thereof. As described in more detail below, the list of approved antivirus software applications allows the remote file storage system 12 to launch only trusted antivirus software to remediate user devices 14 that potentially include malicious code. The list of approved antivirus software applications may also provide information about the antivirus software (e.g., how the software is launched remotely), including detailed information indicating which antivirus software applications are compatible with Application Programming Interface (API) calls from the remote file storage system 12, and how API calls should be constructed for the particular antivirus software application in each case.

As shown in FIG. 4, the method 40 further includes detecting, with the remote file storage system 12, an infected file stored within the remote file storage system 12 (at block 42). Infected files may be detected in various ways. For example, an infected file may be detected by determining that a previously unencrypted file is now encrypted (e.g., by file entropy). Similarly, some malicious code is associated with known file extensions or file naming patterns, and thus an infected file may be identified by comparing its file extension or file name to the known file extensions and file naming patterns. The infected file may also have a file type that is incompatible with the data stored within it (e.g., identified as a .jpg type, but not containing image data). Other methods, such as analysis of data within the file, machine learning techniques constructed from user feedback identifying infected and non-infected files, etc., may be used to detect infected files. The remote file storage system 12 may include a local antivirus software application configured to detect infected files. The remote file storage system 12 may be configured to detect infected files during the upload process of new files to be stored in the remote file storage system 12, during modification of existing files stored in the remote file storage system 12, routinely (e.g., by running a local antivirus software application at a predetermined time), or a combination thereof.
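The three file-level heuristics named above (entropy change, known naming pattern, type/content mismatch) can be sketched as follows. This is an added example, not code from the patent; the threshold, the name pattern, the magic-byte table and the sample data are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Assumed values for illustration; a real deployment would tune these.
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data approaches 8.0
SUSPICIOUS_NAME = re.compile(r"\.(locked|encrypted|crypt)$", re.IGNORECASE)
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}

# Constructed sample contents: ordinary text and a uniform byte distribution
# standing in for ciphertext.
PLAIN = b"quarterly report draft\n" * 100
CIPHERLIKE = bytes(range(256)) * 16


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def infection_signals(name, new_data, previous_data=None):
    """Return which heuristics fire for one stored file version."""
    signals = []
    # 1. A previously low-entropy file that now looks encrypted. Comparing
    #    against the prior version avoids flagging formats that are always
    #    high-entropy (archives, compressed media).
    if (previous_data is not None
            and shannon_entropy(new_data) >= ENTROPY_THRESHOLD
            > shannon_entropy(previous_data)):
        signals.append("entropy_jump")
    # 2. File extension or name matching a known pattern.
    if SUSPICIOUS_NAME.search(name):
        signals.append("known_name_pattern")
    # 3. Declared type incompatible with the stored data.
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is not None and not new_data.startswith(magic):
        signals.append("type_mismatch")
    return signals
```
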

In response to detecting an infected file, the remote file storage system 12 may be configured to take various actions (e.g., by quarantining the infected file, deleting the infected file, etc.) to repair the remote file storage system 12. Additionally, as shown in FIG. 4, in response to detecting an infected file, the remote file storage system 12 is configured to determine a unique identifier of the user device 14 interacting with the infected file (e.g., the user device 14 uploading the infected file or the user device 14 modifying the infected file) (at block 43). When an infected file is detected during the upload or modification of the file, the identifier of the user device 14 may be known, or the identifier of the user device 14 may be queried as part of the upload process. Alternatively, when an infected file is detected, for example, during routine inspection by any local antivirus software of the remote file storage system 12, the remote file storage system 12 may access metadata associated with the detected infected file to determine identifiers of one or more user devices 14 that have recently interacted with the infected file. In some cases, the remote file storage system 12 may be able to identify the individual user device 14 responsible for the detected infected file. However, in other cases, the remote file storage system 12 may only be able to identify a set of two or more user devices 14 that are potentially responsible for the detected infected file. In this case, the remote file storage system 12 may be configured to attempt to repair each user device 14 in the set, as described below.

Using the identifier of the user device 14 associated with the detected infected file, the remote file storage system 12 accesses the stored registration information to identify the antivirus software 38 installed on the user device 14 (at block 44). For example, the remote file storage system 12 may use the unique identifier of the user device 14 to pull data from the device directory 29, which device directory 29 may include a table containing the unique device identifier and the associated identifier for the installed antivirus software application. As described above, the remote file storage system 12 may compare the identified antivirus software 38 installed at the user device 14 to a list of approved software applications to ensure that the locally installed software represents trusted antivirus software prior to remote launching of the antivirus software 38. Thus, the remote file storage system 12 may not remotely launch the installed antivirus application 38 when the identified antivirus software 38 installed at the identified user device 14 is not one of the approved software applications. In this case, however, the remote file storage system 12 may take one or more other actions to address the potential infection of the user device 18. For example, the remote file storage system 12 may present one or more alerts (e.g., emails, text, etc.), such as through the synchronization client 37 or separately, to alert the user associated with the user device 14 of the potential infection. The alert may include information about the time of the attack, the devices affected by the attack, the files affected by the attack, and potential manual steps that the user may take to remedy the situation, including the option to restore the locally stored files.

As shown in FIG. 4, the remote file storage system 12 remotely launches the antivirus software 38 based on the identified locally installed antivirus software 38 (at block 47). In the case where the user device 14 has installed multiple antivirus software applications, the remote file storage system 12 may also be configured to automatically select one or more of the applications for remote launch based on available installed applications, the user device 14, detected infected files, or a combination thereof. For example, the remote file storage system 12 may apply one or more rules to determine which applications to launch in these cases. However, in other embodiments, the remote file storage system 12 may be configured to launch each installed application.

In some embodiments, the remote file storage system 12 builds API calls for the antivirus software 38 installed locally on the identified user device 14 to remotely launch the antivirus software 38. The API call may be constructed based on an identifier of the antivirus software 38 stored as part of the registration information. In other embodiments, the API call may also be based on the user device 14, e.g., the operating system installed on the user device 14, the version of the operating system installed, etc. Further, in some embodiments, the API call may also be based on an infected file. For example, the API may pass information about the infected file to the antivirus software 38 to assist the antivirus software 38 in performing appropriate checks or scans to repair the user device 14. Thus, the remote file storage system 12 may store one or more configuration files or sets of instructions for creating API calls for different antivirus software applications in various circumstances. After the API call is constructed, the remote file storage system 12 sends the API call to the antivirus software 38. In some embodiments, the remote file storage system 12 sends the API call indirectly to the antivirus software 38 through the synchronization client 37. Also, in some embodiments, the remote file storage system 12 uses a different mechanism to launch the antivirus software 38, for example, by sending a message to a server associated with the antivirus software 38, which responds to the message by launching the antivirus software 38 that is installed locally on the user device 14 or issuing a command to the operating system of the user device 14. 
It should be understood that launching the antivirus software 38, as that term is used in this application, includes activities that activate the antivirus software application (launch its execution) and modify the active (already executed) antivirus software application, for example, by requesting execution of a particular type of device scan or other process for detecting malicious code.
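The flow of blocks 43 to 47 (look up the device's registration, check the registered antivirus against the approved list, then build a launch request from the per-product instructions) is sketched below. This is an added example, not the patent's implementation; every device identifier, product identifier and request field is hypothetical.

```python
from dataclasses import dataclass

# Hypothetical device directory: unique device id -> registration information.
DEVICE_DIRECTORY = {
    "dev-001": {"os": "windows", "antivirus": ["av-alpha"]},
    "dev-002": {"os": "macos", "antivirus": ["av-unlisted"]},
    "dev-003": {"os": "windows", "antivirus": ["av-unlisted", "av-beta"]},
}
# Hypothetical approved list, carrying how each product's call is constructed.
APPROVED_AV = {
    "av-alpha": {"action": "targeted_scan", "pass_file_info": True},
    "av-beta": {"action": "full_scan", "pass_file_info": False},
}


@dataclass
class Decision:
    device_id: str
    launch_requests: list   # one request per approved, registered product
    alert_user: bool        # fall back to an alert when nothing can be launched


def plan_remediation(device_ids, infected_file):
    """Decide, per candidate device, what to launch remotely or whether to alert."""
    decisions = []
    for device_id in device_ids:
        reg = DEVICE_DIRECTORY.get(device_id)
        requests = []
        for av_id in (reg["antivirus"] if reg else []):
            template = APPROVED_AV.get(av_id)
            if template is None:
                continue  # not on the approved list: never launched remotely
            request = {
                "device": device_id,
                "antivirus": av_id,
                "os": reg["os"],
                "action": template["action"],
            }
            if template["pass_file_info"]:
                # Pass details of the infected file to guide the scan.
                request["infected_file"] = infected_file
            requests.append(request)
        decisions.append(Decision(device_id, requests, alert_user=not requests))
    return decisions
```

Unregistered devices and devices with only unapproved antivirus software yield no launch request and are flagged for a user alert instead, matching the fallback described above.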

As shown in FIG. 4, in some embodiments, the remote file storage system 12 may optionally be configured to present a user interface to a user associated with the user device to prompt the user to approve remote launching of the antivirus software 38 (at block 45). In this embodiment, the remote file storage system 12 may be configured to remotely launch the antivirus software 38 when the remote file storage system 12 receives approval from a user. Also, in some embodiments, the remote file storage system 12 may be configured to remotely launch the antivirus software 38 even if the remote file storage system 12 has not received user approval through the user interface, provided that a predetermined amount of time has elapsed since the prompt was provided. The predetermined time may be configurable, for example, by a user or an administrator (e.g., an administrator associated with an organization to which the user belongs).

An example user interface 50 prompting for such approval is shown in FIG. 5. The user interface 50 may include a message 52 and a selection mechanism 54, such as the "fix" button shown in FIG. 5. The message 52 may indicate that, based on the infected file detected within the remote file storage system 12, the user device 14 may be infected with malicious code. The message 52 also informs the user that, if the user wants to launch the antivirus software 38 installed locally on the user device 14 to attempt to repair the user device 14, the user should select the selection mechanism 54. Thus, the user may select the selection mechanism 54 to approve the remote launching of the antivirus software 38. The user interface 50 may be presented on the user device 14 that is identified as interacting with (uploading or modifying) the infected file (e.g., by the sync client 37 installed on the user device 14). Alternatively or additionally, the user interface 50 may be presented via other user devices 14 associated with the same user as the identified user device 14. For example, when the identified user device 14 is a desktop computer, the user interface 50 may be presented on a desktop computer, a smart phone, or a combination thereof associated with the same user. For example, the user interface 50 may be provided within an email message, a text message, an instant message, an application notification, and the like. In some embodiments, the message 52 may include additional or different information than the example message 52 shown in FIG. 5, such as details of the detected infected file, other actions the user may take to resolve the problem, and so forth.
Moreover, in some embodiments, the user interface 50 may include one or more additional selection mechanisms that allow the user to take other actions, such as an "ignore" button for explicitly rejecting or overriding the remote launch of the antivirus software 38, or a "restore" button for restoring the files 28 stored in the remote file storage system 12 to the user device 14. Further, in some embodiments, the remote file storage system 12 may send a message to the user instructing the user to access the sync client 37 on the identified user device to access the user interface 50 and, if necessary, to approve remote launching of the antivirus software 38, alerting the user of potentially malicious code.

In some embodiments, the antivirus software 38 may provide status information to the sync client 37 during or after the antivirus software 38 has run on the user device 14, as initiated by the remote file storage system 12, which the sync client 37 may communicate to the remote file storage system 12. The status information may indicate the current stage of the antivirus scan or check performed by the antivirus software 38 (e.g., percentage completed, time remaining before completion, number of files scanned and repaired, etc.). The status information may also indicate whether the antivirus software 38, as initiated by the remote file storage system 12, successfully completed the scan or check, and whether any files were successfully repaired (e.g., unencrypted, removed, etc.). The status information, or a portion thereof, may be provided to the user by the remote file storage system 12, for example, through the sync client 37. Also, in some embodiments, when the antivirus software 38 is unable to repair the user device 14 (e.g., fails to remove the ransomware or other malicious code from the user device 14), the remote file storage system 12 may provide additional information along with the status information to the user (e.g., via the sync client 37), such as a recommendation for manual steps the user may take in an attempt to repair the user device 14.

Similarly, whether or not the antivirus software 38 is successful, the remote file storage system 12 may provide information to the user outlining various solutions for avoiding future infections. For example, based on the identified type of infected file, the remote file storage system 12 may provide the user with steps to avoid accidental downloads of suspicious or malicious files or applications. The solution provided to the user may be further based on the type of device affected by the infected file, the affected operating system, and other factors that may be obtained from the registration information or from the identified user device 14.

Accordingly, embodiments described herein provide methods and systems for repairing user devices infected with malicious code when an infected file is detected within a remote file storage system. In particular, as described above, antivirus software installed locally on a user device may be launched remotely by a remote file storage service to repair the user device (in addition to any actions taken by the remote file storage service to handle other repairs of infected files). The remote launch may be performed automatically by the remote file storage service (without requiring manual input) or may be presented as an option for user selection to allow user control of the remote launch, while still eliminating the need for the user to take steps to manually launch the locally installed antivirus software application.

Various features and advantages of some embodiments are set forth in the following claims.
