US Patent 9411953 Tracking injected threads to remediate malware

Injected threads are tracked to detect malware that injects malicious code into the address space of a legitimate process. Relationships between threads of processes executing on a client and files stored by the client are mapped to identify files that create threads in executing processes. The address space of a process is analyzed to identify legitimate memory regions in the address space. A suspicious thread referencing a suspicious memory region of the address space outside of the legitimate memory regions is identified. The suspicious memory region is scanned to identify malware. The mapped relationships are used to identify the file that created the thread that referenced the address space in which the malware was identified. The malware in the file is remediated.