Systems and methods for whitelisting file clusters in connection with trusted software packages

US 10,089,469 B1
Filed: 06/12/2015
Issued: 10/02/2018
Est. Priority Date: 06/12/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for whitelisting file clusters in connection with trusted software packages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, based on files present on a plurality of computing systems and by a backend server that curates file clusters for the plurality of computing systems, a trusted file cluster that comprises a plurality of clean files, the plurality of clean files representing at least a portion of a single software package;

identifying, based on the files present on the plurality of computing systems and by the backend server, an additional file cluster that;

is not, at the time that the additional file cluster is identified, recognized as part of the single software package; and

includes a plurality of additional files in which each file in the plurality of additional files co-exists with the plurality of clean files included in the trusted file cluster on at least a threshold percentage of computing systems in the plurality of computing systems;

determining that the trusted file cluster and the additional file cluster each represent portions of the single trusted software package; and

in response to determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package;

merging the trusted file cluster and the additional file cluster into a merged file cluster;

whitelisting the merged file cluster on a whitelist that describes files that are explicitly approved for use on computing devices that utilize the whitelist; and

using the whitelist to treat files represented on the whitelist at a lower level of security than files that are not represented on the whitelist.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for whitelisting file clusters in connection with trusted software packages may include (1) identifying a trusted file cluster that includes a set of clean files, (2) identifying an additional file cluster that includes a set of additional files that typically co-exist with the set of clean files included in the trusted file cluster on computing systems, (3) determining that the trusted file cluster and the additional file cluster represent portions of a single trusted software package, and then, in response to determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package, (4) merging the trusted file cluster and the additional file cluster into a merged file cluster and (5) whitelisting the merged file cluster. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for whitelisting file clusters in connection with trusted software packages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, based on files present on a plurality of computing systems and by a backend server that curates file clusters for the plurality of computing systems, a trusted file cluster that comprises a plurality of clean files, the plurality of clean files representing at least a portion of a single software package;
  
  identifying, based on the files present on the plurality of computing systems and by the backend server, an additional file cluster that;
  
  is not, at the time that the additional file cluster is identified, recognized as part of the single software package; and
  
  includes a plurality of additional files in which each file in the plurality of additional files co-exists with the plurality of clean files included in the trusted file cluster on at least a threshold percentage of computing systems in the plurality of computing systems;
  
  determining that the trusted file cluster and the additional file cluster each represent portions of the single trusted software package; and
  
  in response to determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package;
  
  merging the trusted file cluster and the additional file cluster into a merged file cluster;
  
  whitelisting the merged file cluster on a whitelist that describes files that are explicitly approved for use on computing devices that utilize the whitelist; and
  
  using the whitelist to treat files represented on the whitelist at a lower level of security than files that are not represented on the whitelist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein identifying the additional file cluster comprises detecting multiple requests for a reputation score for at least one file in the plurality of additional files.
  - 3. The method of claim 2, wherein the multiple requests for the reputation score of the file in the plurality of additional files exceed a threshold number of reputation score requests.
  - 4. The method of claim 1, wherein determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package comprises determining that the plurality of clean files and the plurality of additional files originate from a common source.
  - 5. The method of claim 4, wherein determining that the plurality of clean files and the plurality of additional files originate from the common source comprises determining that the plurality of clean files and the plurality of additional files originated from a single Uniform Resource Locator (URL).
  - 6. The method of claim 4, wherein determining that the plurality of clean files and the plurality of additional files originate from the common source comprises determining that the common source is a program that generated the plurality of clean files and the plurality of additional files.
  - 7. The method of claim 1, wherein determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package comprises determining that the additional file cluster represents at least a partial update of the trusted software package.
  - 8. The method of claim 7, wherein determining that the additional file cluster represents the partial update of the trusted software package comprises determining that the plurality of clean files and the plurality of additional files share an installation pathway.
  - 9. The method of claim 1, wherein determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package comprises determining that the plurality of clean files and the plurality of additional files are signed by the same code-signing authority.
  - 10. The method of claim 1, wherein the threshold percentage of computing systems comprises a percentage of the total number of computing systems in the plurality of computing systems that utilize the whitelist.
  - 11. The method of claim 1 wherein the threshold percentage of computing systems increases over time.
  - 12. The method of claim 1, wherein determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package comprises determining that the trusted file cluster and the additional file cluster were delivered to a computing system within a predetermined length of time of each other.

13. A system for whitelisting file clusters in connection with trusted software packages, the system comprising:
- an identification module, stored in a non-transitory memory of the system, that;
  
  identifies, based on files present on a plurality of computing systems and by a backend server that curates file clusters for the plurality of computing systems, a trusted file cluster comprising a plurality of clean files, the plurality of clean files representing at least a portion of a single software package; and
  
  identifies, based on the files present on the plurality of computing systems and by the backend server, an additional file cluster that;
  
  is not, at the time that the additional file cluster is identified, recognized as part of the single software package; and
  
  includes a plurality of additional files in which each file in the plurality of additional files co-exists with the plurality of clean files included in the trusted file cluster on at least a threshold percentage of computing systems in the plurality of computing systems;
  
  a determination module, stored in the memory, that determines that the trusted file cluster and the additional file cluster each represent portions of the single trusted software package;
  
  a merging module, stored in the memory, that, in response to determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package, merges the trusted file cluster and the additional file cluster into a merged file cluster;
  
  a whitelisting module, stored in the memory, that;
  
  whitelists the merged file cluster on a whitelist that describes files that are explicitly approved for use on computing devices that utilize the whitelist; and
  
  uses the whitelist to treat files on the whitelist at a lower level of security than files that are not represented on the whitelist; and
  
  at least one physical processor configured to execute the identification module, the determination module, the merging module, and the whitelisting module.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the identification module identifies the additional file cluster by detecting multiple requests for a reputation score for at least one file in the plurality of additional files.
  - 15. The system of claim 14, wherein the multiple requests for the reputation score of the file in the plurality of additional files exceed a threshold number of reputation score requests.
  - 16. The system of claim 13, wherein the determination module determines that the trusted file cluster and the additional file cluster represent portions of the single trusted software package by determining that the plurality of clean files and the plurality of additional files originate from a common source.
  - 17. The system of claim 16, wherein the determination module determines that the plurality of clean files and the plurality of additional files originate from the common source by determining that the plurality of clean files and the plurality of additional files originated from a single Uniform Resource Locator (URL).
  - 18. The system of claim 16, wherein the determination module determines that the plurality of clean files and the plurality of additional files originate from the common source by determining that the common source is a program that generated the plurality of clean files and the plurality of additional files.
  - 19. The system of claim 13, wherein the determination module determines that the trusted file cluster and the additional file cluster represent portions of the single trusted software package by determining that the additional file cluster represents at least a partial update of the trusted software package.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, based on files present on a plurality of computing systems and by a backend server that curates file clusters for the plurality of computing systems, a trusted file cluster that comprises a plurality of clean files, the plurality of clean files representing at least a portion of a single software package;
  
  identify, based on the files present on the plurality of computing systems and by the backend server, an additional file cluster that;
  
  is not, at the time that the additional file cluster is identified, recognized as part of the single software package; and
  
  includes a plurality of additional files in which each file in the plurality of additional files co-exists with the plurality of clean files included in the trusted file cluster on at least a threshold percentage of computing systems in the plurality of computing systems;
  
  determine that the trusted file cluster and the additional file cluster each represent portions of the single trusted software package; and
  
  in response to determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package;
  
  merge the trusted file cluster and the additional file cluster into a merged file cluster;
  
  whitelist the merged file cluster on a whitelist that describes files that are explicitly approved for use on computing devices that utilize the whitelist; and
  
  use the whitelist to treat files represented on the whitelist at a lower level of security than files that are not represented on the whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin, Gates, Christopher
Primary Examiner(s)
Abedin, Shanto
Assistant Examiner(s)
Stoica, Adrian

Application Number

US14/737,528
Time in Patent Office

1,208 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/64   Protecting data integrity, ...

G06F 2221/033   Test or assess software

Systems and methods for whitelisting file clusters in connection with trusted software packages

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for whitelisting file clusters in connection with trusted software packages

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links