Agent assisted malicious application blocking in a network environment
First Claim
1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by at least one processor cause the processor to:
- intercept, on an end host, an attempt to access a network by a process;
- determine, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;
- send metadata associated with the process to a network security device, wherein the metadata includes a hash of the application, a tuple of connection information, and the endpoint reputation score; and
- receive a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.
Abstract
Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score.
24 Claims
1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by at least one processor cause the processor to:
- intercept, on an end host, an attempt to access a network by a process;
- determine, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;
- send metadata associated with the process to a network security device, wherein the metadata includes a hash of the application, a tuple of connection information, and the endpoint reputation score; and
- receive a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.

Dependent claims: 2-14
15. An apparatus for blocking malware, the apparatus comprising:
- at least one processor coupled to at least one memory element;
- an endpoint intelligence agent configured to run on the at least one processor to:
  - intercept an attempt to access a network by a process;
  - determine an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;
  - send metadata associated with the process to a network security device, wherein the metadata includes a hash of the application and the endpoint reputation score; and
  - receive a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.

Dependent claims: 16-20
21. A method for blocking malware, the method comprising:
- intercepting, on an end host, an attempt to access a network by a process on the end host;
- determining, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application;
- sending metadata associated with the network access attempt to a network security device, wherein the metadata includes a hash of the application and the endpoint reputation score; and
- receiving a response indicating an action to be taken, wherein the action is determined based, at least in part, on one or more policies and at least one of a threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application.

Dependent claims: 22
23. A system for blocking malware, the system comprising:
- first logic at least partially including hardware logic on an end host, the first logic to:
  - intercept an attempt to access a network by a process running on the end host;
  - determine, by the end host, an endpoint reputation score of an application associated with the process, wherein the endpoint reputation score indicates a degree of maliciousness of the application; and
  - send metadata associated with the network access attempt to a network security device, the metadata including a hash of the application and the endpoint reputation score; and
- second logic on the network security device, the second logic to:
  - request a threat intelligence reputation score based on the hash of the application;
  - determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and wherein, if the action includes allowing a network session established by the process to continue, monitor, by the end host, the network session to identify a dynamic link library (DLL) invoked by the application that indicates some degree of maliciousness based on activities performed by the DLL for the application; and
  - send a response to the end host, the response indicating the action to be taken.

Dependent claims: 24
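The two-stage decision flow described in the abstract and in claims 1 and 23, as an added illustration that is not code from the patent or from any assignee product: the endpoint agent sends a hash, a connection tuple and its own reputation score; the network security device enriches that with a threat intelligence score, applies a policy and returns an action; if the session is allowed, a DLL the process later loads is scored the same way and can still turn the session into a block. The 0 to 100 score scale, the thresholds, the policy rule ("act on the worse score") and the threat intelligence table are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed score scale: 0 (benign) to 100 (malicious); thresholds are illustrative.
BLOCK_AT = 80
MONITOR_AT = 40

# Constructed sample hashes standing in for real file hashes.
BENIGN_APP_HASH = hashlib.sha256(b"constructed-benign-app").hexdigest()
SUSPICIOUS_APP_HASH = hashlib.sha256(b"constructed-suspicious-app").hexdigest()
BAD_DLL_HASH = hashlib.sha256(b"constructed-known-bad-dll").hexdigest()

# Constructed stand-in for a threat intelligence reputation feed keyed by hash;
# a real network security device would query a reputation service instead.
THREAT_INTEL = {BENIGN_APP_HASH: 5, SUSPICIOUS_APP_HASH: 55, BAD_DLL_HASH: 95}

@dataclass
class ProcessMetadata:
    """What the endpoint agent sends when it intercepts a network access attempt."""
    app_hash: str                          # hash of the application binary
    conn: Tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)
    endpoint_score: int                    # reputation computed on the end host

def ti_lookup(file_hash: str) -> Optional[int]:
    """Threat intelligence reputation score for a hash, or None if unknown."""
    return THREAT_INTEL.get(file_hash)

def decide(endpoint_score: int, ti_score: Optional[int]) -> str:
    """Assumed policy: act on the worse of the two scores; with no threat
    intelligence verdict, fall back to the endpoint score alone."""
    worst = endpoint_score if ti_score is None else max(endpoint_score, ti_score)
    if worst >= BLOCK_AT:
        return "block"
    if worst >= MONITOR_AT:
        return "allow_and_monitor"
    return "allow"

def handle_network_attempt(meta: ProcessMetadata) -> str:
    """Network security device: enrich the endpoint's metadata with a
    threat intelligence score and return the action for the end host."""
    return decide(meta.endpoint_score, ti_lookup(meta.app_hash))

def handle_dll_load(meta: ProcessMetadata, dll_hash: str) -> str:
    """Second stage: a session that was allowed stays under watch; a DLL the
    process loads is scored the same way and can still turn it into a block."""
    return decide(meta.endpoint_score, ti_lookup(dll_hash))
```

An unknown hash yields no threat intelligence score, so the decision rests on the endpoint score alone, which is the fallback the claims' "at least one of" language allows.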