Systems and methods for obtaining information about security threats on endpoint devices
First Claim
1. A computer-implemented method for obtaining information about security threats on endpoint devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, by a security program on the computing device, an attempt to access at least one suspicious file;
- before permitting the computing device to access the suspicious file:
  - searching, by the security program, a security database utilized by the security program for information indicative of the trustworthiness of the suspicious file; and
  - determining, by the security program, based on the search, that the security database does not store the information indicative of the trustworthiness of the suspicious file;
- in response to determining that the security database does not store the information indicative of the trustworthiness of the suspicious file:
  - identifying, by the security program, at least one third-party resource that:
    - is not associated with the security program; and
    - is at least partially responsible for developing the suspicious file;
  - determining, based on the third-party resource being at least partially responsible for developing the suspicious file, that the third-party resource potentially contains information about behaviors the suspicious file is expected to perform on the computing device;
  - performing, by the security program, an online search for the third-party resource by identifying a server that is hosted by the third-party resource and potentially stores the information about the behaviors the suspicious file is expected to perform on the computing device; and
  - accessing, by the security program, the server to obtain the information about the behaviors the suspicious file is expected to perform on the computing device;
- determining, by the security program based at least in part on the information about the behaviors the suspicious file is expected to perform on the computing device, whether the suspicious file represents a security threat to the computing device; and
- adding, by the security program, information to the security database that indicates whether the suspicious file represents the security threat.
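The claimed flow (local database lookup first, and only on a miss a lookup of the file's developer for its declared behaviors, then a verdict written back to the database) modelled in Python. This is an added example, not code from the patent or its assignee; the publisher name, the in-memory "developer server", the disallowed-behavior policy and the fail-closed choice for an unknown developer are all constructed assumptions.

```python
import hashlib

# Constructed local security database keyed by file hash; True means "threat".
SECURITY_DB: dict = {}

# Constructed stand-in for the third-party developer's server (hypothetical
# publisher name): the behaviors its software declares it will perform.
DEVELOPER_SERVERS = {
    "example-vendor.test": {"behaviors": ["writes_user_config", "checks_for_updates"]},
}

# Constructed policy: declared behaviors the program treats as threat indicators.
DISALLOWED = {"disables_security_software", "encrypts_user_files", "installs_kernel_driver"}


def file_id(content: bytes) -> str:
    """Identify the file by its SHA-256 digest (the database key)."""
    return hashlib.sha256(content).hexdigest()


def assess_file(content: bytes, metadata: dict, db=SECURITY_DB, servers=DEVELOPER_SERVERS) -> bool:
    """Return True if the file is judged a threat, following the claim's order:
    database lookup first; only on a miss, consult the developer's own server."""
    fid = file_id(content)
    if fid in db:                       # known verdict: no online lookup at all
        return db[fid]
    # Assumption: the developer is identified from the file's publisher metadata.
    publisher = metadata.get("publisher")
    record = servers.get(publisher) if publisher else None
    if record is None:
        verdict = True                  # assumption: no developer information, fail closed
    else:
        verdict = bool(set(record["behaviors"]) & DISALLOWED)
    db[fid] = verdict                   # record the verdict for future lookups
    return verdict
```

The second call on the same content is answered from the database even when no developer server is reachable, which is the ordering the claim fixes.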
Abstract
The disclosed computer-implemented method for obtaining information about security threats on endpoint devices may include (1) detecting, by a security program on a computing device, an attempt to access at least one suspicious file, (2) before permitting the computing device to access the suspicious file, identifying, by the security program, at least one third-party resource not associated with the security program that contains information potentially indicative of the trustworthiness of the suspicious file, (3) obtaining, by the security program from the third-party resource, the information potentially indicative of the trustworthiness of the suspicious file, and then (4) determining, by the security program based at least in part on the information potentially indicative of the trustworthiness of the suspicious file, whether the suspicious file represents a security threat to the computing device. Various other methods, systems, and computer-readable media are also disclosed.
16 Citations
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 20.
9. A system for obtaining information about security threats on endpoint devices, the system comprising:
- a detection module, stored in memory, that detects, as part of a security program on a computing device, an attempt to access at least one suspicious file;
- an identification module, stored in memory, that, before the computing device is permitted to access the suspicious file:
  - searches, as part of the security program, a security database utilized by the security program for information indicative of the trustworthiness of the suspicious file;
  - determines, as part of the security program, based on the search, that the security database does not store the information indicative of the trustworthiness of the suspicious file;
  - identifies, as part of the security program, in response to determining that the security database does not store the information indicative of the trustworthiness of the suspicious file, at least one third-party resource that:
    - is not associated with the security program; and
    - is at least partially responsible for developing the suspicious file; and
  - determines, based on the third-party resource being at least partially responsible for developing the suspicious file, that the third-party resource potentially contains information about behaviors the suspicious file is expected to perform on the computing device;
- an information module, stored in memory, that:
  - performs, as part of the security program, an online search for the third-party resource by identifying a server that is hosted by the third-party resource and potentially stores the information about the behaviors the suspicious file is expected to perform on the computing device; and
  - accesses, as part of the security program, the server to obtain the information about the behaviors the suspicious file is expected to perform on the computing device;
- a determination module, stored in memory, that determines, as part of the security program, based at least in part on the information about the behaviors the suspicious file is expected to perform on the computing device, whether the suspicious file represents a security threat to the computing device;
- a security module, stored in memory, that adds, as part of the security program, information to the security database that indicates whether the suspicious file represents the security threat; and
- at least one processor configured to execute the detection module, the identification module, the information module, the determination module, and the security module.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect, by a security program on the computing device, an attempt to access at least one suspicious file;
- before permitting the computing device to access the suspicious file:
  - search, by the security program, a security database utilized by the security program for information indicative of the trustworthiness of the suspicious file; and
  - determine, by the security program, based on the search, that the security database does not store the information indicative of the trustworthiness of the suspicious file;
- in response to determining that the security database does not store the information indicative of the trustworthiness of the suspicious file:
  - identify, by the security program, at least one third-party resource that:
    - is not associated with the security program; and
    - is at least partially responsible for developing the suspicious file;
  - determine, based on the third-party resource being at least partially responsible for developing the suspicious file, that the third-party resource potentially contains information about behaviors the suspicious file is expected to perform on the computing device;
  - perform, by the security program, an online search for the third-party resource by identifying a server that is hosted by the third-party resource and potentially stores the information about the behaviors the suspicious file is expected to perform on the computing device; and
  - access, by the security program, the server to obtain the information about the behaviors the suspicious file is expected to perform on the computing device; and
- determine, by the security program based at least in part on the information about the behaviors the suspicious file is expected to perform on the computing device, whether the suspicious file represents a security threat to the computing device; and
- add, by the security program, information to the security database that indicates whether the suspicious file represents the security threat.

Dependent claims: 18, 19.
Specification