Tracking of software executables that come from untrusted locations
First Claim
1. A computing device for use in a computing system, the computing device comprising:
- a network interface configured to receive files via a network;
- an input/output interface configured to access files on a storage device; and
- a processing unit comprising circuitry configured to:
  - determine content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;
  - determine a process that is trusted touches a first file that is untrusted;
  - mark the process as being untrusted, responsive to the process touching the first file;
  - determine the process subsequently touches a second file not marked as untrusted; and
  - mark the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.
Abstract
A system and method for tracking content derived from unverified sources are described. A tracking application determines a file is untrusted when it is obtained from an unverified or untrusted source. Examples of unverified sources include remote servers accessed through a network and removable storage devices. The application marks the file as untrusted by inserting an identification of the file in a watchlist. A filter driver monitors I/O transactions and conveys information regarding file operations and corresponding processes to the tracking application. The filter driver detects a trusted process touches an untrusted file. The application marks the process as being untrusted. The filter driver detects the process subsequently touches another file. The application then marks this other file as untrusted.
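As an added illustration of the watchlist mechanism the abstract describes (example code, not the patent's implementation), the following Python models the watchlist as a graph: untrusted files and processes are nodes, and the process that carried taint from one file to the next is recorded as the edge between them. File names, process names, the download URL and the touch events are all constructed for the example.

```python
"""Constructed model of a taint-propagating watchlist (not the patent's code)."""
from dataclasses import dataclass, field


@dataclass
class Watchlist:
    # files: untrusted file -> list of (process, previous_file) edges.
    #        A root file obtained from an unverified source has edge (None, source).
    # processes: untrusted process -> first untrusted file it touched.
    files: dict = field(default_factory=dict)
    processes: dict = field(default_factory=dict)

    def is_untrusted(self, ident):
        return ident in self.files or ident in self.processes

    def mark_untrusted_source(self, path, source):
        """File arrived from an unverified source (network, removable media)."""
        self.files.setdefault(path, []).append((None, source))

    def on_touch(self, process, path):
        """One 'process touched file' event, as a filter driver would report it.
        Returns 'process' or 'file' if something was newly marked, else None."""
        if process in self.processes:
            if path not in self.files:
                # Untrusted process touched a clean file: new node; the process is
                # the edge associating the first untrusted file with this one.
                self.files[path] = [(process, self.processes[process])]
                return "file"
            return None
        if path in self.files:
            # Trusted process touched an untrusted file: the process is now untrusted.
            self.processes[process] = path
            return "process"
        return None

    def provenance(self, path):
        """Walk edges back to the root: list of (file, process_that_tainted_it)."""
        chain, seen = [], set()
        while path in self.files and path not in seen:
            seen.add(path)
            process, prev = self.files[path][0]
            chain.append((path, process))
            if process is None:
                break  # reached the file obtained from the unverified source
            path = prev
        return chain


def demo():
    wl = Watchlist()
    wl.mark_untrusted_source("setup.exe", "http://example.invalid/setup.exe")
    events = [("explorer", "setup.exe"), ("explorer", "notes.txt"),
              ("editor", "notes.txt"), ("editor", "report.docx"),
              ("editor", "setup.exe")]
    return wl, [wl.on_touch(p, f) for p, f in events]
```

Running `demo()` shows the taint travelling setup.exe to explorer to notes.txt to editor to report.docx, and `provenance("report.docx")` reconstructs that chain from the stored edges.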
20 Claims
1. A computing device for use in a computing system, the computing device comprising:
- a network interface configured to receive files via a network;
- an input/output interface configured to access files on a storage device; and
- a processing unit comprising circuitry configured to:
  - determine content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;
  - determine a process that is trusted touches a first file that is untrusted;
  - mark the process as being untrusted, responsive to the process touching the first file;
  - determine the process subsequently touches a second file not marked as untrusted; and
  - mark the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method comprising:
- determining content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;
- determining a process in a computing system that is trusted touches a first file that is untrusted;
- marking the process as being untrusted, responsive to the process touching the first file;
- determining the process subsequently touches a second file not marked as untrusted; and
- marking the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A non-transitory computer readable storage medium storing program instructions, wherein the program instructions are executable by a processor to:
- determine content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;
- determine a process in a computing system that is trusted touches a first file that is untrusted;
- mark the process as being untrusted, responsive to the process touching the first file;
- determine the process subsequently touches a second file not marked as untrusted; and
- mark the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.

Dependent claims: 18, 19, 20.
Specification