Tracking of software executables that come from untrusted locations

US 10,389,743 B1
Filed: 12/22/2016
Issued: 08/20/2019
Est. Priority Date: 12/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computing device for use in a computing system, the computing device comprising:

a network interface configured to receive files via a network;

an input/output interface configured to access files on a storage device; and

a processing unit comprising circuitry configured to;

determine content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;

determine a process that is trusted touches a first file that is untrusted;

mark the process as being untrusted, responsive to the process touching the first file;

determine the process subsequently touches a second file not marked as untrusted; and

mark the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for tracking content derived from unverified sources are described. A tracking application determines a file is untrusted when it is obtained from an unverified or untrusted source. Examples of unverified sources include remote servers accessed through a network and removable storage devices. The application marks the file as untrusted by inserting an identification of the file in a watchlist. A filter driver monitors I/O transactions and conveys information regarding file operations and corresponding processes to the tracking application. The filter driver detects a trusted process touches an untrusted file. The application marks the process as being untrusted. The filter driver detects the process subsequently touches another file. The application then marks this other file as untrusted.

35 Citations

View as Search Results

20 Claims

1. A computing device for use in a computing system, the computing device comprising:
- a network interface configured to receive files via a network;
  
  an input/output interface configured to access files on a storage device; and
  
  a processing unit comprising circuitry configured to;
  
  determine content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;
  
  determine a process that is trusted touches a first file that is untrusted;
  
  mark the process as being untrusted, responsive to the process touching the first file;
  
  determine the process subsequently touches a second file not marked as untrusted; and
  
  mark the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computing device as recited in claim 1, wherein determining the first file is untrusted further comprises determining the first file is received from one of the network and the storage device.
  - 3. The computing device as recited in claim 1, wherein marking the second file as untrusted comprises inserting an identification of a storage location storing the second file in the node of the second file in the watchlist of untrusted content.
  - 4. The computing device as recited in claim 3, wherein the processing unit is further configured to remove the stored indication of the second file in the watchlist responsive to determining the second file has been deleted.
  - 5. The computing device as recited in claim 1, wherein detecting the second file as being not marked as untrusted prior to being touched by the process comprises determining an identification of the second file is not found in the watchlist of untrusted content.
  - 6. The computing device as recited in claim 1, wherein marking the second file as untrusted further comprises inserting a weight associated with the node of the second file that is indicative a number of nodes previously inserted in the watchlist and are used to create the node of the second file.
  - 7. The computing device as recited in claim 6, wherein the processing unit is further configured to remove the stored indication of the process in the watchlist responsive to determining a given time period has elapsed.
  - 8. The computing device as recited in claim 6, wherein the processing unit is further configured to remove the stored indication of the process in the watchlist responsive to determining the process has ceased to exist.

9. A method comprising:
- determining content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;
  
  determining a process in a computing system that is trusted touches a first file that is untrusted;
  
  marking the process as being untrusted, responsive to the process touching the first file;
  
  determining the process subsequently touches a second file not marked as untrusted; and
  
  marking the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method as recited in claim 9, wherein determining the first file is untrusted further comprises determining the first file is received from one of the network and the storage device.
  - 11. The method as recited in claim 9, wherein marking the second file as untrusted comprises inserting an identification of a storage location storing the second file in the node of the second file in the watchlist of untrusted content.
  - 12. The method as recited in claim 11, further comprising removing the stored indication of the second file in the watchlist responsive to determining the second file has been deleted.
  - 13. The method as recited in claim 9, wherein detecting the second file as being not marked as untrusted prior to being touched by the process comprises determining an identification of the second file is not found in the watchlist of untrusted content.
  - 14. The method as recited in claim 9, wherein marking the second file as untrusted further comprises inserting a weight associated with the node of the second file indicative of a number of nodes previously inserted in the watchlist.
  - 15. The method as recited in claim 14, further comprising removing the stored indication of the process in the watchlist responsive to determining a given time period has elapsed.
  - 16. The method as recited in claim 14, further comprising removing the stored indication of the process in the watchlist responsive to determining the process has ceased to exist.

17. A non-transitory computer readable storage medium storing program instructions, wherein the program instructions are executable by a processor to:
- determine content is untrusted in response to finding identification of the content in a watchlist of untrusted content, wherein the watchlist of untrusted content comprises an identification of untrusted files and processes;
  
  determine a process in a computing system that is trusted touches a first file that is untrusted;
  
  mark the process as being untrusted, responsive to the process touching the first file;
  
  determine the process subsequently touches a second file not marked as untrusted; and
  
  mark the second file as untrusted, responsive to determining the second file is touched by the process, wherein marking the second file as untrusted comprises inserting an identification of the second file as a node in the watchlist and an identification of the process as an edge of the node in the watchlist, wherein the identification of the process associates the first file with the second file.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable storage device as recited in claim 17, wherein detecting the second file as being not marked as untrusted prior to being touched by the process further comprises determining an identification of the second file is not found in a watchlist of untrusted content.
  - 19. The non-transitory computer readable storage device as recited in claim 18, wherein the program instructions are further configured to remove the stored indication of the second file in the watchlist responsive to determining the second file has been deleted.
  - 20. The non-transitory computer readable storage device as recited in claim 17, wherein marking the second file as untrusted comprises inserting an identification of a storage location storing the second file in the node of the second file in the watchlist of untrusted content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kois, Aleksander
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/387,887
Time in Patent Office

971 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Tracking of software executables that come from untrusted locations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Tracking of software executables that come from untrusted locations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others