Process vulnerability assessment
First Claim
1. A computing device configured to provide security monitoring with reduced interference to user operation, comprising:
a network interface configured to communicatively couple the computing device to a server; and
one or more logic elements, including at least one hardware logic element, comprising a vulnerability assessment engine comprising a shim application to be inserted via operating system hooks to run invisibly to applications running at an application level, the vulnerability assessment engine configured to:
intercept via the shim application a non-prelaunch runtime operation of an executable object;
send via the network interface a validation request for the runtime operation in context of the executable object;
receive a response code for the validation request, the response code comprising a common platform enumeration (CPE)-like string comprising a reputation for the runtime operation; and
act according to the response code, blocking the runtime operation by the executable object.
Abstract
In an example, a vulnerability assessment engine is disclosed. The vulnerability assessment engine may include a shim application and a shim agent. The shim application sits at a relatively low level in an operational stack, such as just above the operating system itself. It may intercept system calls through operating system hooks or other means, so as to determine whether an action taken by an executable object should be allowed. The vulnerability assessment engine sends an identifier, such as a common platform enumeration (CPE)-like string to a server, which queries a database to determine a response code for the action. The response code may indicate that the action should be allowed, blocked, allowed with a warning, or other useful action. A shim agent may also be installed to receive notifications from the server or to query the server for available updates or patches for the executable object.
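The abstract describes an exchange rather than an implementation: the shim intercepts a runtime operation, the client sends a CPE-like identifier for the executable object plus the operation context to a server, the server answers with a response code, and the shim allows, warns or blocks. The following is an added example that models that exchange end to end; it is not code from the patent or its assignee. The "shim" here is a Python wrapper around one operation rather than a real operating-system hook, and the CPE-like identifier format, the response-code encoding, the reputation table and the fail-closed default are all assumptions made for illustration. It also covers the case the abstract leaves open, namely what the shim does when no usable verdict comes back.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    WARN = "allow_with_warning"
    BLOCK = "block"


@dataclass(frozen=True)
class ExecutableObject:
    vendor: str
    product: str
    version: str

    def cpe_like(self) -> str:
        # Assumed identifier format, loosely modelled on a CPE 2.3 name.
        return f"cpe:2.3:a:{self.vendor}:{self.product}:{self.version}"


@dataclass(frozen=True)
class ValidationRequest:
    subject: str    # CPE-like string identifying the executable object
    operation: str  # the intercepted runtime operation, e.g. "file_write"
    target: str     # the operation's argument (path, host, ...)


# Constructed reputation table standing in for the server-side database.
# Key: (CPE-like string, operation, target prefix); the longest matching prefix wins.
REPUTATION_DB: Dict[Tuple[str, str, str], Verdict] = {
    ("cpe:2.3:a:acme:editor:1.0", "file_write", "/home/"): Verdict.ALLOW,
    ("cpe:2.3:a:acme:editor:1.0", "file_write", "/etc/"): Verdict.BLOCK,
    ("cpe:2.3:a:acme:editor:1.0", "net_connect", ""): Verdict.WARN,
    ("cpe:2.3:a:acme:editor:0.9", "file_write", ""): Verdict.BLOCK,  # assumed vulnerable build
}


def server_lookup(req: ValidationRequest) -> str:
    """Server side: resolve the request against the table and return a response
    code (assumed encoding: CPE-like string, operation and reputation joined by ':')."""
    best: Optional[Tuple[str, Verdict]] = None
    for (cpe, op, prefix), verdict in REPUTATION_DB.items():
        if cpe == req.subject and op == req.operation and req.target.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, verdict)
    # An unknown (subject, operation) pair is surfaced as a warning, not a silent allow.
    verdict = best[1] if best else Verdict.WARN
    return f"{req.subject}:{req.operation}:{verdict.value}"


def parse_response(code: str, req: ValidationRequest) -> Verdict:
    """Client side: refuse a response code that was not issued for this exact request."""
    prefix = f"{req.subject}:{req.operation}:"
    if not code.startswith(prefix):
        raise ValueError("response code does not match the validation request")
    return Verdict(code[len(prefix):])


class Shim:
    """Stand-in for the shim application: performs a runtime operation only
    after the server's verdict permits it."""

    def __init__(self, subject: ExecutableObject,
                 transport: Callable[[ValidationRequest], str],
                 fail_closed: bool = True) -> None:
        self.subject = subject
        self.transport = transport      # sends the request and returns the response code
        self.fail_closed = fail_closed

    def intercept(self, operation: str, target: str,
                  perform: Callable[[], object]) -> Tuple[Verdict, object]:
        req = ValidationRequest(self.subject.cpe_like(), operation, target)
        try:
            verdict = parse_response(self.transport(req), req)
        except Exception:
            # No usable verdict (server down, tampered reply): the practical question is
            # whether the shim fails open or closed, so make that an explicit setting.
            verdict = Verdict.BLOCK if self.fail_closed else Verdict.WARN
        if verdict is Verdict.BLOCK:
            return verdict, None
        return verdict, perform()


def demo() -> Dict[str, str]:
    """Run a few intercepted operations and report the verdict applied to each."""
    editor = ExecutableObject("acme", "editor", "1.0")
    shim = Shim(editor, server_lookup)
    out: Dict[str, str] = {}
    out["home_write"] = shim.intercept("file_write", "/home/alice/notes.txt", lambda: "written")[0].value
    out["etc_write"] = shim.intercept("file_write", "/etc/passwd", lambda: "written")[0].value
    out["connect"] = shim.intercept("net_connect", "203.0.113.5:443", lambda: "connected")[0].value
    old = Shim(ExecutableObject("acme", "editor", "0.9"), server_lookup)
    out["old_version_write"] = old.intercept("file_write", "/home/alice/notes.txt", lambda: "written")[0].value

    def unreachable(req: ValidationRequest) -> str:
        raise ConnectionError("validation server unreachable")

    out["offline_fail_closed"] = Shim(editor, unreachable).intercept("file_write", "/home/alice/x", lambda: "w")[0].value
    out["offline_fail_open"] = Shim(editor, unreachable, fail_closed=False).intercept("file_write", "/home/alice/x", lambda: "w")[0].value
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two design points carry over to a real deployment. The client checks that the response code was issued for its own request before acting on it, so a replayed or misrouted verdict cannot authorise a different operation; and the fail-closed default means a shim that loses contact with the server blocks rather than silently allows, which is the safer choice for a component whose whole purpose is to gate actions.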
27 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2 to 13.
14. One or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions configured to instruct a processor to provide a vulnerability assessment engine comprising a shim application to be inserted via operating system hooks to run invisibly to applications running at an application level, the vulnerability assessment engine configured to provide security monitoring with reduced interference to user operation, comprising instructions for:
intercepting via the shim application a non-prelaunch runtime operation of an executable object;
sending via the network interface a validation request for the runtime operation in context of the executable object;
receiving a response code for the validation request, the response code comprising a common platform enumeration (CPE)-like string comprising a reputation for the runtime operation; and
acting according to the response code, blocking the runtime operation by the executable object.
Dependent claims: 15 to 23 and 27.
24. A method of providing security monitoring with reduced interference to user operation, comprising:
intercepting, via a shim application to be inserted via operating system hooks to run invisibly to applications running at an application level, a non-prelaunch runtime operation of an executable object;
sending over a network interface a validation request for the runtime operation in context of the executable object;
receiving a response code for the validation request, the response code comprising a common platform enumeration (CPE)-like string comprising a reputation for the runtime operation; and,
according to the response code, blocking the runtime operation by the executable object.
Dependent claims: 25 and 26.
Specification