Process vulnerability assessment

US 10,445,505 B2
Filed: 09/22/2014
Issued: 10/15/2019
Est. Priority Date: 09/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device configured to provide security monitoring with reduced interference to user operation, comprising:

a network interface configured to communicatively couple the computing device to a server; and

one or more logic elements, including at least one hardware logic element, comprising a vulnerability assessment engine comprising a shim application to be inserted via operating system hooks to run invisibly to applications running at an application level, the vulnerability assessment engine configured to;

intercept via the shim application a non-prelaunch runtime operation of an executable object;

send via the network interface a validation request for the runtime operation in context of the executable object;

receive a response code for the validation request, the response code comprising a common platform enumeration (CPE)-like string comprising a reputation for the runtime operation; and

act according to the response code, blocking the runtime operation by the executable object.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a vulnerability assessment engine is disclosed. The vulnerability assessment engine may include a shim application and a shim agent. The shim application sits at a relatively low level in an operational stack, such as just above the operating system itself. It may intercept system calls through operating system hooks or other means, so as to determine whether an action taken by an executable object should be allowed. The vulnerability assessment engine sends an identifier, such as a common platform enumeration (CPE)-like string to a server, which queries a database to determine a response code for the action. The response code may indicate that the action should be allowed, blocked, allowed with a warning, or other useful action. A shim agent may also be installed to receive notifications from the server or to query the server for available updates or patches for the executable object.

Citations

27 Claims

1. A computing device configured to provide security monitoring with reduced interference to user operation, comprising:
- a network interface configured to communicatively couple the computing device to a server; and
  
  one or more logic elements, including at least one hardware logic element, comprising a vulnerability assessment engine comprising a shim application to be inserted via operating system hooks to run invisibly to applications running at an application level, the vulnerability assessment engine configured to;
  
  intercept via the shim application a non-prelaunch runtime operation of an executable object;
  
  send via the network interface a validation request for the runtime operation in context of the executable object;
  
  receive a response code for the validation request, the response code comprising a common platform enumeration (CPE)-like string comprising a reputation for the runtime operation; and
  
  act according to the response code, blocking the runtime operation by the executable object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing device of claim 1, wherein the response code comprises a flag for one of allow, warn, stop, and monitor.
  - 3. The computing device of claim 1, wherein acting according to the response code comprises taking an action selected from the group consisting of allowing the runtime operation, allowing the runtime operation with a warning to an end user, allowing the runtime operation with a warning to a security administrator, allowing the runtime operation only if a confirmation is received from an end user, allowing the runtime operation only if a confirmation is received from a security administrator, allowing the runtime operation unless a refusal is received from an end user, allowing the runtime operation unless a refusal is received from a security administrator, blocking the action, providing a warning to an end user, providing a warning to a security administrator, creating a log entry, updating a whitelist, updating a blacklist, updating a gray list, monitoring the executable object, and reporting information about behavior of the executable object.
  - 4. The computing device of claim 1, wherein sending the validation request comprises providing an identification packet for the computing device and executable object.
  - 5. The computing device of claim 4, wherein the identification packet is a CPE-like string.
  - 6. The computing device of claim 1, wherein the shim application is configured to run with elevated system privileges.
  - 7. The computing device of claim 1, wherein the shim application is configured to intercept launching of a process invisibly to user-space applications.
  - 8. The computing device of claim 1, wherein the vulnerability assessment engine further comprises a shim application configured to execute with elevated privileges and intercept launching of a process via operating system hooks.
  - 9. The computing device of claim 1, wherein the vulnerability assessment engine comprises a shim agent configured to execute with substantially user-space privileges.
  - 10. The computing device of claim 9, wherein the shim agent is configured to receive a notification that a patch or update is available for the executable object, and to schedule application of the patch or update.
  - 11. The computing device of claim 10, wherein the shim agent is configured to send over the network interface an identification packet for the computing device and executable object.
  - 12. The computing device of claim 11, wherein the identification packet is a CPE-like string.
  - 13. The computing device of claim 1, wherein the vulnerability assessment engine is further configured to identify and cause to be installed updates or patches for the executable object.

14. One or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions configured to instruct a processor to provide a vulnerability assessment engine comprising a shim application to be inserted via operating system hooks to run invisibly to applications running at an application level, the vulnerability assessment engine configured to provide security monitoring with reduced interference to user operation, comprising instructions for:
- intercepting via the shim application a non-prelaunch runtime operation of an executable object;
  
  sending via the network interface a validation request for the runtime operation in context of the executable object;
  
  receiving a response code for the validation request, the response code comprising a common platform enumeration (CPE)-like string comprising a reputation for the runtime operation; and
  
  acting according to the response code, blocking the runtime operation by the executable object.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 27)
- - 15. The one or more computer-readable mediums of claim 14, wherein the response code comprises a flag for one of allow, warn, stop, and monitor.
  - 16. The one or more computer-readable mediums of claim 14, wherein acting according to the response code comprises taking an action selected from the group consisting of allowing the runtime operation, allowing the runtime operation with a warning to an end user, allowing the runtime operation with a warning to a security administrator, allowing the runtime operation only if a confirmation is received from an end user, allowing the runtime operation only if a confirmation is received from a security administrator, allowing the runtime operation unless a refusal is received from an end user, allowing the runtime operation unless a refusal is received from a security administrator, blocking the action, providing a warning to an end user, providing a warning to a security administrator, creating a log entry, updating a whitelist, updating a blacklist, updating a gray list, monitoring the executable object, and reporting information about behavior of the executable object.
  - 17. The one or more computer-readable mediums of claim 14, wherein sending the validation request comprises providing an identification packet for the computing device and executable object.
  - 18. The one or more computer-readable mediums of claim 17, wherein the identification packet is a CPE-like string.
  - 19. The one or more computer-readable mediums of claim 14, wherein the shim application is configured to run with elevated system privileges.
  - 20. The one or more computer-readable mediums of claim 14, wherein the shim application is configured to intercept launching of a process invisibly to user-space applications.
  - 21. The one or more computer-readable mediums of claim 14, wherein the vulnerability assessment engine comprises a shim agent configured to execute with substantially user-space privileges.
  - 22. The one or more computer-readable mediums of claim 21, wherein the shim agent is configured to receive a notification that a patch or update is available for the executable object, and to schedule application of the patch or update.
  - 23. The one or more computer-readable mediums of claim 22, wherein the shim agent is configured to send over the network interface a CPE-like string for the computing device and executable object.
  - 27. The one or more computer-readable mediums of claim 14, wherein the instructions are further configured to, according to the response code, allow the runtime operation by the executable object.

24. A method of providing security monitoring with reduced interference to user operation, comprising:
- Intercepting, via a shim application to be inserted via operating system hooks to run invisibly to applications running at an application level, a non-prelaunch runtime operation of an executable object;
  
  sending over a network interface a validation request for the runtime operation in context of the executable object;
  
  receiving a response code for the validation request, the response code comprising a common platform enumeration (CPE)-like string comprising a reputation for the runtime operation; and
  
  ,according to the response code, blocking the runtime operation by the executable object.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24, wherein a vulnerability assessment engine is configured to, according to the response code, allow the runtime operation by the executable object.
  - 26. The method of claim 24, further comprising, according to the response code, allowing the runtime operation by the executable object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Rebelo, Joshua Cajetan
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US14/493,293
Publication Number

US 20160085970A1
Time in Patent Office

1,849 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Process vulnerability assessment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Process vulnerability assessment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links