Agent assisted malicious application blocking in a network environment
First Claim
1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by a processor cause the processor to:
- receive metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;
- request a threat intelligence reputation score based on the hash of the application;
- determine an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and
- send a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.
Abstract
Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score.
Claims (20)
1. At least one non-transitory machine readable storage medium encoded with instructions for blocking malware, wherein the instructions, when executed by a processor cause the processor to:
- receive metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;
- request a threat intelligence reputation score based on the hash of the application;
- determine an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and
- send a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.
Dependent claims 2 to 10 not shown.

11. An apparatus for blocking malware, the apparatus comprising:
- a hardware processor;
- a memory element; and
- an endpoint intelligence agent configured to run on the processor to:
  - receive metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;
  - request a threat intelligence reputation score based on the hash of the application;
  - determine an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and
  - send a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.
Dependent claims 12 to 16 not shown.

17. A method for blocking malware, the method comprising:
- receiving metadata of a process intercepted by an end host when attempting to access a network, wherein the metadata includes a hash of an application associated with the process and an endpoint reputation score of the application;
- requesting a threat intelligence reputation score based on the hash of the application;
- determining an action to be taken by the end host based, at least in part, on a policy and at least one of the threat intelligence reputation score and the endpoint reputation score; and
- sending a response indicating an action to be taken by the end host, wherein, if the action includes allowing a network session established by the process to continue, the end host is to monitor the network session to identify a module invoked by the application that indicates some degree of maliciousness based on the activities performed by the module for the application.
Dependent claims 18 to 20 not shown.
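The decision flow the independent claims describe (hash plus endpoint score in, threat-intelligence lookup, policy, action out, then module monitoring while an allowed session continues), as an added illustration written for this page and not code from the patent or any product. The threat-intelligence table, the placeholder hashes, the score thresholds and the "lower score wins" rule are all assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class Action(Enum):
    ALLOW = "allow"
    MONITOR = "allow_and_monitor"   # session continues under module monitoring
    BLOCK = "block"

# Constructed threat-intelligence feed keyed by application/module hash.
# Keys are placeholders, not real indicators; scores run 0 (malicious) to 100 (trusted).
THREAT_INTEL: Dict[str, int] = {
    "sha256:PLACEHOLDER-known-good-app": 95,
    "sha256:PLACEHOLDER-known-bad-app": 10,
    "sha256:PLACEHOLDER-known-bad-dll": 15,
}

@dataclass
class ProcessMetadata:
    """What the end host sends when it intercepts a process opening a network connection."""
    app_hash: str
    endpoint_reputation: int                      # score computed locally on the end host
    loaded_module_hashes: List[str] = field(default_factory=list)  # DLLs seen during the session

@dataclass(frozen=True)
class Policy:
    block_below: int = 30        # score below this -> block
    allow_at_or_above: int = 70  # score at or above this -> allow without monitoring

def request_ti_score(object_hash: str) -> Optional[int]:
    """Stand-in for the threat-intelligence lookup; None means the hash is unknown."""
    return THREAT_INTEL.get(object_hash)

def decide(meta: ProcessMetadata, policy: Policy = Policy()) -> Action:
    """Initial decision from the application hash and the two reputation scores.
    Assumed policy: when both scores exist, the lower one wins (conservative choice)."""
    ti = request_ti_score(meta.app_hash)
    score = meta.endpoint_reputation if ti is None else min(ti, meta.endpoint_reputation)
    if score < policy.block_below:
        return Action.BLOCK
    if score >= policy.allow_at_or_above:
        return Action.ALLOW
    return Action.MONITOR

def monitor_session(meta: ProcessMetadata, policy: Policy = Policy()) -> Action:
    """Second pass while an allowed session continues: each module the application loads
    is hashed and looked up, and a module with a low TI score turns the session into a block."""
    for module_hash in meta.loaded_module_hashes:
        ti = request_ti_score(module_hash)
        if ti is not None and ti < policy.block_below:
            return Action.BLOCK
    return Action.MONITOR

def evaluate(meta: ProcessMetadata, policy: Policy = Policy()) -> Action:
    """Full flow: block or allow outright, otherwise keep the session open and watch its modules."""
    action = decide(meta, policy)
    return monitor_session(meta, policy) if action is Action.MONITOR else action
```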
Specification