Behavioral-based control of access to encrypted content by a process
First Claim
1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:
- monitoring an exposure state of the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the endpoint is either exposed or secure, the endpoint initially identified as secure, and the endpoint identified as exposed when a combination of two or more events associated with a process on the endpoint is determined to indicate an exposed state by one of the plurality of behavioral rules; and
- when the exposure state of the endpoint is exposed, controlling access by the endpoint to a plurality of encrypted files stored on a storage resource remote from the endpoint through an extension to a file system filter that conditionally decrypts one or more of the plurality of encrypted files for the endpoint according to the exposure state of the endpoint.
Abstract
Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.
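The abstract describes a small taint-propagation state machine: every process starts secure, three rules flip it to exposed (poor-reputation external connection, opening an exposed file, receiving a handle from an exposed process), and a file system filter refuses to decrypt for an exposed process until it is remediated. The following is an added example that models those rules in Python; it is not the patent's implementation. The internal domain list, the reputation set, the event names, the rule that a file becomes exposed when an exposed process writes to it, and the SHA-256 counter keystream standing in for a real cipher are all constructed assumptions for the demo.

```python
"""Toy model of the exposure-state monitor and conditional-decryption filter
described in the abstract. Added example, not the patent's code; policy data
and the cipher below are constructed stand-ins."""
from dataclasses import dataclass
from urllib.parse import urlparse
import hashlib

SECURE, EXPOSED = "secure", "exposed"

# Constructed policy data (assumption: a real deployment would pull these
# from enterprise configuration and a URL reputation service).
INTERNAL_DOMAINS = {"corp.example"}
POOR_REPUTATION_HOSTS = {"downloads.bad-reputation.example"}


@dataclass
class Event:
    kind: str              # "net_connect" | "file_open" | "file_write" | "open_handle"
    pid: int               # process that performed the action
    target: object = None  # URL string, file path, or target pid


def is_external_poor_reputation(url: str) -> bool:
    """Rule (2) predicate: host is outside the enterprise and has poor reputation."""
    host = (urlparse(url).hostname or "").lower()
    internal = any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)
    return not internal and host in POOR_REPUTATION_HOSTS


class ExposureMonitor:
    """Integrity monitor: tracks per-process exposure; every process starts secure."""
    def __init__(self):
        self.proc_state: dict[int, str] = {}
        self.file_state: dict[str, str] = {}
        self.log: list[str] = []

    def state(self, pid: int) -> str:
        return self.proc_state.get(pid, SECURE)          # rule (1): secure by default

    def _expose(self, pid: int, reason: str) -> None:
        if self.state(pid) != EXPOSED:
            self.proc_state[pid] = EXPOSED
            self.log.append(f"pid {pid} exposed: {reason}")

    def observe(self, ev: Event) -> None:
        exposed = self.state(ev.pid) == EXPOSED
        if ev.kind == "net_connect" and is_external_poor_reputation(ev.target):
            self._expose(ev.pid, f"connected to {ev.target}")             # rule (2)
        elif ev.kind == "file_open" and self.file_state.get(ev.target) == EXPOSED:
            self._expose(ev.pid, f"opened exposed file {ev.target}")      # rule (3)
        elif ev.kind == "file_write" and exposed:
            # Assumption: a file written by an exposed process becomes exposed;
            # this is how a file acquires the label that rule (3) checks.
            self.file_state[ev.target] = EXPOSED
        elif ev.kind == "open_handle" and exposed:
            self._expose(ev.target, f"handle opened by exposed pid {ev.pid}")  # rule (4)

    def remediate(self, pid: int) -> None:
        """Remediation component: return a process to the secure state."""
        self.proc_state[pid] = SECURE
        self.log.append(f"pid {pid} remediated")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Demo-only symmetric cipher (SHA-256 counter keystream); a real filter
    # would use an authenticated cipher such as AES-GCM.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class FileSystemFilter:
    """Filter extension: decrypts a file for a process only while it is secure."""
    def __init__(self, monitor: ExposureMonitor, key: bytes):
        self.monitor, self.key = monitor, key
        self.store: dict[str, bytes] = {}   # path -> ciphertext (the "remote storage")

    def write_encrypted(self, path: str, plaintext: bytes) -> None:
        self.store[path] = _keystream_xor(self.key, plaintext)

    def read(self, pid: int, path: str):
        self.monitor.observe(Event("file_open", pid, path))
        if self.monitor.state(pid) == EXPOSED:
            return None                      # denied: never decrypt for an exposed process
        return _keystream_xor(self.key, self.store[path])


def demo() -> dict:
    """Walks the rules in order and returns the observed states and read results."""
    mon = ExposureMonitor()
    fs = FileSystemFilter(mon, key=b"constructed-demo-key")
    fs.write_encrypted("/share/finance.xlsx", b"quarterly numbers")
    r = {"before": fs.read(100, "/share/finance.xlsx")}
    mon.observe(Event("net_connect", 100, "https://intranet.corp.example/report"))
    r["after_internal"] = mon.state(100)     # internal host: still secure
    mon.observe(Event("net_connect", 100, "https://downloads.bad-reputation.example/x"))
    r["after_external"] = mon.state(100)     # rule (2) fires
    r["denied"] = fs.read(100, "/share/finance.xlsx")
    mon.observe(Event("open_handle", 100, 200))
    r["pid200"] = mon.state(200)             # rule (4): taint follows the handle
    mon.observe(Event("file_write", 200, "/tmp/dropped.bin"))
    mon.observe(Event("file_open", 300, "/tmp/dropped.bin"))
    r["pid300"] = mon.state(300)             # rule (3): taint follows the file
    mon.remediate(100)
    r["after_remediation"] = fs.read(100, "/share/finance.xlsx")
    return r
```

Running `demo()` shows the two properties the claims hinge on: decryption is a function of the caller's exposure state, not of its credentials, and exposure spreads along handles and files so a compromised process cannot launder access through a helper it spawns.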
Claims
19 claims; 114 citations.
1. (Independent; text as given under First Claim above.) Dependent claims: 2, 3, 4.

5. A method comprising:
- monitoring an exposure state of an endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the endpoint is either exposed or secure, the endpoint initially identified as secure and the endpoint identified as exposed when a combination of two or more events associated with a process on the endpoint is determined to indicate an exposed state by one of the plurality of behavioral rules; and
- when the exposure state of the endpoint is exposed, controlling access by the endpoint to a plurality of encrypted files through an extension to a file system filter that conditionally decrypts one or more of the plurality of encrypted files for the endpoint according to the exposure state of the endpoint.
Dependent claims: 6 through 17.

18. A system comprising:
- an endpoint;
- a storage resource remote from the endpoint and in communication with the endpoint, the storage resource storing a plurality of encrypted files;
- a file system on the endpoint, the file system configured to manage access to the plurality of encrypted files by the endpoint, the file system including an extension configured to monitor an exposure state of the endpoint and to restrict access to the plurality of encrypted files based on the exposure state of the endpoint by conditionally decrypting one of the files of the plurality of encrypted files based on the exposure state;
- an integrity monitor configured to evaluate the exposure state of the endpoint by applying a plurality of behavioral rules to determine whether the exposure state of the endpoint is either exposed or secure, the endpoint initially identified as secure and the endpoint identified as exposed when a combination of two or more events associated with a process on the endpoint is determined to indicate an exposed state by one of the plurality of behavioral rules; and
- a remediation component configured to remediate the endpoint from the exposure state of exposed to the exposure state of secure for unrestricted access to the plurality of encrypted files.
Dependent claim: 19.
Specification