Validation for behavior-blocking system

US 20040123117A1
Filed: 12/18/2002
Published: 06/24/2004
Est. Priority Date: 12/18/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

detecting a potentially malicious action of a potentially unsafe application on a first computer system;

checking a local configuration on said first computer system to determine if said potentially unsafe application is an application unknown to said first computer system, wherein upon a determination that said potentially unsafe application is an application unknown to said first computer system during said checking, said method further comprising;

sending an application characteristic of said potentially unsafe application to a second computer system; and

receiving a first response from said second computer system, said first response indicating whether said potentially unsafe application is a safe application, an unsafe application or an unknown application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes detecting a potentially malicious action of a potentially unsafe application on a host computer system; sending an application characteristic of the potentially unsafe application to a server system; and receiving a response from the server system indicating whether the potentially unsafe application is a safe application, an unsafe application or an unknown application. If the potentially unsafe application in an unknown application, the potentially unsafe application is executed in a sandbox on the server system.

110 Citations

36 Claims

1. A method comprising:
- detecting a potentially malicious action of a potentially unsafe application on a first computer system;
  
  checking a local configuration on said first computer system to determine if said potentially unsafe application is an application unknown to said first computer system, wherein upon a determination that said potentially unsafe application is an application unknown to said first computer system during said checking, said method further comprising;
  
  sending an application characteristic of said potentially unsafe application to a second computer system; and
  
  receiving a first response from said second computer system, said first response indicating whether said potentially unsafe application is a safe application, an unsafe application or an unknown application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 further comprising suspending said potentially unsafe application subsequent to said detecting.
  - 3. The method of claim 1 wherein said checking a local configuration on said first computer system further comprises determining if said potentially unsafe application is an application known safe or unsafe to said first computer system.
  - 4. The method of claim 3 further comprising suspending said potentially unsafe application subsequent to said detecting, wherein upon a determination that said potentially unsafe application is a known safe application during said checking, said method further comprising resuming said potentially unsafe application.
  - 5. The method of claim 3 wherein upon a determination that said potentially unsafe application is a known unsafe application during said checking, said method further comprising terminating said potentially unsafe application.
  - 6. The method of claim 5 further comprising notifying a user of said first computer system or an administrator that said potentially unsafe application has been terminated.
  - 7. The method of claim 1 wherein said application characteristic is used during said checking.
  - 8. The method of claim 7 further comprising hashing said potentially unsafe application to generate a hash key, said application characteristic comprising said hash key.
  - 9. The method of claim 8 wherein said application characteristic further comprises an indication of said potentially malicious action.
  - 10. The method of claim 1 further comprising suspending said potentially unsafe application subsequent to said detecting, wherein upon said first response indicating that said potentially unsafe application is a safe application, said method further comprising resuming said potentially unsafe application.
  - 11. The method of claim 1 wherein upon said first response indicating that said potentially unsafe application is an unsafe application, said method further comprising terminating said potentially unsafe application.
  - 12. The method of claim 11 further comprising notifying a user of said first computer system or an administrator that said potentially unsafe application has been terminated.
  - 13. The method of claim 1 wherein upon said first response indicating that said potentially unsafe application is an unknown application, said method further comprising:
    - sending said potentially unsafe application to said second computer system.
  - 14. The method of claim 13 further comprising receiving a second response from said second computer system, said second response indicating whether said potentially unsafe application is a safe application or an unsafe application.
  - 15. The method of claim 14 further comprising suspending said potentially unsafe application subsequent to said detecting, wherein upon said second response indicating that said potentially unsafe application is a safe application, said method further comprising resuming said potentially unsafe application.
  - 16. The method of claim 15 further comprising updating said local configuration.
  - 17. The method of claim 14 wherein upon said second response indicating that said potentially unsafe application is an unsafe application, said method further comprising terminating said potentially unsafe application.
  - 18. The method of claim 17 further comprising updating said local configuration.
  - 19. The method of claim 1 further comprising updating said local configuration of said first computer system by pulling application characteristics of known safe applications and known unsafe applications from said second computer system.
  - 20. The method of claim 1 further comprising updating said local configuration of said first computer system by pushing application characteristics of known safe applications and known unsafe applications to said first computer system.

21. A method comprising:
- receiving an application characteristic of a potentially unsafe application; and
  
  using said application characteristic to determine whether said potentially unsafe application is a known safe application, a known unsafe application, or an unknown application.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The method of claim 21 wherein upon a determination that said potentially unsafe application is a known safe application during said using, said method further comprising:
    - sending a safe application response.
  - 23. The method of claim 21 wherein upon a determination that said potentially unsafe application is a known unsafe application during said using, said method further comprising:
    - sending an unsafe application response.
  - 24. The method of claim 21 wherein upon a determination that said potentially unsafe application is an unknown application during said using, said method further comprising:
    - sending an unknown application response.
  - 25. The method of claim 24 further comprising:
    - receiving said potentially unsafe application; and
      
      determining whether said potentially unsafe application is a safe application or an unsafe application.
  - 26. The method of claim 25 wherein upon a determination that said potentially unsafe application is a safe application during said determining, said method further comprising:
    - sending a safe application response.
  - 27. The method of claim 25 wherein upon a determination that said potentially unsafe application is an unsafe application during said determining, said method further comprising:
    - sending an unsafe application response.
  - 28. The method of claim 25 further comprising updating a local configuration of a validation server.
  - 29. The method of claim 25 wherein said determining comprises executing said potentially unsafe application in a sandbox.

30. A method comprising:
- detecting a potentially malicious action of a potentially unsafe application on a first computer system;
  
  sending an application characteristic of said potentially unsafe application to a second computer system; and
  
  receiving a first response from said second computer system, said first response indicating whether said potentially unsafe application is a safe application, an unsafe application or an unknown application.

31. A computer-program product comprising a computer-readable medium containing computer program code comprising:
- a monitoring and detection application for detecting a potentially malicious action of a potentially unsafe application on a first computer system, said monitoring and detection application further for sending an application characteristic of said potentially unsafe application to a second computer system, and said monitoring and detection application further for receiving a first response from said second computer system, said first response indicating whether said potentially unsafe application is a safe application, an unsafe application or an unknown application.

32. A computer-program product comprising a computer-readable medium containing computer program code comprising:
- a validation application for receiving an application characteristic of a potentially unsafe application, and said validation application further for using said application characteristic to determine whether said potentially unsafe application is a known safe application, a known unsafe application, or an unknown application.

33. A method comprising:
- detecting a potentially malicious action of a potentially unsafe application; and
  
  using a local configuration to determine if said potentially unsafe application is an unknown application.

34. A method comprising:
- detecting a potentially malicious action of a potentially unsafe application on a first computer system;
  
  checking a local configuration on said first computer system to determine if said potentially unsafe application is an application unknown to said first computer system, wherein upon a determination that said potentially unsafe application is an application unknown to said first computer system during said checking, said method further comprises;
  
  determining whether a secure connection exists between said first computer and a second computer.
- View Dependent Claims (35, 36)
- - 35. The method of claim 34 wherein a determination is made during said determining that said secure connection does not exist, said method further comprising terminating said potentially unsafe application.
  - 36. The method of claim 34 wherein a determination is made during said determining that said secure connection does not exist, said method further comprising suspending said potentially unsafe application until establishment of said secure connection, wherein upon said establishment, said method further comprising:
    - sending an application characteristic of said potentially unsafe application to said second computer system; and
      
      receiving a first response from said second computer system, said first response indicating whether said potentially unsafe application is a safe application, an unsafe application or an unknown application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Berger, Henry W.

Application Number

US10/325,580
Publication Number

US 20040123117A1
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Validation for behavior-blocking system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

110 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Validation for behavior-blocking system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others