System and method of monitoring and controlling application files
Abstract
A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the launched application to control access to the application on the workstation.
23 Claims
1. A method of adapting a system over the Internet which protects computers from malicious software programs, the method comprising:
identifying a malicious software program stored on a first computer;
determining whether the malicious software program is identified in a first database;
if the malicious software program is identified in the first database, applying one or more policies associated with the identified malicious software program;
if the malicious software program is not identified in the first database, adding an identifier indicative of the malicious software program to a second database;
uploading the second database including the identifier to a database factory over an Internet;
determining whether the malicious software program associated with the identifier has been previously analyzed by the database factory;
for each identifier that was not previously analyzed, associating the identifier with a digital fingerprint;
adding the digital fingerprint to a third database;
downloading the third database to a second computer; and
scanning the second computer for the malicious software program associated with the digital fingerprint in the third database.

15. A method of processing software programs to update a system which controls spyware programs on a computer, the method comprising:
receiving an identifier from a first computer at a database factory, wherein the identifier is associated with a spyware program;
determining whether the identifier has been previously analyzed;
for each identifier that was not previously analyzed by the database factory, categorizing each of the identifiers;
downloading the identifier and a category associated with the identifier to a second computer; and
scanning the second computer for the spyware program associated with the identifier.

19. A method of updating a system which controls operation of programs on a workstation based at least partially on information from another workstation, the method comprising:
detecting a malicious software program on a first workstation;
detecting a second malicious software program on a second workstation;
generating a first application digest for the first malicious software program;
generating a second application digest for the second malicious software program;
determining whether the first and second malicious software programs are categorized, wherein a categorized malicious software program is associated with one or more policies;
if the first or second malicious software programs are categorized, then applying the one or more policies that are associated with the categorized malicious software program;
if the first or second malicious software programs are not categorized, then posting information relating to the uncategorized malicious software program to a logging database;
uploading the logging database to a database factory over an Internet;
downloading a database of identifiers from the database factory over the Internet, wherein the identifiers are associated with the first and second malicious software programs along with at least one policy to a third workstation;
scanning the third workstation for the first and second malicious software programs; and
applying the at least one policy if the first or second malicious software programs are found on the third workstation.

23. A method of updating a system which controls operation of programs on a workstation, the method comprising:
detecting a program on the workstation;
generating a hash value for the program;
comparing the generated hash value to one or more hash values in a hash/policy table that includes one or more policies associated with the one or more hash values;
if the generated hash value matches one or more of the hash values in the hash/policy table, then applying the one or more policies that are associated with the one or more hash values;
if the generated hash value does not match one or more hash values in the hash/policy table, then posting an identifier associated with the program to a logging database;
uploading the logging database to an application server module;
determining whether the program from the logging database is in an application inventory database;
if the program is not in the application inventory database, then posting the identifier associated with the program to an uncategorized application database;
uploading the uncategorized application database to an application database factory;
determining whether the program has been previously categorized by the application database factory;
if the program was not previously categorized, categorizing the program as a spyware program;
posting the identifier as a spyware program in a database of categorized programs;
receiving the database of categorized programs over the Internet; and
scanning a second workstation for the program based at least partially on the received database of categorized programs.
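
The flow recited in claim 23, as an added Python example that is not code from the patent. The class and function names, the choice of SHA-256 as the hash, and the `analyst` callback standing in for the factory's categorization step are assumptions; the sample bytes are constructed.

```python
import hashlib

def digest(program_bytes):
    # Assumption: SHA-256. The claim only says "hash value".
    return hashlib.sha256(program_bytes).hexdigest()

class Workstation:
    def __init__(self, hash_policy_table):
        self.hash_policy_table = dict(hash_policy_table)  # hash -> policy
        self.logging_db = []                              # unmatched programs

    def on_launch(self, name, program_bytes):
        h = digest(program_bytes)
        policy = self.hash_policy_table.get(h)
        if policy is None:                  # no match: post identifier to the log
            self.logging_db.append((h, name))
        return policy                       # match: caller applies this policy

    def scan(self, files, categorized_db):
        # Scan local files against the database received from the factory.
        return sorted(n for n, data in files.items()
                      if categorized_db.get(digest(data)) == "spyware")

class ApplicationServer:
    def __init__(self, inventory):
        self.inventory = dict(inventory)    # application inventory database
        self.uncategorized_db = []

    def ingest(self, logging_db):
        for entry in logging_db:
            if entry[0] not in self.inventory and entry not in self.uncategorized_db:
                self.uncategorized_db.append(entry)

class DatabaseFactory:
    def __init__(self):
        self.categorized = {}               # hash -> category

    def ingest(self, uncategorized_db, analyst):
        for h, name in uncategorized_db:
            if h not in self.categorized:   # skip previously categorized programs
                self.categorized[h] = analyst(name)
        return dict(self.categorized)

def run_demo():
    sample = b"constructed sample bytes, not a real program"
    ws1, server, factory = Workstation({}), ApplicationServer({}), DatabaseFactory()
    verdict = ws1.on_launch("toolbar.exe", sample)       # unknown, so logged
    server.ingest(ws1.logging_db)
    db = factory.ingest(server.uncategorized_db, lambda name: "spyware")
    found = Workstation({}).scan({"a.exe": sample, "b.exe": b"other"}, db)
    blocked = Workstation({digest(sample): "block"}).on_launch("a.exe", sample)
    return verdict, found, blocked
```

Because the lookup key is an exact hash of the file contents, any change to the file produces a different hash and sends the program back through the uncategorized path.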