System and method of monitoring and controlling application files

US 20050223001A1
Filed: 06/01/2005
Published: 10/06/2005
Est. Priority Date: 03/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method of adapting a system over the Internet which protects computers from malicious software programs, the method comprising:

identifying a malicious software program stored on a first computer;

determining whether the malicious software program is identified in a first database;

if the malicious software program is identified in the first database, applying one or more policies associated with the identified malicious software program;

if the malicious software program is not identified in the first database, adding an identifier indicative of the malicious software program to a second database;

uploading the second database including the identifier to a database factory over an Internet;

determining whether the malicious software program associated with the identifier has been previously analyzed by the database factory;

for each identifier that was not previously analyzed, associating the identifier with a digital fingerprint;

adding the digital fingerprint to a third database;

downloading the third database to a second computer; and

scanning the second computer for the malicious software program associated with the digital fingerprint in the third database.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the launched application to control access to the application on the workstation.

146 Citations

View as Search Results

23 Claims

1. A method of adapting a system over the Internet which protects computers from malicious software programs, the method comprising:
- identifying a malicious software program stored on a first computer;
  
  determining whether the malicious software program is identified in a first database;
  
  if the malicious software program is identified in the first database, applying one or more policies associated with the identified malicious software program;
  
  if the malicious software program is not identified in the first database, adding an identifier indicative of the malicious software program to a second database;
  
  uploading the second database including the identifier to a database factory over an Internet;
  
  determining whether the malicious software program associated with the identifier has been previously analyzed by the database factory;
  
  for each identifier that was not previously analyzed, associating the identifier with a digital fingerprint;
  
  adding the digital fingerprint to a third database;
  
  downloading the third database to a second computer; and
  
  scanning the second computer for the malicious software program associated with the digital fingerprint in the third database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the malicious software program is a spyware program.
  - 3. The method of claim 1, wherein the malicious software program is an anti-virus program.
  - 4. The method of claim 1, wherein the malicious software program is a hacking program.
  - 5. The method of claim 1, wherein the malicious software program is a remote access program.
  - 6. The method of claim 1, wherein if the scanning of the second computer determines that the malicious software program is stored on the second computer, then disallowing the malicious software program from running on the second computer.
  - 7. The method of claim 1, wherein if the scanning of the second computer determines that the malicious software program is stored on the second computer, then notifying a user of the second computer that the malicious software program is stored on the second computer.
  - 8. The method of claim 1 further comprising:
    - classifying the malicious software program; and
      
      downloading the classification to the second computer.
  - 9. The method of claim 1 further comprising:
    - identifying a malicious software program stored on a third computer;
      
      determining whether the malicious software program is identified in a third database;
      
      if the malicious software program is identified in the third database, applying one or more policies associated with the identified malicious software program;
      
      if the malicious software program is not identified in the third database, adding an identifier indicative of the malicious software program to a fourth database; and
      
      uploading the fourth database including the identifier to the database factory over the Internet.
  - 10. The method of claim 9, wherein the malicious software program scanned for on the second computer is in the second and fourth databases.
  - 11. The method of claim 9 wherein downloading the third database is based at least in part upon a request frequency that is associated with the number of times that the identifier associated with the malicious software program is in the second and fourth databases.
  - 12. The method of claim 9 further comprising merging and sorting the identifiers in the second and fourth databases.
  - 13. The method of claim 9, wherein the identifiers in the second database are the same as the identifiers in the fourth database.
  - 14. The method of claim 9, wherein the second database is different than the fourth database.

15. A method of processing software programs to update a system which controls spyware programs on a computer, the method comprising:
- receiving an identifier from a first computer at a database factory, wherein the identifier is associated with a spyware program;
  
  determining whether the identifier has been previously analyzed;
  
  for each identifier that was not previously analyzed by the database factory, categorizing each of the identifiers;
  
  downloading the identifier and a category associated with the identifier to a second computer; and
  
  scanning the second computer for the spyware program associated with the identifier.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein if the scanning of the second computer identifies that the spyware program associated with the identifier is stored on the second computer, then notifying a user of the second computer that the spyware program is stored on the second computer.
  - 17. The method of claim 15 further comprising:
    - identifying a second spyware program stored on a third computer;
      
      determining whether the second spyware program is categorized;
      
      if the second spyware program is categorized, applying one or more policies associated with the category;
      
      if the second spyware program is not categorized, adding an identifier indicative of the second spyware program to a database; and
      
      uploading the database including the identifier to the database factory over the Internet.
  - 18. The method of claim 17, wherein the second spyware program scanned for on the second computer is in the database.

19. A method of updating a system which controls operation of programs on a workstation based at least partially on information from another workstation, the method comprising:
- detecting a malicious software program on a first workstation;
  
  detecting a second malicious software program on a second workstation;
  
  generating a first application digest for the first malicious software program;
  
  generating a second application digest for the second malicious software program;
  
  determining whether the first and second malicious software programs are categorized, wherein a categorized malicious software program is associated with one or more policies;
  
  if the first or second malicious software programs are categorized, then applying the one or more policies that are associated with the categorized malicious software program;
  
  if the first or second malicious software programs are not categorized, then posting information relating to the uncategorized malicious software program to a logging database;
  
  uploading the logging database to a database factory over an Internet;
  
  downloading a database of identifiers from the database factory over the Internet, wherein the identifiers are associated with the first and second malicious software programs along with at least one policy to a third workstation;
  
  scanning the third workstation for the first and second malicious software programs; and
  
  applying the at least one policy if the first or second malicious software programs are found on the third workstation.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, further comprising:
    - updating a request frequency if identification of the first or second malicious software programs is already in the logging database.
  - 21. The method of claim 19, wherein the at least one policy includes allowing or disallowing the malicious software program to run on the third workstation.
  - 22. The method of claim 19, wherein the logging database further includes additional data associated with the first or second malicious software programs.

23. A method of updating a system which controls operation of programs on a workstation, the method comprising:
- detecting a program on the workstation;
  
  generating a hash value for the program;
  
  comparing the generated hash value to one or more hash values in a hash/policy table that includes one or more policies associated with the one or more hash values;
  
  if the generated hash value matches one or more of the hash values in the hash/policy table, then applying the one or more policies that are associated with the one or more hash values;
  
  if the generated hash value does not match one or more hash values in the hash/policy table, then posting an identifier associated with the program to a logging database;
  
  uploading the logging database to an application server module;
  
  determining whether the program from the logging database is in an application inventory database;
  
  if the program is not in the application inventory database, then posting the identifier associated with the program to an uncategorized application database;
  
  uploading the uncategorized application database to an application database factory;
  
  determining whether the program has been previously categorized by the application database factory;
  
  if the program was not previously categorized, categorizing the program as a spyware program;
  
  posting the identifier as a spyware program in a database of categorized programs;
  
  receiving the database of categorized programs over the Internet; and
  
  scanning a second workstation for the program based at least partially on the received database of categorized programs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Dimm, John Ross, Kester, Harold M., Anderson, Mark Richard, Hegli, Ronald B.

Granted Patent

US 8,020,209 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06Q 20/203   Inventory monitoring

H04L 63/0428   wherein the data content is...

H04L 63/20   for managing network securi...

Y10S 707/99931   Database or file accessing

Y10S 707/99943   Generating database or data...

Y10S 707/99945   Object-oriented database st...

System and method of monitoring and controlling application files

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

146 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of monitoring and controlling application files

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

146 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links