System and method of monitoring and controlling application files

US 20060004636A1
Filed: 06/01/2005
Published: 01/05/2006
Est. Priority Date: 03/14/2003
Status: Active Grant

First Claim

Patent Images

1. A system configured to protect a computer from malicious software programs based at least partially on information collected from another computer over an Internet, the system comprising:

a first computer;

a first client inventory module configured to identify one or more malicious software programs stored on the first computer;

a database including identification information for malicious software programs, the database being accessible to the first client inventory module for the client inventory module to identify the one or more malicious software programs;

a database factory configured to receive and distribute information relating to the identification information from the database over an Internet;

a second computer; and

a second client inventory module configured to receive information from the database factory and scan the second computer for the one or more malicious software programs identified by the first client inventory module.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the launched application to control access to the application on the workstation.

Citations

29 Claims

1. A system configured to protect a computer from malicious software programs based at least partially on information collected from another computer over an Internet, the system comprising:
- a first computer;
  
  a first client inventory module configured to identify one or more malicious software programs stored on the first computer;
  
  a database including identification information for malicious software programs, the database being accessible to the first client inventory module for the client inventory module to identify the one or more malicious software programs;
  
  a database factory configured to receive and distribute information relating to the identification information from the database over an Internet;
  
  a second computer; and
  
  a second client inventory module configured to receive information from the database factory and scan the second computer for the one or more malicious software programs identified by the first client inventory module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein at least one of the one or more malicious software programs is a spyware program.
  - 3. The system of claim 1, wherein at least one of the one or more malicious software programs is an anti-virus program.
  - 4. The system of claim 1, wherein at least one of the one or more malicious software programs is a hacking program.
  - 5. The system of claim 1, wherein at least one of the one or more malicious software programs is a remote access program.
  - 6. The system of claim 1, wherein if the scanning of the second computer identifies that the one or more malicious software programs is stored on the second computer, then the second client inventory module is configured to disallow the identified one or more malicious software programs from running on the second computer.
  - 7. The system of claim 1, wherein if the scanning of the second computer identifies that the one or more malicious software programs is stored on the second computer, then the second client inventory module is configured to notify a user of the second computer.
  - 8. The system of claim 1, wherein the database factory comprises:
    - an upload/download module configured to receive information from the first client inventory module and determine whether the one or more malicious software programs has been previously analyzed by the database factory;
      
      an application analyst'"'"'s classification module configured to analyze the one or more malicious software programs if not previously analyzed by the database factory; and
      
      a master application database configured to store the information received from the first client inventory module.
  - 9. The system of claim 1, wherein the database factory is configured to classify the one or more malicious software programs and provide the classification to the second client inventory module.
  - 10. The system of claim 1 further comprising a third client inventory module configured to access a second database containing identification information for malicious software programs so as to identify one or more malicious software programs on a third computer, wherein the one or more malicious software programs scanned for by the second client inventory module is identified by the first and third client inventory modules.
  - 11. The system of claim 10, wherein the database factory distributes information based at least in part upon a request frequency that is associated with the number of times that the database factory receives identification of one of the one or more malicious software programs from the first and third client inventory modules.
  - 12. The system of claim 10, wherein the database factory merges and sorts information received from the first client inventory module with information received from the third client inventory module.

13. A system for identifying malicious software programs over an Internet, the system comprising:
- a first client inventory module configured to scan a first computer so as to identify a malicious software program and to upload information associated with the identified malicious software program over an Internet;
  
  a database factory configured to receive the uploaded information and distribute information associated with the uploaded information over the Internet; and
  
  a second client inventory module configured to receive the distributed information and scan a second computer for the malicious software program identified by the first client inventory module.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The system of claim 13, wherein the malicious software program is a spyware program.
  - 15. The system of claim 13, wherein the malicious software program is an anti-virus program.
  - 16. The system of claim 13, wherein if the scanning of the second computer identifies that the malicious software program is stored on the second computer, then the second client inventory module is configured to disallow the identified malicious software program from running on the second computer.
  - 17. The system of claim 13, wherein if the scanning of the second computer identifies that the malicious software program is stored on the second computer, then the second client inventory module is configured to notify a user of the second computer.
  - 18. The system of claim 13, wherein the database factory classifies the malicious software program and provides the classification to the second client inventory module.
  - 19. The system of claim 13 further comprising a third client inventory module configured to access a database so as to identify a second malicious software program, wherein the second malicious software program scanned for by the second client inventory module is identified by the first and third client inventory modules.
  - 20. The system of claim 19, wherein the database factory distributes information at least in part upon a request frequency that is associated with the number of times that the database factory receives the identification of the second malicious software program from the first and third client inventory modules.
  - 21. The system of claim 19, wherein the database factory merges and sorts the information relating to the second malicious software program received from the first client inventory module with information relating to the second malicious software program received from the third client inventory module.

22. A program storage device storing instructions that when executed by a computer perform the method of:
- identifying a malicious software program stored on a first computer;
  
  determining whether the malicious software program is identified in a first database;
  
  if the malicious software program is identified in the first database, applying one or more policies associated with the identified malicious software program;
  
  if the malicious software program is not identified in the first database, adding an identifier indicative of the malicious software program to a second database;
  
  uploading the second database including the identifier to a database factory over an Internet;
  
  determining whether the malicious software program associated with the identifier has been previously analyzed by the database factory;
  
  for each identifier that was not previously analyzed, associating the identifier with a digital fingerprint;
  
  adding the digital fingerprint to a third database;
  
  downloading the third database to a second computer; and
  
  scanning the second computer for the malicious software program associated with the digital fingerprint in the third database.

23. A program storage device storing instructions that when executed by a computer perform the method of:
- receiving an identifier from a first computer at a database factory, wherein the identifier is associated with a spyware program;
  
  determining whether the identifier has been previously analyzed;
  
  for each identifier that was not previously analyzed by the database factory, categorizing each of the identifiers;
  
  downloading the identifier and a category associated with the identifier to a second computer; and
  
  scanning the second computer for the spyware program associated with the identifier.

24. A program storage device storing instructions that when executed by a computer perform the method of:
- detecting a malicious software program on a first workstation;
  
  detecting a second malicious software program on a second workstation;
  
  generating a first application digest for the first malicious software program;
  
  generating a second application digest for the second malicious software program;
  
  determining whether the first and second malicious software programs are categorized, wherein a categorized malicious software program is associated with one or more policies;
  
  if the first or second malicious software programs are categorized, then applying the one or more policies that are associated with the categorized malicious software program;
  
  if the first or second malicious software programs are not categorized, then posting information relating to the uncategorized malicious software program to a logging database;
  
  uploading the logging database to a database factory over an Internet;
  
  downloading a database of identifiers from the database factory over the Internet, wherein the identifiers are associated with the first and second malicious software programs along with at least one policy to a third workstation;
  
  scanning the third workstation for the first and second malicious software programs; and
  
  applying the at least one policy if the first or second malicious software programs are found on the third workstation.

25. A program storage device storing instructions that when executed by a computer perform the method of:
- detecting a program on the workstation;
  
  generating a hash value for the program;
  
  comparing the generated hash value to one or more hash values in a hash/policy table that includes one or more policies associated with the one or more hash values;
  
  if the generated hash value matches one or more of the hash values in the hash/policy table, then applying the one or more policies that are associated with the one or more hash values;
  
  if the generated hash value does not match one or more hash values in the hash/policy table, then posting an identifier associated with the program to a logging database;
  
  uploading the logging database to an application server module;
  
  determining whether the program from the logging database is in an application inventory database;
  
  if the program is not in the application inventory database, then posting the identifier associated with the program to an uncategorized application database;
  
  uploading the uncategorized application database to an application database factory;
  
  determining whether the program has been previously categorized by the application database factory;
  
  if the program was not previously categorized, categorizing the program as a spyware program;
  
  posting the identifier as a spyware program in a database of categorized programs;
  
  receiving the database of categorized programs over the Internet; and
  
  scanning a second workstation for the program based at least partially on the received database of categorized programs.

26. A system which protects computers from malicious software programs, the system comprising:
- means for identifying a malicious software program stored on a first computer;
  
  means for determining whether the malicious software program is identified in a first database;
  
  if the malicious software program is identified in the first database, means for applying one or more policies associated with the identified malicious software program;
  
  if the malicious software program is not identified in the first database, means for adding an identifier indicative of the malicious software program to a second database;
  
  means for uploading the second database including the identifier to a database factory over an Internet;
  
  means for determining whether the malicious software program associated with the identifier has been previously analyzed by the database factory;
  
  for each identifier that was not previously analyzed, means for associating the identifier with a digital fingerprint;
  
  means for adding the digital fingerprint to a third database;
  
  means for downloading the third database to a second computer; and
  
  means for scanning the second computer for the malicious software program associated with the digital fingerprint in the third database.

27. A system which controls spyware programs on a computer, the system comprising:
- means for receiving an identifier from a first computer at a database factory, wherein the identifier is associated with a spyware program;
  
  means for determining whether the identifier has been previously analyzed;
  
  for each identifier that was not previously analyzed by the database factory, means for categorizing each of the identifiers;
  
  means for downloading the identifier and a category associated with the identifier to a second computer; and
  
  means for scanning the second computer for the spyware program associated with the identifier.

28. A system which controls operation of programs on a workstation based at least partially on information from another workstation, the system comprising:
- means for detecting a malicious software program on a first workstation;
  
  means for detecting a second malicious software program on a second workstation;
  
  means for generating a first application digest for the first malicious software program;
  
  means for generating a second application digest for the second malicious software program;
  
  means for determining whether the first and second malicious software programs are categorized, wherein a categorized malicious software program is associated with one or more policies;
  
  if the first or second malicious software programs are categorized, then means for applying the one or more policies that are associated with the categorized malicious software program;
  
  if the first or second malicious software programs are not categorized, then means for posting information relating to the uncategorized malicious software program to a logging database;
  
  means for uploading the logging database to a database factory over an Internet;
  
  means for downloading a database of identifiers from the database factory over the Internet, wherein the identifiers are associated with the first and second malicious software programs along with at least one policy to a third workstation;
  
  means for scanning the third workstation for the first and second malicious software programs; and
  
  means for applying the at least one policy if the first or second malicious software programs are found on the third workstation.

29. A system which controls operation of programs on a workstation, the system comprising:
- means for detecting a program on the workstation;
  
  means for generating a hash value for the program;
  
  means for comparing the generated hash value to one or more hash values in a hash/policy table that includes one or more policies associated with the one or more hash values;
  
  if the generated hash value matches one or more of the hash values in the hash/policy table, then means for applying the one or more policies that are associated with the one or more hash values;
  
  if the generated hash value does not match one or more hash values in the hash/policy table, then means for posting an identifier associated with the program to a logging database;
  
  means for uploading the logging database to an application server module;
  
  means for determining whether the program from the logging database is in an application inventory database;
  
  if the program is not in the application inventory database, then means for posting the identifier associated with the program to an uncategorized application database;
  
  means for uploading the uncategorized application database to an application database factory;
  
  means for determining whether the program has been previously categorized by the application database factory;
  
  if the program was not previously categorized, means for categorizing the program as a spyware program;
  
  means for posting the identifier as a spyware program in a database of categorized programs;
  
  means for receiving the database of categorized programs over the Internet; and
  
  means for scanning a second workstation for the program based at least partially on the received database of categorized programs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC (Francisco Partners Management LLC)
Original Assignee
Forcepoint LLC (Francisco Partners Management LLC)
Inventors
Dimm, John Ross, Kester, Harold M., Anderson, Mark Richard, Hegli, Ronald B.

Granted Patent

US 8,689,325 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/22
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06Q 20/203   Inventory monitoring

H04L 63/0428   wherein the data content is...

H04L 63/20   for managing network securi...

Y10S 707/99931   Database or file accessing

Y10S 707/99943   Generating database or data...

Y10S 707/99945   Object-oriented database st...

System and method of monitoring and controlling application files

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of monitoring and controlling application files

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links