System and method of monitoring and controlling application files
Abstract
A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the launched application to control access to the application on the workstation.
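The launch-time flow in the abstract (hash the application, look it up in the hash/policy table, log and escalate unknowns, then distribute the result to other workstations), as an added example that is not taken from the patent or from any product implementing it. The class names, SHA-256 as the digest, the allow-and-log default for unknowns, and the keyword-based classifier are assumptions made for illustration.

```python
import hashlib

def digest(program_bytes: bytes) -> str:
    # Application digest used as the table key (SHA-256 is an assumption).
    return hashlib.sha256(program_bytes).hexdigest()

class DatabaseFactory:
    """Categorizes each previously unseen digest once and remembers the result."""
    def __init__(self, classify):
        self.categorized = {}     # digest -> category
        self.classify = classify  # hypothetical stand-in for the factory's analysis
    def categorize(self, h, meta):
        if h not in self.categorized:  # not previously categorized
            self.categorized[h] = self.classify(meta)
        return self.categorized[h]

class ApplicationServer:
    def __init__(self, factory, category_policy):
        self.factory = factory
        self.inventory = {}       # application inventory database: digest -> category
        self.category_policy = category_policy
    def process_log(self, logging_db):
        # Resolve uploaded unknowns, then build the hash/policy table to push out.
        for h, meta in logging_db.items():
            if h not in self.inventory:
                self.inventory[h] = self.factory.categorize(h, meta)
        return {h: self.category_policy.get(c, "allow")
                for h, c in self.inventory.items()}

class Workstation:
    def __init__(self):
        self.hash_policy = {}     # hash/policy table received from the server
        self.logging_db = {}      # unmatched launches awaiting upload
    def on_launch(self, name, program_bytes):
        h = digest(program_bytes)
        if h not in self.hash_policy:
            self.logging_db[h] = {"name": name}
            return "allow-and-log"  # default for unknowns is an assumption
        return self.hash_policy[h]

def demo():
    classify = lambda meta: "spyware" if "tracker" in meta["name"] else "other"
    server = ApplicationServer(DatabaseFactory(classify), {"spyware": "block"})
    ws1, ws2 = Workstation(), Workstation()
    sample = b"constructed sample program bytes"
    first = ws1.on_launch("tracker.exe", sample)      # unknown on first sight
    table = server.process_log(ws1.logging_db)
    ws1.hash_policy, ws2.hash_policy = table, dict(table)
    # Same bytes under another file name still match: identity is the hash.
    return first, ws2.on_launch("renamed.exe", sample)
```

Exact-hash matching treats any modified binary as a new unknown, so the default policy for unmatched hashes determines how much this table actually enforces.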
29 Claims
1. A system configured to protect a computer from malicious software programs based at least partially on information collected from another computer over an Internet, the system comprising:
a first computer;
a first client inventory module configured to identify one or more malicious software programs stored on the first computer;
a database including identification information for malicious software programs, the database being accessible to the first client inventory module for the client inventory module to identify the one or more malicious software programs;
a database factory configured to receive and distribute information relating to the identification information from the database over an Internet;
a second computer; and
a second client inventory module configured to receive information from the database factory and scan the second computer for the one or more malicious software programs identified by the first client inventory module.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system for identifying malicious software programs over an Internet, the system comprising:
a first client inventory module configured to scan a first computer so as to identify a malicious software program and to upload information associated with the identified malicious software program over an Internet;
a database factory configured to receive the uploaded information and distribute information associated with the uploaded information over the Internet; and
a second client inventory module configured to receive the distributed information and scan a second computer for the malicious software program identified by the first client inventory module.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21
22. A program storage device storing instructions that when executed by a computer perform the method of:
identifying a malicious software program stored on a first computer;
determining whether the malicious software program is identified in a first database;
if the malicious software program is identified in the first database, applying one or more policies associated with the identified malicious software program;
if the malicious software program is not identified in the first database, adding an identifier indicative of the malicious software program to a second database;
uploading the second database including the identifier to a database factory over an Internet;
determining whether the malicious software program associated with the identifier has been previously analyzed by the database factory;
for each identifier that was not previously analyzed, associating the identifier with a digital fingerprint;
adding the digital fingerprint to a third database;
downloading the third database to a second computer; and
scanning the second computer for the malicious software program associated with the digital fingerprint in the third database.
23. A program storage device storing instructions that when executed by a computer perform the method of:
receiving an identifier from a first computer at a database factory, wherein the identifier is associated with a spyware program;
determining whether the identifier has been previously analyzed;
for each identifier that was not previously analyzed by the database factory, categorizing each of the identifiers;
downloading the identifier and a category associated with the identifier to a second computer; and
scanning the second computer for the spyware program associated with the identifier.
24. A program storage device storing instructions that when executed by a computer perform the method of:
detecting a malicious software program on a first workstation;
detecting a second malicious software program on a second workstation;
generating a first application digest for the first malicious software program;
generating a second application digest for the second malicious software program;
determining whether the first and second malicious software programs are categorized, wherein a categorized malicious software program is associated with one or more policies;
if the first or second malicious software programs are categorized, then applying the one or more policies that are associated with the categorized malicious software program;
if the first or second malicious software programs are not categorized, then posting information relating to the uncategorized malicious software program to a logging database;
uploading the logging database to a database factory over an Internet;
downloading a database of identifiers from the database factory over the Internet, wherein the identifiers are associated with the first and second malicious software programs along with at least one policy to a third workstation;
scanning the third workstation for the first and second malicious software programs; and
applying the at least one policy if the first or second malicious software programs are found on the third workstation.
25. A program storage device storing instructions that when executed by a computer perform the method of:
detecting a program on the workstation;
generating a hash value for the program;
comparing the generated hash value to one or more hash values in a hash/policy table that includes one or more policies associated with the one or more hash values;
if the generated hash value matches one or more of the hash values in the hash/policy table, then applying the one or more policies that are associated with the one or more hash values;
if the generated hash value does not match one or more hash values in the hash/policy table, then posting an identifier associated with the program to a logging database;
uploading the logging database to an application server module;
determining whether the program from the logging database is in an application inventory database;
if the program is not in the application inventory database, then posting the identifier associated with the program to an uncategorized application database;
uploading the uncategorized application database to an application database factory;
determining whether the program has been previously categorized by the application database factory;
if the program was not previously categorized, categorizing the program as a spyware program;
posting the identifier as a spyware program in a database of categorized programs;
receiving the database of categorized programs over the Internet; and
scanning a second workstation for the program based at least partially on the received database of categorized programs.
26. A system which protects computers from malicious software programs, the system comprising:
means for identifying a malicious software program stored on a first computer;
means for determining whether the malicious software program is identified in a first database;
if the malicious software program is identified in the first database, means for applying one or more policies associated with the identified malicious software program;
if the malicious software program is not identified in the first database, means for adding an identifier indicative of the malicious software program to a second database;
means for uploading the second database including the identifier to a database factory over an Internet;
means for determining whether the malicious software program associated with the identifier has been previously analyzed by the database factory;
for each identifier that was not previously analyzed, means for associating the identifier with a digital fingerprint;
means for adding the digital fingerprint to a third database;
means for downloading the third database to a second computer; and
means for scanning the second computer for the malicious software program associated with the digital fingerprint in the third database.
27. A system which controls spyware programs on a computer, the system comprising:
means for receiving an identifier from a first computer at a database factory, wherein the identifier is associated with a spyware program;
means for determining whether the identifier has been previously analyzed;
for each identifier that was not previously analyzed by the database factory, means for categorizing each of the identifiers;
means for downloading the identifier and a category associated with the identifier to a second computer; and
means for scanning the second computer for the spyware program associated with the identifier.
28. A system which controls operation of programs on a workstation based at least partially on information from another workstation, the system comprising:
means for detecting a malicious software program on a first workstation;
means for detecting a second malicious software program on a second workstation;
means for generating a first application digest for the first malicious software program;
means for generating a second application digest for the second malicious software program;
means for determining whether the first and second malicious software programs are categorized, wherein a categorized malicious software program is associated with one or more policies;
if the first or second malicious software programs are categorized, then means for applying the one or more policies that are associated with the categorized malicious software program;
if the first or second malicious software programs are not categorized, then means for posting information relating to the uncategorized malicious software program to a logging database;
means for uploading the logging database to a database factory over an Internet;
means for downloading a database of identifiers from the database factory over the Internet, wherein the identifiers are associated with the first and second malicious software programs along with at least one policy to a third workstation;
means for scanning the third workstation for the first and second malicious software programs; and
means for applying the at least one policy if the first or second malicious software programs are found on the third workstation.
29. A system which controls operation of programs on a workstation, the system comprising:
means for detecting a program on the workstation;
means for generating a hash value for the program;
means for comparing the generated hash value to one or more hash values in a hash/policy table that includes one or more policies associated with the one or more hash values;
if the generated hash value matches one or more of the hash values in the hash/policy table, then means for applying the one or more policies that are associated with the one or more hash values;
if the generated hash value does not match one or more hash values in the hash/policy table, then means for posting an identifier associated with the program to a logging database;
means for uploading the logging database to an application server module;
means for determining whether the program from the logging database is in an application inventory database;
if the program is not in the application inventory database, then means for posting the identifier associated with the program to an uncategorized application database;
means for uploading the uncategorized application database to an application database factory;
means for determining whether the program has been previously categorized by the application database factory;
if the program was not previously categorized, means for categorizing the program as a spyware program;
means for posting the identifier as a spyware program in a database of categorized programs;
means for receiving the database of categorized programs over the Internet; and
means for scanning a second workstation for the program based at least partially on the received database of categorized programs.
Specification