Client side exploit tracking

US 20070074289A1
Filed: 09/28/2005
Published: 03/29/2007
Est. Priority Date: 09/28/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing pestware on a protected computer comprising:

monitoring the receipt of a file at the protected computer;

monitoring processes created on the protected computer;

identifying at least one of the processes as a process that is generated from the file;

monitoring activity of the process;

comparing activity of the process with factors indicative of pestware;

managing the file and the process based upon the comparison of the activity of the process with the factors.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing pestware is described. In one embodiment the method includes monitoring the receipt of a file at the protected computer, monitoring processes created on the protected computer, identifying at least one of the processes as a process that is generated from the file, monitoring activity of the process, comparing activity of the at least one process with factors indicative of pestware and managing the file and the at least one process based upon the comparison of the activity of the at least one process with the factors.

61 Citations

View as Search Results

24 Claims

1. A method for managing pestware on a protected computer comprising:
- monitoring the receipt of a file at the protected computer;
  
  monitoring processes created on the protected computer;
  
  identifying at least one of the processes as a process that is generated from the file;
  
  monitoring activity of the process;
  
  comparing activity of the process with factors indicative of pestware;
  
  managing the file and the process based upon the comparison of the activity of the process with the factors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the file is an immediately executable file selected from the group consisting of an ActiveX control and a Java applet.
  - 3. The method of claim 1, including:
    - identifying the source of the file received at the protected computer, wherein the comparing includes comparing the source of the of the file with the factors indicative of pestware.
  - 4. The method of claim 3, wherein the identifying the source of the file includes identifying an IP address or a URL.
  - 5. The method of claim 3 including identifying the location where the file is stored on the protected computer wherein the comparing includes comparing the location where the file is stored on the protected computer with the factors indicative of pestware.
  - 6. The method of claim 1 including generating a log file, the log file including information about the file and activities of the process that is generated from the file.
  - 7. The method of claim 1, wherein the factors are weighted factors, and wherein the weighted factors are generated based upon pestware activities on a plurality of computers.
  - 8. The method of claim 1, wherein monitoring activity of the process includes monitoring activities selected from the group consisting of:
    - spawning another process, altering registry entries, initiating communications with remote sites via the Internet, altering a start up folder, injecting a DLL into another process, changing a home page and changing bookmarks.
  - 9. The method of claim 1, wherein comparing includes comparing activity of the process with weighted, factors, the weighted factors being weighted based upon a likelihood the factor is associated with pestware.
  - 10. The method of claim 1, wherein managing includes neutralizing the process in response to the activity of the process matching at least two of the factors, wherein a sum of weights assigned to each of the at least two factors exceeds a threshold.
  - 11. The method of claim 1, wherein the threshold is established by a user of the protected computer.
  - 12. The method of claim 1, including:
    - providing, based upon the comparison of the activity of the at least one process with the factors, information to the user about the process.

13. A method for managing pestware at a plurality of computers comprising:
- collecting data from a plurality of computers, wherein the data includes information about activities on each of the plurality of computers;
  
  establishing factors that correspond to patterns in the activities;
  
  assigning a weight to each of the factors based upon a comparison of the patterns with other patterns associated with both desirable and pestware applications so as to generate a plurality of weighted factors, wherein a magnitude of the weight assigned to each of the factors is indicative of a likelihood that each of the corresponding factors is associated with pestware; and
  
  sending the weighted factors to the plurality of computers.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the activities are selected from the group consisting of:
    - spawning another process, altering registry entries, initiating communications with remote sites via the Internet, altering a start up folder, injecting a DLL into another process, changing a home page and changing bookmarks.

15. A computer readable medium encoded with instructions to manage pestware on a protected computer, the instructions including instructions for:
- monitoring the receipt of a file at the protected computer;
  
  monitoring processes created on the protected computer;
  
  identifying at least one of the processes as a process that is generated from the file;
  
  monitoring activity of the process;
  
  comparing activity of the process with factors indicative of pestware;
  
  managing the file and the process based upon the comparison of the activity of the process with the factors.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The computer readable medium of claim 15, including instructions for:
    - identifying the source of the file received at the protected computer, wherein the comparing includes comparing the source of the of the file with the factors indicative of pestware.
  - 17. The computer readable medium of claim 16 including instructions for identifying the location where the file is stored on the protected computer wherein the instructions for comparing includes instructions for comparing the location where the file is stored on the protected computer with the factors indicative of pestware.
  - 18. The computer readable medium of claim 15 including instructions for generating a log file, the log file including information about the file and activities of the process that is generated from the file.
  - 19. The computer readable medium of claim 15, wherein the factors are weighted factors, and wherein the weighted factors are generated based upon pestware activities on a plurality of computers.
  - 20. The computer readable medium of claim 15, wherein the instructions for monitoring activity of the process includes instructions for monitoring activities selected from the group consisting of:
    - spawning another process, altering registry entries, initiating communications with remote sites via the Internet, altering a start up folder, injecting a DLL into another process, changing a home page and changing bookmarks.
  - 21. The computer readable medium of claim 15, wherein the instructions for comparing includes instructions for comparing activity of the process with weighted factors, the weighted factors being weighted based upon a likelihood the factor is associated with pestware.
  - 22. The computer readable medium of claim 15, wherein the instructions for managing includes instructions for neutralizing the process in response to the activity of the process matching at least two of the factors, wherein a sum of weights assigned to each of the at least two factors exceeds a threshold.
  - 23. The computer readable medium of claim 15, wherein the threshold is established by a user of the protected computer.
  - 24. The computer readable medium of claim 15, including instructions for:
    - providing, based upon the comparison of the activity of the process with the factors, information to the user about the process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webroot Software Incorporated (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Maddaloni, Phil

Application Number

US11/237,291
Publication Number

US 20070074289A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1408   by monitoring network traff...

Client side exploit tracking

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Client side exploit tracking

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others