Real time lockdown

US 20070150956A1
Filed: 12/28/2005
Published: 06/28/2007
Est. Priority Date: 12/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method of preventing the execution of file data on a workstation, the method comprising:

identifying a file having modified file data;

flagging meta data associated with the modified file data; and

preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that trusts software executables existent on a machine prior to activation for different types of accesses e.g. execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system will tag the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system.

119 Citations

View as Search Results

48 Claims

1. A method of preventing the execution of file data on a workstation, the method comprising:
- identifying a file having modified file data;
  
  flagging meta data associated with the modified file data; and
  
  preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising initiating a lock down mode on the workstation, wherein preventing the modified file data from executing is performed in response to initiation of the lock down mode.
  - 3. The method of claim 2, wherein the workstation is continually in lock down mode.
  - 4. The method of claim 2, further comprising identifying a software virus threat, wherein initiating the lock down occurs in response to identifying the software virus threat.
  - 5. The method of claim 1, wherein modifying the file date comprises saving existing file data to a memory.
  - 6. The method of claim 1, wherein modifying the file data comprises changing the location of the file data in a memory.
  - 7. The method of claim 1, wherein modifying the file data comprises saving a new file to a memory.
  - 8. The method of claim 1, wherein modifying the file data comprises renaming the file data in a memory.
  - 9. The method of claim 1, wherein modifying the file data comprises deleting the file data from a memory.
  - 10. The method of claim 1, wherein flagging the meta data comprises inserting one or more bits of data into the meta data, the bits identifying the file data as being modified.
  - 11. The method of claim 4, further comprising updating a virus protection program to include information relating to the software virus threat.
  - 12. The method of claim 11, further comprising ending the lock down mode on the workstation after updating the virus protection program.
  - 13. The method of claim 1, wherein preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data is performed at least in part by a kernel.

14. A method of creating a signature and flag for an executable software program on a workstation, the method comprising:
- creating a new file on a workstation;
  
  identifying the new file with a flag, wherein the flag is a code added to meta data associated with the new file;
  
  creating a hash for the new file, wherein the hash is created at least in part on the meta data associated with the new file; and
  
  storing the hash and the flag in a memory.
- View Dependent Claims (15)
- - 15. The method of claim 14, wherein identifying the new file comprises inserting one or more bits of data into the meta data, the bits identifying the file data as being new.

16. A method of monitoring and tracking changes to a signature for a modified file, the method comprising:
- modifying an executable file;
  
  creating a signature for the modified file, wherein the signature is based at least in part on meta data associated with the modified file;
  
  determining if the signature is already stored;
  
  if the signature is already stored, then determining if the signature is associated with a flag;
  
  if the signature is not stored, then adding a flag to meta data associated with the modified file;
  
  if the signature associated with the modified file is not stored, then associating a flag with the modified file; and
  
  storing the flag and the signature associated with the modified file.
- View Dependent Claims (17)
- - 17. The method of claim 16, wherein creating a signature for the modified file is performed before a lock down is initiated.

18. A method of protecting a workstation from a virus threat, the method comprising:
- modifying meta data associated with a first file, wherein the first file is a trusted file;
  
  identifying a virus threat;
  
  initiating a lock down mode in response to the identified virus threat, wherein files created or modified after the lock down is initiated are not allowed to execute;
  
  flagging a second file created after initiation of the lock down mode, wherein the second file relates to the first file;
  
  denying execution of the second file; and
  
  terminating the lock down mode after denying execution of the second file.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18, wherein not allowing the files created or modified after the lock down is performed in response to initiation of the lock down mode.
  - 20. The method of claim 18 further comprising identifying a software virus, wherein initiating the lock down occurs in response to identifying the software virus.
  - 21. The method of claim 20, further comprising updating a virus protection program to include information relating to the software virus.

22. A system for preventing the execution of software code, the system comprising:
- a software module configured to modify a data file having meta data associated with the data file;
  
  a storage medium configured to store the data file; and
  
  a filter configured to flag the meta data associated with the modified file data during a lock down mode and prevent the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.

23. A system for preventing the execution of file data on a workstation, the system comprising:
- means for modifying file data having meta data associated with the file data;
  
  means for flagging the meta data associated with the modified file data; and
  
  means for preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23 further comprising means for initiating a lock down mode on the workstation.
  - 25. The system of claim 24, wherein the workstation is continually in lock down mode.
  - 26. The system of claim 24 further comprising means for identifying a software virus threat, wherein the lock down occurs in response to identifying the software virus threat.

27. A program storage device storing instructions that when executed by a computer perform the method of:
- identifying a file having modified file data;
  
  flagging meta data associated with the modified file data; and
  
  preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The method of claim 27 further comprising initiating a lock down mode on the workstation, wherein preventing the modified file data from executing is performed in response to initiation of the lock down mode.
  - 29. The method of claim 28, wherein the workstation is continually in lock down mode.
  - 30. The method of claim 28 further comprising identifying a software virus, wherein initiating the lock down occurs in response to identifying the software virus.
  - 31. The method of claim 28, wherein modifying the file date comprises saving existing file data to a memory.
  - 32. The method of claim 28, wherein modifying the file data comprises changing the location of the file data in a memory.
  - 33. The method of claim 28, wherein modifying the file data comprises saving a new file to a memory.
  - 34. The method of claim 28, wherein modifying the file data comprises renaming the file data in a memory.
  - 35. The method of claim 28, wherein modifying the file data comprises deleting the file data from a memory.
  - 36. The method of claim 28, wherein flagging the meta data comprises inserting one or more bits of data into the meta data, the bits identifying the file data as being modified.
  - 37. The method of claim 28, further comprising updating a virus protection program to include information relating to the software virus.
  - 38. The method of claim 37, further comprising ending the lock down mode on the workstation after updating the virus protection program.
  - 39. The method of claim 28, wherein preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data is performed at least in part by a kernel.

40. A program storage device storing instructions that when executed by a computer perform the method of:
- creating a new file on a workstation;
  
  identifying the new file with a flag, wherein the flag is a code added to meta data associated with the new file;
  
  creating a hash for the new file, wherein the hash is created at least in part on the meta data associated with the new file; and
  
  storing the hash and the flag in a memory.
- View Dependent Claims (41)
- - 41. The method of claim 40, wherein identifying the new file comprises inserting one or more bits of data into the meta data, the bits identifying the file data as being new.

42. A program storage device storing instructions that when executed by a computer perform the method of:
- modifying an executable file;
  
  creating a signature for the modified file, wherein the signature is based at least in part on meta data associated with the modified file;
  
  determining if the signature is already stored;
  
  if the signature is in the signature table, then determining if the signature is associated with a flag;
  
  if the signature is not in the signature table, then adding a flag to meta data associated with the modified file;
  
  if the signature associated with the modified file is not stored, then associating a flag with the modified file; and
  
  storing the flag and the signature associated with the modified file.
- View Dependent Claims (43)
- - 43. The method of claim 42, wherein creating a signature for the modified file is performed before a lock down is initiated.

44. A program storage device storing instructions that when executed by a computer perform the method of:
- modifying meta data associated with a first file, wherein the first file is a trusted file;
  
  identifying a virus threat;
  
  initiating a lock down mode in response to the identified virus threat, wherein files created or modified after the lock down is initiated are not allowed to execute;
  
  flagging a second file created after initiation of the lock down mode, wherein the second file relates to the first file;
  
  denying execution of the second file; and
  
  terminating the lock down mode after denying execution of the second file.
- View Dependent Claims (45, 46, 47, 48)
- - 45. The method of claim 44, wherein not allowing the files created or modified after the lock down is performed in response to initiation of the lock down mode.
  - 46. The method of claim 44, wherein the workstation is continually in lock down mode.
  - 47. The method of claim 44 further comprising identifying a software virus threat, wherein initiating the lock down occurs in response to identifying the software virus threat.
  - 48. The method of claim 44, further comprising updating a virus protection program to include information relating to the software virus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Papa, Joseph, Sharma, Rajesh, Lo, Winping

Granted Patent

US 8,453,243 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/60   Protecting data

Real time lockdown

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Real time lockdown

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links