Real time lockdown
Abstract
A system and method that trusts the software executables existing on a machine prior to activation, for different types of access (e.g. execution, network, and registry). The system detects new executables added to the machine as well as previously existing executables that have been modified, moved, renamed or deleted. In certain embodiments, the system tags such a file with a flag marking it as modified or newly added. Once a file is tagged, the system intercepts particular types of access by it (execution, network or registry), determines whether the file performing the access is flagged, and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations on file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be used to implement the system.
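As an added illustration (not code from the patent or any product implementing it), the following Python model shows the mechanism the abstract describes: executables present before activation are trusted, new or modified file data gets a flag written into its metadata together with a stored signature, and the execution intercept denies flagged files while lock down mode is active. The class and the FLAG value are assumptions, and a dict stands in for NTFS extended attributes.

```python
import hashlib
from dataclasses import dataclass, field

FLAG = "lockdown.modified"   # hypothetical code written into the file's metadata

@dataclass
class TrackedFile:
    path: str
    data: bytes
    meta: dict = field(default_factory=dict)   # stands in for NTFS extended attributes

class LockdownFilter:
    """In-memory model: trusts pre-existing files, flags changes, gates execution."""
    def __init__(self):
        self.files = {}        # path -> TrackedFile
        self.signatures = {}   # signature -> FLAG or None (the stored signature table)
        self.lockdown = False  # set True when a threat is identified, False to terminate

    @staticmethod
    def signature(f):
        # Signature covers content plus metadata (here the path), as in claims 14 and 16.
        return hashlib.sha256(f.path.encode() + b"\0" + f.data).hexdigest()

    def trust_existing(self, path, data):
        """Executables present before activation are trusted: stored without a flag."""
        f = TrackedFile(path, data)
        self.files[path] = f
        self.signatures[self.signature(f)] = None

    def write(self, path, data):
        """Intercepted file write: new or modified data is tagged in metadata."""
        f = self.files.setdefault(path, TrackedFile(path, b""))
        f.data = data
        sig = self.signature(f)
        if sig not in self.signatures or self.signatures[sig] is not None:
            f.meta["flag"] = FLAG          # unknown or previously flagged signature
            self.signatures[sig] = FLAG
        else:
            f.meta.pop("flag", None)       # content matches a stored trusted signature

    def execute(self, path):
        """Execution intercept: returns (allowed, reason) for the requested access."""
        f = self.files[path]
        if "flag" not in f.meta:
            return True, "trusted"
        if self.lockdown:
            return False, "flagged file denied during lock down"
        return True, "flagged; allowed outside lock down by default policy"
```

Reverting a flagged file to content whose signature was stored as trusted clears the flag again, which is how the model distinguishes a tampered file from one restored to a known-good state.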
48 Claims

1. A method of preventing the execution of file data on a workstation, the method comprising:
   - identifying a file having modified file data;
   - flagging meta data associated with the modified file data; and
   - preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.
   Dependent claims: 2-13.

14. A method of creating a signature and flag for an executable software program on a workstation, the method comprising:
   - creating a new file on a workstation;
   - identifying the new file with a flag, wherein the flag is a code added to meta data associated with the new file;
   - creating a hash for the new file, wherein the hash is created at least in part on the meta data associated with the new file; and
   - storing the hash and the flag in a memory.
   Dependent claims: 15.

16. A method of monitoring and tracking changes to a signature for a modified file, the method comprising:
   - modifying an executable file;
   - creating a signature for the modified file, wherein the signature is based at least in part on meta data associated with the modified file;
   - determining if the signature is already stored;
   - if the signature is already stored, then determining if the signature is associated with a flag;
   - if the signature is not stored, then adding a flag to meta data associated with the modified file;
   - if the signature associated with the modified file is not stored, then associating a flag with the modified file; and
   - storing the flag and the signature associated with the modified file.
   Dependent claims: 17.

18. A method of protecting a workstation from a virus threat, the method comprising:
   - modifying meta data associated with a first file, wherein the first file is a trusted file;
   - identifying a virus threat;
   - initiating a lock down mode in response to the identified virus threat, wherein files created or modified after the lock down is initiated are not allowed to execute;
   - flagging a second file created after initiation of the lock down mode, wherein the second file relates to the first file;
   - denying execution of the second file; and
   - terminating the lock down mode after denying execution of the second file.
   Dependent claims: 19-21.

22. A system for preventing the execution of software code, the system comprising:
   - a software module configured to modify a data file having meta data associated with the data file;
   - a storage medium configured to store the data file; and
   - a filter configured to flag the meta data associated with the modified file data during a lock down mode and prevent the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.

23. A system for preventing the execution of file data on a workstation, the system comprising:
   - means for modifying file data having meta data associated with the file data;
   - means for flagging the meta data associated with the modified file data; and
   - means for preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.
   Dependent claims: 24-26.

27. A program storage device storing instructions that when executed by a computer perform the method of:
   - identifying a file having modified file data;
   - flagging meta data associated with the modified file data; and
   - preventing the modified file data from executing based at least in part on the flagged meta data associated with the modified file data.
   Dependent claims: 28-39.

40. A program storage device storing instructions that when executed by a computer perform the method of:
   - creating a new file on a workstation;
   - identifying the new file with a flag, wherein the flag is a code added to meta data associated with the new file;
   - creating a hash for the new file, wherein the hash is created at least in part on the meta data associated with the new file; and
   - storing the hash and the flag in a memory.
   Dependent claims: 41.

42. A program storage device storing instructions that when executed by a computer perform the method of:
   - modifying an executable file;
   - creating a signature for the modified file, wherein the signature is based at least in part on meta data associated with the modified file;
   - determining if the signature is already stored;
   - if the signature is in the signature table, then determining if the signature is associated with a flag;
   - if the signature is not in the signature table, then adding a flag to meta data associated with the modified file;
   - if the signature associated with the modified file is not stored, then associating a flag with the modified file; and
   - storing the flag and the signature associated with the modified file.
   Dependent claims: 43.

44. A program storage device storing instructions that when executed by a computer perform the method of:
   - modifying meta data associated with a first file, wherein the first file is a trusted file;
   - identifying a virus threat;
   - initiating a lock down mode in response to the identified virus threat, wherein files created or modified after the lock down is initiated are not allowed to execute;
   - flagging a second file created after initiation of the lock down mode, wherein the second file relates to the first file;
   - denying execution of the second file; and
   - terminating the lock down mode after denying execution of the second file.
   Dependent claims: 45-48.
Specification