FILE ORIGIN DETERMINATION

US 20070174911A1
Filed: 01/23/2007
Published: 07/26/2007
Est. Priority Date: 01/25/2006
Status: Active Grant

First Claim

Patent Images

1. A method for determining an origin of a file on a computer system comprisingmonitoring file origin events on the computer system;

selecting a file of interest resulting from one of the file origin events;

identifying a precursor file from which the file of interest emanates as a result of the one of the file origin events; and

iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest until an origin file with no further precursor file is identified.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An origin of a file of interest on a computer system is determined by monitoring file origin events on the computer system. A file of interest resulting from one of the file origin events may then be selected for tracing. A precursor file from which the file of interest emanates as a result of one of the file origin events is then identified. By iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest, an origin file with no further precursor file may thus be identified. It is thus possible to trace back a given process or file of interest to a file container and/or location that initially introduced it into the computer system and any intermediate files or forms the process or file of interest may have assumed.

73 Citations

View as Search Results

30 Claims

1. A method for determining an origin of a file on a computer system comprisingmonitoring file origin events on the computer system;
- selecting a file of interest resulting from one of the file origin events;
  
  identifying a precursor file from which the file of interest emanates as a result of the one of the file origin events; and
  
  iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest until an origin file with no further precursor file is identified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising recording the file origin events in a data structure.
  - 3. The method of claim 2 further comprisingassociating the precursor file and the file of interest with the one of the file origin events in the data structure.
  - 4. The method of claim 1 further comprising identifying an origin location of the file of interest.
  - 5. The method of claim 4 wherein the operation of identifying an origin location further comprises identifying a uniform resource locator associated with the origin location.
  - 6. The method of claim 4 further comprisingrecording the file origin events in a data structure;
    - associating the precursor file and the file of interest with the one of the file origin events in the data structure; and
      
      associating the origin location with the one of the file origin events in the data structure.
  - 7. The method of claim 4, wherein the origin location is located within a remote computer system accessible via a network and the iterative operation further comprises performing the identifying operation upon successive precursor files within the remote computer system.
  - 8. The method of claim 1, wherein either the precursor file, the origin file, or both comprises an external data source file.
  - 9. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a program source file.
  - 10. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a container file.
  - 11. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a copied file.
  - 12. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a renamed file.
  - 13. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a transformed file.
  - 14. The method of claim 1 further comprisingdetermining whether the file of interest is a malware file;
    - compiling a list of origin files associated with any malware files; and
      
      preventing an occurrence of a file origin event associated with any origin file on the list.

15. The method of claim further comprisingdetermining whether the file of interest is a safe file;
- compiling a list of origin files associated with any safe files; and
  
  allowing an occurrence of a file origin event associated with any origin file on the list.

16. A method for determining an origin of malware on a computer system comprisingmonitoring file origin events on the computer system;
- detecting a malware file on the computer system;
  
  identifying an origin file related to the malware file through one or more of the file origin events.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The method of claim 16, wherein the identifying operation further comprisesmaintaining a database file of relationships between the malware file, the origin file, and the one or more of the file origin events.
  - 18. The method of claim 16 further comprising identifying an origin location of the malware file.
  - 19. The method of claim 16, wherein the origin file comprises an external data source file.
  - 20. The method of claim 16, wherein the origin file comprises a program source file.
  - 21. The method of claim 16, wherein the origin file comprises a container file.
  - 22. The method of claim 16, wherein the origin file comprises a copied file.
  - 23. The method of claim 16, wherein the origin file comprises a renamed file.
  - 24. The method of claim 16, wherein the origin file comprises a transformed file.
  - 25. The method of claim 16 wherein the detecting operation further comprises recognizing malicious behavior on the computer system caused by the malware file.
  - 26. The method of claim 16 further comprising creating a signature for the origin file.
  - 27. The method of claim 16 further comprising transmitting the signature to a central server via a network connected to the computer system.

28. A computer system for determining an origin of a file on a computer system comprisinga processor;
- a data storage device;
  
  a monitoring module stored within the data storage device and executed by the processor that monitors file origin events on the computer system and records the file origin events in a data structure within the data storage device; and
  
  an origin determination module stored within the data storage device and executed by the processor thatselects a file of interest resulting from one of the file origin events,identifies a precursor file from which the file of interest emanates as a result ofthe one of the file origin events, anditeratively identifies successive precursor files substituted for the file of interest until an origin file with no further precursor file, an origin location, or both are identified.
- View Dependent Claims (29, 30)
- - 29. The computer system of claim 28, wherein when executed by the processor the origin determination module furtherassociates the precursor file and the file of interest with the one of the file origin events in the data structure;
    - andassociates the origin location with the one of the file origin events in the data structure.
  - 30. The computer system of claim 28 further comprising a network connection, whereinthe origin location is located within a remote computer system accessible by the computer system over a network via the network connection;
    - andorigin determination module further identifies the successive precursor files within the remote computer system to identify the origin file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Novatix Corporation
Inventors
Zahn, Derek, Kronenberg, Pierre-Michel

Granted Patent

US 7,937,758 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 2221/2101 Auditing as a secondary aspect

FILE ORIGIN DETERMINATION

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

FILE ORIGIN DETERMINATION

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links