FILE ORIGIN DETERMINATION
First Claim
1. A method for determining an origin of a file on a computer system comprising:
- monitoring file origin events on the computer system;
- selecting a file of interest resulting from one of the file origin events;
- identifying a precursor file from which the file of interest emanates as a result of the one of the file origin events; and
- iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest until an origin file with no further precursor file is identified.
Abstract
An origin of a file of interest on a computer system is determined by monitoring file origin events on the computer system. A file of interest resulting from one of the file origin events may then be selected for tracing. A precursor file from which the file of interest emanates as a result of one of the file origin events is then identified. By iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest, an origin file with no further precursor file may thus be identified. It is thus possible to trace back a given process or file of interest to a file container and/or location that initially introduced it into the computer system and any intermediate files or forms the process or file of interest may have assumed.
30 Claims
1. A method for determining an origin of a file on a computer system comprising:
- monitoring file origin events on the computer system;
- selecting a file of interest resulting from one of the file origin events;
- identifying a precursor file from which the file of interest emanates as a result of the one of the file origin events; and
- iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest until an origin file with no further precursor file is identified.
Dependent claims: 2 to 14.
15. The method of claim further comprising:
- determining whether the file of interest is a safe file;
- compiling a list of origin files associated with any safe files; and
- allowing an occurrence of a file origin event associated with any origin file on the list.
16. A method for determining an origin of malware on a computer system comprising:
- monitoring file origin events on the computer system;
- detecting a malware file on the computer system; and
- identifying an origin file related to the malware file through one or more of the file origin events.
Dependent claims: 17 to 27.
28. A computer system for determining an origin of a file on a computer system comprising:
- a processor;
- a data storage device;
- a monitoring module stored within the data storage device and executed by the processor that monitors file origin events on the computer system and records the file origin events in a data structure within the data storage device; and
- an origin determination module stored within the data storage device and executed by the processor that selects a file of interest resulting from one of the file origin events, identifies a precursor file from which the file of interest emanates as a result of the one of the file origin events, and iteratively identifies successive precursor files substituted for the file of interest until an origin file with no further precursor file, an origin location, or both are identified.
Dependent claims: 29 and 30.
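The tracing procedure of the abstract and claims 1 and 28, plus the safe-origin allow list of claim 15, as an added illustration that is not the patent's or any assignee's implementation. The event log, the Windows-style paths and the URLs are constructed sample data; a real monitoring module would record the same (event kind, precursor, result) triples from file-system, download and process-creation hooks.

```python
# Constructed file origin events: (event_kind, precursor, result).
# Each triple records that `result` emanated from `precursor` (a download from
# a location, an archive extraction, a copy, or a process launched from a file).
EVENTS = [
    ("download", "http://example.invalid/tools.zip", "C:/Users/a/Downloads/tools.zip"),
    ("extract", "C:/Users/a/Downloads/tools.zip", "C:/Users/a/Downloads/tools/setup.exe"),
    ("copy", "C:/Users/a/Downloads/tools/setup.exe", "C:/ProgramData/svc.exe"),
    ("exec", "C:/ProgramData/svc.exe", "pid:4242"),
    ("download", "http://vendor.invalid/patch.exe", "C:/Users/a/Downloads/patch.exe"),
]


def build_precursor_map(events):
    """Index the recorded events by result so a file's precursor can be looked up.
    This plays the role of the data structure the monitoring module maintains."""
    precursor_of = {}
    for kind, precursor, result in events:
        precursor_of[result] = (kind, precursor)
    return precursor_of


def trace_origin(file_of_interest, precursor_of):
    """Repeatedly substitute the precursor for the file of interest until a
    file (or location) with no recorded precursor remains: the origin.
    Returns the full chain, file of interest first, origin last."""
    chain = [file_of_interest]
    seen = {file_of_interest}
    current = file_of_interest
    while current in precursor_of:
        _kind, precursor = precursor_of[current]
        if precursor in seen:  # defensive stop on a malformed (cyclic) event log
            break
        seen.add(precursor)
        chain.append(precursor)
        current = precursor
    return chain


def origin_of(file_of_interest, precursor_of):
    """The origin file or location is simply the last element of the chain."""
    return trace_origin(file_of_interest, precursor_of)[-1]


def safe_origins(safe_files, precursor_of):
    """Claim 15: compile the list of origin files associated with known safe files."""
    return {origin_of(f, precursor_of) for f in safe_files}


def should_allow(event, allowed_origins, precursor_of):
    """Claim 15: allow a new file origin event whose precursor traces to a safe origin."""
    _kind, precursor, _result = event
    return origin_of(precursor, precursor_of) in allowed_origins
```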
Specification