Automated identification of firewall malware scanner deficiencies

US 20080229419A1
Filed: 03/16/2007
Published: 09/18/2008
Est. Priority Date: 03/16/2007
Status: Abandoned Application

First Claim

Patent Images

1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, performs a method for investigating malware incidents, the method comprising the steps of:

maintaining a file access log, the log containing entries for processes operating on a host and timestamps associated with respective processes;

scanning a host to detect an incident of suspected malware residing on the host; and

transmitting an incident report, in response to detection of the incident, to a gateway device, the gateway device including a malware scanner and being arranged to implement security measures in accordance with defined security policies, the incident report containing data from the file access log including identification of a process associated with the incident and a timestamp associated with the process.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automated identification of deficiencies in a malware scanner contained in a firewall is provided by correlating incident reports that are generated by desktop protection clients running on hosts in an enterprise that is protected by the firewall. A desktop protection client scans a host for malware incidents, and when detected, analyzes the host'"'"'s file access log to extract one or more pieces of information about the incident (e.g., identification of a process that placed the infected file on disk, an associated timestamp, file or content type, malware type, hash of such information, or hash of the infected file). The firewall correlates this file access log information with data in its own log to enable the firewall to download the content again and inspect it. If malware is detected, then it is assumed that it was missed when the file first entered the enterprise because the firewall did not have an updated signature. However, if the malware is not detected, then there is a potential deficiency.

Citations

20 Claims

1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, performs a method for investigating malware incidents, the method comprising the steps of:
- maintaining a file access log, the log containing entries for processes operating on a host and timestamps associated with respective processes;
  
  scanning a host to detect an incident of suspected malware residing on the host; and
  
  transmitting an incident report, in response to detection of the incident, to a gateway device, the gateway device including a malware scanner and being arranged to implement security measures in accordance with defined security policies, the incident report containing data from the file access log including identification of a process associated with the incident and a timestamp associated with the process.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-readable medium of claim 1 in which the malware is one of virus, trojan horse, rootkit, spyware, or malicious executable code.
  - 3. The computer-readable medium of claim 1 in which the gateway device is arranged to provide enterprise-level security to a plurality of hosts, the hosts being selected from computers, workstations, or terminals.
  - 4. The computer-readable medium of claim 1 in which the gateway device is one of proxy server, central server, or firewall.
  - 5. The computer-readable medium of claim 1 in which the processes are processes that receive network traffic.
  - 6. The computer-readable medium of claim 1 in which the scanning is performed in real time or performed periodically.

7. A method performed by a firewall for identifying a deficiency in a malware scanner disposed in the firewall, the method comprising the steps of:
- receiving data from a host in an enterprise protected by the firewall, the data indicating a suspected incident of malware being resident on the host and further identifying a host process associated with the incident;
  
  correlating the data received from the host with firewall log entries i) to confirm that the host process resulted in a file being retrieved at the firewall and, ii) to identify a source of the retrieved file;
  
  downloading the file from the identified source; and
  
  inspecting the downloaded file for malware.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7 including a further step of obtaining available signature updates, the obtaining being performed prior to the downloading so that the inspecting is performed using currently-available malware signatures.
  - 9. The method of claim 8 including a further step of generating an incident report for transmission to a response center if the inspecting does not result in detection of the malware, the incident report containing data describing the incident.
  - 10. The method of claim 9 including a further step of obtaining an approval from a user prior to the transmission to the response center.
  - 11. The method of claim 9 in which the incident report data includes file access log data obtained from the host.
  - 12. The method of claim 9 in which the incident report data includes firewall log data.
  - 13. The method of claim 9 in which the data describing the incident comprises at least one of identification of the host process, a timestamp associated with the host process, or a description of the malware.
  - 14. The method of claim 7 in which the source is a web site accessible from the Internet.

15. A method for providing a service for addressing deficiencies in firewall malware scanning, the method comprising the steps of:
- receiving one or more incident reports generated by one or more firewalls, each of the firewalls including a malware scanner, and each of the one or more incident reports including data describing an incident in which the malware scanner did not detect malware contained in incoming traffic to the one or more firewalls; and
  
  determining, using the received one or more incident reports, if a deficiency in the malware scanner was a cause for the malware to be undetected by the malware scanner.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 including a further step of providing remediation in response to the determining, the remediation comprising issuing, to the one or more firewalls, one of a hot fix, service pack, patch, or update.
  - 17. The method of claim 15 in which the determining includes correlating the received one or more incident reports to reduce a number of potential suspected sources of the malware.
  - 18. The method of claim 15 including a further step of preparing a report regarding the deficiency for review by an administrator to assist a manual analysis.
  - 19. The method of claim 18 in which the steps of receiving, determining, and preparing are performed in an automated manner without requiring user intervention.
  - 20. The method of claim 15 in which the service is provided by, or on behalf of a vendor of a product that incorporates the malware scanner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Holostov, Vladimir

Application Number

US11/724,705
Publication Number

US 20080229419A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/0263   Rule management

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Automated identification of firewall malware scanner deficiencies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated identification of firewall malware scanner deficiencies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links