Automated identification of firewall malware scanner deficiencies
First Claim
1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, performs a method for investigating malware incidents, the method comprising the steps of:
- maintaining a file access log, the log containing entries for processes operating on a host and timestamps associated with respective processes;
scanning a host to detect an incident of suspected malware residing on the host; and
transmitting an incident report, in response to detection of the incident, to a gateway device, the gateway device including a malware scanner and being arranged to implement security measures in accordance with defined security policies, the incident report containing data from the file access log including identification of a process associated with the incident and a timestamp associated with the process.
2 Assignments
0 Petitions
Accused Products
Abstract
Automated identification of deficiencies in a malware scanner contained in a firewall is provided by correlating incident reports that are generated by desktop protection clients running on hosts in an enterprise that is protected by the firewall. A desktop protection client scans a host for malware incidents, and when detected, analyzes the host'"'"'s file access log to extract one or more pieces of information about the incident (e.g., identification of a process that placed the infected file on disk, an associated timestamp, file or content type, malware type, hash of such information, or hash of the infected file). The firewall correlates this file access log information with data in its own log to enable the firewall to download the content again and inspect it. If malware is detected, then it is assumed that it was missed when the file first entered the enterprise because the firewall did not have an updated signature. However, if the malware is not detected, then there is a potential deficiency.
-
Citations
20 Claims
-
1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, performs a method for investigating malware incidents, the method comprising the steps of:
-
maintaining a file access log, the log containing entries for processes operating on a host and timestamps associated with respective processes; scanning a host to detect an incident of suspected malware residing on the host; and transmitting an incident report, in response to detection of the incident, to a gateway device, the gateway device including a malware scanner and being arranged to implement security measures in accordance with defined security policies, the incident report containing data from the file access log including identification of a process associated with the incident and a timestamp associated with the process. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A method performed by a firewall for identifying a deficiency in a malware scanner disposed in the firewall, the method comprising the steps of:
-
receiving data from a host in an enterprise protected by the firewall, the data indicating a suspected incident of malware being resident on the host and further identifying a host process associated with the incident; correlating the data received from the host with firewall log entries i) to confirm that the host process resulted in a file being retrieved at the firewall and, ii) to identify a source of the retrieved file; downloading the file from the identified source; and inspecting the downloaded file for malware. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
-
-
15. A method for providing a service for addressing deficiencies in firewall malware scanning, the method comprising the steps of:
-
receiving one or more incident reports generated by one or more firewalls, each of the firewalls including a malware scanner, and each of the one or more incident reports including data describing an incident in which the malware scanner did not detect malware contained in incoming traffic to the one or more firewalls; and determining, using the received one or more incident reports, if a deficiency in the malware scanner was a cause for the malware to be undetected by the malware scanner. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification