Filtering kernel-mode network communications
First Claim
1. At least one computer-readable medium encoded with a plurality of instructions that when executed perform a method in a computer environment that comprises a computer network to which the computer system is coupled, the method comprising acts of:
- (A) determining whether a process that is executing on the computer system and attempting to send and/or receive data over the computer network is executing in an operating system kernel mode of the computer system; and
- (B) notifying at least one security engine in the computer environment of the determination made in the act (A).
Abstract
Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data with another computer system, or is attempting to do so, is executing in kernel mode or user mode, and to providing an indicator of this determination to a security engine. In some embodiments, the indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and that filters communications based on the process's operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve the security of a computer system.
20 Claims
1. At least one computer-readable medium encoded with a plurality of instructions that when executed perform a method in a computer environment that comprises a computer network to which the computer system is coupled, the method comprising acts of:
- (A) determining whether a process that is executing on the computer system and attempting to send and/or receive data over the computer network is executing in an operating system kernel mode of the computer system; and
- (B) notifying at least one security engine in the computer environment of the determination made in the act (A).
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method for use in a computer system operating in a computer environment that further comprises a computer network to which the computer system is coupled, the method comprising:
- (A) determining whether a process that is attempting to send and/or receive at least one communication over the computer network is executing in an operating system kernel mode of the computer system;
- (B) notifying at least one security engine in the computer environment of the determination made in the act (A); and
- (C) allowing or disallowing the process to perform the operation based on a determination of the security engine.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A computer environment comprising:
- at least one computer system having at least one process executing thereon that attempts to send and/or receive at least one communication over a computer network, the computer system comprising at least one processor programmed to determine whether the at least one process is executing in an operating system kernel mode of the at least one computer system; and
- at least one security engine that establishes at least one security policy that determines at least one filtering function that the at least one security engine performs on at least one communication sent and/or received by the computer system, wherein the at least one security policy employs at least one filtering parameter that is based on a determination of whether a source and/or destination for the at least one communication in the computer system is a process executing in an operating system kernel mode of the computer system.
Dependent claims: 16, 17, 18, 19, 20.
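As an added illustration (not code from the patent or from any product implementing it), the following Python sketch plays through the three acts of claim 8: an operating-system component has already made the kernel-mode/user-mode determination (A), hands it to a security engine (B), and the engine allows or disallows the attempt (C) using a first-match policy whose rules may key on the operating mode, which is the "greater specificity" the abstract refers to. The process names, ports and the policy itself are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional
class Mode(Enum):
    KERNEL = "kernel"   # process executes in operating-system kernel mode
    USER = "user"       # process executes in user mode

@dataclass(frozen=True)
class Communication:
    """One attempted send/receive as presented to the engine (constructed)."""
    process: str        # hypothetical process name, for readability only
    direction: str      # "out" (send) or "in" (receive)
    remote_port: int
    mode: Mode          # the act (A) determination, supplied by the OS component

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    direction: Optional[str] = None    # None = either direction
    remote_port: Optional[int] = None  # None = any port
    mode: Optional[Mode] = None        # None = either mode (a mode-blind rule)
    def matches(self, c: Communication) -> bool:
        return ((self.direction is None or self.direction == c.direction)
                and (self.remote_port is None or self.remote_port == c.remote_port)
                and (self.mode is None or self.mode == c.mode))

class SecurityEngine:
    """First-match evaluation; an attempt that no rule matches is disallowed."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
    def notify(self, c: Communication) -> bool:
        """Act (B): receive the mode determination; act (C): allow or disallow."""
        return next((r.action == "allow" for r in self.rules if r.matches(c)), False)

# Constructed sample policy: the same destination port gets a different verdict
# depending on the process's operating mode; a mode-blind rule set cannot say this.
POLICY = [
    Rule("allow", direction="out", remote_port=445, mode=Mode.KERNEL),
    Rule("deny", direction="out", remote_port=445),         # any user-mode sender to 445
    Rule("allow", direction="out", remote_port=443, mode=Mode.USER),
    Rule("deny", mode=Mode.KERNEL),                         # kernel mode gets nothing else
]

def run_sample() -> List[bool]:
    engine = SecurityEngine(POLICY)
    attempts = [Communication("fs-redirector", "out", 445, Mode.KERNEL),  # allow
                Communication("office-app", "out", 445, Mode.USER),       # deny
                Communication("browser", "out", 443, Mode.USER),          # allow
                Communication("driver-x", "out", 443, Mode.KERNEL)]       # deny
    return [engine.notify(c) for c in attempts]
```

Rule order matters: the mode-specific allow for port 445 must precede the mode-blind deny, and an inbound attempt that no rule covers falls through to the implicit deny.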
Specification