COMPUTER DEVICE AND METHOD FOR ISOLATING UNTRUSTED CONTENT
First Claim
1. A method for isolating untrusted content on a computer device, the method comprising:
- intercepting a task from a primary user account prior to execution of the task by the computer device, wherein the task relates to an untrusted content;
- provisioning a task isolation environment for executing the task, including (i) programmatically creating a secondary user account on the computer device, (ii) determining a network drive which is mapped in the primary user account, and (iii) recreating the network drive in the secondary user account by mapping the network drive into the secondary user account;
- executing the task in the task isolation environment in relation to the untrusted content;
- intercepting by an agent a file access request by the task in relation to the mapped network drive of the secondary user account; and
- determining by the agent whether to allow or deny the file access request by the task in relation to the mapped network drive of the secondary user account.
Abstract
A computer system and method are provided to intercept a task from a primary user account 121 prior to execution of the task by the computer device 200, where the task relates to an untrusted content. A task isolation environment 350 is provisioned for executing the task, including programmatically creating a secondary user account 121b on the computer device. A mapped network drive 420 of the primary user account 121 is determined and is automatically provisioned in the secondary user account 121b. Access to the mapped network drive 420 is controlled by an agent 300 on the computer device 200.
20 Claims
10. A computer device, comprising:
- a hardware layer including at least a processor and a memory;
- an operating system which performs tasks using the hardware layer;
- a user process operating in a primary user account controlled by the operating system and configured to request a task to be actioned by the operating system, wherein the primary user account comprises a network drive which is mapped into the primary user account;
- an agent arranged to execute in cooperation with the operating system, and wherein the agent is configured to:
  - intercept the task before being actioned by the operating system and provide task metadata relevant to the intercepted task;
  - examine the task metadata and selectively output a policy result identifying the task as being an untrusted task;
  - provision a task isolation environment by (i) programmatically creating a secondary user account on the computer device, (ii) determining a network drive which is mapped in the primary user account, and (iii) recreating the network drive in the secondary user account by mapping the network drive into the secondary user account; and
  - cause the untrusted task to be executed as an isolated process in the task isolation environment provided by the secondary user account.
Specification