COMPUTER DEVICE AND METHOD FOR ISOLATING UNTRUSTED CONTENT

US 20150150142A1
Filed: 10/21/2014
Published: 05/28/2015
Est. Priority Date: 10/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method for isolating untrusted content on a computer device, the method comprising:

intercepting a task from a primary user account prior to execution of the task by the computer device, wherein the task relates to an untrusted content;

providing a task isolation environment for executing the task, including provisioning the task isolation environment by programmatically creating a secondary user account on the computer device;

executing the task in the task isolation environment in relation to the untrusted content; and

redirecting a folder from the secondary user account of the task isolation environment to a folder of the primary user account.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system and method are provided to intercept a task from a primary user account 121 prior to execution of the task by the computer device 200, where the task relates to an untrusted content. A task isolation environment 350 is provisioned for executing the task, including programmatically creating a secondary user account 121b on the computer device. The task is executed in the task isolation environment 350 in relation to the untrusted content. A second folder 126b in the secondary user account 121b is mapped to a first folder 126a in the primary user account 121 and file access requests for the second folder 126b are intercepted by an agent 300 and redirected to the first folder 126a.

Citations

20 Claims

1. A method for isolating untrusted content on a computer device, the method comprising:
- intercepting a task from a primary user account prior to execution of the task by the computer device, wherein the task relates to an untrusted content;
  
  providing a task isolation environment for executing the task, including provisioning the task isolation environment by programmatically creating a secondary user account on the computer device;
  
  executing the task in the task isolation environment in relation to the untrusted content; and
  
  redirecting a folder from the secondary user account of the task isolation environment to a folder of the primary user account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - hooking a file access request to create or open a file by a process executing in the task isolation environment;
      
      where the file access request concerns a file locally within the isolation environment, then allowing the file to be created or opened by the operating system in the secondary user account; and
      
      where the file access request concerns a target file in the folder redirected within the primary user account, then creating an impersonation token of the primary user account to access the target file.
  - 3. The method of claim 2, further comprising:
    - tagging the target file with a tag; and
      
      intercepting a task in the primary user account which subsequently attempts to access the target file having the tag.
  - 4. The method of claim 3, further comprising causing a subsequent file access request to the target file in the folder of the primary user account originated by a user process operating in the primary user account to be satisfied by accessing the target file by the task in the task isolation environment of the secondary user account.
  - 5. The method of claim 1, wherein the folder in the primary user account comprises a plurality of files including at least one trusted file and at least one untrusted file and the method further comprises:
    - selectively allowing the at least one trusted file to be accessed only by a user process of the primary user account, andselectively allowing the at least one untrusted file to be accessed only by the task in the task isolation environment of the secondary user account.
  - 6. The method of claim 1, further comprising:
    - intercepting a file access request by the task in the task isolation environment to a local file in a local folder of the secondary user account, andselectively allowing the file access request to proceed to be performed by the operating system on the local file in the local folder of the secondary user account.
  - 7. The method of claim 1, further comprising:
    - intercepting a file access request by the user process to a requested file in a folder of the primary user account, andselectively allowing the file access request to proceed to be performed by the operating system on the requested file in the folder of the primary user account.
  - 8. The method of claim 1, further comprising:
    - providing a named object associated with the primary user account;
      
      intercepting an object create operation or an object open operation in relation to the named object by a process in the task isolation environment;
      
      checking a policy result in relation to the named object; and
      
      providing to the process, if access is granted, an impersonation token having access to the named object, thereby allowing the process to access the named object using the impersonation token.
  - 9. The method of claim 1, further comprising:
    - making a request for creation of a named object within the task isolation environment by a process therein;
      
      intercepting the request;
      
      passing a modified name of the object to the process by modifying a name of the object; and
      
      creating the named object using the modified name.

10. A computer device, comprising:
- a hardware layer including at least a processor and a memory;
  
  an operating system which performs tasks using the hardware layer;
  
  a user process operating under a primary user account controlled by the operating system and configured to request a task to be actioned by the operating system, wherein the primary user account comprises a first folder for containing files which are accessible under the primary user account;
  
  an agent configured to execute in cooperation with the operating system, and wherein the agent is configured to;
  
  intercept the task before being actioned by the operating system and provide task metadata relevant to the intercepted task;
  
  examine the task metadata and selectively output a policy result identifying the task as being an untrusted task;
  
  provision a task isolation environment by programmatically creating a secondary user account on the computer device, wherein the secondary user account comprises a second folder for containing files which are accessible under the secondary user account; and
  
  cause the untrusted task to be executed as an isolated process in the task isolation environment provided by the secondary user account;
  
  map the second folder of the secondary user account to the first folder of the primary user account; and
  
  redirect a file access request by the isolated process to a subject file in the second folder to be performed by the operating system in relation to a target file in the first folder of the primary user account.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The computer device of claim 10, wherein the agent is further configured to:
    - intercept a file access request by the user process to the target file in the first folder of the primary user account, andselectively deny the file access request to prevent the file access request being performed by the operating system where the target file has previously been accessed by the isolated process of the secondary user account.
  - 12. The computer device of claim 10, wherein the agent is further configured to:
    - hook a file access request by the isolated process executing in the task isolation environment of the secondary user account, wherein the file access request concerns a local file held locally within the secondary user account; and
      
      allow the file access request to be performed by the operating system on the local file in the secondary user account.
  - 13. The computer device of claim 10, wherein the agent is further configured to:
    - hook a file access request by the isolated process executing in the task isolation environment of the secondary user account, wherein the file access request concerns the target file; and
      
      create an impersonation token of the primary user account to access the target file when the file access request is redirected to be performed by the operating system on the target file in the first folder within the primary user account.
  - 14. The computer device of claim 10, wherein the agent is configured to:
    - deny the file access request made by the isolated process in the secondary user account concerning the target file where the file access request would cause an existing file to be overwritten in the first folder of the primary user account.
  - 15. The computer device of claim 10, wherein the agent is further configured to:
    - tag the target file in the primary user account when the file is accessed in response to the file access request of the isolated process in the secondary user account, andintercept a subsequent file access request by the user process in the primary user account which subsequently attempts to access the target file having the tag.
  - 16. The computer device of claim 15, wherein the agent is further configured to:
    - cause the subsequent file access request to be satisfied by accessing the target file by the isolated process of the secondary user account.
  - 17. The computer device of claim 10, wherein the first folder in the primary user account comprises a plurality of files including at least one trusted file and at least one untrusted file and the agent is configured to selectively allow the at least one trusted file to be accessed only by the user process of the primary user account and to allow the at least one untrusted file to be accessed only by the isolated process of the secondary user account.
  - 18. The computer device of claim 10, wherein the agent is further configured to determine a permitted level of access of the isolated process to the target file and to selectively allow or deny the file access request compared with the determined permitted level of access.
  - 19. The computer device of claim 10, wherein:
    - the primary user account is associated with a named object, andthe agent is arranged to intercept an object create operation or an object open operation in relation to the named object by a process in the task isolation environment, check a policy result in relation to the named object and, if access is granted, to provide to the process an impersonation token having access to the named object, thereby allowing the process to access the named object using the impersonation token.
  - 20. The computer device of claim 10, wherein:
    - a process in the task isolation environment is arranged to make a request for creation of a named object within the task isolation environment; and
      
      the agent is arranged to intercept the request, provide a modified name of the object by modifying an original name of the object, and cause the process to create the named object using the modified name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avecto Limited (BeyondTrust Corp.)
Original Assignee
Avecto Limited (BeyondTrust Corp.)
Inventors
AUSTIN, Mark, GOODRIDGE, John

Granted Patent

US 9,715,646 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 16/1734   Details of monitoring file ...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6209   to a single file or object,...

G06F 2221/03   Indexing scheme relating to...

G06F 3/1222   Increasing security of the ...

G06F 9/4812   by interrupt, e.g. masked

G06K 15/4095   Secure printing computer dr...

COMPUTER DEVICE AND METHOD FOR ISOLATING UNTRUSTED CONTENT

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER DEVICE AND METHOD FOR ISOLATING UNTRUSTED CONTENT

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links