COMPUTER DEVICE AND METHOD FOR ISOLATING UNTRUSTED CONTENT
First Claim
1. A method for isolating untrusted content on a computer device, the method comprising:
- intercepting a task from a primary user account prior to execution of the task by the computer device, wherein the task relates to an untrusted content;
- providing a task isolation environment for executing the task, including provisioning the task isolation environment by programmatically creating a secondary user account on the computer device;
- executing the task in the task isolation environment in relation to the untrusted content; and
- redirecting a folder from the secondary user account of the task isolation environment to a folder of the primary user account.
Abstract
A computer system and method are provided to intercept a task from a primary user account 121 prior to execution of the task by the computer device 200, where the task relates to an untrusted content. A task isolation environment 350 is provisioned for executing the task, including programmatically creating a secondary user account 121b on the computer device. The task is executed in the task isolation environment 350 in relation to the untrusted content. A second folder 126b in the secondary user account 121b is mapped to a first folder 126a in the primary user account 121 and file access requests for the second folder 126b are intercepted by an agent 300 and redirected to the first folder 126a.
20 Claims
1. (Independent claim, as set out under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer device, comprising:
- a hardware layer including at least a processor and a memory;
- an operating system which performs tasks using the hardware layer;
- a user process operating under a primary user account controlled by the operating system and configured to request a task to be actioned by the operating system, wherein the primary user account comprises a first folder for containing files which are accessible under the primary user account;
- an agent configured to execute in cooperation with the operating system, and wherein the agent is configured to:
  - intercept the task before being actioned by the operating system and provide task metadata relevant to the intercepted task;
  - examine the task metadata and selectively output a policy result identifying the task as being an untrusted task;
  - provision a task isolation environment by programmatically creating a secondary user account on the computer device, wherein the secondary user account comprises a second folder for containing files which are accessible under the secondary user account; and
  - cause the untrusted task to be executed as an isolated process in the task isolation environment provided by the secondary user account;
  - map the second folder of the secondary user account to the first folder of the primary user account; and
  - redirect a file access request by the isolated process to a subject file in the second folder to be performed by the operating system in relation to a target file in the first folder of the primary user account.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.
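The following is an added illustrative model of the agent described in claims 1 and 10, not code from the patent or its assignee. It simulates the sequence the claims recite: intercept a task, evaluate its metadata against a policy, provision an isolated secondary account with its own folder, map that folder onto the primary account's folder, and redirect file access requests. All names (Task, IsolationAgent, evaluate_policy, redirect_path, the /home paths, the list of untrusted sources) are assumptions chosen for the example; nothing is created on the real system. It goes one step beyond the claim text by checking that a redirected request cannot escape the mapped folder via ".." components, which is the containment property a practitioner would want such a redirection to enforce.

```python
"""Illustrative model of a task-isolation agent with folder redirection.
Added example; identifiers and paths are constructed for illustration."""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Constructed policy: content that arrived from these sources is untrusted.
UNTRUSTED_SOURCES = {"internet", "email_attachment", "removable_media"}


@dataclass
class Task:
    executable: str   # program the user process wants to run
    target: str       # the content the task relates to
    source: str       # task metadata: where the content came from
    user: str         # primary user account requesting the task


def evaluate_policy(task: Task) -> bool:
    """Examine task metadata; True means the policy result is 'untrusted'."""
    return task.source in UNTRUSTED_SOURCES


@dataclass
class IsolationEnvironment:
    primary_user: str
    secondary_user: str
    first_folder: PurePosixPath    # folder of the primary account
    second_folder: PurePosixPath   # folder of the secondary account, mapped onto it


def provision_environment(primary_user: str, counter: int) -> IsolationEnvironment:
    """Model of programmatically creating a secondary user account:
    derive an account name and the two folders that will be mapped."""
    secondary = f"{primary_user}_isolated{counter}"
    return IsolationEnvironment(
        primary_user=primary_user,
        secondary_user=secondary,
        first_folder=PurePosixPath(f"/home/{primary_user}/Documents"),
        second_folder=PurePosixPath(f"/home/{secondary}/Documents"),
    )


def redirect_path(env: IsolationEnvironment, requested: str) -> Optional[PurePosixPath]:
    """Redirect a file access in the second folder to the first folder.
    Requests outside the second folder, including ones that would leave it
    through '..' components, are not redirected and return None."""
    req = PurePosixPath(requested)
    if not req.is_absolute():
        return None
    # Normalise '.' and '..' lexically, without touching any filesystem.
    parts = []
    for part in req.parts[1:]:
        if part == "..":
            if parts:
                parts.pop()
        elif part != ".":
            parts.append(part)
    norm = PurePosixPath("/", *parts)
    try:
        rel = norm.relative_to(env.second_folder)
    except ValueError:
        return None          # not a subject file in the second folder
    return env.first_folder / rel


class IsolationAgent:
    """Sits between the user process and the operating system."""

    def __init__(self) -> None:
        self._counter = 0
        self.environments: dict[str, IsolationEnvironment] = {}
        self.log: list[str] = []

    def intercept(self, task: Task) -> dict:
        """Intercept a task before it is actioned; return how it is dispatched."""
        if not evaluate_policy(task):
            self.log.append(f"allow {task.executable} as {task.user}")
            return {"isolated": False, "run_as": task.user}
        self._counter += 1
        env = provision_environment(task.user, self._counter)
        self.environments[env.secondary_user] = env
        self.log.append(f"isolate {task.executable} as {env.secondary_user}")
        return {"isolated": True, "run_as": env.secondary_user, "env": env}

    def file_access(self, secondary_user: str, requested: str) -> Optional[PurePosixPath]:
        """Handle a file access request from an isolated process."""
        return redirect_path(self.environments[secondary_user], requested)


if __name__ == "__main__":
    agent = IsolationAgent()
    result = agent.intercept(Task("viewer", "/tmp/dl/report.pdf", "internet", "alice"))
    print(result["run_as"])
    print(agent.file_access(result["run_as"], "/home/alice_isolated1/Documents/notes/a.txt"))
    print(agent.file_access(result["run_as"], "/home/alice_isolated1/Documents/../.bashrc"))
```

The lexical normalisation before the containment check is the part that matters for safety: a redirection that simply concatenated the requested path onto the primary folder would let a process in the secondary account reach files of the primary account that were never mapped.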
Specification