SYSTEM AND METHOD FOR LOCAL PROTECTION AGAINST MALICIOUS SOFTWARE

US 20150180884A1
Filed: 12/26/2014
Published: 06/25/2015
Est. Priority Date: 07/28/2010
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory machine readable media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:

intercepting, on a computing device, an application programming interface (API) associated with a network access attempt;

determining a process mapped to the API;

determining a plurality of software program files mapped to the process;

determining a trust status of each software program file of the plurality of software program files;

determining whether the network access attempt is permitted based, at least in part, on a first criterion, wherein the first criterion includes a trust status of each software program file of the plurality of software program files; and

performing an action if the network access attempt is not permitted.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes intercepting a network access attempt on a computing device and determining a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether the network access attempt is permitted and blocking the network access attempt if it is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the trust status is defined as trusted if the software program file is included in a whitelist of trustworthy program files and untrusted if the software program file is not included in a whitelist. In more specific embodiments, the method includes blocking the network access attempt if the software program file has an untrusted status. In further embodiments, an event is logged if the software program file associated with the network access attempt has an untrusted status.

39 Citations

View as Search Results

20 Claims

1. One or more non-transitory machine readable media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- intercepting, on a computing device, an application programming interface (API) associated with a network access attempt;
  
  determining a process mapped to the API;
  
  determining a plurality of software program files mapped to the process;
  
  determining a trust status of each software program file of the plurality of software program files;
  
  determining whether the network access attempt is permitted based, at least in part, on a first criterion, wherein the first criterion includes a trust status of each software program file of the plurality of software program files; and
  
  performing an action if the network access attempt is not permitted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The one or more non-transitory machine readable media of claim 1, wherein the network access attempt is determined not to be permitted if the trust status of any one of the software program files of the plurality of software program files is defined as untrusted.
  - 3. The one or more non-transitory machine readable media of claim 2, wherein the trust status of a particular software program file of the plurality of software program files is defined as untrusted if the particular software program file is not identified in a whitelist.
  - 4. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising:
    - searching a local cache, identifying trusted software program files, to determine the trust statuses of the plurality of software program files;
      
      querying a central server for the trust statuses of each software program file not identified by the local cache; and
      
      updating the local cache with identifications of any software program files determined to be trusted by the central server.
  - 5. The one or more non-transitory machine readable media of claim 1, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
  - 6. The one or more non-transitory machine readable media of claim 1, wherein at least one network hook, loaded into the process, is to intercept the API.
  - 7. The one or more non-transitory machine readable media of claim 1, wherein the network access attempt is one of an outbound network access attempt from the process or an inbound network access attempt to the process.
  - 8. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising:
    - using an operating system application programming interface to determine the plurality of software program files mapped to the process.
  - 9. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising:
    - evaluating a second criterion to determine whether the second criterion overrides the first criterion when the software program file is determined to be untrusted, wherein the second criterion includes a network access policy for one or more software program files having a trust status defined as untrusted.
  - 10. The one or more non-transitory machine readable media of claim 9, wherein the network access attempt is permitted if the network access attempt includes a destination address within a set of allowed destination addresses indicated by the network access policy.
  - 11. The one or more non-transitory machine readable media of claim 1, wherein the performing the action includes logging information related to the network access attempt if the trust status of at least one of the plurality of software program files is determined to be untrusted.

12. An apparatus, comprising:
- a protection module; and
  
  one or more processors operable to execute instructions associated with the protection module, to cause the one or more processors to;
  
  intercept, on a computing device, an application programming interface (API) associated with a network access attempt;
  
  determine a process mapped to the API;
  
  determine a plurality of software program files mapped to the process;
  
  determine a trust status of each software program file of the plurality of software program files;
  
  determine whether the network access attempt is permitted based, at least in part, on a first criterion, wherein the first criterion includes a trust status of each software program file of the plurality of software program files; and
  
  perform an action if the network access attempt is not permitted.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
  - 14. The apparatus of claim 12, wherein at least one network hook, loaded into the process, is to intercept the API.
  - 15. The apparatus of claim 12, the one or more processors being operable to execute further instructions associated with the protection module, to cause the one or more processors to:
    - use an operating system application programming interface to determine the plurality of software program files mapped to the process.
  - 16. The apparatus of claim 12, wherein the performing the action includes logging information related to the network access attempt if the trust status of at least one of the plurality of software program files is determined to be untrusted.

17. A method comprising:
- intercepting, on a computing device, an application programming interface (API) associated with a network access attempt;
  
  determining a process mapped to the API;
  
  determining a plurality of software program files mapped to the process;
  
  determining a trust status of each software program file of the plurality of software program files;
  
  determining whether the network access attempt is permitted based, at least in part, on a first criterion, wherein the first criterion includes a trust status of each software program file of the plurality of software program files; and
  
  performing an action if the network access attempt is not permitted.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
  - 19. The method of claim 17, wherein at least one network hook, loaded into the process, is to intercept the API.
  - 20. The method of claim 17, further comprising:
    - using an operating system application programming interface to determine the plurality of software program files mapped to the process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bhargava, Rishi, Reese, David P. Jr.

Granted Patent

US 9,467,470 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

SYSTEM AND METHOD FOR LOCAL PROTECTION AGAINST MALICIOUS SOFTWARE

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR LOCAL PROTECTION AGAINST MALICIOUS SOFTWARE

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links