USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS

US 20150312267A1
Filed: 04/28/2014
Published: 10/29/2015
Est. Priority Date: 04/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of using reputation to avoid false malware detections on an endpoint comprising:

detecting a process executing from a file on the endpoint;

evaluating a local reputation of the file at the endpoint using one or more local criteria on the endpoint;

evaluating a global reputation of the file by requesting an evaluation of the file or the process from a remote threat management facility;

receiving a notification from a gateway between the endpoint and a data network that network traffic from the endpoint includes a violation of a network policy for the endpoint; and

responding to the notification by conditionally treating the endpoint as a compromised network asset only when the local reputation is low and the global reputation is low or unknown.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

Citations

20 Claims

1. A method of using reputation to avoid false malware detections on an endpoint comprising:
- detecting a process executing from a file on the endpoint;
  
  evaluating a local reputation of the file at the endpoint using one or more local criteria on the endpoint;
  
  evaluating a global reputation of the file by requesting an evaluation of the file or the process from a remote threat management facility;
  
  receiving a notification from a gateway between the endpoint and a data network that network traffic from the endpoint includes a violation of a network policy for the endpoint; and
  
  responding to the notification by conditionally treating the endpoint as a compromised network asset only when the local reputation is low and the global reputation is low or unknown.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein evaluating a local reputation includes using locally available attributes applied by a local whitelisting system.
  - 3. The method of claim 1 wherein evaluating a local reputation includes locally evaluating a source of the file.
  - 4. The method of claim 1 wherein evaluating the local reputation includes evaluating one or more of a user associated with the process, a certificate associated with a source of the file, a certificate associated with an installer for the file, a logical location of a source of the file, and a physical location of a source of the file.
  - 5. The method of claim 1 wherein evaluating the local reputation includes evaluating a reputation of an environment including the endpoint.
  - 6. The method of claim 1 wherein the violation includes a prohibited Uniform Resource Identifier in the destination.
  - 7. The method of claim 1 wherein the violation includes a prohibited domain in the destination.
  - 8. The method of claim 1 wherein the violation includes a command and control location for an advanced persistent threat in the destination.
  - 9. The method of claim 1 wherein the violation includes prohibited content in the request.
  - 10. The method of claim 9 wherein the prohibited content includes command and control protocol traffic for an advanced persistent threat.
  - 11. The method of claim 1 wherein treating the endpoint as a compromised network asset includes quarantining the endpoint.
  - 12. The method of claim 1 wherein treating the endpoint as a compromised network asset includes blocking network access for the network.
  - 13. The method of claim 1 further comprising locating one or more other endpoints containing the file or the process.
  - 14. The method of claim 13 further comprising quarantining the one or more other endpoints.
  - 15. The method of claim 13 further comprising removing the file or the process from the one or more other endpoints.
  - 16. The method of claim 13 further comprising blocking network traffic for the one or more other endpoints.
  - 17. The method of claim 1 wherein evaluating the local reputation further includes evaluating a reputation of a data file used by the process.
  - 18. The method of claim 17 wherein evaluating the reputation of the data file includes one or more of evaluating a reputation of an origin of the data file, evaluating a reputation of an environment for the data file, evaluating a reputation of a user that created the data file, and evaluating a reputation of the process that is using the data file.

19. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- detecting a process executing from a file on an endpoint;
  
  evaluating a local reputation of the file at the endpoint using one or more local criteria on the endpoint;
  
  evaluating a global reputation of the file by requesting an evaluation of the file or the process from a remote threat management facility;
  
  receiving a notification from a gateway between the endpoint and a data network that network traffic from the endpoint includes a violation of a network policy for the endpoint; and
  
  responding to the notification by conditionally treating the endpoint as a compromised network asset only when the local reputation is low and the global reputation is low or unknown.

20. A system comprising:
- an endpoint associated with an enterprise, the endpoint executing a process from a file, and the endpoint configured to evaluate a local reputation of the file using one or more local criteria;
  
  a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request an evaluation of a global reputation of the file from a remote resource, the gateway further configured to detect network traffic from the endpoint in violation of a network policy of the enterprise and provide a corresponding violation notification to the remote resource; and
  
  a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway, the threat management facility configured to receive the request from the gateway determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and the violation notification from the gateway and to determine a remedial action for the endpoint based upon the local reputation, the global reputation, and the violation notification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Thomas, Andrew J.

Granted Patent

US 10,122,753 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links