USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS
Abstract
A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
Claims (20)
1. A method of using reputation to avoid false malware detections on an endpoint comprising:
- detecting a process executing from a file on the endpoint;
- evaluating a local reputation of the file at the endpoint using one or more local criteria on the endpoint;
- evaluating a global reputation of the file by requesting an evaluation of the file or the process from a remote threat management facility;
- receiving a notification from a gateway between the endpoint and a data network that network traffic from the endpoint includes a violation of a network policy for the endpoint; and
- responding to the notification by conditionally treating the endpoint as a compromised network asset only when the local reputation is low and the global reputation is low or unknown.

(Dependent claims 2 to 18 are not reproduced on this page.)
19. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- detecting a process executing from a file on an endpoint;
- evaluating a local reputation of the file at the endpoint using one or more local criteria on the endpoint;
- evaluating a global reputation of the file by requesting an evaluation of the file or the process from a remote threat management facility;
- receiving a notification from a gateway between the endpoint and a data network that network traffic from the endpoint includes a violation of a network policy for the endpoint; and
- responding to the notification by conditionally treating the endpoint as a compromised network asset only when the local reputation is low and the global reputation is low or unknown.
20. A system comprising:
- an endpoint associated with an enterprise, the endpoint executing a process from a file, and the endpoint configured to evaluate a local reputation of the file using one or more local criteria;
- a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request an evaluation of a global reputation of the file from a remote resource, the gateway further configured to detect network traffic from the endpoint in violation of a network policy of the enterprise and to provide a corresponding violation notification to the remote resource; and
- a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway, the threat management facility configured to receive the request from the gateway and determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and the violation notification from the gateway and to determine a remedial action for the endpoint based upon the local reputation, the global reputation, and the violation notification.
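The decision rule of claim 1, worked through end to end as an added Python example (this is not code from the patent or its assignee): a gateway violation notification is matched against the endpoint's own connection log to find the sourcing process, the file's local and global reputations are evaluated, and the endpoint is treated as compromised only when the local reputation is low and the global reputation is low or unknown. The connection log, the local criteria, the reputation table standing in for the remote threat management facility, and the notification fields are all constructed for the example.

```python
# Constructed endpoint connection log: the endpoint's internal record of which
# local process owns which flow, keyed by the tuple the gateway can observe.
ENDPOINT_CONN_LOG = [
    {"pid": 4120, "path": "C:/Users/alice/AppData/Local/Temp/upd.exe",
     "sha256": "hash-a", "lport": 49822, "raddr": "203.0.113.7", "rport": 443},
    {"pid": 812, "path": "C:/Program Files/Mail/mail.exe",
     "sha256": "hash-b", "lport": 49830, "raddr": "198.51.100.20", "rport": 993},
]
# Constructed local criteria (facts the endpoint can establish by itself).
LOCAL_FACTS = {
    "C:/Users/alice/AppData/Local/Temp/upd.exe": {"signed": False, "age_days": 0, "system_dir": False},
    "C:/Program Files/Mail/mail.exe": {"signed": True, "age_days": 400, "system_dir": True},
}
# Constructed stand-in for the remote threat management facility's answer;
# a hash it has never seen yields "unknown".
GLOBAL_REPUTATION = {"hash-b": "high"}

def local_reputation(path):
    """Rate the file from local criteria only: 'low', 'medium' or 'high'."""
    facts = LOCAL_FACTS.get(path)
    if facts is None:
        return "low"
    score = sum([facts["signed"], facts["age_days"] >= 30, facts["system_dir"]])
    return {0: "low", 1: "low", 2: "medium", 3: "high"}[score]

def global_reputation(sha256):
    """Query the (constructed) remote facility; absence is 'unknown', not 'low'."""
    return GLOBAL_REPUTATION.get(sha256, "unknown")

def source_process(notification):
    """Use the endpoint's internal log to identify the process sourcing the flow."""
    key = (notification["sport"], notification["dst"], notification["dport"])
    for entry in ENDPOINT_CONN_LOG:
        if (entry["lport"], entry["raddr"], entry["rport"]) == key:
            return entry
    return None

def handle_violation(notification):
    """Apply claim 1: compromised only if local is low AND global is low/unknown."""
    proc = source_process(notification)
    if proc is None:
        return {"verdict": "unattributed", "pid": None}
    local = local_reputation(proc["path"])
    glob = global_reputation(proc["sha256"])
    compromised = local == "low" and glob in ("low", "unknown")
    return {"verdict": "compromised" if compromised else "policy_violation_only",
            "pid": proc["pid"], "local": local, "global": glob}
```

A violation sourced by a well-known signed program is still recorded, but it does not by itself mark the endpoint as compromised; that is the false-positive reduction the claim describes.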
Specification