SYSTEMS AND METHODS FOR USING ATTRIBUTE DATA FOR SYSTEM PROTECTION AND SECURITY AWARENESS TRAINING
First Claim
1. A method for creating attribute data for a file of an application, the method comprising:
(a) registering, by a service executing on a device, a driver into an operating system of the device to monitor processes, the driver configured to receive notifications from the operating system of processes started or terminated on the device;
(b) executing an attribute data writer on the device, the attribute data writer in communication with the driver to receive notifications from the driver of processes started on the device;
(c) receiving, by the attribute data writer, a process id from the driver for a process of an application detected by the driver as starting on the device;
(d) injecting, by an injector program launched by the attribute data writer, an attribute data writer library into the process of the application corresponding to the process id;
(e) classifying, by the attribute data writer library, the application into a class of a plurality of classes; and
(f) causing, by the attribute data writer library, the application to create attribute data corresponding to the class responsive to a file being one of created or opened by the application.
Abstract
The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.
20 Claims
5. The method of claim 5, further comprising determining, by the attribute data writer responsive to the file being in the list of applications to be monitored, a type of architecture of the application.

6. The method of claim 6, wherein (d) further comprises launching, by the attribute data writer, a version of the injector program corresponding to the type of architecture.

12. A method for alerting of access to a file based on attribute data, the method comprising:
(a) intercepting, by a document filter injected into an application executing on a client device, a call of the application to open a file;
(b) identifying, by the document filter, using a name of the file, an attribute data file of the file;
(c) accessing, by the document filter, a set of attribute data and corresponding values from the attribute data file;
(d) identifying, by the document filter, one or more rules to be applied to the set of attribute data to determine whether or not to open the file;
(e) applying, by the document filter, the one or more rules to values of the set of attribute data;
(f) determining, responsive to the application of the one or more rules, not to open the file; and
(g) displaying a prompt, identifying one or more reasons for not opening the file.

17. A method for alerting of a launch of a suspicious application, the method comprising:
(a) resolving, by a process filter service executing on a client device, name of an executable file of the application based on a process id of a launched application;
(b) identifying, by the process filter service using a name of the file, an attribute data file of the application;
(c) accessing, by the process filter service, a set of attribute data and corresponding values from the attribute data file;
(d) identifying, by the process filter service, one or more rules to be applied to the set of attribute data to determine whether or not the launched application is suspicious;
(e) applying, by the process filter service, the one or more rules to values of the set of attribute data;
(f) determining, responsive to the application of the one or more rules, that the launched application is suspicious; and
(g) displaying a prompt, responsive to the determination, identifying that the launched application is suspicious.
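
Steps (b) through (f) shared by claims 12 and 17, sketched as an added example that is not taken from the patent or from any product implementing it. The sidecar naming (`<file name>.attr.json`), the JSON encoding, the attribute names `origin`, `sender_trusted` and `country`, the two rules, and the handling of missing or corrupt attribute data are all assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

BLOCKED_COUNTRIES = {"XX"}  # constructed placeholder country code
# Step (d): rules as (reason, predicate). Attribute names are assumptions.
RULES = [
    ("attachment from an untrusted email",
     lambda a: a.get("origin") == "email" and not a.get("sender_trusted", False)),
    ("downloaded from a blocked geographic location",
     lambda a: a.get("origin") == "download" and a.get("country") in BLOCKED_COUNTRIES),
]

def attribute_file_for(path: Path) -> Path:
    """Step (b): derive the attribute data file from the file name (assumed sidecar)."""
    return path.with_name(path.name + ".attr.json")

def load_attributes(path: Path):
    """Step (c): attribute dict, {} if no attribute data file exists, None if unreadable."""
    try:
        data = json.loads(attribute_file_for(path).read_text(encoding="utf-8"))
    except FileNotFoundError:
        return {}
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None

def evaluate(path: Path):
    """Steps (e)-(f): apply every rule; return (open_allowed, reasons for the prompt)."""
    attrs = load_attributes(path)
    if attrs is None:  # assumption: corrupt attribute data is itself a reason to prompt
        return False, ["attribute data unreadable"]
    reasons = [reason for reason, matches in RULES if matches(attrs)]
    return not reasons, reasons

def demo():  # constructed samples -> {name: (open_allowed, reasons)}
    samples = {
        "invoice.docx": '{"origin": "email", "sender_trusted": false}',
        "setup.exe": '{"origin": "download", "country": "XX"}',
        "notes.txt": '{"origin": "local"}',
        "broken.pdf": '{not json',
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, sidecar_text in samples.items():
            target = Path(tmp) / name
            attribute_file_for(target).write_text(sidecar_text, encoding="utf-8")
            results[name] = evaluate(target)
    return results
```

In this sketch a file with no attribute data file passes every rule, so removing the sidecar defeats the check unless the default is tightened.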
Specification