USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS
First Claim
1. A system comprising:
- an endpoint associated with an enterprise, the endpoint including a computing device comprising a memory and a processor, the endpoint executing a process from a file, and the endpoint configured to evaluate a local reputation of the file based at least in part on a certificate associated with a source of the file;
- a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request a global reputation of the file from a remote resource, the gateway further configured to enforce a network policy of the enterprise by detecting network traffic from the endpoint in violation of the network policy and providing a violation notification to the remote resource in response to the network traffic; and
- a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway and the endpoint, the threat management facility configured to receive the request from the gateway and to determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and, in response to receipt of the violation notification, to respond by determining a remedial action for the file on the endpoint based upon the local reputation, the global reputation, and the violation notification from the gateway in response to the network traffic from the endpoint in violation of the network policy.
Abstract
A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
20 Claims
19. A network comprising:
- an endpoint associated with an enterprise, the endpoint including a computing device comprising a memory and a processor, the endpoint executing a process from a file, the process, during execution, opening a data file for manipulation, and the endpoint configured to evaluate a local reputation of the file based at least in part on a certificate associated with a source of the file and to evaluate the local reputation of the file further based on evaluating one or more of an origin of the data file, evaluating a reputation of an environment for the data file, evaluating a reputation of a user that created the data file, and evaluating a reputation of the process using the data file;
- a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request a global reputation of the file from a remote resource, the gateway further configured to enforce a network policy of the enterprise by detecting network traffic from the endpoint in violation of the network policy and providing a violation notification to the remote resource in response to the network traffic; and
- a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway and the endpoint, the threat management facility configured to receive the request from the gateway and to determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and, in response to receipt of the violation notification, to respond by directing the endpoint to take a remedial action for the file based upon the local reputation, the global reputation, and the violation notification from the gateway in response to the network traffic from the endpoint in violation of the network policy.
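The claims above describe three cooperating parties: an endpoint that derives a local reputation from the certificate on a file, a gateway that enforces network policy and reports violations, and a threat management facility that combines the local reputation, a global reputation and the violation notification into a remedial action. The following Python model is an added illustration written for this page; it is not code from the patent or its assignee. The trust list, global feed, blocked ports, class names and the particular decision table are all constructed assumptions chosen to show the "avoid false detections" idea: a policy violation by a file that both the certificate check and the global feed vouch for is treated as something to watch, not something to quarantine.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Reputation(Enum):
    TRUSTED = "trusted"
    UNKNOWN = "unknown"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"


class Action(Enum):
    ALLOW = "allow"
    MONITOR = "monitor"            # keep running, collect more telemetry
    ISOLATE_PROCESS = "isolate"    # cut the process's network access
    QUARANTINE_FILE = "quarantine"


@dataclass(frozen=True)
class FileInfo:
    sha256: str
    signer: Optional[str]        # subject of the code-signing certificate, if signed
    signature_valid: bool


@dataclass(frozen=True)
class Flow:
    pid: int
    sha256: str                  # hash of the file the sending process was started from
    dst_port: int


@dataclass(frozen=True)
class Violation:
    sha256: str
    rule: str


# Constructed sample data (assumptions, not real trust lists or feeds):
# the endpoint's certificate trust list, the remote global reputation feed
# and the enterprise egress policy the gateway enforces.
TRUSTED_SIGNERS = {"CN=Example Corp Code Signing"}
GLOBAL_FEED = {
    "sha256:1111": Reputation.TRUSTED,
    "sha256:2222": Reputation.MALICIOUS,
}
BLOCKED_PORTS = {23, 4444}


class Endpoint:
    """Local reputation derived from the certificate on the file (claim element 1)."""

    def local_reputation(self, f: FileInfo) -> Reputation:
        if f.signer is None:
            return Reputation.UNKNOWN        # unsigned: no certificate evidence either way
        if not f.signature_valid:
            return Reputation.SUSPICIOUS     # signed, but the signature does not verify
        if f.signer in TRUSTED_SIGNERS:
            return Reputation.TRUSTED
        return Reputation.UNKNOWN            # validly signed by an unfamiliar publisher


class Gateway:
    """Enforces the network policy and raises a violation notification (claim element 2)."""

    def inspect(self, flow: Flow) -> Optional[Violation]:
        if flow.dst_port in BLOCKED_PORTS:
            return Violation(flow.sha256, f"egress to port {flow.dst_port} denied by policy")
        return None


class ThreatManagementFacility:
    """Combines local reputation, global reputation and the violation (claim element 3)."""

    def global_reputation(self, sha256: str) -> Reputation:
        return GLOBAL_FEED.get(sha256, Reputation.UNKNOWN)

    def remedial_action(self, local: Reputation, global_: Reputation,
                        violation: Optional[Violation]) -> Action:
        if global_ is Reputation.MALICIOUS:
            return Action.QUARANTINE_FILE    # known bad: context cannot rescue it
        if violation is None:
            # No policy violation: only a broken signature warrants extra attention.
            return Action.MONITOR if local is Reputation.SUSPICIOUS else Action.ALLOW
        trusted_votes = sum(r is Reputation.TRUSTED for r in (local, global_))
        if trusted_votes == 2:
            return Action.MONITOR            # well-known file tripped policy: likely not malware
        if trusted_votes == 1:
            return Action.ISOLATE_PROCESS    # partial trust: contain, keep the file for analysis
        return Action.QUARANTINE_FILE        # unknown file plus a violation


def evaluate(f: FileInfo, flow: Flow) -> Action:
    """Run one observed flow through endpoint, gateway and facility; return the action."""
    endpoint, gateway, tmf = Endpoint(), Gateway(), ThreatManagementFacility()
    local = endpoint.local_reputation(f)
    global_ = tmf.global_reputation(f.sha256)   # the gateway's lookup, answered by the facility
    violation = gateway.inspect(flow)
    return tmf.remedial_action(local, global_, violation)


if __name__ == "__main__":
    signed = FileInfo("sha256:1111", "CN=Example Corp Code Signing", True)
    print(evaluate(signed, Flow(101, "sha256:1111", 4444)))   # Action.MONITOR
    unsigned = FileInfo("sha256:9999", None, True)
    print(evaluate(unsigned, Flow(102, "sha256:9999", 4444))) # Action.QUARANTINE_FILE
```

The decision table is the part a deployment would tune; the structural point is that the facility never sees a bare "blocked connection" event in isolation but always alongside the two reputations, so the same violation from a trusted, widely seen file and from an unsigned, never-seen file leads to different outcomes.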
Specification