System and method of enforcing executable code identity verification over the network
Abstract
A method and system for identity verification of executable code includes a central computer that is in communication with a computer network. The central computer includes a database that is adapted to store and analyze a plurality of executable code signatures, including signatures of malicious executable codes, legitimate executable codes, executable codes whose identity is being investigated, and executable codes that have not been received for an investigation. The client computer has monitoring software that is adapted to monitor potentially dangerous events, such as an attempt to send or receive data over the network, receiving an e-mail, creation of a new process and the like. Any executable code on the client's computer in the current system is assumed to be potentially dangerous unless its identity and intent have been determined. In operation, unique signatures that relate to potentially dangerous executable codes are received by the central computer. Upon receipt, the unique signatures are compared with the plurality of executable code signatures in the database. Any executable code whose signature is not already in the database is forwarded to the central computer for investigation. Once a determination is made regarding the status of the unique executable code (i.e., whether it is legitimate or malicious), the central computer transmits a command regarding the disposition of the respective executable code.
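The flow described in the abstract, sketched as an added example that is not code from the patent or its assignee. SHA-256 as the "unique signature", the command names (`ALLOW`, `BLOCK`, `HOLD`, `SEND_CODE`, `REJECT`), the class and function names, and the server-side re-hash of uploaded code are all assumptions made for illustration.

```python
import hashlib
from enum import Enum

class Status(Enum):                       # the four signature classes in the abstract
    LEGITIMATE = 1
    MALICIOUS = 2
    UNDER_INVESTIGATION = 3
    NOT_RECEIVED = 4                      # signature seen, code never uploaded

def signature(code: bytes) -> str:
    """Client side: unique signature of the executable (SHA-256 is assumed)."""
    return hashlib.sha256(code).hexdigest()

class CentralComputer:
    def __init__(self, known):
        self.db = dict(known)             # signature -> Status
        self.queue = {}                   # signature -> code awaiting investigation

    def check(self, sig):
        """Compare a received signature with the database; return a command."""
        status = self.db.get(sig)
        if status is Status.LEGITIMATE:
            return "ALLOW"
        if status is Status.MALICIOUS:
            return "BLOCK"
        if status is Status.UNDER_INVESTIGATION:
            return "HOLD"                 # dangerous until identity is determined
        self.db[sig] = Status.NOT_RECEIVED
        return "SEND_CODE"                # absent from database: request the code

    def receive_code(self, sig, code):
        if signature(code) != sig:        # assumed hardening: re-hash the upload
            return "REJECT"
        self.db[sig] = Status.UNDER_INVESTIGATION
        self.queue[sig] = code
        return "HOLD"

    def conclude(self, sig, verdict):
        """Investigation finished: record the determined status."""
        self.queue.pop(sig, None)
        self.db[sig] = verdict

def handle_event(server, code):
    """Monitoring application: an event fired for `code`; get the command."""
    sig = signature(code)
    cmd = server.check(sig)
    return server.receive_code(sig, code) if cmd == "SEND_CODE" else cmd

if __name__ == "__main__":
    good, new = b"constructed-legit-binary", b"constructed-unknown-binary"
    srv = CentralComputer({signature(good): Status.LEGITIMATE})
    print(handle_event(srv, good), handle_event(srv, new))
```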
41 Claims
1. A process for monitoring and analyzing executable computer code comprising the steps of:
providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through a computer network, said central computer having a database comprising a plurality of executable code identity signatures;
detecting an event on a client computer by said monitoring application;
identifying an executable code associated with an event;
creating a unique signature of a said executable code with said monitoring application on said client computer;
receiving in said central computer said unique signature;
comparing said unique signature with said plurality of executable code identity signatures in said database;
forwarding to said central computer for investigation said executable code when said unique signature is absent from plurality of executable code identity signatures;
investigating the identity and intent of said executable code if said executable code is unknown; and
transmitting from the said central computer to said client computer at least one item selected from the group consisting of;
a message and a command to the monitoring application on a said client computer to perform a respective action.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21

22. A process for monitoring and analyzing executable computer code comprising the steps of:
providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;
detecting an event on a client computer by said monitoring application;
identifying an executable code associated with an event;
creating a unique signature of a said executable code with said monitoring application on said client computer;
receiving in said central computer said unique signature;
comparing said unique signature with said plurality of executable code identity signatures in said database;
forwarding to said central computer for investigation said executable code when said unique signature is absent from plurality of executable code identity signatures;
transmitting from the said central computer to said client computer at least one item selected from the group consisting of;
a message, a command to the monitoring application on said client computer to perform a respective action, and usage history data of said client computer prior to the working session, wherein said usage history data is stored in a local database; and
storing within said database usage history data of said client computer, wherein said client computer receives from the central computer said usage history data prior to the working session and said usage history data is stored in a local database.
Dependent claims: 23, 24, 25, 26, 27, 28

29. A process for monitoring and analyzing executable computer code comprising the steps of:
providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;
detecting an event on a client computer by said monitoring application;
identifying both an executable code and a second executable code associated with an event;
creating a unique signature of at least one of said executable code and said second executable code with said monitoring application on said client computer;
receiving in said central computer said unique signature;
comparing said unique signature with said plurality of executable code identity signatures in said database;
forwarding to said central computer for investigation at least one of said executable code and said second executable code when said unique signature is absent from plurality of executable code identity signatures; and
transmitting from the said central computer to said client computer at least one item selected from the group consisting of;
a message and a command to the monitoring application on a said client computer to perform a respective action;
wherein a second executable code is active in said event; and
wherein said executable code and second executable code are simultaneously identified.
30. A process for monitoring and analyzing computer executable code comprising the steps of:
providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;
detecting an event on a client computer by said monitoring application;
identifying an executable code associated with an event;
creating a unique signature of a said executable code with said monitoring application on said client computer;
receiving in said central computer a unique signature associated with an executable code;
comparing said unique signature with said plurality of executable code signatures in said database;
matching said unique signature to a malicious executable computer file signature from said plurality of file signatures; and
transmitting a message and command to monitoring application regarding said executable code.
Dependent claims: 31, 32, 33, 34, 35, 36

37. A process for monitoring and analyzing an executable code comprising the steps of:
providing a client computer having an event monitoring application in a working session, said client computer accessing a central computer through the computer network, said central computer having a database comprising a plurality of executable code identity signatures;
providing a client computer in communication with said central computer through said computer network;
detecting an event on a client computer by said monitoring application;
identifying an executable code associated with an event;
creating a unique signature of a said executable code with said monitoring application on said client computer;
receiving in said server a unique signature transmitted from said client computer;
investigating said unique signature to determine if it is related to a malicious executable computer code; and
transmitting from said central computer a message and a respective command concerning said unique signature to said client computer.
Dependent claims: 38, 39, 40, 41

Specification