Managing malware protection upon a computer network

US 7,269,851 B2
Filed: 01/07/2002
Issued: 09/11/2007
Est. Priority Date: 01/07/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A program stored on a computer-readable medium for controlling a managing computer to manage malware protection within a computer network containing a plurality of network connected computers, said computer program product comprising:

receiving code for receiving at said managing computer a plurality of log data messages identifying detection of malware by respective ones of said plurality of network connected computers;

detecting code for detecting from said plurality of log data messages received by said managing computer a pattern and a network-wide threshold of malware detection across said plurality of network connected computers matching at least one predetermined trigger, the network-wide threshold being applied to a sum of detections, the detections each being associated with a different one of the network connected computers;

wherein said plurality of network connected computers each have a malware scanner for scanning computer files to detect malware within said computer files;

action performing code, responsive to detection of one of said at least one predetermined trigger to perform at least one predetermined anti-malware action;

wherein predefined network-wide thresholds and patterns are provided as templates; and

wherein the predefined network-wide thresholds and patterns are customized based on a network being protected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A managing computer within a computer network serves to log messages received from individual computers within that computer network indicating detection of malware. The managing computer detects patterns of malware detection across the network as a whole a triggers associated predetermined anti-malware actions. These may include forcing specific computers to update their malware definition data, forcing particular computers to change their security settings and isolating individual portions of the computer network.

123 Citations

29 Claims

1. A program stored on a computer-readable medium for controlling a managing computer to manage malware protection within a computer network containing a plurality of network connected computers, said computer program product comprising:
- receiving code for receiving at said managing computer a plurality of log data messages identifying detection of malware by respective ones of said plurality of network connected computers;
  
  detecting code for detecting from said plurality of log data messages received by said managing computer a pattern and a network-wide threshold of malware detection across said plurality of network connected computers matching at least one predetermined trigger, the network-wide threshold being applied to a sum of detections, the detections each being associated with a different one of the network connected computers;
  
  wherein said plurality of network connected computers each have a malware scanner for scanning computer files to detect malware within said computer files;
  
  action performing code, responsive to detection of one of said at least one predetermined trigger to perform at least one predetermined anti-malware action;
  
  wherein predefined network-wide thresholds and patterns are provided as templates; and
  
  wherein the predefined network-wide thresholds and patterns are customized based on a network being protected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A program stored on a computer-readable medium as claimed in claim 1, wherein said malware scanner includes malware definition data for identifying malware to be detected.
  - 3. A program stored on a computer-readable medium as claimed in claim 2, wherein said at least one predetermined anti-malware action includes forcing an update of malware definition data being used by one or more of said plurality of network connected computers.
  - 4. A program stored on a computer-readable medium as claimed in claim 1, wherein said at least one predetermined anti-malware action includes altering at least one scanner setting of at least one of said malware scanners such that said at least one of said malware scanners performs more thorough malware scanning.
  - 5. A program stored on a computer-readable medium as claimed in claim 1, wheren said at least one predetermined anti-malware action includes isolating at least one of said network connected computers from other parts of said computer network.
  - 6. A program stored on a computer-readable medium as claimed in claim 1, wherein said managing computer stores said plurality of log data messages within a database.
  - 7. A program stored on a computer-readable medium as claimed in claim 6, wherein said detecting code is operable to query said database.
  - 8. A program stored on a computer-readable medium as claimed in claim 6, wherein said database includes data identifying at least one of:
    - malware protection mechanisms used by respective network connected computers;
      
      versions of malware protection computer programs used by respective network connected computers;
      
      versions of malware definition data used by respective network connected computers; and
      
      security settings of malware protection mechanisms used by respective network connected computers.
  - 9. A program stored on a computer-readable medium as claimed in claim 1, wherein said at least one predetermined anti-malware action is targeted to a particular threat so as to reduce network traffic.
  - 10. A program stored on a computer-readable medium as claimed in claim 1, wherein a plurality of said network connected computers associated with said detections utilize outdated malware definition data.
  - 11. A program stored on a computer-readable medium as claimed in claim 10, wherein said at least one predetermined anti-malware action includes updating only said network connected computers that utilize said outdated malware definition data.
  - 12. A program stored on a computer-readable medium as claimed in claim 1, wherein plurality of said network connected computers associated with said detections are connected to a particular server.
  - 13. A program stored on a computer-readable medium as claimed in claim 12, wherein said at least one predetermined anti-malware action includes isolating only said particular server and said network connected computers connected thereto.

14. A method of managing malware protection within a computer network containing a plurality of network connected computers, said method comprising the steps of:
- receiving at a managing computer a plurality of log data messages identifying detection of malware by respective ones of said plurality of network connected computers;
  
  detecting from said plurality of log data messages received by said managing computer a pattern and a network-wide threshold of malware detection across said plurality of network connected computers matching at least one predetermined trigger, the network-wide threshold being applied to a sum of detections, the detections each being associated with a different one of the network connected computers;
  
  wherein said plurality of network connected computers each have a malware scanner that serves to scan computer files to detect malware within said computer files;
  
  in response to detection of said at least one predetermined trigger, performing at least one predetermined anti-malware action;
  
  wherein predefined network-wide thresholds and patterns are provided as templates; and
  
  wherein the predefined network-wide thresholds and patterns are customized based on a network being protected.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. A method as claimed in claim 14, wherein said malware scanner uses malware definition data to identify malware to be detected.
  - 16. A method as claimed in claim 15, wherein said at least one predetermined anti-malware action includes forcing an update of malware definition data being used by at least one of said plurality of network connected computers.
  - 17. A method as claimed in claim 14, wherein said at least one predetermined anti-malware action includes altering at least one scanner setting of at least one malware scanner such that said malware scanner performs more thorough malware scanning.
  - 18. A method as claimed in claim 14, wherein said at least one predetermined anti-malware action includes isolating at least one of said network connected computers from other parts of said computer network.
  - 19. A method as claimed in claim 14, wherein said managing computer stores said plurality of log data messages within a database.
  - 20. A method as claimed in claim 19, wherein said detecting step includes querying said database.
  - 21. A method as claimed in claim 19, wherein said database includes data identifying at least one of:
    - malware protection mechanisms used by respective network connected computers;
      
      versions of malware protection computer programs used by respective network connected computers;
      
      versions of malware definition data used by respective network connected computers; and
      
      security settings of malware protection mechanisms used by respective network connected computers.

22. Apparatus for managing malware protection within a computer network said computer network said computer network containing a plurality of network connected computers, said apparatus comprising:
- receiving logic for receiving at a managing computer a plurality of log data messages identifying detection of malware by respective ones of said plurality of network connected computers;
  
  detecting logic for detecting from said plurality of log data messages received by said managing computer a pattern and a network-wide threshold of malware detection across said plurality of network connected computers matching at least one predetermined trigger, the network-wide threshold being applied to a sum of detections, the detections each being associated with a different one of the network connected computers;
  
  wherein each of said plurality of network connected computers have a malware scanner that serves to scan computer files to detect malware within said computer files;
  
  action performing logic, in response to detection of at least one predetermined trigger, for performing at least one predetermined anti-malware action;
  
  wherein predefined network-wide thresholds and patters are provided as templates; and
  
  wherein the predefined network-wide thresholds and patterns are customized based on a network being protected.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. Apparatus as claimed in claim 22, wherein said malware includes malware definition data to identify malware to be detected.
  - 24. Apparatus as claimed in claim 23, wherein said at least one predetermined anti-malware action includes an update of malware definition data in at least one of said plurality of network connected computers.
  - 25. Apparatus as claimed in claim 22, wherein at least one predetermined anti-malware action includes altering at least one scanner setting of at least one malware scanner such that said malware scanner performs more thorough malware scanning.
  - 26. Apparatus as claimed in claim 22, wherein said at least one predetermined anti-malware action includes isolating at least one of said network connected computers from other parts of said computer network.
  - 27. Apparatus as claimed in claim 22, wherein said managing computer stores said plurality of log data messages within a database.
  - 28. Apparatus as claimed in claim 27, wherein said detecting logic is operable to query said database.
  - 29. Apparatus as claimed in claim 27, wherein said database includes data identifying at least one of:
    - malware protection mechanisms used by respective network connected computers;
      
      versions of malware protection computer programs used by respective network connected computers;
      
      versions of malware definition data used by respective network connected computers; and
      
      security settings of malware protection mechanisms used by respective network connected computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ackroyd, Robert John
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Shiferaw; Eleni A.

Application Number

US10/036,521
Publication Number

US 20030131256A1
Time in Patent Office

2,073 Days
Field of Search

713/201, 726/24, 726/22, 726/23, 726/25
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Managing malware protection upon a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

123 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Managing malware protection upon a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others