Execution environment file inventory

US 7,895,573 B1
Filed: 03/27/2006
Issued: 02/22/2011
Est. Priority Date: 03/27/2006
Status: Active Grant

First Claim

Patent Images

1. Container management and protection logic encoded in one or more tangible media for managing a system of containers accessible to a computer system by using an inventory of a plurality of protected containers in the system of containers, the plurality of protected containers being accessible to the computer system from at least one of a locally-accessible storage device, a remotely-accessible file storage system, or a storage repository, wherein each of the protected containers is executable in at least one of a plurality of execution environments characterizing the computer system, the container management and protection logic including code for execution and when executed by one or more processors is operable to perform operations, comprising:

generating the inventory of the plurality of protected containers, the inventory including a plurality of identifiers corresponding respectively to each of the plurality of protected containers, wherein each identifier includes information specific to accessing or locating the corresponding protected container, information uniquely representing the corresponding protected container, or a combination thereof, wherein the inventory is maintained by the container management and protection logic including an interception module, the inventory for use by the interception module;

dynamically intercepting, by the interception module, an operation request on the computer system for a targeted container, the operation request selected from a group consisting of a user-initiated request and a software process initiated request;

identifying the targeted container of the intercepted operation request;

analyzing the inventory of the plurality of protected containers to determine if an identifier corresponding to one of the plurality of protected containers matches that of the targeted container;

allowing the operation request if the operation request is a change request and if it is determined that none of the identifiers corresponding to the plurality of protected containers matches that of the targeted container; and

evaluating, if the operation request is allowed, whether an operation resulting from the operation request creates a new container that is executable in at least one of the plurality of execution environments characterizing the computer system, wherein if the new container is created then a new identifier corresponding to the new container is added to the inventory if the operation is authorized.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.

Citations

25 Claims

1. Container management and protection logic encoded in one or more tangible media for managing a system of containers accessible to a computer system by using an inventory of a plurality of protected containers in the system of containers, the plurality of protected containers being accessible to the computer system from at least one of a locally-accessible storage device, a remotely-accessible file storage system, or a storage repository, wherein each of the protected containers is executable in at least one of a plurality of execution environments characterizing the computer system, the container management and protection logic including code for execution and when executed by one or more processors is operable to perform operations, comprising:
- generating the inventory of the plurality of protected containers, the inventory including a plurality of identifiers corresponding respectively to each of the plurality of protected containers, wherein each identifier includes information specific to accessing or locating the corresponding protected container, information uniquely representing the corresponding protected container, or a combination thereof, wherein the inventory is maintained by the container management and protection logic including an interception module, the inventory for use by the interception module;
  
  dynamically intercepting, by the interception module, an operation request on the computer system for a targeted container, the operation request selected from a group consisting of a user-initiated request and a software process initiated request;
  
  identifying the targeted container of the intercepted operation request;
  
  analyzing the inventory of the plurality of protected containers to determine if an identifier corresponding to one of the plurality of protected containers matches that of the targeted container;
  
  allowing the operation request if the operation request is a change request and if it is determined that none of the identifiers corresponding to the plurality of protected containers matches that of the targeted container; and
  
  evaluating, if the operation request is allowed, whether an operation resulting from the operation request creates a new container that is executable in at least one of the plurality of execution environments characterizing the computer system, wherein if the new container is created then a new identifier corresponding to the new container is added to the inventory if the operation is authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein:
    - the attempted operation is an attempted change to the targeted container; and
      
      determining, if an identifier corresponding to one of the plurality of protected containers matches that of the targeted container, whether a change resulting from the attempted change is authorizedand, if it is determined that the change is authorized, allowing the change.
  - 3. The method of claim 2, wherein:
    - determining if the change is authorized includes considering an entity attempting to make the change.
  - 4. The method of claim 3, wherein:
    - if the entity attempting to make the change is an anytime updater, then it is determined that the change is authorized.
  - 5. The method of claim 3, wherein:
    - if the entity attempting to make the change is a sometime updater and the system is in an update mode with respect to the sometime updater, then it is determined that the change is authorized.
  - 6. The container management and protection logic of claim 1, wherein the software process initiated request includes an automatic software updater.
  - 7. The container management and protection logic of claim 1, wherein each execution environment is in the group comprising:
    - a native binary execution environment configured to execute native machine language instructions; and
      
      a set of non-native execution environments, each execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions.

8. A method of managing a system of containers accessible to a computer system by generating and using an inventory of a plurality of protected containers in the system of containers, the plurality of protected containers being accessible to the computer system from at least one of a locally-accessible storage device, a remotely-accessible file storage system, or a storage repository, wherein each of the protected containers is executable in at least one of a plurality of execution environments characterizing the computer system, the method comprising:
- evaluating each container in the system of containers to determine whether at least a portion of each container is executable in at least one of the plurality of execution environments characterizing the computer system;
  
  generating the inventory including a plurality of identifiers corresponding respectively to each of the plurality of protected containers, wherein each identifier includes information specific to accessing or locating the corresponding protected container, information uniquely representing the corresponding protected container, or a combination thereof, wherein the inventory is maintained by container management and protection software including an interception module, the inventory for use by the interception module;
  
  dynamically intercepting, by the interception module, an operation request on the computer system for a targeted container, the operation request selected from a group consisting of a user-initiated request and a software process initiated request;
  
  identifying the targeted container of the intercepted operation request;
  
  analyzing the inventory of the plurality of protected containers to determine if an identifier corresponding to one of the plurality of protected containers matches that of the targeted container;
  
  allowing the operation request if the operation request is a change request and if it is determined that none of the identifiers corresponding to the plurality of protected containers matches that of the targeted container; and
  
  evaluating, if the operation request is allowed, whether an operation resulting from the operation request creates a new container that is executable in at least one of the plurality of execution environments characterizing the computer system, wherein if the new container is created then a new identifier corresponding to the new container is added to the inventory if the operation is authorized.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein:
    - at least one of the containers in the system of containers is a file, and the evaluating each container in the system of containers includes evaluating substantially all contents of the file to determine whether the file is executable in at least one of the plurality of execution environments characterizing the computer system.
  - 10. The method of claim 8, wherein:
    - the evaluating each container in the system of containers includes evaluating only a portion of contents of a container to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system.
  - 11. The method of claim 8, wherein:
    - the evaluating each container in the system of containers includes evaluating a piece of metadata or an external reference associated with a container to determine whether the container is executable in at least one of the plurality of execution environments characterizing the computer system.
  - 12. The method of claim 8, wherein the software process initiated request includes an automatic software updater.
  - 13. The method of claim 8, wherein each execution environment is in the group comprising:
    - a native binary execution environment configured to execute native machine language instructions; and
      
      a set of non-native execution environments, each execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions.

14. A method of managing a system of containers accessible to a computer system by using an inventory of a plurality of protected containers in the system of containers, the plurality of protected containers being accessible to the computer system from at least one of a locally-accessible storage device, a remotely-accessible file storage system, or a storage repository, wherein each of the protected containers is executable in at least one of a plurality of execution environments characterizing the computer system, the method comprising:
- providing the inventory of the plurality of protected containers, the inventory including a plurality of identifiers corresponding respectively to each of the plurality of protected containers, wherein each identifier includes information specific to accessing or locating the contents of the corresponding protected container, information uniquely representing the corresponding protected container, or a combination thereof, wherein the inventory is maintained by container management and protection software including an interception module, the inventory for use by the interception module;
  
  dynamically intercepting, by the interception module, an operation request on the computer system for a targeted container, the operation request selected from a group consisting of a user-initiated request and a software process initiated request;
  
  identifying the targeted container of the intercepted operation request;
  
  analyzing the inventory of the plurality of protected containers to determine if an identifier corresponding to one of the plurality of protected containers matches that of the targeted container;
  
  allowing the operation request if the operation request is a change request and if it is determined that none of the identifiers corresponding to the plurality of protected containers matches that of the targeted container; and
  
  evaluating, if the operation request is allowed, whether an operation resulting from the operation request creates a new container that is executable in at least one of the plurality of execution environments characterizing the computer system, wherein if the new container is created then a new identifier corresponding to the new container is added to the inventory if the operation is authorized.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14, wherein:
    - the attempted operation is an attempted change to the targeted container; and
      
      determining, if an identifier corresponding to one of the plurality of protected containers matches that of the targeted container, whether a change resulting from the attempted change is authorized.
  - 16. The method of claim 15, wherein:
    - the determining whether a change resulting from the attempted change is authorized includes considering an entity attempting to make the change.
  - 17. The method of claim 16, wherein:
    - if the entity attempting to make the change is an anytime updater, then it is determined that the change is authorized.
  - 18. The method of claim 16, wherein:
    - if the entity attempting to make the change is a sometime updater and the system is in an update mode with respect to the sometime updater, then it is determined that the change is authorized.
  - 19. The method of claim 14, wherein:
    - the attempted operation is an attempt to execute the targeted container; and
      
      determining to log the attempt to execute the targeted container if it is determined that none of the identifiers corresponding to the plurality of protected containers matches that of the targeted container.
  - 20. The method of claim 14, wherein:
    - the attempted operation is an attempt to execute the targeted container; and
21. The method of claim 20, further comprising:
- determining to log the attempt to execute the targeted container if it is determined that none of the identifiers corresponding to the plurality of protected containers matches that of the targeted container.
22. The method of claim 14, wherein the inventory of the plurality of protected containers is aggregated with one or more inventories corresponding to a plurality of host computers to create an aggregate inventory of a plurality of protected containers executable in at least one execution environment of the plurality of host computers, and wherein the computer system is one of the plurality of host computers.
23. The method of claim 22, further comprising:
- analyzing the aggregate inventory to determine if a container of the plurality of protected containers of the aggregate inventory represents malware;
  
  identifying which inventory of the aggregate inventory indicates the container representing malware; and
  
  causing removal of the container representing malware from a host computer associated with the identified inventory that indicates the container.
24. The method of claim 14, wherein the software process initiated request includes an automatic software updater.
25. The method of claim 14, wherein each execution environment is in the group comprising:
- a native binary execution environment configured to execute native machine language instructions; and
  
  a set of non-native execution environments, each execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sebes, E. John, Bhargava, Rishi
Primary Examiner(s)
VU, TUAN A

Application Number

US11/277,596
Time in Patent Office

1,793 Days
Field of Search

717/106, 717/127, 717/135, 717/140, 717/170, 717/120, 709/223, 713187-188, 713/323, 726 22- 24, 705/22, 705/59
US Class Current

717/120
CPC Class Codes

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/2149   Restricted operating enviro...

Execution environment file inventory

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Execution environment file inventory

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links