File origin determination

US 7,937,758 B2
Filed: 01/23/2007
Issued: 05/03/2011
Est. Priority Date: 01/25/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining an origin of a file on a computer system comprising monitoring file origin events on the computer system;

selecting a file of interest, on the computer system, resulting from one of the file origin events;

identifying a first precursor file from a first record of a file origin table, wherein the file of interest emanates from the first precursor file as a result of the one of the file origin events;

adding the first precursor file to a file origin path list, wherein the file origin path list comprises a list of records of one or more precursor files that are a predecessor of the file of interest, wherein the list of records is a chain of records from the file of interest to an origin file;

substituting the first precursor file for the file of interest;

iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the previously identified file until the origin file with no further precursor file is identified;

generating a signature for each of the precursor files added to the file origin path list;

adding the signature for each precursor file to the file origin path list;

receiving a request to download a file, wherein the file originates from at least one precursor file in the file origin path list; and

determining whether to allow the file to download based on an analysis of the signature for the at least one precursor file in the file origin path list.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An origin of a file of interest on a computer system is determined by monitoring file origin events on the computer system. A file of interest resulting from one of the file origin events may then be selected for tracing. A precursor file from which the file of interest emanates as a result of one of the file origin events is then identified. By iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest, an origin file with no further precursor file may thus be identified. It is thus possible to trace back a given process or file of interest to a file container and/or location that initially introduced it into the computer system and any intermediate files or forms the process or file of interest may have assumed.

39 Citations

View as Search Results

30 Claims

1. A method for determining an origin of a file on a computer system comprising monitoring file origin events on the computer system;
- selecting a file of interest, on the computer system, resulting from one of the file origin events;
  
  identifying a first precursor file from a first record of a file origin table, wherein the file of interest emanates from the first precursor file as a result of the one of the file origin events;
  
  adding the first precursor file to a file origin path list, wherein the file origin path list comprises a list of records of one or more precursor files that are a predecessor of the file of interest, wherein the list of records is a chain of records from the file of interest to an origin file;
  
  substituting the first precursor file for the file of interest;
  
  iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the previously identified file until the origin file with no further precursor file is identified;
  
  generating a signature for each of the precursor files added to the file origin path list;
  
  adding the signature for each precursor file to the file origin path list;
  
  receiving a request to download a file, wherein the file originates from at least one precursor file in the file origin path list; and
  
  determining whether to allow the file to download based on an analysis of the signature for the at least one precursor file in the file origin path list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 further comprising recording the file origin events in a data structure.
  - 3. The method of claim 2 further comprising associating the precursor file and the file of interest with the one of the file origin events in the data structure.
  - 4. The method of claim 1 further comprising identifying an origin location of the file of interest.
  - 5. The method of claim 4 wherein the operation of identifying an origin location further comprises identifying a uniform resource locator associated with the origin location.
  - 6. The method of claim 4 further comprisingrecording the file origin events in a data structure;
    - associating the precursor file and the file of interest with the one of the file origin events in the data structure; and
      
      associating the origin location with the one of the file origin events in the data structure.
  - 7. The method of claim 4, wherein the origin location is located within a remote computer system accessible via a network and the iterative operation further comprises performing the identifying operation upon successive precursor files within the remote computer system.
  - 8. The method of claim 1, wherein either the precursor file, the origin file, or both comprises an external data source file.
  - 9. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a program source file.
  - 10. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a container file.
  - 11. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a copied file.
  - 12. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a renamed file.
  - 13. The method of claim 1, wherein either the precursor file, the origin file, or both comprises a transformed file.
  - 14. The method of claim 1 further comprisingdetermining whether the file of interest is a malware file;
    - compiling a list of origin files associated with any malware files; and
      
      preventing an occurrence of a file origin event associated with any origin file on the list.
  - 15. The method of claim 1 further comprisingdetermining whether the file of interest is a safe file;
    - compiling a list of origin files associated with any safe files; and
      
      allowing an occurrence of a file origin event associated with any origin file on the list.

16. A method for determining an origin of malware on a computer system comprising:
- monitoring file origin events on the computer system;
  
  selecting a malware file of interest on the computer system, resulting from the monitored file origin events;
  
  identifying a first precursor file from a first record of a file origin table, wherein the malware file emanates from the first precursor file as a result of the one of the file origin events;
  
  adding the first precursor file to a file origin path list, wherein the file origin path list comprises a list of records of one or more precursor files that are a predecessor of the malware file, wherein the list of records is a chain of records from the malware file to an origin file;
  
  substituting the first precursor file for the file of interest;
  
  iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the previously identified file until the origin file with no further precursor file is identified;
  
  generating a signature for each of the precursor files added to the file origin path list;
  
  adding the signature for each precursor file to the file origin path list;
  
  receiving a request to download a file, wherein the file originates from at least one precursor file in the file origin path list; and
  
  determining whether to allow the file to download based on an analysis of the signature for the at least one precursor file in the file origin path list.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The method of claim 16, wherein the identifying operation further comprisesmaintaining a database file of relationships between the malware file, the origin file, and the one or more of the file origin events.
  - 18. The method of claim 16 further comprising identifying an origin location of the malware file.
  - 19. The method of claim 16, wherein the origin file comprises an external data source file.
  - 20. The method of claim 16, wherein the origin file comprises a program source file.
  - 21. The method of claim 16, wherein the origin file comprises a container file.
  - 22. The method of claim 16, wherein the origin file comprises a copied file.
  - 23. The method of claim 16, wherein the origin file comprises a renamed file.
  - 24. The method of claim 16, wherein the origin file comprises a transformed file.
  - 25. The method of claim 16 wherein the detecting operation further comprises recognizing malicious behavior on the computer system caused by the malware file.
  - 26. The method of claim 16 further comprising creating a signature for the origin file.
  - 27. The method of claim 16 further comprising transmitting a signature to a central server via a network connected to the computer system.

28. A computer system for determining an origin of a file on a computer system comprising:
- a processor;
  
  a data storage device;
  
  a monitoring module stored within the data storage device and executed by the processor that monitors file origin events on the computer system and records the file origin events in a data structure within the data storage device; and
  
  an origin determination module stored within the data storage device and executed by the processor thatselects a file of interest resulting from one of the file origin events,identifies a first precursor file from a first record of a file origin table, wherein the file of interest emanates from the first precursor file as a result of the one of the file origin events,adds the first precursor file to a file origin path list, wherein the file origin path list comprises a list of records of one or more precursor files that are a predecessor of the file of interest, wherein the list of records is a chain of records from the file of interest to an origin file,substitutes the first precursor file for the file of interest,iteratively identifies successive precursor files substituted for the previously identified file until the origin file with no further precursor file, an origin location, or both are identified;
  
  generating a signature for each of the precursor files added to the file origin path list;
  
  adding the signature for each precursor file to the file origin path list;
  
  receiving a request to download a file, wherein the file originates from at least one precursor file in the file origin path list; and
  
  determining whether to allow the file to download based on an analysis of the signature for the at least one precursor file in the file origin path list.
- View Dependent Claims (29, 30)
- - 29. The computer system of claim 28, wherein when executed by the processor the origin determination module furtherassociates the precursor file and the file of interest with the one of the file origin events in the data structure;
    - andassociates the origin location with the one of the file origin events in the data structure.
  - 30. The computer system of claim 28 further comprising a network connection, whereinthe origin location is located within a remote computer system accessible by the computer system over a network via the network connection;
    - andorigin determination module further identifies the successive precursor files within the remote computer system to identify the origin file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Zahn, Derek, Kronenberg, Pierre-Michel
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Holder; Bradley

Application Number

US11/626,306
Publication Number

US 20070174911A1
Time in Patent Office

1,561 Days
Field of Search

726/22, 726/23, 726/24
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 2221/2101 Auditing as a secondary aspect

File origin determination

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

File origin determination

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links