File origin determination
First Claim
1. A method for determining an origin of a file on a computer system comprising:
monitoring file origin events on the computer system;
selecting a file of interest, on the computer system, resulting from one of the file origin events;
identifying a first precursor file from a first record of a file origin table, wherein the file of interest emanates from the first precursor file as a result of the one of the file origin events;
adding the first precursor file to a file origin path list, wherein the file origin path list comprises a list of records of one or more precursor files that are a predecessor of the file of interest, wherein the list of records is a chain of records from the file of interest to an origin file;
substituting the first precursor file for the file of interest;
iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the previously identified file until the origin file with no further precursor file is identified;
generating a signature for each of the precursor files added to the file origin path list;
adding the signature for each precursor file to the file origin path list;
receiving a request to download a file, wherein the file originates from at least one precursor file in the file origin path list; and
determining whether to allow the file to download based on an analysis of the signature for the at least one precursor file in the file origin path list.
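The claim above describes a concrete procedure: a file origin table of monitored events (child file, precursor file, event type), a trace that repeatedly substitutes the precursor for the file of interest until a file with no precursor is reached, a signature per precursor on the resulting path list, and a download decision based on those signatures. The following is an added illustration of that procedure and is not code from the patent or its assignee; the file paths, contents, event names and the SHA-256 signature are constructed assumptions, and the cycle guard and depth limit are defensive details the claim does not mention.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class OriginEvent:
    """One record of the file origin table: `child` emanated from `precursor`."""
    child: str
    precursor: str
    event: str  # constructed event names: "extract", "write", "copy"


# Constructed sample data (stand-ins for real bytes on disk and real monitored events).
FILE_CONTENTS = {
    "C:/Downloads/pkg.zip": b"PK\x03\x04 constructed archive bytes",
    "C:/Temp/installer.exe": b"MZ constructed installer bytes",
    "C:/Temp/dropper.dll": b"MZ constructed dropper bytes",
    "C:/Windows/Temp/payload.exe": b"MZ constructed payload bytes",
    "C:/Downloads/other.zip": b"PK\x03\x04 unrelated archive bytes",
}

ORIGIN_TABLE = [
    OriginEvent("C:/Temp/installer.exe", "C:/Downloads/pkg.zip", "extract"),
    OriginEvent("C:/Temp/dropper.dll", "C:/Temp/installer.exe", "write"),
    OriginEvent("C:/Windows/Temp/payload.exe", "C:/Temp/dropper.dll", "write"),
]


def signature(path, contents=FILE_CONTENTS):
    """Signature of a precursor file; SHA-256 of its contents is an assumption here."""
    return hashlib.sha256(contents[path]).hexdigest()


def trace_origin(file_of_interest, table=ORIGIN_TABLE, contents=FILE_CONTENTS, max_depth=256):
    """Build the file origin path list for `file_of_interest`.

    Returns [(precursor, event, signature), ...] ordered from the nearest precursor
    to the origin file. A file with no record in the table has no further
    precursor and is treated as the origin file.
    """
    by_child = {rec.child: rec for rec in table}
    path = []
    seen = {file_of_interest}
    current = file_of_interest
    for _ in range(max_depth):
        rec = by_child.get(current)
        if rec is None:
            return path  # no further precursor: `current` is the origin file
        if rec.precursor in seen:
            # A well-formed origin table is a chain; a loop means corrupted records.
            raise ValueError(f"cycle in file origin table at {rec.precursor}")
        seen.add(rec.precursor)
        path.append((rec.precursor, rec.event, signature(rec.precursor, contents)))
        current = rec.precursor  # substitute the precursor for the file of interest
    raise ValueError("origin chain exceeds max_depth")


def origin_file(path_list, file_of_interest):
    """The last precursor on the path list, or the file itself if it had none."""
    return path_list[-1][0] if path_list else file_of_interest


def allow_download(requested_contents, blocked_signatures):
    """Deny a download whose signature matches a precursor on a traced malware path."""
    return hashlib.sha256(requested_contents).hexdigest() not in blocked_signatures


if __name__ == "__main__":
    path = trace_origin("C:/Windows/Temp/payload.exe")
    for precursor, event, sig in path:
        print(f"{event:8} <- {precursor}  {sig[:12]}")
    print("origin file:", origin_file(path, "C:/Windows/Temp/payload.exe"))
    blocked = {sig for _, _, sig in path}
    print("re-download of pkg.zip allowed:",
          allow_download(FILE_CONTENTS["C:/Downloads/pkg.zip"], blocked))
```

Tracing `payload.exe` walks dropper.dll, installer.exe and pkg.zip and stops at pkg.zip because no monitored event produced it; the signatures collected on that path then feed the download decision, so a later request for a file whose signature matches pkg.zip is denied while an unrelated archive is allowed.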
Abstract
An origin of a file of interest on a computer system is determined by monitoring file origin events on the computer system. A file of interest resulting from one of the file origin events may then be selected for tracing. A precursor file from which the file of interest emanates as a result of one of the file origin events is then identified. By iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the file of interest, an origin file with no further precursor file may thus be identified. It is thus possible to trace back a given process or file of interest to a file container and/or location that initially introduced it into the computer system and any intermediate files or forms the process or file of interest may have assumed.
30 Claims
1. Independent method claim, set out in full above under First Claim. Dependent claims: 2 to 15.
16. A method for determining an origin of malware on a computer system comprising:
monitoring file origin events on the computer system;
selecting a malware file of interest on the computer system, resulting from the monitored file origin events;
identifying a first precursor file from a first record of a file origin table, wherein the malware file emanates from the first precursor file as a result of the one of the file origin events;
adding the first precursor file to a file origin path list, wherein the file origin path list comprises a list of records of one or more precursor files that are a predecessor of the malware file, wherein the list of records is a chain of records from the malware file to an origin file;
substituting the first precursor file for the file of interest;
iteratively performing the identifying operation upon successive precursor files substituted in the identifying operation for the previously identified file until the origin file with no further precursor file is identified;
generating a signature for each of the precursor files added to the file origin path list;
adding the signature for each precursor file to the file origin path list;
receiving a request to download a file, wherein the file originates from at least one precursor file in the file origin path list; and
determining whether to allow the file to download based on an analysis of the signature for the at least one precursor file in the file origin path list.
Dependent claims: 17 to 27.
28. A computer system for determining an origin of a file on a computer system comprising:
a processor;
a data storage device;
a monitoring module stored within the data storage device and executed by the processor that monitors file origin events on the computer system and records the file origin events in a data structure within the data storage device; and
an origin determination module stored within the data storage device and executed by the processor that selects a file of interest resulting from one of the file origin events, identifies a first precursor file from a first record of a file origin table, wherein the file of interest emanates from the first precursor file as a result of the one of the file origin events, adds the first precursor file to a file origin path list, wherein the file origin path list comprises a list of records of one or more precursor files that are a predecessor of the file of interest, wherein the list of records is a chain of records from the file of interest to an origin file, substitutes the first precursor file for the file of interest, iteratively identifies successive precursor files substituted for the previously identified file until the origin file with no further precursor file, an origin location, or both are identified;
generating a signature for each of the precursor files added to the file origin path list;
adding the signature for each precursor file to the file origin path list;
receiving a request to download a file, wherein the file originates from at least one precursor file in the file origin path list; and
determining whether to allow the file to download based on an analysis of the signature for the at least one precursor file in the file origin path list.
Dependent claims: 29 and 30.
Specification