Obtaining network origins of potential software threats
Abstract
A method/system/computer program for obtaining the network origin of a downloaded entity of interest (e.g. a threat or malicious software). The method includes recording the network locations of at least some files downloaded to a processing system and recording the physical locations of the at least some files stored in one or more storage devices of the processing system. An entity of interest is then identified in the processing system, and the recorded network locations and the recorded physical locations are searched for the network location and the physical location of the entity of interest. If the network location and the physical location of the entity of interest are identified, they are transmitted to a remote processing system.
20 Claims
1. A method of obtaining a network origin of a downloaded entity of interest, the method including the steps of, in a processing system:
recording network locations of at least some files downloaded to the processing system;
recording physical locations of the at least some files stored in one or more storage devices of the processing system;
recording at least some events performed in the processing system by the at least some files downloaded to the processing system;
identifying an entity of interest in the processing system;
searching the recorded network locations and the recorded physical locations for a network location and a physical location of the entity of interest;
using the at least some recorded events to search the recorded network locations and the recorded physical locations for a network location and a physical location for a file downloaded to the processing system by the identified entity of interest; and
if the network location and the physical location of the entity of interest are identified, transmitting the network location and the physical location of the entity of interest and the network location and the physical location of the file downloaded to the processing system by the entity of interest to a remote processing system, wherein the remote processing system downloads the entity of interest and the file downloaded to the processing system directly from the transmitted network locations.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 20

11. A non-transitory computer program product for obtaining a network origin of a downloaded entity of interest, the computer program product executable in a processing system and configured to:
record network locations of at least some files downloaded to the processing system;
record physical locations of the at least some files stored in one or more storage devices of the processing system;
record at least some events performed in the processing system by the at least some files downloaded to the processing system;
identify an entity of interest in the processing system;
search the recorded network locations and the recorded physical locations for a network location and a physical location of the entity of interest;
use the at least some recorded events to search the recorded network locations and the recorded physical locations for a network location and a physical location for a file downloaded to the processing system by the identified entity of interest; and
if the network location and the physical location of the entity of interest are identified, transmit the network location and the physical location of the entity of interest and the network location and the physical location of the file downloaded to the processing system by the entity of interest to a remote processing system, wherein the remote processing system downloads the entity of interest and the file downloaded to the processing system directly from the transmitted network locations.

12. A method of obtaining a network location of a downloaded file, the method including the steps of, in a processing system:
identifying when an entity is being downloaded to the processing system;
storing a network location of the entity in a record, and storing one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
identifying when a new file is created in the processing system;
comparing information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file;
if a match is found between the new file and the entity, storing at least the network location and the filename for the new file in a second record;
recording at least some events performed in the processing system by the new file created in the processing system;
using the at least some recorded events to search the stored network locations for a network location for a file downloaded to the processing system by the new file; and
transmitting the network location of the new file and the network location of the file downloaded to the processing system by the new file to a remote processing system, wherein the remote processing system downloads the new file and the file downloaded to the processing system directly from the transmitted network locations.
Dependent claims: 13, 14, 15, 16, 17, 18

19. A non-transitory computer program product for obtaining a network location of a downloaded file, the computer program product executable in a processing system and configured to:
identify when an entity is being downloaded to the processing system;
store a network location of the entity in a record, and store one or more of a hash function for the entity, a size of the entity, a series of sections of the entity, and a filename for the entity;
identify when a new file is created in the processing system;
compare information in the record with one or more of a hash function for the new file, a size of the new file, a series of sections of the new file, and a filename for the new file;
if a match is found between the new file and the entity, store at least the network location and the filename for the new file in a second record;
record at least some events performed in the processing system by the new file created in the processing system;
use the at least some recorded events to search the stored network locations for a network location for a file downloaded to the processing system by the new file; and
transmit the network location of the new file and the network location of the file downloaded to the processing system by the new file to a remote processing system, wherein the remote processing system downloads the new file and the file downloaded to the processing system directly from the transmitted network locations.

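The bookkeeping recited in claims 1 and 12, sketched as an added Python example (not code from the patent): a download is matched to a newly created file by SHA-256 and size, and recorded download events link a file to the files it fetched. The class and method names, URLs and paths are hypothetical, the sample bytes are constructed, and the walk follows download chains transitively, which goes beyond the single step the claims recite; the returned list stands in for what would be sent to the remote system.

```python
import hashlib
from collections import defaultdict

class ProvenanceLog:
    def __init__(self):
        self.pending = {}  # first record: (sha256, size) -> URL
        self.origin = {}  # second record: path on disk -> URL
        self.fetched_by = defaultdict(list)  # recorded events: actor path -> URLs

    @staticmethod
    def _key(content):
        return hashlib.sha256(content).hexdigest(), len(content)

    def on_download(self, url, content, actor=None):
        self.pending[self._key(content)] = url
        if actor is not None:
            self.fetched_by[actor].append(url)

    def on_file_created(self, path, content):  # store only on a match
        url = self.pending.get(self._key(content))
        if url is not None:
            self.origin[path] = url
        return url

    def report(self, entity_path):
        """(URL, path) pairs for the entity and the files it downloaded."""
        if entity_path not in self.origin:
            return []  # origin not identified: nothing to send
        by_url = defaultdict(list)
        for path, url in self.origin.items():
            by_url[url].append(path)
        out, seen, queue = [], set(), [entity_path]
        while queue:
            path = queue.pop(0)
            if path in seen:
                continue  # guards against download loops
            seen.add(path)
            out.append((self.origin[path], path))
            for url in self.fetched_by.get(path, []):
                queue.extend(by_url[url])
        return out

def demo():  # constructed sample data, hypothetical URLs and paths
    log, setup = ProvenanceLog(), "C:/Users/a/Downloads/setup.exe"
    log.on_download("http://downloads.example/setup.exe", b"constructed dropper")
    log.on_file_created(setup, b"constructed dropper")
    log.on_download("http://cdn.example/p.bin", b"constructed payload", actor=setup)
    log.on_file_created("C:/Users/a/AppData/p.exe", b"constructed payload")
    return log, log.report(setup)
```
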
Specification