White list creation in behavior monitoring system
First Claim
1. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:
detecting execution of a process;
determining that the process has a valid digital signature;
determining that the process is not launched from a removable storage device;
determining that the process is not enabled to make an inbound connection to the computing device;
determining that the process is not enabled to make an outbound connection to an external component from the computing device; and
automatically updating the white list with a process identifier associated with said process, thereby maintaining the white list without human intervention.
1 Assignment
0 Petitions
Abstract
A white list (or exception list) for a behavior monitoring system that detects unknown malware on a computing device is maintained automatically, without human intervention. The white list contains process IDs and other data relating to processes that are determined to be (or are very likely to be) free of malware. If a process is on this list, the rule-matching operations of a conventional behavior monitor are not performed for it, saving processing resources on the computing device. When a process start-up is detected, the behavior monitor performs a series of checks or tests. If the process has all valid digital signatures, is not launched from a removable storage device (such as a USB key) and is not enabled to make any inbound or outbound connections, it is eligible for the white list. The white list is also maintained automatically by removing process IDs for processes that have terminated or that attempt to make a new outbound or inbound connection, such as a TCP/UDP connection. Scheduled integrity checks on the white list are also performed by examining the process stack of each process to ensure that there are no abnormal files in the process stack.
19 Claims
1. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:
detecting execution of a process;
determining that the process has a valid digital signature;
determining that the process is not launched from a removable storage device;
determining that the process is not enabled to make an inbound connection to the computing device;
determining that the process is not enabled to make an outbound connection to an external component from the computing device; and
automatically updating the white list with a process identifier associated with said process, thereby maintaining the white list without human intervention.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:
receiving an indication that a process is executing;
automatically updating the white list with a process identifier associated with said process when it is determined that the process has a valid digital signature and that the process is not launched from a removable storage device and that the process is not enabled to make an inbound connection to the computing device and that the process is not enabled to make an outbound connection to an external component from the computing device; and
removing the process identifier from the white list when the behavior monitoring system detects a new connection being made by the process.
Dependent claims: 9, 10, 11, 12, 13.
14. A method of maintaining a white list for use in a behavior monitoring system for malware detection executing on a computing device, the method comprising:
detecting execution of a process;
automatically updating the white list with a process identifier associated with said process when it is determined that the process has a valid digital signature and that the process is not launched from a removable storage device and that the process is not enabled to make an inbound connection to the computing device and that the process is not enabled to make an outbound connection to an external component from the computing device; and
removing the process identifier from the list when the behavior monitoring system determines that a process stack corresponding to the process contains abnormal files.
Dependent claims: 15, 16, 17, 18, 19.
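The four admission tests of claim 1 and the two eviction rules of claims 8 and 14 (plus the abstract's removal of terminated processes) fit together as one small state machine. The Python below is an added example written for this page, not code from the patent or its assignee. It assumes the monitor's process enumerator supplies a snapshot with the fields of the hypothetical ProcessInfo class, that the platform has already performed the signature check, that the claims' "process stack" can be approximated by the set of loaded modules compared against a per-image baseline, and it runs over constructed sample processes; all of these are assumptions.

```python
"""Automatic white-list maintenance for a behaviour monitor, following the
admission and eviction rules in the abstract and in claims 1, 8 and 14.
Example code written for this page; not the patent holder's implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class ProcessInfo:
    """Snapshot the monitor's process enumerator is assumed to provide (hypothetical)."""
    pid: int
    start_time: int             # creation time; PIDs are reused, so key on both
    image_path: str
    signature_valid: bool       # platform signature check, assumed already done
    on_removable_media: bool    # image launched from e.g. a USB volume
    listening_ports: FrozenSet[int] = frozenset()   # inbound capability
    remote_endpoints: FrozenSet[str] = frozenset()  # outbound connections
    loaded_modules: FrozenSet[str] = frozenset()    # stands in for the "process stack"


ProcessKey = Tuple[int, int]


class WhiteList:
    def __init__(self, expected_modules: Dict[str, FrozenSet[str]]):
        # Assumed baseline: modules a clean instance of each image is expected to load.
        self.expected_modules = expected_modules
        self.entries: Dict[ProcessKey, ProcessInfo] = {}

    @staticmethod
    def key(p: ProcessInfo) -> ProcessKey:
        return (p.pid, p.start_time)

    def eligible(self, p: ProcessInfo) -> bool:
        """Claim 1: all four admission tests must pass."""
        return (p.signature_valid
                and not p.on_removable_media
                and not p.listening_ports       # cannot accept inbound connections
                and not p.remote_endpoints)     # makes no outbound connections

    def on_process_start(self, p: ProcessInfo) -> bool:
        """Admit automatically; returns True when the process was white-listed."""
        if self.eligible(p):
            self.entries[self.key(p)] = p
            return True
        return False

    def is_whitelisted(self, p: ProcessInfo) -> bool:
        return self.key(p) in self.entries

    def on_new_connection(self, p: ProcessInfo) -> bool:
        """Claim 8: a new inbound or outbound connection evicts the process."""
        return self.entries.pop(self.key(p), None) is not None

    def on_process_exit(self, p: ProcessInfo) -> bool:
        """Abstract: terminated processes are dropped so a reused PID is not trusted."""
        return self.entries.pop(self.key(p), None) is not None

    def integrity_check(self, live: Dict[ProcessKey, ProcessInfo]) -> Set[ProcessKey]:
        """Claim 14 / scheduled check: evict entries whose loaded modules fall
        outside the image's baseline, and entries whose process has gone."""
        evicted: Set[ProcessKey] = set()
        for k, entry in self.entries.items():
            now = live.get(k)
            baseline = self.expected_modules.get(entry.image_path, frozenset())
            if now is None or (now.loaded_modules - baseline):
                evicted.add(k)
        for k in evicted:
            del self.entries[k]
        return evicted


def demo() -> Dict[str, object]:
    """Runs the rules over constructed process snapshots and returns the outcomes."""
    svc_path = r"C:\Windows\System32\svchost.exe"
    wl = WhiteList({svc_path: frozenset({"ntdll.dll", "kernel32.dll"})})
    svc = ProcessInfo(1200, 1, svc_path, True, False,
                      loaded_modules=frozenset({"ntdll.dll", "kernel32.dll"}))
    usb_tool = ProcessInfo(1300, 2, r"E:\tool.exe", True, True)
    browser = ProcessInfo(1400, 3, r"C:\Program Files\browser.exe", True, False,
                          remote_endpoints=frozenset({"203.0.113.10:443"}))
    unsigned = ProcessInfo(1500, 4, r"C:\Temp\a.exe", False, False)

    admitted = {p.image_path: wl.on_process_start(p)
                for p in (svc, usb_tool, browser, unsigned)}

    # Later the service opens a socket: the monitor reports it and the entry is dropped.
    evicted_on_connect = wl.on_new_connection(svc)

    # A fresh instance reuses PID 1200 (new start_time), is admitted, then has an
    # unexpected module injected before the scheduled integrity check runs.
    svc2 = ProcessInfo(1200, 5, svc_path, True, False, loaded_modules=svc.loaded_modules)
    wl.on_process_start(svc2)
    tampered = ProcessInfo(1200, 5, svc_path, True, False,
                           loaded_modules=svc.loaded_modules | {"evil.dll"})
    evicted_on_check = wl.integrity_check({WhiteList.key(tampered): tampered})

    return {"admitted": admitted, "evicted_on_connect": evicted_on_connect,
            "evicted_on_check": evicted_on_check, "remaining": len(wl.entries)}


if __name__ == "__main__":
    print(demo())
```

Two points the claims leave implicit. Process identifiers are reused by every common operating system once a process exits, so an entry keyed on the bare PID could survive into an unrelated later process; the example keys on (pid, start_time) and treats a process that is missing at check time as grounds for eviction, which is the practical reason the abstract removes terminated processes. And a valid signature only shows that the binary was signed with a key the platform trusts; malware signed with stolen or leaked code-signing certificates has been seen in the wild, so the signature test is a filter for deciding when rule matching can be skipped, not proof that the process is benign.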