Systems and methods for preventing threats originating from a non-process based component hosted by a trusted process
First Claim
1. A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process, comprising:
- monitoring, by a hardware processor, loading activity of the trusted process;
- altering, by the hardware processor, a trust level associated with the trusted process when an unverified component is loaded into the trusted process;
- upon altering the trust level of the trusted process, monitoring, by the hardware processor, events performed by the trusted process for a suspicious activity that comprises a portable executable (“PE”) file modification, PE file deletion, or PE file creation;
- assigning a trust level on an image file to the unverified component based on a digital signature of the unverified component;
- calling, by an operating system, an application programming interface to trace code execution by the trusted process;
- tracing the code execution of the suspicious activity back to an address space belonging to the unverified component that originated the suspicious activity;
- determining whether security risk associated with the unverified component that originated the suspicious activity is above a predetermined threshold; and
- upon determining that the security risk associated with the unverified component that originated the suspicious activity is above the predetermined threshold, terminating, by the hardware processor, the trusted process and deleting the unverified component that originated the suspicious activity.
2 Assignments
0 Petitions
Abstract
A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process is described. The loading activity of the trusted process is monitored. A trust level associated with the trusted process is altered when an unverified component is loaded into the trusted process. Events performed by the trusted process are monitored. An unverified component that originated the event is identified. The trusted process is terminated based on a security risk associated with the unverified component that originated the event.
14 Claims
1. (Independent claim; its full text is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer system configured to prevent threats originating from a non-process based component hosted by a trusted process, comprising:
- a processor;
- a memory in electronic communication with the processor, wherein the memory stores computer executable instructions that when executed by the processor cause the processor to perform the steps of:
  - monitoring loading activity of the trusted process;
  - altering a trust level associated with the trusted process when an unverified component is loaded into the trusted process;
  - upon altering the trust level of the trusted process, monitoring events performed by the trusted process for a suspicious activity that comprises a portable executable (“PE”) file modification, PE file deletion, or PE file creation;
  - assigning a trust level on an image file to the unverified component based on a digital signature of the unverified component;
  - calling an application programming interface to trace code execution by the trusted process;
  - tracing the code execution of the suspicious activity back to an address space belonging to the unverified component that originated the suspicious activity;
  - determining whether security risk associated with the unverified component that originated the suspicious activity is above a predetermined threshold; and
  - upon determining that the security risk associated with the unverified component that originated the suspicious activity is above the predetermined threshold, terminating the trusted process and deleting the unverified component that originated the suspicious activity.
Dependent claims: 9, 10, 11, 12, 13
14. A non-transitory computer-readable storage medium storing computer executable instructions that when executed by a processor cause the processor to perform the steps of:
- monitoring loading activity of the trusted process;
- altering a trust level associated with the trusted process when an unverified component is loaded into the trusted process;
- upon altering the trust level of the trusted process, monitoring events performed by the trusted process for a suspicious activity that comprises a portable executable (“PE”) file modification, PE file deletion, or PE file creation;
- assigning a trust level on an image file to the unverified component based on a digital signature of the unverified component;
- calling an application programming interface to trace code execution by the trusted process;
- tracing the code execution of the suspicious activity back to an address space belonging to the unverified component that originated the suspicious activity;
- determining whether security risk associated with the unverified component that originated the suspicious activity is above a predetermined threshold; and
- upon determining that the security risk associated with the suspicious activity is above the predetermined threshold, terminating the trusted process and deleting the unverified component that originated the suspicious activity.
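The independent claims above (1, 8 and 14) all describe the same sequence: watch what a trusted process loads, lower its trust level the moment an unverified (unsigned) component is loaded, from then on monitor its PE file create/modify/delete events, attribute each such event to the module whose address space it came from, score the risk, and terminate the process and delete the component when the score crosses a threshold. The following Python model is an added illustration of that state machine, not code from the patent or its assignee. The module names, base addresses, the risk-scoring rule and the threshold value of 50 are constructed for the example, and the operating-system code-tracing API named in the claims is stood in for by a lookup of the event's originating address against the loaded modules' address ranges.

```python
"""Toy model of the claimed mechanism: trust downgrade on unverified load,
PE file event monitoring, attribution to the originating module, and
threshold-based termination. Constructed illustration, not the patent's code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Trust(Enum):
    TRUSTED = "trusted"
    UNVERIFIED = "unverified"   # process trust is lowered to this on unverified load


@dataclass
class Module:
    name: str
    base: int
    size: int
    signed: bool  # stands in for the digital-signature check on the image file

    @property
    def trust(self) -> Trust:
        # trust level "on an image file", derived from the signature check
        return Trust.TRUSTED if self.signed else Trust.UNVERIFIED

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# the suspicious activity the claims name: PE file modification/deletion/creation
PE_SUSPICIOUS = {"pe_create", "pe_modify", "pe_delete"}


@dataclass
class Event:
    kind: str         # e.g. "pe_create"
    path: str         # file the event touched
    origin_addr: int  # code address the event was traced back to (assumed tracing API)


@dataclass
class TrustedProcess:
    pid: int
    modules: List[Module] = field(default_factory=list)
    trust: Trust = Trust.TRUSTED
    alive: bool = True
    deleted: List[str] = field(default_factory=list)  # components removed on termination

    def load(self, m: Module) -> None:
        """Loading activity monitor: an unverified component lowers process trust."""
        self.modules.append(m)
        if m.trust is Trust.UNVERIFIED:
            self.trust = Trust.UNVERIFIED

    def trace_origin(self, addr: int) -> Optional[Module]:
        """Attribute an address to the module whose address space contains it."""
        for m in self.modules:
            if m.contains(addr):
                return m
        return None


RISK_THRESHOLD = 50  # assumed value for the example; the patent does not give one


def risk_score(origin: Module, ev: Event) -> int:
    """Assumed scoring rule: unsigned origin plus how destructive the PE operation is."""
    score = 0 if origin.signed else 40
    if ev.kind in ("pe_modify", "pe_delete"):
        score += 30
    elif ev.kind == "pe_create":
        score += 20
    return score


def handle_event(proc: TrustedProcess, ev: Event) -> str:
    """Event monitor for a trusted process; returns the verdict as a short string."""
    if not proc.alive:
        return "ignored:terminated"
    if proc.trust is Trust.TRUSTED:
        return "ignored:not-monitored"   # monitoring starts only after the downgrade
    if ev.kind not in PE_SUSPICIOUS:
        return "ignored:benign"
    origin = proc.trace_origin(ev.origin_addr)
    if origin is None:
        return "unattributed"            # address outside every loaded module
    if risk_score(origin, ev) > RISK_THRESHOLD:
        proc.alive = False               # terminate the host process ...
        proc.deleted.append(origin.name) # ... and delete the originating component
        return f"terminated:{origin.name}"
    return f"allowed:{origin.name}"


def demo() -> List[str]:
    """Constructed scenario: a signed host loads an unsigned plug-in that writes a PE file."""
    proc = TrustedProcess(pid=1234)
    proc.load(Module("host.exe", 0x400000, 0x10000, signed=True))
    verdicts = [handle_event(proc, Event("pe_create", "C:\\tmp\\a.exe", 0x401000))]
    proc.load(Module("plugin.dll", 0x7FF000, 0x2000, signed=False))
    verdicts.append(handle_event(proc, Event("pe_create", "C:\\tmp\\a.exe", 0x401000)))
    verdicts.append(handle_event(proc, Event("pe_modify", "C:\\tmp\\b.exe", 0x7FF100)))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The verdict sequence produced by `demo()` shows the three regimes of the claim: the same PE create from the signed host is not even inspected while the process is fully trusted, is attributed and allowed (score 20) once an unsigned component has lowered the trust level, and a PE modification traced into the unsigned plug-in's address range (score 70) ends the process and marks the plug-in for deletion. In a real sensor the attribution step would walk the call stack at the time of the file operation rather than look at a single address, and the scoring and threshold would be tuned against false positives from legitimately unsigned but benign modules.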