Real time lockdown
Abstract
A system and method that trusts software executables existent on a machine prior to activation for different types of accesses, e.g., execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system tags the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system.
Claims (20)
1. A method of protecting a computer workstation from a virus threat, the method comprising:
detecting a modification to an executable program file, the file comprising file data and file meta data;
creating a hash from the file meta data;
adding a flag to the file meta data in response to the modification;
storing the hash and the flag in a memory;
identifying a virus threat;
initiating a lock down mode in response to the identified virus threat, wherein policies are applied to files created or modified after the lock down mode is initiated;
identifying the executable program file as being associated with an operation performed after the lock down mode is initiated and applying at least one of a policy for restricted files and a policy for unrestricted files based on at least the file meta data flag associated with the executable program file, the policy applied after detecting the modification to the executable program file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A non-transitory, computer-readable medium storing instructions that when executed by a computer perform the method of:
detecting a modification to an executable program file, the file comprising file data and file meta data;
creating a hash from the file meta data;
adding a flag to the file meta data in response to the file modification;
storing the hash and the flag in a memory;
identifying a virus threat;
initiating a lock down mode in response to the identified virus threat, wherein policies are applied to files created or modified after the lock down mode is initiated;
identifying the executable program file as being associated with an operation performed after the lock down mode is initiated;
retrieving the hash and the flag from the memory; and
applying at least one of a policy for restricted files and a policy for unrestricted files based on at least the file meta data flag associated with the executable program file, the policy applied after detecting the modification to the executable program file.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.
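The abstract and the two independent claims above describe the same flow in prose: detect a new or modified executable, hash its meta data, tag the meta data with a flag, keep hash and flag in memory, and once a threat puts the machine into lock-down mode, intercept execute/network/registry accesses and apply a restricted or unrestricted policy depending on the flag. The following Python simulation is an added example written for this page; it is not the patent's implementation nor any vendor's code. The `ExeFile` metadata dict stands in for NTFS extended attributes, the `lockdown_flag` key, the policy tables, the reason strings and the sample files are all constructed, and the fixed clock exists only so the scenario is reproducible. One point worth noticing: because the hash of the meta data is kept in memory, a flag that is later stripped from the file's meta data (or meta data that is altered after flagging) no longer matches the stored hash, and the monitor fails closed instead of treating the file as trusted.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Outcomes a policy can produce for an intercepted access.
ALLOW = "allow"
DENY = "deny"

# Access types the abstract says are intercepted once a file is flagged.
ACCESS_TYPES = ("execute", "network", "registry")


@dataclass
class ExeFile:
    """Constructed stand-in for an executable: file data plus a metadata
    dict that plays the role of NTFS extended attributes."""
    path: str
    data: bytes
    meta: Dict[str, object] = field(default_factory=dict)


def meta_hash(meta: Dict[str, object]) -> str:
    """Hash of the file meta data ('creating a hash from the file meta data').
    Canonical JSON keeps the digest independent of key order."""
    canon = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class LockdownMonitor:
    """Hypothetical monitor implementing the flag / hash / lock-down flow."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # In-memory record per path: (hash of meta data at flag time, flag).
        self.records: Dict[str, Tuple[str, Dict[str, object]]] = {}
        self.lockdown_since: Optional[float] = None
        # Hypothetical policies; a deployment would tune these per access type.
        self.restricted_policy = {a: DENY for a in ACCESS_TYPES}
        self.unrestricted_policy = {a: ALLOW for a in ACCESS_TYPES}

    def on_modified(self, f: ExeFile, change: str = "modified") -> str:
        """New or changed executable detected: tag its meta data, hash the
        meta data, and keep hash and flag in memory. Returns the hash."""
        flag = {"change": change, "at": self.clock()}
        f.meta["lockdown_flag"] = flag
        h = meta_hash(f.meta)
        self.records[f.path] = (h, flag)
        return h

    def on_threat(self, indicator: str) -> None:
        """A virus threat was identified: enter lock-down mode."""
        self.lockdown_since = self.clock()

    def intercept(self, f: ExeFile, access: str) -> Tuple[str, str]:
        """Decide an execute / network / registry access by the file.
        Returns (decision, reason)."""
        if access not in ACCESS_TYPES:
            raise ValueError(f"unknown access type: {access}")
        if self.lockdown_since is None:
            return ALLOW, "no-lockdown"  # policies apply only in lock-down
        rec = self.records.get(f.path)
        flag = f.meta.get("lockdown_flag")
        if rec is None and flag is None:
            # Never seen changing: trusted as software present beforehand.
            return self.unrestricted_policy[access], "trusted"
        if flag is None:
            # Recorded as flagged, but the flag is gone from the meta data.
            return self.restricted_policy[access], "flag-stripped"
        if rec is None:
            # Flag present but the monitor never recorded it.
            return self.restricted_policy[access], "unrecorded-flag"
        if rec[0] != meta_hash(f.meta):
            # Meta data altered since it was hashed: fail closed.
            return self.restricted_policy[access], "meta-tampered"
        return self.restricted_policy[access], "flagged"


def demo() -> Dict[str, Tuple[str, str]]:
    """Walk the scenario with a fixed clock and constructed sample files."""
    now = [1_700_000_000.0]
    mon = LockdownMonitor(clock=lambda: now[0])
    trusted = ExeFile("C:\\Program Files\\editor.exe", b"MZ-trusted",
                      {"size": 10, "owner": "SYSTEM"})
    dropped = ExeFile("C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
                      b"MZ-new", {"size": 6})
    out: Dict[str, Tuple[str, str]] = {}
    mon.on_modified(dropped, change="created")
    out["before_lockdown"] = mon.intercept(dropped, "execute")
    now[0] += 60
    mon.on_threat("constructed AV alert")
    out["flagged_exec"] = mon.intercept(dropped, "execute")
    out["trusted_exec"] = mon.intercept(trusted, "execute")
    out["trusted_net"] = mon.intercept(trusted, "network")
    # Simulate the flag being stripped from the meta data after recording.
    del dropped.meta["lockdown_flag"]
    out["flag_stripped"] = mon.intercept(dropped, "network")
    return out


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:16s} {decision:5s} ({reason})")
```

Before lock-down every access is allowed even though the dropped file is already flagged; after the threat is identified the flagged file is denied, the untouched pre-existing executable keeps the unrestricted policy, and removing the flag from the file's meta data yields a deny because the in-memory hash no longer matches.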