Real time lockdown

US 8,453,243 B2
Filed: 12/28/2005
Issued: 05/28/2013
Est. Priority Date: 12/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a computer workstation from a virus threat, the method comprising:

detecting a modification to an executable program file, the file comprising file data and file meta data;

creating a hash from the file meta data;

adding a flag to the file meta data in response to the modification;

storing the hash and the flag in a memory;

identifying a virus threat;

initiating a lock down mode in response to the identified virus threat, wherein policies are applied to files created or modified after the lock down mode is initiated;

identifying the executable program file as being associated with an operation performed after the lock down mode is initiated andapplying at least one of a policy for restricted files and a policy for unrestricted files based on at least the file meta data flag associated with the executable program file, the policy applied after detecting the modification to the executable program file.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that trusts software executables existent on a machine prior to activation for different types of accesses e.g. execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system will tag the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system.

Citations

20 Claims

1. A method of protecting a computer workstation from a virus threat, the method comprising:
- detecting a modification to an executable program file, the file comprising file data and file meta data;
  
  creating a hash from the file meta data;
  
  adding a flag to the file meta data in response to the modification;
  
  storing the hash and the flag in a memory;
  
  identifying a virus threat;
  
  initiating a lock down mode in response to the identified virus threat, wherein policies are applied to files created or modified after the lock down mode is initiated;
  
  identifying the executable program file as being associated with an operation performed after the lock down mode is initiated andapplying at least one of a policy for restricted files and a policy for unrestricted files based on at least the file meta data flag associated with the executable program file, the policy applied after detecting the modification to the executable program file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising determining if the modified executable program file is a trusted file based on a digital signature of the modified executable program file.
  - 3. The method of claim 1, wherein the meta data comprises extended attributes and alternate streams.
  - 4. The method of claim 1, wherein the file meta data comprises permissions.
  - 5. The method of claim 1, further comprising updating a virus protection program to include information relating to the virus threat. program to include information relating to the software virus.
  - 6. The method of claim 1, further comprising:
    - creating a new file on the workstation;
      
      identifying the new file with a flag, wherein the flag is a code added to the file meta data associated with the new file;
      
      creating a hash for the new file, wherein the hash is created at least in part on the file meta data associated with the new file; and
      
      storing the hash and the flag in a memory.
  - 7. The method of claim 6, wherein identifying the new file comprises inserting one or more bits of data into the file meta data, the bits identifying the file data as being new.
  - 8. The method of claim 1, wherein identifying a modified executable program file comprises receiving notifications regarding monitoring input and output operations from a file system.
  - 9. The method of claim 1, wherein creating a hash from the file meta data is performed before the lock down mode is initiated.
  - 10. The method of claim 1 wherein, the file meta data comprises one or more of a filename, publisher, suite, hash, file size, and version.
  - 11. The method of claim 5, further comprising ending the lock down mode on the workstation after updating the virus protection program.

12. A non-transitory, computer-readable medium storing instructions that when executed by a computer perform the method of:
- detecting a modification to an executable program file, the file comprising file data and file meta data;
  
  creating a hash from the file meta data;
  
  adding a flag to the file meta data in response to the file modification;
  
  storing the hash and the flag in a memory;
  
  identifying a virus threat;
  
  initiating a lock down mode in response to the identified virus threat, wherein policies are applied to files created or modified after the lock down mode is initiated;
  
  identifying the executable program file as being associated with an operation performed after the lock down mode is initiated;
  
  retrieving the hash and the flag from the memory; and
  
  applying at least one of a policy for restricted files and a policy for unrestricted files based on at least the file meta data flag associated with the executable program file, the policy applied after detecting the modification to the executable program file.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The non-transitory, computer-readable medium of claim 12, wherein the file meta data comprises one or more of a filename, publisher, suite, hash, file size, and version.
  - 14. The non-transitory, computer-readable medium of claim 12, wherein adding a flag to the meta data comprises inserting one or more bits of data into the meta data, the bits identifying the file data as being modified.
  - 15. The non-transitory, computer-readable medium of claim 12, further comprising updating a virus protection program to include information relating to the virus threat.
  - 16. The non-transitory, computer-readable medium of claim 12, wherein applying the policy is performed at least in part by a kernel.
  - 17. The non-transitory, computer-readable medium of claim 12, further comprising:
    - creating a new file on a workstation, wherein the flag is a code added to the meta data associated with the new file;
      
      creating a hash for the new file, wherein the hash is created at least in part on the file meta data associated with the new file; and
      
      storing the hash and the flag in a memory.
  - 18. The non-transitory, computer-readable medium of claim 17, wherein identifying the new file comprises inserting one or more bits of data into the file meta data, the bits identifying the file data as being new.
  - 19. The non-transitory, computer-readable medium of claim 12, wherein the policies determine whether to execute the executable program file, deny execution of the executable program file, alert the user that the request to run the executable program file will be logged, and allowing the user a specific amount of time in which to run the executable program file.
  - 20. The non-transitory, computer-readable medium of claim 15, further comprising ending the lock down mode on the workstation after updating the virus protection program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC (Francisco Partners Management LLC)
Original Assignee
Forcepoint LLC (Francisco Partners Management LLC)
Inventors
Lo, Winping, Papa, Joseph, Sharma, Rajesh Kumar
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LEE, JASON T

Application Number

US11/319,678
Publication Number

US 20070150956A1
Time in Patent Office

2,708 Days
Field of Search

726/4, 726 22- 25, 713/201, 713/156, 713/176, 713/164, 707/100, 707/1, 707/200
US Class Current

726/24
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/60   Protecting data

Real time lockdown

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Real time lockdown

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links