Selectively trusting signed files

US 8,499,150 B1
Filed: 11/11/2010
Issued: 07/30/2013
Est. Priority Date: 11/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of assigning a trust level to a digitally-signed file, comprising:

receiving, at a computer, signing information identifying a certificate used to sign the file;

determining, by the computer, whether the certificate is compromised;

responsive to determining that the certificate is compromised, comparing, by the computer, a discovery date of the file with a compromise date of the certificate; and

generating, by the computer, trust data assigning the trust level to the file responsive to the comparison, the generating comprising;

generating trust data assigning an intermediate trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the discovery date is within a threshold amount of time before or after the compromise date;

generating trust data assigning a low trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is past the threshold amount of time after the compromise date; and

generating trust data assigning a high trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is prior to the threshold amount of time before the compromise date.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module on a client detects a signed file at the client and reports signing information identifying a certificate used to sign the file and a file identifier identifying the file to a security server. The security server uses the signing information to determine whether the certificate is compromised. If the certificate is compromised, the security server compares a discovery date of the file with a compromise date of the certificate. The security server generates trust data assigning a trust level to the file responsive to the comparison. The trust data assign a low trust level to the file if the comparison indicates that the file discovery date is after the compromise date and assign a high trust level to the file if the comparison indicates that the file discovery date is not after the compromise date. The security server provides the trust data to the client.

42 Citations

View as Search Results

15 Claims

1. A computer-implemented method of assigning a trust level to a digitally-signed file, comprising:
- receiving, at a computer, signing information identifying a certificate used to sign the file;
  
  determining, by the computer, whether the certificate is compromised;
  
  responsive to determining that the certificate is compromised, comparing, by the computer, a discovery date of the file with a compromise date of the certificate; and
  
  generating, by the computer, trust data assigning the trust level to the file responsive to the comparison, the generating comprising;
  
  generating trust data assigning an intermediate trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the discovery date is within a threshold amount of time before or after the compromise date;
  
  generating trust data assigning a low trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is past the threshold amount of time after the compromise date; and
  
  generating trust data assigning a high trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is prior to the threshold amount of time before the compromise date.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the signing information is received from a client on which the file is detected, the trust data are provided to the client, and the client is adapted to use the trust data to determine whether the file contains malware.
  - 3. The method of claim 1, wherein determining whether the certificate is compromised comprises:
    - determining whether the certificate is listed on a list of compromised certificates.
  - 4. The method of claim 1, wherein the comparing comprises:
    - determining the compromise date for the certificate, the compromise date indicating when the certificate became compromised;
      
      determining the discovery date of the file, the discovery date indicating when the file was first discovered on one or more of a plurality of clients; and
      
      comparing the compromise date with the discovery date.
  - 5. The method of claim 4, wherein the compromise date indicates a most recent date that the certificate was known to have been used to sign a legitimate file.

6. A non-transitory computer-readable storage medium storing executable computer program instructions for assigning a trust level to a digitally-signed file, the instructions comprising instructions for:
- receiving signing information identifying a certificate used to sign the file;
  
  determining whether the certificate is compromised;
  
  responsive to determining that the certificate is compromised, comparing a discovery date of the file with a compromise date of the certificate; and
  
  generating trust data assigning the trust level to the file responsive to the comparison, the generating comprising;
  
  generating trust data assigning an intermediate trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the discovery date is within a threshold amount of time before or after the compromise date;
  
  generating trust data assigning a low trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is past the threshold amount of time after the compromise date; and
  
  generating trust data assigning a high trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is prior to the threshold amount of time before the compromise date.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable medium of claim 6, wherein the signing information is received from a client on which the file is detected, the trust data are provided to the client, and the client is adapted to use the trust data to determine whether the file contains malware.
  - 8. The computer-readable medium of claim 6, wherein determining whether the certificate is compromised comprises:
    - determining whether the certificate is listed on a list of compromised certificates.
  - 9. The computer-readable medium of claim 6, wherein the comparing comprises:
    - determining the compromise date for the certificate, the compromise date indicating when the certificate became compromised;
      
      determining the discovery date of the file, the discovery date indicating when the file was first discovered on one or more of a plurality of clients; and
      
      comparing the compromise date with the discovery date.
  - 10. The computer-readable medium of claim 9, wherein the compromise date indicates a most recent date that the certificate was known to have been used to sign a legitimate file.

11. A computer for assigning a trust level to a digitally-signed file, comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for;
  
  receiving signing information identifying a certificate used to sign the file;
  
  determining whether the certificate is compromised;
  
  responsive to determining that the certificate is compromised, comparing a discovery date of the file with a compromise date of the certificate; and
  
  generating trust data assigning the trust level to the file responsive to the comparison, the generating comprising;
  
  generating trust data assigning an intermediate trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the discovery date is within a threshold amount of time before or after the compromise date;
  
  generating trust data assigning a low trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is past the threshold amount of time after the compromise date; and
  
  generating trust data assigning a high trust level to the file responsive to the comparison of the compromise date with the discovery date indicating that the file discovery date is prior to the threshold amount of time before the compromise date; and
  
  a processor for executing the computer program instructions.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer of claim 11, wherein the signing information is received from a client on which the file is detected, the trust data are provided to the client, and the client is adapted to use the trust data to determine whether the file contains malware.
  - 13. The computer of claim 11, wherein determining whether the certificate is compromised comprises:
    - determining whether the certificate is listed on a list of compromised certificates.
  - 14. The computer of claim 11, wherein the comparing comprises:
    - determining the compromise date for the certificate, the compromise date indicating when the certificate became compromised;
      
      determining the discovery date of the file, the discovery date indicating when the file was first discovered on one or more of a plurality of clients; and
      
      comparing the compromise date with the discovery date.
  - 15. The computer of claim 14, wherein the compromise date indicates a most recent date that the certificate was known to have been used to sign a legitimate file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
Nalven, Andrew L
Assistant Examiner(s)
Doan, Huan V

Application Number

US12/944,429
Time in Patent Office

992 Days
Field of Search

713/156, 713/168, 713/173, 713/175, 713/176, 713/180, 713/188, 713/189, 709/220, 709/225, 709/229, 380/30, 705/39, 705/40, 705/44, 726/4, 726/22, 726/24, 726/26
US Class Current

713/158
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/645   using a third party

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 9/3268   using certificate validatio...

Selectively trusting signed files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Selectively trusting signed files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links