
System and method for transitioning to a whitelist mode during a malware attack in a network environment

  • US 8,646,089 B2
  • Filed: 10/18/2011
  • Issued: 02/04/2014
  • Est. Priority Date: 10/18/2011
  • Status: Active Grant
First Claim

1. A method, comprising:

  • receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;
  • enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes:
    • preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and
    • allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;
  • identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;
  • allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;
  • identifying a second process on the process list of the host, the second process associated with one or more second software objects;
  • terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;
  • identifying a third process on the process list of the host, the third process associated with one or more third software objects;
  • restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled;
  • identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;
  • wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.
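The four outcomes claim 1 assigns to processes that were already running when whitelist mode is enabled (allow, restart, terminate, quarantine the host), as an added Python example that is not code from the patent or from any product implementing it. The whitelist entries, process records, memory-modified flags and critical-process flags are constructed; a real host would compare object hashes and evaluate memory integrity through its own mechanisms.

```python
"""Decision logic for pre-existing processes when switching to whitelist mode."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                  # all objects whitelisted, memory unmodified
    RESTART = "restart"              # all objects whitelisted, memory modified before the switch
    TERMINATE = "terminate"          # a non-whitelisted object, not a critical process
    QUARANTINE = "quarantine_host"   # a non-whitelisted object inside a critical process


@dataclass(frozen=True)
class Process:
    pid: int
    objects: tuple          # identifiers of the software objects backing the process (constructed)
    memory_modified: bool   # process memory changed before whitelist mode was enabled
    critical: bool          # the host cannot operate without this process


def may_execute(obj, whitelist):
    """Whitelist mode itself: a new object runs only if it is represented on the whitelist."""
    return obj in whitelist


def classify(proc, whitelist):
    """Apply the claim's four rules to one process invoked before whitelist mode was enabled."""
    if all(obj in whitelist for obj in proc.objects):
        return Action.RESTART if proc.memory_modified else Action.ALLOW
    return Action.QUARANTINE if proc.critical else Action.TERMINATE


def transition_to_whitelist_mode(process_list, whitelist):
    """Return the per-pid action and whether any process forces host quarantine."""
    actions = {p.pid: classify(p, whitelist) for p in process_list}
    quarantine_host = any(a is Action.QUARANTINE for a in actions.values())
    return actions, quarantine_host


# Constructed sample data: file names stand in for the object hashes a deployment would use.
WHITELIST = {"svchost.exe", "explorer.exe", "lsass.exe"}
SAMPLE_PROCESSES = [
    Process(100, ("svchost.exe",), memory_modified=False, critical=True),        # allow
    Process(200, ("explorer.exe",), memory_modified=True, critical=False),       # restart
    Process(300, ("dropper.exe",), memory_modified=False, critical=False),       # terminate
    Process(400, ("lsass.exe", "injected.dll"), memory_modified=True, critical=True),  # quarantine
]

if __name__ == "__main__":
    acts, quarantine = transition_to_whitelist_mode(SAMPLE_PROCESSES, WHITELIST)
    for pid, action in acts.items():
        print(pid, action.value)
    print("quarantine host:", quarantine)
```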

  • 10 Assignments