System and method for transitioning to a whitelist mode during a malware attack in a network environment
First Claim
1. A method, comprising:
- receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;
- enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes:
  - preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and
  - allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;
- identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;
- allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;
- identifying a second process on the process list of the host, the second process associated with one or more second software objects;
- terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;
- identifying a third process on the process list of the host, the third process associated with one or more third software objects;
- restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled;
- identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;
- wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.
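The claim above amounts to a decision procedure over the host's process list: every process that was already running when the mode switch arrives is sorted into one of four outcomes (continue, terminate, restart, quarantine the host) from two facts, whether all of its software objects are on the whitelist and whether its memory was modified, plus whether it is a critical process. The following Python is an added illustration of that procedure and is not code from the patent or its assignee; the process record fields (`objects`, `critical`, `memory_modified`), the use of SHA-256 digests as whitelist entries, and the sample byte strings standing in for executable images are all constructed assumptions.

```python
"""Constructed illustration of the transition-to-whitelist-mode decision
logic recited in claim 1.  Not the patent holder's code: process records,
hash-based whitelist membership and the field names are assumptions."""
from dataclasses import dataclass
from enum import Enum
import hashlib


class Action(Enum):
    CONTINUE = "continue"            # first process: all objects listed, memory intact
    TERMINATE = "terminate"          # second process: unlisted object, not critical
    RESTART = "restart"              # third process: all listed, memory was modified
    QUARANTINE_HOST = "quarantine"   # fourth process: unlisted object in a critical process


@dataclass
class HostState:
    antivirus_enabled: bool = True
    whitelist_enabled: bool = False


@dataclass
class Process:
    pid: int
    name: str
    objects: list        # constructed stand-ins for on-disk images/modules (bytes)
    critical: bool
    memory_modified: bool


def object_id(obj: bytes) -> str:
    """Whitelist entries are assumed to be SHA-256 digests of the object bytes."""
    return hashlib.sha256(obj).hexdigest()


def build_whitelist(trusted_objects) -> set:
    return {object_id(o) for o in trusted_objects}


def may_execute(obj: bytes, whitelist: set) -> bool:
    """Whitelist mode: execution is allowed only if the object is represented."""
    return object_id(obj) in whitelist


def classify(proc: Process, whitelist: set) -> Action:
    """Map one process on the process list to the action claim 1 prescribes."""
    all_listed = all(may_execute(o, whitelist) for o in proc.objects)
    if all_listed:
        return Action.RESTART if proc.memory_modified else Action.CONTINUE
    return Action.QUARANTINE_HOST if proc.critical else Action.TERMINATE


def receive_signal(host: HostState) -> HostState:
    """The received signal flips the host from antivirus mode to whitelist mode."""
    host.antivirus_enabled = False
    host.whitelist_enabled = True
    return host


def transition_to_whitelist_mode(host: HostState, process_list, whitelist) -> dict:
    """Enable whitelist mode, then sweep the processes invoked before the switch."""
    receive_signal(host)
    actions = {p.pid: classify(p, whitelist) for p in process_list}
    return {
        "modes": host,
        "actions": actions,
        # Any fourth-process outcome quarantines the whole host, not just the process.
        "quarantine_host": Action.QUARANTINE_HOST in actions.values(),
    }


# Constructed sample data: byte strings stand in for executable images.
TRUSTED = [b"logger-v1", b"libssl-v3", b"browser-v9", b"lsass-image"]
WHITELIST = build_whitelist(TRUSTED)
SAMPLE_PROCESSES = [
    Process(101, "svc_logger",    [b"logger-v1", b"libssl-v3"],        False, False),
    Process(202, "unsigned_tool", [b"unknown-payload"],                False, False),
    Process(303, "browser",       [b"browser-v9"],                     False, True),
    Process(4,   "lsass",         [b"lsass-image", b"injected-dll"],   True,  False),
]


def run_sample() -> dict:
    return transition_to_whitelist_mode(HostState(), SAMPLE_PROCESSES, WHITELIST)


if __name__ == "__main__":
    for pid, action in run_sample()["actions"].items():
        print(pid, action.value)
```

Note that the critical-process test only matters once an unlisted object has been found: a critical process whose objects are all listed is simply continued or restarted like any other, while an unlisted object inside a critical process escalates from killing one process to quarantining the host, since terminating that process would take the host down anyway.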
10 Assignments
0 Petitions
Abstract
A method is provided in one example embodiment that includes receiving a signal to enable a whitelist mode on a host in a network, terminating a process executing on the host if the process is not verified, and blocking execution of software objects on the host if the software objects are not represented on the whitelist. In more particular embodiments, the method also includes identifying the process on a process list that enumerates one or more processes executing on the host. Yet further embodiments include quarantining the host if a second process on the process list is a critical process and if the second process is not verified. More specific embodiments include identifying and restarting another process on the process list if process memory was modified.
15 Claims
1. A method, comprising the steps reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5.
6. An apparatus, comprising:
- a protection module;
- a memory element configured to store software objects;
- one or more processors operable to execute instructions, associated with the software objects and the protection module, comprising:
  - receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;
  - enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes:
    - preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and
    - allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;
  - identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;
  - allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;
  - identifying a second process on the process list of the host, the second process associated with one or more second software objects;
  - terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;
  - identifying a third process on the process list of the host, the third process associated with one or more third software objects;
  - restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled;
  - identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;
  - wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.

Dependent claims: 7, 8, 9, 10.
11. Logic encoded in non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;
- enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes:
  - preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and
  - allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;
- identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;
- allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;
- identifying a second process on the process list of the host, the second process associated with one or more second software objects;
- terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;
- identifying a third process on the process list of the host, the third process associated with one or more third software objects;
- restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled;
- identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;
- wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.

Dependent claims: 12, 13, 14, 15.