System and method for transitioning to a whitelist mode during a malware attack in a network environment

US 8,646,089 B2
Filed: 10/18/2011
Issued: 02/04/2014
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;

enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes;

preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and

allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;

identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;

allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;

identifying a second process on the process list of the host, the second process associated with one or more second software objects;

terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;

identifying a third process on the process list of the host, the third process associated with one or more third software objects;

restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled,identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;

wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes receiving a signal to enable a whitelist mode on a host in a network, terminating a process executing on the host if the process is not verified, and blocking execution of software objects on the host if the software objects are not represented on the whitelist. In more particular embodiments, the method also includes identifying the process on a process list that enumerates one or more processes executing on the host. Yet further embodiments include quarantining the host if a second process on the process list is a critical process and if the second process is not verified. More specific embodiments include identifying and restarting another process on the process list if process memory was modified.

Citations

15 Claims

1. A method, comprising:
- receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;
  
  enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes;
  
  preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and
  
  allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;
  
  identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;
  
  allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;
  
  identifying a second process on the process list of the host, the second process associated with one or more second software objects;
  
  terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;
  
  identifying a third process on the process list of the host, the third process associated with one or more third software objects;
  
  restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled,identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;
  
  wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the antivirus mode is disabled on the host after the whitelist mode is enabled on the host.
  - 3. The method of claim 1, further comprising:
    - receiving a second signal to enable the antivirus mode after enabling the whitelist mode; and
      
      disabling the whitelist mode.
  - 4. The method of claim 1, wherein the whitelist is dynamically updated.
  - 5. The method of claim 1, wherein at least one of the one or more first software objects corresponds to a sub-process of the first process.

6. An apparatus, comprising:
- a protection module;
  
  a memory element configured to store software objects;
  
  one or more processors operable to execute instructions, associated with the software objects and the protection module, comprising;
  
  receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;
  
  enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes;
  
  preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and
  
  allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;
  
  identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;
  
  allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;
  
  identifying a second process on the process list of the host, the second process associated with one or more second software objects;
  
  terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;
  
  identifying a third process on the process list of the host, the third process associated with one or more third software objects;
  
  restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled,identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;
  
  wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the antivirus mode is disabled on the host after the whitelist mode is enabled on the host.
  - 8. The apparatus of claim 6, wherein the one or more processors are operable to perform further operations comprising:
    - receiving a second signal to enable the antivirus mode after enabling the whitelist mode; and
      
      disabling the whitelist mode.
  - 9. The apparatus of claim 6, wherein the whitelist is dynamically updated.
  - 10. The apparatus of claim 6, wherein at least one of the one or more second software objects corresponds to a sub-process of the second process.

11. Logic encoded in non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- receiving at least one signal to enable a whitelist mode and disable an antivirus mode on a host in a network;
  
  enabling the whitelist mode on the host and disabling the antivirus mode on the host, wherein the whitelist mode includes;
  
  preventing execution of a software object on the host responsive to determining the software object is not represented on a whitelist; and
  
  allowing another software object to be executed responsive to determining the other software object is represented on the whitelist;
  
  identifying a first process of a plurality of processes on a process list of the host, the first process associated with one or more first software objects, wherein each one of the plurality of processes was invoked prior to the whitelist mode being enabled and the antivirus mode being disabled;
  
  allowing the first process to continue running unimpeded on the host after the whitelist mode is enabled on the host, wherein the first process is allowed to continue running responsive to determining each of the one or more first software objects is represented on the whitelist and process memory associated with the first process has not been modified;
  
  identifying a second process on the process list of the host, the second process associated with one or more second software objects;
  
  terminating the second process on the host after the whitelist mode is enabled on the host, wherein the second process is terminated responsive to determining any of the one or more second software objects is not represented on the whitelist and the one or more second software objects are not part of a critical process;
  
  identifying a third process on the process list of the host, the third process associated with one or more third software objects;
  
  restarting the third process on the host after the whitelist mode is enabled on the host, wherein the third process is restarted responsive to determining each of the one or more third software objects is represented on the whitelist and process memory associated with the third process was modified before the whitelist mode was enabled,identifying a fourth process on the process list of the host, the fourth process associated with one or more fourth software objects;
  
  wherein the host is quarantined if any of the one or more fourth software objects is not represented on the whitelist and any of the one or more fourth software objects is part of a critical process.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The logic of claim 11, wherein the antivirus mode is disabled on the host after the whitelist mode is enabled on the host.
  - 13. The logic of claim 11, wherein the one or more processors are operable to perform further operations comprising:
    - receiving a second signal to enable the antivirus mode after enabling the whitelist mode; and
      
      disabling the whitelist mode.
  - 14. The logic of claim 11, wherein the whitelist is dynamically updated.
  - 15. The logic of claim 11, wherein at least one of the one or more third software objects corresponds to a sub-process of the third process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Jayanthi, Sridhar, Khare, Praneet, Srinivasa, Gangadharasa
Primary Examiner(s)
Shaw, Brian

Application Number

US13/276,086
Publication Number

US 20130097708A1
Time in Patent Office

840 Days
Field of Search

726/25, 726/19, 713/200
US Class Current

726/25
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/145   the attack involving the pr...

System and method for transitioning to a whitelist mode during a malware attack in a network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for transitioning to a whitelist mode during a malware attack in a network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links