System and method for intercepting process creation events
Abstract
A system for detecting creation of a program instance includes an interceptor routine that obtains a parameter corresponding to a characteristic of a program instance and an interceptor module that can be injected into a native operating system process. In certain examples, the interceptor module can replace an address of a selected routine in an address table with an address to the interceptor routine, such that the native operating system process can call the interceptor routine in place of the selected routine. Additionally, the system can include a comparison module that compares the parameter to a set of identified programs to determine whether the program instance corresponds to at least one of the identified programs. The system can also include a security module that can modify execution of the program instance based at least in part on a determination that the program instance corresponds to at least one identified program.
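As an added illustration that is not part of the patent, the following Python simulation follows the abstract's design: the address table is a dict, the native OS registration routine is a stub, and the policy entries, image paths and site names are constructed. Installing the interceptor swaps the table entry so the OS process's call reaches the interceptor, which discovers the process's identification information, consults the comparison module, and lets the security module deny, de-elevate or limit the process before forwarding to the original routine.

```python
from dataclasses import dataclass, field
# Constructed policy: the "set of identified programs" keyed by normalized image path,
# each with an action mirroring the claims (deny, limit, or drop administrator rights).
POLICY = {
    "c:\\tools\\legacyadmin.exe": {"action": "deny"},
    "c:\\program files\\browser\\browser.exe": {"action": "limit", "blocked_sites": {"bad.example"}},
    "c:\\program files\\installer\\setup.exe": {"action": "drop_admin"},
}

@dataclass
class NewProcess:                 # identification information discovered about a new process
    image_path: str
    pid: int
    is_admin: bool = False
    allowed: bool = True
    blocked_sites: set = field(default_factory=set)

def original_register(proc):      # stand-in for the native OS routine that records a new process
    return f"registered pid={proc.pid}"
# Stand-in for the address table: routine name -> routine address (a callable here).
ADDRESS_TABLE = {"RegisterProcess": original_register}

def lookup_policy(proc):
    """Comparison module: normalize the path and compare it to the identified programs."""
    return POLICY.get(proc.image_path.lower().replace("/", "\\"))

def enforce(proc, rule):
    """Security module: modify execution of the process instance according to the rule."""
    if rule["action"] == "deny":
        proc.allowed = False                              # prevent it from executing
    elif rule["action"] == "drop_admin":
        proc.is_admin = False                             # administrator -> non-administrator
    elif rule["action"] == "limit":
        proc.blocked_sites = set(rule["blocked_sites"])   # browser may not visit these sites
    return proc

def install_interceptor(table, name):
    """Swap the routine's table entry for an interceptor that wraps the original routine."""
    original = table[name]
    def interceptor(proc):
        rule = lookup_policy(proc)   # runs on every registration the OS process performs
        if rule is not None:
            enforce(proc, rule)
        return original(proc) if proc.allowed else "denied"
    table[name] = interceptor
    return original                  # kept so the hook can be removed again

def register(proc):               # the OS process's call site: dereferences the table entry
    return ADDRESS_TABLE["RegisterProcess"](proc)
```

A process not in the policy passes through the interceptor unchanged, which is the behaviour an allow-by-default application-control agent needs so that hooking the registration path does not break unrelated programs.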
16 Claims

1. A method of controlling processes, the method comprising:
injecting an interceptor into an operating system process associated with new process registration;
detecting, with the interceptor, registration of a new process with the operating system process;
in response to said detecting registration of the new process, using the interceptor to discover identification information associated with the new process;
determining whether the identification information associated with the new process corresponds to a program that is to be controlled;
controlling the new process in response to determining that the new process is to be controlled, wherein said controlling comprises one of the following: preventing the new process from executing or limiting the new process; and
wherein said controlling the new process comprises changing access rights of the new process from administrator rights to non-administrator rights;
wherein the new process is a browser process and wherein said limiting the new process comprises preventing the browser process from visiting one or more web sites.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A system for controlling processes, the system comprising:
one or more computer processors comprising computer hardware;
an interceptor executing via the one or more computer processors, the interceptor configured to be injected into an operating system process responsible for process registration, detect registration of a new process by the operating system process, and discover identification information associated with the new process;
a comparison module executing via the one or more computer processors, the comparison module configured to determine whether the identification information associated with the new process corresponds to a program that is to be controlled;
a security module executing via the one or more computer processors, the security module configured to control the new process in response to determining that the new process is to be controlled, by at least performing one of the following: preventing the new process from executing or limiting the new process; and
wherein the security module is further configured to control the new process by at least changing access rights of the new process from administrator rights to non-administrator rights;
wherein the new process is a browser process and wherein said limiting the new process comprises preventing the browser process from visiting one or more web sites.
Dependent claims: 10, 11, 12, 13

14. Non-transitory physical computer storage comprising instructions stored thereon that, when executed in one or more processors, cause the one or more processors to implement a system for controlling processes, the system comprising:
an interceptor configured to be injected into an operating system process responsible for process registration, detect registration of a new process by the operating system process, and identify identification information associated with the new process;
a comparison module configured to determine whether the identification information associated with the new process corresponds to a program that is to be controlled; and
a security module configured to control the new process in response to determining that the new process is to be controlled, by at least performing one of the following: preventing the new process from executing or limiting the new process; and
wherein the security module is further configured to control the new process by at least changing access rights of the new process from administrator rights to non-administrator rights;
wherein the new process is a browser process and wherein said limiting the new process comprises preventing the browser process from visiting one or more web sites.
Dependent claims: 15, 16