Systems and methods for protecting networks from infected computing devices

US 8,806,638 B1
Filed: 12/10/2010
Issued: 08/12/2014
Est. Priority Date: 12/10/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting networks from infected computing devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

providing a computing system with a first level of access to a network, the computing system being managed by an endpoint management system that controls the computing system'"'"'s access to the network;

determining that the computing system is infected with malware by performing one of;

detecting diminished system performance without detecting explicit evidence of malware;

detecting explicit evidence of malware;

determining that the computing system cannot autonomously neutralize the malware at least in part by;

periodically checking, by the endpoint management system, a flag to determine whether the computing system is infected with malware;

executing software by the computing device in an attempt to autonomously neutralize the malware;

setting the flag by the computing device indicating that the attempt by the software to autonomously neutralize the malware failed;

reading the flag by the endpoint management system and determining that the flag is set;

in response to the determining that the computing system cannot autonomously neutralize the malware, modifying by the endpoint management system a network access control policy to alter the computing system'"'"'s first level of access to the network to a second level of access to the network, the second level providing more limited access to the network than the first level.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for protecting networks from infected computing devices may include providing a computing system with a first level of access to a network. The method may also include determining that the computing system is infected with malware. The method may further include determining that the computing system cannot autonomously neutralize the malware. The method may additionally include modifying by an endpoint management system a network access control policy that controls network access of the first computing system. Various other methods, systems, and computer-readable media are also disclosed.

119 Citations

20 Claims

1. A computer-implemented method for protecting networks from infected computing devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- providing a computing system with a first level of access to a network, the computing system being managed by an endpoint management system that controls the computing system'"'"'s access to the network;
  
  determining that the computing system is infected with malware by performing one of;
  
  detecting diminished system performance without detecting explicit evidence of malware;
  
  detecting explicit evidence of malware;
  
  determining that the computing system cannot autonomously neutralize the malware at least in part by;
  
  periodically checking, by the endpoint management system, a flag to determine whether the computing system is infected with malware;
  
  executing software by the computing device in an attempt to autonomously neutralize the malware;
  
  setting the flag by the computing device indicating that the attempt by the software to autonomously neutralize the malware failed;
  
  reading the flag by the endpoint management system and determining that the flag is set;
  
  in response to the determining that the computing system cannot autonomously neutralize the malware, modifying by the endpoint management system a network access control policy to alter the computing system'"'"'s first level of access to the network to a second level of access to the network, the second level providing more limited access to the network than the first level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the diminished system performance comprises a slowing of processing by the computing system.
  - 3. The method according to claim 1, whereinthe explicit evidence of malware comprises a hash of a file on the computing system that matches a hash of a known malware file.
  - 4. The method according to claim 1, wherein:
    - altering the computing system'"'"'s first level of access to the network to the second level of access to the network comprises transmitting a firewall policy to the computing system;
      
      modifying the network access control policy comprises enforcing the firewall policy.
  - 5. The method according to claim 4, wherein enforcing the firewall policy comprises denying all incoming and outgoing connections to the computing system except a connection with the endpoint management system.
  - 6. The method according to claim 5, wherein enforcing the firewall policy comprises permitting a connection for downloading updated anti-malware definitions from the endpoint management system.
  - 7. The method according to claim 5, wherein enforcing the firewall policy comprises permitting a connection for reporting the health of the computing system to the endpoint management system.
  - 8. The method according to claim 4, wherein the firewall policy does not permit any application that attempts to access system files of the computing system to access the files.
  - 9. The method according to claim 4, wherein the firewall policy does not permit the computing system to access a removable device locally attached to the computing system.
  - 10. The method according to claim 4, wherein the endpoint management system enforces the firewall policy at the computing system until the malware is neutralized.

11. A system for protecting networks from infected computing devices, the system comprising:
- an access control module programmed to provide a computing system with a first level of access to a network, the computing system being managed by an endpoint management system that controls the computing system'"'"'s access to the network;
  
  a determining module programmed to determine;
  
  that the computing system is infected with malware by performing one of;
  
  detecting diminished system performance without detecting explicit evidence of malware;
  
  detecting explicit evidence of malware;
  
  that the computing system cannot autonomously neutralize the malware at least in part by;
  
  periodically checking, by the endpoint management system, a flag to determine whether the computing system is infected with malware;
  
  executing software by a computing device in an attempt to autonomously neutralize the malware;
  
  setting the flag by the computing device indicating that the attempt by the software to autonomously neutralize the malware failed;
  
  reading the flag by the endpoint management system and determining that the flag is set;
  
  wherein the access control module is further programmed to, in response to the determining that the computing system cannot autonomously neutralize the malware, modify a network access control policy to alter the computing system'"'"'s first level of access to the network to a second level of access to the network, the second level providing more limited access to the network than the first level;
  
  a physical processor configured to execute at least one of the access control module and the determining module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system according to claim 11, wherein the diminished system performance comprises a slowing of processing by the computing system.
  - 13. The system according to claim 11, wherein the explicit evidence of malware comprises a hash of a file on the computing system that matches a hash of a known malware file.
  - 14. The system according to claim 11, wherein:
    - the access control module is programmed to alter the computing system'"'"'s first level of access to the network to the second level of access to the network by transmitting a firewall policy to the computing system;
      
      the access control module is programmed to modify the network access control policy by enforcing the firewall policy.
  - 15. The system according to claim 14, wherein the access control module is programmed to enforce the firewall policy at least in part by denying all incoming and outgoing connections to the computing system except that a connection with the endpoint management system is permissible.
  - 16. The system according to claim 15, wherein the access control module is programmed to enforce the firewall policy at least in part by permitting a connection for downloading updated anti-malware definitions from the endpoint management system.
  - 17. The system according to claim 15, wherein the access control module is programmed to enforce the firewall policy at least in part by permitting a connection for reporting the health of the computing system to the endpoint management system.
  - 18. The system according to claim 14, wherein the firewall policy does not permit any application that attempts to access system files of the computing system to access the files.
  - 19. The system according to claim 14, wherein the firewall policy does not permit the computing system to access a removable device locally attached to the computing system.

20. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- provide a computing system with a first level of access to a network, the computing system being managed by an endpoint management system that controls the computing system'"'"'s access to the network;
  
  determine that the computing system is infected with malware by performing one of;
  
  detecting diminished system performance without detecting explicit evidence of malware;
  
  detecting explicit evidence of malware;
  
  determine that the computing system cannot autonomously neutralize the malware at least in part by;
  
  periodically checking, by the endpoint management system, a flag to determine whether the computing system is infected with malware;
  
  executing software by the computing device in an attempt to autonomously neutralize the malware;
  
  setting the flag by the computing device indicating that the attempt by the software to autonomously neutralize the malware failed;
  
  reading the flag by the endpoint management system and determining that the flag is set;
  
  in response to the determining that the computing system cannot autonomously neutralize the malware, modify by the endpoint management system a network access control policy to alter the computing system'"'"'s first level of access to the network to a second level of access to the network, the second level providing more limited access to the network than the first level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Mani, SivaShakthivel
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US12/965,075
Time in Patent Office

1,341 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/2117   User registration

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Systems and methods for protecting networks from infected computing devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for protecting networks from infected computing devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links