Detecting and responding to malware using link files
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for monitoring the generation of link files by processes on a computer and performing protection processes based on whether the link files target malicious objects or are generated by malicious processes. In one aspect, a method includes monitoring for a generation of a first file that includes a target path that points to an object; in response to monitoring the generation of the first file: determining whether the target path is a uniform resource locator; in response to determining that the target path is a uniform resource locator, identifying a process that caused the first file to be generated; determining whether the process is a prohibited process; in response to determining that the process is a prohibited process, performing one or more protection processes on the process and the first file; in response to determining that the process is not a prohibited process, determining whether the uniform resource locator is a prohibited uniform resource locator; in response to determining that the uniform resource locator is a prohibited uniform resource locator, performing one or more protection processes on the process and the first file.
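The decision order in the abstract, sketched as an added example (not code from the patent). It assumes the link file is a Windows-style `.url` Internet Shortcut; the blocklists, event fields and verdict names are hypothetical and constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed policy data (assumptions for this example, not from the patent).
PROHIBITED_PROCESSES = {"dropper.exe"}
PROHIBITED_HOSTS = {"malicious.example"}
PROTECT = ("process", "file")   # what the protection processes act on

def target_url(link_text):
    """Return the http(s) URL a .url-style link file points to, else None."""
    parser = configparser.RawConfigParser(strict=False)
    try:
        parser.read_string(link_text)
        target = parser.get("InternetShortcut", "URL").strip()
        parts = urlsplit(target)
    except (configparser.Error, ValueError):
        return None             # malformed, or not a shortcut at all
    if parts.scheme in ("http", "https") and parts.hostname:
        return target
    return None

def evaluate(event):
    """Return (verdict, protection targets) for one link-file creation event."""
    url = target_url(event["content"])
    if url is None:
        return ("not_url", ())                  # target path is not a URL
    if event["process"].lower() in PROHIBITED_PROCESSES:
        return ("prohibited_process", PROTECT)  # creator is prohibited
    host = urlsplit(url).hostname               # urlsplit lower-cases the host
    if host in PROHIBITED_HOSTS or any(host.endswith("." + h) for h in PROHIBITED_HOSTS):
        return ("prohibited_url", PROTECT)      # URL is prohibited
    return ("allow", ())

# Constructed sample events: creating process plus the link file's content.
EVENTS = [
    {"process": "Dropper.exe", "content": "[InternetShortcut]\nURL=https://benign.example/\n"},
    {"process": "browser.exe", "content": "[InternetShortcut]\nURL=http://cdn.malicious.example/a?x=1\n"},
    {"process": "browser.exe", "content": "[InternetShortcut]\nURL=https://benign.example/\n"},
    {"process": "browser.exe", "content": "[InternetShortcut]\nURL=file:///C:/Users/Public/a.txt\n"},
    {"process": "browser.exe", "content": "not a shortcut"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["process"], evaluate(ev))
```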
20 Claims
1. A computer-implemented method, comprising:
monitoring, by a first computer, a generation of a link file that includes a target path that points to an object;
in response to monitoring the generation of the link file;
identifying, by the first computer, a process that caused the link file to be generated;
determining, by the first computer, whether the process is a prohibited process;
in response to determining that the process is a prohibited process, performing, by the first computer, one or more protection processes on the process and the link file;
in response to determining that the process is not a prohibited process, determining, by the first computer, whether the link file generates a request to a uniform resource locator;
in response to determining that the link file generates a request to a uniform resource locator, determining, by the first computer, whether the uniform resource locator is associated with a malicious resource;
in response to determining that the uniform resource locator is associated with a malicious resource, performing, by the first computer, one or more protection processes on the link file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A computer-implemented method, comprising:
monitoring, by a first computer, a generation of a link file that includes a target path that points to an object;
in response to monitoring the generation of the link file;
determining, by the first computer, whether the link file generates a request to a uniform resource locator;
in response to determining that the link file generates a request to a uniform resource locator, identifying, by the first computer, a process that caused the link file to be generated;
determining, by the first computer, whether the process is a prohibited process;
in response to determining that the process is a prohibited process, performing, by the first computer, one or more protection processes on the process and the link file;
in response to determining that the process is not a prohibited process, determining, by the first computer, whether the uniform resource locator is associated with a malicious resource;
in response to determining that the uniform resource locator is associated with a malicious resource, performing, by the first computer, one or more protection processes on the process and the link file.
Dependent claims: 10, 11, 12, 13, 14

15. A computer storage medium encoded with a computer program, the program comprising instructions that when executed by at least one data processing apparatus cause the at least one data processing apparatus to perform operations comprising:
monitoring a generation of a link file that generates a request to a uniform resource locator;
in response to monitoring the generation of the link file;
identifying a process that caused the link file to be generated;
determining whether the process is a prohibited process;
in response to determining that the process is a prohibited process, performing one or more protection processes on the process and the link file;
in response to determining that the process is not a prohibited process, determining whether the uniform resource locator is associated with a malicious resource;
in response to determining that the uniform resource locator is associated with a malicious resource, performing one or more protection processes on the process and the link file.
Dependent claims: 16, 17, 18, 19, 20

Specification