Scanning protected files for violations of a data loss prevention policy
Abstract
A method and apparatus for scanning protected files for violations of a Data Loss Prevention (DLP) policy is described. In one method, an inventory of protected files in the computing system is created. The inventory stores hashes and policy violation statuses of the protected files. The method obtains a running instance of a data object corresponding to one of the protected files when the one protected file is created, opened, or saved. The method extracts decrypted data from the running instance of the data object and scans the decrypted data to detect a violation of a DLP policy. The method creates a hash of the one protected file and stores the hash and a policy violation status of the one protected file. The method monitors the protected files of the inventory. When the method detects a transfer of one of the protected files being monitored, the method performs an action when the policy violation status indicates that the one protected file violates the DLP policy.
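The inventory flow described in the abstract, as an added example that is not code from the patent: the verdict is computed on decrypted data but keyed by the hash of the protected file, so the transfer-time check needs no decryption. The SSN-shaped pattern, the use of SHA-256, the `block`/`allow`/`rescan` action names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed DLP policy for illustration: flag US SSN-shaped strings.
POLICY_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]


def violates_policy(decrypted_text: str) -> bool:
    """Scan plaintext taken from the running instance of the data object."""
    return any(p.search(decrypted_text) for p in POLICY_PATTERNS)


def file_hash(protected_bytes: bytes) -> str:
    """Hash the protected (still encrypted) file exactly as stored on disk."""
    return hashlib.sha256(protected_bytes).hexdigest()


@dataclass
class Inventory:
    entries: dict = field(default_factory=dict)  # file hash -> violation status

    def record(self, protected_bytes: bytes, decrypted_text: str) -> str:
        """Called on create/open/save, when decrypted data is available."""
        digest = file_hash(protected_bytes)
        self.entries[digest] = violates_policy(decrypted_text)
        return digest

    def on_transfer(self, protected_bytes: bytes) -> str:
        """Decide an action at transfer time without decrypting anything."""
        status = self.entries.get(file_hash(protected_bytes))
        if status is None:
            # Unknown file, or modified since its last scan: the stored
            # verdict no longer applies. Holding for rescan is an assumption.
            return "rescan"
        return "block" if status else "allow"


# Constructed samples: opaque ciphertext bytes + plaintext from the extractor.
SAMPLES = [
    (b"\x8f\x11\xa0ENC-payroll", "Employee SSN: 123-45-6789"),
    (b"\x02\x7c\x9eENC-agenda", "Agenda: quarterly planning"),
]

if __name__ == "__main__":
    inv = Inventory()
    for blob, text in SAMPLES:
        inv.record(blob, text)
    print([inv.on_transfer(b) for b, _ in SAMPLES], inv.on_transfer(b"edited"))
```

Because the lookup key is the hash of the stored file, any save changes the key, which is why the scan has to run again on each create, open, or save event.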
20 Claims
1. A method, implemented by a computing system programmed to perform the following, the method comprising:
- creating, by a processing device of the computing system, an inventory of protected files in the computing system, wherein the inventory stores hashes and policy violation statuses of the protected files, wherein the creating the inventory comprises:
  - obtaining a running instance of a data object corresponding to one of the protected files when the one protected file is created, opened, or saved;
  - extracting decrypted data from the running instance of the data object;
  - scanning the decrypted data to detect a violation of a data loss prevention (DLP) policy;
  - creating a hash of the one protected file; and
  - storing the hash and a policy violation status of the one protected file;
- monitoring the protected files of the inventory;
- detecting a transfer of one of the protected files being monitored; and
- performing an action when the policy violation status indicates that the one protected file violates the DLP policy.
8. A non-transitory computer readable storage medium including instructions that, when executed by a processing system, cause the processing system to perform operations comprising:
- creating an inventory of protected files in the processing system, wherein the inventory stores hashes and policy violation statuses of the protected files, wherein the creating the inventory comprises:
  - obtaining a running instance of a data object corresponding to one of the protected files when the one protected file is created, opened, or saved;
  - extracting decrypted data from the running instance of the data object;
  - scanning the decrypted data to detect a violation of a data loss prevention (DLP) policy;
  - creating a hash of the one protected file; and
  - storing the hash and a policy violation status of the one protected file;
- monitoring the protected files of the inventory;
- detecting a transfer of one of the protected files being monitored; and
- performing an action when the policy violation status indicates that the one protected file violates the DLP policy.
14. A computing system comprising:
- a data storage device to store a data store that stores information to track objects that are currently running on the computing system; and
- a processing device coupled to the data storage device, the processing device is to execute a data loss prevention (DLP) agent, wherein the DLP agent comprises:
  - a file system component to monitor file events on protected files in the computing system, wherein the file events comprise at least one of a create file event, an open file event, a close file event, or a write file event;
  - a file monitor component to monitor whether applications executing on the computing system have created, opened, closed, or saved one of the protected files;
  - an extractor component to obtain a running instance of a data object, corresponding to the one protected file, from the data store, and wherein the extractor component is to extract decrypted data from the obtained data object;
  - a detection component to scan the decrypted data to detect a violation of a DLP policy; and
  - a discovery component to create an inventory of the protected files in the computing system.
Specification