Scanning protected files for violations of a data loss prevention policy

US 8,893,223 B1
Filed: 03/17/2014
Issued: 11/18/2014
Est. Priority Date: 01/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by a computing system programmed to perform the following, the method comprising:

creating, by a processing device of the computing system, an inventory of protected files in the computing system, wherein the inventory stores hashes and policy violation statuses of the protected files, wherein the creating the inventory comprises;

obtaining a running instance of a data object corresponding to one of the protected files when the one protected file is created, opened, or saved;

extracting decrypted data from the running instance of the data object;

scanning the decrypted data to detect a violation of a data loss prevention (DLP) policy;

creating a hash of the one protected file; and

storing the hash and a policy violation status of the one protected file;

monitoring the protected files of the inventory;

detecting a transfer of one of the protected files being monitored; and

performing an action when the policy violation status indicates that the one protected file violates the DLP policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for scanning protected files for violations of a Data Loss Prevention (DLP) policy is described. In one method, an inventory of protected files in the computing system is created. The inventory stores hashes and policy violation statuses of the protected files. The method obtains a running instance of a data object corresponding one of the protected files when the one protected is created, opened, or saved. The method extracts decrypted data from the running instance of the data object and scans the decrypted data to detect a violation of a DLP policy. The method creates a hash of the one protected file and stores the hash and a policy violation status of the one protected file. The method monitors the protected files of the inventory. When the method detects a transfer of one of the protected files being monitored, the method performs an action when the policy violation status indicates that the one protected file violates the DLP policy.

13 Citations

View as Search Results

20 Claims

1. A method, implemented by a computing system programmed to perform the following, the method comprising:
- creating, by a processing device of the computing system, an inventory of protected files in the computing system, wherein the inventory stores hashes and policy violation statuses of the protected files, wherein the creating the inventory comprises;
  
  obtaining a running instance of a data object corresponding to one of the protected files when the one protected file is created, opened, or saved;
  
  extracting decrypted data from the running instance of the data object;
  
  scanning the decrypted data to detect a violation of a data loss prevention (DLP) policy;
  
  creating a hash of the one protected file; and
  
  storing the hash and a policy violation status of the one protected file;
  
  monitoring the protected files of the inventory;
  
  detecting a transfer of one of the protected files being monitored; and
  
  performing an action when the policy violation status indicates that the one protected file violates the DLP policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising checking the policy violation status of the one protected file when the transfer is detected.
  - 3. The method of claim 1, wherein said monitoring comprising monitoring for file events on the protected files in the computing system using a file-system filter driver, wherein the file events comprise at least one of a create file event, an open file event, a write file event, or a close file event.
  - 4. The method of claim 1, wherein said monitoring comprises detecting that an application executing on the computing system has opened, created, or saved one of the protected files.
  - 5. The method of claim 1, further comprising tracking an order in which a plurality of the protected files are opened for obtaining running instances of data objects, corresponding to the plurality of the protected files.
  - 6. The method of claim 1, wherein the detecting the transfer comprises:
    - creating a hash of a file being transferred; and
      
      comparing the hash of the file being transferred to the hashes stored in the inventory.
  - 7. The method of claim 1, wherein the transfer is at least one of the protected file being saved to an external device, sent over a network to another device, sent as an attachment to an email message, sent using a file transfer protocol (FTP) application, or sent using a browser.

8. A non-transitory computer readable storage medium including instructions that, when executed by a processing system, cause the processing system to perform operations comprising:
- creating an inventory of protected files in the processing system, wherein the inventory stores hashes and policy violation statuses of the protected files, wherein the creating the inventory comprises;
  
  obtaining a running instance of a data object corresponding one of the protected files when the one protected file is created, opened, or saved;
  
  extracting decrypted data from the running instance of the data object;
  
  scanning the decrypted data to detect a violation of a data loss prevention (DLP) policy creating a hash of the one protected file; and
  
  storing the hash and a policy violation status of the one protected file;
  
  monitoring the protected files of the inventory;
  
  detecting a transfer of one of the protected files being monitored; and
  
  performing an action when the policy violation status indicates that the one protected file violates the DLP policy.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer readable storage medium of claim 8, wherein the operations further comprise checking the policy violation status of the one protected file when the transfer is detected.
  - 10. The computer readable storage medium of claim 8, wherein said monitoring comprising monitoring for file events on the protected files in the processing system using a file-system filter driver, wherein the file events comprise at least one of a create file event, an open file event, a write file event, or a close file event.
  - 11. The computer readable storage medium of claim 8, wherein the operations further comprising tracking an order in which a plurality of the protected files are opened for obtaining running instances of data objects, corresponding to the plurality of the protected files.
  - 12. The computer readable storage medium of claim 8, wherein the detecting the transfer comprises:
    - creating a hash of a file being transferred; and
      
      comparing the hash of the file being transferred to the hashes stored in the inventory.
  - 13. The computer readable storage medium of claim 8, wherein the transfer is at least one of the protected file being saved to an external device, sent over a network to another device, sent as an attachment to an email message, sent using an file transfer protocol (FTP) application, or sent using a browser.

14. A computing system comprising:
- a data storage device to store a data store that stores information to track objects that are currently running on the computing system; and
  
  a processing device coupled to the data storage device, the processing device is to execute a data loss prevention (DLP) agent, wherein the DLP agent comprises;
  
  a file system component to monitor file events on protected files in the computing system, wherein the file events comprise at least one of a create file event, an open file event, a close file event, or a write file event;
  
  a file monitor component to monitor whether applications executing on the computing system have created, opened, closed, or saved one of the protected files;
  
  an extractor component to obtain a running instance of a data object, corresponding to the one protected file, from the data store, and wherein the extractor component is to extract decrypted data from the obtained data object;
  
  a detection component to scan the decrypted data to detect a violation of a DLP policy; and
  
  a discovery component to create an inventory of the protected files in the computing system.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computing system of claim 14, wherein the detection component is to scan the decrypted data when the file system component receives a close file event for the one protected file.
  - 16. The computing system of claim 15, wherein the file system component comprises a file-system filter driver to monitor the file events.
  - 17. The computing system of claim 14, wherein the discovery component is to create hashes of the protected files and to store the hashes and policy violation statuses of the protected files.
  - 18. The computing system of claim 17, wherein the discovery component is further to:
    - create a hash of a file being transferred; and
      
      compare the hash of the file being transferred to the hashes stored in the inventory.
  - 19. The computing system of claim 18, wherein the file being transferred is at least one of the protected file being saved to an external device, sent over a network to another device, sent as an attachment to an email message, sent using a file transfer protocol (FTP) application, or sent using a browser.
  - 20. The computing system of claim 14, wherein the DLP agent is to track an order in which a plurality of the protected files are opened for obtaining running instances of data objects, corresponding to the plurality of the protected files from the data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Dodke, Dhananjay Namdeo
Primary Examiner(s)
Hailu, Teshome

Application Number

US14/217,169
Time in Patent Office

246 Days
Field of Search

726/1, 726/26
US Class Current

726/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/6209 to a single file or object,...

Scanning protected files for violations of a data loss prevention policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Scanning protected files for violations of a data loss prevention policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links