System and method for local protection against malicious software
First Claim
1. A method comprising:
intercepting, on a computing device, one or more packets of an outbound network access attempt initiated by a process executing on the computing device, wherein the packets include a requested destination address in a network;
determining the process mapped to the packets;
querying a process traffic mapping element of the computing device to determine each software program file of a plurality of software program files mapped to the process in the process traffic mapping element, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
determining a trust status of each software program file of the plurality of software program files;
determining whether the network access attempt is permitted based on at least a first criterion, wherein the first criterion includes the trust status of each software program file of the plurality of software program files; and
blocking the network access attempt on the computing device if the network access attempt is not permitted.
Abstract
A method in one example implementation includes intercepting a network access attempt on a computing device and determining a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether the network access attempt is permitted and blocking the network access attempt if it is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the trust status is defined as trusted if the software program file is included in a whitelist of trustworthy program files and untrusted if the software program file is not included in a whitelist. In more specific embodiments, the method includes blocking the network access attempt if the software program file has an untrusted status. In further embodiments, an event is logged if the software program file associated with the network access attempt has an untrusted status.
52 Claims
1. A method comprising:
intercepting, on a computing device, one or more packets of an outbound network access attempt initiated by a process executing on the computing device, wherein the packets include a requested destination address in a network;
determining the process mapped to the packets;
querying a process traffic mapping element of the computing device to determine each software program file of a plurality of software program files mapped to the process in the process traffic mapping element, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
determining a trust status of each software program file of the plurality of software program files;
determining whether the network access attempt is permitted based on at least a first criterion, wherein the first criterion includes the trust status of each software program file of the plurality of software program files; and
blocking the network access attempt on the computing device if the network access attempt is not permitted.
Dependent claims: 2-16.
17. Logic encoded in one or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
intercepting, on a computing device, one or more packets of an outbound network access attempt initiated by a process executing on the computing device, wherein the packets include a requested destination address in a network;
determining the process mapped to the packets;
querying a process traffic mapping element of the computing device to determine each software program file of a plurality of software program files mapped to the process in the process traffic mapping element, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
determining a trust status of each software program file of the plurality of software program files;
determining whether the network access attempt is permitted based on at least a first criterion, wherein the first criterion includes the trust status of each software program file of the plurality of software program files; and
blocking the network access attempt on the computing device if the network access attempt is not permitted.
Dependent claims: 18-27.
28. An apparatus, comprising:
a protection module; one or more processors operable to execute instructions associated with the protection module, to cause the one or more processors to:
intercept, on a computing device, one or more packets of an outbound network access attempt initiated by a process executing on the computing device, wherein the packets include a requested destination address in a network;
determine the process mapped to the packets;
query a process traffic mapping element of the computing device to determine each software program file of a plurality of software program files mapped to the process in the process traffic mapping element, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
determine a trust status of each software program file of the plurality of software program files;
determine whether the network access attempt is permitted based on at least a first criterion, wherein the first criterion includes the trust status of each software program file of the plurality of software program files; and
block the network access attempt on the computing device if the network access attempt is not permitted.
Dependent claims: 29-36.
37. A method, comprising:
intercepting, on a computing device, one or more packets of an outbound network access attempt initiated by a process executing on the computing device, wherein the packets include a requested destination address in a network;
determining the process mapped to the packets;
querying a process traffic mapping element of the computing device to determine each software program file of a plurality of software program files mapped to the process in the process traffic mapping element, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
determining a trust status of each software program file of the plurality of software program files;
determining whether the network access attempt is permitted based on at least a first criterion, wherein the first criterion includes the trust status of each software program file of the plurality of software program files; and
logging the information related to the network access attempt in a memory element if the first criterion indicates one or more of the trust statuses are defined as untrusted.
Dependent claims: 38-42.
43. Logic encoded in one or more non-transitory tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
intercepting, on a computing device, one or more packets of an outbound network access attempt initiated by a process executing on the computing device, wherein the packets include a requested destination address in a network;
determining the process mapped to the packets;
querying a process traffic mapping element of the computing device to determine each software program file of a plurality of software program files mapped to the process in the process traffic mapping element, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
determining a trust status of each software program file of the plurality of software program files;
determining whether the network access attempt is permitted based on at least a first criterion, wherein the first criterion includes the trust status of each software program file of the plurality of software program files; and
logging the information related to the network access attempt in a memory element if the first criterion indicates one or more of the trust statuses are defined as untrusted.
Dependent claims: 44-47.
48. An apparatus, comprising:
a protection module; one or more processors operable to execute instructions associated with the protection module, to cause the one or more processors to:
intercept, on a computing device, one or more packets of an outbound network access attempt initiated by a process executing on the computing device, wherein the packets include a requested destination address in a network;
determine the process mapped to the packets;
query a process traffic mapping element of the computing device to determine each software program file of a plurality of software program files mapped to the process in the process traffic mapping element, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
determine a trust status of each software program file of the plurality of software program files;
determine whether the network access attempt is permitted based on at least a first criterion, wherein the first criterion includes the trust status of each software program file of the plurality of software program files; and
provide the information related to the network access attempt to be logged in a memory element if the first criterion indicates one or more of the trust statuses are defined as untrusted.
Dependent claims: 49-52.
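The decision logic that the independent claims above describe (intercept an outbound packet, map it to the sending process, enumerate that process's executable and loaded library modules, derive a trust status for each from a whitelist, then block or log) is shown below as an added example in Python. It is illustrative code written for this page, not the patentee's implementation. The process traffic mapping element is modelled as two in-memory tables, the "files on disk" are constructed byte strings whose SHA-256 hashes populate the whitelist, and the fail-closed handling of traffic that cannot be attributed to any process is an assumption of the example rather than something the claims specify.

```python
"""Added example: per-process, per-module whitelist check for outbound traffic.

Everything here (file contents, hashes, socket/process tables) is constructed
for illustration; it is not the patent holder's code or data.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Trust(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


@dataclass(frozen=True)
class Packet:
    src_port: int   # local ephemeral port, used to find the owning process
    dst_addr: str   # requested destination address
    dst_port: int


@dataclass
class Decision:
    permitted: bool
    pid: Optional[int]
    statuses: Dict[str, Trust] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


APP_EXE = r"C:\Program Files\App\app.exe"
WS2_DLL = r"C:\Windows\System32\ws2_32.dll"
HOOK_DLL = r"C:\Users\u\AppData\Local\Temp\hook.dll"

# Constructed stand-in for files on disk: path -> contents.
FILES: Dict[str, bytes] = {
    APP_EXE: b"app-exe-build-1",
    WS2_DLL: b"ws2_32-genuine",
    HOOK_DLL: b"injected-hook",
}

# Whitelist keyed by content hash, not by path: a renamed or replaced file
# does not inherit the trust of the original.
WHITELIST = {sha256_hex(FILES[APP_EXE]), sha256_hex(FILES[WS2_DLL])}

# Process traffic mapping element: local socket -> pid, and pid -> every
# software program file mapped to the process (executable plus library modules).
SOCKET_TO_PID: Dict[int, int] = {49152: 1234, 49153: 5678}
PID_TO_FILES: Dict[int, List[str]] = {
    1234: [APP_EXE, WS2_DLL],
    5678: [APP_EXE, WS2_DLL, HOOK_DLL],  # same trusted exe, plus an injected module
}


def trust_status(path: str) -> Trust:
    """Trusted only if the file's current content hash is whitelisted.
    A file that cannot be read (e.g. deleted after being loaded) is untrusted,
    because its trust cannot be established."""
    data = FILES.get(path)
    if data is None:
        return Trust.UNTRUSTED
    return Trust.TRUSTED if sha256_hex(data) in WHITELIST else Trust.UNTRUSTED


def evaluate_outbound(pkt: Packet) -> Decision:
    """First criterion: every file mapped to the sending process must be
    trusted; otherwise the attempt is blocked and an event is logged."""
    pid = SOCKET_TO_PID.get(pkt.src_port)
    if pid is None:
        # Assumption for this example: unattributed traffic fails closed.
        d = Decision(permitted=False, pid=None)
        d.log.append(f"unattributed src_port={pkt.src_port} -> "
                     f"{pkt.dst_addr}:{pkt.dst_port} blocked")
        return d

    statuses = {path: trust_status(path) for path in PID_TO_FILES.get(pid, [])}
    untrusted = [p for p, s in statuses.items() if s is Trust.UNTRUSTED]
    # An empty file list means the mapping is incomplete; also fail closed.
    permitted = bool(statuses) and not untrusted
    d = Decision(permitted=permitted, pid=pid, statuses=statuses)
    if not permitted:
        d.log.append(f"pid={pid} -> {pkt.dst_addr}:{pkt.dst_port} blocked; "
                     f"untrusted files: {', '.join(untrusted) or '<none mapped>'}")
    return d


if __name__ == "__main__":
    for pkt in (Packet(49152, "203.0.113.10", 443),
                Packet(49153, "203.0.113.10", 443),
                Packet(60000, "203.0.113.10", 443)):
        d = evaluate_outbound(pkt)
        print(pkt, "ALLOW" if d.permitted else "BLOCK", d.log)
```

The second process shows why the claims insist on checking library modules and not only the executable: pid 5678 runs the same whitelisted app.exe as pid 1234, but an unlisted hook.dll has been loaded into it, so its connection is blocked while the clean process is allowed. Hashing content rather than trusting a path is what makes the whitelist resistant to file replacement. One limit worth keeping in mind is that a file-based trust check sees only modules backed by a file on disk; code mapped into a process purely in memory has no file to hash and therefore no trust status at all, so such a check cannot by itself block it.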
Specification