Executable download tracking system
First Claim
1. A method of monitoring computer-readable instructions, comprising:
identifying an executable portion of the computer-readable instructions received on a computer network from a source;
determining, by a central system configured to perform an analysis to identify a risk, that the executable portion of the computer-readable instructions is a risk;
responsive to determining by the central system that the executable portion of the computer-readable instructions is a risk, transmitting the executable portion to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;
analyzing, by the computing device, the executable portion by the internal antivirus software;
comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable portion for continuous monitoring until the identified risk is neutralized;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;
identifying a level of importance of the conflicting results;
neutralizing the risk on the computer network; and
identifying a source of the risk; and
generating a report that includes the risk, wherein the report includes a name of the risk, information about the risk's signature, a version of the risk, a type of solution that was used to neutralize the risk, a file size of the risk, and a latest update to anti-virus software, wherein the report is used to create a risk signature dictionary that includes information about signatures of a plurality of risks wherein the report is updated at least once a week; and
using the report to update a data file that identifies future risks, wherein user identification and a password are required for access to the data file, wherein the data file includes characteristics of known risks, a date and time at which the risk was identified, an action required to neutralize the risk, a source of the risk, and related risks.
Abstract
Systems and methods are disclosed for monitoring executable software applications on a computer network. Executable software applications and data files may be monitored by a risk monitoring system. The executable software application and data files may attempt to access a computer network and/or a computing device and a monitoring process may identify risks associated with the executable software application and/or data file. A suspicious characteristic of the executable software application may be identified during the monitoring process. The suspicious characteristic may be malware and may be neutralized before it causes damage to the computer network and/or computing device.
110 Citations
19 Claims
1. A method of monitoring computer-readable instructions, comprising:
identifying an executable portion of the computer-readable instructions received on a computer network from a source;
determining, by a central system configured to perform an analysis to identify a risk, that the executable portion of the computer-readable instructions is a risk;
responsive to determining by the central system that the executable portion of the computer-readable instructions is a risk, transmitting the executable portion to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;
analyzing, by the computing device, the executable portion by the internal antivirus software;
comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable portion for continuous monitoring until the identified risk is neutralized;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;
identifying a level of importance of the conflicting results;
neutralizing the risk on the computer network; and
identifying a source of the risk; and
generating a report that includes the risk, wherein the report includes a name of the risk, information about the risk's signature, a version of the risk, a type of solution that was used to neutralize the risk, a file size of the risk, and a latest update to anti-virus software, wherein the report is used to create a risk signature dictionary that includes information about signatures of a plurality of risks wherein the report is updated at least once a week; and
using the report to update a data file that identifies future risks, wherein user identification and a password are required for access to the data file, wherein the data file includes characteristics of known risks, a date and time at which the risk was identified, an action required to neutralize the risk, a source of the risk, and related risks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)

11. A method of monitoring data files on a computer network, comprising:
receiving an executable software application on a first computer network from a second computer network;
identifying at least one suspicious characteristic of the executable software application;
determining, by a central system configured to perform analysis to identify risk, whether the at least one suspicious characteristic of the executable software application is malware;
responsive to determining by the central system that the at least one suspicious characteristic of the executable software application is malware, transmitting the executable software application to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;
analyzing, by the computing device, the executable software application by the internal antivirus software;
comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable software application was transmitted from the central system;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable software application for continuous monitoring until the identified malware is neutralized;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the conflicting results, including;
identifying a level of importance of the conflicting results; and
preventing the malware from contaminating the first computer network by at least one of;
deleting, quarantining, repairing, cleaning, blocking, rejecting, and neutralizing; and
generating a report that identifies the malware, wherein the report includes a name of the malware, information about the malware's signature, a version of the malware, a type of solution that was used to perform the preventing, a file size of the malware, and a latest update to anti-virus software, wherein the report is used to create a malware signature dictionary that includes information about signatures of a plurality of malware wherein the report is updated at least once a week; and
using the report to update a data file that identifies future malware, wherein user identification and a password are required for access to the data file, wherein the data file includes characteristics of known malware, a date and time at which the malware was identified, an action required to perform the preventing, a source of the malware, and related malware.
- View Dependent Claims (12, 13, 14, 15, 16, 17)

18. A risk monitoring system, comprising:
at least one computing device that contains computer readable instructions for authenticating an executable software application received on a computer network;
a receiver for receiving data associated with the executable software application;
a server comprising memory for storing the data in a data file; and
a processor for executing the computer-executable instructions to perform a method, comprising;
receiving the executable software application on a first computer network from a second computer network;
identifying at least one suspicious characteristic of the executable software application;
determining, by a central system configured to perform analysis to identify a risk, whether the at least one suspicious characteristic of the executable software application is malware;
responsive to determining by the central system that the at least one suspicious characteristic of the executable software application is malware, transmitting the executable software application to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;
analyzing, by the computing device, the executable software application by the internal antivirus software;
comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable software application for continuous monitoring until the identified malware is neutralized;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;
identifying a level of importance of the conflicting results; and
preventing the malware from contaminating the first computer network by at least one of;
filtering, blocking, rejecting, and neutralizing; and
generating a report that identifies the malware, wherein the report includes a name of the malware, information about the malware's signature, a version of the malware, a type of solution that was used to perform the preventing, a file size of the malware, and a latest update to anti-virus software, wherein the report is used to create a malware signature dictionary that includes information about signatures of a plurality of malware wherein the report is updated at least once a week; and
using the report to update the data file that identifies future malware, wherein user identification and a password are required for access to the data file, wherein the data file includes characteristics of known malware, a date and time at which the malware was identified, an action required to perform the preventing, a source of the malware, and related malware.

19. A method comprising:
identifying an executable portion of the computer-readable instructions received on a computer network from an Internet Protocol address, wherein the identifying occurs by comparing the executable portion of the computer-readable instructions with known computer viruses, wherein the executable portion of the computer-readable instructions includes a phone home type of computer virus structure where internal information on the computer network is at risk of exposure to a remote unauthorized user;
using a centralized server, analyzing the executable portion and classifying the executable portion of the computer-readable instructions as a computer virus;
transmitting from the centralized server, the executable portion and the results of the analysis to a computing device including internal antivirus software;
wherein the computer virus is given a severity level, wherein the classifying occurs when at least one suspicious characteristic is associated with the executable portion of the computer-readable instructions, wherein the at least one suspicious characteristic includes generating multiple copies of a portion of the executable portion of the computer-readable instructions, sending the copies to several computing devices on the computer network without user intervention, monitoring a user's keystrokes, attempting to write instructions to another executable program, and a morphing of a signature of the computer virus;
tagging, by the computing device, the executable portion of the computer-readable instructions for further analysis by an internal antivirus software;
analyzing the tagged executable portion of the computer-readable instructions with the internal antivirus software stored in memory local to a system, wherein the anti-virus software examines the computer virus by comparing the signature of the computer virus with signatures of known computer viruses;
comparing the transmitted results of the centralized server analysis with results of the internal antivirus software analysis to determine whether the centralized server and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the centralized server and the internal antivirus software obtained the same results, marking the executable portion for continuous monitoring until the identified computer virus is neutralized;
responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the centralized server and the internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;
identifying a level of importance of the conflicting results;
identifying a source of the computer virus;
blocking the source of the computer virus from accessing the computer network; and
neutralizing the computer virus on the computer network, wherein the neutralizing the computer virus includes analyzing the executable portion of the computer-readable instructions with the anti-virus software, and further includes deleting the computer virus,
generating a report that identifies the computer virus, wherein the report includes a name of the computer virus, information about the computer virus's signature, a version of the computer virus, a type of solution that was used to neutralize the computer virus, a file size of the computer virus, and a latest update to the anti-virus software, wherein the report is used to create a computer virus signature dictionary that includes information about signatures of a plurality of computer viruses wherein the report is updated at least once a week; and
using the report to update a data file that identifies a future computer virus, wherein user identification and a password are required for access to the data file, wherein the data file includes characteristics of known computer viruses, a date and time at which the computer virus was identified, an action required to neutralize the computer virus, a source of the computer virus, and related computer viruses.

Specification