Real time lockdown

US 8,959,642 B2
Filed: 05/23/2013
Issued: 02/17/2015
Est. Priority Date: 12/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method of managing access to a computer file stored by a computer file system, the computer file comprising file data and file meta data, the method comprising:

generating, via an electronic processor, a hash based at least in part on the file meta data;

writing the hash to the file meta data;

writing a first indicator to the file meta data in response to detecting an attempt to modify the computer file; and

applying, via an electronic processor, an access policy to the computer file based at least partially on the hash in the file meta data.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that trusts software executables existent on a machine prior to activation for different types of accesses e.g. execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system will tag the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system.

108 Citations

16 Claims

1. A method of managing access to a computer file stored by a computer file system, the computer file comprising file data and file meta data, the method comprising:
- generating, via an electronic processor, a hash based at least in part on the file meta data;
  
  writing the hash to the file meta data;
  
  writing a first indicator to the file meta data in response to detecting an attempt to modify the computer file; and
  
  applying, via an electronic processor, an access policy to the computer file based at least partially on the hash in the file meta data.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the hash is not based on the file data.
  - 3. The method of claim 1, wherein the computer file system is a Windows NT file system (NTFS), and the file meta data comprises extended attributes and alternate streams.
  - 4. The method of claim 1, further comprising writing a second indicator to the file meta data in response to an attempt to create the computer file.

5. An apparatus for managing access to a computer file stored by a computer file system, the computer file comprising file data and file meta data, the apparatus comprising:
- An electronic processor;
  
  a memory, operably connected to the electronic processor, the memory configured to store instructions that configure the processor to;
  
  generate a hash based at least in part on the file meta data,write the hash to the file meta data,write a first indicator to the file meta data in response to detecting an attempt to modify the computer file, andapply an access policy to the computer file based at least partially on the hash in the file meta data.
- View Dependent Claims (6, 7, 8)
- - 6. The apparatus of claim 5, wherein the memory further stores instructions that configure the electronic processor to write a second indicator to the file meta data in response to a creation of the computer file.
  - 7. The apparatus of claim 5, wherein the hash is not based on the file data.
  - 8. The method of claim 5, wherein the computer file system is a Windows NT file system (NTFS), and the file meta data comprises extended attributes and alternate streams.

9. An apparatus for managing access to a computer file stored by a computer file system, the computer file comprising file data and file meta data, the apparatus comprising:
- an electronic processor;
  
  a memory, operably connected to the electronic processor;
  
  means for generating a hash based at least in part on the file meta data;
  
  means for writing the hash to the file meta data;
  
  means for writing a first indicator to the file meta data in response to an attempt to modify the computer file; and
  
  means for applying an access policy to the computer file based at least partially on the hash in the file meta data.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The apparatus of claim 9, further comprising means for writing a second indicator to the file meta data in response to a creation of the computer file.
  - 11. The apparatus of claim 9, wherein the means for writing a first indicator to the file meta data is a file system filter driver executing on the electronic processor.
  - 12. The apparatus of claim 9, wherein the means for storing the file meta data in the memory is a file system filter driver executing on the electronic processor.
  - 13. The apparatus of claim 9, wherein the means for applying an access policy to the file based at least partially on the first indicator is a file system filter driver executing on the electronic processor.

14. A non-transitory computer-readable storage medium comprising instructions that when executed cause an electronic processor to perform a method of managing access to a computer file stored by a computer file system, the computer file comprising file data and file meta data, the method comprising:
- generating a hash based at least in part on the file meta data;
  
  writing the hash to the file meta data;
  
  writing a first indicator to the file meta data in response to detecting an attempt to modify the computer file; and
  
  applying an access policy to the computer file based at least partially on the hash in the file meta data.
- View Dependent Claims (15, 16)
- - 15. The computer-readable storage medium of claim 14, wherein the hash is not based on the file data.
  - 16. The computer-readable storage medium of claim 14, the method further comprising writing a second indicator to the file meta data in response to detecting an attempt to create the computer file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Sharma, Rajesh Kumar, Lo, Winping, Papa, Joseph
Primary Examiner(s)
LEE, JASON T

Application Number

US13/900,954
Publication Number

US 20130254839A1
Time in Patent Office

635 Days
Field of Search

726/1, 726/4, 726/22, 726/24, 713/150, 713/156, 713/176
US Class Current

726/24
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/60   Protecting data

Real time lockdown

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Real time lockdown

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links