System and method for strategic anti-malware monitoring

US 9,088,606 B2
Filed: 12/03/2012
Issued: 07/21/2015
Est. Priority Date: 07/05/2012
Status: Active Grant

First Claim

Patent Images

1. A system for strategic anti-malware monitoring in a network, comprising:

one or more active scanners configured to remotely scan a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes; and

one or more processors coupled to the one or more active scanners, wherein the one or more processors are configured to;

communicate the unique signatures associated with the enumerated processes running on the remotely scanned host to a cloud database, wherein the cloud database aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued;

receive a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and

generate a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

Citations

30 Claims

1. A system for strategic anti-malware monitoring in a network, comprising:
- one or more active scanners configured to remotely scan a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes; and
  
  one or more processors coupled to the one or more active scanners, wherein the one or more processors are configured to;
  
  communicate the unique signatures associated with the enumerated processes running on the remotely scanned host to a cloud database, wherein the cloud database aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued;
  
  receive a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and
  
  generate a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 3. The system recited in claim 1, wherein the unique signatures associated with the enumerated processes running on the remotely scanned host include cryptographic hashes or cryptographic checksums.
  - 4. The system recited in claim 1, wherein the one or more active scanners are further configured to:
    - upload a dissolvable agent to the remotely scanned host to enumerate the one or more processes running thereon and compute the unique signatures associated therewith; and
      
      remove the dissolvable agent from the remotely scanned host subsequent to the one or more processors communicating the unique signatures associated with the enumerated processes to the cloud database.
  - 5. The system recited in claim 1, wherein the one or more processors are further configured to generate a report to indicate that one or more additional hosts in the network have the malware infection if the one or more additional hosts are running processes that have unique signatures matching the unique signature associated with the at least one enumerated process on the remotely scanned host that matched the signature associated with the at least one known virus or malware sample.
  - 6. The system recited in claim 1, wherein the one or more active scanners are further configured to:
    - compare a file system associated with the remotely scanned host to a trusted file system known to have no malware infections; and
      
      identify one or more suspicious files in the file system associated with the remotely scanned host, wherein the one or more suspicious files do not appear in the trusted file system or have unique signatures that differ from corresponding files in the trusted file system.
  - 7. The system recited in claim 1, wherein the one or more processors are further configured to:
    - communicate the unique signatures associated with the one or more suspicious files to the cloud database that aggregates the signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and
      
      generate a report to indicate that the remotely scanned host has been infected with malware if the unique signature associated with at least one suspicious file on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.
  - 8. The system recited in claim 1, further comprising:
    - one or more passive scanners configured to observe connections in the network to identify one or more events and vulnerabilities potentially associated with a virus or malware outbreak in the network; and
      
      a log aggregator configured to;
      
      collect one or more logs that describe the connections observed with the one or more passive scanners and system processes that have occurred in the network; and
      
      query the one or more collected logs in response to the report indicating that the remotely scanned host has the malware infection to isolate where the malware infection was introduced into the network and to evaluate the extent to which the malware infection has propagated or spread throughout the network.
  - 9. The system recited in claim 8, wherein the log aggregator is further configured to:
    - detect one or more events in the collected logs indicating that the virus or malware outbreak has potentially occurred in the network, wherein the one or more detected events include one or more of a host in the network running a new executable for the first time, a new executable running in the network for the first time, or a known executable, being invoked in a new manner for the first time; and
      
      query the cloud database using a unique signature associated with the new executable or the known executable invoked in the new manner to determine whether the one or more detected events reflect an actual virus or malware outbreak in the network.
  - 10. The system recited in claim 1, wherein the one or more active scanners are further configured to:
    - determine a network configuration associated with the remotely scanned host, wherein the determined network configuration includes an Internet Protocol (IP) address associated with the remotely scanned host and a Domain Name System (DNS) IP address used on the remotely scanned host; and
      
      detect that the remotely scanned host participates in an active botnet if the IP address associated therewith or the DNS IP address used thereon appears in a database that lists known botnet IP addresses.
  - 11. The system recited in claim 1, wherein the one or more active scanners are further configured to:
    - enumerate one or more active connections on the remotely scanned host; and
      
      detect that the remotely scanned host participates in an active botnet if at least one active connection enumerated on the remotely scanned host has a source or destination Internet. Protocol (IP) address that appears in a database that lists known botnet IP addresses.
  - 12. The system recited in claim 1, wherein the one or more active scanners are further configured to:
    - scan a web application on the remotely scanned host to identify one or more external network addresses to which the scanned web application points; and
      
      detect that the remotely scanned host links to malicious content if at least one external network address to which the scanned web application points corresponds to an Internet. Protocol (IP) address that appears in a database that lists IP addresses and Domain Name System (DNS) names associated with known botnet activity.
  - 13. The system recited in claim 1, further comprising a log aggregator configured to:
    - collect one or more logs that describe the connections observed in the network that are associated with potential botnet activity; and
      
      detect the potential botnet activity if at least one connection observed in the network has a source or destination Internet Protocol (IP) address or queries a Domain Name System (DNS) IP address that appears in a database that lists known botnet IP addresses.
  - 14. The system recited in claim 13, wherein the log aggregator is further configured to generate a report that describes the potential botnet activity and indicates whether the at least one connection associated with the potential botnet activity originated from a source IP address associated with a malicious botnet or an internal host that reached out to a destination IP address associated with the malicious botnet.
  - 15. The system recited in claim 1, wherein the one or more active scanners are further configured to:
    - examine local or resident anti-virus agents deployed in the network to audit an anti-malware strategy deployed in the network; and
      
      generate a report to indicate whether the audited anti-malware strategy provides appropriate protection against virus or malware outbreaks in the network.

2. The system recited in claim wherein the remotely scanned host does not have a local or resident anti-virus agent.

16. A method for strategic anti-malware monitoring in a network, comprising:
- remotely scanning a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes;
  
  communicating the unique signatures associated with the enumerated process running on the remotely scanned host to a cloud database, wherein the cloud database aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued;
  
  receiving a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and
  
  generating a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The method recited in claim 16, wherein the remotely scanned host does not have a local or resident anti-virus agent.
  - 18. The method recited in claim 16, wherein the unique signatures associated with the enumerated processes running on the remotely scanned host include cryptographic hashes or cryptographic checksums.
  - 19. The method recited in claim 16, wherein remotely scanning the host to enumerate the running processes and compute the unique signatures associated therewith includes:
    - uploading a dissolvable agent to the remotely scanned host to enumerate the one or more processes running thereon and compute the unique signatures associated therewith; and
      
      removing the dissolvable agent from the remotely scanned host subsequent to communicating the unique signatures associated with the enumerated processes to the cloud database.
  - 20. The method recited in claim 16, further comprising generating a report to indicate that one or more additional hosts in the network have the malware infection if the one or more additional hosts are running processes that have unique signatures matching the unique signature associated with the at least one enumerated process on the remotely scanned host that matched the signature associated with the at least one known virus or malware sample.
  - 21. The method recited in claim 16, further comprising:
    - comparing a file system associated with the remotely scanned host to a trusted file system known to have no malware infections; and
      
      identifying one or more suspicious files in the file system associated with the remotely sunned host, wherein the one or more suspicious files do not appear in the trusted file system or have unique signatures that differ from corresponding files in the trusted file system.
  - 22. The method recited in claim 16, further comprising:
    - communicating the unique signatures associated with the one or more suspicious files to the cloud database that aggregates the signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and
      
      generating a report to indicate that the remotely scanned host has been infected with malware if the unique signature associated with at least one suspicious file on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.
  - 23. The method recited in claim 16, further comprising:
    - configuring one or more passive scanners to observe connections in the network and identify one or more events and vulnerabilities potentially associated with a virus or malware outbreak in the network; and
      
      querying one or more logs that describe the connections observed with the one or more passive scanners and system processes that have occurred in the network in response to the report indicating that the remotely scanned host has the malware infection to isolate where the malware infection was introduced into the network and to evaluate the extent to which the malware infection has propagated or spread throughout the network.
  - 24. The method recited in claim 23, further comprising:
    - detecting one or more events in the one or more logs indicating that the virus or malware outbreak has potentially occurred in the network, wherein the one or more detected events include one or more of a host in the network running a new executable for the first time, a new executable running in the network for the first time, or a known executable being invoked in a new manner for the first time; and
      
      querying the cloud database using a unique signature associated with the new executable or the known executable invoked in the new manner to determine whether the one or more detected events reflect an actual virus or malware outbreak in the network.
  - 25. The method recited in claim 16, further comprising:
    - determining a network configuration associated with the remotely scanned host, wherein the determined network configuration includes an Internet Protocol (IP) address associated with the remotely scanned host and a Domain Name System (DNS) IP address used on the remotely scanned host; and
      
      detecting that the remotely scanned host participates in an active botnet if the IP address associated therewith or the DNS IP address used thereon appears in a database that lists known botnet IP addresses.
  - 26. The method recited in claim 16, further comprising:
    - enumerating one or more active connections on the remotely scanned host; and
      
      detecting that the remotely scanned host participates in an active botnet if at least one active connection enumerated on the remotely scanned host has a source or destination Internet Protocol (IP) address that appears in a database that lists known botnet IP addresses.
  - 27. The method recited in claim 16, further comprising:
    - scanning a web application on the remotely scanned host to identify one or more external network addresses to which the scanned web application points; and
      
      detecting that the remotely scanned host links to malicious content if at least one external network address to which the scanned web application points corresponds to an Internet Protocol (IP) address that appears in a database that lists IP addresses and Domain Name System (DNS) names associated with known botnet activity.
  - 28. The method recited in claim 16, further comprising:
    - collecting one or more logs that describe the connections observed in the network that are associated with potential botnet activity;
      
      detecting the potential botnet activity if at least one connection observed in the network has a source or destination Internet Protocol (IP) address or queries a Domain Name System (DNS) IP address that appears in a database that lists known botnet IP addresses; and
      
      generating a report that describes the potential botnet activity and indicates whether the at least one connection associated with the potential botnet activity originated from a source IP address associated with a malicious botnet or an internal host that reached out to a destination IP address associated with the malicious botnet.
  - 29. The method recited in claim 16, further comprising:
    - examining local or resident anti-virus agents deployed in the network to audit an anti-malware strategy deployed in the network; and
      
      generating a report to indicate whether the audited anti-malware strategy provides appropriate protection against virus or malware outbreaks in the network.

30. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon for strategic anti-malware monitoring in a network, wherein executing the computer-executable instructions one or more processors causes the one or more processors to:
- remotely scan a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes;
  
  communicate the unique signatures associated with the enumerated processes running on the remotely scanned host to a cloud database, wherein the cloud database aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued;
  
  receive a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and
  
  generate a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Ranum, Marcus J., Gula, Ron
Primary Examiner(s)
Darrow, Justin T

Application Number

US13/692,200
Publication Number

US 20140013434A1
Time in Patent Office

960 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 16/903   Querying for retrieval from...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

System and method for strategic anti-malware monitoring

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for strategic anti-malware monitoring

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links