System and method for strategic anti-malware monitoring
Abstract
The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued, in order to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content, and to audit the anti-virus strategies deployed in the network.
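As an added illustration (not code from the patent or from any product), the following Python sketch walks through the claimed pipeline: an active scanner enumerates processes and hashes their images, a stand-in for the cloud database answers which vendors catalogued each hash, and a report flags the host on any match. The host name, paths, "samples" and vendor names are all constructed; the database is keyed on the exact SHA-256 of the image bytes, and an image the scanner could not read is reported as unscanned rather than silently treated as clean.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Unique signature of a process image (SHA-256, hex encoded)."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the cloud database: signature -> anti-virus vendors
# that catalogued the sample. The samples are made-up byte strings, not real malware.
CLOUD_DB = {
    sha256_hex(b"CONSTRUCTED SAMPLE 1: fake dropper"): {"VendorA", "VendorB"},
    sha256_hex(b"CONSTRUCTED SAMPLE 2: fake bot client"): {"VendorC"},
}

# Constructed result of remotely enumerating a host's processes:
# (pid, image path, image bytes, or None when the image could not be read).
ENUMERATED_PROCESSES = [
    (412, r"C:\Windows\System32\svchost.exe", b"CONSTRUCTED benign image"),
    (1337, r"C:\Users\Public\update.exe", b"CONSTRUCTED SAMPLE 1: fake dropper"),
    (2048, r"C:\Temp\unreadable.exe", None),
]

def compute_signatures(processes):
    """Active-scanner step: one signature per enumerated process (None if unreadable)."""
    return [(pid, path, sha256_hex(img) if img is not None else None)
            for pid, path, img in processes]

def cloud_lookup(signatures, db=CLOUD_DB):
    """Cloud-database step: the reply says, per signature, which vendors catalogued it
    (an empty set means no vendor has a matching sample)."""
    return {sig: db.get(sig, set()) for _, _, sig in signatures if sig is not None}

def build_report(host, signatures, message):
    """Report step: the host is flagged as infected on at least one match; processes
    whose image could not be hashed are listed separately, not reported as clean."""
    matches = [{"pid": pid, "path": path, "sha256": sig, "vendors": sorted(message[sig])}
               for pid, path, sig in signatures if sig is not None and message.get(sig)]
    unscanned = [{"pid": pid, "path": path} for pid, path, sig in signatures if sig is None]
    return {"host": host, "infected": bool(matches), "matches": matches, "unscanned": unscanned}

def scan_host(host, processes=ENUMERATED_PROCESSES, db=CLOUD_DB):
    """End-to-end: enumerate -> sign -> query cloud database -> report."""
    sigs = compute_signatures(processes)
    return build_report(host, sigs, cloud_lookup(sigs, db))

if __name__ == "__main__":
    import json
    print(json.dumps(scan_host("host-01.example.internal"), indent=2))
```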
30 Claims
1. A system for strategic anti-malware monitoring in a network, comprising:

one or more active scanners configured to remotely scan a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes; and

one or more processors coupled to the one or more active scanners, wherein the one or more processors are configured to:

communicate the unique signatures associated with the enumerated processes running on the remotely scanned host to a cloud database, wherein the cloud database aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued;

receive a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and

generate a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.

Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
2. The system recited in claim wherein the remotely scanned host does not have a local or resident anti-virus agent.
16. A method for strategic anti-malware monitoring in a network, comprising:

remotely scanning a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes;

communicating the unique signatures associated with the enumerated processes running on the remotely scanned host to a cloud database, wherein the cloud database aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued;

receiving a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and

generating a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.

Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29.
30. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon for strategic anti-malware monitoring in a network, wherein executing the computer-executable instructions on one or more processors causes the one or more processors to:

remotely scan a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes;

communicate the unique signatures associated with the enumerated processes running on the remotely scanned host to a cloud database, wherein the cloud database aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued;

receive a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued; and

generate a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample that the multiple different anti-virus vendors have catalogued.