Installer trust chain validation

US 9,098,706 B1
Filed: 07/31/2006
Issued: 08/04/2015
Est. Priority Date: 07/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-program product comprising a non-transitory computer readable storage medium containing computer program code comprising:

an executable file installer trust chain validation application for determining whether a creator of a created executable file in a local filesystem is a trusted installer, wherein said determining comprises;

receiving an indication of suspicious behavior from a behavior blocking application resulting from execution of said created executable file; and

checking whether said created executable file is a trusted file, wherein said checking comprises determining that said creator is unsigned and determining that a location of said unsigned creator within said local filesystem indicates that said unsigned creator should be trusted,wherein upon a determination that said creator is said trusted installer, said executable file installer trust chain validation application further defines said created executable file as a trusted file.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A determination is made as to whether a creator of a created executable file is a trusted installer, e.g., a digitally signed installer. Upon a determination that the creator is a trusted installer, the created executable file is defined as a trusted file. By bestowing the trust of a trusted installer to the executable files that the installer creates, suspicious behavior by the created executable files and associated processes, which otherwise would be blocked, is allowed. In this manner, false positives, e.g., blocking of legitimate behavior by the created executable file and associated process(es), are avoided.

Citations

16 Claims

1. A computer-program product comprising a non-transitory computer readable storage medium containing computer program code comprising:
- an executable file installer trust chain validation application for determining whether a creator of a created executable file in a local filesystem is a trusted installer, wherein said determining comprises;
  
  receiving an indication of suspicious behavior from a behavior blocking application resulting from execution of said created executable file; and
  
  checking whether said created executable file is a trusted file, wherein said checking comprises determining that said creator is unsigned and determining that a location of said unsigned creator within said local filesystem indicates that said unsigned creator should be trusted,wherein upon a determination that said creator is said trusted installer, said executable file installer trust chain validation application further defines said created executable file as a trusted file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-program product of claim 1 wherein said creator is an executable file, and wherein execution of said creator creates said created executable file.
  - 3. The computer-program product of claim 1 wherein said trusted installer vouches for said created executable file.
  - 4. The computer-program product of claim 1 wherein said created executable file is bestowed trust of said trusted installer.
  - 5. The computer-program product of claim 1 wherein said executable file installer trust chain validation application is further for determining that said created executable file has been created.
  - 6. The computer-program product of claim 1 wherein said executable file installer trust chain validation application is further determining whether said created executable file has a valid digital signature or a valid surrogate digital signature.
  - 7. The computer-program product of claim 1 wherein upon determining that said created executable file has said valid digital signature or said valid surrogate digital signature, said executable file installer trust chain validation application is further for defining said created executable file as a trusted file.
  - 8. The computer-program product of claim 1 wherein said executable file installer trust chain validation application is further determining said creator.
  - 9. The computer-program product of claim 1 wherein upon a determination that said creator is said trusted installer, said executable file installer trust chain validation application further for creating a surrogate digital signature for said created executable file.
  - 10. The computer-program product of claim 1 wherein said executable file installer trust chain validation application is further for detecting suspicious behavior by a process.
  - 11. The computer-program product of claim 10 wherein upon said detecting suspicious behavior, said executable file installer trust chain validation application is further for determining whether said process is from a trusted file.
  - 12. The computer-program product of claim 11 wherein said executable file installer trust chain validation application is further for taking protective action to protect a computer system upon a determination that said process is not from said trusted file.
  - 13. The computer-program product of claim 11 wherein upon a determination that said process is from said trusted file, said executable file installer trust chain validation application is further for allowing said suspicious behavior.

14. A computer system comprising:
- a memory having stored therein an executable file installer trust chain validation application; and
  
  a processor coupled to said memory, wherein execution of said executable file installer trust chain validation application generates a method comprising;
  
  receiving an indication of suspicious behavior from a behavior blocking application resulting from execution of said created executable file;
  
  checking whether said created executable file is a trusted file, wherein said checking comprises determining whether a creator of a created executable file in a local filesystem is a trusted installer based on a determination that said creator is unsigned and a determination that a location of said unsigned creator within said local filesystem indicates that said unsigned creator should be trusted; and
  
  defining said created executable file as a trusted file upon a determination that said creator is said trusted installer.

15. A computer system comprising:
- means for determining whether a creator of a created executable file in a local filesystem is a trusted installer, wherein said determining comprises;
  
  receiving an indication of suspicious behavior from a behavior blocking application resulting from execution of said created executable file; and
  
  checking whether said created executable file is a trusted file, wherein said checking comprises determining that said creator is unsigned and determining that a location of said unsigned creator within said local filesystem indicates that said unsigned creator should be trusted; and
  
  means for defining said created executable file as a trusted file upon a determination that said creator is said trusted installer.

16. A computer-program product comprising a tangible non-transitory computer readable medium containing computer program code comprising:
- an executable file installer trust chain validation application for detecting suspicious behavior by a process and for determining whether a creator of a created executable file in a local filesystem is a trusted installer, wherein said determining comprises;
  
  receiving an indication of suspicious behavior from a behavior blocking application resulting from execution of said created executable file; and
  
  checking whether said created executable file is a trusted file, wherein said checking comprises determining that said creator is unsigned and determining that a location of said unsigned creator within said local filesystem indicates that said unsigned creator should be trusted, wherein upon a determination that said creator is said trusted installer, said executable file installer trust chain validation application further defines said created executable file as a trusted file,wherein said creator is an executable file, and wherein execution of said creator creates said created executable file,wherein said created executable file is bestowed trust of said trusted installer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kennedy, Mark
Primary Examiner(s)
Puente, Emerson
Assistant Examiner(s)
Labud, Jonathan R

Application Number

US11/496,852
Time in Patent Office

3,291 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/572   Secure firmware programming...

G06F 2221/033   Test or assess software

H04L 67/125   involving control of end-de...

H04L 67/535   Tracking the activity of th...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Installer trust chain validation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Installer trust chain validation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links