Detecting and remediating malware dropped by files

US 9,178,906 B1
Filed: 07/11/2014
Issued: 11/03/2015
Est. Priority Date: 10/28/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious software (malware) on an endpoint, comprising:

detecting arrival of a file at the endpoint from a host;

observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;

querying a security server as to whether the network identifier is associated with a suspicious host;

receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;

responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware; and

responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module detects and remediates malware from suspicious hosts. A file arrives at an endpoint from a host. The security module detects the arrival of the file and determines the host from which the file arrived. The security module also determines whether the host is suspicious. If the host is suspicious, the security module observes the operation of the file and identifies a set of files dropped by the received file. The security module monitors the files in the set using heuristics to detect whether any of the files engage in malicious behavior. If a file engages in malicious behavior, the security module responds to the malware detection by remediating the malware, which may include removing system changes caused by the set.

150 Citations

20 Claims

1. A computer-implemented method for detecting malicious software (malware) on an endpoint, comprising:
- detecting arrival of a file at the endpoint from a host;
  
  observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;
  
  querying a security server as to whether the network identifier is associated with a suspicious host;
  
  receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;
  
  responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware; and
  
  responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein applying the first set of heuristics to the file comprises:
    - tracking changes to the endpoint made by the file; and
      
      storing a record of the changes to the endpoint made by the file, the record associated with the file.
  - 3. The method of claim 1, further comprising:
    - responsive to determining that the file is malware, remediating the malware.
  - 4. The method of claim 1, wherein the arrived file comprises an installer and the installer drops files on the endpoint responsive to execution of the installer by extracting files based on data in the installer, further comprising:
    - identifying a set of files on the endpoint, the set comprising the arrived file and the extracted files;
      
      wherein responsive to receiving an indication that the network identifier is associated with a suspicious host, the first set of heuristics is applied to the files in the set to determine whether any of the files in the set are malware; and
      
      wherein responsive to receiving an indication that the network identifier is not associated with a suspicious host, the second set of heuristics less resource-intensive than the first set of heuristics is applied to the files in the set to determine whether any of the files in the set are malware.
  - 5. The method of claim 1, wherein applying the second set of heuristics less resource-intensive than the first set of heuristics comprises:
    - applying a sub-set of the first set of heuristics to the file as the second set of heuristics.
  - 6. The method of claim 1, further comprising:
    - determining whether a heuristic is resource intensive responsive to information stored on the endpoint.
  - 7. The method of claim 1, further comprising:
    - determining whether a heuristic is resource intensive responsive to information retrieved from the security server.

8. A non-transitory computer-readable storage medium storing executable computer program instructions for detecting malicious software (malware) on an endpoint, the computer program instructions comprising instructions for:
- detecting arrival of a file at the endpoint from a host;
  
  observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;
  
  querying a security server as to whether the network identifier is associated with a suspicious host;
  
  receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;
  
  responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware; and
  
  responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein applying the first set of heuristics to the file comprises:
    - tracking changes to the endpoint made by the file; and
      
      storing a record of the changes to the endpoint made by the file, the record associated with the file.
  - 10. The non-transitory computer-readable storage medium of claim 8, further comprising instructions for:
    - responsive to determining that the file is malware, remediating the malware.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein the arrived file comprises an installer and the installer drops files on the endpoint responsive to execution of the installer by extracting files based on data in the installer, further comprising instructions for:
    - identifying a set of files on the endpoint, the set comprising the arrived file and the extracted files;
      
      wherein responsive to receiving an indication that the network identifier is associated with a suspicious host, the first set of heuristics is applied to the files in the set to determine whether any of the files in the set are malware; and
      
      wherein responsive to receiving an indication that the network identifier is not associated with a suspicious host, the second set of heuristics less resource-intensive than the first set of heuristics is applied to the files in the set to determine whether any of the files in the set are malware.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein applying the second set of heuristics less resource-intensive than the first set of heuristics comprises:
    - applying a sub-set of the first set of heuristics to the file as the second set of heuristics.
  - 13. The non-transitory computer-readable storage medium of claim 8, further comprising instructions for:
    - determining whether a heuristic is resource intensive responsive to information stored on the endpoint.
  - 14. The non-transitory computer-readable storage medium of claim 8, further comprising instructions for:
    - determining whether a heuristic is resource intensive responsive to information retrieved from the security server.

15. A system for detecting malicious software (malware) on an endpoint, the system comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for;
  
  detecting arrival of a file at the endpoint from a host;
  
  observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;
  
  querying a security server as to whether the network identifier is associated with a suspicious host;
  
  receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;
  
  responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware;
  
  responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware; and
  
  a processor for executing the computer program instructions.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein applying the first set of heuristics to the file comprises:
    - tracking changes to the endpoint made by the file; and
      
      storing a record of the changes to the endpoint made by the file, the record associated with the file.
  - 17. The system of claim 15, the non-transitory computer-readable storage medium further storing computer program instructions for:
    - responsive to determining that the file is malware, remediating the malware.
  - 18. The system of claim 15, wherein applying the second set of heuristics less resource-intensive than the first set of heuristics comprises:
    - applying a sub-set of the first set of heuristics to the file as the second set of heuristics.
  - 19. The system of claim 15, the non-transitory computer-readable storage medium further storing computer program instructions for:
    - determining whether a heuristic is resource intensive responsive to information stored on the endpoint.
  - 20. The system of claim 15, the non-transitory computer-readable storage medium further storing computer program instructions for:
    - determining whether a heuristic is resource intensive responsive to information retrieved from the security server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chen, Joseph H., Chen, Zhongning
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US14/329,624
Time in Patent Office

480 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Detecting and remediating malware dropped by files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting and remediating malware dropped by files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links