Detecting and remediating malware dropped by files
First Claim
1. A computer-implemented method for detecting malicious software (malware) on an endpoint, comprising:
- detecting arrival of a file at the endpoint from a host;
- observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;
- querying a security server as to whether the network identifier is associated with a suspicious host;
- receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;
- responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware; and
- responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware.
Abstract
A security module detects and remediates malware from suspicious hosts. A file arrives at an endpoint from a host. The security module detects the arrival of the file and determines the host from which the file arrived. The security module also determines whether the host is suspicious. If the host is suspicious, the security module observes the operation of the file and identifies a set of files dropped by the received file. The security module monitors the files in the set using heuristics to detect whether any of the files engage in malicious behavior. If a file engages in malicious behavior, the security module responds to the malware detection by remediating the malware, which may include removing system changes caused by the set.
20 Claims

1. A computer-implemented method for detecting malicious software (malware) on an endpoint, comprising:
- detecting arrival of a file at the endpoint from a host;
- observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;
- querying a security server as to whether the network identifier is associated with a suspicious host;
- receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;
- responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware; and
- responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware.
Dependent claims 2, 3, 4, 5, 6, 7 (not shown).

8. A non-transitory computer-readable storage medium storing executable computer program instructions for detecting malicious software (malware) on an endpoint, the computer program instructions comprising instructions for:
- detecting arrival of a file at the endpoint from a host;
- observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;
- querying a security server as to whether the network identifier is associated with a suspicious host;
- receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;
- responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware; and
- responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware.
Dependent claims 9, 10, 11, 12, 13, 14 (not shown).

15. A system for detecting malicious software (malware) on an endpoint, the system comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for:
  - detecting arrival of a file at the endpoint from a host;
  - observing network traffic at the endpoint to observe a network identifier of the host from which the file arrived;
  - querying a security server as to whether the network identifier is associated with a suspicious host;
  - receiving a response to the query from the security server, the response indicating whether the network identifier is associated with a suspicious host;
  - responsive to receiving an indication that the network identifier is associated with a suspicious host, applying a first set of heuristics to the file to determine whether the file is malware;
  - responsive to receiving an indication that the network identifier is not associated with a suspicious host, applying a second set of heuristics less resource-intensive than the first set of heuristics to the file to determine whether the file is malware; and
- a processor for executing the computer program instructions.
Dependent claims 16, 17, 18, 19, 20 (not shown).
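The abstract and the independent claims above describe one pipeline: observe the network identifier of the host a file arrived from, ask a security server whether that host is suspicious, run the expensive heuristic set (including observing the file's execution and the files it drops) only on that path, run the cheap static set otherwise, and remediate by undoing the system changes made by the whole dropped set. The Python below is an added illustration of that control flow written for this page; it is not code from the patent or its assignee. The reputation table (standing in for the security server), the flag names, the heuristic names, the threshold and the sample file records are all constructed assumptions.

```python
# Added illustration of the claimed tiered pipeline; not code from the patent.
# The host table, flag names, heuristics, threshold and sample records are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class FileRecord:
    path: str
    src_host: str                                            # network identifier seen in endpoint traffic
    static_flags: Set[str] = field(default_factory=set)      # cheap static observations, e.g. "packed"
    runtime_flags: Set[str] = field(default_factory=set)     # only observable while the file runs
    drops: List["FileRecord"] = field(default_factory=list)  # files written by this file when executed
    changes: List[str] = field(default_factory=list)         # system changes made while it ran


# Constructed stand-in for the security server's reputation data (RFC 5737 address, example name).
SUSPICIOUS_HOSTS = {"198.51.100.23", "downloads.bad.example"}


def query_security_server(network_id: str) -> bool:
    """Claim step: ask whether the observed network identifier belongs to a suspicious host."""
    return network_id in SUSPICIOUS_HOSTS


# Light set: static checks only. Full set: the light checks plus behaviour seen under monitoring.
LIGHT_HEURISTICS: Dict[str, Callable[[FileRecord], bool]] = {
    "packed": lambda f: "packed" in f.static_flags,
    "unsigned": lambda f: "no_signature" in f.static_flags,
}
FULL_HEURISTICS: Dict[str, Callable[[FileRecord], bool]] = {
    **LIGHT_HEURISTICS,
    "autorun_persistence": lambda f: "autorun" in f.runtime_flags,
    "process_injection": lambda f: "inject" in f.runtime_flags,
    "drops_executable": lambda f: any(d.path.lower().endswith(".exe") for d in f.drops),
}
THRESHOLD = 2  # number of matching heuristics that yields a malware verdict (constructed)


def collect_set(root: FileRecord) -> List[FileRecord]:
    """The received file plus everything it drops, transitively, without looping on repeated paths."""
    seen: Set[str] = set()
    order: List[FileRecord] = []
    stack = [root]
    while stack:
        f = stack.pop()
        if f.path in seen:
            continue
        seen.add(f.path)
        order.append(f)
        stack.extend(f.drops)
    return order


def score(f: FileRecord, heuristics: Dict[str, Callable[[FileRecord], bool]]) -> List[str]:
    """Names of the heuristics in the chosen set that match this file."""
    return [name for name, pred in heuristics.items() if pred(f)]


def remediate(file_set: List[FileRecord]) -> List[str]:
    """Undo the set's system changes, newest first, and report what was reverted."""
    changes = [c for f in file_set for c in f.changes]
    return [f"revert:{c}" for c in reversed(changes)]


def analyze_arrival(received: FileRecord) -> dict:
    """Pick the heuristic tier from host reputation, score the relevant files, remediate on a hit."""
    suspicious = query_security_server(received.src_host)
    if suspicious:
        file_set, heuristics, tier = collect_set(received), FULL_HEURISTICS, "full"
    else:
        file_set, heuristics, tier = [received], LIGHT_HEURISTICS, "light"
    hits = {f.path: score(f, heuristics) for f in file_set}
    verdicts = {p: len(h) >= THRESHOLD for p, h in hits.items()}
    reverted = remediate(file_set) if any(verdicts.values()) else []
    return {"suspicious_host": suspicious, "tier": tier, "hits": hits,
            "verdicts": verdicts, "reverted": reverted}


def sample_arrival(src_host: str) -> FileRecord:
    """Constructed sample: a packed installer that drops an unsigned helper which injects into a process."""
    helper = FileRecord("C:\\Users\\u\\AppData\\helper.exe", src_host,
                        static_flags={"no_signature"}, runtime_flags={"inject"},
                        changes=["service:helper_svc"])
    return FileRecord("C:\\Users\\u\\Downloads\\setup.exe", src_host,
                      static_flags={"packed"}, runtime_flags={"autorun"},
                      drops=[helper], changes=["registry:Run\\setup"])


if __name__ == "__main__":
    for host in ("198.51.100.23", "203.0.113.9"):
        print(host, analyze_arrival(sample_arrival(host)))
```

Running the same constructed sample twice, once from a host the server flags and once from one it does not, shows the trade-off the claim encodes: on the full path the installer and its dropped helper both cross the threshold and every recorded change of the set is reverted, while on the light path only the static "packed" indicator is visible, so the file passes. The resource saving therefore depends on the security server's host list being current; a detection team should pair this design with a feedback loop that reports full-path hits back to the server.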
Specification