Real time lockdown

US 9,230,098 B2
Filed: 02/13/2015
Issued: 01/05/2016
Est. Priority Date: 12/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method of applying an access policy to a computer file, comprising:

receiving, via an electronic hardware processor, a request to modify a computer file, the computer file comprising file user data and file meta data associated with the user data;

writing a first indicator to the file meta data in response to the request;

receiving, via an electronic hardware processor, a second request to execute the computer file;

determining, via an electronic hardware processor, in response to receiving the second request, the file meta data includes the first indicator;

selecting, in response to the determining, a first policy from a plurality of policies based on the file meta data including the first indicator; and

applying, via an electronic hardware processor, the selected policy to the second request.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that trusts software executables existent on a machine prior to activation for different types of accesses e.g. execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system will tag the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system.

114 Citations

20 Claims

1. A method of applying an access policy to a computer file, comprising:
- receiving, via an electronic hardware processor, a request to modify a computer file, the computer file comprising file user data and file meta data associated with the user data;
  
  writing a first indicator to the file meta data in response to the request;
  
  receiving, via an electronic hardware processor, a second request to execute the computer file;
  
  determining, via an electronic hardware processor, in response to receiving the second request, the file meta data includes the first indicator;
  
  selecting, in response to the determining, a first policy from a plurality of policies based on the file meta data including the first indicator; and
  
  applying, via an electronic hardware processor, the selected policy to the second request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprisingreceiving a third request to execute a second computer file;
    - performing a second determining that the file meta-data of the second computer file does not include the first indicator in response to receiving the third request;
      
      selecting, in response to the second determining, a second policy from the plurality of policies based on the file meta-data of the second computer not including the first indicator; and
      
      applying the second policy to the request.
  - 3. The method of claim 1, wherein the selected policy is for restricted executables.
  - 4. The method of claim 2, wherein the second policy is for trusted or unrestricted files.
  - 5. The method of claim 1, further comprising:
    - hashing the file meta data; and
      
      selecting the first policy based at least in part on the hash of the file meta data.
  - 6. The method of claim 1, further comprising:
    - performing a third determining of whether the first indicator is associated with restricted files; and
      
      selecting the first policy based at least in part on the third determining.
  - 7. The method of claim 6, further comprising:
    - applying a policy for restricted executables in response to the first indicator being associated with restricted files; and
      
      applying a policy for trusted or unrestricted executables in response to the first indicator not being associated with restricted files.

8. An apparatus for applying an access policy to a computer file, comprising:
- an electronic processor;
  
  a memory, operably connected to the electronic processor, and storing instructions that configure the electronic processor to;
  
  receive a request to modify a computer file, the computer file comprising file user data and file meta data associated with the user data;
  
  write a first indicator to the file meta data in response to the request;
  
  receive a second request to execute the computer file;
  
  determine, in response to receiving the second request, the file meta data includes the first indicator;
  
  select, in response to the determining, a first policy from a plurality of policies based on the file meta data including the first indicator; and
  
  apply the selected policy to the second request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the memory stores further instructions that further configure the electronic processor to:
    - receive a third request to execute a second computer file;
      
      perform a second determination that the file meta-data of the second computer file does not include the first indicator in response to receiving the third request;
      
      select, in response to the second determining, a second policy from the plurality of policies based on the file meta-data of the second computer not including the first indicator; and
      
      apply the second policy to the request.
  - 10. The apparatus of claim 8, wherein the selected policy is for restricted executables.
  - 11. The apparatus of claim 9, wherein the second policy is for trusted or unrestricted files.
  - 12. The apparatus of claim 8, wherein the memory further stores instructions that configure the electronic processor to:
    - hash the file meta data; and
      
      select the first policy based at least in part on the hash of the file metadata.
  - 13. The apparatus of claim 8, wherein the memory further stores instructions that configure the electronic processor to:
    - determine whether the first indicator is associated with restricted files; and
      
      select the first policy based at least in part on whether the first indicator is associated with restricted files.
  - 14. The apparatus of claim 8, wherein the memory further stores instructions that configure the electronic processor to:
    - apply a policy for restricted executables in response to the first indicator being associated with restricted files; and
      
      apply a policy for trusted or unrestricted executables in response to the first indicator not being associated with restricted files.

15. A non-transitory computer readable storage medium comprising instructions that when executed cause an electronic processor to apply an access policy to a computer file by:
- receiving a request to modify a computer file, the computer file comprising file user data and file meta data associated with the user data;
  
  writing a first indicator to the file meta data in response to the request;
  
  receiving a second request to execute the computer file;
  
  determining, in response to receiving the second request, the file meta data includes the first indicator;
  
  selecting, in response to the determining, a first policy from a plurality of policies based on the file meta data including the first indicator; and
  
  applying the selected policy to the second request.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer readable storage medium of claim 15, further comprising instructions that when executed cause the electronic processor to apply the access policy to a computer file byreceiving a third request to execute a second computer file;
    - performing a second determination that the file meta-data of the second computer file does not include the first indicator in response to receiving the third request;
      
      selecting, in response to the second determining, a second policy from the plurality of policies based on the file meta-data of the second computer not including the first indicator; and
      
      applying the second policy to the request.
  - 17. The computer readable storage medium of claim 15, further comprising instructions that when executed cause the electronic processor to apply the access policy to a computer file by:
    - hashing the file meta data; and
      
      selecting the first policy based at least in part on the hash of the file metadata.
  - 18. The computer readable storage medium of claim 15, further comprising instructions that when executed cause the electronic processor to apply the access policy to a computer file by:
    - determining whether the first indicator is associated with a restricted file; and
      
      selecting the first policy based at least in part on whether the first indicator is associated with a restricted file.
  - 19. The computer readable storage medium of claim 18, further comprising instructions that when executed cause the electronic processor to apply the access policy to a computer file by:
    - applying a policy for restricted executables in response to the first indicator being associated with restricted files; and
      
      applying a policy for trusted or unrestricted executables in response to the first indicator not being associated with restricted files.

20. An apparatus for applying an access policy to a computer file comprising:
- means for receiving a request to modify a computer file, the computer file comprising file user data and file meta data associated with the user data;
  
  means for writing a first indicator to the file meta data in response to the request;
  
  means for receiving a second request to execute the computer file;
  
  means for determining, in response to receiving the second request, the file meta data includes the first indicator;
  
  means for selecting, in response to the determining that the file metadata includes the first indicator, a first policy from a plurality of policies based on the file meta data including the first indicator; and
  
  means for applying the selected policy to the second request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Sharma, Rajesh Kumar, Lo, Winping, Papa, Joseph
Primary Examiner(s)
LEE, JASON T

Application Number

US14/622,598
Publication Number

US 20150161380A1
Time in Patent Office

326 Days
Field of Search

726/1, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/60   Protecting data

Real time lockdown

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Real time lockdown

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links