Determining file risk based on security reputation of associated objects
Abstract
The creations of objects by files that have not been previously identified as malware are tracked. The security reputations of specific created objects are determined. Based on the determined security reputations of specific created objects, the security risks concerning the specific files that created the objects are determined. Responsive to whether a determined security risk concerning a specific creating file meets a given threshold, it is determined whether the specific creating file comprises malware. Responsive to determining that a specific creating file comprises malware, the creating file is blocked from performing the activity associated with the creation of the associated object. Responsive to determining that a creating file comprises malware, the creating file can be disabled, and an alert concerning the creating file can be transmitted to a central security server.
20 Claims
1. A computer implemented method for tracking security risks of a polymorphic file by tracking static objects generated by the polymorphic file, the method comprising the steps of:
tracking, by a computer, a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;
determining whether a security reputation for the first object meets a security threshold;
determining, by a computer, a security risk of the polymorphic file that created the first object based on the security reputation of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based on at least one of: the number of distinct first objects created by the polymorphic file and the number of times a distinct first object is created by the polymorphic file;
storing, by a computer, the security reputation for the first object in a database;
linking, by a computer, a second mutation of the polymorphic file to the first mutation by subsequently identifying the first object created by a second mutation of the polymorphic file at a second time; and
receiving, by a computer, the security risk of the polymorphic file that created the first object at the first and second times based on the determined security reputation of the first object.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
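The method of claim 1 and the abstract describe a reputation-propagation scheme: a file that is not yet known to be malware is scored by the reputation of the objects it creates, and two mutations of a polymorphic file (different hashes) are tied together because they create the same object. The following is an added illustration of that scheme written for this page; it is not code from the patent or its assignee. The reputation scale, the thresholds, the object identifiers, the file hashes and the event log are all constructed assumptions.

```python
"""Added example (not from the patent): score files by the reputation of the
objects they create, and link polymorphic mutations through shared objects.
All scores, thresholds and identifiers are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed reputation source: object id -> score in [0, 1], higher is worse.
# The page gives no scale; this one is assumed.
OBJECT_REPUTATION = {
    "obj:dropper.dll": 0.95,
    "obj:autorun.key": 0.90,
    "obj:config.ini": 0.10,
}
BAD_OBJECT_THRESHOLD = 0.80   # assumed: object reputation "meets the threshold" at >= 0.80
MIN_DISTINCT_BAD_OBJECTS = 2  # assumed: malware if >= 2 distinct bad objects were created ...
MIN_REPEAT_CREATIONS = 3      # ... or if one bad object was created >= 3 times


@dataclass
class Tracker:
    # file_hash -> object_id -> number of times that file created that object
    creations: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    # object_id -> set of file hashes that created it (basis for linking mutations)
    creators: dict = field(default_factory=lambda: defaultdict(set))
    # object_id -> reputation, cached once looked up ("storing ... in a database")
    reputation_db: dict = field(default_factory=dict)
    # file_hash -> timestamps at which it was seen creating tracked objects
    seen_at: dict = field(default_factory=lambda: defaultdict(list))

    def track_creation(self, file_hash, object_id, timestamp):
        """Record one object-creation event by a file not yet known as malware."""
        self.creations[file_hash][object_id] += 1
        self.creators[object_id].add(file_hash)
        self.seen_at[file_hash].append(timestamp)
        self.reputation_db.setdefault(object_id, OBJECT_REPUTATION.get(object_id, 0.0))

    def bad_objects(self, file_hash):
        """Objects created by the file whose reputation meets the threshold."""
        return {obj: n for obj, n in self.creations[file_hash].items()
                if self.reputation_db.get(obj, 0.0) >= BAD_OBJECT_THRESHOLD}

    def is_malware(self, file_hash):
        """Verdict for one file: distinct bad objects, or repeated creation of one."""
        bad = self.bad_objects(file_hash)
        if len(bad) >= MIN_DISTINCT_BAD_OBJECTS:
            return True
        return any(n >= MIN_REPEAT_CREATIONS for n in bad.values())

    def linked_mutations(self, file_hash):
        """Other hashes that created one of this file's bad objects.
        Only bad objects are used for linking: common benign objects (a shared
        config file) would otherwise tie unrelated files together."""
        linked = set()
        for obj in self.bad_objects(file_hash):
            linked |= self.creators[obj]
        linked.discard(file_hash)
        return linked

    def family_is_malware(self, file_hash):
        """Verdict over the file plus every mutation linked to it."""
        family = {file_hash} | self.linked_mutations(file_hash)
        return any(self.is_malware(h) for h in family)


# Constructed event log: (file hash, created object, timestamp). Hashes are fake.
SAMPLE_EVENTS = [
    ("sha256:AAAA", "obj:dropper.dll", 1),   # first mutation, first time
    ("sha256:AAAA", "obj:config.ini", 1),
    ("sha256:BBBB", "obj:dropper.dll", 2),   # second mutation, same object, later time
    ("sha256:BBBB", "obj:autorun.key", 2),
    ("sha256:CCCC", "obj:config.ini", 3),    # unrelated file sharing only a benign object
    ("sha256:DDDD", "obj:autorun.key", 4),   # one bad object created repeatedly
    ("sha256:DDDD", "obj:autorun.key", 5),
    ("sha256:DDDD", "obj:autorun.key", 6),
]


def run_sample():
    """Feed the constructed events through a Tracker and return it."""
    tracker = Tracker()
    for file_hash, object_id, ts in SAMPLE_EVENTS:
        tracker.track_creation(file_hash, object_id, ts)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for h in ("sha256:AAAA", "sha256:BBBB", "sha256:CCCC", "sha256:DDDD"):
        print(h, "alone:", t.is_malware(h), "family:", t.family_is_malware(h),
              "linked:", sorted(t.linked_mutations(h)), "seen at:", t.seen_at[h])
```

On the sample, the first mutation (AAAA) creates only one bad object and so falls below both thresholds on its own; the second mutation (BBBB) is linked to it through the shared object and trips the distinct-object rule, so the family verdict for AAAA becomes malware even though its own creations did not. DDDD shows the other branch of the claim, the repeat-count rule. Linking only through objects whose reputation meets the threshold is a design choice made here to keep a shared benign object (CCCC's config file) from pulling an unrelated file into the family.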
10. At least one non-transitory computer readable storage medium storing a computer program product for tracking security risks of a polymorphic file by tracking static objects generated by the polymorphic file, the computer program product comprising:
program code for tracking a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;
program code for determining whether a security reputation for the first object meets a security threshold;
program code for determining a security risk of the polymorphic file that created the first object based on the security reputation of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based on at least one of: the number of distinct first objects created by the polymorphic file and the number of times a distinct first object is created by the polymorphic file;
program code for storing the security reputation for the first object in a database;
program code for linking a second mutation of the polymorphic file to the first mutation by subsequently identifying the first object created by a second mutation of the polymorphic file at a second time; and
program code for receiving the security risk of the polymorphic file that created the first object at the first and second times based on the determined security reputation of the first object.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A computer system for tracking security risks of a polymorphic file by tracking static objects generated by the polymorphic file, the computer system comprising:
means for tracking a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;
means for determining whether a security reputation for the first object meets a security threshold;
means for determining a security risk of the polymorphic file that created the first object based on the security reputation of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based on at least one of: the number of distinct first objects created by the polymorphic file and the number of times a distinct first object is created by the polymorphic file;
means for storing the security reputation for the first object in a database;
means for linking a second mutation of the polymorphic file to the first mutation by subsequently identifying the first object created by a second mutation of the polymorphic file at a second time; and
means for receiving the security risk of the polymorphic file that created the first object at the first and second times based on the determined security reputation of the first object.
Dependent claims: 20