Server-assisted anti-malware client

US 9,311,480 B2
Filed: 03/15/2013
Issued: 04/12/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

receive a query from a particular host device;

identify a file detected by an antimalware tool local to the particular host device;

determine that the particular host device is associated with a particular one of a plurality of domains, wherein each domain corresponds to a respective network;

identify that a particular one of a plurality of sets of rules corresponds to the particular domain;

determine a particular security score for the file based on the particular set of rules, wherein a different security score is to be determined for the file when detected local to a host device in a different one of the plurality of domains;

determine particular reputation data for the file based at least in part on the security score, wherein the particular reputation data includes the security score and information detected by one or more other devices identifying characteristics of the file relevant to the antimalware tool; and

send a response to the query to the particular host device, wherein the response includes the particular reputation data.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An antimalware support system is provided to support one or more host-based antimalware clients. A query is received from a particular host device that identifies a file detected by an antimalware tool local to the particular host device. Reputation data is determined for the file, and a response to the query is sent to the particular host device. The query response includes the reputation data determined for the file.

58 Citations

View as Search Results

22 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive a query from a particular host device;
  
  identify a file detected by an antimalware tool local to the particular host device;
  
  determine that the particular host device is associated with a particular one of a plurality of domains, wherein each domain corresponds to a respective network;
  
  identify that a particular one of a plurality of sets of rules corresponds to the particular domain;
  
  determine a particular security score for the file based on the particular set of rules, wherein a different security score is to be determined for the file when detected local to a host device in a different one of the plurality of domains;
  
  determine particular reputation data for the file based at least in part on the security score, wherein the particular reputation data includes the security score and information detected by one or more other devices identifying characteristics of the file relevant to the antimalware tool; and
  
  send a response to the query to the particular host device, wherein the response includes the particular reputation data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The storage medium of claim 1, wherein determining the particular reputation data includes identifying predetermined reputation data for the file.
  - 3. The storage medium of claim 2, wherein the predetermined reputation data is based on an encounter of the file by another host device.
  - 4. The storage medium of claim 1, wherein the query includes identification of a certificate of the file and at least one behavior of the file.
  - 5. The storage medium of claim 1, wherein the security score for the file is determined based at least in part on information included in the query.
  - 6. The storage medium of claim 5, wherein the security score is further based on predetermined reputation data for the file provided by one or more other host devices.
  - 7. The storage medium of claim 5, wherein the security score is further based on intelligence data received from a remote threat intelligence system.
  - 8. The storage medium of claim 1, wherein determining the reputation data includes initiating a scan of the file, wherein the reputation data includes results of the scan.
  - 9. The storage medium of claim 8, wherein initiating the scan includes selecting one or more particular scanners from a plurality of remote scanners for use in the scanning of the file.
  - 10. The storage medium of claim 9, wherein selecting the one or more particular scanners is based, at least in part, on the particular reputation data.

11. A method comprising:
- receiving a query from a particular host device;
  
  identifying a file detected by an antimalware tool local to the particular host device;
  
  determining that the particular host device is associated with a particular one of a plurality of domains, wherein each domain corresponds to a respective network;
  
  identifying that a particular one of a plurality of sets of rules corresponds to the particular domain;
  
  determine a particular security score for the file based on the particular set of rules, wherein a different security score is to be determined for the file when detected local to a host device in a different one of the plurality of domains;
  
  determine particular reputation data for the file based at least in part on the security score, wherein the particular reputation data includes the security score and information detected by one or more other devices identifying characteristics of the file relevant to the antimalware tool; and
  
  sending a response to the query to the particular host device, wherein the response includes the particular reputation data.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the query includes local reputation data collected by the antimalware tool.
  - 13. The method of claim 12, wherein the local reputation data includes identification of a certificate of the file.
  - 14. The method of claim 12, wherein the local reputation data includes behaviors of the file detected by the antimalware tool.
  - 15. The method of claim 12, further comprising:
    - maintaining, in a data store for a domain, records describing a plurality of files, wherein the records are based on information obtained from a plurality of host devices in the domain including the particular host device; and
      
      supplementing information for a record of the data store corresponding to the file based on the local reputation data.
  - 16. The method of claim 15, wherein at least a portion of the information obtained from the plurality of host devices was received in connection with a query by another one of the plurality of host devices.
  - 17. The method of claim 11, wherein the query includes a hash of the file.

18. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  an antimalware support server adapted when executed by the at least one processor device to;
  
  receive a query from a particular host device;
  
  identify a file detected by an antimalware tool local to the particular host device;
  
  determine that the particular host device is associated with a particular one of a plurality of domains, wherein each domain corresponds to a respective network;
  
  identify that a particular one of a plurality of sets of rules corresponds to the particular domain;
  
  determine a particular security score for the file based on the particular set of rules, wherein a different security score is to be determined for the file when detected local to a host device in a different one of the plurality of domains;
  
  determine particular reputation data for the file based at least in part on the security score, wherein the particular reputation data includes the security score and information detected by one or more other devices identifying characteristics of the file relevant to the antimalware tool; and
  
  send a response to the query to the particular host device, wherein the response includes the particular reputation data.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The system of claim 18, further comprising a plurality of host devices including the particular host device.
  - 20. The system of claim 18, wherein the antimalware tool is adapted to detect a portion of a set of characteristics of the file and attempt to decide whether to allow the file to load on the particular host device based at least on the portion of the set of characteristics.
  - 21. The system of claim 20, wherein the query is based on a determination that the portion of the set of characteristics is insufficient to decide whether to allow the file to load on the particular host device.
  - 22. The system of claim 21, wherein the response to the query describes additional characteristics of the particular host device and the antimalware tool is to attempt to decide whether to allow the file further based on the additional characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Teddy, John D., Bean, James Douglas, Dalcher, Gregory William, Hetzler, Jeff, Woodruff, Andrew Arlin
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
McCoy, Richard

Application Number

US13/976,994
Publication Number

US 20140283066A1
Time in Patent Office

1,124 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/51 at application loading time...

G06F 21/56 Computer malware detection ...

Server-assisted anti-malware client

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Server-assisted anti-malware client

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links