System and method for local protection against malicious software
Abstract
A method in one example implementation includes intercepting a network access attempt on a computing device and determining a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether the network access attempt is permitted and blocking the network access attempt if it is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the trust status is defined as trusted if the software program file is included in a whitelist of trustworthy program files and untrusted if the software program file is not included in a whitelist. In more specific embodiments, the method includes blocking the network access attempt if the software program file has an untrusted status. In further embodiments, an event is logged if the software program file associated with the network access attempt has an untrusted status.
19 Claims
1. One or more non-transitory machine readable media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- intercepting, on a computing device, a network access attempt associated with a process executing on the computing device;
- determining a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
- determining trust statuses of at least the executable file and the library module;
- determining whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and
- performing an action if the network access attempt is not permitted, wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. An apparatus, comprising:
- a protection module; and
- one or more processors operable to execute instructions associated with the protection module, to cause the one or more processors to:
- intercept, on a computing device, a network access attempt associated with a process executing on the computing device;
- determine a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
- determine trust statuses of at least the executable file and the library module;
- determine whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and
- perform an action if the network access attempt is not permitted, wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
Dependent claims: 12, 13, 14, 15.
16. A method comprising:
- intercepting, on a computing device, a network access attempt associated with a process executing on the computing device;
- determining a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
- determining trust statuses of at least the executable file and the library module;
- determining whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and
- performing an action if the network access attempt is not permitted, wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
Dependent claims: 17, 18, 19.
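The decision procedure shared by the three independent claims (map the process to its executable and loaded libraries, look up each file's trust status in a whitelist, permit the attempt only when every file is trusted or, for an untrusted file, the destination is in that file's allowed set, and log untrusted activity) as an added illustration; this is not the patent's code, and the whitelist, policies, process map and addresses below are constructed, with trust keyed by file path for brevity where a real whitelist would key on a file hash or signature.

```python
from typing import NamedTuple


class Decision(NamedTuple):
    permitted: bool
    reason: str


# Constructed whitelist of trustworthy program files (assumption: keyed by path).
WHITELIST = {"/usr/bin/curl", "/lib/libc.so.6", "/lib/libssl.so.3"}

# Constructed network access policy for an untrusted file: the set of
# destination addresses it is still allowed to reach.
NETWORK_POLICY = {"/opt/vendor/libtelemetry.so": {"198.51.100.7"}}

# Constructed process map: pid -> (executable file, loaded library modules).
PROCESS_MAP = {
    1001: ("/usr/bin/curl", ["/lib/libc.so.6", "/lib/libssl.so.3"]),
    1002: ("/usr/bin/curl", ["/lib/libc.so.6", "/opt/vendor/libtelemetry.so"]),
    1003: ("/tmp/unknown_tool", ["/lib/libc.so.6"]),
}

# Events logged for every untrusted file seen in a network access attempt.
EVENT_LOG: list = []


def trust_status(path: str) -> str:
    """Trusted if the file is in the whitelist, untrusted otherwise."""
    return "trusted" if path in WHITELIST else "untrusted"


def check_network_access(pid: int, destination: str) -> Decision:
    """Evaluate an intercepted network access attempt for process `pid`."""
    executable, libraries = PROCESS_MAP[pid]
    for path in [executable, *libraries]:
        if trust_status(path) == "trusted":
            continue
        # Untrusted file: record the event, then apply its network access policy.
        EVENT_LOG.append(f"pid={pid} untrusted file {path} attempted {destination}")
        if destination in NETWORK_POLICY.get(path, set()):
            continue  # untrusted, but this destination is explicitly allowed
        return Decision(False, f"blocked: untrusted file {path} may not reach {destination}")
    return Decision(True, "permitted: all mapped files trusted or destination allowed by policy")
```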
Specification