System and method for local protection against malicious software

US 9,467,470 B2
Filed: 12/26/2014
Issued: 10/11/2016
Est. Priority Date: 07/28/2010
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory machine readable media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:

intercepting, on a computing device, a network access attempt associated witha process executing on the computing device;

determining a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;

determining trust statuses of at least the executable file and the library module;

determining whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and

performing an action if the network access attempt is not permitted,wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes intercepting a network access attempt on a computing device and determining a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether the network access attempt is permitted and blocking the network access attempt if it is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the trust status is defined as trusted if the software program file is included in a whitelist of trustworthy program files and untrusted if the software program file is not included in a whitelist. In more specific embodiments, the method includes blocking the network access attempt if the software program file has an untrusted status. In further embodiments, an event is logged if the software program file associated with the network access attempt has an untrusted status.

396 Citations

19 Claims

1. One or more non-transitory machine readable media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- intercepting, on a computing device, a network access attempt associated witha process executing on the computing device;
  
  determining a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
  
  determining trust statuses of at least the executable file and the library module;
  
  determining whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and
  
  performing an action if the network access attempt is not permitted,wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The one or more non-transitory machine readable media of claim 1, wherein the network access attempt is determined not to be permitted if no policy overrides the untrusted status.
  - 3. The one or more non-transitory machine readable media of claim 2, wherein the trust status of a particular software program file of the plurality of software program files is defined as untrusted if the particular software program file is not identified in a whitelist.
  - 4. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising:
    - searching a local cache that identifies trusted software program files, to determine a trust status of each of the plurality of software program files;
      
      querying a central server for the trust status of each software program file not identified by the local cache; and
      
      updating the local cache with identifications of any software program files determined to be trusted by the central server.
  - 5. The one or more non-transitory machine readable media of claim 1, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
  - 6. The one or more non-transitory machine readable media of claim 1, wherein at least one network hook, loaded into the process, is to intercept an application programming interface (API) associated with the network access attempt.
  - 7. The one or more non-transitory machine readable media of claim 1, wherein the network access attempt is one of an outbound network access attempt from the process or an inbound network access attempt to the process.
  - 8. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising:
    - using an operating system application programming interface to determine the plurality of software program files mapped to the process.
  - 9. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising:
    - responsive to determining the one of the software program files has the untrusted status, evaluating the network access policy to determine whether the network access policy overrides the untrusted status; and
      
      applying the network access policy to the network access attempt if the network access policy is determined to override the untrusted status.
  - 10. The one or more non-transitory machine readable media of claim 1, wherein the performing the action includes logging information related to the network access attempt if the trust status of at least one of the plurality of software program files is determined to be untrusted.

11. An apparatus, comprising:
- a protection module; and
  
  one or more processors operable to execute instructions associated with the protection module, to cause the one or more processors to;
  
  intercept, on a computing device, a network access attempt associated witha process executing on the computing device;
  
  determine a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
  
  determine trust statuses of at least the executable file and the library module;
  
  determine whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and
  
  perform an action if the network access attempt is not permitted,wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
  - 13. The apparatus of claim 11, wherein at least one network hook, loaded into the process, is to intercept an application programming interface (API) associated with the network access attempt.
  - 14. The apparatus of claim 11, the one or more processors being operable to execute further instructions associated with the protection module, to cause the one or more processors to:
    - use an operating system application programming interface to determine the plurality of software program files mapped to the process.
  - 15. The apparatus of claim 11, wherein the performing the action includes logging information related to the network access attempt if the trust status of at least one of the plurality of software program files is determined to be untrusted.

16. A method comprising:
- intercepting, on a computing device, a network access attempt associated witha process executing on the computing device;
  
  determining a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process;
  
  determining trust statuses of at least the executable file and the library module;
  
  determining whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and
  
  performing an action if the network access attempt is not permitted,wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
  - 18. The method of claim 16, wherein at least one network hook, loaded into the process, is to intercept an application programming interface (API) associated with the network access attempt.
  - 19. The method of claim 16, further comprising:
    - using an operating system application programming interface to determine the plurality of software program files mapped to the process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bhargava, Rishi, Reese, David P. Jr.
Primary Examiner(s)
Traore, Fatoumata

Application Number

US14/583,509
Publication Number

US 20150180884A1
Time in Patent Office

655 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

System and method for local protection against malicious software

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

396 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for local protection against malicious software

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

396 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links