System and method for preventing data loss using virtual machine wrapped applications

US 9,552,497 B2
Filed: 11/10/2009
Issued: 01/24/2017
Est. Priority Date: 11/10/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request from a host operating system outside a virtual machine for access to a data from a browser within the virtual machine;

evaluating a criterion of a policy to determine whether to permit the access to the data, wherein the evaluating is performed in response to a determination that a master image is not available, the master image corresponding to a version of the virtual machine;

downloading the browser, in response to a determination that the browser is not being used;

comparing the browser to the master image to determine if the browser is current;

updating the browser if the browser is determined, based on the master image, to not be current, wherein the browser is part of an application suite wrapped in the virtual machine; and

creating a buffer for manipulating the data within the virtual machine, based on the criterion of the policy, wherein the buffer cannot be accessed by the host operating system.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion.

240 Citations

17 Claims

1. A method, comprising:
- receiving a request from a host operating system outside a virtual machine for access to a data from a browser within the virtual machine;
  
  evaluating a criterion of a policy to determine whether to permit the access to the data, wherein the evaluating is performed in response to a determination that a master image is not available, the master image corresponding to a version of the virtual machine;
  
  downloading the browser, in response to a determination that the browser is not being used;
  
  comparing the browser to the master image to determine if the browser is current;
  
  updating the browser if the browser is determined, based on the master image, to not be current, wherein the browser is part of an application suite wrapped in the virtual machine; and
  
  creating a buffer for manipulating the data within the virtual machine, based on the criterion of the policy, wherein the buffer cannot be accessed by the host operating system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - updating the policy through an administration module included in a virtual machine monitor to modify the criterion.
  - 3. The method of claim 1, wherein the policy includes a criterion permitting an attempt to transmit the data to another application.
  - 4. The method of claim 1, wherein a criterion of the policy permits a transmission of the data to a client device if the client device is requesting the access to the browser from within a secured network environment, and prohibits the transmission of the data to the client device if the client device is requesting the access to the browser from an unsecured network environment.
  - 5. The method of claim 1, further comprising:
    - creating a log for recording an entry corresponding to data transmitted from the virtual machine.
  - 6. The method of claim 1, further comprising:
    - sending an email message from a mail client within a virtual machine to a secure mail proxy; and
      
      extracting data from the email message if a criterion of the policy indicates that a recipient of the email message is not authorized to receive the extracted data.

7. One or more non-transitory computer readable storage media that include codes for execution that, when executed by a processor, are operable to perform operations comprising:
- receiving a request from a host operating system outside a virtual machine for access to a data from a browser within the virtual machine;
  
  evaluating a criterion of a policy to determine whether to permit the access to the data, wherein the evaluating is performed in response to a determination that a master image is not available, the master image corresponding to a version of the virtual machine;
  
  downloading the browser, in response to a determination that the browser is not being used;
  
  comparing the browser to the master image to determine if the browser is current;
  
  updating the browser if the browser is determined, based on the master image, to not be current, wherein the browser is part of an application suite wrapped in the virtual machine; and
  
  creating a buffer for manipulating the data within the virtual machine, based on the criterion of the policy, wherein the buffer cannot be accessed by the host operating system.
- View Dependent Claims (8, 9, 10, 16, 17)
- - 8. The media of claim 7, the operations further comprising:
    - updating the policy through an administration module included in a virtual machine monitor to modify the criterion.
  - 9. The media of claim 7, wherein the policy includes a criterion permitting an attempt to transmit the data to another application.
  - 10. The media of claim 7, wherein a criterion of the policy permits a transmission of the data to a client device if the client device is requesting the access to the browser from within a secured network environment, and prohibits the transmission of the data to the client device if the client device is requesting the access to the browser from an unsecured network environment.
  - 16. The media of claim 7, wherein the policy is configured in the virtual machine before the virtual machine is deployed.
  - 17. The media of claim 7, wherein if a client has the version of the virtual machine, access to the virtual machine is allowed.

11. An apparatus, comprising:
- a memory element; and
  
  a processor that executes instructions associated with the memory element, wherein the apparatus is configured forreceiving a request from a host operating system outside a virtual machine for access to a data from at least one browser within the virtual machine;
  
  evaluating, in response to a determination that a master image is not available, a criterion of a policy to determine whether to permit the access to the data, the master image corresponding to a version of the virtual machine;
  
  downloading the at least one browser, in response to a determination that the at least one browser is not being used;
  
  comparing the at least one browser to the master image to determine if the at least one browser is current;
  
  updating the at least one browser if the at least one browser is determined, based on the master image, to not be current, wherein the at least one browser is part of an application suite wrapped in the virtual machine; and
  
  creating a buffer for manipulating the data within the virtual machine, based on the criterion of the policy, wherein the buffer cannot be accessed by the host operating system.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the policy includes a criterion permitting an attempt to transmit the data to another application.
  - 13. The apparatus of claim 11, wherein a criterion of the policy permits a transmission of the data to a client device if the client device is requesting the access to the at least one browser from within a secured network environment, and prohibits the transmission of the data to the client device if the client device is requesting the access to the at least one browser from an unsecured network environment.
  - 14. The apparatus of claim 11, wherein the buffer is within the virtual machine.
  - 15. The apparatus of claim 11, wherein the processor is configured tosend an email message from a mail client within a virtual machine to a secure mail proxy;
    - andextract data from the email message if a criterion of the policy indicates that a recipient of the email message is not authorized to receive the extracted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Agarwal, Sonali, Tarbotton, Lee Codel Lawson
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Le, Canh

Application Number

US12/615,521
Publication Number

US 20110113467A1
Time in Patent Office

2,632 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/128   involving web programs, i.e...

G06F 21/53   by executing in a restricte...

G06F 21/6281   at program execution time, ...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

System and method for preventing data loss using virtual machine wrapped applications

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

240 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing data loss using virtual machine wrapped applications

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

240 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links