Confirming a malware infection on a client device using a remote access connection tool to identify a malicious file based on fuzzy hashes
First Claim
1. A device, comprising:
- one or more processors to:
receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file, a client device, of the set of client devices, being infected by the malicious file when the malicious file was executed or the malicious file is executing on the client device;
generate file identification information associated with the malicious file based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file, the file identification information including a first set of fuzzy hashes associated with execution results of the malicious file;
obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file, the connection tool providing access to the one or more client devices;
obtain information, associated with the one or more client devices, using the remote access, the information including one or more second sets of fuzzy hashes, each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;
determine, based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious file;
generate, based on determining that the one or more client devices are infected by the malicious file and based on the one or more second sets of fuzzy hashes, a prioritization order for remediating the set of client devices; and
provide, based on the file identification information and the information associated with the one or more client devices, information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the set of client devices.
Abstract
A device may receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file. The device may generate file identification information associated with the malicious file based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain information, associated with the one or more client devices, using the remote access. The device may provide information indicating whether the one or more client devices are infected by the malicious file based on the file identification information and the information associated with the one or more client devices.
32 Citations
20 Claims
1. (Independent claim; set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
generate file identification information associated with a malicious file to determine whether one or more client devices are infected by the malicious file, a client device, of the one or more client devices, being infected by the malicious file when the malicious file was executed or the malicious file is executing on the client device, and the file identification information including a first set of fuzzy hashes associated with executing the malicious file;
obtain remote access to the one or more client devices using a connection tool to determine whether the one or more client devices are infected by the malicious file, the connection tool providing access to the one or more client devices;
obtain information, associated with the one or more client devices, using the remote access, the information including one or more second sets of fuzzy hashes, each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;
determine, based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious file;
generate, based on determining that the one or more client devices are infected by the malicious file and based on the one or more second sets of fuzzy hashes, a prioritization order for remediating the one or more client devices; and
provide, based on the file identification information and the information associated with the one or more client devices, information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the one or more client devices.
Dependent claims: 9, 10, 12, 13, 14.
11. The non-transitory computer-readable medium of claim wherein the execution results are associated with at least one of:
- a file generated during execution of the malicious file in the testing environment,
- a file modified during execution of the malicious file in the testing environment,
- a registry key created during execution of the malicious file in the testing environment,
- a registry key modified during execution of the malicious file in the testing environment, or
- a process operating during execution of the malicious file in the testing environment.
15. A method, comprising:
generating, by a device, file identification information associated with a malicious file to determine whether one or more client devices are infected by the malicious file, a client device, of the one or more client devices, being infected by the malicious file when the malicious file was executed or the malicious file is executing on the client device, and the file identification information including a first set of fuzzy hashes associated with executing the malicious file;
obtaining, by the device, remote access to the one or more client devices to determine whether the one or more client devices are infected by the malicious file;
obtaining, by the device, information associated with the one or more client devices using the remote access, the information including one or more second sets of fuzzy hashes, each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;
determining, by the device and based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious file;
generating, by the device, based on determining that the one or more client devices are infected by the malicious file, and based on the one or more second sets of fuzzy hashes, a prioritization order for remediating the one or more client devices; and
providing, by the device and based on the file identification information and the information associated with the one or more client devices, information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the one or more client devices.
Dependent claims: 16, 17, 18, 19, 20.
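The independent claims (1, 8 and 15) and the abstract describe one pipeline: hash the artifacts a sample produces in a sandbox (the first set of fuzzy hashes), pull the corresponding hashes from each client over a remote connection (the second sets), compare, and order the infected clients for remediation. The following is an added example of that pipeline in Python; it is not code from the patent or from any assignee or vendor. The claims name no particular fuzzy-hash algorithm, so the example uses a compact context-triggered piecewise hash in the spirit of ssdeep (fixed block size, no secondary signature, no 64-character cap; it is not ssdeep). Every identifier, the 256-byte exact-match fallback, the 70-point match threshold and the remediation ordering rule are assumptions of this example, and the collection over the connection tool is stood in for by client reports constructed inline.

```python
"""Added example (not the patent's or any vendor's code): a small context-
triggered piecewise hash (CTPH, the idea behind ssdeep) plus the compare and
prioritise steps of claims 1, 8 and 15 over constructed data. Not ssdeep: one
fixed block size, no second signature, no 64-character cap."""
from __future__ import annotations
import hashlib
import random
from dataclasses import dataclass

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW, BLOCK_SIZE = 7, 16     # rolling-hash context; fixed block size (ssdeep scales it)
MIN_FUZZY_LEN = 256            # assumption: shorter artifacts are hashed exactly instead
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193

def fuzzy_hash(data: bytes) -> str:
    """'blocksize:signature'. A rolling hash of the last WINDOW bytes decides where
    chunks end, so a local edit changes only nearby signature characters (unlike
    SHA-256). Inputs under MIN_FUZZY_LEN get an exact marker '0:<sha256>' instead."""
    if len(data) < MIN_FUZZY_LEN:
        return "0:" + hashlib.sha256(data).hexdigest()
    sig, chunk, window, h1, h2, h3 = [], FNV_BASIS, [0] * WINDOW, 0, 0, 0
    for i, b in enumerate(data):
        old, window[i % WINDOW] = window[i % WINDOW], b
        h1 += b - old                       # plain sum of the window
        h2 += h1 - WINDOW * old             # position-weighted sum of the window
        h3 = ((h3 << 5) ^ b) & 0xFFFFFFFF   # shift-xor; old bytes fall off the top
        chunk = ((chunk ^ b) * FNV_PRIME) & 0xFFFFFFFF      # FNV-1a of the current chunk
        if (h1 + h2 + h3) % BLOCK_SIZE == BLOCK_SIZE - 1:   # context trigger: chunk ends
            sig.append(B64[chunk & 63])
            chunk = FNV_BASIS
    if chunk != FNV_BASIS:                  # trailing partial chunk
        sig.append(B64[chunk & 63])
    return f"{BLOCK_SIZE}:{''.join(sig)}"

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein with insert/delete cost 1 and substitute cost 2 (ssdeep's weights)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def compare(x: str, y: str) -> int:
    """Similarity 0..100. Like ssdeep, refuse to score signatures that share no
    7-gram; that removes chance matches between short or unrelated artifacts."""
    if x == y:
        return 100
    bx, sx = x.split(":", 1)
    by, sy = y.split(":", 1)
    if bx != by or bx == "0" or not any(sx[i:i + 7] in sy for i in range(len(sx) - 6)):
        return 0
    return max(0, 100 - 100 * _edit_distance(sx, sy) // (len(sx) + len(sy)))

@dataclass
class ClientReport:
    """Second set of fuzzy hashes for one client (artifact name -> hash), as returned over remote access."""
    client_id: str
    artifacts: dict[str, str]

def reference_hashes(execution_results: dict[str, bytes]) -> dict[str, str]:
    """First set: one fuzzy hash per artifact the sample produced in the sandbox."""
    return {name: fuzzy_hash(blob) for name, blob in execution_results.items()}

def match_client(ref: dict[str, str], rep: ClientReport, threshold: int = 70) -> list[tuple[str, str, int]]:
    """(client artifact, sandbox artifact, score) for every pair scoring at or above threshold."""
    hits = []
    for c_name, c_hash in rep.artifacts.items():
        for r_name, r_hash in ref.items():
            score = compare(c_hash, r_hash)
            if score >= threshold:
                hits.append((c_name, r_name, score))
    return hits

def prioritise(ref: dict[str, str], reports: list[ClientReport], threshold: int = 70) -> list[tuple[str, int, int]]:
    """Infected clients in remediation order (assumed rule): most matched artifacts, then best score, then id."""
    ranked = []
    for rep in reports:
        hits = match_client(ref, rep, threshold)
        if hits:
            ranked.append((rep.client_id, len(hits), max(s for _, _, s in hits)))
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))

def _blob(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a dropped binary (constructed data)."""
    return random.Random(seed).getrandbits(8 * n).to_bytes(n, "big")

SANDBOX_RESULTS = {   # constructed execution results of the "malicious file"
    "dropped/payload.dll": _blob(1, 4000),
    "dropped/loader.exe": _blob(2, 3000),
    "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/updater": b"C:\\Users\\Public\\updater.exe --quiet",
}

def demo_reports() -> list[ClientReport]:
    """Constructed: ws-01 holds a 4-byte-patched payload, ws-02 every artifact unchanged, ws-03 an unrelated file."""
    patched = bytearray(SANDBOX_RESULTS["dropped/payload.dll"])
    patched[2000:2004] = b"\x90\x90\x90\x90"
    intact = {name: fuzzy_hash(blob) for name, blob in SANDBOX_RESULTS.items()}
    return [ClientReport("ws-01", {"C:/ProgramData/x.dll": fuzzy_hash(bytes(patched))}),
            ClientReport("ws-02", intact),
            ClientReport("ws-03", {"C:/Temp/c.dll": fuzzy_hash(_blob(99, 4000))})]
```

Running `prioritise(reference_hashes(SANDBOX_RESULTS), demo_reports())` puts ws-02 first (three matching artifacts, all scoring 100) and ws-01 second (one artifact in the high 90s, since the patch only perturbs the chunks around the edited bytes); ws-03 is not reported at all. Two caveats the claims leave open are built in: a registry value or short command line carries too little context for a piecewise hash, so anything under 256 bytes is compared exactly; and ssdeep itself chooses the block size from the input length and will not score signatures built at different block sizes, which is why the real tool reports a block size in front of every signature and this sketch keeps the same `blocksize:` prefix.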
Specification