Server-assisted anti-malware client

US 9,614,865 B2
Filed: 03/15/2013
Issued: 04/04/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

identify, using an antimalware client executed on a host device, a file in memory of the host device;

determine, at the antimalware client, attributes of the file relating to reputation of the file;

send a query from the host device to an antimalware support system relating to the file, wherein the query is to include local reputation data describing the attributes of the file and the query further comprises a request for the antimalware support system to perform a reputation analysis of the file in response to the query;

receive, in response to the query, particular reputation data from the antimalware support system, wherein the particular reputation data is generated by the antimalware support system during the reputation analysis based at least in part on the local reputation data;

receive a remediation script from the antimalware support system based on the query;

run the remediation script on the antimalware client to remove the file from the memory of the host device; and

use the antimalware client to dispose of the remediation script following the removal of the file.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host-based antimalware client can interface with a server-based antimalware support server. A file is identified at a host device. It is determined whether local reputation data for the file is available at the host device for the file. A query is sent to an antimalware support system relating to the file. Particular reputation data is received from the antimalware support system corresponding to the query. It is determined whether to allow the file to be loaded on the host device based at least in part on the particular reputation data.

74 Citations

View as Search Results

17 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- identify, using an antimalware client executed on a host device, a file in memory of the host device;
  
  determine, at the antimalware client, attributes of the file relating to reputation of the file;
  
  send a query from the host device to an antimalware support system relating to the file, wherein the query is to include local reputation data describing the attributes of the file and the query further comprises a request for the antimalware support system to perform a reputation analysis of the file in response to the query;
  
  receive, in response to the query, particular reputation data from the antimalware support system, wherein the particular reputation data is generated by the antimalware support system during the reputation analysis based at least in part on the local reputation data;
  
  receive a remediation script from the antimalware support system based on the query;
  
  run the remediation script on the antimalware client to remove the file from the memory of the host device; and
  
  use the antimalware client to dispose of the remediation script following the removal of the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The storage medium of claim 1, wherein the instructions when executed on a machine, further cause the machine to determine whether to allow the file to be loaded on the host device based, at least in part, on the local reputation data.
  - 3. The storage medium of claim 1, wherein the particular reputation data describes behaviors of the file.
  - 4. The storage medium of claim 1, wherein the host device is of a particular type and at least one rule for determining whether to allow the file to be loaded on the host device is for host devices of the particular type.
  - 5. The storage medium of claim 1, wherein a copy of the file is to be sent with the query to the antimalware support system.
  - 6. The storage medium of claim 1, wherein the instructions when executed on a machine, further cause the machine to generate a hash of the file, wherein the file is to be identified by the hash in the query.
  - 7. The storage medium of claim 1, wherein the instructions when executed on a machine, further cause the machine to scan the file to identify one or more characteristics of the file to be included in the local reputation data.
  - 8. The storage medium of claim 1, wherein the local reputation data includes a certificate of the file and wherein the instructions when executed on a machine, further cause the machine to determine whether to allow the file to be loaded on the host device based at least in part on the certificate.
  - 9. The storage medium of claim 8, wherein the instructions when executed on a machine, further cause the machine to determine whether the certificate is included in a listing of approved certificates for a domain.
  - 10. The storage medium of claim 8, wherein the instructions when executed on a machine, further cause the machine to determine whether the certificate is a certificate of one of a set of trusted publishers identified for a domain.

11. A method comprising:
- identifying, using an antimalware client executed on a host device, a file local to the host device;
  
  determining, using the antimalware client, attributes of the file;
  
  sending a query from the host device to an antimalware support system relating to the file,wherein the query is to include local reputation data describing the attributes of the file and the query further comprises a request for the antimalware support system to perform a reputation analysis of the file in response to the query;
  
  receiving particular reputation data from the antimalware support system, wherein the particular reputation data is generated by the antimalware support system during the reputation analysis based at least in part on the local reputation data;
  
  receiving a remediation script from the antimalware support system based on the query;
  
  running the remediation script on the antimalware client to remove the file from memory of the host device; and
  
  using the antimalware client to dispose of the remediation script following the removal of the file.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the file comprises an executable file.
  - 13. The method of claim 11, wherein the local reputation data is determined to be available for the file at the host device, and the method further comprises determining that the local reputation data is insufficient to determine whether to allow the file to be loaded on the host device.
  - 14. The method of claim 11, wherein the particular reputation data includes a previously-determined reputation score for the file.
  - 15. The method of claim 14, wherein the file is to be allowed to load on the host device when the reputation score is above a corresponding threshold score.

16. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  an antimalware client local to a host device and adapted when executed by the at least one processor device to;
  
  identify a file local to the host device;
  
  scan the file to identify characteristics of the file;
  
  generate local reputation data at the host device based on the characteristics of the file;
  
  send a query to an antimalware support system relating to the file, wherein the query is to include the local reputation data and comprises a request for the antimalware support system to perform a reputation analysis of the file in response to the query;
  
  receive, in response to the query, particular reputation data from the antimalware support system, wherein the particular reputation data is generated by the antimalware support system during the reputation analysis based at least in part on the local reputation data;
  
  receive a remediation script from the antimalware support system based on the query;
  
  run the remediation script on the antimalware client to remove the file from memory of the host device; and
  
  use the antimalware client to dispose of the remediation script following the removal of the file.
- View Dependent Claims (17)
- - 17. The system of claim 16, further comprising the antimalware support system to determine additional reputation data for the file based on the query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Teddy, John, Bean, James Douglas, Dalcher, Gregory William, Hetzler, Jeff
Primary Examiner(s)
McNally, Michael S
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US13/976,988
Publication Number

US 20140283065A1
Time in Patent Office

1,481 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/145   the attack involving the pr...

H04L 67/06   specially adapted for file ...

H04L 67/34   involving the movement of s...

Server-assisted anti-malware client

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Server-assisted anti-malware client

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links