Mapping process changes

US 9,824,205 B2
Filed: 12/14/2016
Issued: 11/21/2017
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

identifying one or more characteristics of a particular process that is to be run in an isolated environment and that is characterized as possibly malware;

before the particular process is run in the isolated environment, selecting, by a process manager running on a computer system and based on one or more of the characteristics of the particular process, a particular permission scheme from among (i) a first permission scheme in which a user is prompted for permission a single time in advance of a first change being made to a copy object by the particular process and is not subsequently prompted for permission for any other change being made to the copy object by the particular process after that, and (ii) a second permission scheme in which the user is prompted for permission in response to each change being made to the copy object by the particular process;

obtaining, by the process manager and according to the particular permission scheme, an isolated copy object that (a) is in the isolated environment, and (b) corresponds to an actual object that is not in the isolated environment;

after selecting the particular permission scheme, running the particular process in the isolated environment on the computer system, thereby generating one or more changes to the isolated copy object; and

copying, by the process manager and according to the particular permission scheme, one or more of the changes to the isolated copy object to the actual object that is not in the isolated environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, a computer-implemented method includes receiving a request to run a particular process; determining whether the particular process is to be run in isolation on the computer system; selecting a particular permission scheme from among a plurality of permission schemes based, at least in part, on one or more characteristics of the particular process; fetching, according to the particular permission scheme, a copy object that corresponds to an actual object for the particular process, wherein the copy object is instantiated in an isolated environment; running the particular process is isolation on the computer system by executing the copy object in the isolated environment; applying, according to the particular permission scheme, one or more changes to the copy object; and mapping, according to the particular permission scheme, the one or more changes in the copy object to the actual object.

101 Citations

18 Claims

1. A computer-implemented method comprising:
- identifying one or more characteristics of a particular process that is to be run in an isolated environment and that is characterized as possibly malware;
  
  before the particular process is run in the isolated environment, selecting, by a process manager running on a computer system and based on one or more of the characteristics of the particular process, a particular permission scheme from among (i) a first permission scheme in which a user is prompted for permission a single time in advance of a first change being made to a copy object by the particular process and is not subsequently prompted for permission for any other change being made to the copy object by the particular process after that, and (ii) a second permission scheme in which the user is prompted for permission in response to each change being made to the copy object by the particular process;
  
  obtaining, by the process manager and according to the particular permission scheme, an isolated copy object that (a) is in the isolated environment, and (b) corresponds to an actual object that is not in the isolated environment;
  
  after selecting the particular permission scheme, running the particular process in the isolated environment on the computer system, thereby generating one or more changes to the isolated copy object; and
  
  copying, by the process manager and according to the particular permission scheme, one or more of the changes to the isolated copy object to the actual object that is not in the isolated environment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, comprising:
    - outputting, by the computer system and before obtaining the isolated copy object, information to prompt the user to provide permission for changes to the isolated copy object in advance of any changes being made; and
      
      receiving, at the computer system and before obtaining the isolated copy object, user input comprising permission for changes to the isolated copy object,wherein the copy object is obtained in response to the user input being received.
  - 3. The computer-implemented method of claim 1, comprising:
    - outputting, by the computer system after obtaining the isolated copy object and before applying the one or more changes to the copy object, information to prompt the user to provide permission for each of the one or more changes to the isolated copy object; and
      
      receiving, at the computer system and before applying the one or more changes to the isolated copy object, user input comprising permission for each of the one or more changes to the isolated copy object,wherein the one or more changes are applied to the isolated copy object in response to the user input being received.
  - 4. The computer-implemented method of claim 1, comprising:
    - receiving, at the process manager, a request to run the particular process on the computer system; and
      
      determining, by the process manager, that the particular process is characterized as possibly malware.
  - 5. The method of claim 1, wherein one or more of the characteristics of the particular process that is characterized as possibly malware comprise a trust score associated with the particular process.
  - 6. The method of claim 1, wherein one or more of the characteristics of the particular process that is characterized as possibly malware comprise a quantity of changes to objects that the particular process previously required during a prior execution.

7. A non-transitory computer-readable medium having stored thereon instructions, which, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- identifying one or more characteristics of a particular process that is to be run in an isolated environment and that is characterized as possibly malware;
  
  before the particular process is run in the isolated environment, selecting, by a process manager running on a computer system and based on one or more of the characteristics of the particular process, a particular permission scheme from among (i) a first permission scheme in which a user is prompted for permission a single time in advance of a first change being made to a copy object by the particular process and is not subsequently prompted for permission for any other change being made to the copy object by the particular process after that, and (ii) a second permission scheme in which the user is prompted for permission in response to each change being made to the copy object by the particular process;
  
  obtaining, by the process manager and according to the particular permission scheme, an isolated copy object that (a) is in the isolated environment, and (b) corresponds to an actual object that is not in the isolated environment;
  
  after selecting the particular permission scheme, running the particular process in the isolated environment on the computer system, thereby generating one or more changes to the isolated copy object; and
  
  copying, by the process manager and according to the particular permission scheme, one or more of the changes to the isolated copy object to the actual object that is not in the isolated environment.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The medium of claim 7, wherein the operations comprise:
    - outputting, by the computer system and before obtaining the isolated copy object, information to prompt the user to provide permission for changes to the isolated copy object in advance of any changes being made; and
      
      receiving, at the computer system and before obtaining the isolated copy object, user input comprising permission for changes to the isolated copy object,wherein the copy object is obtained in response to the user input being received.
  - 9. The medium of claim 7, wherein the operations comprise:
    - outputting, by the computer system after obtaining the isolated copy object and before applying the one or more changes to the copy object, information to prompt the user to provide permission for each of the one or more changes to the isolated copy object; and
      
      receiving, at the computer system and before applying the one or more changes to the isolated copy object, user input comprising permission for each of the one or more changes to the isolated copy object,wherein the one or more changes are applied to the isolated copy object in response to the user input being received.
  - 10. The medium of claim 7, wherein the operations comprise:
    - receiving, at the process manager, a request to run the particular process on the computer system; and
      
      determining, by the process manager, that the particular process is characterized as possibly malware.
  - 11. The medium of claim 7, wherein one or more of the characteristics of the particular process that is characterized as possibly malware comprise a trust score associated with the particular process.
  - 12. The medium of claim 7, wherein one or more of the characteristics of the particular process that is characterized as possibly malware comprise a quantity of changes to objects that the particular process previously required during a prior execution.

13. A system comprising:
- one or more processors and one or more computer storage media storing instructions that are operable, when executed by the one or more processors, to cause the one or more processors to perform operations comprising;
  
  identifying one or more characteristics of a particular process that is to be run in an isolated environment and that is characterized as possibly malware;
  
  before the particular process is run in the isolated environment, selecting, by a process manager running on a computer system and based on one or more of the characteristics of the particular process, a particular permission scheme from among (i) a first permission scheme in which a user is prompted for permission a single time in advance of a first change being made to a copy object by the particular process and is not subsequently prompted for permission for any other change being made to the copy object by the particular process after, and (ii) a second permission scheme in which the user is prompted for permission in response to each change being made to the copy object by the particular process;
  
  obtaining, by the process manager and according to the particular permission scheme, an isolated copy object that (a) is in the isolated environment, and (b) corresponds to an actual object that is not in the isolated environment;
  
  after selecting the particular permission scheme, running the particular process in the isolated environment on the computer system, thereby generating one or more changes to the isolated copy object; and
  
  copying, by the process manager and according to the particular permission scheme, one or more of the changes to the isolated copy object to the actual object that is not in the isolated environment.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the operations comprise:
    - outputting, by the computer system and before obtaining the isolated copy object, information to prompt the user to provide permission for changes to the isolated copy object in advance of any changes being made; and
      
      receiving, at the computer system and before obtaining the isolated copy object, user input comprising permission for changes to the isolated copy object,wherein the copy object is obtained in response to the user input being received.
  - 15. The system of claim 13, wherein the operations comprise:
    - outputting, by the computer system after obtaining the isolated copy object and before applying the one or more changes to the copy object, information to prompt the user to provide permission for each of the one or more changes to the isolated copy object; and
      
      receiving, at the computer system and before applying the one or more changes to the isolated copy object, user input comprising permission for each of the one or more changes to the isolated copy object,wherein the one or more changes are applied to the isolated copy object in response to the user input being received.
  - 16. The system of claim 13, wherein the operations comprise:
    - receiving, at the process manager, a request to run the particular process on the computer system; and
      
      determining, by the process manager, that the particular process is characterized as possibly malware.
  - 17. The system of claim 13, wherein one or more of the characteristics of the particular process that is characterized as possibly malware comprise a trust score associated with the particular process.
  - 18. The system of claim 13, wherein one or more of the characteristics of the particular process that is characterized as possibly malware comprise a quantity of changes to objects that the particular process previously required during a prior execution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Hassanzadeh, Amin
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US15/378,252
Publication Number

US 20170109520A1
Time in Patent Office

342 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

Mapping process changes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Mapping process changes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links