Mapping process changes
Abstract
In one implementation, a computer-implemented method includes receiving a request to run a particular process; determining whether the particular process is to be run in isolation on the computer system; selecting a particular permission scheme from among a plurality of permission schemes based, at least in part, on one or more characteristics of the particular process; fetching, according to the particular permission scheme, a copy object that corresponds to an actual object for the particular process, wherein the copy object is instantiated in an isolated environment; running the particular process in isolation on the computer system by executing the copy object in the isolated environment; applying, according to the particular permission scheme, one or more changes to the copy object; and mapping, according to the particular permission scheme, the one or more changes in the copy object to the actual object.
18 Claims
1. A computer-implemented method comprising:
- identifying one or more characteristics of a particular process that is to be run in an isolated environment and that is characterized as possibly malware;
- before the particular process is run in the isolated environment, selecting, by a process manager running on a computer system and based on one or more of the characteristics of the particular process, a particular permission scheme from among (i) a first permission scheme in which a user is prompted for permission a single time in advance of a first change being made to a copy object by the particular process and is not subsequently prompted for permission for any other change being made to the copy object by the particular process after that, and (ii) a second permission scheme in which the user is prompted for permission in response to each change being made to the copy object by the particular process;
- obtaining, by the process manager and according to the particular permission scheme, an isolated copy object that (a) is in the isolated environment, and (b) corresponds to an actual object that is not in the isolated environment;
- after selecting the particular permission scheme, running the particular process in the isolated environment on the computer system, thereby generating one or more changes to the isolated copy object; and
- copying, by the process manager and according to the particular permission scheme, one or more of the changes to the isolated copy object to the actual object that is not in the isolated environment.
Dependent claims: 2, 3, 4, 5, 6.
7. A non-transitory computer-readable medium having stored thereon instructions, which, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- identifying one or more characteristics of a particular process that is to be run in an isolated environment and that is characterized as possibly malware;
- before the particular process is run in the isolated environment, selecting, by a process manager running on a computer system and based on one or more of the characteristics of the particular process, a particular permission scheme from among (i) a first permission scheme in which a user is prompted for permission a single time in advance of a first change being made to a copy object by the particular process and is not subsequently prompted for permission for any other change being made to the copy object by the particular process after that, and (ii) a second permission scheme in which the user is prompted for permission in response to each change being made to the copy object by the particular process;
- obtaining, by the process manager and according to the particular permission scheme, an isolated copy object that (a) is in the isolated environment, and (b) corresponds to an actual object that is not in the isolated environment;
- after selecting the particular permission scheme, running the particular process in the isolated environment on the computer system, thereby generating one or more changes to the isolated copy object; and
- copying, by the process manager and according to the particular permission scheme, one or more of the changes to the isolated copy object to the actual object that is not in the isolated environment.
Dependent claims: 8, 9, 10, 11, 12.
13. A system comprising:
- one or more processors and one or more computer storage media storing instructions that are operable, when executed by the one or more processors, to cause the one or more processors to perform operations comprising;
  - identifying one or more characteristics of a particular process that is to be run in an isolated environment and that is characterized as possibly malware;
  - before the particular process is run in the isolated environment, selecting, by a process manager running on a computer system and based on one or more of the characteristics of the particular process, a particular permission scheme from among (i) a first permission scheme in which a user is prompted for permission a single time in advance of a first change being made to a copy object by the particular process and is not subsequently prompted for permission for any other change being made to the copy object by the particular process after, and (ii) a second permission scheme in which the user is prompted for permission in response to each change being made to the copy object by the particular process;
  - obtaining, by the process manager and according to the particular permission scheme, an isolated copy object that (a) is in the isolated environment, and (b) corresponds to an actual object that is not in the isolated environment;
  - after selecting the particular permission scheme, running the particular process in the isolated environment on the computer system, thereby generating one or more changes to the isolated copy object; and
  - copying, by the process manager and according to the particular permission scheme, one or more of the changes to the isolated copy object to the actual object that is not in the isolated environment.
Dependent claims: 14, 15, 16, 17, 18.
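The flow recited in the independent claims, as an added Python sketch that is not taken from the patent or from any product: a scheme is selected before the process runs, the process writes only to an isolated copy, and permitted changes are then copied to the actual object. The names (Scheme, IsolatedCopy, run_isolated), the "signed" characteristic, the dict standing in for the object, and the choice to drop a denied change are all assumptions made for illustration.

```python
import copy
from enum import Enum


class Scheme(Enum):
    PROMPT_ONCE = 1   # scheme (i): a single prompt ahead of the first change
    PROMPT_EACH = 2   # scheme (ii): a prompt in response to each change


def select_scheme(characteristics):
    # Assumed policy: the claims do not say which characteristic picks which scheme.
    return Scheme.PROMPT_ONCE if characteristics.get("signed") else Scheme.PROMPT_EACH


class IsolatedCopy:
    """Copy object in the isolated environment; the process only ever sees this."""

    def __init__(self, actual, scheme, ask_user):
        self.data = copy.deepcopy(actual)
        self.scheme, self.ask_user = scheme, ask_user
        self.decision = None      # cached answer under PROMPT_ONCE
        self.prompts = 0
        self.approved = {}        # changes eligible for copy-back

    def _permitted(self, key):
        if self.scheme is Scheme.PROMPT_ONCE and self.decision is not None:
            return self.decision  # no further prompts after the first
        self.prompts += 1
        answer = self.ask_user(key)
        if self.scheme is Scheme.PROMPT_ONCE:
            self.decision = answer
        return answer

    def write(self, key, value):
        # Assumption: a denied change is dropped rather than aborting the process.
        if self._permitted(key):
            self.data[key] = value
            self.approved[key] = value


def run_isolated(process, characteristics, actual, ask_user):
    scheme = select_scheme(characteristics)       # selected before the process runs
    box = IsolatedCopy(actual, scheme, ask_user)
    process(box)                                  # changes land on the copy only
    actual.update(box.approved)                   # copy permitted changes to the actual object
    return scheme, box.prompts


def sample_process(box):                          # constructed stand-in for the untrusted process
    box.write("a.txt", "new")
    box.write("b.txt", "x")
    box.write("hosts", "changed")
```

Under the second scheme the user can refuse an individual change (for example the "hosts" write) while accepting the others; under the first scheme the single answer covers every later change.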
Specification