Confirming a malware infection on a client device using a remote access connection tool to identify a malicious file based on fuzzy hashes
First Claim
1. A device, comprising:
one or more memories; and
one or more processors to:
receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file;
generate a first set of hashes based on executing the malicious file in a testing environment and receiving the trigger to determine whether one or more client devices, of the set of client devices, are infected by the malicious file;
obtain information, associated with the one or more client devices and based on receiving the trigger, to determine whether the one or more client devices are infected by the malicious file, the information indicating at least one process running on the one or more client devices;
generate one or more second sets of hashes associated with each of the one or more client devices, respectively, based on the at least one process running on the one or more client devices;
generate a plurality of similarity scores, each of the plurality of similarity scores indicating a measure of similarity between the first set of hashes generated based on executing the malicious file in the testing environment and each of the one or more second sets of hashes generated based on the at least one process running on the one or more client devices;
determine, based on the plurality of similarity scores, that at least one of the one or more client devices is infected by the malicious file; and
provide information indicating that the at least one of the one or more client devices is infected by the malicious file.
1 Assignment
0 Petitions
Abstract
A device may receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file. The device may generate file identification information associated with the malicious file based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain information, associated with the one or more client devices, using the remote access. The device may provide information indicating whether the one or more client devices are infected by the malicious file based on the file identification information and the information associated with the one or more client devices.
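The procedure in the first claim and the abstract (sandbox the sample and fuzzy-hash it, fuzzy-hash the processes each client reports, score the similarity, flag clients above a threshold) as an added illustration in Python. This is not the patent's code and not ssdeep: it uses a deliberately small context-triggered piecewise hash written for this page, byte strings constructed inline stand in for the sandbox run and for the process images the remote access connection tool would collect, and the `find_infected` decision rule and its threshold of 60 are assumptions for the example.

```python
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7       # rolling-hash window length (ssdeep also uses 7)
MIN_BLOCK = 3    # smallest block size tried
TARGET_LEN = 64  # aim for about this many chars in the primary signature


def _fnv1a(data: bytes) -> int:
    """32-bit FNV-1a; each chunk is reduced to one signature character."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def _signature(data: bytes, block: int) -> str:
    """One base64 char per content-defined chunk. A chunk ends wherever the
    Rabin-Karp hash of the last WINDOW bytes satisfies h % block == block - 1,
    so boundaries depend only on local content and survive edits elsewhere."""
    out, h, start = [], 0, 0
    drop = pow(257, WINDOW, 1 << 32)  # weight of the byte leaving the window
    for i, b in enumerate(data):
        h = (h * 257 + b) & 0xFFFFFFFF
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * drop) & 0xFFFFFFFF
        if i + 1 >= WINDOW and h % block == block - 1:
            out.append(B64[_fnv1a(data[start:i + 1]) % 64])
            start = i + 1
    if start < len(data):  # trailing partial chunk
        out.append(B64[_fnv1a(data[start:]) % 64])
    return "".join(out)


def fuzzy_hash(data: bytes) -> str:
    """ssdeep-like 'block:sig_at_block:sig_at_2block'."""
    block = MIN_BLOCK
    while block * TARGET_LEN < len(data):
        block *= 2
    return f"{block}:{_signature(data, block)}:{_signature(data, block * 2)}"


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _shares_run(a: str, b: str, n: int = 7) -> bool:
    """Gate borrowed from ssdeep: no score unless a 7-char run is shared.
    Without it two unrelated 40-char signatures still score near 50."""
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def similarity(h1: str, h2: str) -> int:
    """0..100; signatures are only comparable at an equal block size."""
    b1, s1, s1x = h1.split(":")
    b2, s2, s2x = h2.split(":")
    b1, b2 = int(b1), int(b2)
    pairs = []
    if b1 == b2:
        pairs += [(s1, s2), (s1x, s2x)]
    elif b1 == 2 * b2:
        pairs.append((s1, s2x))
    elif 2 * b1 == b2:
        pairs.append((s1x, s2))
    best = 0
    for x, y in pairs:
        if x and x == y:
            return 100
        if _shares_run(x, y):
            best = max(best, 100 - 100 * _levenshtein(x, y) // (len(x) + len(y)))
    return best


def _pseudo_bytes(seed: int, n: int) -> bytes:
    """Deterministic filler standing in for a process image (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-ins: no real malware, no real hosts.
SANDBOXED_SAMPLE = _pseudo_bytes(1, 4000)                    # source of the first set of hashes
VARIANT = (SANDBOXED_SAMPLE[:1000] + _pseudo_bytes(2, 50)    # same file with 50 bytes patched
           + SANDBOXED_SAMPLE[1050:] + _pseudo_bytes(3, 200))  # and a 200-byte tail appended
UNRELATED = _pseudo_bytes(4, 4000)
# Per-client process list as the connection tool would report it: name -> image.
CLIENT_PROCESSES = {
    "client-a": {"svchost.exe": UNRELATED[:2000], "updater.exe": VARIANT},
    "client-b": {"explorer.exe": UNRELATED},
}


def find_infected(sample_hash: str, clients: dict, threshold: int = 60) -> list:
    """Hypothetical rule (assumed, not the patent's): a client is infected if
    any running process scores at or above `threshold` against the sample."""
    hits = [c for c, procs in clients.items()
            if any(similarity(sample_hash, fuzzy_hash(img)) >= threshold for img in procs.values())]
    return sorted(hits)


if __name__ == "__main__":
    ref = fuzzy_hash(SANDBOXED_SAMPLE)
    print("sample:", ref)
    for client, procs in CLIENT_PROCESSES.items():
        for name, img in procs.items():
            print(f"{client}/{name}: {similarity(ref, fuzzy_hash(img))}")
    print("infected:", find_infected(ref, CLIENT_PROCESSES))
```

The patched-and-extended copy still scores high because chunk boundaries are chosen by content, so only the chunks touching the edits change; the unrelated image scores 0 because the shared-run gate refuses to compare signatures with no common substring. A cryptographic hash of the whole image would match neither case, which is the reason the claim works on similarity scores rather than exact matches.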
18 Citations
20 Claims
1. A device, comprising:
one or more memories; and
one or more processors to:
receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file;
generate a first set of hashes based on executing the malicious file in a testing environment and receiving the trigger to determine whether one or more client devices, of the set of client devices, are infected by the malicious file;
obtain information, associated with the one or more client devices and based on receiving the trigger, to determine whether the one or more client devices are infected by the malicious file, the information indicating at least one process running on the one or more client devices;
generate one or more second sets of hashes associated with each of the one or more client devices, respectively, based on the at least one process running on the one or more client devices;
generate a plurality of similarity scores, each of the plurality of similarity scores indicating a measure of similarity between the first set of hashes generated based on executing the malicious file in the testing environment and each of the one or more second sets of hashes generated based on the at least one process running on the one or more client devices;
determine, based on the plurality of similarity scores, that at least one of the one or more client devices is infected by the malicious file; and
provide information indicating that the at least one of the one or more client devices is infected by the malicious file.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file;
generate a first set of hashes based on executing the malicious file in a testing environment and receiving the trigger to determine whether one or more client devices, of the set of client devices, are infected by the malicious file;
obtain information, associated with the one or more client devices and based on receiving the trigger, to determine whether the one or more client devices are infected by the malicious file, the information indicating at least one process running on the one or more client devices;
generate one or more second sets of hashes associated with each of the one or more client devices, respectively, based on the at least one process running on the one or more client devices;
generate a plurality of similarity scores, each of the plurality of similarity scores indicating a measure of similarity between the first set of hashes generated based on executing the malicious file in the testing environment and each of the one or more second sets of hashes generated based on the at least one process running on the one or more client devices;
determine, based on the plurality of similarity scores, that at least one of the one or more client devices is infected by the malicious file; and
provide information indicating that the at least one of the one or more client devices is infected by the malicious file.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A method, comprising:
receiving, by a device, a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file;
generating, by the device, a first set of hashes based on executing the malicious file in a testing environment and receiving the trigger to determine whether one or more client devices, of the set of client devices, are infected by the malicious file;
obtaining, by the device, information, associated with the one or more client devices and based on receiving the trigger, to determine whether the one or more client devices are infected by the malicious file, the information indicating at least one process running on the one or more client devices;
generating, by the device, one or more second sets of hashes associated with each of the one or more client devices, respectively, based on the at least one process running on the one or more client devices;
generating, by the device, a plurality of similarity scores, each of the plurality of similarity scores indicating a measure of similarity between the first set of hashes generated based on executing the malicious file in the testing environment and each of the one or more second sets of hashes generated based on the at least one process running on the one or more client devices;
determining, by the device and based on the plurality of similarity scores, that at least one of the one or more client devices is infected by the malicious file; and
providing, by the device, information indicating that the at least one of the one or more client devices is infected by the malicious file.
Dependent claims: 16, 17, 18, 19, 20

Specification