System, method, and computer program product for reacting in response to a detection of an attempt to store a configuration file and an executable file on a removable device

US 8,918,872 B2
Filed: 06/27/2008
Issued: 12/23/2014
Est. Priority Date: 06/27/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory tangible computer readable medium comprising one or more instructions that when executed on a processor configure the processor to performing operations for protecting against the transfer of malicious files to a removable device and the spread of the malicious files to other devices via the removable device, the operations comprising:

identifying the removable device coupled to a second device, comprises an alert provided by the first device, wherein the first device provides an alert to the second device when it detects that it is coupled to the second device, wherein the removable device removably couples to the second device using a universal serial bus (USB) port;

monitoring file copy operations directed toward the removable device;

detecting an attempt made by a malicious program residing on the second device to transfer a configuration file and an executable file onto the removable device based on the monitoring of the file copy operations directed towards the removable device over the USB port, wherein configuration file is setup information file (INF) file, wherein the malicious program is already present on the second device, before the transfer and is not previously detected by an antivirus program of a security system provided in the second device as malicious due to the second device not having a malware signature for the malicious program, and wherein the security system is configured to scan a plurality of ports, including the USB port, of the second device in order to identify the attempt; and

reacting, by the security system, in response to the detection of the attempt by;

providing a user of the second device with an option to prevent storage of the configuration file and the executable file on the removable device by deleting the configuration file and the executable file; and

in response to the user selecting the option, flagging the malicious program residing on the second device from which the attempt originated for review by the security system;

reacting includes alerting the user of the second device of the attempt to store the configuration file and executable file, wherein an alerting the user includes providing the user with the option to review the configuration file and the executable file names, and open and view all or part of the configuration file and executable file text.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for reacting in response to a detection of an attempt to store a configuration file and an executable file on a removable device. In use, a first device removably coupled to a second device is identified. Additionally, an attempt to store on the first device a configuration file for the first device and an executable file is detected. Further, a reaction is performed in response to the detection of the attempt.

36 Citations

View as Search Results

14 Claims

1. A non-transitory tangible computer readable medium comprising one or more instructions that when executed on a processor configure the processor to performing operations for protecting against the transfer of malicious files to a removable device and the spread of the malicious files to other devices via the removable device, the operations comprising:
- identifying the removable device coupled to a second device, comprises an alert provided by the first device, wherein the first device provides an alert to the second device when it detects that it is coupled to the second device, wherein the removable device removably couples to the second device using a universal serial bus (USB) port;
  
  monitoring file copy operations directed toward the removable device;
  
  detecting an attempt made by a malicious program residing on the second device to transfer a configuration file and an executable file onto the removable device based on the monitoring of the file copy operations directed towards the removable device over the USB port, wherein configuration file is setup information file (INF) file, wherein the malicious program is already present on the second device, before the transfer and is not previously detected by an antivirus program of a security system provided in the second device as malicious due to the second device not having a malware signature for the malicious program, and wherein the security system is configured to scan a plurality of ports, including the USB port, of the second device in order to identify the attempt; and
  
  reacting, by the security system, in response to the detection of the attempt by;
  
  providing a user of the second device with an option to prevent storage of the configuration file and the executable file on the removable device by deleting the configuration file and the executable file; and
  
  in response to the user selecting the option, flagging the malicious program residing on the second device from which the attempt originated for review by the security system;
  
  reacting includes alerting the user of the second device of the attempt to store the configuration file and executable file, wherein an alerting the user includes providing the user with the option to review the configuration file and the executable file names, and open and view all or part of the configuration file and executable file text.
- View Dependent Claims (2, 3, 4, 5, 9, 10)
- - 2. The non-transitory tangible computer readable medium of claim 1, wherein the first device is a flash-based memory device.
  - 3. The non-transitory tangible computer readable medium of claim 1, wherein the configuration file for the first device instructs an operating system to run the executable file.
  - 4. The non-transitory tangible computer readable medium of claim 1, wherein the reacting includes providing the user of the second device with an option to allow storage of the configuration file for the first device and the executable file on the first device.
  - 5. The non-transitory tangible computer readable medium of claim 1, wherein the operations further comprises monitoring file copy and file create operations directed to the removable device.
  - 9. The non-transitory tangible computer readable medium of claim 1, wherein the configuration file includes an autorun.inf file.
  - 10. The non-transitory tangible computer readable medium of claim 1, wherein reacting includes providing the user of the second device with a review file option that allows the user to view the text of the configuration file.

6. A method for protecting against the transfer of malicious files to a removable device and the spread of the malicious files to files to other devices via the removable device, comprising:
- identifying the removable device coupled to a second device via an alert provided by the removable device to the second device, wherein the removable device removably couples to the second device using a universal serial bus (USB) port;
  
  monitoring file copy operations directed toward the removable device;
  
  detecting an attempt made by a malicious program residing on the second device to transfer a configuration file and an executable file onto the removable device based on the monitoring of the file copy operations directed towards the removable device over the USB port, wherein the configuration file is a setup information (INF) file, the malicious program is already present on the second device before the transfer and is not previously detected by an antivirus program of a security system provided in the second device as malicious due to the second device not having a malware signature for the malicious program, and the security system is configured to scan a plurality of ports, including the USB port, of the second device in order to identify the attempt; and
  
  reacting, by the security system, in response to the detection of the attempt by;
  
  providing a user of the second device with an option to prevent storage of the configuration file and the executable file on the removable device by deleting the configuration file and the executable file;
  
  providing the user of the second device with an option to review the names and text of the configuration file and/or the executable file; and
  
  in response to the user selecting the option to prevent storage of the configuration file and executable file, flagging the malicious program residing on the second device from which the attempt originated for review by the security system.
- View Dependent Claims (11, 12)
- - 11. The method of claim 6, wherein the configuration file includes an autorun.inf file.
  - 12. The method of claim 6, wherein reacting includes providing the user of the second device with a review file option that allows the user to view the text of the configuration file.

7. A system for protecting against the transfer of malicious files to a removable device and the spread of the malicious files to other devices via the removable device, comprising:
- a processor, wherein the system is configured for;
  
  identifying the removable device coupled to a second device via an alert provided by the removable device to the second device, wherein the removable device removably couples to the second device using a universal serial bus (USB) port;
  
  monitoring file copy operations directed toward the removable device;
  
  detecting an attempt made by a malicious program residing on the second device to transfer a configuration file and an executable file onto the removable device based on the monitoring of the file copy operations directed towards the removable device over the USB port, wherein the configuration file is a setup information (INF) file, the malicious program is already present on the second device before the transfer and is not previously detected by an antivirus program of a security system provided in the second device as malicious due to the second device not having a malware signature for the malicious program, and the security system is configured to scan a plurality of ports, including the USB port, of the second device in order to identify the attempt; and
  
  reacting, by the security system, in response to the detection of the attempt by;
  
  providing a user of the second device with an option to prevent storage of the configuration file and the executable file on the removable device by deleting the configuration file and the executable file;
  
  providing the user of the second device with an option to review the names and text of the configuration file and/or the executable file; and
  
  in response to the user selecting the option to prevent storage of the configuration file and executable file, flagging the malicious program residing on the second device from which the attempt originated for review by the security system.
- View Dependent Claims (8, 13, 14)
- - 8. The system of claim 7, wherein the processor is coupled to memory via a bus.
  - 13. The system of claim 7, wherein the configuration file includes an autorun.inf file.
  - 14. The system of claim 7, wherein reacting includes providing the user of the second device with a review file option that allows the user to view the text of the configuration file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Kumar, Lokesh, Ramachetty, Harinath V.
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US12/163,417
Publication Number

US 20130247189A1
Time in Patent Office

2,370 Days
Field of Search

726/23, 726/24, 726/27, 726/9, 705/325, 705/76, 717/168, 709/217, 711/112, 711/115, 711/103
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/145   the attack involving the pr...

H04W 12/08   Access security

System, method, and computer program product for reacting in response to a detection of an attempt to store a configuration file and an executable file on a removable device

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for reacting in response to a detection of an attempt to store a configuration file and an executable file on a removable device

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links