Using multiple layers of policy management to manage risk
First Claim
Patent Images
1. A system, comprising:
- a receiver to receive a file at a computer system, the file including a content, the content including a first portion;
a file type identifier to identify a purported file type of the file;
a scanner to scan the content of the file using a set of rules corresponding to the purported file type, the scanner operative to determine that the file does not conform to the set of rules corresponding to the purported file type for a first reason with an associated first issue identifier (ID);
a quarantine that can store the file;
a file issue exclusion policy specifying an approved file type and a second issue ID;
a file content policy to allow the first portion of the content of the file to be included in the file, the file content policy including a whitelist of hashes of known approved portions of content;
a hasher to generate a hash of the first portion of the content of the file;
a comparator to compare the first portion of the content of the file with the whitelist;
a scanning service to perform additional analysis to determine whether the file can be released from quarantine; and
a transmitter to transmit the file to the recipient instead of storing the file in the quarantine when the approved file type in the file issue exclusion policy matches the purported file type and the second issue ID in the file issue exclusion policy matches the first issue ID,wherein the first portion of the content of the file is included in the file when the first portion of the content of the file matches a known approved portion of content in the whitelist.
1 Assignment
0 Petitions
Accused Products
Abstract
A system for processing a file using a file issue exclusion policy to manage risk is disclosed. If a file does not conform to a set of rules and would otherwise be quarantined, a file issue exclusion policy can be reviewed. If the file issue exclusion policy indicates that the reason why the file did not conform to the set of rules is acceptable, the file can be delivered to the recipient despite not conforming to the set of rules.
95 Citations
17 Claims
-
1. A system, comprising:
-
a receiver to receive a file at a computer system, the file including a content, the content including a first portion; a file type identifier to identify a purported file type of the file; a scanner to scan the content of the file using a set of rules corresponding to the purported file type, the scanner operative to determine that the file does not conform to the set of rules corresponding to the purported file type for a first reason with an associated first issue identifier (ID); a quarantine that can store the file; a file issue exclusion policy specifying an approved file type and a second issue ID; a file content policy to allow the first portion of the content of the file to be included in the file, the file content policy including a whitelist of hashes of known approved portions of content; a hasher to generate a hash of the first portion of the content of the file; a comparator to compare the first portion of the content of the file with the whitelist; a scanning service to perform additional analysis to determine whether the file can be released from quarantine; and a transmitter to transmit the file to the recipient instead of storing the file in the quarantine when the approved file type in the file issue exclusion policy matches the purported file type and the second issue ID in the file issue exclusion policy matches the first issue ID, wherein the first portion of the content of the file is included in the file when the first portion of the content of the file matches a known approved portion of content in the whitelist. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method, comprising:
-
receiving a file at a computer system, the file include content; determining a purported file type of the file; scanning the content of the file using a set of rules corresponding to the purported file type, including; identifying a first portion of the content of the file that can include malicious content; accessing a whitelist of hashes of known approved portions of content; calculating a hash of the first portion of the content of the file; comparing the hash of the first portion of the content of the file with the whitelist of hashes of known approved portions of content; and when the hash of the first portion of the content of the file is included in the whitelist, including the first portion of the content of the file in the file; determining that content does not conform to the set of rules corresponding to the purported file type; flagging the file for quarantine; when the file is subject to quarantine, submitting the file to a scanning service for additional analysis to determine whether the file is to be released from quarantine; determining a first issue identifier (ID) for an issue as to why the content does not conform to the set of rules; accessing a file issue exclusion policy, the file issue exclusion policy specifying an approved file type and a second issue ID; and transmitting the file to a recipient instead of quarantining the file when approved file type in the file issue exclusion policy matches the purported file type and the second issue ID in the file issue exclusion policy matches the first issue ID. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
-
Specification