System and method for interlocking a host and a gateway
US-2015365380-A1 · Dec 17, 2015 · US
US9467470B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9467470-B2 |
| Application number | US-201414583509-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 26, 2014 |
| Priority date | Jul 28, 2010 |
| Publication date | Oct 11, 2016 |
| Grant date | Oct 11, 2016 |
Official abstract text for this publication.
A method in one example implementation includes intercepting a network access attempt on a computing device and determining a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether the network access attempt is permitted and blocking the network access attempt if it is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the trust status is defined as trusted if the software program file is included in a whitelist of trustworthy program files and untrusted if the software program file is not included in a whitelist. In more specific embodiments, the method includes blocking the network access attempt if the software program file has an untrusted status. In further embodiments, an event is logged if the software program file associated with the network access attempt has an untrusted status.
Opening claim text (preview).
What is claimed is:
1. One or more non-transitory machine readable media that includes code for execution and when executed by one or more processors is operable to perform operations comprising: intercepting, on a computing device, a network access attempt associated with a process executing on the computing device; determining a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process; determining trust statuses of at least the executable file and the library module; determining whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and performing an action if the network access attempt is not permitted, wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
2. The one or more non-transitory machine readable media of claim 1, wherein the network access attempt is determined not to be permitted if no policy overrides the untrusted status.
3. The one or more non-transitory machine readable media of claim 2, wherein the trust status of a particular software program file of the plurality of software program files is defined as untrusted if the particular software program file is not identified in a whitelist.
4. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising: searching a local cache that identifies trusted software program files, to determine a trust status of each of the plurality of software program files; querying a central server for the trust status of each software program file not identified by the local cache; and updating the local cache with identifications of any software program files determined to be trusted by the central server.
5. The one or more non-transitory machine readable media of claim 1, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
6. The one or more non-transitory machine readable media of claim 1, wherein at least one network hook, loaded into the process, is to intercept an application programming interface (API) associated with the network access attempt.
7. The one or more non-transitory machine readable media of claim 1, wherein the network access attempt is one of an outbound network access attempt from the process or an inbound network access attempt to the process.
8. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising: using an operating system application programming interface to determine the plurality of software program files mapped to the process.
9. The one or more non-transitory machine readable media of claim 1, the one or more processors being operable to perform further operations comprising: responsive to determining the one of the software program files has the untrusted status, evaluating the network access policy to determine whether the network access policy overrides the untrusted status; and applying the network access policy to the network access attempt if the network access policy is determined to override the untrusted status.
10. The one or more non-transitory machine readable media of claim 1, wherein the performing the action includes logging information related to the network access attempt if the trust status of at least one of the plurality of software program files is determined to be untrusted.
11. An apparatus, comprising: a protection module; and one or more processors operable to execute instructions associated with the protection module, to cause the one or more processors to: intercept, on a computing device, a network access attempt associated with a process executing on the computing device; determine a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process; determine trust statuses of at least the executable file and the library module; determine whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and perform an action if the network access attempt is not permitted, wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
12. The apparatus of claim 11, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
13. The apparatus of claim 11, wherein at least one network hook, loaded into the process, is to intercept an application programming interface (API) associated with the network access attempt.
14. The apparatus of claim 11, the one or more processors being operable to execute further instructions associated with the protection module, to cause the one or more processors to: use an operating system application programming interface to determine the plurality of software program files mapped to the process.
15. The apparatus of claim 11, wherein the performing the action includes logging information related to the network access attempt if the trust status of at least one of the plurality of software program files is determined to be untrusted.
16. A method comprising: intercepting, on a computing device, a network access attempt associated with a process executing on the computing device; determining a plurality of software program files mapped to the process, wherein at least one software program file of the plurality of software program files is an executable file and at least one other software program file of the plurality of software program files is a library module loaded by the process; determining trust statuses of at least the executable file and the library module; determining whether the network access attempt is permitted based, at least in part, on the trust statuses of the executable file and the library module; and performing an action if the network access attempt is not permitted, wherein if one of the software program files is determined to have an untrusted status, the network access attempt is permitted if a destination address of the network access attempt is contained in a set of allowed destination addresses indicated by a network access policy associated with the one of the software program files.
17. The method of claim 16, wherein the performing the action includes blocking the network access attempt when the network access attempt is determined not to be permitted.
18. The method of claim 16, wherein at least one network ho
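The decision logic of claims 1, 2, 4 and 10 (trust status of the executable and every loaded library, local cache with central-server fallback, per-file policy override by allowed destination, and logging of untrusted files), as an added toy model that is not code from the patent; the file hashes, destinations and the in-memory "central server" are constructed sample data, and where more than one file is untrusted it requires every such file to be overridden by its own policy, which the claims do not spell out.

```python
from dataclasses import dataclass, field


@dataclass
class NetworkAccessPolicy:
    # Claim 1: destinations an otherwise untrusted file may still reach.
    allowed_destinations: set = field(default_factory=set)


class HostProtection:
    """Toy protection module: decides whether a process may touch the network."""

    def __init__(self, central_whitelist, policies=None):
        self.central_whitelist = set(central_whitelist)  # stands in for the server
        self.local_cache = set()          # claim 4: locally cached trusted files
        self.policies = policies or {}    # file hash -> NetworkAccessPolicy
        self.events = []                  # claim 10: log of untrusted-file attempts
        self.server_queries = 0           # how often we had to ask the server

    def trust_status(self, file_hash):
        """Claim 4: consult the local cache, then the central server; cache hits."""
        if file_hash in self.local_cache:
            return "trusted"
        self.server_queries += 1
        if file_hash in self.central_whitelist:
            self.local_cache.add(file_hash)
            return "trusted"
        return "untrusted"  # claim 3: not on any whitelist means untrusted

    def evaluate(self, process_files, destination):
        """process_files: hashes of the executable plus every loaded library module.
        Returns 'allow' or 'block' for a network access attempt to `destination`."""
        decision = "allow"
        for file_hash in process_files:
            if self.trust_status(file_hash) == "trusted":
                continue
            # Claim 10: every untrusted file involved in the attempt is logged.
            self.events.append({"file": file_hash, "destination": destination})
            policy = self.policies.get(file_hash)
            if policy is None or destination not in policy.allowed_destinations:
                decision = "block"  # claim 2: nothing overrides the untrusted status
        return decision
```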
involving event detection and direct action · CPC title
by adding security routines or objects to programs · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
by securing the transmission between two devices or processes · CPC title