Escolar Documentos
Profissional Documentos
Cultura Documentos
(75) Inventors:
Publication Classi?cation
(51)
Int CL
G06F 21/00
G06F 15/16
G06F 17/30
(2006.01)
(2006.01)
(2006-01)
(Us)
(52)
(73) Assignee:
Bit 9 Inc"Wa1thamMA(US)
(57)
ABSTRACT
A security system provides a defense from known and
13/459,957
(22) Filed?
(63)
intimdgy
na ysis
_
8eivices
l/?q
{w
lsewer Agphame /
Maoist
Antibody
Store
Gonieni
w Systems
Fiie
Poois&
?gfgng
Anaiysis
Ce
Web Browser
i-insi
Com
Anaiysis
,
Enterprise M, 33
Management
Admin
Services
Consoles
L E?
(if
!
'
m, "
M i /
Lmi
Parametric
Local
Parametric
Aniibwy
Policy
Antibody
Poiicy
Etore
Engine
Store
Engine
Host Agent
Host
Lil.
Host Agent
I, - t4,
Locai
Miicy
store
Engine
Host Agent
Host
Lil.
Paiameiris {law 16
Antibody
Host
"it
h
.
US 2012/0216246 A1
N32%
US 2012/0216246 A1
US 2012/0216246 A1
HEgg
a:ann
m$w+3uaE22wmgnwam
w mavzsgnm?a,
miwasamM3Em5mma?g%an?umgs
29%asn
Eam9zvamw;
Em32%38:
$2
US 2012/0216246 A1
mE m
mat
US 2012/0216246 A1
US 2012/0216246 A1
mMwmiw
wm mwx wm
wEgm
gmtm wsim
mi
mgwml mg mEhwE
US 2012/0216246 A1
AMQS
EmNammam
US 2012/0216246 A1
mammamvow
US 2012/0216246 A1
ing.
CROSS REFERENCES TO RELATED
APPLICATION
SUMMARY
[0009]
terns are complex to develop and test, and as a result they have
US 2012/0216246 A1
hosts can maintain their oWn lists, Which may diverge from
the central lists. In particular, this can be the case With Local
Approve and Pending states, and it is often true With name
based states, such as NameBan and NameApprove. Since
name is generally a local property, these states can diverge
from the centrally controlled states. For example, if a ?le
foo has a certain hashq and a central server state Pending,
on a host the ?le could be Local Approved or Name-Banned
[0016]
central authority (and thus all other hosts). The latter permits
until it is too late, do not knoW When their policies are being
violated, and have no means to effectively enforce their poli
cies. By tracking neW programs as Pending While they are
being modi?ed/Written to the ?le system, a host agent can
detect and report neW content, in real-time, as it enters the
netWork from almost any means, Whether email, instant mes
[0018]
policies are possible, such as: Permit, but Warn When hosts
US 2012/0216246 A1
which track all ?les, including those which have not changed,
the invention here tracks ?le changes in memory as the ?les
are changing, and this provides an ef?cient means to query
[0022]
service, it is important that the hosts connect to, post to, and
forming an analysis.
[0027] FIGS. 4-5 are schematics of processes performed by
the system.
[0028]
ses.
[0029]
timed analysis.
[0030]
DETAILED DESCRIPTION
[0031]
US 2012/0216246 A1
hosts.
[0039] Another aspect is in the use of a centrally set param
eter, sometimes denoted D or Defcon, that controls the
policies of the hosts. This central policy and parameter can be
applied to all hosts, or to selected groups of hosts. The param
eter can be set manually by an operator or can be adjusted by
shoWn here, the server includes a neW ?le processing and ?le
When they are created or altered by hosts, hoW scans are run,
rity level for the system, and policy engine 94 that governs
blocks 82, 90, and 92 for controlling various ?le operations
including executions, ?le reads, ?le Writes, and other actions.
hoW logging is done, and many other functions, and for each
policy (e.g., What operations can be done With a neWly seen
executable) there can be a number of policy options (such as
ban, alloW, or alloW and log). The policies can be based on the
US 2012/0216246 A1
policies includes:
[0044]
system
[0055] 12. Different policies for hosts When o?line,
remotely connected or locally connected
[0056] 13. List hosts/paths that contain a speci?c ?le by
data or by name
con?gurable)
[0063]
ten
[0066] The server can maintain one or more policies for
When the policies are violated become more and more severe.
and test (generally, one can just test the endpoints need be
tested, such as DIl and D:8). With ordered states the num
bers of ?les and users become successively more accessible
mations.
US 2012/0216246 A1
GetPolicySet query.
[0078]
detail.
folloWs:
ExecutableClass:(*.exe|*.sys|*.dll| . . . )
[0081]
mums).
pering.
[0075]
roll the value of D back to its original level after the operation
is terminated. External triggers can change the value of D,
hosts to select one of the lists. By having the lists present at the
the roWs are policies in the master set, the columns are
such as SNMP.
[0076]
US 2012/0216246 A1
7
DValue
vs
D=10
Global
D=8
D=6
Protection Tracking
D=4
Silent
D=3
Local
Policy Name
Approval
Disabled
Only
Alarm
Approval
New/Pending
Auto
Permit
Permit
Permit
Auto
Executables
Global
execution, Local
Execution, Write/Exec,
Approve
Report
Approve
Notify,
Notify,
New,
Report
Report
Report
Block
Block
*.exe, *.sys, . . .
New,
Report
Permit
Permit
Block
Block
Auto
Standalone Scripts
Global
execution, Local
Execution, Write/Exec,
Approve
Report
Approve
Notify,
Notify,
New,
Report
Report
Report
Block
Block
New,
Report
New/Pending
Auto
Embedded Scripts
Global
execution, Local
Execution, Write/Exec,
Approve
Report
In *.doc, *.xls, . . .
Permit
Permit
Permit
Auto
Protect
New/Pending
*.vbs, *.bat, . . .
Permit
D=2
D=1
Lockdown Write
New,
Report
Notify,
Notify,
Report
Report
Auto
Permit
Permit
Write
Write
*.html, *.asp, . . .
Global
Writes,
Writes,
Protect,
Protect,
Approve
New,
Report
Report
Report
Report
Report
Permit
Permit
Permit
Permit
Permit
Permit
Permit
Block
Block
Block
Block
Block
(by hash)
Exes/ S cripts/Embed
Banned/Unapproved Permit
Permit
Approve
New,
Report
Approved
Permit
(hash and/ or name)
Exes/ S cripts/Embed
Banned/Unapproved Permit
Permit
Auto
Block
Block
Block
Block
Block
(by name)
Exes/ S cripts/Embed
Notify,
Report
Track,
Report
Permit
Notify,
Report
Track,
Report
Notify,
Report
Track,
Report
Notify,
Report
Track,
Report
Notify,
Report
Track,
Report
tracking
(1) Permit: Permit the operation, otherwise silent
(2) Block: Block the operation, otherwise silent
(3) Track: Track the operation and resulting content (if content is Pending or Banned), otherwise silent. Approved content is generally
not tracked.
(4) Report: Send a noti?cation to the server
(5) Notify: Indicate to the host endpoint user why the operation was blocked/interrupted
(6) Auto Local Approve: New host ?les and/or new content with local host state = Pending are locally set to host state = Approved or
state = LocallyApproved only on the local host as the ?les/content are created/modi?ed.
(7) Auto Global Approve: New host ?les and/or new content with local state = Pending are globally set to server state = Approved on
the server as the ?les/content are created/modi?ed.
OMAC.
[0090]
[0091]
network.
[0092] File Path. The path of the ?le, as ?rst seen and
reported to the server.
[0093]
reported
[0094]
ported
[0095]
other analyses.
[0099] Last Analysis. The time the ?le was last scanned/
analyzed.
[0100]
US 2012/0216246 A1
[0103]
[0105]
[0106]
ies for the system. While each host can contain a local subset
of the antibodies in user cache 64 and in kernel cache 82, the
are the only authority that can set a state to locally approved.
(508), Which con?rms the upload (509). The server can also
[0109]
name states With content states. For instance, the server can
tent that has already been analyZed and for Which an antibody
has already been stored in a ho st cache. If the content antibody
is not in the host cache, the server is queried to determine if
the server has already analyZed the content. If the server does
not have a corresponding antibody, then the content may be
uploaded to the server for further analyses. Until the server
can determine the state de?nitively, the state associated With
the content is set to be pending or not yet determined. Sub
US 2012/0216246 A1
state, and only has to be recomputed When the name ban list
changes or When the ?le name changes. The Wildcard list does
not have to be compared on every ?le operation. So the dual
nature of data antibody and name antibody is useful. Also,
hundreds or thousands of name regular expressions can be
[0115] The host agent has a user antibody name cache (UN)
and a user antibody data cache (UD) 60. The UN maps the ?le
With strong hashes that are preferably used, such as MDS. The
UN and UD caches are also Weakly consistent With the server,
but both UN and UD are strongly consistent With the local
host ?le system, as is the kernel cache. UN and UD can be
direct access to the name, but not to the hash. The kernel cache
[0120]
[0123]
have its oWn cache entry. If a given process attempts a neW ?le
access, the stateful ?lter Will experience a cache miss for that
?le, Which Will cause it to submit the ?le access request to the
triggers and actions module. The ?ag for the requested opera
tion (read, Write, or execute) should be set to permit if
module 90 alloWs it. OtherWise, it should be set to block. If
a process Which has only obtained one kind of permission
(e.g., read) then tries another kind of access (e. g., Write),
module 90 Will again be contacted.
[0124]
entries Which for some reason are not removed. It also alloWs
name antibody Was banned based on its name, then the GetA
This event speci?es the ?lename and the dirty operation. The
kernel cache 82 is not consulted for this operation, as the dirty
bers. As hosts poll in, they check their version numbers. When
query from the server (i.e., the hosts pull the neW ban data
US 2012/0216246 A1
bodies Which have changed since the last poll. Preferably, the
server sends the current number, and When the host realiZes
the mismatch, it asks the server for an antibody update, and
the list of data antibodies is returned. These then are merged
into the host antibodies, and changes are also sent doWn into
the kernel too. Although the host may get and store some
antibodies for data Which it has never seen, generally only
those antibodies Which correspond to existing host ?les are
merged. The others are usually discarded. The server caches
the last feW minutes of updates, to minimiZe the effect of
servers and get antibody update lists. The super server can
merge them, and send out tailored updates for each server.
These updates are all Weakly consistent, in that they can lag
server has not seen the hash before or if the server analysis is
speci?ed states.
[0136] One issue is With the initial states of the cache and
initial policies. The server cache can be preloaded With
knoWn good and bad hash antibodies, or it can be empty, and
US 2012/0216246 A1
sockets needed.
[0153] The connected hosts each process their FindFile
neW program called inst.exe and then renames and executes it.
[0157]
pleted.
[0139] The kernel cache contains antibodies for almost all
?les in the ?le system upon initialization. Operations that
could leave holes in the kernel cache or other inconsistencies,
even for brief times, are delayed and interlocked so that
consistency is maintained. The user space caches are opti
miZed to resolve kernel misses With very loW latencies.
Whereas the kernel and user space caches are quite insensi
tive to server-side latencies, the kernel cache is sensitive to
[0159]
[0160]
[0161]
[0162] (9) one or more host ?le states associated With the
?le from a set of at least three states: approved, banned,
pending analysis,
[0163] (10) Whether certain ?le operations have been
performed by the host on the ?le, and
[0164] (l l) a host group.
[0165]
FindFile
[0146]
[0147]
[0148]
[0149] (9) one or more host ?le states associated With the
?le from a set of at least three states: approved, banned,
(NameBan, BanByHash).
[0150] (10) Whether certain ?le operations have been
performed by the host on the ?le, and
[0151] (l l) a host group.
[0152] Referring to FIG. 4, a completed FindFile request is
analogous to an email in that the server posts a request for
FindFile result lists from the hosts. This union of these lists is
the complete FindFile request response, and it builds up over
can affect and trigger SNMP, syslog, alarms, and other noti
?cation systems.
[0167]