Claims
- 1. A method, comprising:
receiving downloadable-information; determining whether the downloadable-information includes executable code; and causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
- 2. The method of claim 1, wherein the receiving includes monitoring received information of an information re-communicator.
- 3. The method of claim 2, wherein the information re-communicator is a network server.
- 4. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included type indicator indicating an executable file type.
- 5. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included type detector indicating an archive file that contains at least one executable.
- 6. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included file type indicator and an information pattern corresponding to one or more information patterns that tend to be included within executable code.
- 7. The method of claim 1, further comprising receiving one or more executable code characteristics of executable code that is capable of being executed by the information-destination, and wherein the determining is conducted in accordance with the executable code characteristics.
- 8. The method of claim 1, wherein the determining comprises performing one or more analyses of the downloadable-information, the analyses producing detection-indicators indicating whether a correspondence is detected between a downloadable-information characteristic and at least one respective executable code characteristic, and evaluating the detection-indicators to determine whether the downloadable-information includes executable code.
- 9. The method of claim 8, wherein at least one of the detection-indicators indicates a level of downloadable-information characteristic and executable code characteristic correspondence.
- 10. The method of claim 8, wherein the evaluating includes assigning a weighted level of importance to at least one of the indicators.
- 11. The method of claim 1, wherein the causing mobile protection code to be communicated comprises forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be communicated to the at least one information-destination.
- 12. The method of claim 10, wherein the sandboxed package is formed such that the mobile protection code will be executed by the information-destination before the downloadable-information.
- 13. The method of claim 11, wherein the sandboxed package further includes protection policies according to which the mobile protection code is operable.
- 14. The method of claim 13, wherein the sandboxed package is formed for receipt by the information-destination such that the mobile protection code is received before the downloadable-information, and the downloadable information before the protection policies.
- 15. The method of claim 13, wherein the protection policies correspond with at least one of the information-destination and a user of the information destination.
- 16. A system, comprising:
an information monitor for receiving downloadable-information; a content inspection engine communicatively coupled to the information monitor for determining whether the downloadable-information includes executable code; and a protection agent engine communicatively coupled to the content inspection engine for causing mobile protection code (“MPC”) to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
- 17. The system of claim 16, wherein the information monitor intercepts received information received by an information re-communicator.
- 18. The system of claim 17, wherein the information re-communicator is a network server.
- 19. The system of claim 16, wherein the content inspection engine comprises a file type detector for determining whether the downloadable-information includes a file type indicator indicating an executable file type.
- 20. The system of claim 16, wherein the content inspection engine comprises a parser for parsing the downloadable-information and a content analyzer communicatively coupled to the parser for determining whether one or more downloadable-information elements of the downloadable-information correspond with executable code elements are executable code elements.
- 21. The system of claim 16, wherein the content inspection engine comprises one or more downloadable-information analyzers for analyzing the downloadable-information, each analyzer producing therefrom a detection indicator indicating whether a downloadable-information characteristic corresponds with an executable code characteristic, and an inspection controller communicatively coupled to the analyzers for determining whether the indicators indicate that the downloadable-information includes executable code.
- 22. The system of claim 21, wherein at least one of the detection-indicators indicates a level of downloadable-information characteristic and executable code characteristic correspondence.
- 23. The system of claim 21, wherein the evaluating includes assigning a weighted level of importance to at least one of the detection-indicators.
- 24. The system of claim 16, wherein the sandboxed package engine comprises an MPC generator for providing the MPC, a linking engine coupled to the MPC generator for forming a protection agent including the MPC and the downloadable-information, and a transfer engine for causing the protection agent to be communicated to the at least one information-destination.
- 25. The system of claim 24, wherein the protection agent engine further comprises a policy generator communicatively coupled to the linking engine for providing protection policies according to which the MPC is operable.
- 26. The system of claim 25, wherein the sandboxed package is formed for receipt by the information-destination such that the mobile protection code is executed before the downloadable-information.
- 27. The system of claim 26, wherein the protection policies correspond with policies of at least one of the information-destination and a user of the information destination.
- 28. A system, comprising:
means for receiving downloadable-information; means for determining whether the downloadable-information includes executable code; and means for causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
- 29. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
receiving downloadable-information; determining whether the downloadable-information includes executable code; and causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
- 30. A method, comprising:
receiving, at an information re-communicator, downloadable-information, including executable code; and causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
- 31. The method of claim 30, wherein the mobile code executor is a Java Virtual Machine.
- 32. The method of claim 30, wherein the mobile code executor is the operating system, running native code executables.
- 33. The method of claim 30, wherein the mobile code executor is an ActiveX subsystem of the Windows operating system.
- 34. The method of claim 30, wherein the mobile code executor is the Microsoft Windows scripting host.
- 35. The method of claim 30, wherein the causing is accomplished by forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be delivered to the downloadable-information destination.
- 36. The method of claim 35, wherein the sandboxed package further includes protection policies according to which the processing by the mobile protection code is conducted.
- 37. A sandboxed package formed according to the method of claim 35.
- 38. A sandboxed package formed according to the method of claim 36.
- 39. The method of claim 36, wherein the forming comprises generating the mobile protection code, generating the sandboxed package, and linking the mobile protection code, protection policies and downloadable-information.
- 40. The method of claim 39, wherein the generating of at least one of the mobile protection code and the protection policies is conducted in accordance with one or more destination-characteristics of the destination.
- 41. The method of claim 40, wherein the destination-characteristics include characteristics corresponding to at least one of a destination user, a destination device and a destination process.
- 42. The method of claim 35, wherein the causing the sandboxed package to be executed includes communicating the sandboxed package to a communication buffer of the information re-communicator.
- 43. The method of claim 30, wherein the re-communicator is at least one of a firewall and a network server.
- 44. The method of claim 30, wherein the sandboxed package has a same file type as the downloadable-information, thereby causing the mobile code executor to be unaware that the protected package is not a normal downloadable.
- 45. The method of claim 44, wherein the sandboxed package is formed using concatenation of a mobile protection code, a policy, and a downloadable.
- 46. The method of claim 30, wherein executing the mobile protection code at the destination causes downloadable interfaces to resources at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.
- 47. A system, comprising:
receiving means for receiving, at an information re-communicator, downloadable-information, including executable code; and mobile code means communicatively coupled to the receiving means for causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
- 48. The system of claim 47, wherein the mobile code executor is a Java Virtual Machine.
- 49. The system of claim 47, wherein the mobile code executor is an operating system, running native code executables.
- 50. The system of claim 47, wherein the mobile code executor is an ActiveX subsystem of the Windows operating system.
- 51. The system of claim 47, wherein the mobile code executor is a Microsoft Windows scripting host.
- 52. The system of claim 47, wherein the causing is accomplished by forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be delivered to the downloadable-information destination.
- 53. The system of claim 52, wherein the sandboxed package further includes protection policies according to which the processing by the mobile protection code is conducted.
- 54. The system of claim 53, wherein the forming comprises generating the mobile protection code, generating the protection policies, and linking the mobile protection code, protection policies and downloadable-information.
- 55. The system of claim 54, wherein the generating of at least one of the mobile protection code and the protection policies is conducted in accordance with one or more destination-characteristics of the destination.
- 56. The system of claim 55, wherein the destination-characteristics include characteristics corresponding to at least one of a destination user, a destination device and a destination process.
- 57. The system of claim 46, wherein the causing the sandboxed package to be executed includes communicating the sandboxed package to a communication buffer of the information re-communicator.
- 58. The system of claim 47, wherein the re-communicator is at least one of a firewall and a network server.
- 59. The system of claim 47, wherein executing the mobile protection code at the destination causes downloadable interfaces a resource at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.
- 60. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
receiving, at an information re-communicator, downloadable-information, including executable code; and causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
- 61. A method, comprising:
receiving mobile protection code (“MPC”) and a Downloadable at a Downloadable-destination; causing, by the MPC, one or more operations attempted by the Downloadable to be received by the MPC; receiving, by the MPC, an attempted operation of the Downloadable; and initiating, by the MPC, a protection policy corresponding to the attempted operation.
- 62. The method of claim 61, wherein the receiving comprises receiving a sandboxed package that includes the MPC, the Downloadable and one or more protection policies.
- 63. The method of claim 62, wherein the sandboxed package is configured such that the MPC is executed first, the Downloadable is executed by the MPC and the protection policies are accessible to the MPC.
- 64. The method of claim 61, wherein the causing comprises modifying, by the MPC, interfaces of a corresponding downloadable to resources at the destination.
- 65. The method of claim 64, wherein the modifying is accomplished by initiating a loading of the Downloadable, thereby causing a mobile code executor to provide and initialize the interfaces, modifying one or more interface elements to divert corresponding attempted Downloadable operations to the MPC, and initiating execution of the Downloadable.
- 66. The method of claim 64, wherein the interfaces comprise an import address table (“IAT”) of a native code executable downloadable.
- 67. The method of claim 64, wherein modifying the interfaces installs a filter-driver between the downloadable and the resources.
- 68. A system, comprising:
a mobile code executer for initiating received mobile code; and a sandboxed package capable of being received and initiated by the mobile code executer, the sandboxed package including a Downloadable and mobile protection code (“MPC”) for causing one or more Downloadable operations to be intercepted and for processing the intercepted operations, if the Downloadable attempts to initiate the operations.
- 69. The system of claim 60, wherein the MPC comprises:
an MPC installer for causing MPC elements to be installed; a Downloadable installer communicatively coupled to the MPC element installer for installing the Downloadable; a resource access diverter communicatively coupled to the MPC installer for causing the Downloadable operations to be intercepted; a resource access analyzer communicatively coupled to the MPC installer for receiving an intercepted Downloadable operation and determining a protection policy corresponding to the intercepted Downloadable operation; and a policy enforcer communicatively coupled to the resource access analyzer for processing the intercepted Downloadable operation.
- 70. The system of claim 69, wherein the resource access diverter modifies one or more elements of an interface usable by the Downloadable to effectuate the Downloadable operations.
- 71. The system of claim 69, wherein the mobile code executer is a Java Virtual Machine.
- 72. The system of claim 69, wherein the mobile code executor is an operating system, running native code executables.
- 73. The system of claim 69, wherein the mobile code executor is an ActiveX subsystem of the Windows operating system.
- 74. The system of claim 69, wherein the mobile code executor is a Microsoft Windows scripting host.
- 75. A system, comprising:
receiving means for receiving mobile protection code (“MPC”) and a Downloadable at a Downloadable-destination; monitoring means for causing, by the MPC, one or more operations attempted by the Downloadable to be received by the MPC; second receiving means receiving, by the MPC, an attempted operation of the Downloadable; and initiating means for initiating, by the MPC, a protection policy corresponding to the attempted operation.
- 76. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
receiving mobile protection code (“MPC”) and a Downloadable at a Downloadable-destination; causing, by the MPC, one or more operations attempted by the Downloadable to be received by the MPC; receiving, by the MPC, an attempted operation of the Downloadable; and initiating, by the MPC, a protection policy corresponding to the attempted operation.
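The content inspection described in claims 4 to 6 and 8 to 10 (type indicator, archive containing an executable, information patterns, and weighted detection-indicators) can be sketched as follows. This is an added example, not code from the patent or its applicants; the function names, magic numbers, patterns, weights, threshold and size limit are all assumptions chosen for illustration.

```python
import io
import re
import zipfile
import zlib

# Assumed values throughout: the claims name no magic numbers, patterns or weights.
MAGIC = (b"MZ", b"\x7fELF", b"\xca\xfe\xba\xbe")              # claim 4: type indicators
PATTERNS = (rb"<script\b", rb"CreateObject\s*\(", rb"WScript\.", rb"\beval\s*\(")
WEIGHTS = {"file_type": 1.0, "archive": 1.0, "pattern": 0.8}  # claim 10: importance
THRESHOLD = 0.4
MAX_MEMBER = 1 << 20                                          # bytes unpacked per member


def file_type_level(data):
    """Claim 4: 1.0 if the content starts with an executable magic number."""
    return 1.0 if data.startswith(MAGIC) else 0.0


def archive_level(data, depth=0):
    """Claim 5: 1.0 if a ZIP holds an executable; undecidable input fails closed."""
    if not data.startswith(b"PK\x03\x04"):
        return 0.0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if depth >= 2 or info.file_size > MAX_MEMBER:
                    return 1.0  # too deeply nested or too large to inspect
                member = zf.read(info)
                if file_type_level(member) or archive_level(member, depth + 1):
                    return 1.0
    except (zipfile.BadZipFile, RuntimeError, zlib.error):
        return 1.0  # corrupt or encrypted archive cannot be cleared
    return 0.0


def pattern_level(data):
    """Claims 6 and 9: graded level, the fraction of PATTERNS present."""
    return sum(bool(re.search(p, data, re.I)) for p in PATTERNS) / len(PATTERNS)


def inspect_downloadable(data):
    """Claims 8 and 10: weight each detection-indicator, decide on the strongest."""
    indicators = {"file_type": file_type_level(data),
                  "archive": archive_level(data), "pattern": pattern_level(data)}
    score = max(WEIGHTS[name] * level for name, level in indicators.items())
    return {"indicators": indicators, "executable": score >= THRESHOLD}


def constructed_zip():
    """Constructed sample: a ZIP holding a stub that carries a PE magic number."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.exe", b"MZ" + bytes(62))
    return buf.getvalue()
```

An archive that cannot be parsed is scored as executable, so a malformed container is wrapped with protection code rather than passed through uninspected.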
PRIORITY REFERENCE TO RELATED APPLICATIONS
[0001] This application claims benefit of and hereby incorporates by reference provisional application Ser. No. 60/205,591, entitled “Computer Network Malicious Code Run-time Monitoring,” filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 09/539,667, entitled “System and Method for Protecting a Computer and a Network From Hostile Downloadables” filed on Mar. 30, 2000 by inventor Shlomo Touboul. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 09/551,302, entitled “System and Method for Protecting a Client During Runtime From Hostile Downloadables”, filed on Apr. 18, 2000 by inventor Shlomo Touboul.
Provisional Applications (1)

| Number | Date | Country |
|---|---|---|
| 60205591 | May 2000 | US |
Continuation in Parts (2)

| | Number | Date | Country |
|---|---|---|---|
| Parent | 09539667 | Mar 2000 | US |
| Child | 09861229 | May 2001 | US |
| Parent | 09551302 | Apr 2000 | US |
| Child | 09861229 | May 2001 | US |