System, method and program product for detecting presence of malicious software running on a computer system
Abstract
A system, method and program product for detecting presence of malicious software running on a computer system. The method includes locally querying the system to enumerate a local inventory of tasks and network services running on the system for detecting presence of malicious software running on the system and remotely querying the system from a remote system via a network to enumerate a remote inventory of tasks and network services running on the system for detecting presence of malicious software running on the system, where the local inventory enumerates ports in use on the system and where the remote inventory enumerates ports in use on the system. Further, the method includes collecting the local inventory and the remote inventory and comparing the local inventory with the remote inventory to identify any discrepancies between the local and the remote inventories for detecting presence of malicious software running on the system.
Claims
exact text as granted — not AI-modified1 . A method of detecting presence of a malicious service agent running on a computer system, said method comprising the steps of:
locally querying a computer system to enumerate a local inventory of tasks and network services currently running on said computer system in order to detect presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system; remotely querying via a network said computer system from a remote computer system to enumerate a remote inventory of tasks and network services currently running on said computer system in order to detect presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system; collecting each of said local inventory of tasks and network services enumerated and collecting each of said remote inventory of tasks and network services enumerated; and comparing said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system.
2 . The method according to claim 1 , wherein said locally querying step further comprises the steps of:
providing a first tool for locally detecting presence of said malicious service agent running on said computer system; and utilizing said first tool to conduct a local scan of said computer system to locally query said computer system.
3 . The method according to claim 2 , wherein said remotely querying step further comprises the steps of:
providing a second tool for remotely detecting presence of said malicious service agent running on said computer system; and utilizing said second tool to conduct a remote scan of said computer system to remotely query said computer system.
4 . The method according to claim 3 , wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.
5 . The method according to claim 4 , further comprising:
flagging said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies identified for determining presence of said malicious service agent running on said computer system.
6 . A system for detecting presence of a malicious service agent running on a host computer system, comprising:
a network communications channel; a host computer system connected to said network communications channel; a first tool for locally detecting presence of a malicious service agent on said host computer system, said first tool being installed locally on said host computer system to conduct a local scan of said host computer system; a remote computer system connected to said network communications channel; a second tool for remotely detecting presence of said malicious service agent on said host computer system, said second tool being installed on said remote computer system for conducting a remote scan of said host computer system; and a results correlation engine for correlating results collected from said local scan of said host computer system and said remote scan of said host computer system, said results correlation engine identifying any discrepancies between said local scan and said remote scan of said host computer system for detecting presence of said malicious service agent on said host computer system.
7 . The system according to claim 6 , further comprising:
a third tool for providing a discrepancy report, said discrepancy report reporting said any discrepancies identified between said local scan and said remote scan of said host computer system for detecting presence of said malicious service agent on said host computer system.
8 . The system according to claim 7 , wherein said first tool locally queries said host computer system to enumerate a local inventory of tasks and network services currently running on said host computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said host computer system, and wherein a port of said respective ports enumerated in said local inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.
9 . The system according to claim 8 , wherein said second tool remotely queries said host computer system to enumerate a remote inventory of tasks and network services currently running on said host computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said host computer system, and wherein a port of said respective ports enumerated in said remote inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.
10 . The system according to claim 9 , further comprising a fourth tool for flagging said host computer system having said any discrepancies identified in order to conduct further tests to evaluate said any discrepancies for verifying presence of said malicious service agent running on said host computer system.
11 . A computer program product for detecting presence of a malicious service agent running on a host computer system, said computer program product comprising:
a computer readable storage medium; first program instructions to locally query a computer system for enumeration of a local inventory of tasks and network services currently running on said computer system for detecting presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system; second program instructions to remotely query via a network said computer system from a remote computer system for enumeration of a remote inventory of tasks and network services currently running on said computer system for detecting presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system; third program instructions to collect each of said local inventory of tasks and network services enumerated and to collect each of said remote inventory of tasks and network services enumerated; fourth program instructions to compare said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system, and wherein said first, second, third and fourth program instructions are recorded on said computer readable storage medium.
12 . The computer program product according to claim 11 , further comprising:
fifth program instructions to flag said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies, wherein said fifth program instructions are recorded on said computer readable medium.
13 . The computer program product according to claim 12 , wherein said first program instructions further comprise instructions to provide a first tool for locally detecting presence of said malicious service agent running on said computer system, and to utilize said first tool to conduct a local scan of said computer system to locally query said computer system.
14 . The computer program product according to claim 13 , wherein said second program instructions further comprise instructions to provide a second tool for remotely detecting presence of said malicious service agent running on said computer system, and to utilize said second tool to conduct a remote scan of said computer system to remotely query said computer system.
15 . The computer program product according to claim 14 , wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.
16 . A computer system for detecting presence of a malicious service agent running on a host computer system, comprising:
first program instructions to locally query a computer system for enumeration of a local inventory of tasks and network services currently running on said computer system for detecting presence of a malicious service agent running on said computer system, wherein said local inventory of tasks and network services enumerated includes respective ports in use on said computer system; second program instructions to remotely query via a network said computer system from a remote computer system for enumeration of a remote inventory of tasks and network services currently running on said computer system for detecting presence of said malicious service agent running on said computer system, wherein said remote inventory of tasks and network services enumerated includes respective ports in use on said computer system; third program instructions to collect each of said local inventory of tasks and network services enumerated and to collect each of said remote inventory of tasks and network services enumerated; fourth program instructions to compare said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said computer system; a computer readable storage medium for storing each of said first, second, third and fourth program instructions; and a central processing unit for executing each of said first, second, third and fourth program instructions.
17 . The computer system according to claim 16 , fifth program instructions to flag said computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies, wherein said fifth program instructions are stored on said computer readable storage medium for execution by said central processing unit.
18 . The computer system according to claim 17 , wherein said first program instructions further comprise instructions to provide a first tool for locally detecting presence of said malicious service agent running on said computer system, and to utilize said first tool to conduct a local scan of said computer system to locally query said computer system.
19 . The computer system according to claim 18 , wherein said second program instructions further comprise instructions to provide a second tool for remotely detecting presence of said malicious service agent running on said computer system, and to utilize said second tool to conduct a remote scan of said computer system to remotely query said computer system.
20 . The computer system according to claim 19 , wherein a port of said respective ports comprises at least one of: an open port, a closed port and a filtered port.
21 . A process for deploying computing infrastructure comprising integrating computer-readable code into a computing system, wherein said code in combination with said computing system is capable of detecting presence of a malicious service agent running on a host computer system, said process comprising the steps of:
locally running a first tool on a host computer system for conducting a local scan of said host computer system, said local scan enumerating a local inventory of tasks and network services currently running on said computer system and enumerating respective ports in use on said host computer system; remotely running a second tool on said host computer system for conducting a remote scan of said host computer system, said remote scan enumerating a remote inventory of tasks and network services currently running on said computer system and enumerating respective ports in use on said host computer system; and correlating results collected from said local scan and said remote scan of said host computer system to identify any discrepancies between said local inventory of tasks and network services enumerated and said remote inventory of tasks and network services enumerated for detecting presence of said malicious service agent running on said host computer system.
22 . The process according to claim 21 , wherein said correlating step includes the step of:
comparing said local inventory of tasks and network services enumerated with said remote inventory of tasks and network services enumerated to identify said any discrepancies.
23 . The process according to claim 22 , wherein a port of said respective ports enumerated in each of said local inventory of tasks and network services currently running on said host computer system and said remote inventory of tasks and network services currently running on said host computer system comprises at least one of: an open port, a closed port and a filtered port.
24 . The process according to claim 23 , further comprising:
providing a discrepancy report for reporting said any discrepancies identified for evaluating presence of said malicious service agent running on said host computer system.
25 . The process according to claim 24 , further comprising:
flagging said host computer system having said any discrepancies identified for conducting further tests to evaluate said any discrepancies identified for determining presence of said malicious service agent running on said host computer system.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.