System and method for strategic anti-malware monitoring
Abstract
The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for remote scanning, comprising:
receiving, via a credentialed scan of a scanning target located in a network or from a local agent executing on the scanning target, information describing a set of current connections on the scanning target; detecting that a current connection among the set of current connections is associated with a compromised host having a known malicious Internet Protocol (IP) address; performing one or more actions to facilitate isolation of the network from malicious traffic attributable to the compromised host.
2 . The method of claim 1 , wherein the known malicious IP address corresponds to a known botnet IP address.
3 . The method of claim 1 , wherein the one or more actions comprise:
generation of a report that identifies the compromised host as being associated with the known malicious IP address, or disablement of network connectivity for at least the compromised host to isolate the network from malicious traffic, or a combination thereof.
4 . The method of claim 1 , wherein the detecting includes:
identification of one or more IP addresses associated with each of the set of current connections on the scanning targets; comparison of the one or more identified IP addresses to a list that includes one or more known malicious IP addresses.
5 . The method of claim 4 ,
wherein the one or more identified IP addresses comprise a source IP address and a destination IP address associated with each of the set of current connections on the scanning target, wherein the source IP address and the destination IP address are compared to the list.
6 . The method of claim 1 , wherein the known malicious IP address is previously identified as associated with a respective host with one or more virus infections, one or more malware infections, one or more backdoor installations, one or more exploitable default accounts, one or more adware installations, one or more software installations known to be vulnerable to infection, one or more peer-to-peer (P2P) software installations, or a combination thereof.
7 . A method for remote scanning, comprising:
receiving, via a credentialed scan of a scanning target located in a network, information describing an object on the scanning target; determining that the scanning target includes an infection or a vulnerability based at least in part upon the information describing the object on the scanning target; performing one or more actions to facilitate remediation of the infection or the vulnerability based on the determination.
8 . The method of claim 7 , wherein the one or more actions comprise:
generation of a report that identifies the scanning target as infected or vulnerable to infection, or disabling network connectivity for at least the scanning target to isolate the network from malicious traffic, or a combination thereof.
9 . The method of claim 7 , wherein the object comprises a running process.
10 . The method of claim 7 , wherein the object comprises a configuration.
11 . The method of claim 10 , wherein the configuration comprises an operating system running on the scanning target, whether one or more passwords for one or more users associated with the scanning target complies with one or more policies, whether the scanning target stores a particular type of data, or a combination thereof.
12 . The method of claim 7 , wherein the object comprises a file.
13 . The method of claim 12 , wherein the information comprises a signature of the file, a hash of the file, a checksum associated with the file, or a combination thereof.
14 . The method of claim 13 , wherein the information comprises a message digest 5 (MD5) hash or checksum of the file.
15 . The method of claim 12 ,
wherein the information comprises a hash of the file, and wherein the determination is based on a comparison between the hash of the file to a database of file signatures.
16 . The method of claim 15 , wherein the database of file signatures comprises a blacklist of known malware signatures.
17 . The method of claim 15 , wherein the database of file signatures comprises a whitelist of trusted file signatures.
18 . An apparatus, comprising:
a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: receive, via a credentialed scan of a scanning target located in a network or from a local agent executing on the scanning target, information describing a set of current connections on the scanning target; detect that a current connection among the set of current connections is associated with a compromised host having a known malicious Internet Protocol (IP) address; perform one or more actions to facilitate isolation of the network from malicious traffic attributable to the compromised host.
19 . The apparatus of claim 18 , wherein the known malicious IP address corresponds to a known botnet IP address.
20 . The apparatus of claim 18 , wherein the one or more actions comprise:
generation of a report that identifies the compromised host as being associated with the known malicious IP address, or disablement of network connectivity for at least the compromised host to isolate the network from malicious traffic, or a combination thereof.
21 . The apparatus of claim 18 , wherein the detecting includes:
identification of one or more IP addresses associated with each of the set of current connections on the scanning targets; comparison of the one or more identified IP addresses to a list that includes one or more known malicious IP addresses.
22 . The apparatus of claim 21 ,
wherein the one or more identified IP addresses comprise a source IP address and a destination IP address associated with each of the set of current connections on the scanning target, wherein the source IP address and the destination IP address are compared to the list.
23 . The apparatus of claim 18 , wherein the known malicious IP address is previously identified as associated with a respective host with one or more virus infections, one or more malware infections, one or more backdoor installations, one or more exploitable default accounts, one or more adware installations, one or more software installations known to be vulnerable to infection, one or more peer-to-peer (P2P) software installations, or a combination thereof.
24 . An apparatus, comprising:
a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: receive, via a credentialed scan of a scanning target located in a network, information describing an object on the scanning target; determine that the scanning target includes an infection or a vulnerability based at least in part upon the information describing the object on the scanning target; perform one or more actions to facilitate remediation of the infection or the vulnerability based on the determination.
25 . The apparatus of claim 24 , wherein the one or more actions comprise:
generation of a report that identifies the scanning target as infected or vulnerable to infection, or disabling network connectivity for at least the scanning target to isolate the network from malicious traffic, or a combination thereof.
26 . The apparatus of claim 24 , wherein the object comprises a running process.
27 . The apparatus of claim 24 , wherein the object comprises a configuration.
28 . The apparatus of claim 27 , wherein the configuration comprises an operating system running on the scanning target, whether one or more passwords for one or more users associated with the scanning target complies with one or more policies, whether the scanning target stores a particular type of data, or a combination thereof.
29 . The apparatus of claim 24 , wherein the object comprises a file.
30 . The apparatus of claim 29 , wherein the information comprises a signature of the file, a hash of the file, a checksum associated with the file, or a combination thereof.
31 . The apparatus of claim 30 , wherein the information comprises a message digest 5 (MD5) hash or checksum of the file.
32 . The apparatus of claim 29 ,
wherein the information comprises a hash of the file, and wherein the determination is based on a comparison between the hash of the file to a database of file signatures.
33 . The apparatus of claim 32 , wherein the database of file signatures comprises a blacklist of known malware signatures.
34 . The apparatus of claim 32 , wherein the database of file signatures comprises a whitelist of trusted file signatures.
35 . A non-transitory computer-readable medium storing computer-executable instructions that, when executed by an apparatus, cause the apparatus to:
receive, via a credentialed scan of a scanning target located in a network or from a local agent executing on the scanning target, information describing a set of current connections on the scanning target; detect that a current connection among the set of current connections is associated with a compromised host having a known malicious Internet Protocol (IP) address; perform one or more actions to facilitate isolation of the network from malicious traffic attributable to the compromised host.
36 . The non-transitory computer-readable medium of claim 35 , wherein the known malicious IP address corresponds to a known botnet IP address.
37 . The non-transitory computer-readable medium of claim 35 , wherein the one or more actions comprise:
generation of a report that identifies the compromised host as being associated with the known malicious IP address, or disablement of network connectivity for at least the compromised host to isolate the network from malicious traffic, or a combination thereof.
38 . The non-transitory computer-readable medium of claim 35 , wherein the detecting includes:
identification of one or more IP addresses associated with each of the set of current connections on the scanning targets; comparison of the one or more identified IP addresses to a list that includes one or more known malicious IP addresses.
39 . The non-transitory computer-readable medium of claim 38 ,
wherein the one or more identified IP addresses comprise a source IP address and a destination IP address associated with each of the set of current connections on the scanning target, wherein the source IP address and the destination IP address are compared to the list.
40 . The non-transitory computer-readable medium of claim 35 , wherein the known malicious IP address is previously identified as associated with a respective host with one or more virus infections, one or more malware infections, one or more backdoor installations, one or more exploitable default accounts, one or more adware installations, one or more software installations known to be vulnerable to infection, one or more peer-to-peer (P2P) software installations, or a combination thereof.
41 . A non-transitory computer-readable medium storing computer-executable instructions that, when executed by an apparatus, cause the apparatus to:
receive, via a credentialed scan of a scanning target located in a network, information describing an object on the scanning target; determine that the scanning target includes an infection or a vulnerability based at least in part upon the information describing the object on the scanning target; perform one or more actions to facilitate remediation of the infection or the vulnerability based on the determination.
42 . The non-transitory computer-readable medium of claim 41 , wherein the one or more actions comprise:
generation of a report that identifies the scanning target as infected or vulnerable to infection, or disabling network connectivity for at least the scanning target to isolate the network from malicious traffic, or a combination thereof.
43 . The non-transitory computer-readable medium of claim 41 , wherein the object comprises a running process.
44 . The non-transitory computer-readable medium of claim 41 , wherein the object comprises a configuration.
45 . The non-transitory computer-readable medium of claim 44 , wherein the configuration comprises an operating system running on the scanning target, whether one or more passwords for one or more users associated with the scanning target complies with one or more policies, whether the scanning target stores a particular type of data, or a combination thereof.
46 . The non-transitory computer-readable medium of claim 41 , wherein the object comprises a file.
47 . The non-transitory computer-readable medium of claim 46 , wherein the information comprises a signature of the file, a hash of the file, a checksum associated with the file, or a combination thereof.
48 . The non-transitory computer-readable medium of claim 47 , wherein the information comprises a message digest 5 (MD5) hash or checksum of the file.
49 . The non-transitory computer-readable medium of claim 46 ,
wherein the information comprises a hash of the file, and wherein the determination is based on a comparison between the hash of the file to a database of file signatures.
50 . The non-transitory computer-readable medium of claim 49 , wherein the database of file signatures comprises a blacklist of known malware signatures.
51 . The non-transitory computer-readable medium of claim 49 , wherein the database of file signatures comprises a whitelist of trusted file signatures.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.