System and method for strategic anti-malware monitoring
Abstract
The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for passively scanning a network, the method comprising:
sniffing, by an endpoint passive scanner deployed on an endpoint device, network traffic traveling to and/or from the endpoint device, the network traffic comprising a plurality of packets; and detecting, by the endpoint passive scanner, information that facilitates discovery of one or more assets of the network and/or identification of one or more vulnerabilities in one or more network entities and/or one or more services based on the sniffed network traffic.
2 . The method of claim 1 , further comprising:
discovering, by the endpoint passive scanner, the one or more assets of the network and/or identifying the one or more vulnerabilities based on the detected information.
3 . The method of claim 2 ,
wherein discovering the one or more assets includes discovering attributes of the one or more assets, and/or wherein identifying the one or more vulnerabilities includes identifying attributes of the one or more vulnerabilities.
4 . The method of claim 2 , further comprising:
providing, by the endpoint passive scanner, an asset-vulnerability report comprising the one or more discovered assets and/or the one or more identified vulnerabilities to a vulnerability manager (VM), wherein the VM is external to the endpoint device.
5 . The method of claim 4 , wherein the VM is configured to build a network topology of the network based on one or more asset-vulnerability reports from one or more endpoint passive scanners.
6 . The method of claim 4 , further comprising:
performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and providing, by the endpoint agent, a vulnerability scan report to the VM, the vulnerability scan report comprising a result of performing the vulnerability scan.
7 . The method of claim 6 , wherein the VM is configured to correlate the one or more discovered assets and/or the one or more identified vulnerabilities of the asset-vulnerability report with the vulnerability scan report.
8 . The method of claim 1 , further comprising:
providing, by the endpoint passive scanner, a detection report comprising the detected information to a vulnerability manager (VM), wherein the VM is external to the endpoint device.
9 . The method of claim 8 , wherein the VM is configured to discover the one or more assets of the network and/or identify the one or more vulnerabilities in the one or more network entities and/or the one or more services based on one or more detection reports from one or more endpoint passive scanners.
10 . The method of claim 8 , wherein the VM is configured to build a network topology of the network based on one or more detection reports from one or more endpoint passive scanners.
11 . The method of claim 8 , further comprising:
performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and providing, by the endpoint agent, a vulnerability scan report to the VM, the vulnerability scan report being a report of a result of performing the vulnerability scan.
12 . The method of claim 11 , wherein the VM is configured to correlate the one or more discovered assets and/or the one or more identified vulnerabilities of the asset-vulnerability report with the vulnerability scan report.
13 . The method of claim 1 , wherein the one or more assets of the network include any combination of:
one or more network entities, one or more applications and/or services running on the one or more network entities, and operating systems running on the one or more network entities.
14 . The method of claim 13 , wherein the one or more vulnerabilities of the network include one or both of:
one or more vulnerabilities associated with one or more applications running on one or more network entities, and one or more vulnerabilities associated with one or more services running on the one or more network entities.
15 . A method for passively scanning a network, the method comprising:
obtaining information that is detected based on network traffic traveling to and/or from an endpoint device that is sniffed by an endpoint passive scanner deployed on the endpoint device, the network traffic comprising a plurality of packets; and discovering one or more assets of the network and/or identifying one or more vulnerabilities in one or more network entities and/or one or more services based on the obtained information.
16 . The method of claim 15 ,
wherein discovering the one or more assets includes discovering attributes of the one or more assets, and/or wherein identifying the one or more vulnerabilities includes identifying attributes of the one or more vulnerabilities.
17 . The method of claim 15 ,
wherein obtaining is performed by the endpoint passive scanner, and wherein discovering and/or identifying are performed by the endpoint passive scanner.
18 . The method of claim 17 , further comprising:
building, by a vulnerability manager (VM), a network topology of the network based on the one or more discovered assets and/or the one or more identified vulnerabilities, wherein the VM is external to the endpoint device.
19 . The method of claim 18 , further comprising:
performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and correlating, by the VM, the one or more discovered assets and/or the one or more identified vulnerabilities with the vulnerability scan.
20 . The method of claim 15 ,
wherein obtaining is performed by the endpoint passive scanner, and wherein discovering and/or identifying are performed by a vulnerability manager (VM) based the obtained information, the VM being external to the endpoint device.
21 . The method of claim 20 , further comprising:
building, by a vulnerability manager (VM), a network topology of the network based on the obtained information.
22 . The method of claim 20 , further comprising:
performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and correlating, by the VM, the one or more discovered assets and/or the one or more identified vulnerabilities with the vulnerability scan.
23 . The method of claim 15 ,
wherein the one or more assets of the network include any combination of:
one or more network entities,
one or more applications and/or services running on the one or more network entities, and
operating systems running on the one or more network entities, and
wherein the one or more vulnerabilities include one or both of:
one or more vulnerabilities associated with one or more applications running on one or more network entities, and
one or more vulnerabilities associated with one or more services running on the one or more network entities.
24 . An endpoint device configured to passively scan a network, comprising:
a memory; and at least one processor coupled to the memory, wherein when an endpoint passive scanner is deployed on the endpoint device, the at least one processor and the memory are configured to:
sniff network traffic traveling to and/or from the endpoint device, the network traffic comprising a plurality of packets; and
detect information that facilitates discovery of one or more assets of the network and/or identification of one or more vulnerabilities in one or more network entities and/or one or more services based on the sniffed network traffic.
25 . A device, comprising:
a memory; and at least one processor coupled to the memory, wherein the at least one processor and the memory are configured to: obtain information that is detected based on network traffic traveling to and/or from an endpoint device that is sniffed by an endpoint passive scanner deployed on the endpoint device, the network traffic comprising a plurality of packets; and discover one or more assets of the network and/or identify one or more vulnerabilities in one or more network entities and/or one or more services based on the obtained information.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.