-
Publication No.: US20170255778A1
Publication date: 2017-09-07
Application No.: US15063086
Filing date: 2016-03-07
Applicant: CrowdStrike, Inc.
CPC classes: G06F21/57 , G06F9/45558 , G06F21/53 , G06F21/54 , G06F21/554 , G06F2009/45583 , G06F2221/034
Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations. In response to one of those specific operations, the security agent component may return a false indication of success, or may allow the operation in order to monitor the actor associated with it. When an operation affects another memory location on one of those pages, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.
-
Publication No.: US09621515B2
Publication date: 2017-04-11
Application No.: US14709779
Filing date: 2015-05-12
Applicant: CrowdStrike, Inc.
CPC classes: G06F21/566 , G06F9/46 , G06F21/554 , G06F21/56 , G06F21/567 , G06F21/568 , G06F2221/034 , G06N5/04 , H04L41/0803 , H04L63/0245 , H04L63/1441
Abstract: A kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and use those event consumers to take action based on at least one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and, in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may use a model representing chains of execution activities and may take action based on those chains.
-
Publication No.: US20170061127A1
Publication date: 2017-03-02
Application No.: US14810840
Filing date: 2015-07-28
Applicant: CrowdStrike, Inc.
IPC class: G06F21/57
CPC class: G06F21/575
Abstract: Techniques using library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that the kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that the operating system would otherwise delete before driver initialization and may provide that information to the kernel-mode component.
-
Publication No.: US20150326614A1
Publication date: 2015-11-12
Application No.: US14792177
Filing date: 2015-07-06
Applicant: CrowdStrike, Inc.
Inventors: Dmitri Alperovitch , George Robert Kurtz , David Frederick Diehl , Sven Krasser , Adam S. Meyers
IPC class: H04L29/06
CPC classes: G06Q50/01 , G06Q10/00 , H04L63/104 , H04L63/107 , H04L63/14 , H04L63/1441 , H04L63/20
Abstract: Techniques for social sharing of security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, each client entity belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group.
-
Publication No.: US20150101044A1
Publication date: 2015-04-09
Application No.: US14048920
Filing date: 2013-10-08
Applicant: CrowdStrike, Inc.
Inventors: Daniel T. Martin , David F. Diehl
IPC class: G06F21/50
CPC classes: G06F21/552 , G06F11/3006 , G06F11/3089 , G06F21/554 , G06F2201/86 , G06F2201/875 , H04L63/1425
Abstract: A computing device described herein is configured to receive a notification of an event associated with a plurality of system components. In response, the computing device determines a state for the system components based on a state, specified in an event model, for one of those system components. That specified state in the event model reflects a previous occurrence of another event.
-
Publication No.: US20150033339A1
Publication date: 2015-01-29
Application No.: US13953608
Filing date: 2013-07-29
Applicant: CrowdStrike, Inc.
Inventor: Jason Geffner
IPC class: G06F21/56
CPC class: G06F21/56
Abstract: The techniques described herein identify, and/or distinguish between, legitimate code and/or irrelevant code in programs so that an analyst does not have to spend additional time sifting through and/or considering the irrelevant code when viewing the code of the program. Therefore, the analyst can be more efficient when determining the type of a program (e.g., malware) and/or when determining the actions of the program. For instance, a security researcher may be tasked with identifying the malware and/or determining the harmful or deceptive actions the malware executes on a computer (e.g., deletion of a file, or the targeting of sensitive information such as social security numbers or credit card numbers).
-
Publication No.: US11687649B2
Publication date: 2023-06-27
Application No.: US17008038
Filing date: 2020-08-31
Applicant: Crowdstrike, Inc.
CPC classes: G06F21/554 , G06F9/545 , G06F9/547 , G06F21/33 , G06F21/566
Abstract: A security agent executing in kernel mode may receive a request from an anti-malware component executing with low privileges in user mode and, in response, may perform a security action with respect to a malicious file detected on the computing device. The security agent may then assist the anti-malware component in providing a user notification about the security action by obtaining, on behalf of the anti-malware component, a user token associated with the user session in which the malicious file was detected. The anti-malware component can use the obtained user token to request a pointer to a Component Object Model (COM) interface for outputting the notification in the context of the appropriate user session, which allows the user notification to be provided securely and efficiently.
-
Publication No.: US20230164152A1
Publication date: 2023-05-25
Application No.: US18094580
Filing date: 2023-01-09
Applicant: CrowdStrike, Inc.
IPC class: H04L9/40
CPC classes: H04L63/1416 , H04L63/1425 , H04L63/1441
Abstract: Techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst, who verifies the malicious incidents. Based on patterns and information conveyed in the visualizations, the computing device or host device may take action to protect the operation of the host device from the effects of the event.
-
Publication No.: US20230164151A1
Publication date: 2023-05-25
Application No.: US18094303
Filing date: 2023-01-06
Applicant: CrowdStrike, Inc.
Inventors: David F. Diehl , Nora Lillian Sandler , Matthew Edward Noonan , Christopher Robert Gwinn , Thomas Johann Essebier
IPC classes: H04L9/40 , G06F21/54 , H04L41/042 , H04L41/28
CPC classes: H04L63/1416 , G06F21/54 , H04L41/042 , H04L41/28 , H04L63/1441
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also, at least temporarily, adjust other elements of the distributed security system during experiments or tests.
-
Publication No.: US11599641B2
Publication date: 2023-03-07
Application No.: US16855585
Filing date: 2020-04-22
Applicant: CrowdStrike, Inc.
Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of the firmware stored on that memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide them to a user-mode component of the security agent for security analysis. The security agent components may then provide the results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.