-
Publication (Announcement) No.: US11599641B2
Publication (Announcement) Date: 2023-03-07
Application No.: US16855585
Filing Date: 2020-04-22
Applicant: CrowdStrike, Inc.
Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of firmware stored on the memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide the firmware image and hardware metadata to a user-mode component of the security agent for security analysis. The security agent components may then provide results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.
-
Publication (Announcement) No.: US11563756B2
Publication (Announcement) Date: 2023-01-24
Application No.: US16849411
Filing Date: 2020-04-15
Applicant: Crowdstrike, Inc.
Inventors: David F. Diehl, Nora Lillian Sandler, Matthew Edward Noonan, Christopher Robert Gwinn, Thomas Johann Essebier
IPC Classification: G06F11/00, H04L9/40, G06F21/54, H04L41/042, H04L41/28
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication (Announcement) No.: US11423186B2
Publication (Announcement) Date: 2022-08-23
Application No.: US16248315
Filing Date: 2019-01-15
Applicant: CrowdStrike, Inc.
Abstract: Some example computing systems herein include two modules, e.g., drivers. A first can instantiate an interface associated with a service routine; receive, by the service routine, a verification message; and send, in response, a confirmation message via the interface. A second can locate the interface; open a handle to the interface; send the verification message via the handle, the verification message identifying at least an interface type or a version; and receive, via the handle, the confirmation message associated with the verification message. In some examples, the first driver is a Plug and Play driver. In some examples, the first module can receive, by the service routine, a command associated with the interface; determine that the command is a valid command based at least in part on stored command data; and send, via the interface, a response to the command.
-
Publication (Announcement) No.: US20220147636A1
Publication (Announcement) Date: 2022-05-12
Application No.: US17095884
Filing Date: 2020-11-12
Applicant: CrowdStrike, Inc.
Inventors: Harsha Mahuli, Cat S. Zimmermann
Abstract: A system for updating a security sensor that monitors potential security threats on an endpoint computing device is configured to access an updated version of the computing environment running on the endpoint computing device. The system builds an updated security sensor based at least in part on the updated version of the computing environment. The system determines compatibility of the updated security sensor with an earlier version of the computing environment by comparing the updated security sensor with an earlier version of the security sensor that was built for the earlier-version computing environment. The system communicates an indication of the compatibility to the endpoint computing device.
-
Publication (Announcement) No.: US11163880B2
Publication (Announcement) Date: 2021-11-02
Application No.: US15721508
Filing Date: 2017-09-29
Applicant: CrowdStrike, Inc.
Inventors: Cat S. Zimmermann, Steven King
Abstract: A security agent for a host computing device may be implemented with multiple levels of indirection from an operating system (OS) kernel of the computing device in order to facilitate software upgrades for the security agent. An unserviceable kernel-mode component of the security agent may directly interface with the OS kernel and hook into a function (e.g., a security callback function) of the OS kernel in a first level of indirection, while a serviceable kernel-mode component of the security agent, which is upgradable, may indirectly interface with the OS kernel via the unserviceable kernel-mode component in a second level of indirection. The serviceable kernel-mode component may be configured to process events, and/or data related thereto, received from the OS kernel via the unserviceable kernel-mode component in order to monitor activity on the computing device for malware attacks.
-
Publication (Announcement) No.: US20210329013A1
Publication (Announcement) Date: 2021-10-21
Application No.: US16849450
Filing Date: 2020-04-15
Applicant: CrowdStrike, Inc.
IPC Classification: H04L29/06, G06F16/2455
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
-
Publication (Announcement) No.: US11113425B2
Publication (Announcement) Date: 2021-09-07
Application No.: US15873670
Filing Date: 2018-01-17
Applicant: Crowdstrike, Inc.
IPC Classification: G06F21/00, G06F21/82, G06F13/40, G06F21/71, G06F13/38, G06F21/56, G06F21/57, G06F21/55, G06F9/4401, G06F21/85, G06F13/20
Abstract: A plug-and-play (PnP) driver associated with a security agent is described herein. The PnP driver attaches to device stacks of enumerated bus devices of a computing device as upper-device or lower-device filters based on the device classes of the enumerated bus devices. For example, the PnP driver may attach to the device stack of a hub or controller device as an upper-device filter and to device stacks of other devices as lower-device filters. Either while attaching or after attachment, the PnP driver may take action to alter, limit, or otherwise block functionality of an enumerated bus device. The PnP driver may also perform a system inventory of enumerated bus devices connected to the computing device and create fingerprints for one or more of the computing devices. Additionally, the PnP driver may create and remove control device objects (CDOs) to enable communication with user-mode processes or threads.
-
Publication (Announcement) No.: US20210263790A1
Publication (Announcement) Date: 2021-08-26
Application No.: US17234602
Filing Date: 2021-04-19
Applicant: CrowdStrike, Inc.
Inventors: Vincenzo Iozzo, Giovanni Gola
Abstract: A computer-processor executable container application operates within an operating system, such as an Android operating system. The application is itself configured to execute applications contained within the container application. The container application may create a secure computing environment in which business applications on a computing device can be protected and monitored without affecting or interacting with other applications or data on the computing device. Such a secure computing environment may enable businesses to protect their data residing on a personal computing device and to have visibility into how the data is accessed, used, and shared, while not interfering with personal use of the personal computing device.
-
Publication (Announcement) No.: US10983849B2
Publication (Announcement) Date: 2021-04-20
Application No.: US16289344
Filing Date: 2019-02-28
Applicant: CrowdStrike, Inc.
Inventors: Vincenzo Iozzo, Giovanni Gola
Abstract: A computer-processor executable container application operates within an operating system, such as an Android operating system. The application is itself configured to execute applications contained within the container application. The container application may create a secure computing environment in which business applications on a computing device can be protected and monitored without affecting or interacting with other applications or data on the computing device. Such a secure computing environment may enable businesses to protect their data residing on a personal computing device and to have visibility into how the data is accessed, used, and shared, while not interfering with personal use of the personal computing device.
-
Publication (Announcement) No.: US20210056078A1
Publication (Announcement) Date: 2021-02-25
Application No.: US17091700
Filing Date: 2020-11-06
Applicant: CrowdStrike, Inc.
Inventors: Cameron Gutman, Aaron LeMasters
Abstract: Drivers in different functional paths can use different types of identifiers for the same hardware device, such that the drivers may not be able to natively coordinate their actions related to the hardware device due to incompatible identifier types. However, a driver at a file system layer of one functional path can obtain a volume Physical Device Object (PDO) identifier at a volume layer and find a disk PDO identifier at a disk layer that is associated with the same device number. The driver can also find a parent device instance identifier from the disk PDO identifier, and use the parent device instance identifier as a plug-and-play (PnP) identifier for the hardware device during communications with a second driver in a PnP functional path.