Secure system for allowing the execution of authorized computer program code
    Invention application
    Status: granted

    Publication (announcement) number: US20060150256A1

    Publication (announcement) date: 2006-07-06

    Application number: US11296094

    Application date: 2005-12-05

    IPC classification: H04L9/32

    Abstract: Systems and methods are described for allowing the execution of authorized computer program code and for protecting computer systems and networks from unauthorized code execution. In one embodiment, a multi-level proactive whitelist approach is employed to secure a computer system by allowing only the execution of authorized computer program code thereby protecting the computer system against the execution of malicious code such as viruses, Trojan horses, spy-ware, and/or the like. Various embodiments use a kernel-level driver, which intercepts or “hooks” certain system Application Programming Interface (API) calls in order to monitor the creation of processes prior to code execution. The kernel-level driver may also intercept and monitor the loading of code modules by running processes, and the passing of non-executable code modules, such as script files, to approved or running code modules via command line options, for example. Once intercepted, a multi-level whitelist approach may be used to authorize the code execution.
