US 20170372070A1

(19) United States
(12) Patent Application Publication
     Burdett et al.
(10) Pub. No.: US 2017/0372070 A1
(43) Pub. Date: Dec. 28, 2017

(54) CLOUD STORAGE SCANNER
(71) Applicant: Sophos Limited, Abingdon (GB)
(72) Inventors: Mark R. Burdett, Abingdon (GB); Guy A. Davies, Abingdon (GB)
(21) Appl. No.: 15/635,279
(22) Filed: Jun. 28, 2017
(30) Foreign Application Priority Data
     Jun. 28, 2016 (GB) GB1611202.1

Publication Classification
(51) Int. Cl.
     G06F 21/56 (2013.01)
     G06F 17/30 (2006.01)
     H04L 29/06 (2006.01)
(52) U.S. Cl.
     CPC G06F 21/565 (2013.01); H04L 63/1425 (2013.01); G06F 17/30203 (2013.01); G06F 2221/034 (2013.01)

(57) ABSTRACT
A system, method and computer program for a scanning service is presented. A scanning service compatible with a cloud storage system is configured to receive notifications from a cloud storage service about storage event activity and to access data in the cloud storage service. The scanning service receives a notification regarding storage activity related to a file in the data. After the completion of the storage activity, the scanning service receives the file from the cloud storage service and scans the file. When a determination is made based on the scan that at least a portion of the file should not be distributed then an action is taken with respect to the cloud storage service based on the determination that at least a portion of the file should not be distributed.
WIZ, Inc. EXHIBIT - 1095
WIZ, Inc. v. Orca Security LTD.

Patent Application Publication    Dec. 28, 2017    Sheet 1 of 7    US 2017/0372070 A1

[FIGURE 1 (Sheet 1 of 7). Labels: THREAT MANAGEMENT FACILITY 100; POLICY MANAGEMENT 112; DEFINITIONS 114; TESTING 118; UPDATES 120; SECURITY MANAGEMENT 122; NETWORK ACCESS RULES 124; REMEDIAL ACTIONS 128; DETECTION TECHNIQUES 130; THREAT RESEARCH 132; ENTERPRISE FACILITY 102; ADMINISTRATION 134; FIREWALL 138A, 138B; APPLIANCE 140A, 140B; SERVER 142A, 142B, 142C; CLIENT 144A to 144G; NET DEV 148A to 148D; 152; INTERNET 154; NETWORK THREATS 104; SECONDARY LOCATION THREATS 108; PHYSICAL PROXIMITY THREATS 110.]

[FIGURE 2 (Sheet 2 of 7). Labels: COMPUTING DEVICE 210; PROCESSOR 212; MEMORY 214; NETWORK INTERFACE 216; DATA STORE 218; INPUT/OUTPUT 220; PERIPHERALS 222; OTHER HARDWARE 226; USER 230; BUS 232. Other reference numerals: 200, 202, 204.]

[FIGURE 3 (Sheet 3 of 7). Labels: Security Manager; Data Lookup; Policies; Events/Alerts; DDS; Live Protection; Cloud Infrastructure; Data Distribution; Scanning Service 304; Cloud Data Store 306; Clean File 308; Clean File 310; Malicious File 312; VPC containing VM instances 314; File Access; File Scan Request; File Modification; File Upload; Block by Permissions. Other reference numerals: 300, 302, 316, 318, 320, 322A, 322B.]

[FIGURE 4A (Sheet 4 of 7), flow diagram 400. Boxes: Create Security Manager Account; Create user/role for scanning service on cloud infrastructure; Customer adds account details to security manager; Key-store; Can scanning service scan for multiple data stores?; Yes - List cloud data stores available; User selects one or more data stores; Can scanning service scan a data store?; Yes; Scanning service returns an error. Reference numerals: 402, 404, 406, 408, 410, 412, 414, 416, 418.]

[FIGURE 4B (Sheet 5 of 7), connector A. Boxes: Cloud data store registered as "protected" in security manager; Report status. Reference numerals: 420, 422.]

[FIGURE 5A (Sheet 6 of 7), flow diagram 500, ending at connector A. Steps:
502 CONFIGURING A SCANNING SERVICE TO RECEIVE NOTIFICATIONS FROM A CLOUD STORAGE SERVICE ABOUT STORAGE ACTIVITY
504 RECEIVE, BY THE SCANNING SERVICE FROM THE CLOUD STORAGE SERVICE, A NOTIFICATION REGARDING STORAGE ACTIVITY RELATED TO A FILE
506 RECEIVE BY THE SCANNING SERVICE FROM THE CLOUD STORAGE SERVICE, THE FILE
508 SCAN FILE
510 DETERMINE FROM THE SCAN THAT AT LEAST A PORTION OF THE FILE SHOULD NOT BE DISTRIBUTED
512 DETERMINE THAT AT LEAST A PORTION OF THE FILE CONTAINS ONE OR MORE OF MALWARE, CONTENT THAT MAY CAUSE DAMAGE TO ONE OR MORE COMPUTING DEVICES, COMPROMISE FILES ON ONE OR MORE COMPUTER DEVICES, OBTAIN PRIVATE INFORMATION FROM THE ONE OR MORE COMPUTING DEVICES
514 DETERMINE THAT AT LEAST A PORTION OF THE FILE CONTAINS ONE OR MORE OF CONFIDENTIAL INFORMATION, CREDIT CARD NUMBERS, SOCIAL SECURITY NUMBERS, MULTIPLE PHONE NUMBERS AND A PREDEFINED PATTERN]

[FIGURE 5B (Sheet 7 of 7), starting at connector A. Steps:
516 TAKE AN ACTION WITH RESPECT TO THE CLOUD STORAGE SERVICE BASED ON THE DETERMINATION THAT AT LEAST A PORTION OF THE FILE SHOULD NOT BE DISTRIBUTED
518 SEND A NOTIFICATION
520 SET A PROTECTION MODE FOR THE FILE ON THE CLOUD STORAGE SERVICE
522 SET A FILE PERMISSION
524 REFRAIN FROM CHANGING A FILE PERMISSION]

US 2017/0372070 A1    Dec. 28, 2017

CLOUD STORAGE SCANNER

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority to United Kingdom Pat. App. No. 1611202.1 filed on Jun. 28, 2016, which is incorporated herein by reference in its entirety.

BACKGROUND

[0002] Malicious exploits, such as malware, may be used to compromise one or more target computing devices, cause damage to one or more computing devices or obtain private information from one or more computing devices. For example, malware may include computer viruses, Trojan horses, rootkits, key loggers, spyware, adware, viruses, worms, spam, phishing explorations, etc. Some exploits may use websites to host components of malicious code and download the components to a target computing device.
[0003] Some systems for the detection of malware in a computing device may employ signature-based detection. Such systems may also monitor the behavior or activity of applications on a computing device. However, such systems typically run on the protected computing device, with potentially some additional resources provided by other computing devices.
[0004] Cloud computing services have become increasingly popular. One example of cloud computing services is Amazon Web Services (AWS), which offers a suite of cloud computing services that provide an on-demand computing platform. AWS services span a wide range including compute, storage, networking, database, analytics, applications, deployment, management, developer tools, etc. One of the services, Amazon Simple Storage Service (S3), is a storage service. Cloud computing services provide computing capacity as an alternative to building an actual physical server farm.

SUMMARY

[0005] It is desired to provide protection against compromise (e.g., malware or other exploits) or confidential information exfiltration in cloud service environments in a manner that is simple and efficient, and with minimal performance impact on applications using the cloud computing services. It is desirable to accomplish this without use of an agent installed on the template image used in cloud-based environments. This may be accomplished in some implementations with an architecture that connects a scanning service directly to the cloud data storage associated with a target application, in a manner that is intended to be efficiently configured and managed.
[0006] Embodiments of the invention may provide an agentless scanner for a cloud storage service. The scanner is agentless in that it does not require, for example, an agent to reside on the host of the application that is using the cloud storage service. In some implementations, a scanning service for cloud storage receives notifications of storage activity from a storage monitor. For example, the scanning service may receive a notification of a file event or the file event itself, and scan the file for specific data content (e.g., potential or actual malicious content or content otherwise desired to be protected). If the scanning service returns a positive result (e.g., potential or actual malicious content or content otherwise desired to be protected), action may be taken. The action may include quarantining the file by altering permissions on the file so that at least some other applications, such as the application that is using the cloud storage service, may not access it without administrator action. A user or administrator may be notified.
[0007] As one example, an implementation of an agentless scanning service configured for AWS infrastructure uses S3 buckets for file storage, registers with the S3 service to receive notifications of file activity, receives notifications of file activity, and scans files upon receiving the notifications. If the scan result is positive, action may be taken to protect the application, such as setting permissions to make the file unavailable, notifying an administrator, moving the file, renaming the file, encrypting the file, etc. The agentless scanning service simplifies workflow for deploying and managing data protection (e.g., anti-malware, data loss prevention) for applications making use of cloud resources. Applications that are fully implemented in the cloud and applications implemented elsewhere but that make use of cloud or remote storage resources may make use of an agentless scanning service.
[0008] In general, in one aspect, a system includes a processor and a non-transitory computer readable storage medium having computer readable code thereon. The medium includes instructions executable by the processor to perform operations including configure a scanning service to receive notifications from a cloud storage service about storage activity and to access data in the cloud storage service, and receive, by the scanning service from the cloud storage service, a notification regarding storage activity related to a file in the data. The medium also includes instructions to, after the completion of the storage activity, receive by the scanning service from the cloud storage service, the file. The medium also includes instructions to scan, by the scanning service, the file. The medium also includes instructions to determine from the scan that at least a portion of the file should not be distributed; and take an action, for example, with respect to the cloud storage service, based on the determination that at least a portion of the file should not be distributed.
[0009] In some implementations, the instructions are further executable by the processor to configure the scanning service to receive notifications from said cloud storage service about storage activity associated with a plurality of accounts associated with the cloud storage service. In some implementations, the instructions are further executable by the processor to take an action by setting a protection mode for the file on the cloud storage service. In some implementations, the instructions are further executable by the processor such that the protection mode is a Notify Only mode, and based on a determination that at least a portion of the file should not be distributed, a notification is sent to a customer associated with the file.
[0010] In some implementations, when the protection mode is a Block File mode, upon the determination that at least a portion of the file should not be distributed, a file permission is set to deny access to the file.
[0011] In some implementations, a determination that at least a portion of the file should not be distributed is based on the file containing malware, such as disruptive computer instructions that may cause one or more of damage to one or more computing devices, compromising files on one or more computer devices, obtaining private information from one or more computing devices.
[0012] In some implementations, a determination that at least a portion of the file should not be distributed is based on the file containing confidential information, the confidential information including one or more of credit card numbers, social security numbers, multiple phone numbers and a predefined pattern.
[0013] In general, in one aspect, a method includes configuring a scanning service to receive notifications from a cloud storage service about storage activity, and receiving, by the scanning service from the cloud storage service, a notification regarding storage activity related to a file. The method includes, after the completion of the storage activity, loading by the scanning service from the cloud storage service, the file. The method may include scanning the file by the scanning service; determining from the scan that at least a portion of the file should not be distributed; and taking an action with respect to the cloud storage service based on the determination that at least a portion of the file should not be distributed.
[0014] In some implementations, the method may include configuring the scanning service to receive notifications from the cloud storage service about storage activity associated with a plurality of accounts associated with the cloud storage service.
[0015] The method may include setting a protection mode for the file on the cloud storage service. The protection mode may be a notify only mode, for example, wherein files may not be blocked, but an administrator may be notified. The protection mode may be a block file mode, for example, wherein an action will be taken to prevent access or distribution of a file. The method may include, when the protection mode is a notify only mode, and based on the determination that at least a portion of the file should not be distributed, sending notification to an administrator or a user associated with the file. The method may include, when the protection mode is a block file mode, and based on a determination that at least a portion of the file should not be distributed, denying application access to the file, for example, by setting a file permission, changing a file name, moving a file, etc.
[0016] Determining that at least a portion of the file should not be distributed, based on a determination that the file contains malware, which may include one or more of a file capable of damage to one or more computing devices, compromising files on one or more computer devices, obtaining private information from the one or more computing devices. Determining that at least a portion of the file should not be distributed based on one or more of the file contains confidential information, the confidential information including one or more of credit card numbers, social security numbers, multiple phone numbers or predefined patterns.
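The following Python example is added here for illustration and is not code from the application or its applicant. It walks the flow of paragraphs [0007], [0012] and [0015] for the confidential-information case only: parse a storage notification, load each completed upload, scan it, and derive the action from the protection mode. Assumptions: the event follows the S3 event notification JSON layout, and the in-memory store, the mode strings `notify_only` and `block_file`, the regular expressions and the two-number phone threshold are all hypothetical.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample shaped like an S3 event notification (not captured data).
SAMPLE_EVENT = json.dumps({"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-protected-bucket"},
            "object": {"key": "uploads/customer+list.txt"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-protected-bucket"},
            "object": {"key": "uploads/readme.txt"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "example-protected-bucket"},
            "object": {"key": "uploads/old.txt"}}},
]})

# Constructed in-memory stand-in for the cloud data store.
FAKE_STORE = {
    ("example-protected-bucket", "uploads/customer list.txt"):
        b"Card: 4111 1111 1111 1111\nSSN: 123-45-6789\n",
    ("example-protected-bucket", "uploads/readme.txt"):
        b"Order 1234 5678 9012 3456 shipped. Call 555-010-0199.\n",
}

CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
PHONE_RE = re.compile(r"(?<![\d-])\d{3}-\d{3}-\d{4}(?![\d-])")
MIN_PHONES = 2  # assumption: "multiple phone numbers" means two or more
MODES = ("notify_only", "block_file")  # hypothetical names for the two modes


def fetch_from_fake_store(bucket, key):
    """Stand-in for downloading the object; returns None if it is gone."""
    return FAKE_STORE.get((bucket, key))


def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(data):
    """Return the confidential-information categories found in the content."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    cards = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    if any(luhn_ok(c) for c in cards):
        findings.append("credit_card_number")
    if SSN_RE.search(text):
        findings.append("social_security_number")
    if len(PHONE_RE.findall(text)) >= MIN_PHONES:
        findings.append("multiple_phone_numbers")
    return findings


def handle_notification(event_json, fetch, protection_mode):
    """Scan each completed upload named in the event; return actions to take."""
    if protection_mode not in MODES:
        raise ValueError(f"unknown protection mode: {protection_mode!r}")
    actions = []
    for rec in json.loads(event_json).get("Records", []):
        # Act only on completed writes; delete events carry nothing to scan.
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        # Object keys are URL-encoded in the event ("+" stands for a space).
        key = unquote_plus(rec["s3"]["object"]["key"])
        data = fetch(bucket, key)
        if data is None:  # object removed between the event and the scan
            continue
        findings = scan(data)
        if findings:
            actions.append({
                "bucket": bucket, "key": key, "findings": findings,
                "notify": True,  # assumption: both modes notify the administrator
                "deny_access": protection_mode == "block_file",
            })
    return actions


if __name__ == "__main__":
    for mode in MODES:
        print(mode, handle_notification(SAMPLE_EVENT, fetch_from_fake_store, mode))
```

The second sample object contains a 16-digit run that fails the Luhn check and a single phone number, so it produces no action in either mode.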
[0017] In general, in an aspect, a non-transitory computer readable storage medium may have computer readable code thereon for a scanning service, the medium includes instructions executable by the processor to perform operations, including: configure a scanning service to receive notifications from a cloud storage service about storage activity and to access data in the cloud storage service; receive, by the scanning service from the cloud storage service, a notification regarding storage activity related to a file in the data; after the completion of the storage activity, receive by the scanning service from the cloud storage service, the file, scan, by the scanning service, the file, determine from the scan that at least a portion of the file should not be distributed, and take an action with respect to the cloud storage service based on the determination that at least a portion of the file should not be distributed.
[0018] The instructions may be further executable by the processor to configure the scanning service to receive notifications from said cloud storage service about storage activity associated with a plurality of accounts associated with the cloud storage service.
[0019] The instructions may be further executable by the processor to take an action by setting a protection mode for the file on the cloud storage service. The instructions may be further executable by the processor such that the protection mode is a Notify Only mode, based on the determination that at least a portion of the file should not be distributed, a notification is sent to a customer associated with the file. The instructions may be further executable by the processor such that when said protection mode is a Block File mode, based on the determination that at least a portion of the file should not be distributed, a file permission is set to deny a customer access to said file.
[0020] Determining that at least a portion of the file should not be distributed may be based on one or more of the file contains malware, said malware comprising disruptive computer instructions that may cause one of the group comprising damage to one or more computing devices, compromising files on one or more computer devices, obtaining private information from the one or more computing devices.
[0021] Determining that at least a portion of the file should not be distributed may be based on one or more of the file contains confidential information, the confidential information including one or more of credit card numbers, social security numbers, multiple phone numbers or predefined patterns.
[0022] Note that each of the different features, techniques, configurations, etc. discussed in this disclosure can be executed independently or in combination. Accordingly, the present invention can be embodied and viewed in many different ways. Also, note that this summary section herein does not specify every embodiment and/or incrementally novel aspect of the present disclosure or claimed invention. Instead, this summary only provides a preliminary discussion of different embodiments and corresponding points of novelty over conventional techniques. For additional details, elements, and/or possible perspectives (permutations) of the invention, the reader is directed to the Detailed Description section and corresponding figures of the present disclosure as further discussed below.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023] The foregoing will be apparent from the following more particular description of preferred embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the invention.
[0024] FIG. 1 depicts a diagram of a first particular environment of a threat management system.
[0025] FIG. 2 depicts a block diagram of a computer system.
[0026] FIG. 3 depicts a block diagram of an implementation.
[0027] FIGS. 4A and 4B are a flow diagram of an embodiment of a registration process for an agentless scanner.
[0028] FIGS. 5A and 5B are a flow diagram for an agentless scanner in accordance with an embodiment.

DETAILED DESCRIPTION

[0029] The embodiments set forth below represent the necessary information to enable those skilled in the art to practice the invention and illustrate the best mode of practicing embodiments of the invention. Upon reading the following description in light of the accompanying figures, those skilled in the art will understand the concepts of the invention and recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure and the accompanying claims.
[0030] References to items in the singular should be understood to include items in the plural, and vice versa, unless explicitly stated otherwise or clear from the context. Grammatical conjunctions are intended to express any and all disjunctive and conjunctive combinations of conjoined clauses, sentences, words, and the like, unless otherwise stated or clear from the context. Thus, the term "or" should generally be understood to mean "and/or" and so forth.
[0031] The preferred embodiment of the invention will now be described with reference to the accompanying drawings. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein; rather, this embodiment is provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. The terminology used in the detailed description of the particular embodiment illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like numbers refer to like elements.
[0032] FIG. 1 illustrates an environment for threat management. Specifically, FIG. 1 depicts a block diagram of a threat management system providing protection to an enterprise against a plurality of threats. A threat management facility 100 may be used to protect computer assets from many threats, both computer-generated threats and user-generated threats. The threat management facility 100 may be multi-dimensional in that it may be designed to protect corporate assets from a variety of threats and it may be adapted to learn about threats in one dimension (e.g. worm detection) and apply the knowledge in another dimension (e.g. spam detection). Policy management is one of the dimensions for which the threat management facility can provide a control capability. A corporation or other entity may institute a policy that prevents certain people (e.g. employees, groups of employees, types of employees, guests of the corporation, etc.) from accessing certain types of computer programs. For example, the corporation may elect to prevent its accounting department from using a particular version of an instant messaging service or all such services. In this example, the policy management facility 112 may be used to update the policies of all corporate computing assets with a proper policy control facility or it may update a select few. By using the threat management facility 100 to facilitate the setting, updating and control of such policies the corporation only needs to be concerned with keeping the threat management facility 100 up to date on such policies. The threat management facility 100 can take care of updating all of the other corporate computing assets.
[0033] Over recent years, malware has become a problem across the Internet 154. From both a technical perspective and a user perspective, the categorization of a specific threat type, whether as virus, worm, spam, phishing exploration, spyware, adware, or the like, is becoming reduced in significance. The threat, no matter how it is categorized, may need to be stopped at various points of a networked computing environment, such as one of an enterprise facility 102, including at one or more laptops, desktops, servers, gateways, communication ports, handheld or mobile devices, firewalls, and the like. Similarly, there may be less and less benefit to the user in having different solutions for known and unknown threats. As such, a consolidated threat management facility 100 may need to apply a similar set of technologies and capabilities for all threats. In certain embodiments, the threat management facility 100 may provide a single agent on the desktop, and a single scan of any suspect file. This approach may eliminate the inevitable overlaps and gaps in protection caused by treating viruses and spyware as separate problems, while simultaneously simplifying administration and minimizing desktop load. As the number and range of types of threats has increased, so may have the level of connectivity available to all IT users. This may have led to a rapid increase in the speed at which threats may move. Today, an unprotected PC connected to the Internet 154 may be infected quickly (perhaps within 10 minutes) which may require acceleration for the delivery of threat protection. Where once monthly updates may have been sufficient, the threat management facility 100 may automatically and seamlessly update its product set against spam and virus threats quickly, for instance, every five minutes, every minute, continuously, or the like. Analysis and testing may be increasingly automated, and also may be performed more frequently; for instance, it may be completed in 15 minutes, and may do so without compromising quality. The threat management facility 100 may also extend techniques that may have been developed for virus and malware protection, and provide them to enterprise facility 102 network administrators to better control their environments. In addition to stopping malicious code, the threat management facility 100 may provide policy management that may be able to control legitimate applications, such as VoIP, instant messaging, peer-to-peer file-sharing, and the like, that may undermine productivity and network performance within the enterprise facility 102.
[0034] The threat management facility 100 may provide an enterprise facility 102 protection from computer-based malware, including viruses, spyware, adware, Trojans, intrusion, spam, policy abuse, uncontrolled access, and the like, where the enterprise facility 102 may be any entity with a networked computer-based infrastructure. In an embodiment, FIG. 1 may depict a block diagram of the threat management facility 100 providing protection to an enterprise against a plurality of threats. The enterprise facility 102 may be corporate, commercial, educational, governmental, or the like, and the enterprise facility's 102 computer network may be distributed amongst a plurality of facilities, and in a plurality of geographical locations, and may include administration 134, a firewall 138A, an appliance 140A, server 142A, network devices 148A-B, clients 144A-D, such as protected by computer security facilities 152, and the like. It will be understood that any reference herein to client facilities may include the clients 144A-D shown in FIG. 1 and vice-versa. The threat management facility 100 may include a plurality of functions, such as security management facility 122, policy management facility 112, update facility 120, definitions facility 114, network access rules facility 124, remedial action facility 128, detection techniques facility 130, testing facility 118, threat research facility 132, and the like. In embodiments, the threat protection provided by the threat management facility 100 may extend beyond the network boundaries of the enterprise facility 102 to include clients 144D (or client facilities) that have moved into network connectivity not directly associated or controlled by the enterprise facility 102. Threats to client facilities may come from a plurality of sources, such as from network threats 104, physical proximity threats 110, secondary location threats 108, and the like. Clients 144A-D may be protected from threats even when the client 144A-D
