Title of invention: Method and apparatus for retroactively detecting malicious or otherwise undesirable software
Abstract: A system retroactively detects malicious software on an end user system without performing expensive cross-referencing directly on the endpoint device. A client provides a server with information about files that are on it together with what it knows about these files. The server tracks this information and cross-references it against new intelligence it gathers on clean or malicious files. If a discrepancy is found (i.e., a file that had been called malicious, but that is actually benign or vice versa), the server informs the client, which in turn takes an appropriate action based on this information.
Publication number: US9639697(B2) | Publication date: 2017.05.02
Application number: US201514610429 | Filing date: 2015.01.30
Applicant: Cisco Technology, Inc. | Inventors: Friedrichs Oliver; Huger Alfred; O'Donnell Adam J.; Ramzan Zulfikar
Classification: G06F11/30; G06F12/14; G06F21/56 | Main classification: G06F11/30
Agency: Edell, Shapiro & Finnan, LLC | Agent: Edell, Shapiro & Finnan, LLC
Independent claim: 1. A method comprising: receiving at a server, information relating to files on a client device comprising metadata including at least one file attribute or behavioral characteristic associated with execution of the files; storing on the server, the information relating to the files on the client device; receiving at the server, information useful in classifying files as a threat; classifying at the server, each of the files on the client device based on the information relating to the files on the client device and the information useful in classifying files as a threat; receiving at the server, updated information useful in classifying files as a threat; determining at the server, whether a classification for each file on the client device has changed based on the updated information; and responsive to a determination that a classification for a particular file on the client device has changed to not be a threat, sending an instruction from the server to the client device or to an administrative device responsible for the client device that the particular file is available for use by the client device.
Address: San Jose CA US