SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE

摘要

Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel mode driver monitors events occurring within a file system or an operating system. Responsive to observation of a trigger event performed by or initiated by an active process, in which the active process corresponds to a first code module within the file system and the event relates to a second code module within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture. The active process is allowed to load the second code module into memory when the real-time authentication process is bypassed or when it is performed and results in an affirmative determination.

主权项

1. A method comprising:
monitoring, by a kernel mode driver of an operating system of a computer system, a set of events occurring within one or more of a file system accessible by the computer system and the operating system; in connection with said monitoring, responsive to observation, by the kernel mode driver, of an event of the set of events performed by or initiated by an active process running on the computer system, wherein the active process corresponds to a first code module stored within the file system and the event relates to a second code module stored within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture to determine whether to allow the second code module to be loaded into a random access memory (RAM) of the computer system, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third-party service provider containing cryptographic hash values of approved code modules, which have been identified by multiple sources as not containing viruses or malicious code, (ii) a local whitelist database stored local to the computer system and created based on the global whitelist and (iii) a most recently used (MRU) cache maintained within the RAM and containing entries corresponding to code modules that have previously been authenticated by the real-time authentication process, the entries each including a run option indicative of whether the corresponding code module was previously affirmatively authenticated by the real-time authentication process; allowing, by the kernel mode driver, the active process to load the second code module into the RAM (i) when the real-time authentication process is bypassed or (ii) when the real-time authentication process is performed and results in an affirmative determination; and preventing, by the kernel mode driver, the active process from loading the second code module into the memory when the real-time authentication process is performed and results in a negative determination.