Title of invention Method and computer device to control software file downloads
Abstract A computer device includes a download unit which downloads one or more files into a storage device. A file logging unit records a resource locator identifying a source network location of the file, when the file is downloaded, and associates the resource locator with a first fingerprint of the file. A system policy unit stores the resource locator associated with a process control policy relevant to the file. A process control unit is arranged to obtain a second fingerprint of the file upon launching a process in a runtime execution environment, retrieve the resource locator from the file logging unit by matching the second fingerprint with the first fingerprint, retrieve the process control policy from the system policy unit according to the retrieved resource locator, and selectively apply process execution privileges which determine execution of the process in the runtime execution environment according to the retrieved process control policy.
Publication number US9069950(B2) Publication date 2015.06.30
Application number US201213689614 Filing date 2012.11.29
Applicant Avecto Limited Inventor Austin Mark James
Classification G06F11/30;G06F21/51;G06F21/55;G06F21/56;G06F21/12;G06F21/53;G06F21/54;H04L29/06;G06F12/14 Main classification G06F11/30
Agency Knobbe Martens Olson & Bear LLP Agent Knobbe Martens Olson & Bear LLP
Main claim 1. A computer device, comprising: a communication interface circuit configured to receive data from a remote device over a communication network; and a processing circuit configured to: store a plurality of predetermined resource addresses in a process control policy table, each of the plurality of predetermined resource addresses being associated with a respective process control policy that identifies execution privileges; record a resource address identifying a network location of a file responsive to downloading the file to the computer device, and associate the resource address with a first fingerprint of the file, wherein both the resource address and the first fingerprint are stored in a file logging table; generate a second fingerprint of the file responsive to launching a process in a restricted security context of a runtime execution environment based on the file, wherein the second fingerprint is generated after the first fingerprint has been recorded, and wherein the restricted security context comprises execution privileges based on a user account; embed a hook module in the process as the process is launched; intercept by the hook module a system call from the process; compare, outside of the restricted security context, the second fingerprint to the first fingerprint; if the second fingerprint matches the first fingerprint, retrieve the resource address from the file logging table associated with the first fingerprint using the second fingerprint as an index into the file logging table, wherein the file logging table is stored outside of the restricted security context; retrieve the process control policy associated with the retrieved resource address from the process control policy table using the retrieved source address as an index into the process control policy table; and dynamically elevate or degrade the execution privileges of the restricted security context according to the retrieved process control policy to allow or block the intercepted system call.
Address Cheadle Cheshire GB
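
The two-table lookup recited in the claim (fingerprint to resource address, then resource address to policy), sketched as an added example that is not taken from the patent or from any Avecto product. SHA-256 as the fingerprint, prefix matching on the address, the operation names and all URLs are assumptions; the hook module and the restricted security context are not modelled.

```python
import hashlib

# Process control policy table: resource address prefix -> privileged
# operations the launched process may perform. All entries are constructed.
POLICY_TABLE = {
    "https://updates.example.com/tools/": {"install_service", "write_system_dir"},
    "https://downloads.example.net/": set(),
}
DEFAULT_ALLOWED = frozenset()  # assumption: no match grants no extra privileges

FILE_LOG = {}  # file logging table: first fingerprint -> resource address


def fingerprint(data: bytes) -> str:
    """SHA-256 stands in for the fingerprint; the claim names no algorithm."""
    return hashlib.sha256(data).hexdigest()


def record_download(url: str, data: bytes) -> None:
    """Download time: log the source address against the first fingerprint."""
    FILE_LOG[fingerprint(data)] = url


def lookup_policy(data: bytes):
    """Launch time: second fingerprint -> logged address -> policy."""
    url = FILE_LOG.get(fingerprint(data))  # misses if the file changed on disk
    if url is None:
        return None, DEFAULT_ALLOWED
    # Longest matching prefix wins. Prefixes end in "/" so a look-alike host
    # such as updates.example.com.other.test cannot match updates.example.com.
    matches = [p for p in POLICY_TABLE if url.startswith(p)]
    if not matches:
        return url, DEFAULT_ALLOWED
    return url, POLICY_TABLE[max(matches, key=len)]


def decide(data: bytes, operation: str) -> str:
    """Allow or block an intercepted privileged operation."""
    _, allowed = lookup_policy(data)
    return "allow" if operation in allowed else "block"


if __name__ == "__main__":
    installer = b"MZ constructed installer bytes"
    record_download("https://updates.example.com/tools/setup.exe", installer)
    print(decide(installer, "install_service"))
    print(decide(installer + b"\x00", "install_service"))  # modified after download
```

A file altered after download no longer matches its first fingerprint, so it loses the provenance-based policy and falls back to the default.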