GB2611756A - Apparatus and method for threat detection in a device - Google Patents
- Publication number
- GB2611756A
- Authority
- GB
- United Kingdom
- Prior art keywords
- application
- trust
- trusted
- scanning
- installation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
A method for threat detection in a device comprises maintaining a trust state of installed applications at a device, the trust state comprising an application identifier for each application, such as an application ID or app ID, and the trust state of the application, wherein the trust state of the application comprises at least one of the following states: empty, trusted, untrusted. The method further comprises searching the trust status with an application identifier of the installed application when an application is installed, or searching the trust status with an application identifier of the application to be installed when the application is to be installed on the device, the installation being requested by a user of the device and/or being a first-time installation of the application on the device. If the trust status of the application is trusted, scanning of the installed application is skipped. If the trust status of the application is empty or not trusted, a scan is performed for the application and/or a query for the application is made to the backend and/or cloud service.
Description
APPARATUS AND METHOD FOR THREAT DETECTION IN A DEVICE
Technical Field
The present invention relates to an apparatus and a method for threat detection in a device.
Background
Malware detection and scanning is a vital issue for the security of any kind of device and network. It is generally directed at identifying, and potentially also disinfecting, any kind of malware on a computer, on a device such as a mobile device, and/or in communication systems, e.g. viruses, Trojans, worms or other kinds of security threats. Antimalware file scanning is commonly a slow process, and its cost usually also depends on how reliable the results need to be. This can cause problems especially on mobile devices, which have limited computational power and battery power.
For example, Android malware is a prevalent security threat, and thus a device running an Android-based operating system needs security protection to prevent installing potentially malicious content. Antimalware scanning of Android applications is a complex process and requires local and backend or cloud resources. Since the endpoint device is usually limited in resources, the scanning is mostly performed in a cloud service.
In prior art solutions, an endpoint antivirus client queries the cloud service with application meta-information, such as a signature, or uploads the actual executable content. This kind of scanning process is costly both for the client, which needs a stable network connection, and for the cloud service, where the heavy operations are performed. The cost is also multiplied by the large number of client devices.
On average, users install fewer than 4 applications per month on a mobile device, and an average device has around 100 installed applications after two years of usage, many of which are system or pre-installed apps. By default, devices such as Android devices, iOS devices and Windows devices automatically download updates for installed applications in the background. Therefore, the number of application updates is much higher than the number of manual app downloads. Another important fact is that an installed application may receive frequent updates, as an application can get updated over and over again depending on the vendor's release cycle. All this causes a performance challenge for the endpoint devices and also for the cloud services which are utilized in scanning the installed applications.
Therefore, it would be desirable to provide a reliable malware detection which is also efficient and fast for the user of the device, especially for mobile devices with limited resources.
Summary
The following presents a simplified summary in order to provide basic understanding of some aspects of various invention embodiments. The summary is not an extensive overview of the invention. It is neither intended to identify key or critical elements of the invention nor to delineate the scope of the invention. The following summary merely presents some concepts of the invention in a simplified form as a prelude to a more detailed description of exemplifying embodiments of the invention.
According to a first aspect, the invention relates to a method, e.g. a computer implemented method, of threat detection for a device, such as a computer or a mobile device and/or a computer network. The method comprises maintaining a trust state of installed applications at a device, the trust state comprising an application identifier for each application, such as an application ID or app ID, and trust state of the application, wherein trust state of the application comprises at least one of the following states: empty, trusted, untrusted. The method further comprises searching the trust status with an application identifier of the installed application when an application, e.g. a new application, is installed or the trust status with an application identifier of the application to be installed when the application is to be installed on the device, the installation requested by a user of the device and/or the installation being a first-time installation of the application on the device. If trust status of the application is trusted, scanning of the installed application is skipped, i.e. scanning is not performed. If trust status of the application is empty or not trusted, a scanning for the application is performed and/or a query for the application is performed from the backend and/or cloud service.
In one embodiment of the invention the method further comprises skipping scanning of the application if the application installation is an automatic installation of the application, e.g. an installation of an updated version of the application, and/or not requested by the user of the device.
In one embodiment of the invention the method comprises querying backend or cloud-service about trust level of installed application with an application identifier, adding the queried and received trust level to local trust state and/or skipping scanning when installing an application with a trust state having value trusted.
In one embodiment of the invention the method comprises receiving a pre-populated trust state status of at least one application, e.g. as a database.
In one embodiment of the invention the method comprises performing scanning of all installed applications periodically and/or according to specific criteria, e.g. when the device resumes from sleep and/or has good network connectivity.
In one embodiment of the invention the method comprises performing an initial application scan after antimalware and/or antivirus application deployment.
In one embodiment of the invention the method comprises automatically setting application trust state to trusted-state if the application is from a trusted application store, and in this case optionally skipping backend or cloud-service query on the trust level of the application.
In one embodiment of the invention the method is carried out and/or controlled by an antimalware or antivirus application installed on the device.
In one embodiment of the invention the method is carried out in an Android-based device, in which case the application identifier is an Android application ID; in an iOS-based device, in which case the application identifier is an iOS App ID; and/or in a Windows-based device, in which case the application identifier is a Windows App ID.
According to a second aspect, the invention relates to an apparatus, such as a device, a computer and/or a mobile device. The apparatus is configured to maintain a trust state of installed applications at the apparatus, the trust state comprising an application identifier for each application, such as an application ID or app ID, and the trust state of the application, wherein the trust state of the application comprises at least one of the following states: empty, trusted, untrusted. The apparatus is further configured to search the trust status with an application identifier of the installed application when an application, e.g. a new application, is installed, or of the application to be installed when a new application is to be installed on the apparatus, the installation being requested by a user of the apparatus and/or being a first-time installation of the application on the device. If the trust status of the application is trusted, the apparatus is configured to skip scanning of the installed application, and if the trust status of the application is empty or not trusted, the apparatus is configured to perform a scan for the application and/or to perform a query for the application from the backend and/or cloud service.
In one embodiment of the invention the apparatus is configured to implement any method according to the solution of the invention.
According to a third aspect, the invention relates to a computer program comprising instructions which, when executed by a computer, e.g. a device, cause the computer to carry out any method according to the solution of the invention.
According to a fourth aspect, the invention relates to a computer-readable medium comprising the computer program according to the solution of the invention.
With the solution of the invention, it is possible to implement antimalware file scanning in an efficient way, as manual or first-time installations are quite rare compared to daily app updates. With the solution of the invention the slow and resource-consuming scanning process can be avoided for installations of low-risk application updates, and thus the number of rescans of installed applications can be significantly reduced. Thereby an average device would call the backend only a few times per month, and over a large population of endpoints this creates a significant load reduction and, hence, much lower costs. Endpoint clients also reduce the amount of scanning, which makes the devices quicker and makes it possible to react quickly to high-risk applications and especially to first-time installations.
Various exemplifying and non-limiting embodiments of the invention both as to constructions and to methods of operation, together with additional objects and advantages thereof, will be best understood from the following description of specific exemplifying and non-limiting embodiments when read in connection with the accompanying drawings.
The verbs "to comprise" and "to include" are used in this document as open limitations that neither exclude nor require the existence of unrecited features. The features recited in dependent claims are mutually freely combinable unless otherwise explicitly stated.
Furthermore, it is to be understood that the use of "a" or "an", i.e. a singular form, throughout this document does not exclude a plurality.
Brief description of the drawings
The embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.
Figure 1 presents as a schematic diagram a system or a computer network configuration, for which exemplifying embodiments of the present invention are applicable.
Figure 2 presents an example method according to one embodiment of the invention.
Figure 3 presents as a schematic diagram an example of a structure of an apparatus according to exemplifying embodiments of the present invention.
Detailed description
Figure 1 presents an environment in which the solution of the invention can be used. In the solution of Figure 1 an example system configuration is presented in which a host 1, e.g. a device, and a remote entity or server 2, e.g. a server of a cloud service, are connected via a network 3. Here, the host 1 exemplifies any device or communication system, including a single device, a network node or a combination of devices, on which malware scanning is to be performed. The scanning can be done at the host and/or at the server. For example, the host 1 may include a mobile device, a personal computer, a personal communication device, a network-enabled device, a client, a firewall, a mail server, a proxy server, a database server, or the like. The server 2 exemplifies any computer or communication system, including a single device, a network node or a combination of devices, on which malware scanning can be performed for the host 1, or which can provide data for the host 1 required to carry out the malware scanning at the host, such as reputation data. For example, the server 2 may include a security entity or a backend entity of a security provider, or the like, and the server 2 may be realized in a cloud implementation or the like.
According to exemplifying embodiments of the invention, malware scanning at the host 1 and/or by the server 2 can be realized using a malware analysis environment, such as a virtual machine or emulator environment, which can be arranged at the host and/or at the server. E.g. a malware scanning agent, such as anti-virus software, can be installed/arranged at the host 1 to be used for malware scanning.
In one embodiment of the invention the malware scanning environment, service and/or software can detect the starting and closing of applications and all unusual processes, and attach monitoring to the required applications and processes. Also, as the services are started early, the service is able to detect and follow most of the user's applications. In one embodiment of the invention, when the software or service is started up, it can perform an inventory of running applications.
The network 3 exemplifies any computer or communication network, including e.g. a (wired or wireless) local area network like LAN, WLAN, Ethernet, or the like, a (wired or wireless) wide area network like WiMAX, GSM, UMTS, LTE, or the like, and so on. Hence, the host 1 and the server 2 can, but do not need to, be located at different locations. For example, the network 3 may be any kind of TCP/IP-based network. Insofar, communication between the host 1 and the server 2 over the network 3 can be realized using for example any standard or proprietary protocol carried over TCP/IP, and in such a protocol the malware scanning agent at the host 1 and the malware analysis sandbox or application at the server 2 can be represented on/as the application layer.
In the solution of the invention trust states of installed applications are stored at a device.
The trust state comprises an application identifier for each application and the trust state of that application. The application identifier is used to identify the application and can be, for example, an application ID or app ID. The trust state of the application defines whether the application is trusted or not, or whether any information is available on the trust level of the application. The trust state of the application can for example comprise at least one of the following states: empty, trusted, untrusted. In the solution of the invention the trust status with an application identifier of the installed application is checked when a new application is installed. The trust status can be checked before or after the installation. In one embodiment of the invention the trust status is checked after installation of the application. In one embodiment of the invention the trust status is checked before the application installation, e.g. when the application is to be installed on the device. In one embodiment of the invention the application is only scanned if installation of the application is requested by a user of the device and/or if the installation is a first-time installation of the application on the device. If the trust status of the application is trusted, scanning of the installed application can be skipped. If the trust status of the application is empty or not trusted, scanning for the application is performed and/or a query for the application is made to the backend and/or cloud service to find the reputation of the file from the backend and/or cloud service. The scanning of the application can comprise performing an antivirus or antimalware scan of the application and the application data.
In the solution of the invention an application, such as an antivirus and/or antimalware application can be responsible to coordinate the functionality of the device according to the solution of the invention and e.g. according to any method according to the invention.
In one embodiment of the invention the device and/or the antivirus or antimalware application can receive pre-populated trust state database for multiple applications, e.g. for commonly used applications.
In one embodiment of the invention the device and/or the antivirus or antimalware application may perform periodical scanning of all installed applications periodically and/or according to certain criteria, for example when device resumes from sleep and/or has good network connectivity. In one embodiment of the invention an (initial) inventory scan can be performed after antivirus or antimalware application deployment.
In one embodiment of the invention the device and/or antivirus or antimalware application may automatically assume application status as trusted if it comes from trusted application source, e.g. from a trusted application store. In this case the application doesn't have to be scanned, and e.g. local or backend or cloud based scanning is not performed.
In one implementation example the solution of the invention can be used in the following way. A local antivirus or antimalware application maintains at the device the trust state of installed applications. The data stored in relation to each application can comprise an application identifier, such as an application ID or app ID, and a property indicating whether the application was found to be trusted or not. Initially the state relating to the application is empty. When an application, e.g. a new application, is installed on the device by a user, the antivirus or antimalware application gets a notification about the installed application or an intent about the installation of the application. Based on this, the antivirus or antimalware application searches the trust status with the application identifier and the trust state of the application. If the trust status "trusted" is found, scanning of the installed application can be skipped, assuming the application is clean. If no trust status is found, the antimalware or antivirus application proceeds to the next step. In the next step the antimalware or antivirus application queries the backend or cloud service about the trust level of the installed application with the application identifier, adds the received trust state to the local trust state database, and skips scanning if a trusted application is installed. If the application is not trusted, it can be scanned locally at the device and/or at the backend or cloud service.
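The following is an added example, not code from the patent or its applicant, that models the client-side procedure just described: a local trust-state table keyed by application identifier with the states empty, trusted and untrusted, consulted on an install notification, with a backend query only on a local miss and a scan only when the result is empty or untrusted. The backend reputation table, the application identifiers and the trusted-store identifier are constructed values for the example.

```python
# Added example (not code from the patent): a minimal model of the client-side
# trust-state cache and the install-time decision the text describes.
# Backend replies come from a constructed in-memory table, and the trusted
# store identifier is an assumption made for the example.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class TrustState(Enum):
    EMPTY = "empty"          # no information available yet
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


@dataclass
class InstallEvent:
    app_id: str                    # application identifier, e.g. an Android application ID
    user_requested: bool           # installation was requested by the device user
    first_install: bool            # first-time installation on this device
    source: Optional[str] = None   # package source reported by the OS, if known


# Constructed backend reputation table standing in for the cloud query.
BACKEND_REPUTATION: Dict[str, TrustState] = {
    "com.example.mail": TrustState.TRUSTED,
    "com.example.flashlight": TrustState.UNTRUSTED,
}

# Assumed identifier of a trusted application store (hypothetical value).
TRUSTED_STORES = {"com.example.trusted-store"}


@dataclass
class TrustDecider:
    local_state: Dict[str, TrustState] = field(default_factory=dict)
    backend: Dict[str, TrustState] = field(default_factory=lambda: dict(BACKEND_REPUTATION))
    backend_queries: int = 0   # counts cloud round trips, the cost the scheme tries to cut

    def trust_of(self, app_id: str) -> TrustState:
        return self.local_state.get(app_id, TrustState.EMPTY)

    def query_backend(self, app_id: str) -> TrustState:
        self.backend_queries += 1
        return self.backend.get(app_id, TrustState.EMPTY)

    def on_install(self, ev: InstallEvent) -> str:
        """Return 'skip' (no scan needed) or 'scan' (scan locally and/or in the cloud)."""
        # Automatic installs such as background updates are not scanned at all.
        if not (ev.user_requested or ev.first_install):
            return "skip"
        # Packages from a trusted store are marked trusted without a backend query.
        if ev.source in TRUSTED_STORES:
            self.local_state[ev.app_id] = TrustState.TRUSTED
            return "skip"
        state = self.trust_of(ev.app_id)
        if state is TrustState.EMPTY:
            # Unknown locally: ask the backend once and cache a definite answer.
            state = self.query_backend(ev.app_id)
            if state is not TrustState.EMPTY:
                self.local_state[ev.app_id] = state
        if state is TrustState.TRUSTED:
            return "skip"
        # Still empty (unknown to the backend too) or untrusted: scan it.
        return "scan"

    def record_scan_result(self, app_id: str, clean: bool) -> None:
        """Store the outcome of a scan so later installs of the same identifier can skip it."""
        self.local_state[app_id] = TrustState.TRUSTED if clean else TrustState.UNTRUSTED

    def on_removed(self, app_id: str) -> None:
        """Drop cached state when the OS reports the package was removed."""
        self.local_state.pop(app_id, None)
```

Two points worth noting from the model: the backend is contacted only for identifiers with an empty local state, so a second install of a cached identifier produces no network round trip; and the cache entry is dropped on a removal notification, which is how the installation notifications keep the trust table consistent. As the text discusses below, what the trust entry is keyed on matters: an identifier the platform validates at install time, such as signer certificate data, is a safer key than a bare package name.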
The application identifier can be selected in different ways and from different sources. One option is to use an actual application identifier, such as an Android application ID, assigned to every application. Another option for identifying the application is a property derived from certificate data relating to the application. For example, application signatures can be used for this purpose. E.g. every Android application is signed, and Android checks that the signature matches the actual APK file. If the signature check fails and the APK does not match its content, the installation is aborted. Because of this signature validation, the signature information of an APK file can be trusted. Also, an RSA public certificate has multiple properties which could be selected as the application identifier, such as: certificate owner, CN, OU, certificate fingerprint and/or even the full hash of the RSA file. These are only some examples, but the idea of the invention is that the applications can be identified reliably with the selected type of application identifier.
In one embodiment of the invention all updates of an application, recognized by the application identifier, are skipped from antimalware scanning. In one example case all applications from a certain trusted signer (e.g. a certain vendor) can be installed without performing antimalware or antivirus scanning. In one embodiment of the invention the client may additionally get the package source and automatically assume that the application can be trusted if that package was received from a trusted source, e.g. well-known application stores like Google Play or Apple Store. This trust level can additionally be checked together with other properties, e.g. by querying the cloud.
In the solution of the invention the installation of the application, or the intent to install the application, can be provided to the device and/or antimalware or antivirus application by the operating system of the device, e.g. by broadcast notifications provided by the operating system of the device. Installation notifications can be used to keep the trust state database of the applications consistent when an application gets removed or changed.
In some embodiments of the invention the trust state can be requested, or antivirus or antimalware scanning can be performed by the backend and/or a cloud service. These can be carried out for example by a request from the device.
In one embodiment of the invention an application package hash, such as APK file hash, can be used as key to lookup trusted information from the backend and/or cloud service.
In this scenario backend or cloud can maintain lists on known clean, highly prevalent applications and information relating to this can be responded to devices.
In one embodiment of the invention, properties of the manifest file MANIFEST.MF can be used to query application-related information from the backend and/or a cloud. The MANIFEST.MF file lists all files included in the APK and their full hashes. Android validates the consistency of the manifest during installation signature checking. Hence, the device and/or antimalware application could query with the full hash of the manifest, which in effect covers all the hashes listed in the manifest. If the manifest or all of the hashes are found to be known clean, the installed application can be trusted and this information can be added to the local trust database.
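As an added example, not from the patent, the block below parses a JAR-style MANIFEST.MF (main section, then one section per entry with a `Name` and a `SHA-256-Digest`, with long lines folded onto continuation lines that start with a single space), checks the listed digests against the package contents the way an installer's consistency check would, and then derives a trust answer from either the full manifest hash or the complete set of entry digests, as the text proposes. The APK contents, the manifest built from them and the "known clean" sets are all constructed for the example; the digest attribute name follows the JAR manifest convention.

```python
# Added example (not code from the patent): parse and verify a MANIFEST.MF,
# then look its hashes up against constructed "known clean" sets.
import base64
import hashlib
from typing import Dict, List, Set, Tuple


def _sha256_b64(data: bytes) -> str:
    """Base64 SHA-256 digest, the encoding used by JAR manifest digest attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(files: Dict[str, bytes]) -> bytes:
    """Build a MANIFEST.MF for constructed package contents so the example runs offline."""
    out = ["Manifest-Version: 1.0", "Created-By: constructed-example", ""]
    for name in sorted(files):
        out += [f"Name: {name}", f"SHA-256-Digest: {_sha256_b64(files[name])}", ""]
    return ("\r\n".join(out) + "\r\n").encode("utf-8")


def parse_manifest(data: bytes) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (main attributes, {entry name: entry attributes})."""
    text = data.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    lines: List[str] = []
    for raw in text.split("\n"):
        # A line starting with a single space continues the previous attribute.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections: List[Dict[str, str]] = [{}]
    for line in lines:
        if line == "":
            if sections[-1]:
                sections.append({})   # blank line closes a non-empty section
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        sections[-1][key.strip()] = value.strip()
    entries = {sec["Name"]: sec for sec in sections[1:] if "Name" in sec}
    return sections[0], entries


def verify_entries(manifest: bytes, files: Dict[str, bytes]) -> Dict[str, bool]:
    """Per-file result of the consistency check: digest present and matching the content."""
    _, entries = parse_manifest(manifest)
    result: Dict[str, bool] = {}
    for name, content in files.items():
        expected = entries.get(name, {}).get("SHA-256-Digest")
        result[name] = expected is not None and expected == _sha256_b64(content)
    for name in entries:
        result.setdefault(name, False)   # listed in the manifest but missing from the package
    return result


def manifest_hash(manifest: bytes) -> str:
    """Full hash of the manifest file, usable as a single lookup key."""
    return hashlib.sha256(manifest).hexdigest()


def trust_from_manifest(manifest: bytes, files: Dict[str, bytes],
                        known_clean_manifests: Set[str],
                        known_clean_digests: Set[str]) -> str:
    """'untrusted' if the package does not match its manifest (the installer would abort),
    'trusted' if the manifest hash or every listed digest is known clean, else 'empty'."""
    if not all(verify_entries(manifest, files).values()):
        return "untrusted"
    if manifest_hash(manifest) in known_clean_manifests:
        return "trusted"
    _, entries = parse_manifest(manifest)
    digests = [sec.get("SHA-256-Digest") for sec in entries.values()]
    if digests and all(d in known_clean_digests for d in digests):
        return "trusted"
    return "empty"


# Constructed package contents and the manifest built from them.
CLEAN_APK: Dict[str, bytes] = {
    "classes.dex": b"dex\n035\x00constructed-bytecode",
    "res/layout/main.xml": b"<layout/>",
}
CLEAN_MANIFEST = build_manifest(CLEAN_APK)
KNOWN_CLEAN_MANIFESTS = {manifest_hash(CLEAN_MANIFEST)}
```

The single manifest hash is the cheaper key, since one lookup answers for the whole package; the per-digest path covers the case where the backend has seen the individual files but not this exact manifest. The mismatch case is checked first because a trust answer is only meaningful for a package whose contents are the ones the manifest describes.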
In one embodiment of the invention RSA public certificate properties or similar as described above can be used to query application related information from the backend and/or a cloud. These can comprise e.g. certificate owner, certificate finger print, or full hash of RSA.
The backend or cloud service can have multiple sources to support and determine the trust level of different applications. One method is to crawl app stores like Google Play, download the actual application packages, such as APKs, and manually analyse them. Certain vendors, such as trusted and/or popular vendors, could be whitelisted.
In one embodiment of the invention, if the same application identifier, e.g. the hash of an application package file such as an APK file, has been queried multiple times, the backend or cloud service can automatically classify this application identifier (and the related application) as trusted.
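The backend-side rule above, as an added example that is not part of the patent: a small prevalence tracker that promotes a package hash to trusted once it has been queried from enough distinct devices, and that keeps a scan verdict of malicious above any prevalence count. Counting distinct device identifiers rather than raw queries is a design choice made here, so that one client repeating the same query cannot inflate prevalence; the threshold, the package hash and the device identifiers are constructed values.

```python
# Added example (not code from the patent): backend prevalence bookkeeping
# that auto-classifies a frequently queried package hash as trusted.
from collections import defaultdict
from typing import Dict, Set


class PrevalenceTracker:
    """Tracks which devices have asked about each application identifier."""

    def __init__(self, threshold: int = 3):
        # Number of distinct devices after which an identifier counts as prevalent.
        self.threshold = threshold
        self.devices_seen: Dict[str, Set[str]] = defaultdict(set)
        self.flagged: Set[str] = set()   # identifiers that a scan reported as malicious

    def record_query(self, identifier: str, device_id: str) -> str:
        """Record one device's query and return the current classification."""
        self.devices_seen[identifier].add(device_id)
        return self.classify(identifier)

    def report_verdict(self, identifier: str, malicious: bool) -> None:
        """Feed in a scan result; a malicious verdict overrides prevalence."""
        if malicious:
            self.flagged.add(identifier)

    def classify(self, identifier: str) -> str:
        if identifier in self.flagged:
            return "untrusted"
        if len(self.devices_seen[identifier]) >= self.threshold:
            return "trusted"
        return "empty"
```

The tracker returns "empty" until the threshold is reached, which keeps the client on the scan path for rarely seen packages, and a later malicious verdict flips an already promoted identifier back to "untrusted" for every subsequent query.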
Figure 2 presents an example method according to one embodiment of the invention. In the method a trust state of installed applications is maintained at a device, the trust state comprising an application identifier for each application, such as an application ID or app ID, and trust state of the application, wherein trust state of the application comprises at least one of the following states: empty, trusted, untrusted. In the method the trust status with an application identifier of the installed application is searched when an application, e.g. a new application, is installed or the trust status with an application identifier of the application to be installed is searched before installation of the application on the device, the installation requested by a user of the device and/or the installation being a first-time installation of the application to the device. If trust status of the application is trusted, scanning of the installed application (or application to be installed) is skipped. If trust status of the application is empty or not trusted, a scanning is performed for the application and/or a query is performed for the application from the backend and/or cloud service.
As presented in Figure 3, an apparatus 310 or at least part of the apparatus, e.g. an endpoint, device and/or a server, according to exemplifying embodiments of the present invention may comprise at least one processor 311 and at least one memory 312 (and possibly also at least one interface 313), which may be operationally connected or coupled, for example by a bus 314 or the like, respectively. The apparatus 310, e.g. a device, may be configured to perform a procedure and/or exhibit a functionality as described e.g. in Figure 2.
The processor 311 of the apparatus 310 is configured to read and execute computer program code stored in the memory 312. The processor may be represented by a CPU (Central Processing Unit), a MPU (Micro Processor Unit), etc., or a combination thereof. The memory 312 of the apparatus 310 is configured to store computer program code, such as respective programs, computer/processor-executable instructions, macros or applets, etc. or parts of them. Such computer program code, when executed by the processor 311, enables the apparatus 310 to operate in accordance with exemplifying embodiments of the present invention. The memory 312 may be represented by a RAM (Random Access Memory), a ROM (Read Only Memory), a hard disk, a secondary storage device, etc., or a combination of two or more of these. The interface 313 of the apparatus 310 is configured to interface with another arrangement and/or the user of the apparatus 310. That is, the interface 313 may represent a communication interface (including e.g. a modem, an antenna, a transmitter, a receiver, a transceiver, or the like) and/or a user interface (such as a display, touch screen, keyboard, mouse, signal light, loudspeaker, or the like).
According to exemplifying embodiments of the present invention, the electronic file to be analyzed for malware can be any electronic file, particularly encompassing any electronic file including a runnable/executable part, such as any kind of application file. Insofar, exemplifying embodiments of the present invention are applicable to any such electronic file, including for example a file of an Android Application Package (APK), a Portable Executable (PE), a Microsoft Soft Installer (MSI) or any other format capable of distributing and/or installing application software or middleware on a computer.
The data collected with the solution of the invention may be stored in a database or similar model for information storage for further use.
In an embodiment, further actions may be taken to secure the device or the network when a malicious file, application or activity has been detected. Actions may also be taken by changing the settings of the devices or other network nodes. Changing the settings may include, for example, one or more nodes (which may be computers or other devices) being prevented from being switched off in order to preserve information in RAM, a firewall being switched on at one or more nodes to cut off the attacker immediately, network connectivity of one or more of the network nodes being slowed down or blocked, suspicious files being removed or placed into quarantine, logs being collected from network nodes, sets of commands being executed on network nodes, users of the one or more nodes being warned that a threat or anomaly has been detected and that their device is under investigation, and/or a system update or software patch being sent from the security backend to the nodes. In one embodiment of the invention one or more of these actions may be initiated automatically.
Although the invention has been described in terms of preferred embodiments as set forth above, it should be understood that these embodiments are illustrative only and that the claims are not limited to those embodiments. Those skilled in the art will be able to make modifications and alternatives in view of the disclosure which are contemplated as falling within the scope of the appended claims. Each feature disclosed or illustrated in the present specification may be incorporated in the invention, whether alone or in any appropriate combination with any other feature disclosed or illustrated herein. Lists and groups of examples provided in the description given above are not exhaustive unless otherwise explicitly stated.
Claims (13)
- 1. A method for threat detection, the method comprising:
  - maintaining a trust state of installed applications at a device, the trust state comprising an application identifier for each application, such as an application ID or app ID, and the trust state of the application, wherein the trust state of the application comprises at least one of the following states: empty, trusted, untrusted,
  - searching the trust state with the application identifier of the installed application when an application is installed, or of the application to be installed before installation on the device, the installation being requested by a user of the device and/or being a first-time installation of the application on the device,
  - wherein, if the trust state of the application is trusted, skipping scanning of the installed application,
  - wherein, if the trust state of the application is empty or not trusted, performing a scan of the application and/or performing a query for the application from the backend and/or cloud service.
- 2. A method according to claim 1, wherein the method further comprises skipping scanning of the application if the application installation is an automatic installation of the application, e.g. an installation of an updated version of the application, and/or not requested by the user of the device.
- 3. A method according to claim 1 or 2, wherein the method comprises querying the backend or cloud service for the trust level of an installed application using its application identifier, adding the received trust level to the local trust state, and/or skipping scanning when installing an application whose trust state has the value trusted.
- 4. A method according to claim 1, wherein the method comprises receiving a pre-populated trust state for at least one application, e.g. as a database.
- 5. A method according to any previous claim, wherein the method comprises performing scanning of all installed applications periodically and/or according to specific criteria, e.g. when the device resumes from sleep and/or has good network connectivity.
- 6. A method according to any previous claim, wherein the method comprises performing an initial application scan after antimalware and/or antivirus application deployment.
- 7. A method according to any previous claim, wherein the method comprises automatically setting the application trust state to trusted if the application is from a trusted application store, and in this case optionally skipping the backend or cloud-service query on the trust level of the application.
- 8. A method according to any previous claim, wherein the method is carried out and/or controlled by an antimalware or antivirus application installed on the device.
- 9. A method according to any previous claim, wherein the method is carried out on an Android-based device, in which case the application identifier is an Android application ID, on an iOS-based device, in which case the application identifier is an iOS App ID, and/or on a Windows-based device, in which case the application identifier is a Windows App ID.
- 10. An apparatus configured:
  - to maintain a trust state of installed applications at the apparatus, the trust state comprising an application identifier for each application, such as an application ID or app ID, and the trust state of the application, wherein the trust state of the application comprises at least one of the following states: empty, trusted, untrusted,
  - to search the trust state with the application identifier of the installed application when an application is installed, or of the application to be installed when a new application is to be installed on the apparatus, the installation being requested by a user of the apparatus,
  - wherein, if the trust state of the application is trusted, to skip scanning of the installed application,
  - wherein, if the trust state of the application is empty or not trusted, to perform a scan of the application and/or to perform a query for the application from the backend and/or cloud service.
- 11. An apparatus according to claim 10, wherein the apparatus is configured to implement a method according to any of claims 2 to 9.
- 12. A computer program comprising instructions which, when executed by a computer, cause the computer to carry out the method according to any of claims 1 to 9.
- 13. A computer-readable medium comprising the computer program according to claim 12.
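The flow the claims describe (keep a per-application trust state; skip the scan for trusted apps and for automatic updates; fall back to a backend query or a local scan for empty or untrusted apps; trust apps from a trusted store without a backend query; periodically rescan everything), as an added Python example written by the editor, not code from the patent or its applicant. The packages, the blocklist, the backend reputation table and the store name "trusted-store" are constructed stand-ins. The example goes one step beyond the claims: the local table also records the digest of the package that earned a trusted verdict, so that different bytes arriving under an already-trusted identifier are treated as an unknown app and scanned rather than skipped, whereas the claims key trust on the application identifier alone.

```python
"""Trust-state gated application scanning, modelled on claims 1 to 7.

Added example by the editor, not code from the patent. All packages, the
blocklist, the backend table and the store names are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Trust(Enum):
    EMPTY = "empty"          # no verdict recorded yet
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


# Constructed sample "packages": byte strings standing in for APK/PE/MSI files.
SAMPLE_PACKAGES: Dict[str, bytes] = {
    "com.example.mail": b"mail-app-v1",
    "com.example.game": b"game-app-v1",
    "com.example.dropper": b"dropper-v1",
}
# Constructed blocklist of SHA-256 digests, standing in for scanner signatures.
KNOWN_BAD = {hashlib.sha256(b"dropper-v1").hexdigest()}
# Constructed set of stores whose apps are trusted without a backend query (claim 7).
TRUSTED_STORES = {"trusted-store"}
# Constructed backend reputation table (claim 3); a missing entry means no verdict.
BACKEND_REPUTATION: Dict[str, Trust] = {"com.example.mail": Trust.TRUSTED}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def query_backend(app_id: str) -> Trust:
    """Stand-in for the cloud/backend trust-level query of claim 3."""
    return BACKEND_REPUTATION.get(app_id, Trust.EMPTY)


def scan_package(data: bytes) -> Trust:
    """Toy scanner: a digest lookup against the constructed blocklist."""
    return Trust.UNTRUSTED if sha256(data) in KNOWN_BAD else Trust.TRUSTED


@dataclass
class TrustStore:
    """Local trust state: app_id -> (state, digest of the package that earned it).
    A digest of None marks a pre-populated entry (claim 4) whose bytes were never seen."""
    entries: Dict[str, Tuple[Trust, Optional[str]]] = field(default_factory=dict)

    def lookup(self, app_id: str, digest: str) -> Trust:
        state, seen = self.entries.get(app_id, (Trust.EMPTY, None))
        # Editor's addition, not in the claims: a trusted verdict is reused only for
        # the same package bytes; other bytes under a known identifier are rescanned.
        if state is Trust.TRUSTED and seen is not None and seen != digest:
            return Trust.EMPTY
        return state

    def record(self, app_id: str, digest: str, state: Trust) -> None:
        self.entries[app_id] = (state, digest)


def on_install(store: TrustStore, app_id: str, data: bytes, *,
               user_requested: bool, first_time: bool,
               source_store: Optional[str] = None) -> Tuple[str, Trust]:
    """Decide what to do for one installation; returns (action, resulting trust).
    action is one of "skip", "trusted-store", "backend" or "scan"."""
    digest = sha256(data)
    # Claim 2: automatic installations (e.g. updates) and installations not
    # requested by the user are not scanned at install time.
    if not user_requested or not first_time:
        return "skip", store.lookup(app_id, digest)
    # Claim 7: an app from a trusted store is set to trusted, no backend query.
    if source_store in TRUSTED_STORES:
        store.record(app_id, digest, Trust.TRUSTED)
        return "trusted-store", Trust.TRUSTED
    state = store.lookup(app_id, digest)
    if state is Trust.TRUSTED:
        return "skip", state                       # claim 1: trusted -> no scan
    # Claims 1 and 3: empty or untrusted -> ask the backend, fall back to a local
    # scan when it has no verdict, and cache whichever verdict was obtained.
    verdict, action = query_backend(app_id), "backend"
    if verdict is Trust.EMPTY:
        verdict, action = scan_package(data), "scan"
    store.record(app_id, digest, verdict)
    return action, verdict


def full_scan(store: TrustStore, installed: Dict[str, bytes]) -> Dict[str, Trust]:
    """Claims 5 and 6: scan every installed app regardless of cached trust state,
    e.g. periodically, on resume from sleep, or right after AV deployment."""
    results: Dict[str, Trust] = {}
    for app_id, data in installed.items():
        verdict = scan_package(data)
        store.record(app_id, sha256(data), verdict)
        results[app_id] = verdict
    return results


if __name__ == "__main__":
    st = TrustStore()
    st.entries["com.example.game"] = (Trust.TRUSTED, None)   # pre-populated (claim 4)
    for name, pkg in SAMPLE_PACKAGES.items():
        print(name, on_install(st, name, pkg, user_requested=True, first_time=True))
    print(full_scan(st, SAMPLE_PACKAGES))
```

Run stand-alone, the block prints the decision taken for each constructed package (the pre-populated game app is skipped, the mail app is resolved by the backend, the dropper is caught by the local scan) and then the result of a full rescan. The full scan is the safety net for everything the install-time gate lets through, in particular the automatic updates that claim 2 exempts from scanning.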
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB2114578.4A GB2611756A (en) | 2021-10-12 | 2021-10-12 | Apparatus and method for threat detection in a device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB2114578.4A GB2611756A (en) | 2021-10-12 | 2021-10-12 | Apparatus and method for threat detection in a device |
Publications (2)
Publication Number | Publication Date |
---|---|
GB202114578D0 GB202114578D0 (en) | 2021-11-24 |
GB2611756A true GB2611756A (en) | 2023-04-19 |
Family
ID=78595065
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB2114578.4A Withdrawn GB2611756A (en) | 2021-10-12 | 2021-10-12 | Apparatus and method for threat detection in a device |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2611756A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180139216A1 (en) * | 2016-11-15 | 2018-05-17 | F-Secure Corporation | Remote Malware Scanning Capable of Static and Dynamic File Analysis |
EP3706022A2 (en) * | 2019-03-07 | 2020-09-09 | Lookout Inc. | Permissions policy manager to configure permissions on computing devices |
US20200327227A1 (en) * | 2019-04-15 | 2020-10-15 | AO Kaspersky Lab | Method of speeding up a full antivirus scan of files on a mobile device |
EP3758330A1 (en) * | 2019-06-28 | 2020-12-30 | AO Kaspersky Lab | System and method of determining a trust level of a file |
- 2021-10-12 GB GB2114578.4A patent/GB2611756A/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
GB202114578D0 (en) | 2021-11-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11343280B2 (en) | System and method for identifying and controlling polymorphic malware | |
US9973531B1 (en) | Shellcode detection | |
US10893059B1 (en) | Verification and enhancement using detection systems located at the network periphery and endpoint devices | |
US9438623B1 (en) | Computer exploit detection using heap spray pattern matching | |
US7650639B2 (en) | System and method for protecting a limited resource computer from malware | |
US8196201B2 (en) | Detecting malicious activity | |
US10542020B2 (en) | Home network intrusion detection and prevention system and method | |
US7814543B2 (en) | System and method for securing a computer system connected to a network from attacks | |
US7716727B2 (en) | Network security device and method for protecting a computing device in a networked environment | |
US8301904B1 (en) | System, method, and computer program product for automatically identifying potentially unwanted data as unwanted | |
US9055090B2 (en) | Network based device security and controls | |
US7941852B2 (en) | Detecting an audio/visual threat | |
AU2011317734B2 (en) | Computer system analysis method and apparatus | |
US20080028469A1 (en) | Real time malicious software detection | |
EP3038006B1 (en) | System and method for distributed detection of malware | |
US20130247183A1 (en) | System, method, and computer program product for preventing a modification to a domain name system setting | |
EP2754081A1 (en) | Dynamic cleaning for malware using cloud technology | |
USRE48043E1 (en) | System, method and computer program product for sending unwanted activity information to a central system | |
US8640242B2 (en) | Preventing and detecting print-provider startup malware | |
GB2611756A (en) | Apparatus and method for threat detection in a device | |
CN111158736B (en) | Method for intelligently capturing WINDOWS operating system patch update files | |
US11188644B2 (en) | Application behaviour control | |
US20230388340A1 (en) | Arrangement and method of threat detection in a computer or computer network | |
US20230269261A1 (en) | Arrangement and method of privilege escalation detection in a computer or computer network | |
US20230385415A1 (en) | Arrangement and method of threat detection in a computer or computer network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | COOA | Change in applicant's name or ownership of the application | Owner name: F-SECURE CORPORATION. Free format text: FORMER OWNER: WITHSECURE CORPORATION |
 | WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) | |