
US007698744B2

(12) United States Patent
Fanton et al.

(10) Patent No.: US 7,698,744 B2

(45) Date of Patent: Apr. 13, 2010

(54) SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE

(75) Inventors: Andrew F. Fanton, Westminster, CO
(US); John J. Gandee, Loveland, CO
(US); William H. Lutton, Fort Collins,
CO (US); Edwin L. Harper, Fort
Collins, CO (US); Kurt E. Godwin,
Loveland, CO (US); Anthony A. Rozga,
Wellington, CO (US)

(73) Assignee: Whitecell Software Inc., Fort Collins, CO (US)

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1103 days.

(21) Appl. No.: 11/296,094

(22) Filed: Dec. 5, 2005

(65) Prior Publication Data

US 2006/0150256 A1 Jul. 6, 2006

Related U.S. Application Data

(60) Provisional application No. 60/633,272, filed on Dec. 3, 2004.


Systems and methods are described for allowing the execution of authorized computer program code and for protecting computer systems and networks from unauthorized code execution. In one embodiment, a multi-level proactive whitelist approach is employed to secure a computer system by allowing only the execution of authorized computer program code thereby protecting the computer system against the execution of malicious code such as viruses, Trojan horses, spy-ware, and/or the like. Various embodiments use a kernel-level driver, which intercepts or "hooks" certain system Application Programming Interface (API) calls in order to monitor the creation of processes prior to code execution. The kernel-level driver may also intercept and monitor the loading of code modules by running processes, and the passing of non-executable code modules, such as script files, to approved or running code modules via command line options, for example. Once intercepted, a multi-level whitelist approach may be used to authorize the code execution.


46 Claims, 6 Drawing Sheets
