US 20170372070A1

(19) United States
(12) Patent Application Publication
     Burdett et al.
(10) Pub. No.: US 2017/0372070 A1
(43) Pub. Date: Dec. 28, 2017

(54) CLOUD STORAGE SCANNER
(71) Applicant: Sophos Limited, Abingdon (GB)
(72) Inventors: Mark R. Burdett, Abingdon (GB); Guy A. Davies, Abingdon (GB)
(21) Appl. No.: 15/635,279
(22) Filed: Jun. 28, 2017
(30) Foreign Application Priority Data
     Jun. 28, 2016 (GB) GB1611202.1

Publication Classification
(51) Int. Cl.
     G06F 21/56 (2013.01)
     G06F 17/30 (2006.01)
     H04L 29/06 (2006.01)
(52) U.S. Cl.
     CPC G06F 21/565 (2013.01); H04L 63/1425 (2013.01); G06F 17/30203 (2013.01); G06F 2221/034 (2013.01)

(57) ABSTRACT
A system, method and computer program for a scanning service is presented. A scanning service compatible with a cloud storage system is configured to receive notifications from a cloud storage service about storage event activity and to access data in the cloud storage service. The scanning service receives a notification regarding storage activity related to a file in the data. After the completion of the storage activity, the scanning service receives the file from the cloud storage service and scans the file. When a determination is made based on the scan that at least a portion of the file should not be distributed then an action is taken with respect to the cloud storage service based on the determination that at least a portion of the file should not be distributed.

[Front-page drawing: reduced copy of FIGURE 1 (threat management facility 100, enterprise facility 102).]

WIZ, Inc. EXHIBIT - 1032
WIZ, Inc. v. Orca Security LTD.

[FIGURE 1 (Sheet 1 of 7): block diagram. Labels: threat management facility 100; policy management 112; definitions 114; testing 118; updates 120; security management 122; network access rules 124; remedial actions 128; detection techniques 130; threat research 132; enterprise facility 102; administration 134; firewalls 138A and 138B; appliances 140A and 140B; servers 142A to 142C; clients 144A to 144G; network devices 148A to 148D; network threats 104; secondary location threats 108; physical proximity threats 110; Internet 154; reference numeral 152.]

[FIGURE 2 (Sheet 2 of 7): block diagram. Labels: computing device 210; processor 212; memory 214; network interface 216; data store 218; input/output 220; peripherals 222; other hardware 226; user 230; bus 232. Reference numerals 200, 202 and 204 also appear.]

[FIGURE 3 (Sheet 3 of 7): diagram 300. Labels: Security Manager; Policies; Data Lookup; Cloud Infrastructure; Events/Alerts; DDS; Live Protection; Data Distribution; File Scan Request; File Modification; File Access; File Upload; Block by Permissions; Scanning Service 304; Cloud Data Store 306; Clean File 308; Clean File 310; Malicious File 312; VPC containing VM instances 314. Reference numerals 302, 316, 318, 320, 322A and 322B also appear.]

[FIGURE 4A (Sheet 4 of 7): flowchart 400, reference numerals 402 to 418. Boxes: Create Security Manager Account; Create user/role for scanning service on cloud infrastructure; Customer adds account details to security manager; Key-store; decision "Can scanning service scan for multiple data stores?"; List cloud data stores available; User selects one or more data stores; decision "Can scanning service scan a data store?"; Scanning service returns an error. Branch labels: Yes, No.]

[FIGURE 4B (Sheet 5 of 7): continuation from connector A, reference numerals 420 and 422. Boxes: Cloud data store registered as "protected" in security manager; Report status.]

[FIGURE 5A (Sheet 6 of 7): flowchart 500, reference numerals 502 to 514, ending at connector A. Boxes, in the order extracted:
- CONFIGURING A SCANNING SERVICE TO RECEIVE NOTIFICATIONS FROM A CLOUD STORAGE SERVICE ABOUT STORAGE ACTIVITY
- RECEIVE, BY THE SCANNING SERVICE FROM THE CLOUD STORAGE SERVICE, A NOTIFICATION REGARDING STORAGE ACTIVITY RELATED TO A FILE
- RECEIVE BY THE SCANNING SERVICE FROM THE CLOUD STORAGE SERVICE, THE FILE
- SCAN FILE
- DETERMINE FROM THE SCAN THAT AT LEAST A PORTION OF THE FILE SHOULD NOT BE DISTRIBUTED
- DETERMINE THAT AT LEAST A PORTION OF THE FILE CONTAINS ONE OR MORE OF MALWARE, CONTENT THAT MAY CAUSE DAMAGE TO ONE OR MORE COMPUTING DEVICES, COMPROMISE FILES ON ONE OR MORE COMPUTER DEVICES, OBTAIN PRIVATE INFORMATION FROM THE ONE OR MORE COMPUTING DEVICES
- DETERMINE THAT AT LEAST A PORTION OF THE FILE CONTAINS ONE OR MORE OF CONFIDENTIAL INFORMATION, CREDIT CARD NUMBERS, SOCIAL SECURITY NUMBERS, MULTIPLE PHONE NUMBERS AND A PREDEFINED PATTERN]

[FIGURE 5B (Sheet 7 of 7): continuation from connector A, reference numerals 516 to 524. Boxes, in the order extracted:
- TAKE AN ACTION WITH RESPECT TO THE CLOUD STORAGE SERVICE BASED ON THE DETERMINATION THAT AT LEAST A PORTION OF THE FILE SHOULD NOT BE DISTRIBUTED
- SEND A NOTIFICATION
- SET A PROTECTION MODE FOR THE FILE ON THE CLOUD STORAGE SERVICE
- SET A FILE PERMISSION
- REFRAIN FROM CHANGING A FILE PERMISSION]

CLOUD STORAGE SCANNER

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority to United Kingdom Pat. App. No. 1611202.1 filed on Jun. 28, 2016, which is incorporated herein by reference in its entirety.

BACKGROUND

[0002] Malicious exploits, such as malware, may be used to compromise one or more target computing devices, cause damage to one or more computing devices or obtain private information from one or more computing devices. For example, malware may include computer viruses, Trojan horses, rootkits, key loggers, spyware, adware, viruses, worms, spam, phishing explorations, etc. Some exploits may use websites to host components of malicious code and download the components to a target computing device.

[0003] Some systems for the detection of malware in a computing device may employ signature-based detection. Such systems may also monitor the behavior or activity of applications on a computing device. However, such systems typically run on the protected computing device, with potentially some additional resources provided by other computing devices.

[0004] Cloud computing services have become increasingly popular. One example of cloud computing services is Amazon Web Services (AWS), which offers a suite of cloud computing services that provide an on-demand computing platform. AWS services span a wide range including compute, storage, networking, database, analytics, applications, deployment, management, developer tools, etc. One of the services, Amazon Simple Storage Service (S3), is a storage service. Cloud computing services provide computing capacity as an alternative to building an actual physical server farm.

SUMMARY

[0005] It is desired to provide protection against compromise (e.g., malware or other exploits) or confidential information exfiltration in cloud service environments in a manner that is simple and efficient, and with minimal performance impact on applications using the cloud computing services. It is desirable to accomplish this without use of an agent installed on the template image used in cloud-based environments. This may be accomplished in some implementations with an architecture that connects a scanning service directly to the cloud data storage associated with a target application, in a manner that is intended to be efficiently configured and managed.

[0006] Embodiments of the invention may provide an agentless scanner for a cloud storage service. The scanner is agentless in that it does not require, for example, an agent to reside on the host of the application that is using the cloud storage service. In some implementations, a scanning service for cloud storage receives notifications of storage activity from a storage monitor. For example, the scanning service may receive a notification of a file event or the file event itself, and scan the file for specific data content (e.g., potential or actual malicious content or content otherwise desired to be protected). If the scanning service returns a positive result (e.g., potential or actual malicious content or content otherwise desired to be protected), action may be taken. The action may include to quarantine the file by altering permissions on the file so that at least some other applications, such as the application that is using the cloud storage service, may not access it without administrator action. A user or administrator may be notified.

[0007] As one example, an implementation of an agentless scanning service configured for AWS infrastructure uses S3 buckets for file storage, registers with the S3 service to receive notifications of file activity, receives notifications of file activity, and scans files upon receiving the notifications. If the scan result is positive, action may be taken to protect the application, such as setting permissions to make the file unavailable, notifying an administrator, moving the file, renaming the file, encrypting the file, etc. The agentless scanning service simplifies workflow for deploying and managing data protection (e.g., anti-malware, data loss prevention) for applications making use of cloud resources. Applications that are fully implemented in the cloud and applications implemented elsewhere but that make use of cloud or remote storage resources may make use of an agentless scanning service.

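The notification, fetch, scan and action sequence of paragraph [0007], as an added Python example that is not part of the patent text or of any Sophos code. It assumes the S3 event-notification JSON layout (object keys arrive URL-encoded); `InMemoryStore`, the `quarantine` mode name, the byte signature and all sample data are constructed for illustration, and only the "Notify Only" mode is named on the page.

```python
import json
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed notification in the S3 event-notification layout; bucket and keys are made up.
SAMPLE_EVENT = json.dumps({"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-uploads"}, "object": {"key": "reports/q3+export.csv"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-uploads"}, "object": {"key": "notes/readme.txt"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-uploads"}, "object": {"key": "tmp/gone.bin"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "example-uploads"}, "object": {"key": "old/data.bin"}}},
]})

# Hypothetical byte signature standing in for a real malware definition set.
SIGNATURES = {"Constructed.TestMarker": b"CONSTRUCTED-MALWARE-TEST-MARKER"}
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13 to 19 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


@dataclass
class InMemoryStore:
    """Stand-in for the cloud data store: objects plus a per-object 'blocked' flag."""
    objects: dict
    blocked: set = field(default_factory=set)

    def get(self, bucket, key):
        return self.objects.get((bucket, key))

    def block(self, bucket, key):
        # A real deployment would change the object's permissions here.
        self.blocked.add((bucket, key))

    def is_blocked(self, bucket, key):
        return (bucket, key) in self.blocked


@dataclass
class Verdict:
    bucket: str
    key: str
    findings: list
    action: str


def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(data):
    """Return the names of everything in `data` that should not be distributed."""
    findings = [name for name, sig in SIGNATURES.items() if sig in data]
    text = data.decode("utf-8", errors="replace")
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            findings.append("credit_card")
            break
    if SSN_RE.search(text):
        findings.append("ssn_pattern")
    return findings


def handle_notification(raw_event, store, mode="quarantine"):
    """Process one notification: fetch each created object, scan it, act on the result."""
    verdicts = []
    for rec in json.loads(raw_event).get("Records", []):
        created = rec.get("eventName", "").startswith("ObjectCreated:")
        if rec.get("eventSource") != "aws:s3" or not created:
            continue                      # only completed uploads are scanned
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])   # keys are URL-encoded in events
        data = store.get(bucket, key)
        if data is None:                  # object removed between notification and fetch
            verdicts.append(Verdict(bucket, key, [], "missing"))
            continue
        findings = scan(data)
        if not findings:
            action = "clean"
        elif mode == "notify_only":
            action = "notified"           # report the finding, leave permissions unchanged
        else:
            store.block(bucket, key)      # quarantine by permissions
            action = "quarantined"
        verdicts.append(Verdict(bucket, key, findings, action))
    return verdicts


def demo_store():
    """Constructed bucket contents matching SAMPLE_EVENT (tmp/gone.bin is deliberately absent)."""
    return InMemoryStore({
        ("example-uploads", "reports/q3 export.csv"): b"name,card\nA. Example,4111 1111 1111 1111\n",
        ("example-uploads", "notes/readme.txt"): b"nothing sensitive here\n",
    })


if __name__ == "__main__":
    for verdict in handle_notification(SAMPLE_EVENT, demo_store()):
        print(verdict)
```
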
[0008] In general, in one aspect, a system includes a processor and a non-transitory computer readable storage medium having computer readable code thereon. The medium includes instructions executable by the processor to perform operations including configure a scanning service to receive notifications from a cloud storage service about storage activity and to access data in the cloud storage service, and receive, by the scanning service from the cloud storage service, a notification regarding storage activity related to a file in the data. The medium also includes instructions to, after the completion of the storage activity, receive by the scanning service from the cloud storage service, the file. The medium also includes instructions to scan, by the scanning service, the file. The medium also includes instructions to determine from the scan that at least a portion of the file should not be distributed; and take an action, for example, with respect to the cloud storage service, based on the determination that at least a portion of the file should not be distributed.

[0009] In some implementations, the instructions are further executable by the processor to configure the scanning service to receive notifications from said cloud storage service about storage activity associated with a plurality of accounts associated with the cloud storage service. In some implementations, the instructions are further executable by the processor to take an action by setting a protection mode for the file on the cloud storage service. In some implementations, the instructions are further executable by the processor such that the protection mode is a Notify Only mode
