CPC G06F 21/554 (2013.01) [G06F 21/566 (2013.01); G06F 2221/034 (2013.01)]; 20 Claims
1. A system, comprising:
a processor configured to:
monitor file system activities on a computing device;
detect an unauthorized activity associated with a honeypot file or a honeypot folder, wherein the honeypot file is a virtual file generated as a spoofed file system response using a filter driver or the honeypot folder is a virtual folder generated as the spoofed file system response using the filter driver, wherein the virtual file is dynamically generated with a spoofed header, a spoofed time stamp, and a spoofed file size using the filter driver, and wherein the virtual folder is not generated for the spoofed file system in response to legitimate directory activities based on an endpoint agent executing on the computing device determining that a return address associated with a request to access a protected directory is associated with a predetermined set of shell related Dynamic Link Libraries (DLLs);
perform an action based on a policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder; and
a memory coupled to the processor and configured to provide the processor with instructions.