US 12,445,294 B2
Monitoring process data acquisition and exfiltration
Daniel Montaque Teal, Austin, TX (US); Steven Braggs, Oxford (GB); and Andrew James Thomas, Oxfordshire (GB)
Assigned to Sophos Limited, Abingdon (GB)
Filed by SOPHOS LIMITED, Abingdon (GB)
Filed on Jun. 14, 2023, as Appl. No. 18/334,974.
Prior Publication US 2024/0422007 A1, Dec. 19, 2024
Int. Cl. H04L 9/32 (2006.01); H04L 9/40 (2022.01)
CPC H04L 9/3239 (2013.01) [H04L 63/1425 (2013.01)] 20 Claims
1. A computer-implemented method performed at an endpoint device, the method comprising:
identifying, with a kernel-mode driver executing on the endpoint device, one or more software processes that execute on the endpoint device and that perform opening a first file;
storing, in a kernel space of an operating system on the endpoint device, for each software process of the one or more software processes, identification information about the first file;
responsive to the one or more software processes opening the first file, generating a first cryptographic hash of a portion of the first file;
responsive to determining that a triggering event has occurred, transmitting the first cryptographic hash of the first file to a server;
responsive to the one or more software processes transmitting a second file over a network, generating a second cryptographic hash of the second file; and
determining that the first cryptographic hash matches the second cryptographic hash and identifying the one or more software processes that performed the transmitting the second file over the network as suspicious.
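As an added example (not Sophos's code and not an embodiment from the patent), the following Python model walks through the steps of claim 1: record a hash of each file's leading portion when a process opens it, report the recorded hashes on a triggering event, and compare every outbound payload against the hashes recorded for the sending process. The 4 KiB portion size, the PIDs, file paths, destinations and payloads are constructed assumptions.

```python
"""Toy model of the open/hash/send-match detection in claim 1.
Added example, not Sophos's code; all events and data are constructed."""
import hashlib
from collections import defaultdict

PORTION = 4096  # assumption: the hashed "portion" is the first 4 KiB


def portion_hash(data: bytes) -> str:
    """SHA-256 over the leading PORTION bytes, for files and payloads alike."""
    return hashlib.sha256(data[:PORTION]).hexdigest()


class ExfilMonitor:
    """Stands in for the kernel-mode driver: per process, remember which files
    were opened and the hash of each file's leading portion, then check outbound
    payloads from that same process against the remembered hashes."""

    def __init__(self):
        self.opened = defaultdict(dict)   # pid -> {path: portion hash}
        self.reported = []                # hashes "transmitted to the server"
        self.suspicious = []              # (pid, destination, matched path)

    def on_open(self, pid: int, path: str, content: bytes) -> str:
        h = portion_hash(content)         # hash at open time, kept "in kernel space"
        self.opened[pid][path] = h
        return h

    def on_trigger(self) -> list:
        """Triggering event (e.g. a periodic sync): ship known hashes to the server."""
        for files in self.opened.values():
            self.reported.extend(files.values())
        return list(self.reported)

    def on_send(self, pid: int, dest: str, payload: bytes) -> bool:
        """Hash the outbound data; a match against a file this process opened
        marks the process as suspicious. Matching is per process, as in the claim."""
        h = portion_hash(payload)
        for path, known in self.opened.get(pid, {}).items():
            if known == h:
                self.suspicious.append((pid, dest, path))
                return True
        return False


def run_demo() -> ExfilMonitor:
    mon = ExfilMonitor()
    secret = b"ACCOUNT,ROUTING\n" + b"1234,5678\n" * 300   # constructed payroll data
    mon.on_open(4242, r"C:\Finance\payroll.csv", secret)
    mon.on_open(4242, r"C:\Finance\readme.txt", b"nothing sensitive here\n")
    mon.on_trigger()
    mon.on_send(4242, "10.0.0.5:443", b"GET /index.html")     # benign: no match
    mon.on_send(4242, "203.0.113.9:8443", secret)              # file copied to the wire
    mon.on_send(7, "203.0.113.9:8443", secret)                 # pid 7 never opened it
    return mon
```

Only the send from PID 4242 that carries the payroll bytes is flagged; the same bytes from PID 7 are not, because the claim ties the comparison to the processes that opened the file.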