-
Publication (Announcement) No.: US20190205533A1
Publication (Announcement) Date: 2019-07-04
Application No.: US15857007
Filing Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-
Publication (Announcement) No.: US10740459B2
Publication (Announcement) Date: 2020-08-11
Application No.: US15857007
Filing Date: 2017-12-28
Applicant: CrowdStrike, Inc.
Inventor: David F. Diehl, Milos Petrbok, Colin Christopher McCambridge, Aaron Putnam
Abstract: Some examples detect malicious activity on a computing device. A processor in kernel mode detects an event on the computing device. The processor provides a validation request on a kernel-level bus. A bidirectional bridge component transmits the request to a user-level bus. The processor in user mode determines that the event is associated with malicious activity and provides a validation response on the user-level bus. The bridge component transmits the validation response to the kernel-level bus. In some examples, the processor in user mode receives security-relevant information from a system service of the computing device, and analyzes the event based at least in part on the security-relevant information. In some examples, the processor in user mode receives a security query, queries the kernel mode via the bridge component, and responds to the security query indicating that the data stream is associated with malware.
-