GB2627941A

GB2627941A - File-system protection

Info

Publication number: GB2627941A
Application number: GB2303373.1A
Authority: GB
Inventors: Rothwell William
Original assignee: Platinum High Integrity Tech Ltd
Current assignee: Platinum High Integrity Tech Ltd
Priority date: 2023-03-08
Filing date: 2023-03-08
Publication date: 2024-09-11
Also published as: WO2024184646A1; GB202303373D0

Abstract

A request to open an existing file is intercepted. The file type of the file and the name of the requesting process are identified. If the process is a registered file handler for the file type, then the request is allowed. Otherwise, the request is refused. The file type may be identified using the filename extension of the file. Multiple processes may be registered for one file type. If the request is refused, the user may be asked whether to allow the request. If the user allows the request, the process name may be added to the registered file handlers. There may be a list of applications which can open any file type. There may be file types that can be opened by any application. If a request is denied, the process may be terminated, and an alert may be generated.

Description

Intellectual Property Office Application No G132303373.1 RTM Date:19 July 2023 The following terms are registered trade marks and should be read as such wherever they occur in this document: Microsoft Excel Microsoft Office Intellectual Property Office is an operating name of the Patent Office www.gov.uk /ipo

FILE-SYSTEM PRO ILC TION

Field

100011 The present invention relates to a method for the prevention of attacks seeking to damage or render inaccessible the file-system of a computer.

Background

100021 In the last few years, a new type of computer malicious software (malware), commonly called ransomware, has emerged. Ransomware has quickly become the most prominent and damaging type of malware. Recent ransomware attacks have impacted hospitals' ability to provide medical care and so endangering human lives, crippled public services, caused significant financial damages to businesses, commercial entities and organisations, and even law enforcement agencies. Ransomware is a very serious worldwide cyber threat.

100031 Ransomware is a class of malware which has the characteristics of encrypting the data files on the victim's computer, and demands ransom payment within a short period in return for the decryption key for the victim to recover the company's data. Many variants of ransomware also steal the victim's data and threaten to disclose the data content on the Internet if the victim does not pay up the ransom. There are incidents of a 'double extortion attack' where ransom was paid but the cyber criminals still uploaded company's data online.

100041 Household name companies are reported in the news on a regular basis to have fallen victim to ransomware attacks. It is estimated there are many more other lesser known and small enterprises have fallen victim on a daily basis unreported in the news.

100051 The ransomware situation is so prevalent and serious that new industries have spawned up. For example, companies offering ransomware negotiation services specially act for the victims to negotiate payment terms with the cyber criminals. Another new industry is new cyber insurance which covers ransom payment.

100061 Because of compliance requirements, all the large victims companies and organisations have anti-malware and other security controls in place. It is apparent that the technologies of the current anti-malware and security applications are inadequate and ineffective protection against today's ransomware attacks. The damages to the ransomware victims are immense and the consequence is dire to the business. Many reported ransom demands are in the millions of dollars, depending on the size and business sector of the victim company.

100071 The approaches of the anti-ransomware/anti-malware solutions on the market focus on detection, elimination and mitigation of ransomware attacks. Inevitably, these solutions examine the potential ransomware threat actors, i.e. program file, that have gained entry to the computer. The security applications adopt a cocktail of methods including pattern scanning, heuristics analysis, sandboxing, application whitelisting, cloud-based intelligence, AI and machine learning etc. to detect if the potential threat actor is malicious, and act upon the result. Motivated by financial gains, the cyber criminals have constantly morphed and improved the ransomware attack techniques to successfully bypass the protection methods. This is evidenced by the frequent report of successful ransomware attacks causing significant damages to the victim organisations/business.

Summary

100081 According to the present invention, there is provided a computer implemented method for the protection of data, comprising: intercepting an I/0 request packet made by a requesting process to a filesystem to open an existing file; determining the file type of the existing file; checking whether the requesting process name is an appropriate file handler for the file type; denying the request when the result of the check is negative.

100091 This is advantageous as it prevents a suspicious executable (e.g. ransomware) currently running on a computer from encrypting stored data, as it will not be a registered file handler and so will not pass the check. It also does not require the suspicious executable to be identified, providing more general protection than anti-malware solutions that do require this.

100101 Desirably, determining the file type comprises inspecting the filename extension of the existing file.

100111 Desirably, checking comprises checking whether the requesting process name is a registered file handler of the file type.

100121 Optionally, the invention further comprises forwarding the I/O request packet to the filesystem when the result of the check is positive. This is advantageous as it ensures that valid requests can then be acted upon without any user interaction, making the process seamless for the user during normal operation. A further advantage is that the method is transparent to both the user and to the registered file handler, as the request will be sent to the filesystem exactly as it would without the method acting upon the request.

100131 Optionally, the check further includes comparing the requesting process' parent process name with the file handler's parent process name. This is advantageous as it provides more advanced protection than checking just the process name. In particular, it can prevent an attack involving the ransomware compromising and launching the registered file handler to perform I/O operations. In this case, the parent process would differ from the file handler's parent process, allowing the malicious I/0 operation to be detected.

100141 Optionally, the check is performed using a map data structure that maps a file extension to one or more file handlers. This is advantageous as it allows for the file handlers for each file type to be found quickly, reducing the time taken for the check to be performed. Performance is important if the system undergoes a large amount of I/O operations at once.

100151 Optionally, the invention further comprises sending a user a runtime query, allowing them to approve the request if the result of the check is negative. The advantage of this is that unregistered but legitimate file handlers are still able to perform I/0 operations on the file type if required, when confirmed it is safe to do so by a user.

100161 Optionally, the invention further comprises adding the requesting process name to the mapping list as a registered file handler for that file extension if the request is approved by the user. This is advantageous as it allows for new registered file handlers to be created, preventing the user from having to approve the application every time that application is used to perform I/O operations on a file.

100171 Optionally, the invention further comprises checking a list of predefined applications and immediately forwarding the 110 request packet when the requesting process name is found to be in the list. This is advantageous as it allows for certain applications that perform I/O operations on all file types and extensions to operate. This includes applications such as anti-virus and backup applications. Allowing these applications to perform I/O operations without performing a check leads to faster performance compared to having to check each I/O operation.

100181 Optionally, the invention further comprises checking a list of excluded file extensions, and immediately forwarding the PO request packet when the file extension is found to be within the list. This is advantageous as it allows for faster performance. Ransomware does not usually target certain file types crucial to the functioning of the computer, and so not performing a check for those file types allows for faster operation without compromising protection.

100191 Optionally, the invention further comprises checking the process name against a list of previously denied processes before the check is performed, and denying the request when the process name is found within the list. This is advantageous as it allows for likely ransomware to be dealt with both quickly and easily. If a process is identified as likely being ransomware, it can be quickly denied without spending time performing the check.

100201 Optionally, the invention further comprises terminating the requesting process after the request is denied. This is advantageous as it prevents a potentially malicious program from running and making more requests, slowing the computer down.

100211 Optionally, the invention further comprises logging an alert after the request is denied. This is advantageous as it allows a user to be notified when a potentially malicious process is identified. The reason to record denied 10 is that the system owner is informed what files the suspicious executable attempted to encrypt. The allowed 1/0 records assist the admin/user to examine and define exception rules if required, e.g. those processes approved during runtime queries.

100221 Optionally, the method is performed by a driver. The ADP driver audit logs all Read VO requests irrespective of whether they are allowed or denied. Technically, performing the logging task at the kernel driver level is much more efficient because the driver does not need to send the I/O request details to the userland components, which takes time. A further advantage is that the kernel driver cannot be terminated by hostile actors to stop audit logging while the userland components can be easily terminated.

[00231 Optionally, the invention further comprises storing its operating parameters in the Windows registry. This is advantageous as it allows for the invention to protect the parameters from modification by intercepting any requests to change them.

100241 According to the present invention there is further provided a system comprising: a memory storing computer-readable instructions thereon; and a processor that executes the computer-readable instructions to perform the invention described above.

100251 According to the present invention there is further provided computer-readable instructions that when executed by a processor of a system cause the processor to perform the invention described above.

Brief introduction to the drawings

100261 The invention will be described further below with reference to example embodiments and the accompanying schematic drawings, in which: Fig. I shows a diagram of the placement of different components within the operating system of a computer in an embodiment of the present invention.

Fig. 2 shows a diagram illustrating the different steps of the method of an embodiment of the present invention.

Fig. 3 shows a diagram of the operation flow of an embodiment of the present invention when the method is carried out using two exemplary processes.

Fig. 4 shows the usual flow of operations when a subsystem attempts to perform an 1/0 operation on a file, and the point where the interception occurs.

Fig. 5 shows a diagram of the high level steps involved in an embodiment of the present invention.

In the accompanying drawings, like reference numerals are used to indicate like components.

Detailed explanation of example embodiments 100271 The current invention introduces a novel technical method to proactively prevent unauthorised access to a file system by a suspicious executable, and thereby defeat ransomware attacks. The innovative method requires zero knowledge of the threat actor (i.e. suspicious executable / script file) whether it is a ransomware and malicious or not.

Therefore, it does not employ any of the above mentioned existing anti-ransomware/antimalware technologies.

100281 It is important to note the invention is not solely intended for anti-ransomware/anti-malware purposes and it has no functionality to detect, mitigate and remove any ransomware it is not an anti-ransomware/anti-malware solution. The present invention can neutralise the threat of data encryption and/or exfiltration posed by a suspicious executable but does not remove or quarantine the responsible executable. Its protection is effective in a computer environment whereby a suspicious executable has presumably compromised the computer. It takes a totally different direction to current approaches by applying protection control to I/O operations performed on data files, which the suspicious executable targets to encrypt, ensuring only legitimate application programs can perform 1/O operations on the data files. The novel method provides a high-confidence and robust protection on the threat targets, i.e. the data files, without the needs of regular updates/patching to the protection. This is achievable based on the file I/O operation intercepting mechanism provided by underlying Operating System (OS) architecture, which is explained in full detail below.

100291 The following discussion covers only the essential elements referenced in the current 25 invention.

100301 Firstly, the structure of a computer file will be discussed, with reference to Fig. 1. In modern OS architecture, computer data is organised and stored in a special data structure container referred to as a 'computer file'. The computer files are stored on permanent storage devices also known as secondary memory, e.g. mechanical hard disk, solid state drive, flash memory device, optical storage and magnetic tape device etc. Typically, a computer application program is used to create and manipulate a computer data file. The data is mostly encoded and laid out in a proprietary data structure defined by the application vendor.

100311 On a common OS, e.g. Microsoft Windows, by convention a computer file is assigned a textual description (a.k.a filename) by the data creator (human or computer) together with one or more characters to indicate its data type, e.g. an image file or a spreadsheet file. The data type descriptor, known as the file extension, is appended to the end of the textual filename separated by a dot "." character, e.g. "budget forecastx.15x"; The "budget forecast" is the filename part and ".x/sic" is the file extension. The primarily purpose of the filename part is for human readability. The file extension is mainly for the OS to efficiently associate a file type to the default application that is used to process the file content -which we will describe hereafter as the "default file handler". Because of the proprietary data structure, data format and encoding, a compatible file handler is required to operate on the file. For example, a PDF application may not correctly open and process a "..risx" Excel spreadsheet file. Nowadays, it is common for 3rd party applications, other than the original application, to be compatible to interpret and process these proprietary data files. These 3rd party applications are called "file handlers" of a particular file type in the description.

100321 The mapping of each file extension and its "default file handler" is stored in the Windows Registry 20. The mapping information can be acquired via an Application Programming Interface (API) call, AssocQuelyString0, or query of the Windows Registry 20 directly. The association of a data file and its "file handler" allows for the verification of a process to prevent suspicious processes from performing 1/0 operations on data files. Although certain API calls are discussed below, this is not intended to be limiting, as there are other API calls that can provide access to data files, in particular, different operating systems will use different API calls.

100331 When a human user desires to perform an action on a file such as to open the file to read, edit and save, the file handler (application) that contains the computer instruction code, is launched/instantiated to run on the computer. The file handler is known as a 'computer process' or 'process' running in the computer memory. Acting in the user's or system's context, the 'process' makes Input/Output (1/0) requests to the OS via a series of API calls.

Typically, the 'process' first makes a Crewel-7HO APT call to get a 'file handle object' to the required computer file specifying in the request parameters the full filename and intended file TO operation to perform, e.g. Read and/or Write operation etc. Of interest is the same CreateFile() API call is used to create a new file as well as to open an existing file for editing.

The CreateFileO's operation depends on the parameters passed to it by the caller. This invention is interested only in I/O request to open an existing file and not to create a new file.

100341 To avoid ambiguity in the explanation, a 'file handler' refers to the application program process that manipulates a specific file, whereas a 'file handle object' is system generated data (4 bytes on 32-bit computer and 8 bytes on 64-bit computer) to associate a computer file in an I/O API call, e.g. CreateFile0. It is the OS architecture that a 'file handle object' is a prerequisite in I/O API calls. A 'file handler' (process) is unable to perform Create/Read/Write I/O operation on a file without a valid 'file handle object'.

100351 The Createrile0 request is passed to the 10 subsystem in the kernel space (also called kernel mode) which performs the standard sanity and security checks validating the caller's PO operation request. If the request is valid, a kernel module known as the Input/Output (PO) Manager 32 creates and sends an I/0 Request Package (IRP) IRP AIJ CREATE to the filesystem drivers to either create a new file or open an existing file as required. After the requested file is created or opened successfully by the filesystem driver, the PO Manager 32 receives a 'file handle object' from the filesystem driver and it returns the 'file handle object' to the calling 'process' for subsequent PO operations.

100361 When the requesting 'process' obtains a 'file handle object' to operate on the file, for example, to read and write data to the file, it passes in the 'file handle object' as a parameter in the subsequent Readl-ille() API calls to read in the file data for manipulation before writing back the data to the file by a Writerile0 API calls also with the 'file handle object' as a parameter.

100371 The PO Manager 32 always return a success or fail status code for each Createllile(), ReadFile() and WriteFile0API calls to the caller process. A failed status code indicates the required file operation cannot be performed and aborted.

100381 Next, the 1/0 workflow processes followed by a computer during operation and in particular during PO will be discussed. This I/O workflow process involves validating a request to perform an I/O operation on a file by a computer process. The full scope of how a computer process functions on any operating system (such as Microsoft Windows) is a very complex topic outside the scope of discussion. The following is a necessarily simplified overview, which covers only the relevant elements of a computer process referenced in the invention.

100391 An application program and a process are different fundamentally. A program is a static sequence of instructions contained in an executable file, e.g. *.exe. A process is a container for a set of system resources used such as memory, an image of the program in memory and at least one execution thread. A process is, therefore, a running instance of an application program. A process also contains information relating to its parent or creator process. When a process launches a program, e.g. *.exe, to instantiate it as a running process, there exists a parent/child relationship. Therefore, a process always has a parent process when it is instantiated even though the parent process may be terminated later on.

100401 After a computer completes the boot up sequence, it is ready for user logon. When a user logs on, the system prepares the user's computing environment and a system process called Winlogon launches the user's default shell explorer.exe which is specified in the Windows Registry 20. Explorer.exe is a process running in the security context of the logged on user. From this point onwards, when the user executes an application program, e.g. excelexe, explorer.exe becomes the parent process and excel.exe is the child process.

100411 The invention leverages the fundamentals that there always exists a requesting process when an 1/0 operation is to be performed on a computer file, and secondly the I/0 requesting process has a parent process. The two fundamentals are used to validate if the requesting process's 1/0 operations on files are valid or not.

100421 Finally, ransomware will be discussed. Ransomware is a type of malware. Similar to malware infection attacks, the ransomware needs to gain access to a victim computer to effect its malicious purposes Ransomware uses a number of tactics to infect a computer with the most common tactic being phishing emails. A phishing email may contain a downloader as an attachment that downloads the ransomware, or a link to a website that is hosting a malicious download. When an email recipient falls for the phishing trick the ransomware is downloaded and executed on the computer. Another recent popular attack vector is remote access with stolen or broken login passwords, where the ransomware operator, having gained remote access, directly performs the ransomware attack on the victim computer.

10043] The ultimate objective of a ransomware attack is to render computer data inaccessible to the legitimate data owner, by encrypting or corrupting the data files on disk. Recent ransomware also exfiltrates data back to the ransomware operators as a part of the extortion. The data owner is demanded to pay a ransom payment or the ransomware operator will disclose the data content publicly causing reputational and financial damages.

10044] To encrypt computer data files, ransomware must be able to perform an 1/0 operation on the data files in the first place. When a ransomware executes, it obtains a list of data files on the computer storages including local storage, removable devices, networked remote storages and backup/archive storage. Most ransomware are cautious in their selection of files not including system and executable files for encryption to ensure system stability. This is because a corrupted and inoperable computer would foil the extortion effort of the ransomware operator.

100451 With the list of selected data files, the ransomware opens each of the data files and reads in the file data to encrypt before saving the encrypted data back to the file replacing the original contents. An alternative technique is to delete the original data file and save the encrypted data in a newly named file, often with an indicator in the filename it is created by the ransomware. For each of the selected files, the ransomware makes a Createrile0 API call to first obtain a 'file handle object' for the following Readrile0 API calls. The read-in data is enciphered with the chosen encryption algorithm and an encryption key. A WriteFile0 API call is made to save the encrypted data. To complete the I/O operation, a Closet-1116,0 API call is required. The ransomware may open the selected files one by one sequentially or open more than one file concurrently. There is no difference to the I/O calling and processing sequence described.

100461 It is noted that the 'file handle object' that is returned by a successful Create/We° API call is the prerequisite for the subsequent processing by the ReadFileOlWriteFile 0 API calls. Without a valid 'file handle object', the ransomware is not able to perform an encryption operation on any file, effectively terminating its attack. The invention is based on the technical fundamental of denying the ransomware access to a 'file handle object'.

10047] An embodiment of the present invention is now described. The invention introduces a novel and purely technical method to proactively block any attempts to perform an I/O operation on data files by a suspicious executable, without the requirement of any knowledge about whether the suspicious executable (requesting process) is malicious or not. The core motive of the invention is to deny a suspicious process such as ransomware to have access to the data files, thereby defeating the ransomware's objective of rendering the data files inaccessible by means of encryption and data corruption 100481 The invention departs from the existing malware/ransomware defence approaches of pattern scanning, heuristics analysis, sandboxing, application whiteli sting, cloud-based intelligence, AI and machine learning, application/system patching, user awareness training, containment, data backup and mitigation etc. These approaches have been tried and proven inadequate protection against today's ransomware attacks. The invention provides a robust protection to data files and may not be bypassed by a ransomware and any new variants, even where the ransomware has obtained high system and account privileges through vulnerability exploitation. The inventive novel method requires zero knowledge of the ransomware execution code and has no requirement for updating and patching. It also operates without any noticeable performance impact.

100491 The present invention will sometimes be referred to by the term "ADP", which stands for Aegis Data Protector.

100501 The inventive method is based on the computing fundamentals that computer data is stored in a static computer data file on permanent storage, and there exists one or more known user application programs 11 on the computer which are used to process and manipulate the data file. The ADP protection covers data files only excluding executable binary files and system generated temporary files, because ransomware does not encrypt executable binary files that will render the computer inoperable. The realization of the invention as a practical ransomware protection solution is through the implementation of a kernel driver software operating in Ring 0 of the OS (the kernel), with supplementary user-mode software components in Ring 3 (the application ring). The majority of modern operating systems operate using a ring structure like this.

[0051] A ransomware is a standard computer program from the OS's perspective, and it must follows the same file I/O request procedure when it attempts to operate on a computer file. The ultimate objective of ransomware is to encrypt data files on the compromised computer disk and extort money from the data owner before releasing the decryption key and method.

[0052] The ransomware must obtain access to the data files on the computer to perform its intended malicious purposes. Blocking unknown and unauthorized access by default to data files on a computer prevents ransomware to encrypt and overwrite data files and effectively terminates the ransomware attack. The inventive method enforces that only the registered 'file handlers' and user-allowed application programs can access data files unhindered. The method is integrated into the file I/O access workflow of the OS kernel, its protection is nonbypassable and transparent to both the application program and the computer user.

[0053] The Windows.RTM (Release To Manufacturing) architecture does not allow applications direct access to hardware, using the software protection layer called 'Hardware Abstraction Layer' (HAL) 35, and it defines device-independent interfaces for applications to I/O operations on hardware devices. This abstraction enables applications to request I/0 operations without regard to the physical characteristics of the underlying hardware devices.

[0054] Typical I/O operations on a hardware storage device are read and write requests. The kernel maintains a data structure called "services dispatch" tables. The tables map user-mode function calls to Windows native APIs (Application Programming Interface), which are not fully documented. When an application makes a function call, the user-mode function call (API) is mapped to the appropriate kernel native API call(s) and serviced by the kernel. For example, a user-mode API call to Createbile 0 is mapped to kernel function call ZwerealeFile0.

[0055] Some applications, for example the FileMonster.RTM. application, manipulate these 30 undocumented dispatch tables ["Undocumented Windows 2000 Secrets: A Programmer's Cookbook" by Sven Schreiber, ISBN: 0201721872] and modify the entries to intercept system calls. Since Microsoft.RTM. has not documented nor recommended this approach, it is not considered good practice for system stability. For example, if two applications modify the dispatch tables, the system may not work correctly.

100561 Windows provides 1/0 services by the I/O system services 31 and I/O Manager 32 kernel components. When an PO request is received from the I/O system services 31 component, the 1/0 Manager 32 creates a data structure called an I/O Request Packet (IRP). The IRP is used to package and to dispatch the request and control messages to the target device driver via function codes, e.g. filesystem drivers. The function code is embedded in an 1RP that a driver receives and acts on.

[00571 A kernel driver implements and services function codes such as IRP AV CREATE, IRP Alf READ, IRP Alf WRITE, TRP A/LI CLOSE and IRP NU DEVICE CONTROL etc. and reports back status on completion. For example, when an application makes a Crealeille0 call, the 110 Manager 32 calls the target driver's IRP _AV CREATE function code. Later, when the application calls I?eadFile0 or WriteFile0, the 1/0 Manager 32 dispatches IRP AV READ or IRP Alf WRITE calls in the 1RP. Likewise, when the application finishes the I/O operation and closes the file handle object, IRP AV CLOSE is called and the file handle object will not be usable later. The 1/0 Manager 32 also returns an I/O request result to the caller, e.g. succeeded or failed.

100581 Windows has a layered-drivers architecture that allows other kernel drivers to intercept IRPs destined to a target device driver. The intended purpose is to provide additional services; these intercepting drivers are called filesystem filter drivers, or just filter drivers. The filter driver used in the present invention will be referred to herein as the ADP (filter) driver 33, or Aegis Data Protector filter driver, and is a filesystem filter driver that intercepts 1/0 requests to the file systems, e.g. NTFS.

100591 The ADP driver 33 stores its operating parameters in the Windows Registry 20, which is protected from unauthorized modification by the driver itself It reads in the operating parameters when it is loaded at boot time and the operating parameters affect its operating behaviour.

100601 The ADP driver 33 is supported by its supplementary user-mode components which provide services to the driver such as an administration program for the user to manage and adjust the driver's operation parameters, an interactive communication channel with the user, proxy services to user-mode Windows API callings and log files collation and analysis etc. The communication channels between the ADP driver 33 and its user-mode components may be protected by cryptographic method.

100611 Specifically, the above mentioned administration program operating in the userland context provides a tool for the human user to manage and control the protection parameters of the ADP driver 33 by issuing instructions to the driver manually and directly, e.g. to turn on and off protection. A second userland program, which is implemented as a NT Service to run continuously when the computer has started up, facilitates a secure two-way communication channel between the ADP driver 33 and the human user, for the latter to approve or deny access to data files by unknown application programs. The NT Service program may optionally also provide API calling proxy services and other supporting functionality to the ADP driver 33. Log files collation and analysis functionality may optionally be provided by a third userland application, which forwards the audit log data to one or more remote centralized log data repository where further log data processing by A.I and machine learning functions are implemented.

100621 A kernel filesystem filter driver is required to register with the I/O Manager 32 to receive I/O notifications to process IRPs. In its initialization routine DriverEntry0, the ADP driver 33 informs the I/O Manager 32 the I/O requests it wants to intercept, by registering the necessary I/O function codes, and calls loAliachDericeByPoinier0. The I/O Manager 32 then reroutes 1RPs, that are destined to the target drivers, first to the ADP filter driver 33 for processing. ADP can request to receive only IRPs of interest but not all IRPs as explained here.

100631 The I/O Manager 32, on loading a driver, calls the "entry point" DriverEntry(jand passes in a pointer of a data structure (the driver's Driver Object) together with a text string of its Registry path so that ADP driver 33 knows where to find its parameters in the Registry.

ADP driver 33 performs initialization in DriverEntry() and fills out some, although not necessarily all, of the Driver Object structure's data members before returning to the I/O Manager 32. One data member is an array of IRPs of interest, for example, "DriverObjectlivdn.MajorFunctionfIRP M.7 CREATE/-ADPereate;". In this case, ADPCreate0 in the ADP driver 33 code is called when there is a IRP MI CREAIL; one or more of IRP MI READ, IRP MI WRITE, IRP MI FILE SYSTEM CONTROL and IRP MJ DEVICE CONTROL are also registered (it is useful to intercept READ to protect the ADP application image files themselves from unauthorized access so that other processes are prevented from opening the application files relating to ADP).

100641 To protect its Registry parameters from malicious modification, the ADP driver 33 also registers a callback function CinRegisterCallbackEx0. When there is an attempt to change and delete the ADP driver parameters in the Registry, the system notifies the ADP driver 33 of the intended action. The ADP driver 33 blocks and denies the unauthorized Registry modification attempt. The protection ensures the ADP driver 33 always operates in the expected configuration.

100651 An embodiment of the present invention will now be described with reference to Fig. 2 and Fig. 4. This exemplary embodiment implements a four step method. The first step of this method involves intercepting an I/O request packet made by a requesting process to a filesystem to open an existing file. The second step involves inspecting the file extension of the existing file. The third step involves checking whether the requesting process name is a registered file handler for that file's extension. Finally, the method involves denying the request when the result of the check is negative, meaning that the process name and registered file handler do not match. Each of these steps will be discussed in further detail below.

100661 Fig. 2 shows the program flow of an implementation of the ADP method. When the system is first configured, the ADP driver 33 must be registered with the operating system (step 110), and have the relevant parameters installed in the registry (step 115). The ADP driver 33 maintains some or all of the following data in the registry, and applies protection against unauthorised modification. The ADP registry parameters can only be modified when ADP operating status is set to deactivated mode. This ensures that the values cannot be maliciously modified to bypass the protection provided by the method.

100671 The values stored within include the Configuration value, an 8-hex digit DWORD value that controls the start-up default operating behaviour of the driver. Another stored value is the RegisteredProcess value, a string that contains the user defined applications to handle a specific file type. The user may define additional applications to handle a file type, e.g. *.docx can be processed by WinWord.exe and wps.exe (assuming WinWord is the default file handler). A wild card '*' allows an application unrestricted access to all data files, such as FTP, anti-malvv-are, data backup/archive programs, e.g. filezillane:*;. The data values stored in this registry key is added to the driver's mapping list, i.e. file extension and application handler data value pair. An example of this string could be ups.exe:.doc"doexioxit.exe:441....' 10068_1 Other values that are stored within the register include a list of file extensions for the protection scope (ProtectedExtensions), a list of file extensions that are excluded from the protection scope (ExcludedExtensions), the folder path for the ADP log file (LogPath), the process security identifier for unrestricted access to the data file (Sids2), the user security identifier for unrestricted access to the data file (UserSids2) and the process name of suspicious executables that should be denied execution (Quarantine). The ADP driver 33 can maintain additional data in the registry, such as a license key, the version number of the ADP driver 33 version, the installer version information (which is filled in by the installer).

100691 After starting the system boot-up process (step 120), the operating parameters are read from the Windows Registry 20 (step 125). The identifier for the IRPs of interest are then registered with the operating system for control application access (step 130). This step involves registering the IRPs of interest that the ADP driver wants to intercept with the system in order to allow the ADP driver to receive those IRPs for inspection and processing. This ensures that the I/O Manager 32 will only send registered IRPs to the ADP driver. The ADP driver 33 operates in either an activated mode or deactivated mode. Activated mode refers to the state that ADP enforces IRP interception and making allow/deny decision based on the operations described (e.g. deny or allow an IO request). There are two operating states in deactivated mode. In status 1, ADP continues to examine IRPs but does not deny IO requests, which is the same as it being turned off, and all 10 requests are allowed. The self-protection of Registry data and its own application files is active. In status 2, ADP is totally deactivated and all protection functions disabled. This mode allows the admin user to change ADP operating parameters.

Interception 100701 In the current embodiment of the invention, the ADP driver 33 intercepts all I/O requests to open an existing file in a /RP MJ CREATE, IRP. This request 1RP will be made by the I/0 Manager 32 to either create a new file or open an existing file. Instead of the request IRP being sent to the filesystem, as would happen in normal operation, the request IRP is rerouted by the I/0 Manager 32 to the ADP driver 33 which then intercepts the request IRP (step 135). The driver then optionally checks to see if it is in the activated state (step 140), and if not, passes the request to the next driver in the kernel (Step 180). This means the IO operation will be processed by the IO system normally, i.e. ADP is not denying IO although it still intercepts and inspects the IRPs. This allows the ADP driver 33 to protect its files on the registry from being modified, while still being inactive and not preventing any form of 10.

100711 Next, the driver checks the type of the request IRP intercepted (step 150). If the IRP lvIJ CREATE IRP is related to creating a new file, which is of no interest to the ADP driver 33, and not to open an existing file, the ADP driver 33 does not process the IRP MJ CREATE IRP further and forwards the IRP to the next drivers (step 180) by calling foCallDriver(), as mandated in the Microsoft kernel development documentation. This is to minimize any unnecessary delay in the file I/O processing by the I/O system services. IRP MI CREATE IRPs relating to creating a new file are not of interest as ransomware does not create new files, but encrypts existing ones. Fig. 4 illustrates the standard operation flow when accessing a file, as well as the moment when the driver intercepts the request.

Inspection 100721 During this stage, the file type is determined. In the present embodiment of the invention, the interception allows the ADP driver 33 to inspect the file extension of the impending file open operation. Both the requesting process name and its parent process name are obtained in the ADI'Creaie() function code, which handles the IRP MI CREATE IRP, via a native API call to ZwOzieryThfiffmationProcess0. After this stage, optionally, the type of the file is inspected (step 160). If the file is not a data file, the ADP driver 33 does not process the 1RP request further, but instead passes it to the next driver in the kernel (step 180). Check

100731 The next stage involves checking (step 170) whether the requesting process name is an appropriate file handler for the file type. In the present embodiment of the invention, this check comprises checking whether the requesting process name is a registered file handler for the file extension found when inspecting the IRP AIJ CREATE IRP. In the present embodiment, this check is implemented through the use of a mapping list (although any form of mapping data structure could be used). The ADP driver 33 maintains an internal mapping list of (i) file extensions (file types), (ii) its registered 'file handler' and optionally (iii) the parent process of the 'file handler'. It acquires the mapping details from an API call, AssocOnety,S'Ong0, or from the Windows Registry 20 directly or provided by its user-mode software components. There is only a single registered file handler for each file extension, however the ADP driver 33 may optionally allow for multiple file handlers to perform 1/0 operations.

100741 During the checking process, the ADP driver 33 compares (i) the requested file's file extension (filename ignored) embedded in the TRP NIT CREATE IRP as a key against the ADP driver's internal mapping list to locate the registered file handler. If a registered file handler is found, it is compared with (ii) the requesting process name for a match. if the requesting process matches the registered file handler then the check is positive, if not, the check is negative.

100751 The check could also be implemented in a variety of alternative ways that also compare the requesting process to the registered file handler for that process. The use of a mapping data structure is not required, just some form of check that a process is a registered file handler for that file type. Examples of this include a list of tuples containing a file extension and its registered file handler.

100761 If the process names matched, the ADP driver 33 may optionally further match (iii) the requesting process's parent process name with the corresponding parent's process name in the mapping list. The optional second stage matching of the parent process names is an enhanced protection against a hypothetical but potentially possible advanced ransomware technique, whereby the ransomware could have compromised and launched the registered 'file handler' to perform malicious I/O operations on the specific file type, e.g. *.x/sx. In this scenario, the parent process of the requesting process (which is suspected ransomware) will not be the user's default shell, i.e. explorer.exe, but an arbitrary unknown process (possibly the ransomware).

100771 An example structure of such mapping could be: (File extension::File handler_process name::Parent_process of file handler). An example mapping using real processes would be: .xistc::C:\Progrant PilesAlicrasty? Office\RootQffice16^EXCEL.EXE:: C:',Windowsiexplorer.exe An alternative mapping could include just the file extension and file handler process name.

100781 The example shows that for the spreadsheet file type with the file extension of ".x/sx", Microsoft Office's Excel application (excetexe)is the registered 'file handler' registered on the computer. It also shows that exp1orer.exe, the user's default shell that is assigned by the OS, is the parent process of eircelexe, which is the I/O requesting process.

100791 Optionally, the mapping also includes application programs that require unrestricted access to all data files (e.g. backup programs and anti-malware applications), and, if any, user-selected application programs that could manipulate a specific file type in addition to the default registered 'file handler'. This is advantageous as it allows applications that require access to all data files to function as intended and prevents them from having to be checked whenever they attempt to access a file.

100801 Optionally the ADP driver 33 excludes protection of executable files, e.g. *.exe,*.dII and *.sys etc., system and application generated temporary working files, e.g. *.tmp, *,temp, because ransomware typically does not encrypt executables/system files so as not to cause the computer to malfunction and become inoperable. On receiving a CREAM,' IRP from the PO Manager 32, the ADP driver 33 checks (step 170) the requested file's file extension (filename ignored) embedded in the IRP MI CREATE IRP is not one of the excluded file extensions. If an I/O operation of the excluded file type is intercepted, the ADP driver 33 does not process the IRP VIJ CREATE IRP and forwards the IRP to the next drivers by calling IoCalllfriver0. The ADP driver's interception for this 1/0 request is completed and the I/O operation by the filesystem proceeds as normal. When the IRP A/LI CREATE IRP is for a file extension other than an excluded file extension, the check is performed as described above. Deny

100811 In the present embodiment, the final stage involves denying the request when a negative check occurs (step 190). When the check is negative, meaning that there is no match between the requesting process name and the registered file handler process name or, if optionally activated, the parent process names are not matched (in the mapping list), and the user rejects the file access by the unknown requesting process, the ADP driver 33 completes the IRP)14-,I CREATE IRP processing with a API call IoCompleteRequestO and return a status code STATUS ACCESS DENIED to the I/O Manager 32. The ADP driver 33 does not forward the IRP MJ CREATE IRP to the next filesystem drivers for further VO processing, and the 1/0 call is curtailed to indicate the 'requesting process' is not allowed to access the data file and could be malicious, for example, a ransomware. The I/O Manager 32 sends an "Access Denied/Failed" message code to the 'requesting process' and the IO operation is aborted. The method of denying access to the data file not only prevents an unauthorized/unknown requesting process from encrypting the file content, it also blocks file data being exfiltrated outside the computer without the user's approval. If the 'requesting process' is ransomware, all of its data encryption and data stealing attempts are blocked and the ransomware attack is thwarted. Any other suspicious executable will also be denied access.

100821 Optionally, if the check is negative meaning there is no matching registered file handler for the file handler in the mapping list, the ADP driver 33 allows the user to approve the request. The ADP driver 33 sends a runtime query to the user, via its user-mode component. This query asks if the user would like to allow the unknown 'requesting process' (application program) to access the data file under ADP protection, with suitable advisory warning of possible malicious program access attempt and showing the user the full path of the unknown requesting process. This is to allow the user to confirm an alternative application program other than the default application to edit the specific file type at that point in time. The unknown application that the user approves may optionally be added to the mapping list for later matching purposes. This allows the user to add new registered file handlers, preventing them from having to authorise the process every time it attempts to access a file. There is also a provision for the user to exclude known applications programs that require unrestricted access to data files in the ADP Registry parameters, such as for data backup/archive and anti-malw-are applications. The ADP driver 33 loads the parameters in its internal mapping list on starting up. Sending this runtime query does not depend on the existence of a mapping list, meaning that the feature can be performed with any alternate form of check.

100831 If the same requesting process attempts to sequentially access various data files (e.g. *.x/sx, *. doer, *pay) in a very short time period on the computer and was rejected by the ADP driver 33, it is an indication the requesting process is likely ransomware. In an optional feature of the current embodiment, the ADP driver 33 may put the requesting process name in an internal list for faster denial processing. Optionally, the ADP driver 33 may also terminates the requesting process or instruct its user-mode component to terminate the requesting process and to raise an alert to the logged on user and system administrator. The ADP driver 33 audit may also log in a log file all its processing of IRP M.I CREATE IRPs and whether it allows or denies the I/0 operation by the requesting process.

100841 In the scenario where a match is found for (i) the requesting process name with the registered file handler process name and, if optionally activated, (ii) the parent process name validated (in the mapping list), or (iii) if the user approves the access by an unknown process, the ADP driver 33 forwards the IRP A,LI CREATE IRP to the next filesystem drivers for normal I/O processing via a native API call IoCuliDriver0 similar to the description above.

When the target filesystem driver (e.g. NTFS) has completed the CrealeFile0 request, it returns to the I/O Manager 32 the file handle object of the requested file in the IRP AV CREATE, IRP with a STATUS SUCCESS code. The 'requesting process', e.g exceLexe, then succeeds in getting the file handle object for subsequent 1/0 operations. The I/O operation by the requesting process is not affected by the ADP driver's protection, which is transparent to the requesting process and the human user.

100851 This inventive method has significant advantages over the current ransomware protection technologies. It requires zero knowledge of the content and activity of a suspicious executable which means that it is not necessary to scan the file contents, check any local and online databases of suspicious executables, and it is not necessary to track the API calls and activities of all processes on the computer looking for suspicious and known ransomware activity footprints and patterns. All the mentioned protective technologies are computing resource intensive and impact on the computer performance. Known protections have also not proven reliably effective. In contrast, the ADP method described in the above embodiment requires minimal system resources because it has no active scanning and detecting requirement.

100861 Another technical advantage over current approaches is that the claimed invention is equally effective against known and unknown variants of ransomware and other suspicious executables. New and unknown ransomware techniques are unable to bypass ADP blocking interception, because all ransomware attacks require opening the data files for malicious activities such as encryption and/or data stealing.

100871 The claimed invention also does not require that the computer is patched and up-to-date to be effective. It presumes the suspicious executable has already breached the computer anti-malware and security defence and running unrestrictedly.

100881 An example of an embodiment of the method will now be described with reference to Fig. 3. Fig. 3 shows the operation flow of the method when two different processes attempt to access a file stored on the computer permanent storage medium 36. The first path (labelled a' in Fig. 3) involves the suspicious program "ransom.exe", as an example of a suspicious executable. In step 310a, the program opens a file on the computer, which makes a request to the I/O Manager 32 to access the file. In step 320a, the I/0 Manager 32 sends an IRP MJ CREA1E,IRP to the ADP driver 33 so that the request can be inspected. The driver compares the requesting process name to any registered file handlers using an internal mapping list. In some embodiments, the ADP driver 33 also compares the parent process to the parent process of the file handler. In step 330a, the request made by the suspicious process is blocked by the driver as that particular process was not listed as a registered file handler for that file extension. The I/0 Manager 32 has an access denied code returned to it. The requesting process is not able to edit the file in question. In some embodiments of the invention, the driver may send a runtime request to the user to allow the unknown process access before sending the denial.

100891 The second path (labelled 'b') involves the legitimate process "excel.exe". In step 310b, the program opens a file on the computer, which again makes a request to the I/O Manager 32 to access the file. In step 320, an IRP containing the process name and the requested file is again sent to the ADP driver 33. In this scenario, "excelexe" is found to be a registered file handler for the requested file extension, meaning that the request is allowable. In step 330b, the ADP driver 33 forwards the IRP AJJ CREATE IRP to the file systems drivers 34 for normal processing. Finally, in step 340 the file system completes the I/O request and returns the file handle object. The requesting process is then able to edit the file in question.

100901 Although the above embodiments are described using the Windows operating system, this method would also work when carried out using an alternative operating system, such as Linux or MacOS. In an alternative operating system, the file type may be determined by other means than filename extensions, e.g. by looking at the beginning of the file content, and comparing it to a list of known indicators. A check can then be performed to determine whether the requesting process is an appropriate file handler for the file type.

100911 As discussed above, the various embodiments can be implemented in a wide variety of operating environments, which in some cases can include one or more user computers, computing devices, or processing devices which can be used to operate any of a number of applications. User devices can include any of a number of general purpose personal computers, such as desktop or laptop computers running a standard operating system, as well as cellular, wireless, and handheld devices running mobile software and capable of supporting a number of networking and messaging protocols. Such a system also can include a number of workstations running any of a variety of commercially-available operating systems and other known applications for purposes such as development and database management. These devices also can include other electronic devices, such as thin-clients, gaming systems, and other devices capable of communicating via a network, provided the devices include a file system to protect.

100921 Various aspects also can be implemented as part of at least one service or Web service, such as may be part of a service-oriented architecture. Services such as Web services can communicate using any appropriate type of messaging, such as by using messages in extensible markup language (XML) format and exchanged using an appropriate protocol such as SOAP (derived from the "Simple Object Access Protocol") Processes provided or executed by such services can be written in any appropriate language, such as the Web Services Description Language (WSDL). Using a language such as WSDL allows for functionality such as the automated generation of client-side code in various SOAP frameworks.

100931 In embodiments utilizing a Web server, the Web server can run any of a variety of sewer or mid-tier applications, including HTTP sewers, FTP sewers, CGI sewers, data sewers, Java servers, and business application sewers. The server(s) also may be capable of executing programs or scripts in response requests from user devices, such as by executing one or more Web applications that may be implemented as one or more scripts or programs written in any programming language, such as Java®, C, C# or C++, or any scripting language, such as Pert, Python, or TCL, as well as combinations thereof. The server(s) may also include database sewers, including without limitation those commercially available from Oracle', Microsoft', SybaseX, and IBM".

100941 The environment can include a variety of data stores and other memory and storage media as discussed above. These can reside in a variety of locations, such as on a storage medium 36 local to (and/or resident in) one or more of the computers or remote from any or all of the computers across the network. In a particular set of embodiments, the information may reside in a storage-area network ("SAW) familiar to those skilled in the art. Similarly, any necessary files for performing the functions attributed to the computers, servers, or other network devices may be stored locally and/or remotely, as appropriate. Where a system includes computerized devices, each such device can include hardware elements that may be electrically coupled via a bus, the elements including, for example, at least one central processing unit (CPU), at least one input device (e.g., a mouse, keyboard, controller, touch screen, or keypad), and at least one output device (e.g., a display device, printer, or speaker). Such a system may also include one or more storage devices, such as disk drives, optical storage devices, and solid-state storage devices such as random access memory (RAM") or read-only memory ("ROM"), as well as removable media devices, memory cards, flash cards, etc. 100951 Such devices also can include a computer-readable storage media reader, a communications device (e.g., a modem, a network card (wireless or wired), an infrared communication device, etc.), and working memory as described above. The computer-readable storage media reader can be connected with, or configured to receive, a computer-readable storage medium 36, representing remote, local, fixed, and/or removable storage devices as well as storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information. The system and various devices also typically will include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs. It should be appreciated that alternate embodiments may have numerous variations from that described above. For example, customized hardware might also be used and/or particular elements might be implemented in hardware, software (including portable software, such as applets), or both. Further, connection to other computing devices such as network input/output devices may be employed.

100961 Storage media and other non-transitory computer readable media for containing code, or portions of code, can include any appropriate media known or used in the art, such as but not limited to volatile and non-volatile, removable and non-removable non-transitory media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the a system device. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the various embodiments.

100971 Having described the invention it will be appreciated that variations may be made on the above described embodiment, which is not intended to be limiting. The invention is defined in the appended claims and their equivalents.

Claims

CLAIMS1. A computer implemented method for the protection of data, comprising: intercepting an I/O request packet made by a requesting process to a filesystem to open an existing file; determining the file type of the existing file; checking whether the requesting process name is an appropriate file handler for the file type; denying the request when the result of the check is negative.
2. The method of claim I, wherein determining the file type comprises inspecting the filename extension of the existing file.
3. The method of claim 1 or 2, wherein checking comprises checking whether the requesting process name is a registered file handler of the file type.
4. The method of claim 1, 2 or 3 further comprising forwarding the I/O request packet to the filesystem when the result of the check is positive.
5. The method of any one of claims 1 to 4, wherein the check further includes comparing the requesting process' parent process name with the file handler's parent process name.
6. The method of claims 1 to 5, wherein the check is performed using a map data structure that maps a file extension to one or more file handlers.
7. The method of claim 6, further comprising sending a user a runtime query, allowing them to approve the request if the result of the check is negative.
8. The method of claim 7, further comprising adding the requesting process name to the mapping list as a registered file handler for that file extension if the request is approved by the user.
9. The method of claims 1 to 8, further comprising checking a list of predefined applications and immediately forwarding the 1/0 request packet when the requesting process name is found to be in the list.
10. The method of claims I to 9, further comprising checking a list of excluded file extensions, and immediately forwarding the 110 request packet when the file extension is found to be within the list.
11. The method of claims 1 to 10, further comprising checking the process name against a list of previously denied processes before the check is performed, and denying the request when the process name is found within the list.
12. The method of claims 1 to 11, further comprising terminating the requesting process after the request is denied.
13. The method of claims 1 to 12, further comprising logging an alert after the request is denied.
14. The method of claims 1 to 13, wherein the method is performed by a driver.
15. The method of claim 14, wherein the driver stores its operating parameters in the Windows Registry.
16. A system comprising: a memory storing computer-readable instructions thereon; and a processor that executes the computer-readable instructions to perform any of the methods defined in claims 1 to 15.
17. Computer-readable instructions that, when executed by a processor of a system, cause 30 the processor to perform any of the methods defined in claims 1 to 15.