Patents by Inventor Anthony Rozga

Anthony Rozga has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9842203
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel mode driver monitors events occurring within a file system or an operating system. Responsive to observation of a trigger event performed by or initiated by an active process, in which the active process corresponds to a first code module within the file system and the event relates to a second code module within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture. The active process is allowed to load the second code module into memory when the real-time authentication process is bypassed or when it is performed and results in an affirmative determination.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: December 12, 2017
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 9665708
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel-level driver within a kernel of an operating system of a computer system intercepts activity in connection with a file system associated with the computer system or the operating system relating to a code module. A determination is made by the kernel-level driver regarding whether to allow the intercepted activity to proceed by performing a real-time authentication process of the code module with reference to a multi-level whitelist database architecture, including a local copy of a remote global whitelist database hosted by a trusted third-party service provider, a local whitelist database and a most recently used (MRU) cache. When the intercepted activity is allowed to proceed as a result of the determination, the code module is permitted by the kernel-level driver to be loaded and executed by the computer system.
    Type: Grant
    Filed: May 13, 2016
    Date of Patent: May 30, 2017
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20160253491
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel-level driver within a kernel of an operating system of a computer system intercepts activity in connection with a file system associated with the computer system or the operating system relating to a code module. A determination is made by the kernel-level driver regarding whether to allow the intercepted activity to proceed by performing a real-time authentication process of the code module with reference to a multi-level whitelist database architecture, including a local copy of a remote global whitelist database hosted by a trusted third-party service provider, a local whitelist database and a most recently used (MRU) cache. When the intercepted activity is allowed to proceed as a result of the determination, the code module is permitted by the kernel-level driver to be loaded and executed by the computer system.
    Type: Application
    Filed: May 13, 2016
    Publication date: September 1, 2016
    Applicant: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20160132675
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel mode driver monitors events occurring within a file system or an operating system. Responsive to observation of a trigger event performed by or initiated by an active process, in which the active process corresponds to a first code module within the file system and the event relates to a second code module within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture. The active process is allowed to load the second code module into memory when the real-time authentication process is bypassed or when it is performed and results in an affirmative determination.
    Type: Application
    Filed: December 28, 2015
    Publication date: May 12, 2016
    Applicant: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 9305159
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel mode driver monitors events occurring within a file system or an operating system. Responsive to observation of a trigger event performed by or initiated by an active process, in which the active process corresponds to a first code module within the file system and the event relates to a second code module within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a whitelist containing content authenticators of approved code modules, which are known not to contain viruses or malicious code. The active process is allowed to load the second code module into memory when the real-time authentication process is bypassed or when it is performed and determines a content authenticator of the code module matches one of the content authenticators.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: April 5, 2016
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20150193614
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel mode driver monitors events occurring within a file system or an operating system. Responsive to observation of a trigger event performed by or initiated by an active process, in which the active process corresponds to a first code module within the file system and the event relates to a second code module within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a whitelist containing content authenticators of approved code modules, which are known not to contain viruses or malicious code. The active process is allowed to load the second code module into memory when the real-time authentication process is bypassed or when it is performed and determines a content authenticator of the code module matches one of the content authenticators.
    Type: Application
    Filed: November 18, 2014
    Publication date: July 9, 2015
    Applicant: FORTINET, INC.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 9075984
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, file system or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The code module is selectively authorized by the kernel mode driver by authenticating a content authenticator of the code module with reference to a multi-level whitelist. The multi-level whitelist includes (i) a global whitelist database remote from the computer system that contains content authenticators of approved code modules that are known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at least a subset of the approved code modules. The activity relating to the code module is allowed when the content authenticator matches one of the content authenticators of approved code modules within the multi-level whitelist.
    Type: Grant
    Filed: September 16, 2014
    Date of Patent: July 7, 2015
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20150026463
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, file system or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The code module is selectively authorized by the kernel mode driver by authenticating a content authenticator of the code module with reference to a multi-level whitelist. The multi-level whitelist includes (i) a global whitelist database remote from the computer system that contains content authenticators of approved code modules that are known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at least a subset of the approved code modules. The activity relating to the code module is allowed when the content authenticator matches one of the content authenticators of approved code modules within the multi-level whitelist.
    Type: Application
    Filed: September 16, 2014
    Publication date: January 22, 2015
    Applicant: FORTINET, INC.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 8856933
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a trusted service provider maintains a cloud-based whitelist containing cryptographic hash values including those of code modules that are approved for execution on computer systems of subscribers of the service provider. A code module information query, including a cryptographic hash value of a code module, is received from a computer system of a subscriber by the service provider. If the cryptographic hash value matches one of the cryptographic hash values contained within the cloud-based whitelist and the code module is an approved code module, then the service provider responds with an indication that the code module is authorized for execution; otherwise, it (i) responds with an indication that the code module is an unknown code module; and (ii) causes one or more behavior analysis techniques to be performed on the code module.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: October 7, 2014
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 8850193
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, file system or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The code module is selectively authorized by authenticating a cryptographic hash value of the code module with reference to a multi-level whitelist. The multi-level whitelist includes (i) a global whitelist database remote from the computer system that is maintained by a trusted service provider and that contains cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules. The activity relating to the code module is allowed when the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
    Type: Grant
    Filed: January 14, 2014
    Date of Patent: September 30, 2014
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 8813230
    Abstract: Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, responsive to a monitored file system or operating system event initiated by an active process, a real-time authentication process is performed or bypassed on a code module to which the monitored event relates with reference to a whitelist that includes cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code. The active process is allowed to load the code module when the authentication process is bypassed or when the cryptographic hash value of the code module matches one of the cryptographic hash values of approved code modules within the whitelist.
    Type: Grant
    Filed: November 18, 2013
    Date of Patent: August 19, 2014
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 8813231
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of a computer system and execution on the computer system is maintained by a kernel mode driver of the computer system. At least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules. The kernel mode driver monitors a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system. The kernel mode driver causes a cryptographic hash value of a code module relating to an observed event of the set of events to be authenticated with reference to the whitelist.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: August 19, 2014
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20140181511
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, file system or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The code module is selectively authorized by authenticating a cryptographic hash value of the code module with reference to a multi-level whitelist. The multi-level whitelist includes (i) a global whitelist database remote from the computer system that is maintained by a trusted service provider and that contains cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules. The activity relating to the code module is allowed when the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
    Type: Application
    Filed: January 14, 2014
    Publication date: June 26, 2014
    Applicant: FORTINET, INC.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20140115323
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a trusted service provider maintains a cloud-based whitelist containing cryptographic hash values including those of code modules that are approved for execution on computer systems of subscribers of the service provider. A code module information query, including a cryptographic hash value of a code module, is received from a computer system of a subscriber by the service provider. If the cryptographic hash value matches one of the cryptographic hash values contained within the cloud-based whitelist and the code module is an approved code module, then the service provider responds with an indication that the code module is authorized for execution; otherwise, it (i) responds with an indication that the code module is an unknown code module; and (ii) causes one or more behavior analysis techniques to be performed on the code module.
    Type: Application
    Filed: December 23, 2013
    Publication date: April 24, 2014
    Applicant: FORTINET, INC.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20140082355
    Abstract: Systems and methods for selective authorization of code modules are provided. According to one embodiment, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of a computer system and execution on the computer system is maintained by a kernel mode driver of the computer system. At least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules. The kernel mode driver monitors a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system. The kernel mode driver causes a cryptographic hash value of a code module relating to an observed event of the set of events to be authenticated with reference to the whitelist.
    Type: Application
    Filed: November 19, 2013
    Publication date: March 20, 2014
    Applicant: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20140075187
    Abstract: Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, responsive to a monitored file system or operating system event initiated by an active process, a real-time authentication process is performed or bypassed on a code module to which the monitored event relates with reference to a whitelist that includes cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code. The active process is allowed to load the code module when the authentication process is bypassed or when the cryptographic hash value of the code module matches one of the cryptographic hash values of approved code modules within the whitelist.
    Type: Application
    Filed: November 18, 2013
    Publication date: March 13, 2014
    Applicant: FORTINET, INC.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 8589681
    Abstract: Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, responsive to a monitored file system or operating system event initiated by an active process, a real-time authentication process is performed or bypassed on a code module to which the monitored event relates with reference to a multi-level whitelist. The multi-level whitelist includes a global whitelist database remote from the computer system, maintained by a trusted service provider and which contains cryptographic hash values of approved code modules; and a local whitelist database that includes cryptographic hash values of a subset of the approved code modules. The active process is allowed to load the code module when the authentication process is bypassed or when the cryptographic hash value of the code module matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
    Type: Grant
    Filed: June 7, 2013
    Date of Patent: November 19, 2013
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20130297946
    Abstract: Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, responsive to a monitored file system or operating system event initiated by an active process, a real-time authentication process is performed or bypassed on a code module to which the monitored event relates with reference to a multi-level whitelist. The multi-level whitelist includes a global whitelist database remote from the computer system, maintained by a trusted service provider and which contains cryptographic hash values of approved code modules; and a local whitelist database that includes cryptographic hash values of a subset of the approved code modules. The active process is allowed to load the code module when the authentication process is bypassed or when the cryptographic hash value of the code module matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
    Type: Application
    Filed: June 7, 2013
    Publication date: November 7, 2013
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Patent number: 8464050
    Abstract: Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, a kernel mode driver of a computer system intercepts file system or operating system activity, by a running process, relating to a dependent code module. Loading of the dependent code module is selectively authorized by authenticating a cryptographic hash value of the dependent code module with reference to a multi-level whitelist. The multi-level whitelist includes a global whitelist database remote from the computer system, maintained by a trusted service provider and which contains cryptographic hash values of approved code modules known not to contain viruses or malicious code; and a local whitelist database that includes cryptographic hash values of a subset of the approved code modules. The running process is allowed to load the dependent code module when the cryptographic hash value matches one of the cryptographic hash values of the approved code modules.
    Type: Grant
    Filed: April 3, 2012
    Date of Patent: June 11, 2013
    Assignee: Fortinet, Inc.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga
  • Publication number: 20120191972
    Abstract: Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, a kernel mode driver of a computer system intercepts file system or operating system activity, by a running process, relating to a dependent code module. Loading of the dependent code module is selectively authorized by authenticating a cryptographic hash value of the dependent code module with reference to a multi-level whitelist. The multi-level whitelist includes a global whitelist database remote from the computer system, maintained by a trusted service provider and which contains cryptographic hash values of approved code modules known not to contain viruses or malicious code; and a local whitelist database that includes cryptographic hash values of a subset of the approved code modules. The running process is allowed to load the dependent code module when the cryptographic hash value matches one of the cryptographic hash values of the approved code modules.
    Type: Application
    Filed: April 3, 2012
    Publication date: July 26, 2012
    Applicant: FORTINET, INC.
    Inventors: Andrew F. Fanton, John J. Gandee, William H. Lutton, Edwin L. Harper, Kurt E. Godwin, Anthony A. Rozga