Andrew F. Fanton - Westminster CO, US John J. Gandee - Loveland CO, US William H. Lutton - Fort Collins CO, US Edwin L. Harper - Platteville CO, US Kurt E. Godwin - Loveland CO, US Anthony A. Rozga - Wellington CO, US
Assignee:
WhiteCell Software, Inc. - Platteville CO
International Classification:
G06F 12/14
US Classification:
726/16, 726/27, 713/150, 713/165, 713/166
Abstract:
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, a method is provided for locking down a computer system. A customized, local whitelist database is stored in a memory of the computer system. The whitelist database forms part of an authentication system operable within the computer system and contains cryptographic hash values of code modules expressly approved for execution by the computer system. A kernel mode driver of the authentication system intercepts a request to create a process associated with a code module. The authentication system determines whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated against the whitelist database. The authentication system allows the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values in the whitelist database.
Andrew F. Fanton - Westminster CO, US John J. Gandee - Loveland CO, US William H. Lutton - Fort Collins CO, US Edwin L. Harper - Platteville CO, US Kurt E. Godwin - Loveland CO, US Anthony A. Rozga - Wellington CO, US
Assignee:
Fortinet, Inc. - Sunnyvale CA
International Classification:
G06F 17/30
US Classification:
726/27, 713/155, 713/164, 713/165, 726/16
Abstract:
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, an in-memory cache is maintained having entries containing execution authorization information regarding recently used modules. After authenticating a module, its execution authorization information is added to the cache. Activity relating to a module is intercepted. A hash value of the module is generated. The module is authenticated with reference to a multi-level whitelist including a global whitelist, a local whitelist and the cache. The authentication includes first consulting the cache and, if the module is not found, then looking up its hash value in the local whitelist and, if it is not found there, then looking it up in the global whitelist. Finally, the module is allowed to be loaded and executed if its hash value matches the hash value of an approved code module within the global whitelist.
Selective Authorization Of The Loading Of Dependent Code Modules By Running Processes
Andrew F. Fanton - Westminster CO, US John J. Gandee - Loveland CO, US William H. Lutton - Fort Collins CO, US Edwin L. Harper - Platteville CO, US Kurt E. Godwin - Loveland CO, US Anthony A. Rozga - Wellington CO, US
Abstract:
Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, file system or operating system activity relating to a first code module is initiated by a running process associated with a second code module. The file system or operating system activity is intercepted by a kernel mode driver of a computer system. The kernel mode driver selectively authorizes loading of the first code module by the running process based at least in part on one or more attributes of the second code module.
Andrew F. Fanton - Westminster CO, US John J. Gandee - Loveland CO, US William H. Lutton - Fort Collins CO, US Edwin L. Harper - Platteville CO, US Kurt E. Godwin - Loveland CO, US Anthony A. Rozga - Wellington CO, US
Assignee:
Fortinet, Inc. - Sunnyvale CA
International Classification:
H04L 29/06
US Classification:
713/165, 713/150, 713/164, 726/16, 726/27, 707/769
Abstract:
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, an in-memory cache is maintained having entries containing execution authorization information regarding recently used modules. After verifying a module, its execution authorization information is added to the cache. Activity relating to a module is intercepted. A hash value of the module is generated. The module is verified with reference to a multi-level whitelist including a global whitelist, a local whitelist and the cache. The verification includes first consulting the cache and, if the module is not found, then looking up its hash value in the local whitelist and, if it is not found there, then looking it up in the global whitelist. Finally, the module is allowed to be executed if it is approved by the multi-level whitelist database architecture.
Selective Authorization Of The Loading Of Dependent Code Modules By Running Processes
Andrew F. Fanton - Westminster CO, US John J. Gandee - Loveland CO, US William H. Lutton - Fort Collins CO, US Edwin L. Harper - Platteville CO, US Kurt E. Godwin - Loveland CO, US Anthony A. Rozga - Wellington CO, US
Abstract:
Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, a kernel mode driver of a computer system intercepts file system or operating system activity, by a running process, relating to a dependent code module. Loading of the dependent code module is selectively authorized by authenticating a cryptographic hash value of the dependent code module with reference to a multi-level whitelist. The multi-level whitelist includes a global whitelist database remote from the computer system, maintained by a trusted service provider and containing cryptographic hash values of approved code modules known not to contain viruses or malicious code; and a local whitelist database that includes cryptographic hash values of a subset of the approved code modules. The running process is allowed to load the dependent code module when the cryptographic hash value matches one of the cryptographic hash values of the approved code modules.
Selective Authorization Of The Loading Of Dependent Code Modules By Running Processes
John J. Gandee - Loveland CO, US William H. Lutton - Fort Collins CO, US Edwin L. Harper - Platteville CO, US Kurt E. Godwin - Loveland CO, US Anthony A. Rozga - Wellington CO, US
Abstract:
Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, responsive to a monitored file system or operating system event initiated by an active process, a real-time authentication process is performed or bypassed on a code module to which the monitored event relates, with reference to a multi-level whitelist. The multi-level whitelist includes a global whitelist database remote from the computer system, maintained by a trusted service provider and containing cryptographic hash values of approved code modules; and a local whitelist database that includes cryptographic hash values of a subset of the approved code modules. The active process is allowed to load the code module when the authentication process is bypassed or when the cryptographic hash value of the code module matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
Secure System For Allowing The Execution Of Authorized Computer Program Code
Andrew Fanton - Westminster CO, US John Gandee - Loveland CO, US William Lutton - Fort Collins CO, US Edwin Harper - Fort Collins CO, US Kurt Godwin - Loveland CO, US Anthony Rozga - Wellington CO, US
International Classification:
H04L 9/32
US Classification:
726/27
Abstract:
Systems and methods are described for allowing the execution of authorized computer program code and for protecting computer systems and networks from unauthorized code execution. In one embodiment, a multi-level proactive whitelist approach is employed to secure a computer system by allowing only the execution of authorized computer program code, thereby protecting the computer system against the execution of malicious code such as viruses, Trojan horses, spyware, and the like. Various embodiments use a kernel-level driver, which intercepts or "hooks" certain system Application Programming Interface (API) calls in order to monitor the creation of processes prior to code execution. The kernel-level driver may also intercept and monitor the loading of code modules by running processes, and the passing of non-executable code modules, such as script files, to approved or running code modules via command line options, for example. Once intercepted, a multi-level whitelist approach may be used to authorize the code execution.
Secure System For Allowing The Execution Of Authorized Computer Program Code
Andrew F. Fanton - Westminster CO, US John J. Gandee - Loveland CO, US William H. Lutton - Fort Collins CO, US Edwin L. Harper - Platteville CO, US Kurt E. Godwin - Loveland CO, US Anthony A. Rozga - Wellington CO, US
Assignee:
FORTINET, INC. - Sunnyvale CA
International Classification:
G06F 17/30
US Classification:
707/698, 707/E17.007
Abstract:
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, file or operating system activity relating to a code module is intercepted. A cryptographic hash value of the code module is authenticated with reference to a multi-level whitelist, which includes a remote global whitelist and a local whitelist. The remote global whitelist is maintained by a trusted service provider and contains cryptographic hash values of approved code modules known not to contain malicious code. The local whitelist is accessible by computer systems within a local area network (LAN) and contains cryptographic hash values of a subset of the approved code modules. The cryptographic hash value is checked against the local whitelist first. If no match is found, it is checked against the global whitelist. The code module is allowed to be loaded and executed if the cryptographic hash value corresponds to an approved code module.
Edwin L. Harper
Name / Title | Company / Classification | Phones & Addresses
Edwin L. Harper, Owner | Kcs Pit Bbq Lovejoys (Eating Places) | 15425 South 48th Street, Phoenix, AZ
Edwin Harper, Chairman | Ditech Networks, Inc. (Telephone and Telegraph Apparatus) |