WO2024184646A1 - File system protection - Google Patents
File system protection
- Publication number
- WO2024184646A1 (PCT/GB2024/050602)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- file
- request
- driver
- computer
- ransomware
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Definitions
- the present invention relates to a method for the prevention of attacks seeking to damage or render inaccessible the file-system of a computer.
- A new type of computer malicious software (malware), commonly called ransomware, has emerged. Ransomware has quickly become the most prominent and damaging type of malware. Recent ransomware attacks have impacted hospitals' ability to provide medical care, endangering human lives, crippled public services, and caused significant financial damage to businesses, commercial entities and organisations, and even law enforcement agencies. Ransomware is a very serious worldwide cyber threat.
- Ransomware is a class of malware which has the characteristics of encrypting the data files on the victim's computer, and demands ransom payment within a short period in return for the decryption key for the victim to recover the company's data. Many variants of ransomware also steal the victim's data and threaten to disclose the data content on the Internet if the victim does not pay up the ransom. There are incidents of a 'double extortion attack' where ransom was paid but the cyber criminals still uploaded company's data online.
- Household name companies are reported in the news on a regular basis to have fallen victim to ransomware attacks. It is estimated that many more lesser known and small enterprises fall victim on a daily basis, unreported in the news.
- The ransomware situation is so prevalent and serious that new industries have sprung up.
- Companies offering ransomware negotiation services act specifically for the victims to negotiate payment terms with the cyber criminals.
- Another new industry is cyber insurance which covers ransom payments.
- the approaches of the anti-ransomware/anti-malware solutions on the market focus on detection, elimination and mitigation of ransomware attacks.
- These solutions examine the potential ransomware threat actors, i.e. program files, that have gained entry to the computer.
- The security applications adopt a cocktail of methods including pattern scanning, heuristics analysis, sandboxing, application whitelisting, cloud-based intelligence, AI and machine learning etc. to detect whether the potential threat actor is malicious, and act upon the result.
- Motivated by financial gains, the cyber criminals have constantly morphed and improved their ransomware attack techniques to successfully bypass the protection methods. This is evidenced by the frequent reports of successful ransomware attacks causing significant damage to the victim organisations/businesses.
- a computer implemented method for the protection of data comprising: intercepting an I/O request packet made by a requesting process to a filesystem to open an existing file; determining the file type of the existing file; checking whether the requesting process name is an appropriate file handler for the file type; denying the request when the result of the check is negative.
- determining the file type comprises inspecting the filename extension of the existing file.
- checking comprises checking whether the requesting process name is a registered file handler of the file type.
- the invention further comprises forwarding the I/O request packet to the filesystem when the result of the check is positive.
- This is advantageous as it ensures that valid requests can then be acted upon without any user interaction, making the process seamless for the user during normal operation.
- a further advantage is that the method is transparent to both the user and to the registered file handler, as the request will be sent to the filesystem exactly as it would without the method acting upon the request.
- the check further includes comparing the requesting process’ parent process name with the file handler’s parent process name. This is advantageous as it provides more advanced protection than checking just the process name. In particular, it can prevent an attack involving the ransomware compromising and launching the registered file handler to perform I/O operations. In this case, the parent process would differ from the file handler’s parent process, allowing the malicious I/O operation to be detected.
- the check is performed using a map data structure that maps a file extension to one or more file handlers. This is advantageous as it allows for the file handlers for each file type to be found quickly, reducing the time taken for the check to be performed. Performance is important if the system undergoes a large amount of I/O operations at once.
- the invention further comprises sending a user a runtime query, allowing them to approve the request if the result of the check is negative.
- the invention further comprises adding the requesting process name to the mapping list as a registered file handler for that file extension if the request is approved by the user.
- This is advantageous as it allows for new registered file handlers to be created, preventing the user from having to approve the application every time that application is used to perform I/O operations on a file.
- the invention further comprises checking a list of predefined applications and immediately forwarding the I/O request packet when the requesting process name is found to be in the list.
- This is advantageous as it allows for certain applications that perform I/O operations on all file types and extensions to operate. This includes applications such as anti-virus and backup applications. Allowing these applications to perform I/O operations without performing a check leads to faster performance compared to having to check each I/O operation.
- the invention further comprises checking a list of excluded file extensions, and immediately forwarding the I/O request packet when the file extension is found to be within the list. This is advantageous as it allows for faster performance. Ransomware does not usually target certain file types crucial to the functioning of the computer, and so not performing a check for those file types allows for faster operation without compromising protection.
- the invention further comprises checking the process name against a list of previously denied processes before the check is performed, and denying the request when the process name is found within the list. This is advantageous as it allows for likely ransomware to be dealt with both quickly and easily. If a process is identified as likely being ransomware, it can be quickly denied without spending time performing the check.
- the invention further comprises terminating the requesting process after the request is denied. This is advantageous as it prevents a potentially malicious program from running and making more requests, slowing the computer down.
- the invention further comprises logging an alert after the request is denied.
- logging an alert after the request is denied is advantageous as it allows a user to be notified when a potentially malicious process is identified.
- The reason to record denied I/O is that the system owner is informed what files the suspicious executable attempted to encrypt.
- the allowed I/O records assist the admin/user to examine and define exception rules if required, e.g. those processes approved during runtime queries.
- the method is performed by a driver.
- the ADP driver audit logs all Read I/O requests irrespective of whether they are allowed or denied.
- performing the logging task at the kernel driver level is much more efficient because the driver does not need to send the I/O request details to the userland components, which takes time.
- a further advantage is that the kernel driver cannot be terminated by hostile actors to stop audit logging while the userland components can be easily terminated.
- the invention further comprises storing its operating parameters in the Windows registry. This is advantageous as it allows for the invention to protect the parameters from modification by intercepting any requests to change them.
- a system comprising: a memory storing computer-readable instructions thereon; and a processor that executes the computer-readable instructions to perform the invention described above.
- Fig. 1 shows a diagram of the placement of different components within the operating system of a computer in an embodiment of the present invention.
- Fig. 2 shows a diagram illustrating the different steps of the method of an embodiment of the present invention.
- Fig. 3 shows a diagram of the operation flow of an embodiment of the present invention when the method is carried out using two exemplary processes.
- Fig. 4 shows the usual flow of operations when a subsystem attempts to perform an I/O operation on a file, and the point where the interception occurs.
- Fig. 5 shows a diagram of the high level steps involved in an embodiment of the present invention.
- the current invention introduces a novel technical method to proactively prevent unauthorised access to a file system by a suspicious executable, and thereby defeat ransomware attacks.
- The innovative method requires zero knowledge of the threat actor (i.e. suspicious executable / script file), whether it is ransomware and malicious or not. Therefore, it does not employ any of the above mentioned existing anti-ransomware/anti-malware technologies.
- The invention is not solely intended for anti-ransomware/anti-malware purposes and it has no functionality to detect, mitigate and remove any ransomware - it is not an anti-ransomware/anti-malware solution.
- the present invention can neutralise the threat of data encryption and/or exfiltration posed by a suspicious executable but does not remove or quarantine the responsible executable. Its protection is effective in a computer environment whereby a suspicious executable has presumably compromised the computer. It takes a totally different direction to current approaches by applying protection control to I/O operations performed on data files, which the suspicious executable targets to encrypt, ensuring only legitimate application programs can perform I/O operations on the data files.
- The novel method provides high-confidence and robust protection of the threat targets, i.e. the data files, without the need for regular updates/patching to the protection. This is achievable based on the file I/O operation intercepting mechanism provided by the underlying Operating System (OS) architecture, which is explained in full detail below.
- In modern OS architecture, computer data is organised and stored in a special data structure container referred to as a 'computer file'.
- the computer files are stored on permanent storage devices also known as secondary memory, e.g. mechanical hard disk, solid state drive, flash memory device, optical storage and magnetic tape device etc.
- a computer application program is used to create and manipulate a computer data file.
- the data is mostly encoded and laid out in a proprietary data structure defined by the application vendor.
- In a common OS, e.g. Microsoft Windows, by convention a computer file is assigned a textual description (a.k.a. filename) by the data creator (human or computer) together with one or more characters to indicate its data type, e.g. an image file or a spreadsheet file.
- The data type descriptor, known as the file extension, is appended to the end of the textual filename separated by a dot "." character, e.g. "budget forecast.xlsx".
- Here "budget forecast" is the filename part and ".xlsx" is the file extension.
- The primary purpose of the filename part is human readability.
- the file extension is mainly for the OS to efficiently associate a file type to the default application that is used to process the file content - which we will describe hereafter as the "default file handler".
- a compatible file handler is required to operate on the file.
- For example, a PDF application may not correctly open and process a ".xlsx" Excel spreadsheet file.
- Third-party applications other than the original application may also be compatible, i.e. able to interpret and process these proprietary data files. Such applications are called "file handlers" of a particular file type in this description.
- mapping of each file extension and its "default file handler" is stored in the Windows Registry 20.
- The mapping information can be acquired via an Application Programming Interface (API) call, AssocQueryString(), or by querying the Windows Registry 20 directly.
- The association of a data file and its "file handler" allows for the verification of a process, to prevent suspicious processes from performing I/O operations on data files.
- Although specific API calls are discussed below, this is not intended to be limiting, as there are other API calls that can provide access to data files; in particular, different operating systems will use different API calls.
- The file handler (application), which contains the computer instruction code, is launched/instantiated to run on the computer.
- The running file handler is known as a 'computer process' or 'process' running in the computer memory. Acting in the user's or system's context, the 'process' makes Input/Output (I/O) requests to the OS via a series of API calls. Typically, the 'process' first makes a CreateFile() API call to get a 'file handle object' to the required computer file, specifying in the request parameters the full filename and the intended file I/O operation to perform, e.g. Read and/or Write operation etc.
- a 'file handler' refers to the application program process that manipulates a specific file
- A 'file handle object' is system generated data (4 bytes on a 32-bit computer and 8 bytes on a 64-bit computer) used to associate a computer file with I/O API calls, e.g. CreateFile().
- a 'file handler' (process) is unable to perform Create/Read/Write I/O operation on a file without a valid 'file handle object'.
- The CreateFile() request is passed to the I/O subsystem in the kernel space (also called kernel mode), which performs the standard sanity and security checks validating the caller's I/O operation request. If the request is valid, a kernel module known as the Input/Output (I/O) Manager 32 creates and sends an I/O Request Packet (IRP) with function code IRP_MJ_CREATE to the filesystem drivers to either create a new file or open an existing file as required. After the requested file is created or opened successfully by the filesystem driver, the I/O Manager 32 receives a 'file handle object' from the filesystem driver and returns it to the calling 'process' for subsequent I/O operations.
- When the requesting 'process' obtains a 'file handle object' to operate on the file, for example to read and write data to the file, it passes in the 'file handle object' as a parameter in the subsequent ReadFile() API calls to read in the file data for manipulation, before writing the data back to the file by WriteFile() API calls, also with the 'file handle object' as a parameter.
- The I/O Manager 32 always returns a success or fail status code for each CreateFile(), ReadFile() and WriteFile() API call to the caller process.
- A failed status code indicates the required file operation cannot be performed and is aborted.
- This I/O workflow process involves validating a request by a computer process to perform an I/O operation on a file.
- The full scope of how a computer process functions on any operating system is a very complex topic outside the scope of this discussion.
- the following is a necessarily simplified overview, which covers only the relevant elements of a computer process referenced in the invention.
- A program is a static sequence of instructions contained in an executable file, e.g. *.exe.
- A process is a container for a set of system resources such as memory, an image of the program in memory and at least one execution thread.
- a process is, therefore, a running instance of an application program.
- A process also contains information relating to its parent or creator process. When a process launches a program, e.g. *.exe, to instantiate it as a running process, there exists a parent/child relationship. Therefore, a process always has a parent process when it is instantiated, even though the parent process may be terminated later on.
- After a computer completes the boot up sequence, it is ready for user logon.
- the system prepares the user's computing environment and a system process called Winlogon launches the user's default shell explorer.exe which is specified in the Windows Registry 20.
- Explorer.exe is a process running in the security context of the logged on user. From this point onwards, when the user executes an application program, e.g. excel.exe, explorer.exe becomes the parent process and excel.exe is the child process.
- The invention leverages two fundamentals: first, there always exists a requesting process when an I/O operation is to be performed on a computer file, and second, the I/O requesting process has a parent process.
- the two fundamentals are used to validate if the requesting process's I/O operations on files are valid or not.
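The following is an added example, not the patent's driver code: a user-mode Python model of the decision the ADP driver makes on an IRP_MJ_CREATE for an existing file, tying together the claimed method (handler map keyed by extension, parent-process comparison, predefined-application and excluded-extension fast paths, denied-process list, runtime user query with registration on approval, audit log) and the process/parent relationship described just above. All process names, paths and requests are constructed, and behaviour the text does not spell out is marked as an assumption in the comments.

```python
# Added example, not the patent's code: a user-mode model of the ADP filter
# driver's decision on an IRP_MJ_CREATE. Names, paths and requests are constructed.
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

STATUS_SUCCESS = "STATUS_SUCCESS"              # IRP forwarded to the filesystem
STATUS_ACCESS_DENIED = "STATUS_ACCESS_DENIED"  # IRP completed with a denial


@dataclass(frozen=True)
class Process:
    name: str    # requesting process image name, e.g. "excel.exe"
    parent: str  # image name of the process that launched it, e.g. "explorer.exe"


@dataclass(frozen=True)
class CreateRequest:
    """What the filter can see for one open of an existing file."""
    path: str
    process: Process


@dataclass
class AdpPolicy:
    # file extension -> {registered handler name: parent a legitimate launch of
    # that handler has}; this is the map data structure of the claims
    handlers: dict
    predefined_apps: set = field(default_factory=set)      # e.g. backup, anti-virus
    excluded_extensions: set = field(default_factory=set)  # never checked
    denied_processes: set = field(default_factory=set)     # fast-path denials
    audit_log: list = field(default_factory=list)          # every decision, allowed or not

    @staticmethod
    def file_type(path: str) -> str:
        return PureWindowsPath(path).suffix.lower()  # type comes from the extension

    def check(self, req: CreateRequest, ask_user=None) -> str:
        """Decide one request; ask_user(req) -> bool models the runtime user query."""
        name, parent = req.process.name.lower(), req.process.parent.lower()
        ext = self.file_type(req.path)
        # Fast paths, in the order the description gives them.
        if name in self.denied_processes:
            return self._deny(req, "previously denied process", remember=False)
        if name in self.predefined_apps:
            return self._allow(req, "predefined application")
        if ext in self.excluded_extensions:
            return self._allow(req, "excluded file extension")
        # Main check: a registered handler for this type, launched by its expected parent?
        registered = self.handlers.get(ext, {})
        if name in registered:
            if registered[name] == parent:
                return self._allow(req, "registered file handler")
            # The "ransomware launches the real handler" case. A name-based denied list
            # cannot tell this instance from a legitimate one, so the name is not
            # remembered (assumption; the text does not say either way).
            return self._deny(req, f"handler launched by {parent}", remember=False)
        # Unknown requester: ask the user, and register the process on approval.
        if ask_user is not None and ask_user(req):
            self.handlers.setdefault(ext, {})[name] = parent
            return self._allow(req, f"approved by user, registered for {ext}")
        return self._deny(req, f"not a file handler for {ext}")

    def _allow(self, req, reason):
        self.audit_log.append(("ALLOW", req.process.name, req.path, reason))
        return STATUS_SUCCESS

    def _deny(self, req, reason, remember=True):
        # Assumption: an unknown process that is denied goes on the denied list so its
        # later requests are refused without the full check. The text also has the
        # driver terminate the process and log an alert; only the log is modelled.
        if remember:
            self.denied_processes.add(req.process.name.lower())
        self.audit_log.append(("DENY", req.process.name, req.path, reason))
        return STATUS_ACCESS_DENIED


def demo():
    """Run a constructed sequence of open requests through one policy."""
    policy = AdpPolicy(
        handlers={".xlsx": {"excel.exe": "explorer.exe"},
                  ".docx": {"winword.exe": "explorer.exe"}},
        predefined_apps={"backup.exe"},
        excluded_extensions={".exe", ".dll", ".tmp"},
    )
    queries = []  # which processes the user was asked about

    def ask_user(req):
        queries.append(req.process.name)
        return req.process.name == "calc-app.exe"  # the user approves only this one

    sheet, memo = r"C:\Users\alice\budget forecast.xlsx", r"C:\Users\alice\notes.docx"
    requests = [
        CreateRequest(sheet, Process("excel.exe", "explorer.exe")),    # normal use
        CreateRequest(sheet, Process("cryptor.exe", "explorer.exe")),  # unknown, user refuses
        CreateRequest(memo, Process("cryptor.exe", "explorer.exe")),   # denied-list fast path
        CreateRequest(sheet, Process("excel.exe", "cryptor.exe")),     # real handler, wrong parent
        CreateRequest(memo, Process("backup.exe", "services.exe")),    # predefined application
        CreateRequest(r"C:\Windows\System32\kernel32.dll",
                      Process("cryptor.exe", "explorer.exe")),         # denied list beats exclusion
        CreateRequest(sheet, Process("calc-app.exe", "explorer.exe")), # approved at runtime
        CreateRequest(r"C:\Users\alice\q2.xlsx",
                      Process("calc-app.exe", "explorer.exe")),        # now registered, no query
    ]
    statuses = [policy.check(r, ask_user) for r in requests]
    return statuses, policy, queries
```

Because the lists are keyed by image name, a denied name blocks every later instance with that name, while a compromised instance of a registered handler is caught only by the parent comparison; the model makes that trade-off visible.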
- Ransomware is a type of malware. As with other malware infection attacks, the ransomware needs to gain access to a victim computer to effect its malicious purposes. Ransomware uses a number of tactics to infect a computer, with the most common tactic being phishing emails. A phishing email may contain a downloader as an attachment that downloads the ransomware, or a link to a website that is hosting a malicious download. When an email recipient falls for the phishing trick, the ransomware is downloaded and executed on the computer. Another recently popular attack vector is remote access with stolen or cracked login passwords, where the ransomware operator, having gained remote access, directly performs the ransomware attack on the victim computer.
- The ultimate objective of a ransomware attack is to render computer data inaccessible to the legitimate data owner, by encrypting or corrupting the data files on disk. Recent ransomware also exfiltrates data back to the ransomware operators as a part of the extortion. The data owner is told to pay a ransom, or the ransomware operator will disclose the data content publicly, causing reputational and financial damage.
- To encrypt computer data files, ransomware must be able to perform an I/O operation on the data files in the first place. When ransomware executes, it obtains a list of data files on the computer's storage, including local storage, removable devices, networked remote storage and backup/archive storage. Most ransomware is cautious in its selection of files, excluding system and executable files from encryption to ensure system stability. This is because a corrupted and inoperable computer would foil the extortion effort of the ransomware operator.
- the ransomware opens each of the data files and reads in the file data to encrypt before saving the encrypted data back to the file replacing the original contents.
- An alternative technique is to delete the original data file and save the encrypted data in a newly named file, often with an indicator in the filename it is created by the ransomware.
- The ransomware makes a CreateFile() API call to first obtain a 'file handle object' for the following ReadFile() API calls. The read-in data is enciphered with the chosen encryption algorithm and an encryption key.
- a WriteFile() API call is made to save the encrypted data.
- a CloseFile() API call is required.
- the ransomware may open the selected files one by one sequentially or open more than one file concurrently. There is no difference to the I/O calling and processing sequence described.
- The 'file handle object' that is returned by a successful CreateFile() API call is the prerequisite for the subsequent processing by the ReadFile()/WriteFile() API calls. Without a valid 'file handle object', the ransomware is not able to perform an encryption operation on any file, effectively terminating its attack.
- the invention is based on the technical fundamental of denying the ransomware access to a 'file handle object'.
- the invention introduces a novel and purely technical method to proactively block any attempts to perform an I/O operation on data files by a suspicious executable, without the requirement of any knowledge about whether the suspicious executable (requesting process) is malicious or not.
- the core motive of the invention is to deny a suspicious process such as ransomware to have access to the data files, thereby defeating the ransomware's objective of rendering the data files inaccessible by means of encryption and data corruption.
- The invention departs from the existing malware/ransomware defence approaches of pattern scanning, heuristics analysis, sandboxing, application whitelisting, cloud-based intelligence, AI and machine learning, application/system patching, user awareness training, containment, data backup and mitigation etc. These approaches have been tried and have proven inadequate as protection against today's ransomware attacks.
- The invention provides robust protection to data files and may not be bypassed by ransomware or any new variants, even where the ransomware has obtained high system and account privileges through vulnerability exploitation.
- the inventive novel method requires zero knowledge of the ransomware execution code and has no requirement for updating and patching. It also operates without any noticeable performance impact.
- the inventive method is based on the computing fundamentals that computer data is stored in a static computer data file on permanent storage, and there exists one or more known user application programs 11 on the computer which are used to process and manipulate the data file.
- The ADP protection covers data files only, excluding executable binary files and system generated temporary files, because ransomware does not encrypt executable binary files, which would render the computer inoperable.
- The realization of the invention as a practical ransomware protection solution is through the implementation of kernel driver software operating in Ring 0 of the OS (the kernel), with supplementary user-mode software components in Ring 3 (the application ring). The majority of modern operating systems operate using a ring structure like this.
- Ransomware is a standard computer program from the OS's perspective, and it must follow the same file I/O request procedure when it attempts to operate on a computer file.
- the ultimate objective of ransomware is to encrypt data files on the compromised computer disk and extort money from the data owner before releasing the decryption key and method.
- The ransomware must obtain access to the data files on the computer to perform its intended malicious purposes. Blocking unknown and unauthorized access to data files on a computer by default prevents ransomware from encrypting and overwriting data files, and effectively terminates the ransomware attack.
- The inventive method enforces that only the registered 'file handlers' and user-allowed application programs can access data files unhindered. The method is integrated into the file I/O access workflow of the OS kernel; its protection is non-bypassable and transparent to both the application program and the computer user.
- The Windows RTM (Release To Manufacturing) architecture does not allow applications direct access to hardware; a software protection layer called the 'Hardware Abstraction Layer' (HAL) 35 defines device-independent interfaces for applications to perform I/O operations on hardware devices. This abstraction enables applications to request I/O operations without regard to the physical characteristics of the underlying hardware devices.
- Typical I/O operations on a hardware storage device are read and write requests.
- the kernel maintains a data structure called "services dispatch" tables.
- the tables map user-mode function calls to Windows native APIs (Application Programming Interface), which are not fully documented.
- The user-mode function call API is mapped to the appropriate kernel native API call(s) and serviced by the kernel. For example, a user-mode API call to CreateFile() is mapped to the kernel function call ZwCreateFile().
- Windows provides I/O services by the I/O system services 31 and I/O Manager 32 kernel components.
- The I/O Request Packet (IRP) is used to package and dispatch request and control messages to the target device driver, e.g. filesystem drivers, via function codes.
- the function code is embedded in an IRP that a driver receives and acts on.
- A kernel driver implements and services function codes such as IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL etc. and reports back status on completion.
- The I/O Manager 32 calls the target driver's IRP_MJ_CREATE function code. Later, when the application calls ReadFile() or WriteFile(), the I/O Manager 32 dispatches IRP_MJ_READ or IRP_MJ_WRITE calls in the IRP.
- On close, IRP_MJ_CLOSE is called and the file handle object will not be usable afterwards.
- the I/O Manager 32 also returns an I/O request result to the caller, e.g. succeeded or failed.
- Windows has a layered-drivers architecture that allows other kernel drivers to intercept IRPs destined to a target device driver.
- the intended purpose is to provide additional services; these intercepting drivers are called filesystem filter drivers, or just filter drivers.
- the filter driver used in the present invention will be referred to herein as the ADP (filter) driver 33, or Aegis Data Protector filter driver, and is a filesystem filter driver that intercepts I/O requests to the file systems, e.g. NTFS.
- the ADP driver 33 stores its operating parameters in the Windows Registry 20, which is protected from unauthorized modification by the driver itself. It reads in the operating parameters when it is loaded at boot time and the operating parameters affect its operating behaviour.
- the ADP driver 33 is supported by its supplementary user-mode components which provide services to the driver such as an administration program for the user to manage and adjust the driver's operation parameters, an interactive communication channel with the user, proxy services to user-mode Windows API callings and log files collation and analysis etc.
- The communication channels between the ADP driver 33 and its user-mode components may be protected by cryptographic methods.
- the above mentioned administration program operating in the userland context provides a tool for the human user to manage and control the protection parameters of the ADP driver 33 by issuing instructions to the driver manually and directly, e.g. to turn on and off protection.
- A second userland program, which is implemented as an NT Service to run continuously once the computer has started up, facilitates a secure two-way communication channel between the ADP driver 33 and the human user, for the latter to approve or deny access to data files by unknown application programs.
- the NT Service program may optionally also provide API calling proxy services and other supporting functionality to the ADP driver 33.
- Log files collation and analysis functionality may optionally be provided by a third userland application, which forwards the audit log data to one or more remote centralized log data repository where further log data processing by A.I and machine learning functions are implemented.
- a kernel filesystem filter driver is required to register with the VO Manager 32 to receive VO notifications to process IRPs.
- the ADP driver 33 informs the VO Manager 32 the VO requests it wants to intercept, by registering the necessary VO function codes, and calls IoAttachDeviceByPointer() .
- the VO Manager 32 then reroutes IRPs, that are destined to the target drivers, first to the ADP filter driver 33 for processing.
- ADP can request to receive only IRPs of interest but not all IRPs as explained here.
- the VO Manager 32 on loading a driver, calls the "entry point" DriverEntryQ&n passes in a pointer of a data structure (the driver's Driver Object) together with a text string of its Registry path so that ADP driver 33 knows where to find its parameters in the Registry.
- ADP driver 33 performs initialization in DriverEntry() and fills out some, although not necessarily all, of the Driver Object structure's data members before returning to the VO Manager 32.
- One data member is an array of IRPs of interest, for example,
- ADPCreateQ in the ADP driver 33 code is called when there is a IRP M J CREATE,' one or more of IRP MJ READ, IRP MJ WRITE, IRP MJ FILE SYSTEM CONTROL and IRP MJ DEVICE CONTROL are also registered (it is useful to intercept READ to protect the ADP application image files themselves from unauthorized access so that other processes are prevented from opening the application files relating to ADP).
- the ADP driver 33 also registers a callback function CmRegisterCallbackEx() .
- the system When there is an attempt to change and delete the ADP driver parameters in the Registry, the system notifies the ADP driver 33 of the intended action.
- the ADP driver 33 blocks and denies the unauthorized Registry modification attempt. The protection ensures the ADP driver 33 always operates in the expected configuration.
- This exemplary embodiment implements a four-step method.
- The first step of this method involves intercepting an I/O request packet made by a requesting process to a filesystem to open an existing file.
- The second step involves inspecting the file extension of the existing file.
- The third step involves checking whether the requesting process name is a registered file handler for that file's extension.
- The fourth step involves denying the request when the result of the check is negative, meaning that the process name and registered file handler do not match.
- Fig. 2 shows the program flow of an implementation of the ADP method.
- When the system is first configured, the ADP driver 33 must be registered with the operating system (step 110) and have the relevant parameters installed in the registry (step 115).
- The ADP driver 33 maintains some or all of the following data in the registry, and applies protection against unauthorised modification.
- The ADP registry parameters can only be modified when the ADP operating status is set to deactivated mode. This ensures that the values cannot be maliciously modified to bypass the protection provided by the method.
- The values stored include the Configuration value, an 8-hex-digit DWORD value that controls the start-up default operating behaviour of the driver.
- Another stored value is the RegisteredProcess value, a string that contains the user-defined applications to handle a specific file type. The user may define additional applications to handle a file type, e.g. *.docx can be processed by WinWord.exe and wps.exe (assuming WinWord is the default file handler).
- A wild card allows an application unrestricted access to all data files, such as FTP, anti-malware and data backup/archive programs, e.g. filezilla.exe:*;.
- The data values stored in this registry key are added to the driver's mapping list, i.e.
- The ADP driver 33 can maintain additional data in the registry, such as a license key, the ADP driver 33 version number, and the installer version information (which is filled in by the installer).
- The operating parameters are read from the Windows Registry 20 (step 125).
- The identifiers for the IRPs of interest are then registered with the operating system to control application access (step 130). This step involves registering the IRPs of interest that the ADP driver wants to intercept with the system, in order to allow the ADP driver to receive those IRPs for inspection and processing. This ensures that the I/O Manager 32 will only send registered IRPs to the ADP driver.
- The ADP driver 33 operates in either an activated mode or a deactivated mode. Activated mode refers to the state in which ADP enforces IRP interception and makes allow/deny decisions based on the operations described (e.g. denies or allows an I/O request).
- There are two operating states in deactivated mode. In status 1, ADP continues to examine IRPs but does not deny I/O requests, which is the same as it being turned off, and all I/O requests are allowed; the self-protection of Registry data and its own application files remains active. In status 2, ADP is totally deactivated and all protection functions are disabled. This mode allows the admin user to change the ADP operating parameters.
- The ADP driver 33 intercepts all I/O requests to open an existing file in an IRP_MJ_CREATE IRP.
- This request IRP will be made by the I/O Manager 32 to either create a new file or open an existing file.
- The request IRP is rerouted by the I/O Manager 32 to the ADP driver 33, which then intercepts the request IRP (step 135).
- The driver then optionally checks to see if it is in the activated state (step 140), and if not, passes the request to the next driver in the kernel (step 180).
- This means the I/O operation will be processed by the I/O system normally, i.e. ADP is not denying I/O although it still intercepts and inspects the IRPs. This allows the ADP driver 33 to protect its own files and its registry data from being modified while still being inactive and not preventing any form of I/O.
- The driver checks the type of the request IRP intercepted (step 150). If the IRP_MJ_CREATE IRP relates to creating a new file, which is of no interest to the ADP driver 33, and not to opening an existing file, the ADP driver 33 does not process the IRP_MJ_CREATE IRP further and forwards the IRP to the next drivers (step 180) by calling IoCallDriver(), as mandated in the Microsoft kernel development documentation. This is to minimize any unnecessary delay in the file I/O processing by the I/O system services.
- IRP_MJ_CREATE IRPs relating to creating a new file are not of interest because ransomware does not create new files, but encrypts existing ones.
- Fig. 4 illustrates the standard operation flow when accessing a file, as well as the moment when the driver intercepts the request.
- The file type is determined.
- The interception allows the ADP driver 33 to inspect the file extension of the impending file open operation. Both the requesting process name and its parent process name are obtained in the ADPCreate() function, which handles the IRP_MJ_CREATE IRP, via a native API call to ZwQueryInformationProcess().
- The type of the file is inspected (step 160). If the file is not a data file, the ADP driver 33 does not process the IRP request further, but instead passes it to the next driver in the kernel (step 180).
- The next stage involves checking (step 170) whether the requesting process name is an appropriate file handler for the file type.
- This check comprises checking whether the requesting process name is a registered file handler for the file extension found when inspecting the IRP_MJ_CREATE IRP.
- This check is implemented through the use of a mapping list (although any form of mapping data structure could be used).
- The ADP driver 33 maintains an internal mapping list of (i) file extensions (file types), (ii) their registered 'file handler' and optionally (iii) the parent process of the 'file handler'.
- The ADP driver 33 compares (i) the requested file's file extension (filename ignored) embedded in the IRP_MJ_CREATE IRP as a key against the ADP driver's internal mapping list to locate the registered file handler. If a registered file handler is found, it is compared with (ii) the requesting process name for a match. If the requesting process matches the registered file handler then the check is positive; if not, the check is negative.
- The check could also be implemented in a variety of alternative ways that also compare the requesting process to the registered file handler for that file type.
- The use of a mapping data structure is not required, just some form of check that a process is a registered file handler for that file type. Examples of this include a list of tuples containing a file extension and its registered file handler.
- The ADP driver 33 may optionally further match (iii) the requesting process's parent process name with the corresponding parent process name in the mapping list.
- The optional second-stage matching of the parent process names is an enhanced protection against a hypothetical but potentially possible advanced ransomware technique, whereby the ransomware could have compromised and launched the registered 'file handler' to perform malicious I/O operations on the specific file type, e.g. *.xlsx.
- In that case the parent process of the requesting process (which is suspected ransomware) will not be the user's default shell, i.e. explorer.exe, but an arbitrary unknown process (possibly the ransomware).
- The mapping also includes application programs that require unrestricted access to all data files (e.g. backup programs and anti-malware applications) and, if any, user-selected application programs that could manipulate a specific file type in addition to the default registered 'file handler'.
- The ADP driver 33 excludes from protection executable files, e.g. *.exe, *.dll and *.sys etc., and system- and application-generated temporary working files, e.g. *.tmp, *.temp, because ransomware typically does not encrypt executables/system files so as not to cause the computer to malfunction and become inoperable.
- The ADP driver 33 checks (step 170) that the requested file's file extension (filename ignored) embedded in the IRP_MJ_CREATE IRP is not one of the excluded file extensions.
- If the extension is excluded, the ADP driver 33 does not process the IRP_MJ_CREATE IRP and forwards the IRP to the next drivers by calling IoCallDriver().
- The ADP driver's interception for this I/O request is then completed and the I/O operation by the filesystem proceeds as normal.
- The check is performed as described above.
- The final stage involves denying the request when a negative check occurs (step 190).
- If the check is negative, meaning that there is no match between the requesting process name and the registered file handler process name or, if optionally activated, the parent process names are not matched (in the mapping list), and the user rejects the file access by the unknown requesting process, the ADP driver 33 completes the IRP_MJ_CREATE IRP processing with an API call to IoCompleteRequest() and returns the status code STATUS_ACCESS_DENIED to the I/O Manager 32.
- The ADP driver 33 does not forward the IRP_MJ_CREATE IRP to the next filesystem drivers for further I/O processing, and the I/O call is curtailed to indicate that the 'requesting process' is not allowed to access the data file and could be malicious, for example ransomware.
- The I/O Manager 32 sends an "Access Denied/Failed" message code to the 'requesting process' and the I/O operation is aborted.
- The method of denying access to the data file not only prevents an unauthorized/unknown requesting process from encrypting the file content, it also blocks file data from being exfiltrated outside the computer without the user's approval. If the 'requesting process' is ransomware, all of its data encryption and data stealing attempts are blocked and the ransomware attack is thwarted. Any other suspicious executable will also be denied access.
- The ADP driver 33 allows the user to approve the request.
- The ADP driver 33 sends a runtime query to the user via its user-mode component. This query asks whether the user would like to allow the unknown 'requesting process' (application program) to access the data file under ADP protection, with a suitable advisory warning of a possible malicious program access attempt and showing the user the full path of the unknown requesting process. This allows the user to confirm an alternative application program, other than the default application, to edit the specific file type at that point in time.
- The unknown application that the user approves may optionally be added to the mapping list for later matching purposes.
- The ADP driver 33 loads the parameters into its internal mapping list on starting up. Sending this runtime query does not depend on the existence of a mapping list, meaning that the feature can be performed with any alternative form of check.
- The ADP driver 33 may put the requesting process name in an internal list for faster denial processing.
- The ADP driver 33 may also terminate the requesting process, or instruct its user-mode component to terminate the requesting process and to raise an alert to the logged-on user and system administrator.
- The ADP driver 33 may also record in an audit log file all its processing of IRP_MJ_CREATE IRPs and whether it allowed or denied the I/O operation by the requesting process.
- If the check is positive, the ADP driver 33 forwards the IRP_MJ_CREATE IRP to the next filesystem drivers for normal I/O processing via a native API call to IoCallDriver(), similar to the description above.
- When the target filesystem driver, e.g. NTFS, completes the CreateFile() request, it returns to the I/O Manager 32 the file handle object of the requested file in the IRP_MJ_CREATE IRP with a STATUS_SUCCESS code.
- The 'requesting process', e.g. excel.exe, then succeeds in getting the file handle object for subsequent I/O operations.
- The I/O operation by the requesting process is not affected by the ADP driver's protection, which is transparent to the requesting process and the human user.
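The open-request check described above (file-type classification, the executable/temporary-file exclusion, the mapping-list match and the optional parent-process match), as an added user-mode C example that is not the patent's driver code. The RegisteredProcess string format is an assumption extended from the page's filezilla.exe:* example, the sample policy is constructed, and the kernel-side IRP handling is left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Outcome of inspecting one IRP_MJ_CREATE for an existing file (Fig. 2 flow) */
typedef enum {
    ADP_PASS_THROUGH, /* not a protected data file: forward via IoCallDriver() */
    ADP_ALLOW,        /* requesting process (and parent, if checked) matched */
    ADP_ASK_USER      /* no match: runtime query to the user, then STATUS_ACCESS_DENIED */
} adp_verdict;

#define ADP_MAX_ENTRIES 32
typedef struct {
    char ext[16];     /* extension without the dot; "*" = unrestricted access */
    char handler[64]; /* registered file handler process name */
    char parent[64];  /* expected parent process name; "" = not checked */
} adp_entry;
typedef struct {
    adp_entry entries[ADP_MAX_ENTRIES];
    int count;
} adp_mapping;

/* Executables and temporary working files are excluded from protection */
static const char *const adp_excluded[] = { "exe", "dll", "sys", "tmp", "temp" };

/* Case-insensitive equality: Windows file and process names are not case-sensitive */
static bool adp_ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Parse a RegisteredProcess-style string into the mapping list. The format is an
 * assumption extended from the page's "filezilla.exe:*;" example:
 * "handler:ext;handler:ext;..." plus an optional third field "handler:ext:parent;"
 * naming the parent process for the optional second-stage match.
 * Returns the entry count, or -1 on a malformed or oversized field. */
int adp_load_mapping(adp_mapping *m, const char *spec) {
    m->count = 0;
    for (const char *p = spec; *p; ) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char tok[160];
        if (len >= sizeof tok || m->count == ADP_MAX_ENTRIES) return -1;
        memcpy(tok, p, len); tok[len] = '\0';
        if (len > 0) {
            adp_entry *e = &m->entries[m->count];
            char *ext = strchr(tok, ':');
            if (!ext) return -1;              /* handler with no extension field */
            *ext++ = '\0';
            char *parent = strchr(ext, ':');
            if (parent) *parent++ = '\0';
            if (strlen(tok) >= sizeof e->handler || strlen(ext) >= sizeof e->ext ||
                (parent && strlen(parent) >= sizeof e->parent)) return -1;
            memset(e, 0, sizeof *e);
            strcpy(e->handler, tok);
            strcpy(e->ext, ext);
            if (parent) strcpy(e->parent, parent);
            m->count++;
        }
        p = end ? end + 1 : p + len;
    }
    return m->count;
}

/* Extension of the requested path (filename ignored); NULL when there is none */
static const char *adp_extension(const char *path) {
    const char *base = strrchr(path, '\\');
    base = base ? base + 1 : path;
    const char *dot = strrchr(base, '.');
    return (dot && dot[1]) ? dot + 1 : NULL;
}

/* Steps 160-190: classify the file, then match the handler and optionally its parent */
adp_verdict adp_check_create(const adp_mapping *m, const char *path,
                             const char *process, const char *parent, bool check_parent) {
    const char *ext = adp_extension(path);
    if (!ext) return ADP_PASS_THROUGH;  /* assumption: no extension = not a data file */
    for (size_t i = 0; i < sizeof adp_excluded / sizeof adp_excluded[0]; i++)
        if (adp_ieq(ext, adp_excluded[i])) return ADP_PASS_THROUGH;
    for (int i = 0; i < m->count; i++) {
        const adp_entry *e = &m->entries[i];
        if (strcmp(e->ext, "*") != 0 && !adp_ieq(e->ext, ext)) continue;
        if (!adp_ieq(e->handler, process)) continue;
        /* Optional second stage: a registered handler launched by an unexpected
         * parent (e.g. excel.exe spawned by ransom.exe) counts as unmatched */
        if (check_parent && e->parent[0] && (!parent || !adp_ieq(e->parent, parent))) continue;
        return ADP_ALLOW;
    }
    return ADP_ASK_USER;
}

/* Constructed sample policy (not taken from the page) in the assumed format */
#define ADP_SAMPLE_SPEC "WinWord.exe:docx:explorer.exe;wps.exe:docx;excel.exe:xlsx:explorer.exe;filezilla.exe:*;"
const adp_mapping *adp_sample_mapping(void) {
    static adp_mapping m;
    if (m.count == 0) adp_load_mapping(&m, ADP_SAMPLE_SPEC);
    return &m;
}
```

With the sample policy, the two Fig. 3 paths come out as ADP_ASK_USER for ransom.exe and ADP_ALLOW for excel.exe under explorer.exe, while excel.exe spawned by an unknown parent is only allowed when the parent check is switched off.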
- This inventive method has significant advantages over current ransomware protection technologies. It requires zero knowledge of the content and activity of a suspicious executable, which means that it is not necessary to scan the file contents, to check any local and online databases of suspicious executables, or to track the API calls and activities of all processes on the computer looking for suspicious and known ransomware activity footprints and patterns. All the mentioned protective technologies are computing-resource intensive and impact computer performance. Known protections have also not proven reliably effective. In contrast, the ADP method described in the above embodiment requires minimal system resources because it has no active scanning and detecting requirement.
- The claimed invention is equally effective against known and unknown variants of ransomware and other suspicious executables. New and unknown ransomware techniques are unable to bypass ADP blocking interception, because all ransomware attacks require opening the data files for malicious activities such as encryption and/or data stealing.
- The claimed invention also does not require that the computer is patched and up-to-date to be effective. It presumes the suspicious executable has already breached the computer's anti-malware and security defences and is running unrestricted.
- Fig. 3 shows the operation flow of the method when two different processes attempt to access a file stored on the computer's permanent storage medium 36.
- The first path (labelled 'a' in Fig. 3) involves the suspicious program "ransom.exe", as an example of a suspicious executable.
- The program opens a file on the computer, which makes a request to the I/O Manager 32 to access the file.
- The I/O Manager 32 sends an IRP_MJ_CREATE IRP to the ADP driver 33 so that the request can be inspected.
- The driver compares the requesting process name to any registered file handlers using an internal mapping list.
- The ADP driver 33 also compares the parent process to the parent process of the file handler.
- The request made by the suspicious process is blocked by the driver, as that particular process was not listed as a registered file handler for that file extension.
- The I/O Manager 32 has an access denied code returned to it.
- The requesting process is not able to edit the file in question.
- The driver may send a runtime request to the user to allow the unknown process access before sending the denial.
- The second path involves the legitimate process "excel.exe".
- In step 310b the program opens a file on the computer, which again makes a request to the I/O Manager 32 to access the file.
- In step 320 an IRP containing the process name and the requested file is again sent to the ADP driver 33.
- "excel.exe" is found to be a registered file handler for the requested file extension, meaning that the request is allowable.
- In step 330b the ADP driver 33 forwards the IRP_MJ_CREATE IRP to the file system drivers 34 for normal processing.
- In step 340 the file system completes the I/O request and returns the file handle object. The requesting process is then able to edit the file in question.
- The file type may be determined by other means than filename extensions, e.g. by looking at the beginning of the file content and comparing it to a list of known indicators. A check can then be performed to determine whether the requesting process is an appropriate file handler for the file type.
- The various embodiments can be implemented in a wide variety of operating environments, which in some cases can include one or more user computers, computing devices, or processing devices which can be used to operate any of a number of applications.
- User devices can include any of a number of general-purpose personal computers, such as desktop or laptop computers running a standard operating system, as well as cellular, wireless, and handheld devices running mobile software and capable of supporting a number of networking and messaging protocols.
- Such a system also can include a number of workstations running any of a variety of commercially available operating systems and other known applications for purposes such as development and database management.
- These devices also can include other electronic devices, such as thin clients, gaming systems, and other devices capable of communicating via a network, provided the devices include a file system to protect.
- Various aspects also can be implemented as part of at least one service or Web service, such as may be part of a service-oriented architecture.
- Services such as Web services can communicate using any appropriate type of messaging, such as by using messages in extensible markup language (XML) format exchanged using an appropriate protocol such as SOAP (derived from the "Simple Object Access Protocol").
- Processes provided or executed by such services can be written in any appropriate language, such as the Web Services Description Language (WSDL).
- Using a language such as WSDL allows for functionality such as the automated generation of client-side code in various SOAP frameworks.
- The Web server can run any of a variety of server or mid-tier applications, including HTTP servers, FTP servers, CGI servers, data servers, Java servers, and business application servers.
- The server(s) also may be capable of executing programs or scripts in response to requests from user devices, such as by executing one or more Web applications that may be implemented as one or more scripts or programs written in any programming language, such as Java®, C, C# or C++, or any scripting language, such as Perl, Python, or TCL, as well as combinations thereof.
- The server(s) may also include database servers, including without limitation those commercially available from Oracle®, Microsoft®, Sybase®, and IBM®.
- The environment can include a variety of data stores and other memory and storage media as discussed above. These can reside in a variety of locations, such as on a storage medium 36 local to (and/or resident in) one or more of the computers or remote from any or all of the computers across the network. In a particular set of embodiments, the information may reside in a storage-area network ("SAN") familiar to those skilled in the art. Similarly, any necessary files for performing the functions attributed to the computers, servers, or other network devices may be stored locally and/or remotely, as appropriate.
- Each such device can include hardware elements that may be electrically coupled via a bus, the elements including, for example, at least one central processing unit (CPU), at least one input device (e.g., a mouse, keyboard, controller, touch screen, or keypad), and at least one output device (e.g., a display device, printer, or speaker).
- Such a system may also include one or more storage devices, such as disk drives, optical storage devices, and solid-state storage devices such as random access memory ("RAM") or read-only memory ("ROM"), as well as removable media devices, memory cards, flash cards, etc.
- Such devices can include a computer-readable storage media reader, a communications device (e.g., a modem, a network card (wireless or wired), an infrared communication device, etc.), and working memory as described above.
- The computer-readable storage media reader can be connected with, or configured to receive, a computer-readable storage medium 36, representing remote, local, fixed, and/or removable storage devices as well as storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information.
- The system and various devices also typically will include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs. It should be appreciated that alternate embodiments may have numerous variations from that described above.
- Storage media and other non-transitory computer-readable media for containing code, or portions of code, can include any appropriate media known or used in the art, such as but not limited to volatile and non-volatile, removable and non-removable non-transitory media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules, or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a system device.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB2303373.1A GB2627941A (en) | 2023-03-08 | 2023-03-08 | File-system protection |
| GB2303373.1 | 2023-03-08 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024184646A1 true WO2024184646A1 (fr) | 2024-09-12 |
Family
ID=85980241
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/GB2024/050602 Pending WO2024184646A1 (fr) | 2023-03-08 | 2024-03-07 | File-system protection |
Country Status (2)
| Country | Link |
|---|---|
| GB (1) | GB2627941A (fr) |
| WO (1) | WO2024184646A1 (fr) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US12430457B2 (en) * | 2023-04-07 | 2025-09-30 | Dell Products L.P. | Reversing symmetric encryptions using keys found in snapshots—per-file keys, random and transmitted outside |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130067600A1 (en) * | 2011-09-09 | 2013-03-14 | Microsoft Corporation | Selective file access for applications |
| US20180018458A1 (en) * | 2016-07-14 | 2018-01-18 | Mcafee, Inc. | Mitigation of ransomware |
| US20180357416A1 (en) * | 2017-06-08 | 2018-12-13 | Cisco Technology, Inc. | File-type whitelisting |
| WO2019212111A1 (fr) * | 2018-04-30 | 2019-11-07 | 에스엠테크놀러지(주) | System and method for monitoring and controlling an abnormal process, and recording medium for implementing said method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20180135601A (ko) * | 2017-06-13 | 2018-12-21 | 김대엽 | Method and apparatus for real-time detection and blocking of ransomware in a computer system |
- 2023-03-08 GB GB2303373.1A patent/GB2627941A/en not_active Withdrawn
- 2024-03-07 WO PCT/GB2024/050602 patent/WO2024184646A1/fr active Pending
Non-Patent Citations (1)
| Title |
|---|
| SVEN SCHREIBER: "Undocumented Windows 2000 Secrets: A Programmer's Cookbook" |
Also Published As
| Publication number | Publication date |
|---|---|
| GB202303373D0 (en) | 2023-04-19 |
| GB2627941A (en) | 2024-09-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10291634B2 (en) | System and method for determining summary events of an attack | |
| US9846776B1 (en) | System and method for detecting file altering behaviors pertaining to a malicious attack | |
| US8850428B2 (en) | User transparent virtualization method for protecting computer programs and data from hostile code | |
| RU2723665C1 (ru) | Dynamic reputation indicator for optimizing computer security operations | |
| RU2646352C2 (ru) | System and method for applying a reputation indicator to facilitate malware scanning | |
| US7437766B2 (en) | Method and apparatus providing deception and/or altered operation in an information system operating system | |
| US12225013B2 (en) | Securing application behavior in serverless computing | |
| US7296274B2 (en) | Method and apparatus providing deception and/or altered execution of logic in an information system | |
| US20100306851A1 (en) | Method and apparatus for preventing a vulnerability of a web browser from being exploited | |
| US20020178375A1 (en) | Method and system for protecting against malicious mobile code | |
| US7665139B1 (en) | Method and apparatus to detect and prevent malicious changes to tokens | |
| US20070250927A1 (en) | Application protection | |
| US8195953B1 (en) | Computer program with built-in malware protection | |
| US20140337918A1 (en) | Context based switching to a secure operating system environment | |
| US9454652B2 (en) | Computer security system and method | |
| US8775802B1 (en) | Computer security system and method | |
| US20230297676A1 (en) | Systems and methods for code injection detection | |
| US11636219B2 (en) | System, method, and apparatus for enhanced whitelisting | |
| WO2024184646A1 (fr) | File-system protection | |
| US10880316B2 (en) | Method and system for determining initial execution of an attack | |
| Iglio | Trustedbox: a kernel-level integrity checker | |
| US11275828B1 (en) | System, method, and apparatus for enhanced whitelisting | |
| Liu et al. | Tzeamm: An efficient and secure active measurement method based on trustzone | |
| Xuan et al. | Droidpill: pwn your daily-use apps | |
| Major | A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24712566; Country of ref document: EP; Kind code of ref document: A1 |
| | WWE | Wipo information: entry into national phase | Ref document number: 2024712566; Country of ref document: EP |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | ENP | Entry into the national phase | Ref document number: 2024712566; Country of ref document: EP; Effective date: 20251008 |