Prioritizing the scanning of messages using the reputation of the message destinations

US 10,182,064 B1
Filed: 12/31/2016
Issued: 01/15/2019
Est. Priority Date: 12/02/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying a plurality of messages to scan with an updated malware definition;

identifying reputations of a plurality of message destinations associated with the plurality of messages, wherein the reputations are based on one or more reputation clusters, wherein each reputation cluster further comprises one or more nodes representing the plurality of message destinations and one or more edges representing communications between the nodes;

determining an access time for one or more users associated with the plurality of message destinations;

determining a prioritization for scanning the plurality of messages using the identified reputations and the determined access times by assigning higher prioritization to message destinations that have working hours that occur earlier in a period of time;

scanning the plurality of messages using the updated malware definition in the prioritization;

identifying an infected message of the plurality of messages using the updated malware definition; and

removing malware identified by the updated malware definition on the infected message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, computer program products, computer systems, and the like, which protect messages in an electronic messaging system, are disclosed. The methods, computer program products, computer systems, and the like include detecting an occurrence of an event, and, in response to the detecting the occurrence of the event, scanning a message. The occurrence of the event indicates that the message should be scanned. The message includes recipient information, which identifies a recipient of the message, and is stored in a message store. The message has been received at a message destination associated with the recipient. The scanning uses a malware definition. The scanning is performed prior to the message being retrieved from the message store in response to a request by the recipient to retrieve the message from the message store. The event is other than the request by the recipient to retrieve the message from the message store.

22 Citations

View as Search Results

18 Claims

1. A method, comprising:
- identifying a plurality of messages to scan with an updated malware definition;
  
  identifying reputations of a plurality of message destinations associated with the plurality of messages, wherein the reputations are based on one or more reputation clusters, wherein each reputation cluster further comprises one or more nodes representing the plurality of message destinations and one or more edges representing communications between the nodes;
  
  determining an access time for one or more users associated with the plurality of message destinations;
  
  determining a prioritization for scanning the plurality of messages using the identified reputations and the determined access times by assigning higher prioritization to message destinations that have working hours that occur earlier in a period of time;
  
  scanning the plurality of messages using the updated malware definition in the prioritization;
  
  identifying an infected message of the plurality of messages using the updated malware definition; and
  
  removing malware identified by the updated malware definition on the infected message.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the updated malware definition includes information identifying a new malware definition.
  - 3. The method of claim 1, wherein the reputations of the plurality of message destinations are based on a number of violations during a period of time.
  - 4. The method of claim 3, wherein the number of violations include one of a number of antivirus violations, a number of file filtering violations, a number of content filtering violations, a number of emails received since a previous scan, a number of malware items sent, a number of malware items received, and a number of spam messages received.
  - 5. The method of claim 3, wherein the reputations include a score calculated based on the number of violations and the prioritization for scanning the plurality of messages is based on the score.
  - 6. The method of claim 1, wherein identifying the reputations of the plurality of message destinations includes identifying a number of emails received from an external source and a number of emails received from an internal source and assigning a high priority based on the number of emails received from the external sources and assigning a low priority based on the number of emails received from the internal sources.

7. A computer system comprising:
- a processor;
  
  system memory; and
  
  a scanning module residing in the system memory, the scanning module configured to;
  
  identify a plurality of messages to scan with an updated malware definition;
  
  identify reputations of a plurality of message destinations associated with the plurality of messages, wherein the reputations are based on one or more reputation clusters, wherein each reputation cluster further comprises one or more nodes representing the plurality of message destinations and one or more edges representing communications between the nodes;
  
  determine an access time for one or more users associated with the plurality of message destinations;
  
  determine a prioritization for scanning the plurality of messages using the identified reputations by assigning higher prioritization to message destinations that have working hours that occur earlier in a period of time;
  
  scan the plurality of messages using the updated malware definition in an order based on the prioritization;
  
  identify an infected message of the plurality of messages using the updated malware definition; and
  
  remove malware identified by the updated malware definition on the infected message.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the updated malware definition includes information identifying a new malware definition.
  - 9. The system of claim 7, wherein the reputations of the plurality of message destinations are based on a number of violations during a period of time.
  - 10. The system of claim 9, wherein the number of violations include one of a number of antivirus violations, a number of file filtering violations, a number of content filtering violations, a number of emails received since a previous scan, a number of malware items sent, a number of malware items received, and a number of spam messages received.
  - 11. The system of claim 9, wherein the reputations include a score calculated based on the number of violations and the prioritization for scanning the plurality of messages is based on the score.
  - 12. The system of claim 7, wherein identifying the reputations of the plurality of message destinations includes identifying a number of emails received from an external source and a number of emails received from an internal source and assigning a high priority based on the number of emails received from the external sources and assigning a low priority based on the number of emails received from the internal sources.

13. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a plurality of messages to scan with an updated malware definition;
  
  identify reputations of a plurality of message destinations associated with the plurality of messages, wherein the reputations are based on one or more reputation clusters, wherein each reputation cluster further comprises one or more nodes representing the plurality of message destinations and one or more edges representing communications between the nodes;
  
  determine an access time for one or more users associated with the plurality of message destinations;
  
  determine a prioritization for scanning the plurality of messages using the identified reputations and the determined access times by assigning higher prioritization to message destinations that have working hours that occur earlier in a period of time;
  
  scan the plurality of messages using the updated malware definition in an order based on the prioritization;
  
  identify an infected message of the plurality of messages using the updated malware definition; and
  
  remove malware identified by the updated malware definition on the infected message.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable-storage medium of claim 13, wherein the updated malware definition includes information identifying a new malware definition.
  - 15. The non-transitory computer-readable-storage medium of claim 13, wherein the reputations of the plurality of message destinations are based on a number of violations during a period of time.
  - 16. The non-transitory computer-readable-storage medium of claim 15, wherein the number of violations include one of a number of antivirus violations, a number of file filtering violations, a number of content filtering violations, a number of emails received since a previous scan, a number of malware items sent, a number of malware items received, and a number of spam messages received.
  - 17. The non-transitory computer-readable-storage medium of claim 13, wherein causing the computing device to identify the reputations of the plurality of message destinations further causes the computing device to identify a number of emails received from an external source and a number of emails received from an internal source and assign a high priority based on the number of emails received from the external sources and assign a low priority based on the number of emails received from the internal sources.
  - 18. The non-transitory computer-readable-storage medium of claim 15, wherein the reputations include a score calculated based on the number of violations and the prioritization for scanning the plurality of messages is based on the score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Agarwal, Preeti, Bhagwat, Rohit
Primary Examiner(s)
Leung, Robert B
Assistant Examiner(s)
Ho, Thomas

Application Number

US15/396,659
Time in Patent Office

745 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

H04L 51/04   Real-time or near real-time...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 67/01   Protocols

Prioritizing the scanning of messages using the reputation of the message destinations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Prioritizing the scanning of messages using the reputation of the message destinations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links