System and method for antivirus checking of files based on level of trust of their digital certificates

US 10,313,324 B2
Filed: 12/02/2014
Issued: 06/04/2019
Est. Priority Date: 12/02/2014
Status: Active Grant

First Claim

Patent Images

1. A method for performing antivirus checking of a file, the method comprising:

obtaining a digital certificate of the file, wherein the digital certificate is an end certificate associated with a certificate chain;

determining, by a hardware processor, validity of the obtained digital certificate by decrypting a digital signature of the obtained digital certificate using a public key of an intermediate certificate authority, calculating a hash value of the digital certificate, and determining a match of the decrypted digital signature with the calculated hash value;

assigning a level of trust to the digital certificate based on the determined validity or invalidity of the digital certificate of the file and further based on a set of intermediate digital certificates in the certificate chain,wherein a low level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a digital certificate used to sign a known malicious file,wherein a medium level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a valid digital certificate, andwherein a high level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates being issued by a trusted certification authority; and

performing an antivirus checking method on the file based on the assigned level of trust of the digital certificate of the file, wherein one or more of heuristic analysis, emulation, and blocking execution is performed on the file having a digital certificate with an assigned low level of trust.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for antivirus checking of files based on level of trust of their digital certificates. An example method includes obtaining a digital certificate of a digital signature of a file; determining validity of the obtained digital certificate; assigning a level of trust to the digital certificate based on the determined validity or invalidity of the digital certificate of the file; based on the assigned level of trust of the digital certificate of the file, determining what antivirus checking method to perform on the file; and performing the determined antivirus checking method on the file.

16 Citations

20 Claims

1. A method for performing antivirus checking of a file, the method comprising:
- obtaining a digital certificate of the file, wherein the digital certificate is an end certificate associated with a certificate chain;
  
  determining, by a hardware processor, validity of the obtained digital certificate by decrypting a digital signature of the obtained digital certificate using a public key of an intermediate certificate authority, calculating a hash value of the digital certificate, and determining a match of the decrypted digital signature with the calculated hash value;
  
  assigning a level of trust to the digital certificate based on the determined validity or invalidity of the digital certificate of the file and further based on a set of intermediate digital certificates in the certificate chain,wherein a low level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a digital certificate used to sign a known malicious file,wherein a medium level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a valid digital certificate, andwherein a high level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates being issued by a trusted certification authority; and
  
  performing an antivirus checking method on the file based on the assigned level of trust of the digital certificate of the file, wherein one or more of heuristic analysis, emulation, and blocking execution is performed on the file having a digital certificate with an assigned low level of trust.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - assigning, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a low level of trust based on invalidity of the at least one digital certificate or based on the at least one digital certificate being used to sign a known malicious file.
  - 3. The method of claim 1, further comprising:
    - assigning, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a medium level of trust based on a validity of the at least one digital certificate; and
      
      performing signature matching of the file having a digital certificate with a medium level of trust.
  - 4. The method of claim 1, further comprising:
    - assigning, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a high level of trust based on digital certificates issued by a trusted certification authority; and
      
      not performing antivirus checking of a file having a digital certificate with a high level of trust.
  - 5. The method of claim 1, wherein determining validity of the digital certificate includes:
    - constructing the certificate chain associated with the certificate of the file; and
      
      traversing the certificate chain and validating each certificate in the chain.
  - 6. The method of claim 1, further comprising:
    - assigning a low level of trust to the end certificate based on an intermediate certificate in the certificate chain that were found in certificate chains of a malicious file even if other certificates in the certificate chain have an assigned medium or high level of trust.
  - 7. The method of claim 1, wherein determining whether a digital certificate is valid when one or more of the following conditions is met:
    - a digital signature of a certification authority associated with the digital certificate is correct;
      
      a validity period of the certificate has not expired at a present moment; and
      
      the certificate has not been revoked.

8. A system for performing antivirus checking of a file, the system comprising:
- a hardware processor configured to;
  
  obtain a digital certificate of the file, wherein the digital certificate is an end certificate associated with a certificate chain;
  
  determine validity of the obtained digital certificate of the file by decrypting a digital signature of the obtained digital certificate using a public key of an intermediate certificate authority, calculating a hash value of the digital certificate, and determining a match of the decrypted digital signature with the calculated hash value;
  
  assign a level of trust to the digital certificate based on the determined validity or invalidity of the digital certificate of the file and further based on a set of intermediate digital certificates in the certificate chain,wherein a low level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a digital certificate used to sign a known malicious file,wherein a medium level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a valid digital certificate, andwherein a high level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates being issued by a trusted certification authority; and
  
  perform an antivirus checking method on the file based on the assigned level of trust of the digital certificate of the file, wherein one or more of heuristic analysis, emulation, and blocking execution is performed on the file having a digital certificate with an assigned low level of trust.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the hardware processor further configured to:
    - assign, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a low level of trust based on invalidity of at least one digital certificate or based on the least one digital certificate being used to sign a known malicious file.
  - 10. The system of claim 8, wherein the hardware processor further configured to:
    - assign, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a medium level of trust based on validity of the at least one digital certificate; and
      
      perform signature matching of the file having a digital certificate with a medium level of trust.
  - 11. The system of claim 8, wherein the hardware processor further configured to:
    - assign, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a high level of trust based on digital certificates issued by a trusted certification authority; and
      
      not perform antivirus checking of a file having a digital certificate with a high level of trust.
  - 12. The system of claim 8, wherein determining validity of the digital certificate includes:
    - constructing the certificate chain associated with the certificate of the file; and
      
      traversing the certificate chain and validating each certificate in the chain.
  - 13. The system of claim 8, wherein the hardware processor further configured to:
    - assign a low level of trust to the end certificate based on an intermediate certificate in the certificate chain that were found in certificate chains of a malicious file even if other certificates in the certificate chain have an assigned medium or high level of trust.
  - 14. The system of claim 8, wherein determining whether a digital certificate is valid when one or more of the following conditions is met:
    - a digital signature of a certification authority associated with the digital certificate is correct;
      
      a validity period of the certificate has not expired at a present moment; and
      
      the certificate has not been revoked.

15. A computer program product, stored on a non-transitory computer readable medium, wherein the computer program product includes computer executable instructions for performing antivirus checking of a file, including instructions for:
- obtaining a digital certificate of the file, wherein the digital certificate is an end certificate associated with a certificate chain;
  
  determining, by a hardware processor, validity of the obtained digital certificate by decrypting a digital signature of the obtained digital certificate using a public key of an intermediate certificate authority, calculating a hash value of the digital certificate, and determining a match of the decrypted digital signature with the calculated hash value;
  
  assigning a level of trust to the digital certificate based on the determined validity or invalidity of the digital certificate of the file and further based on a set of with intermediate digital certificates in the certificate chain,wherein a low level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a digital certificate used to sign a known malicious file,wherein a medium level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates is a valid digital certificate, andwherein a high level of trust is assigned to the end certificate based on a determination that at least one intermediate digital certificate of the set of intermediate digital certificates being issued by a trusted certification authority; and
  
  performing an antivirus checking method on the file based on the assigned level of trust of the digital certificate of the file, wherein one or more of heuristic analysis, emulation, and blocking execution is performed on the file having a digital certificate with an assigned low level of trust.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, further comprising instructions for:
    - assigning, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a low level of trust based on invalidity of the at least one digital certificate or based on the at least one digital certificate being used to sign a known malicious file.
  - 17. The computer program product of claim 15, further comprising instructions for:
    - assigning, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a medium level of trust based on a validity of the at least one digital certificate; and
      
      performing signature matching of the file having a digital certificate with a medium level of trust.
  - 18. The computer program product of claim 15, further comprising instructions for:
    - assigning, to at least one digital certificate in the set of intermediate digital certificates in the certificate chain, a high level of trust based on digital certificates issued by a trusted certification authority; and
      
      not performing antivirus checking of a file having a digital certificate with a high level of trust.
  - 19. The computer program product of claim 15, wherein instructions for determining validity of the digital certificate include instructions for:
    - constructing the certificate chain associated with the certificate of the file; and
      
      traversing the certificate chain and validating each certificate in the chain.
  - 20. The computer program product of claim 15, further comprising instructions for:
    - assigning a low level of trust to the end certificate based an intermediate certificate in the certificate chain that were found in certificate chains of a malicious file even if other certificates in the certificate chain have an assigned medium or high level of trust.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Lab A.O. Kaspersky
Inventors
Solodovnikov, Andrey Y., Ladikov, Andrey V., Pavlushik, Michael
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Shirazi, Sayed Aresh Beheshti

Application Number

US14/557,922
Publication Number

US 20160359842A1
Time in Patent Office

1,645 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/565   by checking file integrity

H04L 63/0823   using certificates cryptogr...

H04L 9/3247   involving digital signatures

System and method for antivirus checking of files based on level of trust of their digital certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for antivirus checking of files based on level of trust of their digital certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links