First response computer virus blocking.

US 20040172551A1
Filed: 12/09/2003
Published: 09/02/2004
Est. Priority Date: 12/09/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of screening a software file for viral infection, the method comprising:

defining a database of known infected file signatures;

determining a signature for a file; and

screening that signature against the signatures contained in said database to determine if there is a match.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process of screening one or more software files to determine any that are recognized to have a matching hash signature with a file contained in a database of files known to be Virus, Trojan, Worm, or otherwise potentially malicious or suspicious which then can be safely blocked, quarantined and/or deleted. This is accomplished through a method and apparatus running on a firewall, network device, mail server, server, personal computer, PDA, cell phone or wireless device to compare the hash signature of each incoming software file against a regularly updated database of known infected file hash signatures. One or more users can be alerted when an infected file is identified. If quarantined the file is safely stored until virus software is updated properly with later developed virus definitions file(s), which are then used to eradicate or clean the infected file(s) or computer systems.

170 Citations

49 Claims

1. A method of screening a software file for viral infection, the method comprising:
- defining a database of known infected file signatures;
  
  determining a signature for a file; and
  
  screening that signature against the signatures contained in said database to determine if there is a match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 27, 28, 38, 39, 40, 41)
- - 2. A method according to claim 1, wherein a match of signatures between the screened file and said database results in an action affecting the said screened file.
  - 3. A method according to claim 1, wherein the result of a non matching signature between the screened file and said database results in an action affecting the said screened file.
  - 4. A method according to claim 1, wherein the result of a non matching signature between the screened file and said database results in an action affecting the said database.
  - 5. A method according to claim 1, wherein a match of signatures between the screened file and said database results in an action affecting the database.
  - 6. A method according to claim 1, wherein a match of signatures between the screened file and said database results in an alert or notification to a user of a local computer system.
  - 7. A method according to claim 6, wherein the said computer system is connected via an electronic link to a remote central computer.
  - 8. A method according to claim 2, wherein a said action is an electronic quarantine of said matched file.
  - 9. A method according to claim 1, wherein said database is updated via an electronic link between a computer hosting the database, where the scanning of the file is performed, and a remote central computer.
  - 10. A method according to claim 1, wherein said database contains a flag set in memory to quarantine said screened files.
  - 11. A method according to claim 1, wherein said database contains a flag set in memory to release quarantined files.
  - 12. A method according to claim 1, wherein said database contains a flag set in memory to erase said files.
  - 13. A method according to claim 10, wherein said flag can be updated by remote software via an electronic link to end user computers.
  - 14. A method according to claim 11, wherein said flag can be updated by remote software via an electronic link to end user computers.
  - 15. A method according to claim 12, wherein said flag can be updated by remote software via an electronic link to end user computers.
  - 16. A method according to claim 10, wherein said flag can be updated by a network manager and flag updates made by the network manager are communicated to network end user computers where infected file virus screening is performed.
  - 17. A method according to claim 11, wherein said flag can be updated by a network manager and flag updates made by the network manager are communicated to network end user computers where infected file virus screening is performed.
  - 18. A method according to claim 12, wherein said flag can be updated by a network manager and flag updates made by the network manager are communicated to network end user computers where infected file virus screening is performed.
  - 19. A method according to claim 10, wherein the quarantined file is placed in a non-executable electronic container.
  - 20. A method according to claim 1, wherein the user is a network manager and database updates made by the network manager are communicated to network end user computers where infected file virus screening is performed.
  - 21. A method according to claim 1, wherein said step of determining a signature for the file and screening that signature comprises deriving a signature of the file and comparing the derived signature with signatures in the database.
  - 27. A method according to claim 1, wherein a match condition causes an alert or notification to be sent electronically to the user of the local computer system hosting said database.
  - 28. A method according to claim 1, wherein a match condition causes an alert or notification to be sent electronically to a network administrator of a remote server.
  - 38. A method according to claim 1, wherein the said database is a part of a bidirectional system for sending and receiving partial hash signatures.
  - 39. A method according to claim 38, wherein partial hash signatures are sent and received through a bidirectional request protocol set to determine a percentage of said file used in hash computation.
  - 40. A method according to claim 39, wherein the requested percentage is set by a dynamic request protocol based on communication speed.
  - 41. A method according to claim 39, wherein the requested percentage is set by a dynamic request protocol based on file size.

22. Apparatus for screening a software file for viral infection, the apparatus comprising:
- a memory storing a database of known infected file signatures; and
  
  a data processor arranged to scan said file to determine whether or not the file has a signature corresponding to one of the signatures contained in said database.
- View Dependent Claims (23, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 23. The apparatus according to claim 22, wherein, in order to determine whether or not the file has a signature corresponding to one of the signatures contained in said database, said data processor is arranged to derive a signature of the file and to compare the derived signature with signatures in the databases.
  - 29. The apparatus according to claim 22, wherein, is a part of a network firewall device.
  - 30. The apparatus according to claim 22, wherein, is a part of a network IDS (Intrusion Detection System).
  - 31. The apparatus according to claim 22, wherein, is a part of a network IPS (Intrusion Prevention System).
  - 32. The apparatus according to claim 22, wherein, is a part of a network packet sniffer software.
  - 33. The apparatus according to claim 22, wherein, is a part of a PDA (Personal Digital Assistant).
  - 34. The apparatus according to claim 22, wherein, is a part of a digital camera.
  - 35. The apparatus according to claim 22, wherein, is a part of a cellular phone.
  - 36. The apparatus according to claim 22, wherein, is a part of a wireless device.
  - 37. The apparatus according to claim 22, wherein, is a part of a computer system comprising one or more CPUs (Central Processing Unit) and one or more memories.

24. A computer memory encoded with executable instructions representing a computer program for causing computer system to:
- maintain a database of known infected file signatures; and
  
  determine whether or not the file has a signature corresponding to one of the signatures contained in said database.
- View Dependent Claims (25, 26)
- - 25. A computer memory according to claim 24, wherein the computer program causes the files to be scanned to determine whether or not they contain a signature corresponding to one of signatures contained in the database.
  - 26. The computer memory according to claim 24, wherein in order to determine whether or not the file has a signature corresponding to one of the signatures contained in said infected file database, said computer program causes the computer system to derive a signature of the file and to compare the derived signature with signatures in the database.

42. Apparatus for determining a partial file hash signature:
- a memory storing a database of known infected file signatures; and
  
  a memory storing a database of partial file signatures; and
  
  a data processor arranged to scan said file incrementally and add file hash signatures, upon request, to said database of partial file signatures; and
  
  to add said hash signatures, upon request, to said database of infected file signatures.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49)
- - 43. The apparatus according to claim 42, wherein the percentage scanned and imputed into said partial file signature database is set by a bidirectional electronic data protocol.
  - 44. The apparatus according to claim 43, wherein the said bidirectional electronic data protocol contains a field of type contained in said protocol.
  - 45. The apparatus according to claim 44, wherein the said protocol is communicated electronically over a computer network.
  - 46. The apparatus according to claim 42, wherein the said partial file hash signature is computed through reverse computation based on probability of a match condition between said partial file and said infected file signature database.
  - 47. The apparatus according to claim 43, wherein the said bidirectional electronic data protocol contains a field of length contained in said protocol.
  - 48. The apparatus according to claim 47, wherein the said field of length is communicating the numerical value of the percent of a hash computed.
  - 49. The apparatus according to claim 42, wherein the said determination of partial file hash signatures is modified based on block size of end user system when compared to block size on a remote server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alex Fielding, Michael Connor
Original Assignee
Alex Fielding, Michael Connor
Inventors
Connor, Michael James, Fielding, Alex

Application Number

US10/707,363
Publication Number

US 20040172551A1
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

First response computer virus blocking.

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

170 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

First response computer virus blocking.

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links