DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

US 20080155691A1
Filed: 12/17/2007
Published: 06/26/2008
Est. Priority Date: 12/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining whether there exists a certificate chain associated with a computer file; and

if the certificate chain is determined to exist then;

evaluating the certificate chain by extracting information from the certificate chain and analyzing the extracted information;

classifying the computer file into a category of a plurality of categories based on said evaluating; and

handling the computer file in accordance with a policy associated with the category.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a determination is made regarding whether there exists a certificate chain associated with a computer file. If the certificate chain is determined to exist, then the certificate chain is evaluated by extracting information from the certificate chain and analyzing the extracted information. The computer file is then classified into one of multiple categories based on the evaluation. Finally, the computer file is handled in accordance with a policy associated with the category to which it was assigned. For example, a confirmed or suspected undesired file may be quarantined and/or an end user or an administrator may be notified regarding the confirmed or suspected undesired file.

61 Citations

View as Search Results

24 Claims

1. A method comprising:
- determining whether there exists a certificate chain associated with a computer file; and
  
  if the certificate chain is determined to exist then;
  
  evaluating the certificate chain by extracting information from the certificate chain and analyzing the extracted information;
  
  classifying the computer file into a category of a plurality of categories based on said evaluating; and
  
  handling the computer file in accordance with a policy associated with the category.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the category is indicative of the computer file being an undesired file or a file suspected of being an undesired file and wherein the associated policy quarantines or otherwise attempts to prevent the computer file from being opened.
  - 3. The method of claim 1, further comprising identifying a type and structure of the computer file and wherein said determining whether there exists a certificate chain is based upon the type and structure of the computer file.
  - 4. The method of claim 1, wherein said extracting information from the certificate chain comprises extracting the certificate chain in its entirety.
  - 5. The method of claim 1, wherein said extracting information from the certificate chain comprises extracting specific identification information from an end entity certificate of the certificate chain.
  - 6. The method of claim 5, where the extracted information may include all or part of one or more of:
    - a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information.
  - 7. The method of claim 1, where the file data is held in a memory buffer, or where the file data is held in a temporary file, or where the file is in transit across a network or where the file data exists on some other medium where it can be accessed by the detection module.
  - 8. The method of claim 1, wherein the certificate chain is part of the computer file.
  - 9. The method of claim 1, wherein the certificate chain is in a separate file from the computer file.
  - 10. The method of claim 1, where the extracted information is examined by comparing it with similar information for known undesired files.
  - 11. The method of claim 1, wherein said analyzing the extracted information includes using a digital signature and digital signature analysis method to determine if the file is suspected to be undesirable.
  - 12. The method of claim 1, wherein the computer file is in transit across a network and transfer is blocked.
  - 13. The method of claim 1, where an alert is issued to a user or administrator indicating that an undesired file was detected and possibly describing any action taken.
  - 14. The method of claim 13, wherein information about the undesired file and any action taken is entered into a log.

15. A method of detecting undesired computer files comprising:
- identifying a type and structure of a file at issue;
  
  determining whether there is a certificate chain associated with the file at issue;
  
  locating the associated certificate chain;
  
  extracting the associated certificate chain in its entirety or specific identification information from the associated certificate chain;
  
  examining the extracted information to determine if the file at issue is undesired or suspected of being undesired; and
  
  if the file at issue is found to be undesired or suspected of being undesired, advising a computer user or administrator regarding the determination or communicating other related information to the computer user or the administrator about the file at issue.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The method of claim 15, wherein the file at issue is known or suspected of being undesired and the computer user is provided with information identifying the file at issue or some indication of a degree of suspicion.
  - 17. The method of claim 16, wherein the computer user is given some indication of the degree of potential danger posed by the file.
  - 18. The method of claim 16, where the computer user is given an option to accept or reject the file at issue, or to quarantine the file at issue.
  - 19. The method of claim 15, further comprising storing the file at issue in a memory buffer, the memory buffer being a location for the file at issue to be held temporarily when the file at issue is in transit across a network, and said memory buffer allows access to the file at issue, and the memory buffer is some other medium than a main memory hierarchy of the computer user'"'"'s computer.
  - 20. The method of claim 15, wherein the file at issue comprises an electronic mail (email) attachment.
  - 21. The method of claim 15, wherein the file at issue comprises a Windows Portable Executable (PE) file requested to be downloaded to a computer system by an automated update system associated with a client application running on the computer system.
  - 22. The method of claim 15, wherein the file at issue comprises a file manually requested to be downloaded to a computer system by the computer user.
  - 23. The method of claim 15, wherein the specific identification information comprises all or part of one or more of a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information from an end entity certificate of the associated certificate chain.
  - 24. The method of claim 15, wherein the extracted information is examined by comparing it with similar information for known undesired files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
MacDonald, Alexander Douglas, Fossen, Steven Michael

Granted Patent

US 9,917,844 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2115   Third party

H04L 51/046   Interoperability with other...

H04L 51/08   Annexed information, e.g. a...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/02   for separating internal fro...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links