Detection of exploits in files

US 20090013408A1
Filed: 07/06/2007
Published: 01/08/2009
Est. Priority Date: 07/06/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method of scanning computer files for exploits, the method comprising:

maintaining a database of validation rules, in respect of each of a plurality of file formats comprising data fields having a predetermined structure, the validation rules specifying valid structure and/or content for the data fields of the respective file format;

determining the file format of respective files; and

performing, on respective files, a validation process comprising parsing the file to determine the structure and content of its data fields and validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file, a determination that a file contains an exploit being made in response to the structure and/or content of the data fields of the file failing to be validated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scanning system for scanning computer files for exploits uses a database of validation rules, in respect of each of a plurality of file formats comprising data fields having a predetermined structure, the validation rules specifying valid structure and/or content for the data fields of the respective file format. Files are analysed to determine their file format. A validation process is performed comprising parsing the file to determine the structure and content of its data fields and validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file. A file is determined to contain an exploit in response to the structure and/or content of the data fields of the file failing to be validated.

Citations

36 Claims

1. A method of scanning computer files for exploits, the method comprising:
- maintaining a database of validation rules, in respect of each of a plurality of file formats comprising data fields having a predetermined structure, the validation rules specifying valid structure and/or content for the data fields of the respective file format;
  
  determining the file format of respective files; and
  
  performing, on respective files, a validation process comprising parsing the file to determine the structure and content of its data fields and validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file, a determination that a file contains an exploit being made in response to the structure and/or content of the data fields of the file failing to be validated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A method according to claim 1, wherein, in respect of at least some of the plurality of file formats, the file format includes a file header storing information about the file, and at least one data block
  - 3. A method according to claim 2, wherein the validation rules specify valid structure and/or content of data fields of at least one of the file header and the at least one data block
  - 4. A method according to claim 2, wherein the file header contains a data field representing a tag and the validation rules specify the content of the tag.
  - 5. A method according to claim 2, wherein the file header contains at least one a data field representing a pointer pointing to a data block and the validation rules specify that the pointers point to valid points within the file.
  - 6. A method according to claim 2, wherein the file header contains a data field representing file size information about the size of the file and the validation rules specify that the file size information is compatible with the actual size of the file.
  - 7. A method according to claim 2, wherein the at least one data block includes a block header storing information about the block, and further data.
  - 8. A method according to claim 7, the validation rules specify valid structure and/or content of data fields of the block header.
  - 9. A method according to claim 7, wherein the block header contains a data field representing a tag and the validation rules specify the content of the tag.
  - 10. A method according to claim 7, wherein the block header contains at least one data field representing a pointer pointing to data blocks and the validation rules specify that the pointers point to valid points within the file.
  - 11. A method according to claim 1, whereinthe database further contains a score in respect of each of the validation rules, andsaid step of validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file comprises calculating a function of the scores of each rule which is failed by the file, the structure and/or content of the data fields of the file failing to be validated when the function exceeds a predetermined threshold.
  - 12. A method according to claim 1, further comprising, in the event that the method is found falsely to make a determination that a particular file contains an exploit, revising the validation rules in the database in respect of the file format of that particular file so that the structure and/or content of the data fields of the particular file are subsequently validated by validation process.
  - 13. A method according to claim 1, further comprising, in the event that the method is found falsely to fail to make a determination that a particular file contains an exploit, revising the validation rules in the database in respect of the file format of that particular file so that the structure and/or content of the data fields of the particular file subsequently fail to be validated by validation process.
  - 14. A method according to claim 1, further comprising storing data representing said determination or outputting a signal indicating said determination.
  - 15. A method according to claim 1, further comprising, responsive to said determination that a file contains an exploit, performing a remedial action in respect of that file.
  - 16. A method according to claim 1, wherein the files include any one or both of files capable of being rendered by an application program and files capable of being processed by an operating system.
  - 17. A method according to claim 1, wherein the files are being transferred through a node of a network.
  - 18. A method according to claim 1, wherein the files are contained in any one or more of emails, HTTP traffic, FTP traffic, and IM traffic.

19. A scanning system for scanning computer files for exploits, the system comprising:
- a database of validation rules, in respect of each of a plurality of file formats comprising data fields having a predetermined structure, the validation rules specifying valid structure and/or content for the data fields of the respective file format;
  
  a file format identifier operative to determine the file format of respective files;
  
  a validation unit operative to perform, on respective files, a validation process comprising parsing the file to determine the structure and content of its data fields and validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file, and operative to make a determination that a file contains an exploit in response to the structure and/or content of the data fields of the file failing to be validated
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. A scanning system according to claim 19, wherein, in respect of at least some of the plurality of file formats, the file format includes a file header storing information about the file, and at least one data block.
  - 21. A scanning system according to claim 20, wherein the validation rules specify valid structure and/or content of data fields of at least one of the file header and the at least one data block
  - 22. A scanning system according to claim 20, wherein the file header contains a data field representing a tag and the validation rules specify the content of the tag.
  - 23. A scanning system according to claim 20, wherein the file header contains at least one a data field representing a pointer pointing to a data block and the validation rules specify that the pointers point to valid points within the file.
  - 24. A scanning system according to claim 20, wherein the file header contains a data field representing file size information about the size of the file and the validation rules specify that the file size information is compatible with the actual size of the file.
  - 25. A scanning system according to claim 20, wherein the at least one data block includes a block header storing information about the block and further data.
  - 26. A scanning system according to claim 25, wherein the validation rules specify valid structure and/or content of data fields of the block header.
  - 27. A scanning system according to claim 25, wherein the block header contains a data field representing a tag and the validation rules specify the content of the tag.
  - 28. A scanning system according to claim 25, wherein the block header contains at least one data field representing a pointer pointing to data blocks and the validation rules specify that the pointers point to valid points within the file.
  - 29. A scanning system according to claim 19, whereinthe database further contains a score in respect of each of the validation rules, andin said validation process which the validation unit is operative to perform, said step of validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file comprises calculating a function of the scores of each rule which is failed by the file, the structure and/or content of the data fields of the file failing to be validated when the function exceeds a predetermined threshold.
  - 30. A scanning system according to claim 19, further comprising a database revision unit operative to revise the validation rules in the database in respect of the file format of a particular file found falsely to cause the validation unit to determine that the particular file contains an exploit so that the structure and/or content of the data fields of the particular file are subsequently validated by validation process.
  - 31. A scanning system according to claim 19, further comprising a database revision unit operative to revise the validation rules in the database in respect of the file format of a particular file found falsely to fail to cause the validation unit to determine that the particular file contains an exploit so that so that the structure and/or content of the data fields of the particular file subsequently fail to be validated by validation process.
  - 32. A scanning system according to claim 19, wherein the validation unit is operative to store data indicating the determination or to output a signal indicating the determination.
  - 33. A scanning system according to claim 19, further comprising a remedial action unit which is operative, responsive to the validation unit determining that a file contains an exploit, to perform a remedial action in respect of that file.
  - 34. A scanning system according to claim 19, wherein the files include any one or both of files capable of being rendered by an application program and files capable of being processed by an operating system.
  - 35. A scanning system according to claim 19, wherein the files are being transferred through a node of a network.
  - 36. A scanning system according to claim 19, wherein the files are contained in any one or more of emails, HTTP traffic, FTP traffic, and IM traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Messagelabs Limited (Gen Digital Inc.)
Inventors
Schipka, Maksym

Application Number

US11/822,533
Publication Number

US 20090013408A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

H04L 63/145 the attack involving the pr...

Detection of exploits in files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of exploits in files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links