Zero-hour quarantine of suspect electronic messages
Abstract
The zero-hour quarantine comprises a tool for flagging potentially harmful messages/files prior to having an anti-virus signature published for a particular virus. The suspect file is sent to the zero-hour quarantine and periodically scanned, giving time for creation of a signature file that would then detect the virus. An example method may include receiving and examining a message for attributes indicative of its undesirability, and assigning a threat score to the message. The method may comprise disposing of the message by comparing the threat score to first and second thresholds, and the message sent to a permanent quarantine if the threat score passes the first threshold. The message is sent to the zero-hour quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or is delivered to the recipient if the assigned threat score does not pass the first or second threshold.
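The disposition and re-examination loop described in the abstract, as an added Python sketch that is not code from the patent or its assignee. It assumes the first threshold is the higher of the two and that a score between them goes to the temporary (zero-hour) quarantine; the numeric thresholds, the SHA-256 signature set and the file-name heuristics are all hypothetical.

```python
import hashlib
from enum import Enum

class Disposition(Enum):
    DELIVER = "deliver"
    ZERO_HOUR = "temporary quarantine"
    PERMANENT = "permanent quarantine"

# Assumed values and ordering: the page gives no numbers.
FIRST_THRESHOLD = 80    # score >= this: permanent quarantine
SECOND_THRESHOLD = 40   # score >= this but < FIRST_THRESHOLD: temporary quarantine

def examine(name, payload, signatures):  # 0-100 score; rules are hypothetical
    if hashlib.sha256(payload).hexdigest() in signatures:
        return 100                       # matched a published signature
    parts = name.lower().split(".")
    score = 30 if parts[-1] in {"exe", "scr", "pif", "js"} else 0  # executable type
    if len(parts) > 2:
        score += 30                      # double extension, e.g. invoice.pdf.exe
    return score

def dispose(score):
    if score >= FIRST_THRESHOLD:
        return Disposition.PERMANENT
    if score >= SECOND_THRESHOLD:
        return Disposition.ZERO_HOUR
    return Disposition.DELIVER

def reexamine(held, signatures):
    """One periodic pass over the temporary quarantine; returns messages that left it."""
    moved = {}
    for msg_id, (name, payload) in list(held.items()):
        verdict = dispose(examine(name, payload, signatures))  # revised score
        if verdict is not Disposition.ZERO_HOUR:
            moved[msg_id] = verdict
            del held[msg_id]
    return moved

def demo():
    name, payload = "invoice.pdf.exe", b"constructed sample, not malware"
    signatures, held = set(), {}          # zero hour: no signature published yet
    first = dispose(examine(name, payload, signatures))
    if first is Disposition.ZERO_HOUR:
        held["msg-1"] = (name, payload)
    before = reexamine(held, signatures)  # nothing new known: message stays held
    signatures.add(hashlib.sha256(payload).hexdigest())  # signature published
    after = reexamine(held, signatures)
    return first, before, after, held
```

`demo()` walks one constructed message through the zero-hour window: held on heuristics alone, still held on the first rescan, then moved to permanent quarantine once a matching signature exists.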
30 Claims
1. A method of filtering electronic messages from a network comprising a sending server and a destination server, the method comprising:
- receiving an incoming electronic message from the sending server;
- examining the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message;
- assigning a threat score to the electronic message based on the examination;
- sending the message to a permanent quarantine if the revised threat score passes the first threshold, sending the message to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or delivering the message to an intended recipient if the assigned threat score does not pass the first or second threshold;
- periodically reexamining the message, if sent to the temporary quarantine, for attributes indicative of its desirability or undesirability to the intended recipient of the message, and revising the threat score based on the reexamination; and
- sending the message to a permanent quarantine if the revised threat score passes the first threshold, keeping the message in the temporary quarantine if the revised threat score does not pass the second threshold but passes the first threshold, or delivering the message to the intended recipient if the revised threat score does not pass the first or second threshold.

Dependent claims: 2, 3, 4, 5, 6, 7

8. A system for filtering electronic messages from a network comprising a sending server and a destination server, the system comprising:
- a message handler configured to receive an incoming electronic message from the sending server;
- a message filtering process in the message handler and configured to examine the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and assign a threat score to the electronic message based on the examination;
- a message disposition process in the message handler and configured to compare the assigned threat score to first and second thresholds, and then to send the message to a permanent quarantine if the assigned threat score passes the first threshold, send the message to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or send the message to an intended recipient if the assigned threat score does not pass the first or second threshold;
- wherein the message filtering process is further configured to periodically reexamine the message, if sent to the temporary quarantine, for attributes indicative of its desirability or undesirability to the intended recipient of the message, and revise the threat score based on the reexamination; and
- wherein the message disposition process is further configured to send the message to a permanent quarantine if the revised threat score passes the first threshold, send the message to a temporary quarantine if the revised threat score does not pass the second threshold but passes the second threshold, or send the message to an intended recipient if the revised threat score does not pass the first or second threshold.

Dependent claims: 9, 10, 11, 12, 13, 14

15. A method of filtering electronic messages from a network comprising a sending server and a destination server, the method comprising:
- receiving an incoming electronic message containing an attachment from the sending server;
- examining the attachment for attributes indicative of its harmfulness to an intended recipient of the electronic message;
- assigning a threat score to the electronic message or the attachment based on the examination;
- sending the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or to an intended recipient if the assigned threat score does not pass the first or second threshold;
- periodically reexamining the attachment, if sent to the temporary quarantine, for attributes indicative of its harmfulness to the intended recipient of the message, and revising the threat score based on the reexamination; and
- sending the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, keeping the message and attachment in the temporary quarantine if the revised threat score does not pass the second threshold but passes the first threshold, or delivering the message and attachment to the intended recipient if the revised threat score does not pass the first or second threshold.

Dependent claims: 16, 17, 18, 19, 20, 21, 22

23. A system for filtering electronic messages from a network comprising a sending server and a destination server, the system comprising:
- a message handler configured to receive an incoming electronic message containing an attachment from the sending server;
- a message filtering process in the message handler and configured to examine the attachment for attributes indicative of its harmfulness to an intended recipient of the electronic message, and assign a threat score to the electronic message or the attachment based on the examination;
- a message disposition process in the message handler and configured to compare the assigned threat score to first and second thresholds, and then to send the message and attachment to a permanent quarantine if the assigned threat score passes the first threshold, to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or to an intended recipient if the assigned threat score does not pass the first or second threshold;
- wherein the message filtering process is further configured to periodically reexamine the attachment, if sent to the temporary quarantine, for attributes indicative of its harmfulness to the intended recipient of the message, and revise the threat score based on the reexamination; and
- wherein the message disposition process is further configured to send the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, to a temporary quarantine if the revised threat score does not pass the second threshold but passes the second threshold, or to an intended recipient if the revised threat score does not pass the first or second threshold.

Dependent claims: 24, 25, 26, 27, 28, 29, 30

Specification