Zero-hour quarantine of suspect electronic messages

US 20090064329A1
Filed: 06/25/2008
Published: 03/05/2009
Est. Priority Date: 06/25/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method of filtering electronic messages from a network comprising a sending server and a destination server, the method comprising:

receiving an incoming electronic message from the sending server;

examining the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message;

assigning a threat score to the electronic message based on the examination;

sending the message to a permanent quarantine if the revised threat score passes the first threshold, sending the message to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or delivering the message to an intended recipient if the assigned threat score does not pass the first or second threshold;

periodically reexamining the message, if sent to the temporary quarantine, for attributes indicative of its desirability or undesirability to the intended recipient of the message, and revising the threat score based on the reexamination; and

sending the message to a permanent quarantine if the revised threat score passes the first threshold, keeping the message in the temporary quarantine if the revised threat score does not pass the second threshold but passes the first threshold, or delivering the message to the intended recipient if the revised threat score does not pass the first or second threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The zero-hour quarantine comprises a tool for flagging potentially harmful messages/files prior to having an anti-virus signature published for a particular virus. The suspect file is sent to the zero-hour quarantine and periodically scanned, giving time for creation of a signature file that would then detect the virus. An example method may include receiving and examining a message for attributes indicative of its undesirability, and assigning a threat score to the message. The method may comprise disposing of the message by comparing the threat score to first and second thresholds, and the message sent to a permanent quarantine if the threat score passes the first threshold. The message is sent to the zero-hour quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or is delivered to the recipient if the assigned threat score does not pass the first or second threshold.

Citations

30 Claims

1. A method of filtering electronic messages from a network comprising a sending server and a destination server, the method comprising:
- receiving an incoming electronic message from the sending server;
  
  examining the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message;
  
  assigning a threat score to the electronic message based on the examination;
  
  sending the message to a permanent quarantine if the revised threat score passes the first threshold, sending the message to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or delivering the message to an intended recipient if the assigned threat score does not pass the first or second threshold;
  
  periodically reexamining the message, if sent to the temporary quarantine, for attributes indicative of its desirability or undesirability to the intended recipient of the message, and revising the threat score based on the reexamination; and
  
  sending the message to a permanent quarantine if the revised threat score passes the first threshold, keeping the message in the temporary quarantine if the revised threat score does not pass the second threshold but passes the first threshold, or delivering the message to the intended recipient if the revised threat score does not pass the first or second threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, further comprising sending a notification message to the intended recipient when the incoming message is sent to the temporary quarantine.
  - 3. A method according to claim 1, wherein if the message is sent to the temporary quarantine and the attributes comprise an attachment, the method further comprising stripping the attachment from the message and delivering the message to the intended recipient.
  - 4. A method according to claim 1, wherein if the electronic message is sent to the temporary quarantine and the attributes comprise an attachment, sending the attachment to a virus laboratory for examination of the attachment.
  - 5. A method according to claim 1, wherein if the electronic message is sent to the temporary quarantine and the attributes comprise an attachment, sending the attachment to a testing area for executing the attachment.
  - 6. A method according to claim 1, wherein an attribute of the incoming message is an executable file, the method further comprising assigning a threat score to the message that will pass the second threshold such that the message will be sent to the temporary quarantine.
  - 7. A method according to claim 1, wherein the attributes examined are selected from the group consisting of:
    - an attachment to the incoming message;
      
      a count of the number of intended recipients of the incoming message;
      
      a virus in the incoming message;
      
      a worm in the incoming message;
      
      a count of the number of sources sending a message substantially similar to the incoming message;
      
      count of connection attempts from a source IP address sending the incoming message;
      
      count of current open connections from a source IP address sending the incoming message;
      
      duration of connection from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message;
      
      size of the incoming message;
      
      count of spam messages from a source IP address sending the incoming message;
      
      count of virus infected messages from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message having a previous unwanted binary attachment;
      
      count of messages from a source IP address sending the incoming message previously determined to have unwanted content; and
      
      count of messages from a source IP address sending the incoming message which were previously blocked, black-holed, spooled, or quarantined.

8. A system for filtering electronic messages from a network comprising a sending server and a destination server, the system comprising:
- a message handler configured to receive an incoming electronic message from the sending server;
  
  a message filtering process in the message handler and configured to examine the electronic message for attributes indicative of its desirability or undesirability to an intended recipient of the electronic message, and assign a threat score to the electronic message based on the examination;
  
  a message disposition process in the message handler and configured to compare the assigned threat score to first and second thresholds, and then to send the message to a permanent quarantine if the assigned threat score passes the first threshold, send the message to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or send the message to an intended recipient if the assigned threat score does not pass the first or second threshold;
  
  wherein the message filtering process is further configured to periodically reexamine the message, if sent to the temporary quarantine, for attributes indicative of its desirability or undesirability to the intended recipient of the message, and revise the threat score based on the reexamination; and
  
  wherein the message disposition process is further configured to send the message to a permanent quarantine if the revised threat score passes the first threshold, send the message to a temporary quarantine if the revised threat score does not pass the second threshold but passes the second threshold, or send the message to an intended recipient if the revised threat score does not pass the first or second threshold.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A system according to claim 8, wherein the message handler is further configured to send a notification message to the intended recipient when the incoming message is sent to the temporary quarantine.
  - 10. A system according to claim 8, wherein if the disposition process sends the electronic message to the temporary quarantine and the attributes comprise an attachment, the disposition process is further configured to strip the attachment from the message and deliver the message to the intended recipient.
  - 11. A system according to claim 8, further comprising a network portal associated with the message handler and accessible by a user via a computer network, the network portal configured to display to the user information representing at least a portion of an electronic message sent to the temporary quarantine.
  - 12. A system according to claim 11, wherein the portal further provides the user the ability to cause disposition process to deliver a message sent to the temporary quarantine to the intended recipient.
  - 13. A system according to claim 8, wherein an attribute of the incoming message is an executable file, the filtering process further configured to assign a threat score to the message that will pass the second threshold such that the disposition process will send the message to the temporary quarantine.
  - 14. A system according to claim 8, wherein the attributes examined are selected from the group consisting of:
    - an attachment to the incoming message;
      
      a count of the number of intended recipients of the incoming message;
      
      a virus in the incoming message;
      
      a worm in the incoming message;
      
      a count of the number of sources sending a message substantially similar to the incoming message;
      
      count of connection attempts from a source IP address sending the incoming message;
      
      count of current open connections from a source IP address sending the incoming message;
      
      duration of connection from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message;
      
      size of the incoming message;
      
      count of spam messages from a source IP address sending the incoming message;
      
      count of virus infected messages from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message having a previous unwanted binary attachment;
      
      count of messages from a source IP address sending the incoming message previously determined to have unwanted content; and
      
      count of messages from a source IP address sending the incoming message which were previously blocked, black-holed, spooled, or quarantined.

15. A method of filtering electronic messages from a network comprising a sending server and a destination server, the method comprising:
- receiving an incoming electronic message containing an attachment from the sending server;
  
  examining the attachment for attributes indicative of its harmfulness to an intended recipient of the electronic message;
  
  assigning a threat score to the electronic message or the attachment based on the examination;
  
  sending the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or to an intended recipient if the assigned threat score does not pass the first or second threshold;
  
  periodically reexamining the attachment, if sent to the temporary quarantine, for attributes indicative of its harmfulness to the intended recipient of the message, and revising the threat score based on the reexamination; and
  
  sending the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, keeping the message and attachment in the temporary quarantine if the revised threat score does not pass the second threshold but passes the first threshold, or delivering the message and attachment to the intended recipient if the revised threat score does not pass the first or second threshold.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. A method according to claim 15, further comprising sending a notification message to the intended recipient when the incoming message and attachment are sent to the temporary quarantine.
  - 17. A method according to claim 15, wherein if the electronic message and attachment are sent to the temporary quarantine, sending the attachment to a virus laboratory for examination of the attachment.
  - 18. A method according to claim 15, wherein if the electronic message and attachment are sent to the temporary quarantine, sending the attachment to a testing area for executing the attachment.
  - 19. A method according to claim 15, wherein if the electronic message and attachment are sent to the temporary quarantine, stripping the attachment from the message and delivering the message to the intended recipient.
  - 20. A method according to claim 15, wherein the examining is selected from the group consisting of:
    - binary scanning,filename scanning, orextension name scanning.
  - 21. A method according to claim 15, wherein the attachment is an executable file, the method further comprising assigning a threat score that will pass the second threshold such that the message and attachment are sent to the temporary quarantine.
  - 22. A method according to claim 15, wherein attributes examined to determine the harmfulness of the attachment are selected from the group consisting of:
    - a count of the number of intended recipients of the incoming message;
      
      a virus in the attachment;
      
      a worm in the attachment;
      
      a count of the number of sources sending a message and attachment substantially similar to the incoming message and attachment;
      
      count of connection attempts from a source IP address sending the incoming message;
      
      count of current open connections from a source IP address sending the incoming message;
      
      duration of connection from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message;
      
      size of the incoming message or attachment;
      
      count of spam messages from a source IP address sending the incoming message;
      
      count of virus infected messages from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message having a previous unwanted binary attachment;
      
      count of messages from a source IP address sending the incoming message previously determined to have unwanted content; and
      
      count of messages from a source IP address sending the incoming message which were previously blocked, black-holed, spooled, or quarantined.

23. A system for filtering electronic messages from a network comprising a sending server and a destination server, the system comprising:
- a message handler configured to receive an incoming electronic message containing an attachment from the sending server;
  
  a message filtering process in the message handler and configured to examine the attachment for attributes indicative of its harmfulness to an intended recipient of the electronic message, and assign a threat score to the electronic message or the attachment based on the examination;
  
  a message disposition process in the message handler and configured to compare the assigned threat score to first and second thresholds, and then to send the message and attachment to a permanent quarantine if the assigned threat score passes the first threshold, to a temporary quarantine if the assigned threat score does not pass the second threshold but passes the second threshold, or to an intended recipient if the assigned threat score does not pass the first or second threshold;
  
  wherein the message filtering process is further configured to periodically reexamine the attachment, if sent to the temporary quarantine, for attributes indicative of its harmfulness to the intended recipient of the message, and revise the threat score based on the reexamination; and
  
  wherein the message disposition process is further configured to send the message and attachment to a permanent quarantine if the revised threat score passes the first threshold, to a temporary quarantine if the revised threat score does not pass the second threshold but passes the second threshold, or to an intended recipient if the revised threat score does not pass the first or second threshold.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. A system according to claim 23, wherein the message handler is further configured to send a notification message to the intended recipient when the incoming message is sent to the temporary quarantine.
  - 25. A system according to claim 23, further comprising a network portal associated with the message handler and accessible by a user via a computer network, the network portal configured to display to the user information representing at least a portion of an electronic message sent to the temporary quarantine.
  - 26. A system according to claim 25, wherein the portal further provides the user the ability to cause disposition process to deliver a message and attachment sent to the temporary quarantine to the intended recipient.
  - 27. A system according to claim 23, wherein the disposition process is further configured to strip the attachment from the message and deliver the message to the intended recipient if the message and attachment are sent to the temporary quarantine.
  - 28. A system according to claim 23, wherein the filtering process examines the incoming message using at least one selected from the group consisting of:
    - binary scanning,filename scanning, orextension name scanning.
  - 29. A system according to claim 23, wherein the attachment is an executable file, the filtering process further configured to assign a threat score that will pass the second threshold such that the disposition process will send the message and attachment to the temporary quarantine.
  - 30. A system according to claim 23, wherein attributes examined to determine the harmfulness of the attachment are selected from the group consisting of:
    - a count of the number of intended recipients of the incoming message;
      
      a virus in the attachment;
      
      a worm in the attachment;
      
      a count of the number of sources sending a message and attachment substantially similar to the incoming message and attachment;
      
      count of connection attempts from a source IP address sending the incoming message;
      
      count of current open connections from a source IP address sending the incoming message;
      
      duration of connection from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message;
      
      size of the incoming message or attachment;
      
      count of spam messages from a source IP address sending the incoming message;
      
      count of virus infected messages from a source IP address sending the incoming message;
      
      count of messages from a source IP address sending the incoming message having a previous unwanted binary attachment;
      
      count of messages from a source IP address sending the incoming message previously determined to have unwanted content; and
      
      count of messages from a source IP address sending the incoming message which were previously blocked, black-holed, spooled, or quarantined.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Inc. (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Cunningham, James, Gutekunst, Carl S., Larin, Dmitriy Y., Chen, Erik S., Dawes, Adam S., Lund, Peter K., Petry, Scott M., Okumura, Kenneth K.

Application Number

US12/146,333
Publication Number

US 20090064329A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/102   Entity profiles

H04L 63/145   the attack involving the pr...

Zero-hour quarantine of suspect electronic messages

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Zero-hour quarantine of suspect electronic messages

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links