SERVER BASED MALWARE SCREENING

US 20090282483A1
Filed: 02/17/2009
Published: 11/12/2009
Est. Priority Date: 05/12/2008
Status: Active Grant

First Claim

Patent Images

1. A server device that is adapted to be coupled to a network, the server device comprising:

network interface circuitry adapted to couple the server device to a network;

computer memory; and

processing circuitry coupled to the network interface circuitry and to the computer memory wherein the network interface circuitry, the computer memory, and the processing circuitry are operable to;

register a client device with the server device, the server device being identified as a malware-scanning device for the client device;

receive data packets destined for the client device;

scan the data packets destined for the client device for the presence of malware using the resources of the server device;

provide the data packets from the server device to the client device over the network when the data packets are determined to be malware-free; and

perform corrective measures on data packets that are found to contain malware before providing the data packets to the client device for full use.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Internet infrastructure is provided to transfer a packet of data between a client device and source device. The infrastructure consists of a support server that screens the packet for malware codes on behalf of a registered client. In order to scan for malware, the support server contains hardware and/or software modules to perform malware detection and quarantine functions. The modules identify malware bit sequence in the packet(s), malware bit sequences or entire contaminated code is quarantined or repaired as appropriate. After identification of malware code (if any), the support server sends warning messages to affected parties, providing information regarding the malware codes that were detected.

Citations

25 Claims

1. A server device that is adapted to be coupled to a network, the server device comprising:
- network interface circuitry adapted to couple the server device to a network;
  
  computer memory; and
  
  processing circuitry coupled to the network interface circuitry and to the computer memory wherein the network interface circuitry, the computer memory, and the processing circuitry are operable to;
  
  register a client device with the server device, the server device being identified as a malware-scanning device for the client device;
  
  receive data packets destined for the client device;
  
  scan the data packets destined for the client device for the presence of malware using the resources of the server device;
  
  provide the data packets from the server device to the client device over the network when the data packets are determined to be malware-free; and
  
  perform corrective measures on data packets that are found to contain malware before providing the data packets to the client device for full use.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The server device of claim 1 wherein the data packets contain Internet data requested by an Internet browser associated with the client device.
  - 3. The server device of claim 1 wherein the server device is a device selected from the group consisting of:
    - a server computer, a blade within a server, a dedicated CPU within a server, a virtual machine within a server, or a plurality of the foregoing.
  - 4. The server device of claim 1 wherein the client device is a thin client device that does not contain malware detection software, wherein the server device performs all the malware detection operations for the client device.
  - 5. The server device of claim 1 wherein the data transmitted from the server device to the client device that is malware free is associated with a signature and encrypted whereby the client device can ensure that the malware free data that was present on the server device is the same data that arrives at the client device.
  - 6. The server device of claim 1 wherein server device contains a digital signature detection module to authenticate digital signatures from data provided from trusted download sources, whereby if a digital signature is properly processed for authenticity, then the server device can forgo certain malware scanning on the data.
  - 7. The server device of claim 1 wherein server device contains a quarantine space of computer memory that is at least partially isolated and protected from certain resources within the server device that can be adversely affected by malware, wherein the data is scanned within the quarantine space and not released from the quarantine space until malware scanning is completed.
  - 8. The server device of claim 1 wherein server device contains software within the computer memory that scans the data for all of adware, spyware, and viruses before releasing the data for use by the client device.
  - 9. The server device of claim 1 wherein server device informs a user of the client device that certain malware was found within the data.
  - 10. The server device of claim 9 wherein server device attempts to remedy the malware to create corrected data and provide the corrected data from the server device to the client device.
  - 11. The server device of claim 9 wherein server device destroys or isolates the data if infected with malware and informs the user that the data will not be provided to the client device.
  - 12. The server device of claim 9 wherein server device notifies the source of the data that a malware scan of the data is required because malware was found to be present within the data.
  - 13. The server device of claim 9 wherein the user at the client device can override protective measures at the server device and request the data even though the user was informed that the data contains malware.
  - 14. The server device of claim 1 wherein the client device scans the data again upon receipt from the server device for malware content within the data, wherein the malware scan performed on the server is more comprehensive and computer intensive than the malware scan performed on the client device.
  - 15. The server device of claim 1 wherein the data is first sent to the client device whereby the client device routes the data to the server device for malware scanning before using the data within the client device.
  - 16. The server device of claim 1 wherein the data is first sent to the server device when requested by the client device whereby the server device scans the data for malware before sending the data to the client device.
  - 17. The server device of claim 1 wherein the data is sent by a source of the data to both the client device and the server device whereby the client device does not fully use or access the data until the server device verifies for the client device that the data is malware-free and gives the client device a signal indicative thereof.
  - 18. The server device of claim 1 wherein the data is encrypted when received by the server device whereby the data is decrypted before scanning the data for malware, and then re-encrypted for transmission of the data from the server device.

19. A support server that is adapted to communicate with a client device to malware certify data provided from a source device, the support server comprising:
- transmission circuitry for receiving the data in at least one data packet after the client device requests a transfer of the data between the source device and the client device;
  
  malware identification module for scanning the data for the presence of malware;
  
  a digital signature detection module within local memory for receiving and processing signatures associated with the data, wherein a receipt and authentication of a signature may allow the support server to simplify or eliminate certain malware detection processes;
  
  at least one malware detection module within local memory for maintaining malware information to help the malware identification module detect malware within the data;
  
  a quarantine memory space within the local memory for containing the data while malware processing is performed;
  
  a permanent quarantine area as part of the local memory for permanently quarantining data that has been contaminated with malware and has not been rendered malware-free; and
  
  a communication module as part of the local memory for communicating between at least one of either the client device and the source device a malware status of data.

20. A method for detecting malware within data by using a support server to scan the data for malware for the benefit of at least one client device, the method comprising the steps of:
- registering the at least one client device with the support server, whereby the support server is notified that the support server is to process malware on behalf of the at least one client device;
  
  receiving, at the support server, a request from the client device for a download of data;
  
  passing on the request to download the data to a source device from the support server;
  
  receiving, within the support server, the data from a download from the source device;
  
  performing malware analysis on the data what was downloaded within the support server;
  
  identifying and detecting malware codes, if any, within the data while the data is resident within the support server; and
  
  sending the data from the support server to the client device for use by the client device if malware codes are not detected or can be removed effectively from the data by the support server.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The method of claim 20 wherein the step of sending the data from the support server to the client device also sends data that is contaminate with malware code if the user at the client device is notified of the presence of the malware within the data, agrees to accept the data anyway, and the client device takes precautions to deal with the malware that is present.
  - 22. The method of claim 20 wherein the data is encrypted when received from the source device at the support server and wherein the support server decrypts the data with a public key, scans the data for malware while in an unencrypted state, then re-encrypts the data for provision to the client device.
  - 23. The method of claim 20 wherein the data is associated with a digital signature wherein the digital signature can be processed by the support server and, if authenticated, allow the support server to bypass at least some of the malware analysis.
  - 24. The method of claim 20 wherein the support server contains a quarantine space which maintains the data while malware analysis is performed, the quarantine space being constrained in certain secure manners so that any malware that may be within the data is not harmful to the support server.
  - 25. The method of claim 24 wherein the support server can create a virtual machine having a safe environment within the quarantine space and allow the data to operate within the virtual machine to detect malware operations within the safe environment of the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
Enpulz LLC
Inventors
Bennett, James D.

Granted Patent

US 8,291,496 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/565   by checking file integrity

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

SERVER BASED MALWARE SCREENING

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

SERVER BASED MALWARE SCREENING

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links