Centralized Scanner Database With Qptimal Definition Distribution Using Network Queries

US 20090293125A1
Filed: 05/21/2008
Published: 11/26/2009
Est. Priority Date: 05/21/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malware, comprising:

applying a filter to an input file to detect if the input file has characteristics matching those of a malware definition in a set of known malware definitions;

responsive to the input file having characteristics matching those of the malware definition based on applying the filter, scanning the input file using the malware definition; and

determining if the input file comprises malware based on the scanning.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method detects malware on client devices based on partially distributed malware definitions from a central server. A server stores malware definitions for known malware. The server generates one or more filters based on the malware definitions and distributes the filter(s) to client devices. The server also distributes full definitions to the clients for a subset of the most commonly detected malware. The client device scans files for malware by first applying the filter to a file. If the filter outputs a positive detection, the client scans the file using the full definition to determine if the file comprises malware. If the full definition is not stored locally by the client, the client queries the server for the definition and then continues the scanning process.

166 Citations

20 Claims

1. A computer-implemented method for detecting malware, comprising:
- applying a filter to an input file to detect if the input file has characteristics matching those of a malware definition in a set of known malware definitions;
  
  responsive to the input file having characteristics matching those of the malware definition based on applying the filter, scanning the input file using the malware definition; and
  
  determining if the input file comprises malware based on the scanning.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - responsive to the input file having characteristics matching those of the malware definition based on applying the filter, determining if the malware definition is stored locally; and
      
      responsive to the malware definition not being stored locally, querying a central server to obtain the malware definition.
  - 3. The method of claim 1, further comprising:
    - receiving by a client device, a subset of known malware definitions from the set of known malware definitions;
      
      receiving the filter, wherein the filter is based on multiple malware definitions from the set of known malware definitions; and
      
      locally storing the filter and the subset of known malware definitions at the client device.
  - 4. The method of claim 3, wherein the subset of known malware definitions received for locally storing include malware definitions for malware most likely to be detected by the client device.
  - 5. The method of claim 1, further comprising:
    - receiving an update from a central server comprising an updated filter generated based on an updated set of known malware.
  - 6. The method of claim 1, wherein the filter comprises a Bloom filter adapted to compute hash functions on the input file, wherein the output of the hash functions indicate if the input file has characteristics matching any of the set of known malware definitions.
  - 7. The method of claim 6, wherein applying the Bloom filter to the input file can produce a false positive detection of malware but cannot produce a false negative detection.
  - 8. The method of claim 1, wherein the filter is generated according to steps comprising:
    - computing hash functions on each malware definition; and
      
      defining the filter based on the outputs of the hash functions.

9. A computer program product for detecting malware, the computer program product comprising a computer-readable storage medium containing computer program code for:
- applying a filter to an input file to detect if the input file has characteristics matching those of a malware definition in a set of known malware definitions;
  
  responsive to the input file having characteristics matching those of the malware definition based on applying the filter, scanning the input file using the malware definition; and
  
  determining if the input file comprises malware based on the scanning.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein the computer-readable storage medium further contains computer program code for:
    - responsive to the input file having characteristics matching those of the malware definition based on applying the filter, determining if the malware definition is stored locally; and
      
      responsive to the malware definition not being stored locally, querying a central server to obtain the malware definition.
  - 11. The computer program product of claim 9, wherein the computer-readable storage medium further contains computer program code for:
    - receiving by a client device, a subset of known malware definitions from the set of known malware definitions;
      
      receiving the filter, wherein the filter is based on multiple malware definitions in the set of known malware definitions; and
      
      locally storing the filter and the subset of known malware definitions at the client device.
  - 12. The computer program product of claim 11, wherein the subset of known malware definitions received for locally storing include malware definitions for malware most likely to be detected by the client device.
  - 13. The computer program product of claim 9, wherein the computer-readable storage medium further contains computer program code for:
    - receiving an update from a central server comprising an updated filter generated based on an updated set of known malware.
  - 14. The computer program product of claim 9, wherein the filter comprises a Bloom filter adapted to compute hash functions on the input file, wherein the output of the hash functions indicate if the input file has characteristics matching any of the set of known malware definitions.
  - 15. The computer program product of claim 14, wherein applying the Bloom filter to the input file can produce a false positive detection of malware but cannot produce a false negative detection.
  - 16. The computer program product of claim 9, wherein the filter is generated according to steps comprising:
    - computing hash functions on each malware definition; and
      
      defining the filter based on the outputs of the hash functions.

17. A method for distributing malware definitions to a client device, comprising:
- generating a filter from a set of known malware definitions, wherein the filter detects if an input file has characteristics matching those of the set of known malware definitions;
  
  distributing the filter to the client device; and
  
  distributing a subset of malware definitions from the set of known malware definitions used to generate the filter to the client device together with the filter.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - receiving a query from the client device for a definition not in the subset of known malware definitions distributed to the client; and
      
      responsive to the query, transmitting the queried definition to the client device.
  - 19. The method of claim 17, further comprising:
    - evaluating the set of known malware definitions to determine the subset of known malware definitions to distribute to the client device, wherein the subset comprises malware definitions most likely to be detected by the client device.
  - 20. The method of claim 17, further comprising:
    - updating the subset of known malware definitions to distribute to the client device based on a frequency of queries for malware definitions from the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter

Granted Patent

US 8,214,977 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

H04L 63/1416   Event detection, e.g. attac...

Centralized Scanner Database With Qptimal Definition Distribution Using Network Queries

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized Scanner Database With Qptimal Definition Distribution Using Network Queries

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links