DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES
First Claim

1. A computer-implemented method comprising:

receiving an electronic mail (email) message having attached thereto a self-extracting archive file, the self-extracting archive file including a header portion that is unencrypted and uncompressed and a file data portion containing contents of one or more files in compressed form; and

prior to delivery of the email message to an intended recipient, determining whether any of the one or more files may be malicious or undesired files by causing the self-extracting archive file to be processed by an anti-virus detection module executing on a computer system, including:

determining a type of archive file and associated structure of the self-extracting archive file by examining one or more identification bytes stored within the header portion that identify the type of archive file;

based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header portion describing characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in the compressed form; and

identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.
Abstract
Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file.
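The header-only check the abstract describes, worked through for the ZIP family that most self-extracting Windows archives are built on. This is an added example and not the patentee's implementation: it locates the ZIP identification bytes, walks the central directory (which is stored uncompressed, and in plaintext even when entry data is deflated or ZipCrypto-encrypted), pulls each contained file's CRC-32, compressed size and uncompressed size without inflating anything, and matches them against a signature table. The SFX stub, the attachment, the "known undesired" sample and the signature derived from it are all constructed here so the script runs offline; the names `parse_central_directory`, `scan_sfx` and `build_sample_sfx` are this example's own.

```python
"""Header-only scan of a self-extracting ZIP attachment (added example).

Parses the ZIP central directory directly (PKWARE APPNOTE layout) instead
of extracting, so no entry is inflated or decrypted before matching.
"""
import io
import struct
import zipfile
import zlib

# ZIP identification bytes: central directory file header and
# end-of-central-directory (EOCD) record signatures.
CDIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte fixed part of a central directory entry
EOCD_FMT = "<4sHHHHIIH"           # 22-byte fixed part of the EOCD record


def signature_of(blob: bytes) -> tuple[int, int]:
    """Detection signature used here: (CRC-32, uncompressed size)."""
    return (zlib.crc32(blob), len(blob))


# Constructed "known undesired" sample (not real malware). A real engine ships
# only the derived pairs; the sample is kept so the example is self-contained.
KNOWN_BAD_SAMPLE = b"MZ" + b"constructed dropper body, not real malware\n" * 16
SIGNATURES = {signature_of(KNOWN_BAD_SAMPLE)}


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record, which sits at the end of the file behind an
    optional comment of at most 65535 bytes, so only the tail is searched."""
    window = min(len(data), 22 + 0xFFFF)
    idx = data.rfind(EOCD_SIG, len(data) - window)
    if idx < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP archive")
    return idx


def parse_central_directory(data: bytes):
    """Return (stub_length, entries) read purely from the header portion.

    The central directory always carries the real CRC-32 and sizes, even for
    entries whose local header defers them to a data descriptor (flag bit 3),
    which is why it is parsed here rather than the local file headers.
    """
    eocd = find_eocd(data)
    _, _, _, _, n_entries, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    cd_start = eocd - cd_size
    # An SFX stub is prepended to the ZIP data, but cd_offset stays relative
    # to the ZIP data itself, so the difference is the stub length.
    stub_len = cd_start - cd_offset
    if cd_start < 0 or stub_len < 0:
        raise ValueError("central directory offset/size inconsistent with file length")
    entries = []
    pos = cd_start
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (_, _, _, flags, method, _, _, crc, csize, usize,
         name_len, extra_len, comment_len, _, _, _, _) = struct.unpack_from(CDIR_FMT, data, pos)
        if 0xFFFFFFFF in (csize, usize):
            raise ValueError("ZIP64 sizes are not handled by this example")
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        entries.append({
            "name": name,
            "crc32": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "method": method,                  # 0 = stored, 8 = deflate
            "encrypted": bool(flags & 0x1),    # headers stay readable either way
        })
        pos += 46 + name_len + extra_len + comment_len
    return stub_len, entries


def scan_sfx(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Names of contained files whose header values match a signature."""
    _, entries = parse_central_directory(data)
    return [e["name"] for e in entries
            if (e["crc32"], e["uncompressed_size"]) in signatures]


def build_sample_sfx() -> bytes:
    """Constructed attachment: a fake SFX stub followed by a deflated ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"harmless cover text")
        zf.writestr("setup.exe", KNOWN_BAD_SAMPLE)
    stub = b"MZ" + b"\x00" * 62 + b"constructed SFX stub, not a real executable\n"
    return stub + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_sfx()
    stub_len, entries = parse_central_directory(sample)
    print(f"SFX stub length: {stub_len} bytes")
    for e in entries:
        print(e)
    print("flagged:", scan_sfx(sample))
```

Two caveats a practitioner would attach to this kind of pre-filter. First, the central directory is attacker-controlled metadata: the engine matches on what the header claims, so a match is only a reason to extract and verify, and a non-match proves nothing, since CRC-32 is linear and a file can be padded to any chosen CRC-32 and size in milliseconds. Second, the fields are not always present: WinZip AE-2 encryption stores 0 in the CRC field, and ZIP64 entries move the sizes into an extra field, which the example refuses rather than misreads. The same uncompressed-size field does give a cheap zip-bomb guard before any extraction is attempted, which is the other reason to read the header first.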
22 Claims
1. A computer-implemented method comprising:

receiving an electronic mail (email) message having attached thereto a self-extracting archive file, the self-extracting archive file including a header portion that is unencrypted and uncompressed and a file data portion containing contents of one or more files in compressed form; and

prior to delivery of the email message to an intended recipient, determining whether any of the one or more files may be malicious or undesired files by causing the self-extracting archive file to be processed by an anti-virus detection module executing on a computer system, including:

determining a type of archive file and associated structure of the self-extracting archive file by examining one or more identification bytes stored within the header portion that identify the type of archive file;

based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header portion describing characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in the compressed form; and

identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a computer system, cause the one or more processors to perform content filtering, the method comprising:

receiving an electronic mail (email) message having attached thereto a self-extracting archive file, the self-extracting archive file including a header portion that is unencrypted and uncompressed and a file data portion containing contents of one or more files in compressed form; and

prior to delivery of the email message to an intended recipient, determining whether any of the one or more files may be malicious or undesired files by causing the self-extracting archive file to be processed by an anti-virus detection module executing on a processor of the one or more processors, including:

determining a type of archive file and associated structure of the self-extracting archive file by examining one or more identification bytes stored within the header portion that identify the type of archive file;

based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header portion describing characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in the compressed form; and

identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
Specification