SYSTEM AND METHOD FOR DETECTING A FILE EMBEDDED IN AN ARBITRARY LOCATION AND DETERMINING THE REPUTATION OF THE FILE

US 20130097661A1
Filed: 10/18/2011
Published: 04/18/2013
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying a file format identifier associated with a beginning of a file;

parsing the file based on the file format identifier to identify an end of the file; and

calculating a hash value from the beginning of the file to the end of the file.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes identifying a file format identifier associated with a beginning of a file, parsing the file based on the file format identifier until an end of the file is identified, and calculating a hash from the beginning of the file to the end of the file. The method may also include sending the hash to a reputation system and taking a policy action based on the hash'"'"'s reputation received from the reputation system.

Citations

20 Claims

1. A method, comprising:
- identifying a file format identifier associated with a beginning of a file;
  
  parsing the file based on the file format identifier to identify an end of the file; and
  
  calculating a hash value from the beginning of the file to the end of the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - sending the hash value to a reputation system;
      
      receiving a reputation value associated with the hash value; and
      
      taking a policy action based on the reputation value.
  - 3. The method of claim 1, wherein the file is a binary file.
  - 4. The method of claim 1, wherein:
    - the file is an executable file; and
      
      the file format identifier is a string comprising “
      
      MZ”
      
      .
  - 5. The method of claim 1, wherein:
    - the file is an executable file; and
      
      the file format identifier is a string comprising “
      
      PE00”
      
      .
  - 6. The method of claim 1, wherein parsing the file comprises parsing a header in the file to determine a size of the file.
  - 7. The method of claim 1, wherein:
    - the file is an executable file;
      
      the file format identifier is a string comprising “
      
      MZ”
      
      ; and
      
      parsing the file comprises parsing a header in the file to determine a size of the file.
  - 8. The method of claim 1, wherein parsing the file comprises parsing a header in the file to detect a certificate associated with the file.
  - 9. The method of claim 1, wherein the file is embedded in a network flow.
  - 10. The method of claim 1, wherein the file is embedded in a network flow with a container and the file is parsed without parsing the container.
  - 11. The method of claim 1, wherein the hash value is calculated with a hash function selected to minimize a false positive match with malware if the hash value is incorrect.

12. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- identifying a file format identifier associated with a beginning of a file;
  
  parsing the file based on the file format identifier to identify an end of the file; and
  
  calculating a hash value from the beginning of the file to the end of the file.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The encoded logic of claim 12, wherein the operations further comprise:
    - sending the hash value to a reputation system;
      
      receiving a reputation value associated with the hash value; and
      
      taking a policy action based on the reputation value.
  - 14. The encoded logic of claim 12, wherein the file is a binary file.
  - 15. The encoded logic of claim 12, wherein:
    - the file is an executable file; and
      
      the file format identifier is a string comprising “
      
      MZ”
      
      .
  - 16. The encoded logic of claim 12, wherein:
    - the file is an executable file; and
      
      the file format identifier is a string comprising “
      
      PE00”
      
      .

17. An apparatus, comprising:
- one or more processors operable to execute instructions associated with file detection module such that the apparatus is configured for;
  
  identifying a file format identifier associated with a beginning of a file;
  
  parsing the file based on the file format identifier to identify an end of the file; and
  
  calculating a hash value from the beginning of the file to the end of the file.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, wherein the apparatus is further configured for:
    - sending the hash value to a reputation system;
      
      receiving a reputation value associated with the hash value; and
      
      taking a policy action based on the reputation value.
  - 19. The apparatus of claim 17, wherein the file is a binary file.
  - 20. The apparatus of claim 17, wherein:
    - the file is an executable file; and
      
      the file format identifier is a string comprising “
      
      MZ”
      
      .

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ma, Denys Lok Hang, Pathak, Swapnil, Mahadik, Vinay

Granted Patent

US 8,650,638 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

SYSTEM AND METHOD FOR DETECTING A FILE EMBEDDED IN AN ARBITRARY LOCATION AND DETERMINING THE REPUTATION OF THE FILE

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING A FILE EMBEDDED IN AN ARBITRARY LOCATION AND DETERMINING THE REPUTATION OF THE FILE

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links