DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES
First Claim
1. A method comprising:
receiving, by an electronic mail (email) security system, logically interposed between an external network and a plurality of host systems within a private network, an inbound email message;
when the inbound email message includes an attachment, processing the attachment by an antivirus detection module running on the electronic mail (email) security system, including:
identifying a type and structure of the attachment by examining relevant locations in the attachment for one or more primary identification bytes that are indicative of the attachment being of a particular executable file format;
determining a location of the certificate chain with respect to the attachment based on the identified type and structure;
forming a signature of the attachment by extracting a targeted subset of information from the certificate chain based on the type and structure of the attachment;
evaluating the attachment by comparing the signature with a set of signatures having a known desirable or undesirable status;
classifying the attachment into a category of a plurality of categories based on a result of said evaluating; and
when the category of the attachment is indicative of files associated therewith being malicious or being suspected of being malicious, a policy associated with the category causes the email security system to quarantine, block or otherwise attempt to prevent the attachment from being delivered to an end user of one of the plurality of host systems to which the inbound email message is addressed.
Abstract
Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a file having associated therewith a certificate chain is received. A type and structure of the file are identified. A location of the certificate chain is determined based on the identified type and structure. A signature of the file is formed by extracting a targeted subset of information from the certificate chain. The file is evaluated by comparing the signature with a set of signatures having a known desirable or undesirable status. The file is classified based on a result of the evaluating into a category of multiple categories, including one indicative of an associated file being an undesired file or a file suspected of being undesired. The file is handled in accordance with a policy associated with the category.
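The following Python is an added illustration of the claimed pipeline and is not code from the patent or from any product it covers. It walks the steps of claim 1 against the documented Windows PE/Authenticode layout: the primary identification bytes are the MZ and PE\0\0 markers plus the optional-header magic; the certificate chain location comes from data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY), whose address field is a raw file offset; the table itself is a WIN_CERTIFICATE wrapper around a PKCS#7 SignedData blob. Assumptions beyond the page: a SHA-256 over the PKCS#7 blob stands in for the "targeted subset" (a deployed scanner would parse out the signer certificate's issuer, serial number or thumbprint instead), the category names and the POLICY table are invented, and build_sample_pe produces constructed test data rather than a real binary.

```python
"""Added illustration: locate and fingerprint a PE attachment's certificate table."""
import hashlib
import struct

# Per the PE/COFF spec, data directory entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY.
SECURITY_DIR_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds PKCS#7 SignedData

# Assumed policy table (not from the patent): action taken per category.
POLICY = {
    "known_bad": "quarantine",
    "unknown_signer": "hold_for_further_scanning",
    "unsigned": "hold_for_further_scanning",
    "known_good": "deliver",
    "not_executable": "deliver",
}


def identify_type(data: bytes) -> str:
    """Step 1: check the primary identification bytes (MZ, PE\\0\\0, optional-header magic)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 26:
        return "unknown"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")


def locate_certificate_table(data: bytes, kind: str):
    """Step 2: (file offset, size) of the certificate table, or None when absent.

    Data directories begin 96 bytes into a PE32 optional header, 112 into PE32+.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    entry = e_lfanew + 24 + (96 if kind == "PE32" else 112) + SECURITY_DIR_INDEX * 8
    if entry + 8 > len(data):
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size < 8 or offset + size > len(data):
        return None
    return offset, size


def form_signature(data: bytes, kind: str):
    """Step 3: pull the PKCS#7 blob out of the WIN_CERTIFICATE wrapper and hash it.

    Hashing bCertificate is a stand-in (assumption) for extracting signer fields.
    """
    loc = locate_certificate_table(data, kind)
    if loc is None:
        return None
    offset, size = loc
    table = data[offset:offset + size]
    length, _revision, cert_type = struct.unpack_from("<IHH", table, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > len(table):
        return None
    return hashlib.sha256(table[8:length]).hexdigest()


def classify(data: bytes, known_good: set, known_bad: set) -> str:
    """Steps 4-5: compare the signature with known-status sets and pick a category."""
    kind = identify_type(data)
    if kind == "unknown":
        return "not_executable"
    sig = form_signature(data, kind)
    if sig is None:
        return "unsigned"
    if sig in known_bad:           # a blocklisted signer overrides the allowlist
        return "known_bad"
    if sig in known_good:
        return "known_good"
    return "unknown_signer"


def handle(category: str) -> str:
    """Step 6: the policy action associated with the category."""
    return POLICY[category]


def build_sample_pe(cert_blob, kind: str = "PE32") -> bytes:
    """Constructed test data: a minimal PE-shaped byte string, not a real executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic, dir_off = (0x10B, 96) if kind == "PE32" else (0x20B, 112)
    opt_size = dir_off + 16 * 8                       # 16 data directory entries
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    body = bytes(dos) + b"PE\0\0" + coff
    table = b""
    if cert_blob is not None:
        table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        # SECURITY entry: raw file offset of the table appended after the headers
        struct.pack_into("<II", opt, dir_off + SECURITY_DIR_INDEX * 8,
                         len(body) + opt_size, len(table))
    return body + bytes(opt) + table


if __name__ == "__main__":
    bad = build_sample_pe(b"constructed PKCS#7 blob of a revoked signer")
    blocklist = {form_signature(bad, "PE32")}
    category = classify(bad, set(), blocklist)
    print(category, "->", handle(category))
```

Two points a practitioner should keep in mind when turning this into a gateway check: the presence of a certificate table says nothing about whether the signature is valid, so signer identity should only be trusted after the PKCS#7 signature over the Authenticode hash verifies; and a fingerprint over the whole blob changes whenever the file is re-signed or countersigned, which is why real signature sets key on stable signer fields rather than a blob hash.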
20 Claims
1. A method comprising: the steps set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A non-transitory program storage device readable by an electronic mail (email) security system logically interposed between an external network and a plurality of host systems within a private network, embodying a program of instructions executable by one or more processors of the email security system to perform a method comprising:
receiving an inbound email message;
when the inbound email message includes an attachment, processing the attachment by an antivirus detection module running on the electronic mail (email) security system, including:
identifying a type and structure of the attachment by examining relevant locations in the attachment for one or more primary identification bytes that are indicative of the attachment being of a particular executable file format;
determining a location of the certificate chain with respect to the attachment based on the identified type and structure;
forming a signature of the attachment by extracting a targeted subset of information from the certificate chain based on the type and structure of the attachment;
evaluating the attachment by comparing the signature with a set of signatures having a known desirable or undesirable status;
classifying the attachment into a category of a plurality of categories based on a result of said evaluating; and
when the category of the attachment is indicative of files associated therewith being malicious or being suspected of being malicious, a policy associated with the category causes the email security system to quarantine, block or otherwise attempt to prevent the attachment from being delivered to an end user of one of the plurality of host systems to which the inbound email message is addressed.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.