DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

US 20170187684A1
Filed: 03/11/2017
Published: 06/29/2017
Est. Priority Date: 12/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an electronic mail (email) security system, logically interposed between an external network and a plurality of host systems within a private network an inbound email message;

when the inbound email message includes an attachment, processing the attachment by an antivirus detection module running on the electronic mail (email) security system, including;

identifying a type and structure of the attachment by examining relevant locations in the attachment for one or more primary identification bytes that are indicative of the attachment being of a particular executable file format;

determining a location of the certificate chain with respect to the attachment based on the identified type and structure;

forming a signature of the attachment by extracting a targeted subset of information from the certificate chain based on the type and structure of the attachment;

evaluating the attachment by comparing the signature with a set signatures having a known desirable or undesirable status;

classifying the attachment into a category of a plurality of categories based on a result of said evaluating; and

when the category of the attachment is indicative of files associated therewith being malicious or being suspected of being malicious, a policy associated with the category causes the email security system to quarantine, block or otherwise attempt to prevent the attachment from being delivered to an end user of one of the plurality of host systems to which the inbound email message is addressed.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a file having associated therewith a certificate chain is received. A type and structure of the file are identified. A location of the certificate chain is determined based on the identified type and structure. A signature of the file is formed by extracting a targeted subset of information from the certificate chain. The file is evaluated by comparing the signature with a set signatures having a known desirable or undesirable status. The file is classified based on a result of the evaluating into a category of multiple categories, including one indicative of an associated file being an undesired file or a file suspected of being undesired. The file is handled in accordance with a policy associated with the category.

Citations

20 Claims

1. A method comprising:
- receiving, by an electronic mail (email) security system, logically interposed between an external network and a plurality of host systems within a private network an inbound email message;
  
  when the inbound email message includes an attachment, processing the attachment by an antivirus detection module running on the electronic mail (email) security system, including;
  
  identifying a type and structure of the attachment by examining relevant locations in the attachment for one or more primary identification bytes that are indicative of the attachment being of a particular executable file format;
  
  determining a location of the certificate chain with respect to the attachment based on the identified type and structure;
  
  forming a signature of the attachment by extracting a targeted subset of information from the certificate chain based on the type and structure of the attachment;
  
  evaluating the attachment by comparing the signature with a set signatures having a known desirable or undesirable status;
  
  classifying the attachment into a category of a plurality of categories based on a result of said evaluating; and
  
  when the category of the attachment is indicative of files associated therewith being malicious or being suspected of being malicious, a policy associated with the category causes the email security system to quarantine, block or otherwise attempt to prevent the attachment from being delivered to an end user of one of the plurality of host systems to which the inbound email message is addressed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the targeted subset of information includes the certificate chain in its entirety.
  - 3. The method of claim 1, wherein the targeted subset of information comprises specific identification information from an end entity certificate of the certificate chain.
  - 4. The method of claim 3, wherein the targeted subset of information includes all or part of one or more of:
    - a certificate serial number of the end entity certificate, an issuer name of the end entity certificate, validity information associated with the end entity certificate, a subject name of the end entity certificate, an alternate name from the end entity certificate and key usage information associated with the end entity certificate.
  - 5. The method of claim 1, wherein the certificate chain is located at an end of the attachment.
  - 6. The method of claim 1, wherein the certificate chain is located within a separate file from the attachment.
  - 7. The method of claim 1, wherein the identified type comprises a file format for encapsulating one or more of executables, object code and dynamic-link libraries (DLLs).
  - 8. The method of claim 7, wherein the attachment comprises a Portable Executable file.
  - 9. The method of claim 1, wherein the attachment comprises an archive file.
  - 10. The method of claim 1, wherein a mail transfer protocol proxy running on the email security system causes the attachment to be subjected to the processing performed by the antivirus detection module.

11. A non-transitory program storage device readable by an electronic mail (email) security system logically interposed between an external network and a plurality of host systems within a private network, embodying a program of instructions executable by one or more processors of the email security system to perform a method comprising:
- receiving an inbound email message;
  
  when the inbound email message includes an attachment, processing the attachment by an antivirus detection module running on the electronic mail (email) security system, including;
  
  identifying a type and structure of the attachment by examining relevant locations in the attachment for one or more primary identification bytes that are indicative of the attachment being of a particular executable file format;
  
  determining a location of the certificate chain with respect to the attachment based on the identified type and structure;
  
  forming a signature of the attachment by extracting a targeted subset of information from the certificate chain based on the type and structure of the attachment;
  
  evaluating the attachment by comparing the signature with a set signatures having a known desirable or undesirable status;
  
  classifying the attachment into a category of a plurality of categories based on a result of said evaluating; and
  
  when the category of the attachment is indicative of files associated therewith being malicious or being suspected of being malicious, a policy associated with the category causes the email security system to quarantine, block or otherwise attempt to prevent the attachment from being delivered to an end user of one of the plurality of host systems to which the inbound email message is addressed.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory program storage device of claim 11, wherein the targeted subset of information includes the certificate chain in its entirety.
  - 13. The non-transitory program storage device of claim 11, wherein the targeted subset of information comprises specific identification information from an end entity certificate of the certificate chain.
  - 14. The non-transitory program storage device of claim 13, wherein the targeted subset of information includes all or part of one or more of:
    - a certificate serial number of the end entity certificate, an issuer name of the end entity certificate, validity information associated with the end entity certificate, a subject name of the end entity certificate, an alternate name from the end entity certificate and key usage information associated with the end entity certificate.
  - 15. The non-transitory program storage device of claim 11, wherein the certificate chain is located at an end of the attachment.
  - 16. The non-transitory program storage device of claim 11, wherein the certificate chain is located within a separate file from the attachment.
  - 17. The non-transitory program storage device of claim 11, wherein the identified type comprises a file format for encapsulating one or more of executables, object code and dynamic-link libraries (DLLs).
  - 18. The non-transitory program storage device of claim 17, wherein the attachment comprises a Portable Executable file.
  - 19. The non-transitory program storage device of claim 11, wherein the attachment comprises an archive file.
  - 20. The non-transitory program storage device of claim 11, wherein a mail transfer protocol proxy running on the email security system causes the attachment to be subjected to the processing performed by the antivirus detection module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fossen, Steven Michael, MacDonald, Alexander Douglas

Granted Patent

US 9,774,569 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2115   Third party

H04L 51/046   Interoperability with other...

H04L 51/08   Annexed information, e.g. a...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/02   for separating internal fro...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links