Antivirus accelerator for computer networks

US 6,094,731 A
Filed: 11/09/1998
Issued: 07/25/2000
Est. Priority Date: 11/24/1997
Status: Expired due to Term

First Claim

Patent Images

1. A computer-based method for examining a file that is transmitted over a computer network from an originating computer to a recipient computer to determine whether a computer virus is present within said file, said file containing at least one sector, the method comprising the steps of:

causing the originating computer to;

scan the file by an associated antivirus module while storing into a first storage area an identification of each file sector that is scanned and a hash value of each sector that is scanned; and

calculate a digital signature of a computed message digest of contents of the first storage area; and

causing the recipient computer to;

compute a hash value for each file sector that was scanned by the originating computer, to generate a computed hash value;

compare each computed hash value with the hash value stored within said first storage area for the corresponding sector, wherein, when any computed hash value fails to match a corresponding stored hash value for any sector, the entire file is rescanned;

examine the authenticity of the digital signature by comparing a decrypted message digest with the computed message digest; and

rescan the entire file when the decrypted message digest does not match the computed message digest.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, method, and computer readable medium for examining a file (1) associated with an originating computer (2) to determine whether a virus is present within the file (1). File (1) contains at least one sector and is scanned by an antivirus module (3). An identification and hash value of each scanned sector, a date of an update to antivirus module (3), and a version number of antivirus module (3) are stored into a critical sectors file (4). Hash values can be calculated by an antivirus accelerator module (5). An authentication module (12) affixes a digital signature to critical sectors file (4). File (1), critical sectors file (4), and digital signature (15) are then transmitted over network (14) to a recipient computer (11). File (1) sectors that were scanned by originating computer (2) are examined by antivirus module (3'"'"'). Each of these sectors again has its hash value calculated and compared with the hash value of the corresponding sector as stored within critical sectors file (4). When any calculated hash value fails to match a corresponding stored hash value for any sector, antivirus module (3'"'"') is commanded to rescan the entire file (1). Recipient computer (11) decrypts the digital signature (15) produced by originating computer (2) to verify the authenticity of the contents of critical sectors file (4).

Citations

16 Claims

1. A computer-based method for examining a file that is transmitted over a computer network from an originating computer to a recipient computer to determine whether a computer virus is present within said file, said file containing at least one sector, the method comprising the steps of:
- causing the originating computer to;
  
  scan the file by an associated antivirus module while storing into a first storage area an identification of each file sector that is scanned and a hash value of each sector that is scanned; and
  
  calculate a digital signature of a computed message digest of contents of the first storage area; and
  
  causing the recipient computer to;
  
  compute a hash value for each file sector that was scanned by the originating computer, to generate a computed hash value;
  
  compare each computed hash value with the hash value stored within said first storage area for the corresponding sector, wherein, when any computed hash value fails to match a corresponding stored hash value for any sector, the entire file is rescanned;
  
  examine the authenticity of the digital signature by comparing a decrypted message digest with the computed message digest; and
  
  rescan the entire file when the decrypted message digest does not match the computed message digest.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 comprising the additional step of setting the entire contents of the first storage area to zero prior to performing the steps that are performed by the originating computer.
  - 3. The method of claim 1 wherein, during the scanning of the file by the antivirus module, sector numbers are automatically read into the first storage area by means of hooks associated with engines of the antivirus module.
  - 4. The method of claim 1 wherein the antivirus module determines the size of the file and stores said size within the first storage area.
  - 5. The method of claim 4 wherein the recipient computer computes the size of the file, and when the computed file size differs from the file size stored within the first storage area, the entire file is rescanned for viruses by an antivirus module associated with the recipient computer.
  - 6. The method of claim 1, wherein, when all the computed hash values respectively match the stored hash values, and, in addition, the authenticity of the digital signature has been verified, the recipient computer declares that the file is unchanged in a way that could allow for a viral infection.
  - 7. The method of claim 1, wherein, when the antivirus module fails to detect a virus in the file, the originating computer causes the file, the contents of the first storage area, and the digital signature to be transmitted over the computer network to the recipient computer.
  - 8. The method of claim 7, wherein the recipient computer computes hash values by an associated antivirus module that is identical to the antivirus module associated with the originating computer.
  - 9. The method of claim 8, wherein, when the antivirus module associated with the originating computer differs from the antivirus module associated with the recipient computer, the contents of the first storage area are deemed to be invalid and the file is reexamined for viruses.
  - 10. The method of claim 1, wherein the originating computer stores into the first storage area a date of a most recent update to the antivirus module and a version number of the antivirus module.
  - 11. The method of claim 10, wherein the recipient computer checks the date and the version number from the first storage area against a date of a most recent update to the antivirus module associated with the recipient computer and a version number of the antivirus module associated with the recipient computer, respectively, and when at least one entity from the group of entities comprising the date and the version number fails to match, the entire file is rescanned for viruses.
  - 12. The method of claim 1, wherein a private key and a related public key are associated with the originating computer;
    - the originating computer calculates the digital signature by means of applying the private key to contents of the first storage area; and
      
      the recipient computer examines the authenticity of the digital signature by means of applying the public key to the digital signature.
  - 13. The method of claim 12, wherein a hash function is applied to contents of the first storage area before the originating computer calculates the digital signature.
  - 14. The method of claim 1, wherein the computer network contains at least one entity from the group of entities comprising server computers, proxy servers, mail gateways, and client computers.

15. Apparatus for speeding the detection of computer viruses, the apparatus comprising:
- a first file associated with an originating computer and containing at least one sector;
  
  coupled to the first file, an antivirus scan module adapted to detect the presence of computer viruses within said first file;
  
  coupled to the antivirus scan module, an antivirus accelerator module;
  
  a critical sectors file coupled to the antivirus accelerator module, said critical sectors file containing the size of the first file, identifications of sectors of the first file that have been scanned by the antivirus scan module, and a hash value for each sector of the first file that has been scanned by the antivirus scan module; and
  
  coupled to the critical sectors file, an authentication module adapted for affixing a digital signature to contents of the critical sectors file and adapted for comparing a decrypted message digest of a received file with a computed message digest, wherein the antivirus scan module rescans the entire file when the decrypted message digest does not match the computed message digest.

16. A computer-readable medium storing a program for examining a file that is transmitted over a computer network from an originating computer to a recipient computer to determine whether a computer virus is present within the file, the file containing at least one sector, the program implementing a method comprising the steps of:
- causing the originating computer to;
  
  scan the file by an associated antivirus module while storing into a first storage area an identification of each file sector that is scanned and a hash value of each sector that is scanned; and
  
  calculate a digital signature of a computed message digest of contents of the first storage area; and
  
  causing the recipient computer to;
  
  compute a hash value for each file sector that was scanned by the originating computer, to generate a computed hash value;
  
  compare each computed hash value with the hash value stored within said first storage area for the corresponding sector, wherein, when any computed hash value fails to match a corresponding stored hash value for any sector, the entire file is rescanned;
  
  examine the authenticity of the digital signature by comparing a decrypted message digest with the computed message digest; and
  
  rescan the entire file when the decrypted message digest does not match the computed message digest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Power Management Enterprises LLC (IPNav)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Waldin, Ray, Nachenberg, Carey
Primary Examiner(s)
Hong, Stephen S.
Assistant Examiner(s)
Hamdan, Wasseem H.

Application Number

US09/188,919
Time in Patent Office

624 Days
Field of Search

714/2, 714/38, 714/48, 714/33, 714/45, 714/46, 395/704
US Class Current

714/38.14
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

H04L 63/123   received data contents, e.g...

H04L 63/145   the attack involving the pr...

Antivirus accelerator for computer networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Antivirus accelerator for computer networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links