Protocol-level malware scanner

US 6,772,345 B1
Filed: 02/08/2002
Issued: 08/03/2004
Est. Priority Date: 02/08/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of detecting a malware comprising the steps of:

a) receiving a data stream;

b) scanning the data stream at a protocol level to detect a malware including viruses;

c) removing the detected malware from the data stream;

d) transmitting the data stream without the malware;

e) determining an IP address and a port associated with the detected malware, wherein the IP address and the port are blocked from being able to send any data to a protected network, and the IP address and the port are blocked from being able to receive any data from the protected network; and

f) scanning email messages at a protocol level, each email message transmitted by one of a plurality of protocols;

wherein;

i) a HyperText Transfer Protocol (HTTP) filter is utilized for scanning an HTTP data stream for malware, ii) a File Transfer Protocol (FTP) filter is utilized for scanning an FTP data stream for malware, iii) a Simple Mail Transfer Protocol (SMTP) filter is utilized for scanning an SMTP data stream for malware, iv) an Internet Message Access Protocol (IMAP) filter is utilized for scanning an IMAP data stream for malware, v) a Post Office Protocol filter is utilized for scanning a Post Office Protocol data stream for malware, vi) a Trivial File Transfer Protocol filter is utilized for scanning a Trivial File Transfer Protocol data stream for malware, and vii) a Network News Transfer Protocol filter is utilized for scanning a Network News Transfer Protocol data stream for malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer program product for malware scanning of data that is being transferred or downloaded to a computer system that is performed at the protocol level, and is capable of blocking the spread of malwares that may not be blocked by operating system level scanning. A method of detecting a malware comprises the steps of: a) receiving a data stream, b) scanning the data stream at a protocol level to detect a malware, c) removing the detected malware from the data stream, and d) transmitting the data stream without the malware.

379 Citations

19 Claims

1. A method of detecting a malware comprising the steps of:
- a) receiving a data stream;
  
  b) scanning the data stream at a protocol level to detect a malware including viruses;
  
  c) removing the detected malware from the data stream;
  
  d) transmitting the data stream without the malware;
  
  e) determining an IP address and a port associated with the detected malware, wherein the IP address and the port are blocked from being able to send any data to a protected network, and the IP address and the port are blocked from being able to receive any data from the protected network; and
  
  f) scanning email messages at a protocol level, each email message transmitted by one of a plurality of protocols;
  
  wherein;
  
  i) a HyperText Transfer Protocol (HTTP) filter is utilized for scanning an HTTP data stream for malware, ii) a File Transfer Protocol (FTP) filter is utilized for scanning an FTP data stream for malware, iii) a Simple Mail Transfer Protocol (SMTP) filter is utilized for scanning an SMTP data stream for malware, iv) an Internet Message Access Protocol (IMAP) filter is utilized for scanning an IMAP data stream for malware, v) a Post Office Protocol filter is utilized for scanning a Post Office Protocol data stream for malware, vi) a Trivial File Transfer Protocol filter is utilized for scanning a Trivial File Transfer Protocol data stream for malware, and vii) a Network News Transfer Protocol filter is utilized for scanning a Network News Transfer Protocol data stream for malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the data stream is received from a communications network.
  - 3. The method of claim 2, wherein the communications network is the Internet.
  - 4. The method of claim 1, wherein steps a)-f) are performed on a workstation computer system.
  - 5. The method of claim 4, wherein the receiving step comprises the step of:
6. The method of claim 5, wherein the transmitting step comprises the step of:
- transmitting the data stream without the malware to an operating system and/or application programs running on the workstation computer system.
7. The method of claim 1, wherein steps a)-f) are performed on a gateway computer system.
8. The method of claim 7, wherein the receiving step comprises the step of:
- receiving a data stream from a network to the gateway computer system or from a network via a router/firewall connected to the gateway computer system.
9. The method of claim 8, wherein the transmitting step comprises the step of:
- transmitting the data stream without the malware to a computer system via a local area network or a wide area network connected to the gateway computer system.

10. A system for detecting a malware comprising:
- a processor operable to execute computer program instructions;
  
  a memory operable to store computer program instructions executable by the processor; and
  
  computer program instructions stored in the memory and executable to perform the steps of;
  
  a) receiving a data stream;
  
  b) scanning the data stream at a protocol level to detect a malware including viruses;
  
  c) removing the detected malware from the data stream;
  
  d) transmitting the data stream without the malware;
  
  e) determining an IP address and a port associated with the detected malware, wherein the IP address and the port are blocked from being able to send any data to a protected network, and the IP address and the port are blocked from being able to receive any data from the protected network; and
  
  f) scanning email messages at a protocol level, each email message transmitted by one of a plurality of protocols;
  
  wherein;
  
  i) a HyperText Transfer Protocol (HTTP) filter is utilized for scanning an HTTP data stream for malware, ii) a File Transfer Protocol (FTP) filter is utilized for scanning an FTP data stream for malware, iii) a Simple Mail Transfer Protocol (SMTP) filter is utilized for scanning an SMTP data stream for malware, iv) an Internet Message Access Protocol (IMAP) filter is utilized for scanning an IMAP data stream for malware, v) a Post Office Protocol filter is utilized for scanning a Post Office Protocol data stream for malware, vi) a Trivial File Transfer Protocol filter is utilized for scanning a Trivial File Transfer Protocol data stream for malware, and vii) a Network News Transfer Protocol filter is utilized for scanning a Network News Transfer Protocol data stream for malware.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the data stream is received from a communications network.
  - 12. The system of claim 11, wherein the communications network is the Internet.
  - 13. The system of claim 10, wherein steps a)-f) are performed on a workstation computer system.
  - 14. The system of claim 13, wherein the receiving step comprises the step of:
15. The system of claim 14, wherein the transmitting step comprises the step of:
- transmitting the data stream without the malware to an operating system and/or application programs running on the workstation computer system.
16. The system of claim 10, wherein steps a)-f) are performed on a gateway computer system.
17. The system of claim 16, wherein the receiving step comprises the step of:
- receiving a data stream from a network to the gateway computer system or from a network via a router/firewall connected to the gateway computer system.
18. The system of claim 17, wherein the transmitting step comprises the step of:
- transmitting the data stream without the malware to a computer system via a local area network or a wide area network connected to the gateway computer system.

19. A computer program product for detecting a malware comprising:
- a computer readable medium;
  
  computer program instructions, recorded on the computer readable medium, executable by a processor, for performing the steps of;
  
  a) receiving a data stream;
  
  b) scanning the data stream at a protocol level to detect a malware including viruses;
  
  c) removing the detected malware from the data stream;
  
  d) transmitting the data stream without the malware;
  
  e) blocking an IP address and a port associated with the detected malware, wherein the IP address and the port are blocked from being able to send any data to a protected network, and the IP address and the port are blocked from being able to receive any data from the protected network; and
  
  f) scanning email messages at a protocol level, each email message transmitted by one of a plurality of protocols;
  
  wherein;
  
  i) a HyperText Transfer Protocol (HTTP) filter is utilized for scanning an HTTP data stream for malware, ii) a File Transfer Protocol (FTP) filter is utilized for scanning an FTP data stream for malware, iii) a Simple Mail Transfer Protocol (SMTP) filter is utilized for scanning an SMTP data stream for malware, iv) an Internet Message Access Protocol (IMAP) filter is utilized for scanning an IMAP data stream for malware, v) a Post Office Protocol filter is utilized for scanning a Post Office Protocol data stream for malware, vi) a Trivial File Transfer Protocol filter is utilized for scanning a Trivial File Transfer Protocol data stream for malware, and vii) a Network News Transfer Protocol filter is utilized for scanning a Network News Transfer Protocol data stream for malware;
  
  wherein the data stream is received from the Internet;
  
  wherein steps a)-f) are performed on a gateway computer system;
  
  wherein the receiving step comprises the step of receiving a data stream from a network to the gateway computer system or from a network via a router/firewall connected to the gateway computer system;
  
  wherein uniform resource locators (URLs) are blocked;
  
  wherein packet filtering is performed to accept and reject packets based on user-defined rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Shetty, Satish
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US10/067,886
Time in Patent Office

907 Days
Field of Search

713/151, 713/153, 713/154, 713/200, 714/15, 370/39
US Class Current

726/24
CPC Class Codes

G06F 21/562   Static detection

G06F 21/568   eliminating virus, restorin...

G06F 2221/2147   Locking files

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Protocol-level malware scanner

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

379 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Protocol-level malware scanner

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

379 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links