System and method for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment

US 6,993,660 B1
Filed: 12/10/2001
Issued: 01/31/2006
Est. Priority Date: 08/03/2001
Status: Active Grant

First Claim

Patent Images

1. A computer implemented system for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment, comprising:

an antivirus system intercepting an incoming message at a network domain boundary, the incoming message including a body storing message content;

a parser module parsing the message content from the body and calculating a checksum over the parsed message content;

a checksum module storing the checksum in an information file associated with the incoming message in a transient message store;

an antivirus scanner scanning the incoming message for a presence of at least one of a computer virus and malware to identify infected message contents, and recording the checksum corresponding to each infected message content and an infection indicator;

wherein the checksum is calculated as a running checksum on a line-by-line basis as the incoming message is received.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment is described. An incoming message is intercepted at a network domain boundary. The incoming message includes a body storing message content. The message content is parsed from the body and a checksum is calculated over the parsed message content. The checksum is stored in an information file associated with the incoming message in a transient message store. The incoming message is scanned for a presence of at least one of a computer virus and malware to identify infected message contents. The checksum corresponding to each infected message content and an infection indicator is recorded.

112 Citations

40 Claims

1. A computer implemented system for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment, comprising:
- an antivirus system intercepting an incoming message at a network domain boundary, the incoming message including a body storing message content;
  
  a parser module parsing the message content from the body and calculating a checksum over the parsed message content;
  
  a checksum module storing the checksum in an information file associated with the incoming message in a transient message store;
  
  an antivirus scanner scanning the incoming message for a presence of at least one of a computer virus and malware to identify infected message contents, and recording the checksum corresponding to each infected message content and an infection indicator;
  
  wherein the checksum is calculated as a running checksum on a line-by-line basis as the incoming message is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 38)
- - 2. A system according to claim 1, further comprising:
    - a message queue enqueueing each incoming message and the associated information file.
  - 3. A system according to claim 1, further comprising:
    - a table of entries, each comprising the checksum and the infection indicator corresponding to each infected message content.
  - 4. A system according to claim 3, further comprising:
    - a comparison module comparing the checksum to the entries in the table prior to scanning operations, and discarding the incoming message if the checksum of the incoming message matches the checksum of one such entry with one such infection indicator.
  - 5. A system according to claim 3, further comprising:
    - a replacement module replacing entries in the table using a least-recently-used replacement algorithm.
  - 6. A system according to claim 3, wherein the table is structured as a binary tree.
  - 7. A system according to claim 1, wherein the message content further comprises at least one of an attachment and an embedded attachment.
  - 8. A system according to claim 1, wherein the distributed computing environment is TCP/IP-compliant and each incoming message is SMTP-compliant.
  - 38. A system according to claim 4, wherein the incoming message is not scanned by the antivirus scanner if the checksum of the incoming message matches the checksum of one such entry with one such infection identifier.

9. A computer implemented method for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment, comprising:
- intercepting an incoming message at a network domain boundary, the incoming message including a body storing message content;
  
  parsing the message content from the body and calculating a checksum over the parsed message content;
  
  calculating the checksum as a running checksum on a line-by-line basis as the incoming message is received;
  
  storing the checksum in an information file associated with the incoming message in a transient message store;
  
  scanning the incoming message for a presence of at least one of a computer virus and malware to identify infected message contents; and
  
  recording the checksum corresponding to each infected message content and an infection indicator.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. A method according to claim 9, further comprising:
    - enqueueing each incoming message and the associated information file onto a message queue.
  - 11. A method according to claim 9, further comprising:
    - maintaining a table of entries, each comprising the checksum and the infection indicator corresponding to each infected message content.
  - 12. A method according to claim 11, further comprising:
    - comparing the checksum to the entries in the table prior to scanning operations; and
      
      discarding the incoming message if the checksum of the incoming message matches the checksum of one such entry with one such infection indicator.
  - 13. A method according to claim 11, further comprising:
    - replacing entries in the table using a least-recently-used replacement algorithm.
  - 14. A method according to claim 11, further comprising:
    - structuring the table as a binary tree.
  - 15. A method according to claim 9, wherein the message content further comprises at least one of an attachment and an embedded attachment.
  - 16. A method according to claim 9, wherein the distributed computing environment is TCP/IP-compliant and each incoming message is SMTP-compliant.
  - 17. A computer-readable storage medium holding code for performing the method according to claim 9, 10, 11, 12, 13, 14, 15, or 16.

18. A computer implemented system for performing efficient computer virus scanning of transient messages with message digests, comprising:
- an antivirus system intercepting an incoming message at a network domain boundary, the incoming message including a header including fields, which each store field values, and a body storing message content;
  
  a parser module parsing the field values from each field in the header and the message content from the body;
  
  a digest module generating a message digest over each such field value and over the message content and recording the message digests corresponding to the incoming message;
  
  an antivirus scanner scanning the incoming message for a presence of at least one of a computer virus and malware to identify infected message contents;
  
  an update module updating the message digest corresponding to each infected message content with an infection indicator; and
  
  a set of digests, each comprising the message digest and the infection indicator corresponding to each infected message content.
- View Dependent Claims (19, 20, 21, 22, 23, 39, 40)
- - 19. A system according to claim 18, further comprising:
    - a message queue enqueueing each incoming message.
  - 20. A system according to claim 18, further comprising:
    - a comparison module comparing the message digest to the entries in the table prior to scanning operations, and discarding the incoming message if the message digest of the incoming message matches the message digest of one such entry with one such infection indicator.
  - 21. A system according to claim 18, wherein the message content further comprises at least one of an attachment and an embedded attachment.
  - 22. A system according to claim 18, wherein the message digest comprises at least one of SHA-1 and MD5 encryption.
  - 23. A system according to claim 18, wherein the bounded network domain is TCP/IP-compliant and each such message packet is SMTP-compliant.
  - 39. A system according to claim 18, wherein the field values include a subject value.
  - 40. A system according to claim 18, wherein the message content only includes scripted portions in an Hypertext Markup Language (HTML) incoming message.

24. A computer implemented method for performing efficient computer virus scanning of transient messages with message digests, comprising:
- intercepting an incoming message at a network domain boundary, the incoming message including a header including fields, which each store field values, and a body storing message content;
  
  parsing the field values from each field in the header and the message content from the body and generating a message digest over each such field value and over the message content;
  
  recording the message digests corresponding to the incoming message;
  
  scanning the incoming message for a presence of at least one of a computer virus and malware to identify infected message contents;
  
  updating the message digest corresponding to each infected message content with an infection indicator; and
  
  maintaining a set of digests, each comprising the message digest and the infection indicator corresponding to each infected message content.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. A method according to claim 24, further comprising:
    - enqueueing each incoming message onto a message queue.
  - 26. A method according to claim 24, further comprising:
    - comparing the message digest to the entries in the table prior to scanning operations; and
      
      discarding the incoming message if the message digest of the incoming message matches the message digest of one such entry with one such infection indicator.
  - 27. A method according to claim 24, wherein the message content further comprises at least one of an attachment and an embedded attachment.
  - 28. A method according to claim 24, wherein the message digest comprises at least one of SHA-1 and MD5 encryption.
  - 29. A method according to claim 24, wherein the bounded network domain is TCP/IP-compliant and each such message packet is SMTP-compliant.
  - 30. A computer-readable storage medium holding code for performing the method according to claim 24, 25, 26, 27, 28, or 29.

31. A computer implemented system for providing dynamic computer virus and malware protection of message packets in a bounded network domain, comprising:
- an antivirus system intercepting an incoming message packet, each incoming message packet comprising a plurality of sections comprising a header storing field values and a body storing message packet content, and providing dynamic computer virus and malware protection, comprising at least one of;
  
  a checksum module calculating and storing a checksum over the message packet content stored in the body of the incoming message packet; and
  
  a digest module generating and storing a digest over at least one the field values stored in the header and the message packet content stored in the body of the incoming message packet;
  
  an antivirus scanner scanning the incoming message packet if the at least one of the checksum and the digest have not been previously stored with an infection indicator indicating a presence of at least one of a computer virus and malware;
  
  wherein the checksum is calculated as a running checksum on a line-by-line basis as the incoming message packet is received.
- View Dependent Claims (32, 33)
- - 32. A system according to claim 31, wherein the incoming message packet is discarded if the at least one of the checksum and the digest has been previously stored with an infection indicator indicating a presence of at least one of a computer virus and malware.
  - 33. A system according to claim 31, wherein the distributed computing environment is TCP/IP-compliant and each message packet is SMTP-compliant.

34. A computer implemented method for providing dynamic computer virus and malware protection of message packets in a bounded network domain, comprising:
- intercepting an incoming message packet, each incoming message packet comprising a plurality of sections comprising a header storing field values and a body storing message packet content;
  
  providing dynamic computer virus and malware protection, comprising at least one of;
  
  calculating a checksum over the message packet content stored in the body of the incoming message packet; and
  
  generating a digest over at least one the field values stored in the header and the message packet content stored in the body of the incoming message packet;
  
  storing at least one of the checksum and the digest; and
  
  scanning the incoming message packet if the at least one of the checksum and the digest have not been previously stored with an infection indicator indicating a presence of at least one of a computer virus and malware;
  
  wherein the checksum is calculated as a running checksum on a line-by-line basis as the incoming message packet is received.
- View Dependent Claims (35, 36, 37)
- - 35. A method according to claim 34, further comprising:
    - discarding the incoming message packet if the at least one of the checksum and the digest has been previously stored with an infection indicator indicating a presence of at least one of a computer virus and malware.
  - 36. A method according to claim 34, wherein the distributed computing environment is TCP/IP-compliant and each message packet is SMTP-compliant.
  - 37. A computer-readable storage medium holding code for performing the method according to claim 34, 35, or 36.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Libenzi, Davide, Pak, Michael Chin-Hwan
Primary Examiner(s)
Barrón, Jr., Gilberto
Assistant Examiner(s)
LEMMA, SAMSON B

Application Number

US10/016,533
Time in Patent Office

1,513 Days
Field of Search

713/188, 709/206, 709/232, 726/23, 726/24
US Class Current

713/188
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/145   the attack involving the pr...

System and method for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

System and method for performing efficient computer virus scanning of transient messages using checksums in a distributed computing environment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others