Detecting malware carried by an e-mail message
First Claim
1. A computer program product embodied on a tangible computer readable medium operable to control a computer to detect an item of malware carried by an e-mail message, said computer program product comprising:
rule receiving code operable to receive from a remote source an e-mail identifying content filtering rule defining one or more characteristics of an e-mail message indicative of said e-mail message carrying said item of malware;
message receiving code operable to receive a target e-mail message;
content filtering code operable to apply said e-mail identifying content filtering rule to said target e-mail message to detect if said target e-mail message has said one or more characteristics and, if said target e-mail message has said one or more characteristics, then triggering a suspected malware found action;
wherein detection action of said e-mail identifying content filtering rule is reported with a detection activity report to a remote report collector;
wherein said detection activity report includes an indication of whether a target e-mail message which has said one or more characteristics was inbound to a predetermined computer network or outbound from said predetermined computer network;
wherein said suspected malware found action includes suspending delivery of said target e-mail message;
wherein a target e-mail message for which delivery has been suspended may be released to be rescanned by one or more content filtering rules at a later time;
wherein said one or more characteristics include one or more of:
a sender field matching predetermined characteristics;
a relay field matching predetermined characteristics;
a subject field matching predetermined characteristics;
a body message matching predetermined characteristics;
an attachment having a file type matching predetermined characteristics;
an attachment having a filename matching predetermined characteristics; and
SMTP structure matching predetermined characteristics;
wherein said e-mail identifying content filtering rule is auto-rescinding in response to detection of predetermined conditions.
Abstract
An anti-virus system provider distributes an e-mail identifying content filtering rule, seeking to identify e-mail messages suspected of containing an item of malware, from a central source (20) to users (2). This distribution may be by an e-mail message itself, which is appropriately signed and encrypted. At the user system (2), the received e-mail identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware distributed by e-mail may be identified by characteristics of its carrier e-mail rather than by characteristics of the malware itself, which may not yet have been properly analyzed, or for which the mechanisms of detection may not yet be in place.
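The mechanism the abstract and claim 1 describe, written out as a working illustration for this page (this is added example code, not the patentee's implementation). It assumes: a rule is a set of regular expressions over the claimed characteristics (sender, relay, subject, body, attachment type, attachment filename, SMTP header structure), all of which must match for the rule to fire; the "predetermined condition" for auto-rescinding is an expiry time; inbound versus outbound is decided from the sender's domain against a configured local domain; the quarantine and the report collector are in-memory stand-ins; and the signature and encryption on the rule-carrying e-mail are verified before `engine.rules.append` is reached (that step is omitted here). The sample messages are constructed, not captured.

```python
import email
import email.utils
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from typing import Callable, Optional


@dataclass
class Rule:
    """Fires only if every characteristic that is set matches; unset ones are ignored."""
    rule_id: str
    sender: Optional[str] = None            # regex over From:
    relay: Optional[str] = None             # regex over any Received: header
    subject: Optional[str] = None           # regex over Subject:
    body: Optional[str] = None              # regex over text/* body parts
    attachment_type: Optional[str] = None   # regex over an attachment's MIME type
    attachment_name: Optional[str] = None   # regex over an attachment's filename
    smtp_structure: Optional[str] = None    # regex over the raw header block
    expires_at: Optional[float] = None      # auto-rescind once the clock passes this (assumed condition)

    def matches(self, msg: EmailMessage, raw_headers: str) -> bool:
        atts = list(msg.iter_attachments())
        checks = [
            (self.sender, [str(msg.get("From", ""))]),
            (self.relay, [str(h) for h in msg.get_all("Received", [])]),
            (self.subject, [str(msg.get("Subject", ""))]),
            (self.body, [p.get_content() for p in msg.walk()
                         if p.get_content_maintype() == "text" and not p.is_attachment()]),
            (self.attachment_type, [a.get_content_type() for a in atts]),
            (self.attachment_name, [a.get_filename() or "" for a in atts]),
            (self.smtp_structure, [raw_headers]),
        ]
        # Each set characteristic must match at least one candidate value (e.g. any one of
        # several attachments); a message with no attachments cannot satisfy an attachment rule.
        return all(any(re.search(pat, v, re.I | re.S) for v in values)
                   for pat, values in checks if pat)


class FilterEngine:
    def __init__(self, local_domain: str, now: Callable[[], float]):
        self.local_domain = local_domain.lower()
        self.now = now                           # injectable clock, so expiry is testable
        self.rules: list[Rule] = []              # rule receiving code appends verified rules here
        self.quarantine: dict[str, bytes] = {}   # suspended deliveries, keyed by Message-ID
        self.reports: list[dict] = []            # stand-in for the remote report collector

    def active_rules(self) -> list[Rule]:
        # Auto-rescinding: a rule whose predetermined condition (here an expiry
        # time) has been met is dropped before it is applied again.
        self.rules = [r for r in self.rules if r.expires_at is None or self.now() < r.expires_at]
        return self.rules

    def scan(self, raw: bytes) -> str:
        """Content filtering code: returns 'quarantined' or 'delivered'."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        raw_headers = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("latin-1")
        msg_id = str(msg.get("Message-ID", ""))
        for rule in self.active_rules():
            if rule.matches(msg, raw_headers):
                # Suspected malware found action: suspend delivery and report the hit,
                # recording whether the message was inbound to or outbound from our network.
                sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
                direction = "outbound" if sender.endswith("@" + self.local_domain) else "inbound"
                self.quarantine[msg_id] = raw
                self.reports.append({"rule": rule.rule_id, "message_id": msg_id,
                                     "direction": direction})
                return "quarantined"
        return "delivered"

    def rescan(self, msg_id: str) -> str:
        """Release a suspended message and rescan it against the current rules."""
        return self.scan(self.quarantine.pop(msg_id))


def build_message(sender, to, subject, body, msg_id, att_name, att_data) -> bytes:
    # Constructed sample message for the demo (not a real capture).
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = sender, to, subject, msg_id
    m["Received"] = "from mail.evil.example ([203.0.113.7]) by mx.example.com with ESMTP"
    m.set_content(body)
    m.add_attachment(att_data, maintype="application", subtype="octet-stream", filename=att_name)
    return m.as_bytes()


def demo() -> dict:
    clock = [1000.0]
    engine = FilterEngine("example.com", lambda: clock[0])
    # Vendor-pushed rule (assumed content): an "invoice" subject AND a .exe attachment;
    # it rescinds itself at t=2000, e.g. once a proper signature for the payload has shipped.
    engine.rules.append(Rule("R-001", subject=r"invoice", attachment_name=r"\.exe$", expires_at=2000.0))
    inbound = build_message("Billing <acct@evil.example>", "bob@example.com", "Your invoice",
                            "Open the attached file.", "<in-1@evil.example>", "Invoice.EXE", b"MZ\x90")
    outbound = build_message("alice@example.com", "ceo@partner.example", "Re: invoice",
                             "Forwarding as requested.", "<out-1@example.com>", "invoice.exe", b"MZ\x90")
    benign = build_message("alice@example.com", "bob@example.com", "Your invoice",
                           "Attached as PDF.", "<ok-1@example.com>", "invoice.pdf", b"%PDF")
    results = {"inbound": engine.scan(inbound), "outbound": engine.scan(outbound),
               "benign": engine.scan(benign),
               "directions": [r["direction"] for r in engine.reports]}
    clock[0] = 3000.0                                  # the rule's rescind condition is now met
    results["rescan_after_rescind"] = engine.rescan(engine.reports[0]["message_id"])
    results["rules_left"] = len(engine.active_rules())
    return results
```

Two points a practitioner should take from the flow: the rule matches on properties of the carrier (subject plus attachment name), so it can be pushed before the payload itself has been analysed, but the same properties are cheap for an attacker to vary and easy for legitimate mail to share, which is why the action is suspend-and-report rather than delete, and why a suspended message is released for a rescan once the interim rule has been rescinded and replaced by a proper signature.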
131 Citations
29 Claims
1. Claim 1 is set out in full under First Claim above. Dependent claims: 2 to 16.
17. A method of detecting an item of malware carried by an e-mail message, said method comprising the steps of:
receiving from a remote source an e-mail identifying content filtering rule defining one or more characteristics of an e-mail message indicative of said e-mail message carrying said item of malware;
receiving a target e-mail message;
applying said e-mail identifying content filtering rule to said target e-mail message to detect if said target e-mail message has said one or more characteristics; and
if said target e-mail message has said one or more characteristics, then triggering a suspected malware found action;
wherein detection action of said e-mail identifying content filtering rule is reported with a detection activity report to a remote report collector;
wherein said detection activity report includes an indication of whether a target e-mail message which has said one or more characteristics was inbound to a predetermined computer network or outbound from said predetermined computer network;
wherein said suspected malware found action includes suspending delivery of said target e-mail message;
wherein a target e-mail message for which delivery has been suspended may be released to be rescanned by one or more content filtering rules at a later time;
wherein said one or more characteristics include one or more of:
a sender field matching predetermined characteristics;
a relay field matching predetermined characteristics;
a subject field matching predetermined characteristics;
a body message matching predetermined characteristics;
an attachment having a file type matching predetermined characteristics;
an attachment having a filename matching predetermined characteristics; and
SMTP structure matching predetermined characteristics;
wherein said e-mail identifying content filtering rule is auto-rescinding in response to detection of predetermined conditions.
Dependent claims: 18 to 29.
Specification