Detecting malware carried by an e-mail message

US 7,237,008 B1
Filed: 05/10/2002
Issued: 06/26/2007
Est. Priority Date: 05/10/2002
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied on a tangible computer readable medium operable to control a computer to detect an item of malware carried by an e-mail message, said computer program product comprising:

rule receiving code operable to receive from a remote source an e-mail identifying content filtering rule defining one or more characteristics of an e-mail message indicative of said e-mail message carrying said item of malware;

message receiving code operable to receive a target e-mail message;

content filtering code operable to apply said e-mail identifying content filtering rule to said target e-mail message to detect if said target e-mail message has said one or more characteristics and, if said target e-mail message has said one or more characteristics, then triggering a suspected malware found action;

wherein detection action of said e-mail identifying content filtering rule is reported with a detection activity report to a remote report collector;

wherein said detection activity report includes an indication of whether a target e-mail message which has said one or more characteristics was inbound to a predetermined computer network or outbound from said predetermined computer network;

wherein said suspected malware found action includes suspending delivery of said target e-mail message;

wherein a target e-mail message for which delivery has been suspended may be released to be rescanned by one or more content filtering rules at a later time;

wherein said one or more characteristics include one or more of;

a sender field matching predetermined characteristics;

a relay field matching predetermined characteristics;

a subject field matching predetermined characteristics;

a body message matching predetermined characteristics;

an attachment having a file type matching predetermined characteristics;

an attachment having a filename matching predetermined characteristics; and

SMTP structure matching predetermined characteristics;

wherein said e-mail identifying content filtering rule is auto-rescinding in response to detection of predetermined conditions.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-virus system provider distributes an e-mail identifying content filtering rule seeking to identify e-mail messages suspected of containing an item of malware from a central source (20) to users (2). This distribution may be by an e-mail message itself which is appropriately signed and encrypted. At the user system (2), the received e-mail identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware which is distributed by e-mail may be identified by characteristics of its carrier e-mail rather than characteristics of the malware itself which not yet have been properly analyzed or the mechanisms for detecting such characteristics of the malware itself not yet put in place.

131 Citations

29 Claims

1. A computer program product embodied on a tangible computer readable medium operable to control a computer to detect an item of malware carried by an e-mail message, said computer program product comprising:
- rule receiving code operable to receive from a remote source an e-mail identifying content filtering rule defining one or more characteristics of an e-mail message indicative of said e-mail message carrying said item of malware;
  
  message receiving code operable to receive a target e-mail message;
  
  content filtering code operable to apply said e-mail identifying content filtering rule to said target e-mail message to detect if said target e-mail message has said one or more characteristics and, if said target e-mail message has said one or more characteristics, then triggering a suspected malware found action;
  
  wherein detection action of said e-mail identifying content filtering rule is reported with a detection activity report to a remote report collector;
  
  wherein said detection activity report includes an indication of whether a target e-mail message which has said one or more characteristics was inbound to a predetermined computer network or outbound from said predetermined computer network;
  
  wherein said suspected malware found action includes suspending delivery of said target e-mail message;
  
  wherein a target e-mail message for which delivery has been suspended may be released to be rescanned by one or more content filtering rules at a later time;
  
  wherein said one or more characteristics include one or more of;
  
  a sender field matching predetermined characteristics;
  
  a relay field matching predetermined characteristics;
  
  a subject field matching predetermined characteristics;
  
  a body message matching predetermined characteristics;
  
  an attachment having a file type matching predetermined characteristics;
  
  an attachment having a filename matching predetermined characteristics; and
  
  SMTP structure matching predetermined characteristics;
  
  wherein said e-mail identifying content filtering rule is auto-rescinding in response to detection of predetermined conditions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A computer program product as claimed in claim 1, wherein said e-mail identifying content filtering rule is received from said remote source within a rule transmitting e-mail message.
  - 3. A computer program product as claimed in claim 2, wherein said rule transmitting e-mail message includes an electronic signature for authentication and said electronic signature is verified before said e-mail identifying content filtering rule is used.
  - 4. A computer program product as claimed in claim 2, wherein said rule transmitting e-mail message is encrypted and said rule transmitting e-mail message is decrypted before said e-mail identifying content filtering rule is used.
  - 5. A computer program product as claimed in claim 1, wherein said e-mail identifying content filtering rule is received from said remote source by one of a multicast from said remote source and a download from said remote source.
  - 6. A computer program product as claimed in claim 1, wherein said detection activity report includes a sample of said item of malware.
  - 7. A computer program product as claimed in claim 1, wherein a target e-mail message for which delivery has been suspended may be released for deliver at a later time.
  - 8. A computer program product as claimed in claim 1, wherein said one or more characteristics include one or more characteristics of SMTP data forming said target e-mail message.
  - 9. A computer program product as claimed in claim 8, wherein said SMTP structure matching predetermined characteristics include formatting errors within a header of said e-mail message and an absence of a normal heading provided by genuine e-mail programs.
  - 10. A computer program product as claimed in claim 1, wherein a received e-mail identifying content filtering rule is one of automatically made active or made active once confirmed for use by a user input.
  - 11. A computer program product as claimed in claim 10, wherein a priority level associated with said received e-mail identifying content filtering rule and predetermined user specified parameters determine if said received e-mail identifying content filtering rule is automatically made active or made active once confirmed for use by a user input.
  - 12. A computer program product as claimed in claim 1, further comprising rule altering code operable to receive from a remote source a rule altering message and in response to receipt of said rule altering message alter said e-mail identifying content filtering rule.
  - 13. A computer program product as claimed in claim 12, wherein a received rule altering message is one of automatically responded to or responded to once confirmed by a user input.
  - 14. A computer program product as claimed in claim 12, wherein said rule altering message is one of a rule rescinding message which serves to rescind said e-mail identifying content filtering rule and a rule superseding message which serves to supersede said e-mail identifying content filtering rule.
  - 15. A computer program product as claimed in claim 1, wherein said detection activity report includes a number of target e-mail messages which have said one or more characteristics over a predetermined period of time, and a sample of said item of malware present in said target e-mail messages which have said one or more characteristics.
  - 16. A computer program product as claimed in claim 1, wherein said target e-mail message is released after one of:
    - it is determined that said item of malware is not actually real, and said target e-mail message has been cleaned of said item of malware.

17. A method of detecting an item of malware carried by an e-mail message, said method comprising the steps of:
- receiving from a remote source an e-mail identifying content filtering rule defining one or more characteristics of an e-mail message indicative of said e-mail message carrying said item of malware;
  
  receiving a target e-mail message;
  
  applying said e-mail identifying content filtering rule to said target e-mail message to detect if said target e-mail message has said one or more characteristics; and
  
  if said target e-mail message has said one or more characteristics, then triggering a suspected malware found action;
  
  wherein detection action of said e-mail identifying content filtering rule is reported with a detection activity report to a remote report collector;
  
  wherein said detection activity report includes an indication of whether a target e-mail message which has said one or more characteristics was inbound to a predetermined computer network or outbound from said predetermined computer network;
  
  wherein said suspected malware found action includes suspending delivery of said target e-mail message;
  
  wherein a target e-mail message for which delivery has been suspended may be released to be rescanned by one or more content filtering rules at a later time;
  
  wherein said one or more characteristics include one or more of;
  
  a sender field matching predetermined characteristics;
  
  a relay field matching predetermined characteristics;
  
  a subject field matching predetermined characteristics;
  
  a body message matching predetermined characteristics;
  
  an attachment having a file type matching predetermined characteristics;
  
  an attachment having a filename matching predetermined characteristics; and
  
  SMTP structure matching predetermined characteristics;
  
  wherein said e-mail identifying content filtering rule is auto-rescinding in response to detection of predetermined conditions.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. A method as claimed in claim 17, wherein said e-mail identifying content filtering rule is received from said remote source within a rule transmitting e-mail message.
  - 19. A method as claimed in claim 18, wherein said rule transmitting e-mail message includes an electronic signature for authentication and said electronic signature is verified before said e-mail identifying content filtering rule is used.
  - 20. A method as claimed in claim 18, wherein said rule transmitting e-mail message is encrypted and said rule transmitting e-mail message is decrypted before said e-mail identifying content filtering rule is used.
  - 21. A method as claimed in claim 17, wherein said e-mail identifying content filtering rule is received from said remote source by one of a multicast from said remote source and a download from said remote source.
  - 22. A method as claimed in claim 17, wherein said detection activity report includes a sample of said item of malware.
  - 23. A method as claimed in claim 17, wherein a target e-mail message for which delivery has been suspended may be released for delivery at a later time.
  - 24. A method as claimed in claim 17, wherein said one or more characteristics include one or more characteristics of SMTP data forming said target e-mail message.
  - 25. A method as claimed in claim 17, wherein a received e-mail identifying content filtering rule is one of automatically made active or made active once confirmed for use by a user input.
  - 26. A method as claimed in claim 25, wherein a priority level associated with said received e-mail identifying content filtering rule and predetermined user specified parameters determine if said received e-mail identifying content filtering rule is automatically made active or made active once confirmed for use by a user input.
  - 27. A method as claimed in claim 17, further comprising the steps of:
    - receiving from a remote source a rule altering message; and
      
      in response to receipt of said rule altering message altering said e-mail identifying content filtering rule.
  - 28. A method as claimed in claim 27, wherein a received rule altering message is one of automatically responded to or responded to once confirmed by a user input.
  - 29. A method as claimed in claim 27, wherein said rule altering message is one of a rule rescinding message which serves to rescind said e-mail identifying content filtering rule and a rule superseding message which serves to supersede said e-mail identifying content filtering rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Tarbotton, Lee Codel Lawson, Gudgion, Kevin Andrew
Primary Examiner(s)
Wiley; David
Assistant Examiner(s)
Avellino; Joseph E.

Application Number

US10/142,167
Time in Patent Office

1,873 Days
Field of Search

709/220, 709217-219, 709204-206, 713/188
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

Detecting malware carried by an e-mail message

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malware carried by an e-mail message

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links