Send blocking system and method

US 7,287,281 B1
Filed: 06/17/2003
Issued: 10/23/2007
Est. Priority Date: 06/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

stalling a call originating from a call module to a send operating system (OS) function to send the content of a send buffer;

determining a location of said call module; and

determining whether code of said call module is in said send buffer comprising;

determining a starting memory location of said send buffer;

determining an ending memory location of said send buffer; and

determining whether said location of said call module is between said starting memory location and said ending memory location,wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises;

comparing said call module to content of said send buffer; and

determining whether said call module matches said content of said send buffer,wherein upon a determination that said location of said call module does match said content of said send buffer, a determination is made that said code of said call module is in said send buffer,wherein upon a determination that said code of said call module is in said send buffer during said determining, said method further comprising terminating said call.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes hooking a send operating system function, originating a call to the send operating system function with a call module to send the content of a send buffer, stalling the call, and determining whether the call module or a copy of the call module are in the send buffer. Upon a determination that the call module or a copy of the call module are in the send buffer, the method further includes terminating the call. By terminating the call, the call module comprising malicious code is prevented from sending itself or a copy of itself to other host computer systems thus preventing the spread of the call module.

34 Citations

View as Search Results

18 Claims

1. A method comprising:
- stalling a call originating from a call module to a send operating system (OS) function to send the content of a send buffer;
  
  determining a location of said call module; and
  
  determining whether code of said call module is in said send buffer comprising;
  
  determining a starting memory location of said send buffer;
  
  determining an ending memory location of said send buffer; and
  
  determining whether said location of said call module is between said starting memory location and said ending memory location,wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises;
  
  comparing said call module to content of said send buffer; and
  
  determining whether said call module matches said content of said send buffer,wherein upon a determination that said location of said call module does match said content of said send buffer, a determination is made that said code of said call module is in said send buffer,wherein upon a determination that said code of said call module is in said send buffer during said determining, said method further comprising terminating said call.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein upon a determination that said code of said call module is not in said send buffer during said determining, said method further comprising allowing said call to proceed.
  - 3. The method of claim 1 further comprising hooking said send OS function.
  - 4. The method of claim 1 further comprising originating said call from said call module.
  - 5. The method of claim 1 wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises:
    - determining whether said call module is in an executable area.
  - 6. The method of claim 1 further comprising determining whether said call module is a known false positive call module prior to said terminating said call.
  - 7. The method of claim 1 further comprising taking protective action to prevent damage to a host computer system comprising said call module.
  - 8. The method of claim 1 further comprising providing a notification that said call was terminated during said terminating.
  - 9. The method of claim 1 wherein said call module comprises malicious code, said method further comprising submitting a sample of said malicious code to a virus collection center.
  - 10. The method of claim 1 further comprising identifying said send buffer by said starting memory location of said send buffer and a length of data to be sent from said send buffer.

11. A method comprising:
- stalling a call originating from a call module to a send operating system (OS) function to send the content of a send buffer;
  
  determining a location of said call module; and
  
  determining whether code of said call module is in said send buffer comprising;
  
  determining a starting memory location of said send buffer;
  
  determining an ending memory location of said send buffer;
  
  anddetermining whether said location of said call module is between said starting memory location and said ending memory location, wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises;
  
  comparing said call module to content of said send buffer;
  
  anddetermining whether said call module matches said content of said send buffer, wherein upon a determination that said call module does match said content of said send buffer, a determination is made that said code of said call module is in said send buffer;
  
  wherein upon a determination that said code of said call module is in said send buffer during said determining, said method further comprising determining whether said call module is a known false positive call module; and
  
  wherein upon a determination that said code of said call module is not in said send buffer during said determining, said method further comprising allowing said call to proceed.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11 wherein upon a determination that said call module is a known false positive call module, said method further comprising allowing said call to proceed.
  - 13. The method of claim 11 wherein upon a determination that said call module is not a known false positive call module, said method further comprising terminating said call.
  - 14. The method of claim 11 further comprising identifying said send buffer by said starting memory location of said send buffer and a length of data to be sent from said send buffer.

15. A computer system comprising:
- a send blocking application for stalling a call originating from a call module to a send operating system (OS) function to send the content of a send buffer;
  
  said send blocking application further for determining a location of said call module; and
  
  said send blocking application further for determining whether code of said call module is in said send buffer comprising;
  
  determining a starting memory location of said send buffer;
  
  determining an ending memory location of said send buffer; and
  
  determining whether said location of said call module is between said starting memory location and said ending memory location, wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises;
  
  comparing said call module to content of said send buffer; and
  
  determining whether said call module matches said content of said send buffer, wherein upon a determination that said call module does match said content of said send buffer, a determination is made that said code of said call module is in said send buffer, wherein upon a determination that said code of said call module is in said send buffer during said determining, said send blocking application further for terminating said call.
- View Dependent Claims (16, 17, 18)
- - 16. The computer system of claim 15 wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises:
    - determining whether said call module is in an executable area.
  - 17. The computer system of claim 15 wherein said determining whether code of said call module is in said send buffer comprises determining whether said call module or a copy of said call module is in said send buffer.
  - 18. The computer system of claim 15 wherein said send buffer is identified by said starting memory location of said send buffer and a length of data to be sent from said send buffer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Baum; Ronald

Application Number

US10/464,091
Time in Patent Office

1,589 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

Send blocking system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Send blocking system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others