Send blocking system and method
Abstract
A method includes hooking a send operating system function, originating a call to the send operating system function with a call module to send the content of a send buffer, stalling the call, and determining whether the call module or a copy of the call module are in the send buffer. Upon a determination that the call module or a copy of the call module are in the send buffer, the method further includes terminating the call. By terminating the call, the call module comprising malicious code is prevented from sending itself or a copy of itself to other host computer systems thus preventing the spread of the call module.
18 Claims
1. A method comprising:
- stalling a call originating from a call module to a send operating system (OS) function to send the content of a send buffer;
- determining a location of said call module; and
- determining whether code of said call module is in said send buffer comprising;
  - determining a starting memory location of said send buffer;
  - determining an ending memory location of said send buffer; and
  - determining whether said location of said call module is between said starting memory location and said ending memory location,
- wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises;
  - comparing said call module to content of said send buffer; and
  - determining whether said call module matches said content of said send buffer,
- wherein upon a determination that said location of said call module does match said content of said send buffer, a determination is made that said code of said call module is in said send buffer,
- wherein upon a determination that said code of said call module is in said send buffer during said determining, said method further comprising terminating said call.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A method comprising:
- stalling a call originating from a call module to a send operating system (OS) function to send the content of a send buffer;
- determining a location of said call module; and
- determining whether code of said call module is in said send buffer comprising;
  - determining a starting memory location of said send buffer;
  - determining an ending memory location of said send buffer; and
  - determining whether said location of said call module is between said starting memory location and said ending memory location,
- wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises;
  - comparing said call module to content of said send buffer; and
  - determining whether said call module matches said content of said send buffer,
- wherein upon a determination that said call module does match said content of said send buffer, a determination is made that said code of said call module is in said send buffer;
- wherein upon a determination that said code of said call module is in said send buffer during said determining, said method further comprising determining whether said call module is a known false positive call module; and
- wherein upon a determination that said code of said call module is not in said send buffer during said determining, said method further comprising allowing said call to proceed.

Dependent claims: 12, 13, 14

15. A computer system comprising:
- a send blocking application for stalling a call originating from a call module to a send operating system (OS) function to send the content of a send buffer;
- said send blocking application further for determining a location of said call module; and
- said send blocking application further for determining whether code of said call module is in said send buffer comprising;
  - determining a starting memory location of said send buffer;
  - determining an ending memory location of said send buffer; and
  - determining whether said location of said call module is between said starting memory location and said ending memory location,
- wherein upon a determination that said location of said call module is not between said starting memory location and said ending memory location, said determining whether code of said call module is in said send buffer further comprises;
  - comparing said call module to content of said send buffer; and
  - determining whether said call module matches said content of said send buffer,
- wherein upon a determination that said call module does match said content of said send buffer, a determination is made that said code of said call module is in said send buffer,
- wherein upon a determination that said code of said call module is in said send buffer during said determining, said send blocking application further for terminating said call.

Dependent claims: 16, 17, 18
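The two-stage check recited in the claims (address-range test first, content comparison second), written out as an added C sketch that is not code from the patent. `call_module_t`, `check_send` and the sample bytes are hypothetical and constructed for illustration; letting a known false positive proceed is an assumption, since claim 11 only recites that the determination is made.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { SEND_ALLOW, SEND_TERMINATE } verdict_t;

/* Hypothetical descriptor of the code that issued the stalled send call. */
typedef struct {
    const uint8_t *base;   /* where the call module's code starts */
    size_t size;           /* length of that code in bytes */
    const uint8_t *caller; /* location the call originated from */
} call_module_t;

/* Stage 2: does the send buffer hold a byte-for-byte copy of the module? */
static int holds_copy(const uint8_t *buf, size_t len, const call_module_t *m) {
    if (m->size == 0 || m->size > len) return 0;
    for (size_t i = 0; i + m->size <= len; i++)
        if (memcmp(buf + i, m->base, m->size) == 0) return 1;
    return 0;
}

/* Runs while the hooked send call is stalled.
   Assumption: a known false positive (known_fp != 0) is allowed to proceed. */
verdict_t check_send(const call_module_t *m, const uint8_t *buf, size_t len, int known_fp) {
    uintptr_t start = (uintptr_t)buf, end = start + len;
    uintptr_t loc = (uintptr_t)m->caller;
    int in_buf = (loc >= start && loc < end);      /* stage 1: location in range */
    if (!in_buf) in_buf = holds_copy(buf, len, m); /* stage 2: content match */
    if (!in_buf) return SEND_ALLOW;
    return known_fp ? SEND_ALLOW : SEND_TERMINATE;
}

/* Constructed sample data: placeholder bytes, not real code. */
static const uint8_t module_code[] = { 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18 };
static const uint8_t benign_buf[] = "GET /index.html HTTP/1.1\r\n\r\n";
static uint8_t copy_buf[32]; /* message header followed by a copy of the module */
static const call_module_t sample = { module_code, sizeof module_code, module_code + 2 };
static const call_module_t in_buffer_caller = { module_code, sizeof module_code, benign_buf + 3 };

size_t fill_copy_buf(void) {
    memcpy(copy_buf, "HDR:", 4);
    memcpy(copy_buf + 4, module_code, sizeof module_code);
    return 4 + sizeof module_code;
}

int main(void) {
    printf("benign send:     %d\n", check_send(&sample, benign_buf, sizeof benign_buf - 1, 0));
    printf("copy in buffer:  %d\n", check_send(&sample, copy_buf, fill_copy_buf(), 0));
    printf("caller in range: %d\n", check_send(&in_buffer_caller, benign_buf, sizeof benign_buf - 1, 0));
    return 0;
}
```

The byte-for-byte comparison only catches an unmodified copy; a module that encodes or compresses itself before sending would pass stage 2 as written here.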
Specification