Controlling access to suspicious files
First Claim
1. A computer program product embodied on a tangible computer readable medium for operating a computer to review files for potential malware, comprising:
- logging code operable to maintain a statistical log having an entry for each file sent to the computer for review, each entry being arranged to store a count value indicating the number of times that the file has been sent to the computer for review and a value of one or more predetermined attributes relating to the file;
weighting table code operable to maintain a weighting table identifying, for each value of said one or more predetermined attributes, a weighting indicating the likelihood that a file having that value of said one or more predetermined attributes will be malware;
statistical log interface code operable, upon receipt of a file, to determine with reference to the statistical log the count value relating to that file;
action determination code operable, if the count value determined by the statistical log interface code exceeds a predetermined threshold, to reference the weighting table to determine the weighting to be associated with the file, based on the value of said one or more predetermined attributes associated with that file in the statistical log; and
action performing code operable to perform predetermined actions in relation to the file dependent on the weighting determined by said action determination code.
11 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a computer program product, method and data processing apparatus for reviewing files for potential malware. The computer program product comprises logging code operable to maintain a statistical log having an entry for each file sent for review, each entry being arranged to store a count value indicating the number of times that the file has been sent for review and a value of one or more predetermined attributes relating to the file. Weighting table code is also used to maintain a weighting table identifying, for each value of said one or more predetermined attributes, a weighting indicating the likelihood that a file having that value of the one or more predetermined attributes will be malware. The computer program product further comprises statistical log interface code operable, upon receipt of a file, to determine with reference to the statistical log the count value relating to that file, and action determination code operable, if the count value determined by the statistical log interface code exceeds a predetermined threshold, to reference the weighting table to determine the weighting to be associated with the file, based on the value of said one or more predetermined attributes associated with that file in the statistical log. Finally, action performing code is provided to perform predetermined actions in relation to the file depending on the weighting determined by the action determination code. It has been found that this technique is useful in identifying files that may potentially contain malware.
31 Citations
39 Claims
-
1. A computer program product embodied on a tangible computer readable medium for operating a computer to review files for potential malware, comprising:
-
logging code operable to maintain a statistical log having an entry for each file sent to the computer for review, each entry being arranged to store a count value indicating the number of times that the file has been sent to the computer for review and a value of one or more predetermined attributes relating to the file; weighting table code operable to maintain a weighting table identifying, for each value of said one or more predetermined attributes, a weighting indicating the likelihood that a file having that value of said one or more predetermined attributes will be malware; statistical log interface code operable, upon receipt of a file, to determine with reference to the statistical log the count value relating to that file; action determination code operable, if the count value determined by the statistical log interface code exceeds a predetermined threshold, to reference the weighting table to determine the weighting to be associated with the file, based on the value of said one or more predetermined attributes associated with that file in the statistical log; and action performing code operable to perform predetermined actions in relation to the file dependent on the weighting determined by said action determination code. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A method of operating a computer to review files for potential malware, comprising the steps of:
-
(a) maintaining a statistical log having an entry for each file sent to the computer for review, each entry being arranged to store a count value indicating the number of times that the file has been sent to the computer for review and a value of one or more predetermined attributes relating to the file; (b) maintaining a weighting table identifying, for each value of said one or more predetermined attributes, a weighting indicating the likelihood that a file having that value of said one or more predetermined attributes will be malware; (c) upon receipt of a file, determining with reference to the statistical log the count value relating to that file; (d) if the count value determined at said step (c) exceeds a predetermined threshold, referencing the weighting table to determine the weighting to be associated with the file, based on the value of said one or more predetermined attributes associated with that file in the statistical log; and (e) performing predetermined actions in relation to the file dependent on the weighting determined at said step (d). - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
-
27. A data processing apparatus including a tangible computer readable medium for reviewing files for potential malware, comprising:
-
logging logic operable to maintain a statistical log having an entry for each file sent to the computer for review, each entry being arranged to store a count value indicating the number of times that the file has been sent to the computer for review and a value of one or more predetermined attributes relating to the file; weighting table logic operable to maintain a weighting table identifying, for each value of said one or more predetermined attributes, a weighting indicating the likelihood that a file having that value of said one or more predetermined attributes will be malware; statistical log interface logic operable, upon receipt of a file, to determine with reference to the statistical log the count value relating to that file; action determination logic operable, if the count value determined by the statistical log interface logic exceeds a predetermined threshold, to reference the weighting table to determine the weighting to be associated with the file, based on the value of said one or more predetermined attributes associated with that file in the statistical log; and action performing logic operable to perform predetermined actions in relation to the file dependent on the weighting determined by said action determination logic. - View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
-
Specification