Virus detection by executing e-mail code in a virtual machine

US 7,607,171 B1
Filed: 11/18/2002
Issued: 10/20/2009
Est. Priority Date: 01/17/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting that executable code associated with an e-mail is harmful, the method comprising:

an act of receiving an e-mail that designates at least a first and a second destination computing system;

an act of detecting that the e-mail has associated executable code;

an act of determining an environment of the at least the first and the second destination computing system;

an act of emulating the environment of the at least the first and the second destination computing system to create a first emulated environment corresponding to the first destination computing system and a second emulated environment corresponding to the second destination computing system;

an act of executing the associated executable code in the first emulated environment and in the second emulated environment;

an act of determining whether the email is harmful and includes one or more unknown viruses by monitoring the act of executing the associated executable code in the first emulated environment and in the second emulated environment using a plurality of filters for any of one or more viral like actions;

during execution of the executable code, strategically monitoring an impact of the executable code on the hardware and software of the first emulated environment and the second emulated environment, as well as monitoring for a viral like request to transmit data over a network during execution of the executable code using the plurality of filters;

if the email is determined to include the viral like request to transmit data over the network, updating the plurality of filters to identify the one or more viral like actions in the email; and

if the email is determined not to be harmful, an act of delivering the e-mail with the associated executable code to the first destination computing system or the second destination computing system.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary isolation server receives e-mails and isolates any viral behavior from harming its intended destination. After the intermediary receives an e-mail, it determines that the e-mail has associated executable code, and then identifies the environment in which the e-mail code would be executed if delivered. The intermediary then executes the code by emulating how it would be executed in its ultimate environment. If a viral-like behavior is detected, appropriate action is taken to prevent the execution of the code at its intended destination. The attachment is executed in a contained environment that allows for the contained environment to be easily restarted in a clean state.

334 Citations

20 Claims

1. A method for detecting that executable code associated with an e-mail is harmful, the method comprising:
- an act of receiving an e-mail that designates at least a first and a second destination computing system;
  
  an act of detecting that the e-mail has associated executable code;
  
  an act of determining an environment of the at least the first and the second destination computing system;
  
  an act of emulating the environment of the at least the first and the second destination computing system to create a first emulated environment corresponding to the first destination computing system and a second emulated environment corresponding to the second destination computing system;
  
  an act of executing the associated executable code in the first emulated environment and in the second emulated environment;
  
  an act of determining whether the email is harmful and includes one or more unknown viruses by monitoring the act of executing the associated executable code in the first emulated environment and in the second emulated environment using a plurality of filters for any of one or more viral like actions;
  
  during execution of the executable code, strategically monitoring an impact of the executable code on the hardware and software of the first emulated environment and the second emulated environment, as well as monitoring for a viral like request to transmit data over a network during execution of the executable code using the plurality of filters;
  
  if the email is determined to include the viral like request to transmit data over the network, updating the plurality of filters to identify the one or more viral like actions in the email; and
  
  if the email is determined not to be harmful, an act of delivering the e-mail with the associated executable code to the first destination computing system or the second destination computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method in accordance with claim 1, wherein the act of determining whether the email is harmful and includes one or more unknown viruses comprises an act of determining that the act of executing does result in any one or more viral like actions to occur in the first emulated environment or in the second emulated environment the method further comprising the following:
    - an act of flagging the e-mail as having associated viral code.
  - 3. A method in accordance with claim 1, wherein the act of determining whether the email is harmful and includes one or more unknown viruses comprises an act of determining that the act of executing does result in any one or more viral like actions to occur in the first emulated environment or in the second emulated environment, the method further comprising:
    - an act of determining a sender of the e-mail; and
      
      an act of restricting future e-mail deliveries from the sender.
  - 4. A method in accordance with claim 1, wherein the act of determining whether the email is harmful and includes one or more unknown viruses comprises an act of determining that the act of executing does result in any one or more viral like actions to occur in the first emulated environment or in the second emulated environment, the method further comprising the following:
    - an act of notifying the first destination computing system or the second destination computing system that an email has been detected that may result in viral actions to occur.
  - 5. A method in accordance with claim 1, wherein the act of determining whether the email is harmful and includes one or more unknown viruses comprises an act of determining that the act of executing does result in any one or more viral like actions to occur in the first emulated environment or in the second emulated environment, the method further comprising the following:
    - an act of notifying a system administrator that an e-mail has been detected that may result in viral actions to occur.
  - 6. A method in accordance with claim 1, wherein:
    - the act of determining the first environment of the at least the first and the second destination computing system comprises an act of determining a first operating system running on the first destination computing system and determining a second operating system running on the second destination computing system;
      
      the act of executing the associated executable code in the first emulated environment and in the second emulated environment comprises an act of executing the associated executable code using the first operating system and executing the associated executable code using the second operating system.
  - 7. A method in accordance with claim 1, wherein the executable code is an executable attachment of the e-mail.
  - 8. A method in accordance with claim 1, wherein the executable code is embedded within the body of the e-mail.
  - 9. A method in accordance with claim 1, wherein the e-mail is a first email, and the associated executable code is first associated executable code, the method further comprising:
    - an act of receiving a second e-mail, the second e-mail designating the second intended destination computing system;
      
      an act of detecting that the second e-mail has second associated executable code;
      
      an act of executing the second associated executable code in the second emulated environment; and
      
      an act of determining whether the second email is harmful and includes one or more unknown viruses by monitoring, using a second plurality of filters, the act of executing the second associated executable code for any of one or more viral like actions and requests to transmit data over the network to occur in the second emulated environment; and
      
      during the execution of the executable code, strategically monitoring, using the second plurality of filters, the impact of the second associated executable code on the hardware and software of the second emulated environment, as well as monitoring for a viral like request to transmit data over the network during the execution of the second associated executable code.
  - 10. A method in accordance with claim 1, wherein the act of determining an environment of the at least one intended destination computing system comprises an act of determining an operating system running on an intended destination computing system;
    - and;
      
      the act of executing the associated executable code comprises an act of executing the associated executable code using the same operating system version that is running on the intended destination computing system.
  - 11. A method accordance with claim 1, wherein the act of determining the environment of the at least the first and the second destination computing system comprises the following:
    - an act of identifying client software running on an intended destination computing system.
  - 12. A method in accordance with claim 1, wherein the act of determining the environment of the at least the first and the second destination computing system comprises the following:
    - an act of identifying one or more programs that are running on the first destination computing system or on the second destination computing system.

13. A computer program product for implementing a method for detecting that executable code associated with an e-mail is harmful, the computer program product comprising one or more physical computer-readable media having thereon the following:
- computer-executable instructions for detecting the receipt of an e-mail that designates at least a first and a second destination computing system;
  
  computer-executable instructions for detecting that the e-mail has associated executable code;
  
  computer-executable instructions for determining an environment of the at least the first and the second destination computing system;
  
  computer-executable instructions for emulating the environment of the at least the first and the second destination computing system to create a first emulated environment corresponding to the first destination computing system and a second emulated environment corresponding to the second destination computing system;
  
  computer-executable instructions for executing the associated executable code in the first emulated environment and in the second emulated environment; and
  
  computer-executable instructions for determining whether the email is harmful and includes one or more unknown viruses by monitoring the act of executing the associated executable code in the first emulated environment and in the second emulated environment using a plurality of filters for any of one or more viral like actions;
  
  computer-executable instructions for strategically monitoring during execution of the executable code, strategically monitoring an impact of the executable code on the hardware and software of the first emulated environment and the second emulated environment, as well as monitoring for a viral like request to transmit data over a network during execution of the executable code using the plurality of filters;
  
  computer-executable instructions for updating the plurality of filters to identify one or more viral like actions associated with the email if the email is determined to include the viral like request to transmit data over the network; and
  
  computer-executable instructions for delivering the e-mail with the associated executable code to the first destination computing system or the second destination computing system if the email is determined not to be harmful.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. A computer program product in accordance with claim 13, wherein the one or more physical computer-readable media are physical storage media.
  - 15. A computer program product in accordance with claim 13, wherein the computer-executable instructions for determining whether the email is harmful comprise computer-executable instructions for determining that one or more viral actions have occurred in the first emulated environment or in the second emulated environment, the physical computer-readable media further having thereon the following:
    - computer-executable instructions for flagging the e-mail as having associated viral code.
  - 16. A computer program product in accordance with claim 13, wherein the computer-executable instructions for determining whether the email is harmful and includes one or more unknown viruses comprise computer-executable instructions for determining that one or more viral like actions and requests have occurred in the first emulated environment or in the second emulated environment, the physical computer-readable media further having thereon the following:
    - computer-executable instructions for determining a sender of the e-mail; and
      
      computer-executable instructions for restricting future e-mail deliveries from the sender.
  - 17. A computer program product in accordance with claim 13, wherein the computer-executable instructions for determining whether the email is harmful and includes one or more unknown viruses comprise computer-executable instructions for determining that one or more viral like actions and requests have occurred in the first emulated environment or in the second emulated environment, the physical computer-readable media further having thereon the following:
    - computer-executable instructions for notifying the at least one intended destination computing system or an associated system administrator that an e-mail has been detected that may result in viral like actions or requests to occur.
  - 18. A computer program product in accordance with claim 13, wherein the first emulated environment is different from the second emulated environment.
  - 19. A computer program product in accordance with claim 13, wherein the email is a first e-mail and the associated executable code is first associated executable code, the one or more physical computer-readable media further having thereon the following:
    - computer-executable instructions for detecting the receipt of a second e-mail, the second e-mail designating a second intended destination computing system;
      
      computer-executable instructions for detecting that the second e-mail has second associated executable code;
      
      computer-executable instructions for executing the second associated executable code in the second emulated environment;
      
      computer-executable instructions for determining whether the email is harmful and includes one or more unknown viruses by monitoring executing results, using a second plurality of filters, for any of one or more viral like actions and requests to transmit data over the network; and
      
      computer-executable instructions for strategically monitoring, using the second plurality of filters, during execution of the second associated executable code the impact of the second associated executable code on the hardware and software of the second emulated environment, as well as monitoring for a viral like request to transmit data over the network during execution of the second associated executable code.
  - 20. A computer program product in accordance with claim 13, wherein the computer-executable instructions for determining whether the email is harmful and includes one or more unknown viruses comprises computer-executable instructions for determining whether the email includes one or more known viruses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Avinti (Singapore Telecommunications Limited)
Inventors
Green, David E., Marsden, Walter L.
Primary Examiner(s)
Nalven; Andrew L

Application Number

US10/299,452
Time in Patent Office

2,528 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

Virus detection by executing e-mail code in a virtual machine

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

334 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virus detection by executing e-mail code in a virtual machine

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

334 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links