Blocking replication of e-mail worms

US 7,631,353 B2
Filed: 12/17/2002
Issued: 12/08/2009
Est. Priority Date: 12/17/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for blocking the replication of computer worms in a computer, said method comprising the steps of:

for an e-mail program installed on the computer, finding the location of a temporary holding area used by the e-mail program for storing and opening e-mail attachments, the email attachments comprising target programs;

monitoring the temporary holding area for openings of target programs stored within the temporary holding area;

implementing a worm mitigation procedure when a target program is opened for execution and prior to detection of a worm in the target program, wherein the worm mitigation procedure comprises preventing the target program from accessing port 25; and

when the target program attempts to access port 25;

alerting a user of the computer; and

executing a false positive mitigation procedure, wherein the target program is allowed to access port 25 when a false positive is found.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methods, apparati, and computer-readable media for blocking the replication of computer worms in a computer. A method of the present invention comprises the steps of: for an e-mail program installed on the computer, finding the location of a temporary holding area used by the e-mail program for storing and opening e-mail attachments; monitoring the temporary holding area for openings of target programs stored within the temporary holding area; and upon the opening of a target program for execution, implementing a worm mitigation procedure.

76 Citations

View as Search Results

24 Claims

1. A computer-implemented method for blocking the replication of computer worms in a computer, said method comprising the steps of:
- for an e-mail program installed on the computer, finding the location of a temporary holding area used by the e-mail program for storing and opening e-mail attachments, the email attachments comprising target programs;
  
  monitoring the temporary holding area for openings of target programs stored within the temporary holding area;
  
  implementing a worm mitigation procedure when a target program is opened for execution and prior to detection of a worm in the target program, wherein the worm mitigation procedure comprises preventing the target program from accessing port 25; and
  
  when the target program attempts to access port 25;
  
  alerting a user of the computer; and
  
  executing a false positive mitigation procedure, wherein the target program is allowed to access port 25 when a false positive is found.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1 wherein the worm mitigation procedure further comprises preventing the target program from opening itself as data.
  - 3. The computer-implemented method of claim 2 wherein a user of the computer is alerted when the target program attempts to open itself as data.
  - 4. The computer-implemented method of claim 2 further comprising the step of processing the target program when the target program attempts to open itself as data.
  - 5. The computer-implemented method of claim 1, wherein a false positive is found when the target program is a self extractor.
  - 6. The computer-implemented method of claim 1 wherein the worm mitigation procedure further comprises preventing any program anywhere on the computer from opening the target program as data.
  - 7. The computer-implemented method of claim 6 wherein a user of the computer is alerted when any program anywhere on the computer attempts to open the target program as data.
  - 8. The computer-implemented method of claim 6 further comprising the step of processing the target program when any program anywhere on the computer attempts to open the target program as data.
  - 9. The computer-implemented method of claim 1 wherein a false positive is found when the target program has a valid digital signature affixed thereto.
  - 10. The computer-implemented method of claim 1 wherein a false positive is found whenthe target program passes an additional test selected by the false positive mitigation procedure.
  - 11. The computer-implemented method of claim 1 further comprising the step of processing the target program when the target program attempts to access port 25.
  - 12. The computer-implemented method of claim 1 wherein the worm mitigation procedure further comprises blocking all e-mail programs on the computer from opening any executable program on the computer as data during the time period that the target program is executing out of the temporary holding area.
  - 13. The computer-implemented method of claim 12 further comprising the step of alerting a user of the computer when the target program opens itself for execution out of the temporary holding area.
  - 14. The computer-implemented method of claim 12 further comprising the step of processing the target program when the target program opens for execution.
  - 15. The computer-implemented method of claim 1 further comprising the step of:
    - before performing the method steps of claim 1, locating all e-mail programs installed on the computer;
      
      whereinthe method steps of claim 1 are performed for each e-mail program installed on the computer.

16. An apparatus for blocking the replication of computer worms in a computer, said apparatus comprising:
- means for finding a temporary holding area used for storing and opening e-mail attachments by an e-mail program installed on the computer, the email attachments comprising target programs;
  
  coupled to the temporary holding area, a file system filter driver adapted to monitor openings of target programs stored within the temporary holding area; and
  
  coupled to the file system filter driver, a worm mitigation module adapted to;
  
  execute a worm mitigation procedure when a target program is opened for execution prior to detection of a worm in the target program, wherein the worm mitigation procedure comprises preventing the target program from accessing port 25; and
  
  when the target program attempts to access port 25;
  
  alert a user of the computer; and
  
  execute a false positive mitigation procedure, wherein the target program is allowed to access port 25 when a false positive is found.
- View Dependent Claims (17)
- - 17. The apparatus of claim 16 further comprising:
    - coupled to the means for finding a temporary holding area, means for locating all e-mail programs installed on the computer.

18. A computer-readable storage medium storing computer program instructions for blocking the replication of computer worms in a computer, said computer program instructions performing the steps of:
- for an e-mail program installed in memory on the computer, finding the location of a temporary holding area in memory on the computer used by the e-mail program for storing and opening e-mail attachments, the email attachments comprising target programs;
  
  monitoring the temporary holding area for openings of target programs stored within the temporary holding area;
  
  implementing a worm mitigation procedure when the target program opens itself for execution and prior to detection of a worm in the target program, wherein the worm mitigation procedure comprises preventing the target program from accessing port 25; and
  
  when the target program attempts to access port 25;
  
  alerting a user of the computer; and
  
  executing a false positive mitigation procedure, wherein the target program is allowed to access port 25 when a false positive is found.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The computer-readable storage medium of claim 18 wherein the worm mitigation procedure further comprises processing the target program.
  - 20. The computer-readable storage medium of claim 19 wherein processing the target program comprises blocking execution of a method being performed by the target program.
  - 21. The computer-readable storage medium of claim 19 wherein processing the target program comprises blocking a method being performed by the target program and quarantining the target program.
  - 22. The computer-readable storage medium of claim 19 wherein processing the target program comprises attempting a repair of the target program and, when the repair is successful, allowing the method being performed by the target program to proceed.
  - 23. The computer-readable storage medium of claim 19 wherein processing the target program comprises allowing a method being performed by the target program to proceed, upon instructions received from a user of the computer.
  - 24. The computer-readable storage medium of claim 18 wherein said computer program instructions perform the step of:
    - before performing the method steps of claim 18, locating all e-mail programs installed on the computer;
      
      wherein the method steps of claim 18 are performed for each e-mail program installed on the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Renert, Charles, Kennedy, Mark
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Khoshnoodi; Nadia

Application Number

US10/322,289
Publication Number

US 20040117641A1
Time in Patent Office

2,548 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

Blocking replication of e-mail worms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Blocking replication of e-mail worms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links