Rule set-based system and method for advanced virus protection

US 7,765,593 B1
Filed: 06/24/2004
Issued: 07/27/2010
Est. Priority Date: 06/24/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

preventing mass-mailing-type malware from sending electronic messages via a network;

preventing malware from communicating;

preventing opening of unrecognized attachments; and

preventing executable files from being infected via the network;

wherein a graphical user interface is utilized, the graphical user interface associated with;

a first field adapted for receiving an identifier of a rule;

a second field adapted for receiving a selection of a process to which the rule is to be applied;

a third field adapted for receiving a selection of at least one file or directory to which the rule is to be applied;

a fourth field adapted for receiving a selection of at least one action that triggers the rule to be applied to the selected process and at least one file or directory; and

a fifth field adapted for receiving a selection of an operation to be carried out in response to the action.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided for preventing malware infection. In use, mass-mailing-type malware is prevented from sending electronic messages via a network. Malware is also prevented from communicating. Still yet, unrecognized attachments are prevented from opening, and executable files are prevented from being infected via the network.

52 Citations

View as Search Results

42 Claims

1. A method, comprising:
- preventing mass-mailing-type malware from sending electronic messages via a network;
  
  preventing malware from communicating;
  
  preventing opening of unrecognized attachments; and
  
  preventing executable files from being infected via the network;
  
  wherein a graphical user interface is utilized, the graphical user interface associated with;
  
  a first field adapted for receiving an identifier of a rule;
  
  a second field adapted for receiving a selection of a process to which the rule is to be applied;
  
  a third field adapted for receiving a selection of at least one file or directory to which the rule is to be applied;
  
  a fourth field adapted for receiving a selection of at least one action that triggers the rule to be applied to the selected process and at least one file or directory; and
  
  a fifth field adapted for receiving a selection of an operation to be carried out in response to the action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 2. The method as recited in claim 1, wherein the mass-mailing-type malware is capable of sending a multiplicity of electronic messages to a multiplicity of recipients.
  - 3. The method as recited in claim 1, wherein the mass-mailing-type malware is prevented from sending the electronic messages by preventing use of a predetermined port.
  - 4. The method as recited in claim 3, wherein the predetermined port includes port 25.
  - 5. The method as recited in claim 4, wherein the preventing of the mass-mailing-type-malware from sending the electronic messages is carried out by preventing use of port 25, which also prevents sending the electronic messages to e-mail servers.
  - 6. The method as recited in claim 1, wherein the mass-mailing-type malware is prevented from sending the electronic messages by utilizing a white list for conditionally preventing the sending of the electronic messages based on a predetermined aspect.
  - 7. The method as recited in claim 6, wherein the predetermined aspect includes a recipient address.
  - 8. The method as recited in claim 6, wherein the predetermined aspect includes an application identifier.
  - 9. The method as recited in claim 8, wherein the application identifier identifies an application that legitimately sends e-mail.
  - 10. The method as recited in claim 1, wherein the malware is prevented from communicating by utilizing a white list for conditionally preventing the communicating based on a predetermined aspect.
  - 11. The method as recited in claim 10, wherein the predetermined aspect includes an application identifier.
  - 12. The method as recited in claim 10, wherein the communication includes code that copies itself using FTP.
  - 13. The method as recited in claim 10, wherein the communication includes downloading at least one of a Trojan, adware and spyware using HTTP.
  - 14. The method as recited in claim 10, wherein the communication includes downloading at least one of a Trojan, adware and spyware using FTP.
  - 15. The method as recited in claim 10, wherein the communication includes informing a source of malware of a location of the malware and receiving instructions from the source to send the malware to other recipients.
  - 16. The method as recited in claim 10, wherein the prevention of communication by the malware stops the malware from spreading to other recipients.
  - 17. The method as recited in claim 1, wherein the opening of unrecognized attachments is prevented by preventing the opening of the unrecognized attachments when residing in a temporary directory.
  - 18. The method as recited in claim 1, wherein the prevention of the opening of the unrecognized attachments is subject to user tuning.
  - 19. The method as recited in claim 18, wherein the user tuning involves limiting the prevention of the opening of the unrecognized attachments to situations where the unrecognized attachments are received via a web page.
  - 20. The method as recited in claim 18, wherein the user tuning involves limiting the prevention of the opening of the unrecognized attachments to situations where the unrecognized attachments are received via an electronic message.
  - 21. The method as recited in claim 1, wherein the executable files are prevented from being infected via the network by determining whether a request to open the executable files is a local request or a remote request.
  - 22. The method as recited in claim 21, wherein the executable files are prevented from being infected by conditionally allowing the opening thereof based on whether the request is the local request or the remote request.
  - 23. The method as recited in claim 22, wherein conditionally allowing the opening of the executable files based on whether the request is the local request or the remote requests utilizes location-based rules.
  - 24. The method as recited in claim 23, wherein the location-based rules include preventing network users from changing executables.
  - 25. The method as recited in claim 23, wherein the location-based rules include preventing network users from changing executables associated with an operating system.
  - 26. The method as recited in claim 21, wherein rules tuned to specific directories are utilized for determining whether the request to open the executable files is the local request or the remote request.
  - 27. The method as recited in claim 1, wherein the method is utilized to counter terrorism.
  - 28. The method as recited in claim 1, wherein the opening of the unrecognized attachments is prevented by preventing web browsers, e-mail clients and archive extracting programs from executing the unrecognized attachments.
  - 29. The method as recited in claim 1, wherein the malware is prevented from communicating by preventing a first component of malware from communicating with a second component of malware, the first component of malware including a virus and the second component of malware including a Trojan.
  - 30. The method as recited in claim 1, wherein the malware is prevented from communicating by preventing communications over predetermined communication channels.
  - 31. The method as recited in claim 30, wherein the communications over the predetermined communication channels are prevented for preventing the malware from at least one of copying an entirety of itself to a device, downloading other malware, and receiving instructions from an associated master.
  - 32. The method as recited in claim 30, wherein the predetermined communication channels include a file transfer protocol (FTP).
  - 33. The method as recited in claim 30, wherein the predetermined communication channels include a hypertext transfer protocol (HTTP).
  - 34. The method as recited in claim 30, wherein the predetermined communication channels include an internet relay chat (IRC) protocol.

35. A computer program product embodied on a computer readable medium, comprising:
- computer code for preventing mass-mailing-type malware from sending electronic messages via a network;
  
  computer code for preventing malware from communicating;
  
  computer code for preventing opening of unrecognized attachments; and
  
  computer code for preventing executable files from being infected via the network;
  
  wherein the computer program product is operable such that a graphical user interface is utilized, the graphical user interface associated with;
  
  a first field adapted for receiving an identifier of a rule;
  
  a second field adapted for receiving a selection of a process to which the rule is to be applied;
  
  a third field adapted for receiving a selection of at least one file or directory to which the rule is to be applied;
  
  a fourth field adapted for receiving a selection of at least one action that triggers the rule to be applied to the selected process and at least one file or directory; and
  
  a fifth field adapted for receiving a selection of an operation to be carried out in response to the action.

36. A graphical user interface system embodied on a computer readable medium for defining a rule to prevent malware infection, comprising:
- a first field associated with a graphical user interface, the first field adapted for receiving an identifier of a rule;
  
  a second field associated with the graphical user interface, the second field adapted for receiving a selection of a process to which the rule is to be applied;
  
  a third field associated with the graphical user interface, the third field adapted for receiving a selection of at least one file or directory to which the rule is to be applied;
  
  a fourth field associated with the graphical user interface, the fourth field adapted for receiving a selection of at least one action that triggers the rule to be applied to the selected process and at least one file or directory; and
  
  a fifth field associated with the graphical user interface, the fifth field adapted for receiving a selection of an operation to be carried out in response to the action.
- View Dependent Claims (37, 38, 39, 40, 41)
- - 37. The method as recited in claim 36, wherein the process involves an application program.
  - 38. The method as recited in claim 36, wherein the action is performed by a user.
  - 39. The method as recited in claim 36, wherein the action is performed by a computer.
  - 40. The method as recited in claim 36, wherein the first field allows a user to enter a descriptive name for the rule.
  - 41. The method as recited in claim 36, wherein the identifier includes a name of the rule.

42. A method for preventing malware infection, comprising:
- preventing mass-mailing-type malware from sending electronic messages via a network by utilizing a white list for conditionally preventing the sending of the electronic messages based on at least one of a recipient address and an application identifier;
  
  preventing malware from communicating by;
  
  preventing a first component of malware from communicating with a second component of malware,preventing communications over predetermined communication channels including at least one of a file transfer protocol, a hypertext transfer protocol, and an internet relay chat protocol, andutilizing a white list for conditionally preventing communication based on an application identifier;
  
  preventing opening of unrecognized attachments when the attachments reside in a temporary directory;
  
  preventing executable files from being infected via the network by determining whether a request to open the executable files is a local request or a remote request and conditionally allowing the opening of the executable files based on whether the request is determined to be the local request or the remote request;
  
  wherein the mass-mailing-type malware is capable of sending a multiplicity of electronic messages to a multiplicity of recipients;
  
  wherein the prevention of the opening of the unrecognized attachments is limited to situations where the unrecognized attachments are received via at least one of an electronic message and a web page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Lowe, Joseph C., Spurlock, Joel R., Woodruff, Andrew A., Edwards, Jonathan L.
Primary Examiner(s)
Moorthy; Aravind K

Application Number

US10/876,524
Time in Patent Office

2,224 Days
Field of Search

713/200, 713/151, 713/165, 713/168, 713/188, 713/189, 726/24, 726/3, 726 22- 25, 709/217, 709/225
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/145   the attack involving the pr...

Rule set-based system and method for advanced virus protection

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Rule set-based system and method for advanced virus protection

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links