Identifying threats in electronic messages
First Claim
1. An apparatus, comprising:
a network interface;
one or more processors coupled to the network interface;
logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform:
receiving an electronic mail message having a destination address for a recipient account;
determining a virus score value for the message based upon a plurality of rules that specify attributes of messages that are known to contain computer viruses;
wherein each rule has a weight proportional to a number of attributes specified in the rule;
wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
wherein the virus score value is determined as a first sum of products of each of score values returned by the plurality of rules multiplied by a weight associated with a corresponding rule from the plurality of rules and dividing the first sum by a second sum of the weights associated with the plurality of rules;
when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.
Abstract
Early detection of computer viruses and other message-borne threats is provided by applying heuristic tests to message content and examining sender reputation information when no virus signature information is available. As a result, a messaging gateway can suspend delivery of messages early in a virus outbreak, providing sufficient time for updating an anti-virus checker that can strip virus code from the messages. A dynamic and flexible threat quarantine queue is provided with a variety of exit criteria and exit actions that permits early release of messages in other than first in, first-out order. A message scanning method is described in which early exit from parsing and scanning can occur by matching threat rules only to selected message elements and stopping rule matching as soon as a match on one message element exceeds a threat threshold.
23 Claims
10. A method, comprising:
receiving an electronic mail message having a destination address for a recipient account;
determining a virus score value for the message based upon a plurality of rules that specify attributes of messages that are known to contain computer viruses;
wherein each rule has a weight proportional to a number of attributes specified in the rule;
wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
wherein the virus score value is determined as a first sum of products of each of score values returned by the plurality of rules multiplied by a weight associated with a corresponding rule from the plurality of rules and dividing the first sum by a second sum of the weights associated with the plurality of rules;
when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account;
wherein the method is performed by one or more processors.
19. A non-transitory computer readable storage medium, storing one or more sequences of instructions, which, when executed by one or more processors, cause the one or more processors to perform:
receiving an electronic mail message having a destination address for a recipient account;
determining a virus score value for the message based upon a plurality of rules that specify attributes of messages that are known to contain computer viruses;
wherein each rule has a weight proportional to a number of attributes specified in the rule;
wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
wherein the virus score value is determined as a first sum of products of each of score values returned by the plurality of rules multiplied by a weight associated with a corresponding rule from the plurality of rules and dividing the first sum by a second sum of the weights associated with the plurality of rules;
when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.
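As an added illustration (not code from the patent or from any product it covers), the scoring formula shared by claims 1, 10 and 19 in Python: each rule's weight is the number of attributes it specifies, a rule's score is the fraction of its attributes that match the message, the virus score is the weighted sum divided by the sum of weights, and a message at or above the threshold is quarantined rather than delivered. The message fields, the two rules, their attribute checks and the threshold are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed message shape: sender, subject, body and one optional attachment.
@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachment_name: str = ""
    attachment_size: int = 0

# A rule specifies several attributes; its weight is the number of attributes
# (weight proportional to attribute count, as claimed) and its score is the
# fraction of those attributes that match the message.
@dataclass
class Rule:
    name: str
    attributes: List[Callable[[Message], bool]]

    @property
    def weight(self) -> int:
        return len(self.attributes)

    def score(self, msg: Message) -> float:
        hits = sum(1 for attr in self.attributes if attr(msg))
        return hits / len(self.attributes)

def virus_score(msg: Message, rules: List[Rule]) -> float:
    """sum(score_i * weight_i) / sum(weight_i), as in the claims."""
    total_weight = sum(r.weight for r in rules)
    if total_weight == 0:
        return 0.0
    return sum(r.score(msg) * r.weight for r in rules) / total_weight

def should_quarantine(msg: Message, rules: List[Rule], threshold: float = 0.5) -> bool:
    """True when the message goes to the quarantine queue instead of delivery."""
    return virus_score(msg, rules) >= threshold

# Constructed rule set; extensions, size bound and lure phrases are illustrative.
EXEC_EXT = (".exe", ".scr", ".pif", ".bat")
RULES = [
    Rule("executable-attachment", [
        lambda m: m.attachment_name.lower().endswith(EXEC_EXT),   # attachment type
        lambda m: 0 < m.attachment_size < 200_000,                # attachment size
    ]),
    Rule("lure-heuristics", [
        lambda m: "your document" in m.subject.lower(),           # subject heuristic
        lambda m: "open the attached" in m.body.lower(),          # body heuristic
        lambda m: "@" not in m.sender,                            # malformed sender
    ]),
]
```

With the constructed rules, a message carrying a small .scr attachment, a "your document" subject and an "open the attached" body scores (1.0*2 + (2/3)*3)/5 = 0.8 and is quarantined, while a plain text message with no attachment scores 0.0.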