Rapid analysis of data stream for malware presence
First Claim
1. A system for anti-malware processing of data stream, the system comprising:
a processor;
a memory coupled to the processor;
a plurality of elements stored in the memory and executed by the processor, the elements comprising:
dividing a primary data stream to form a plurality of logical data streams, wherein each logical data stream has a different data format;
a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;
a plurality of processing handlers separated from the stream buffers, each processing handler associated with one of the stream buffers and processing the data of the logical data stream buffered by its stream buffer, wherein:
each logical data stream is processed inside the processing handler associated with the stream buffer; and
each processing handler is associated with a particular data transmission mode and at least one of the processing handlers scans its logical data stream for malware presence, and wherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, and wherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.
1 Assignment
0 Petitions
Abstract
A system, method and computer program product for anti-malware processing of data stream that includes a plurality of logical data streams formed from a primary data stream; and a plurality of stream buffers, each buffering data of a corresponding logical data stream. A plurality of processing handlers each associated with one of the data streams, where the handlers are processing the data of the logical data stream buffered by its stream buffer. Each processing handler is associated with a particular functionality and at least one processing handler scans its logical data stream for malware presence. Each stream buffer has a configurable buffering policy. At least one of the processing handlers decompresses the data into one or more secondary streams. At least one of the processing handlers parses its logical data stream, creating one or more instances of secondary data streams. The scanning can be based on a signature search. At least one of the processing handlers parses its logical data stream to identify headers, wherein new secondary data streams are instantiated based on regions of interest in future stream data at positions identified by the headers. The set of conditions is stored e.g., in a table, a list, and/or a registry.
257 Citations
29 Claims
1. A system for anti-malware processing of data stream, the system comprising:
a processor;
a memory coupled to the processor;
a plurality of elements stored in the memory and executed by the processor, the elements comprising:
dividing a primary data stream to form a plurality of logical data streams, wherein each logical data stream has a different data format;
a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;
a plurality of processing handlers separated from the stream buffers, each processing handler associated with one of the stream buffers and processing the data of the logical data stream buffered by its stream buffer, wherein:
each logical data stream is processed inside the processing handler associated with the stream buffer; and
each processing handler is associated with a particular data transmission mode and at least one of the processing handlers scans its logical data stream for malware presence, and wherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, and wherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.
Dependent claims: 2 to 15.

16. A method for anti-malware processing of data stream, the method being performed on a computer having a processor and a memory, the method comprising:
generating a plurality of logical data streams by dividing a primary data stream, wherein each logical data stream has a different data format;
instantiating a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;
instantiating a plurality of processing handlers separated from the stream buffers, wherein each processing handler scans data of the logical data stream buffered by its stream buffer for malware presence;
associating each processing handler with one of the logical data streams, wherein each logical data stream is processed inside the associated processing handler; and
associating each processing handler with a particular data transmission mode, and wherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, and wherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.
Dependent claims: 17 to 25.

26. A system for anti-malware processing of data stream, the system comprising:
a processor;
a memory coupled to the processor;
a plurality of elements stored in the memory and executed by the processor, the elements comprising:
a plurality of logical data streams separated out from a primary data stream based on a data format;
a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream; and
a plurality of processing handlers separated from the stream buffers, each processing handler associated with a corresponding stream buffer and processing the logical data stream stored by its stream buffer, and each processing handler associated with a particular data transmission mode, wherein each processing handler scans its logical data stream for malware presence, wherein each logical data stream is processed inside the associated processing handler, wherein at least some of the processing handlers identify, using header information, location of regions of interest in future data in the primary data stream and instantiate new instances of stream buffers to buffer the data in the regions of interest, wherein at least one of the processing handlers is adapted to parse an email body for password information, and wherein at least one other processing handler is adapted to unpack archived files based on the password information, and wherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, and wherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

27. A system for anti-malware processing of data stream, the system comprising:
a processor;
a memory coupled to the processor;
a plurality of elements stored in the memory and executed by the processor, the elements comprising:
a primary data stream that includes emails with archived password-protected attachments;
a plurality of stream buffers, each stream buffer buffering data of a corresponding portion of the emails, wherein the portions include any of email body and the archived password-protected attachments; and
a plurality of processing handlers separated from the stream buffers, each processing handler associated with a corresponding stream buffer and processing the portion of the email stored by its stream buffer, wherein each portion of the email is processed inside the associated processing handler; wherein each processing handler scans its portion of the email for malware, wherein at least some of the processing handlers identify, using header information, location of attachments in future data in the primary data stream and instantiate new instances of stream buffers to buffer the attachments, and wherein at least one of the processing handlers parses the email body for passwords for the attachments used to unpack the attachments, and wherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, and wherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

28. A system for anti-malware processing of data stream, the system comprising:
a processor;
a memory coupled to the processor;
a plurality of elements stored in the memory and executed by the processor, the elements comprising:
a logical data stream receiving input data portion by portion from a primary data stream, wherein the logical data stream receives data of a particular format;
a stream buffer, assigned to the logical data stream, buffering the last N bytes associated with the logical data stream;
a plurality of processing handlers separated from the stream buffer assigned to the logical data stream, wherein a portion of buffered data is passed to all the assigned processing handlers and each processing handler is permitted to consume less data than the entire portion, and the remainder of the buffered data, that has not yet been consumed, is passed to one of the plurality of processing handlers together with the next portion of input data when the next portion becomes available in the stream buffer, wherein each portion of the buffered data is processed inside the assigned processing handler; wherein at least one of the processing handlers scans its associated data for malware presence, wherein the amount of data consumed by different processing handlers from the same portion of buffered data is not the same, and wherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, and wherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.

29. A non-transitory computer readable storage medium having computer executable program logic stored thereon, the computer executable program logic executing on a processor for anti-malware processing of data stream, the computer program logic comprising:
computer program code means for generating a plurality of logical data streams by dividing a primary data stream, wherein each logical data stream has a different data format;
computer program code means for instantiating a plurality of stream buffers, each stream buffer buffering data of a corresponding logical data stream;
computer program code means for instantiating a plurality of processing handlers separated from the stream buffers, wherein each processing handler scans data of the logical data stream buffered by its stream buffer for malware presence;
computer program code means for associating each processing handler with one of the logical data streams, wherein each logical data stream is processed inside the associated processing handler; and
computer program code means for associating each processing handler with a particular data transmission mode, and wherein at least several of the plurality of processing handlers are associated with a single stream buffer buffering data, and wherein different processing handlers extract different amounts of the same data buffered by the single stream buffer, and wherein the data is deleted from the single stream buffer only after multiple processing handlers associated with the single stream buffer have processed the same data.
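The shared-buffer mechanism that the abstract and claims 1, 16 and 28 recite (several processing handlers reading one stream buffer, each consuming a different amount of the same portion, the unconsumed remainder being handed back together with the next portion, and bytes being deleted only once every handler has processed them) is shown below as an added Python example. It is illustrative code written for this page, not the patentee's implementation; the names SharedStreamBuffer, SignatureScanner and LineHeaderParser, the EVIL-PAYLOAD signature and the two sample portions are all constructed here, and the upstream division of the primary stream into format-specific logical streams is assumed to have happened already.

```python
# Added example, not the patent's code: one stream buffer shared by several
# processing handlers that consume different amounts of the same data.
from typing import Callable, Dict, List

# Constructed test signature; a real engine would hold a signature database.
SIGNATURE = b"EVIL-PAYLOAD"


class SharedStreamBuffer:
    """Buffer for one logical data stream, read by several handlers.

    `base` is the absolute stream offset of buffer[0]. Each handler keeps its
    own absolute consumed offset, so handlers may lag one another; bytes are
    discarded only up to the minimum consumed offset, i.e. after *all*
    handlers have processed them.
    """

    def __init__(self) -> None:
        self.buffer = bytearray()
        self.base = 0
        self.handlers: Dict[str, Callable[[bytes], int]] = {}
        self.consumed: Dict[str, int] = {}

    def attach(self, name: str, handler: Callable[[bytes], int]) -> None:
        # A handler receives the bytes it has not yet consumed and returns how
        # many of them it is done with (possibly fewer than it was offered).
        self.handlers[name] = handler
        self.consumed[name] = self.base + len(self.buffer)

    def feed(self, portion: bytes) -> None:
        """Append the next input portion and run every attached handler."""
        self.buffer += portion
        for name, handler in self.handlers.items():
            start = self.consumed[name] - self.base
            pending = bytes(self.buffer[start:])  # remainder + new portion
            used = handler(pending)
            if not 0 <= used <= len(pending):
                raise ValueError(f"handler {name} reported {used} of {len(pending)} bytes")
            self.consumed[name] += used
        # Release only what every handler has consumed.
        release = min(self.consumed.values()) - self.base
        del self.buffer[:release]
        self.base += release


class SignatureScanner:
    """Scans for a signature; keeps a len-1 overlap unconsumed so a signature
    split across two portions is still found, and never counted twice."""

    def __init__(self, signature: bytes) -> None:
        self.signature = signature
        self.position = 0          # absolute offset of the first pending byte
        self.hits: List[int] = []  # absolute offsets of matches

    def __call__(self, data: bytes) -> int:
        idx = data.find(self.signature)
        while idx != -1:
            self.hits.append(self.position + idx)
            idx = data.find(self.signature, idx + 1)
        keep = min(len(self.signature) - 1, len(data))
        used = len(data) - keep
        self.position += used
        return used


class LineHeaderParser:
    """Consumes only complete header lines; a partial line waits for the next portion."""

    def __init__(self) -> None:
        self.headers: List[str] = []

    def __call__(self, data: bytes) -> int:
        used = data.rfind(b"\n") + 1  # 0 when no complete line is available
        for line in data[:used].split(b"\n")[:-1]:
            self.headers.append(line.decode("ascii", "replace"))
        return used


# Constructed sample input: the signature straddles the portion boundary.
SAMPLE_PORTIONS = [
    b"Content-Type: application/octet-stream\nX-Tag: EVIL-PAY",
    b"LOAD here\nDone: yes\n",
]


def run_sample() -> dict:
    """Feed the sample portions through one buffer with two handlers."""
    buf = SharedStreamBuffer()
    scanner = SignatureScanner(SIGNATURE)
    parser = LineHeaderParser()
    buf.attach("scanner", scanner)
    buf.attach("headers", parser)
    for portion in SAMPLE_PORTIONS:
        buf.feed(portion)
    return {
        "hits": scanner.hits,            # [46]: match found across the boundary
        "headers": parser.headers,
        "retained": len(buf.buffer),     # 11 bytes the scanner still holds back
        "base": buf.base,                # 63: everything before it was released
    }


if __name__ == "__main__":
    print(run_sample())
```

After the first portion the scanner has consumed 43 bytes and the header parser 39, so only 39 are released; after the second portion the scanner's overlap makes it the slower consumer and the buffer keeps the 11 bytes it has not yet released. The same scheme extends to handlers that consume whole records or attachments only when their headers are complete.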
Specification