Remote security servers for protecting customer computers against computer security threats

US 8,132,258 B1
Filed: 06/12/2008
Issued: 03/06/2012
Est. Priority Date: 06/12/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of checking a file for computer viruses, the method comprising:

detecting reception of a file in a client computer;

generating a query input for the file;

in the client computer, determining if the query input has corresponding security information in a remotely located security server before the query input is transmitted from the client computer to the remotely located security server over a computer network;

after determining that the query input has corresponding security information in the remotely located security server, transmitting the query input from the client computer to the remotely located security server over the computer network; and

receiving security information in the client computer over the computer network, the security information indicating whether or not the file is infected with a computer virus.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client computer may be configured to perform computer security operations in conjunction with a remotely located security server. Upon detection of a computer security event, such as reception of a file, the client computer may generate a query input and determine if the query input has corresponding security information in the security server. When the query input has corresponding security information, the client computer may forward the query input to the security server. In response, the security server may retrieve the security information using the query input and provide the security information to the client computer. As a particular example, the security event may be reception of a file in the client computer and the security information may indicate whether or not the file is infected with a computer virus.

27 Citations

View as Search Results

19 Claims

1. A computer-implemented method of checking a file for computer viruses, the method comprising:
- detecting reception of a file in a client computer;
  
  generating a query input for the file;
  
  in the client computer, determining if the query input has corresponding security information in a remotely located security server before the query input is transmitted from the client computer to the remotely located security server over a computer network;
  
  after determining that the query input has corresponding security information in the remotely located security server, transmitting the query input from the client computer to the remotely located security server over the computer network; and
  
  receiving security information in the client computer over the computer network, the security information indicating whether or not the file is infected with a computer virus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein generating the query input for the file comprises:
    - generating a hash of the file.
  - 3. The method of claim 1 wherein the file is deemed not infected with the computer virus when the query input has no corresponding security information in the remotely located security server.
  - 4. The method of claim 1 wherein the file is received in the client computer over the computer network.
  - 5. The method of claim 1 wherein the query input comprises a CRC (cyclic redundancy check) hash of the file.
  - 6. The method of claim 5 wherein the CRC hash is of a portion of the file likely to contain the computer virus.
  - 7. The method of claim 1 wherein the file is quarantined in the client computer when communication cannot be established with the remotely located security server.
  - 8. The method of claim 1 further comprising:
    - taking remedial action when the security information received in the client computer indicates that the file is infected with the computer virus.
  - 9. The method of claim 8 wherein the remedial action comprises quarantine of the file.

10. A client computer having memory and a processor configured to execute computer-readable program code in the memory, the memory comprising:
- a security manager comprising computer-readable program code for detecting malicious codes in the client computer; and
  
  a zero false negative filter comprising computer-readable program code for determining whether or not query inputs in a set of query inputs generated by the security manager in response to security events have corresponding security information in a remotely located security server, the zero false negative filter being configured to determine in the client computer whether or not any of the query inputs has corresponding security information in the remotely located security server before any of the query inputs is forwarded from the client computer to the security server over a computer network, to generate filtered query inputs comprising the set of query inputs minus query inputs with no corresponding security information in the remotely located security server, and to forward the filtered query inputs from the client computer to the remotely located security server over the computer network.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The client computer of claim 10 wherein the security events include receiving a file in the client computer and the filtered query inputs comprise hash of the file.
  - 12. The client computer of claim 10 wherein the zero false negative filter forwards the filtered query inputs to the remotely located security server over the Internet.
  - 13. The client computer of claim 10 wherein the zero false negative filter is generated from a security database comprising the security information.
  - 14. The client computer of claim 13 wherein the zero false negative filter is updateable by an update server configured to provide updates to the zero false negative filter for changes to the security database that changes the zero false negative filter.
  - 15. The client computer of claim 14 wherein the update server includes an update history of the security database and the zero false negative filter is not updated when the update history indicates that a change to the security database does not change the zero false negative filter.

16. A system for protecting computers against computer security threats, the system comprising:
- a client computer, the client computer being configured to generate a query input in response to a computer security event in the client computer, to determine if the query input has corresponding security information in a remotely located security server before the query input is forwarded to the security server, and to forward the query input to the security server over a computer network when the query input has the corresponding security information in the security server; and
  
  the security server configured to receive the query input, to use the query input to obtain the security information, and to provide the security information to the client computer, the security information indicating whether or not the security event poses a computer security threat.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16 wherein the client computer comprises a zero false negative filter generated from a security database comprising a set of security information pertaining to computer security threats, the zero false negative filter being configured to determine if the query input has corresponding information in the security server.
  - 18. The system of claim 16 further comprising:
    - an update server configured to provide updates to the zero false negative filter, the update server including an update history indicating if a change to the security database changed the zero false negative filter, the update server being configured to provide an update to the zero false negative filter for changes to the security database that changes the zero false negative filter.
  - 19. The system of claim 16 wherein the computer security event comprises receiving a file in the client computer and the security information indicates whether or not the file is infected with a computer virus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Wei, Shaohong, Jensen, Wayne Jens
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tabor, Amare F

Application Number

US12/137,870
Time in Patent Office

1,363 Days
Field of Search

726 22- 25, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/567 using dedicated hardware

H04L 63/1416 Event detection, e.g. attac...

Remote security servers for protecting customer computers against computer security threats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Remote security servers for protecting customer computers against computer security threats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links