Scanning computer data for malicious codes using a remote server computer

US 8,230,510 B1
Filed: 10/02/2008
Issued: 07/24/2012
Est. Priority Date: 10/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method of scanning computer data for malicious codes, the method comprising:

calculating first hash values of a plurality of files stored in a storage device of a client computer, each of the first hash values being a hash value of less than an entirety of a corresponding file in the plurality of files;

forwarding the first hash values to a remotely located server computer over a computer network coupling the client computer and the server computer;

comparing the first hash values of the plurality of files to first hash values of a plurality of malicious code patterns, a malicious code pattern in the plurality of malicious code patterns comprising a first hash value and a second hash value;

detecting that the first hash value of the malicious code pattern matches a first hash value of a suspect file in the plurality of files, the first hash value of the suspect file being calculated from less than an entirety of the suspect file;

in response to detecting that the first hash value of the malicious code pattern matches the first hash value of the suspect file, forwarding the second hash value of the malicious code pattern from the server computer to the client computer;

forwarding a size of the second hash value of the malicious code pattern from the server computer to the client computer;

calculating a second hash value of the suspect file in the client computer; and

in the client computer, determining whether the suspect file is infected with malicious code by comparing the second hash value of the suspect file with the second hash value of the malicious code pattern received from the server computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Scanning of files for malicious codes may be performed by calculating a first hash value of a file in a client computer and providing the first hash value of the file to a remotely located server computer. The server computer may compare the first hash value of the file to first hash values of malicious code patterns to determine if the file is possibly infected with malicious code. A malicious code pattern having a first hash value that matches that of the file may be forwarded from the server computer to the client computer. In the client computer, a second hash value of the file may be calculated and compared against a second hash value of the malicious code pattern to determine if the file is infected with the malicious code.

89 Citations

View as Search Results

17 Claims

1. A method of scanning computer data for malicious codes, the method comprising:
- calculating first hash values of a plurality of files stored in a storage device of a client computer, each of the first hash values being a hash value of less than an entirety of a corresponding file in the plurality of files;
  
  forwarding the first hash values to a remotely located server computer over a computer network coupling the client computer and the server computer;
  
  comparing the first hash values of the plurality of files to first hash values of a plurality of malicious code patterns, a malicious code pattern in the plurality of malicious code patterns comprising a first hash value and a second hash value;
  
  detecting that the first hash value of the malicious code pattern matches a first hash value of a suspect file in the plurality of files, the first hash value of the suspect file being calculated from less than an entirety of the suspect file;
  
  in response to detecting that the first hash value of the malicious code pattern matches the first hash value of the suspect file, forwarding the second hash value of the malicious code pattern from the server computer to the client computer;
  
  forwarding a size of the second hash value of the malicious code pattern from the server computer to the client computer;
  
  calculating a second hash value of the suspect file in the client computer; and
  
  in the client computer, determining whether the suspect file is infected with malicious code by comparing the second hash value of the suspect file with the second hash value of the malicious code pattern received from the server computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the first hash values of the plurality of files and the first hash values of the malicious code patterns comprise cyclic redundancy check (CRC) values.
  - 3. The method of claim 1 wherein the malicious code patterns comprise patterns of computer viruses.
  - 4. The method of claim 1 wherein the server computer maintains tables of first hash values of files of a plurality of client computers registered to perform remote malicious code scanning with the server computer.
  - 5. The method of claim 1 wherein the client computer calculates the second hash value of the suspect file based on the size of the second hash value of the malicious code pattern.
  - 6. The method of claim 1 wherein the client computer locates the suspect file by consulting a table comprising the first hash value of the suspect file and a file path of the suspect file.

7. A system for scanning computer data for malicious code, the system comprising:
- a client computer configured to calculate a first hash value representing a first portion of a file stored in a storage device of the client computer, to transmit the first hash value of the first portion of the file over a computer network, to receive a second hash value of a second portion of a malicious code pattern from a server computer over a computer network when the file is possibly infected with malicious code, to calculate a second hash value of a second portion of the file, and to compare the second hash value of the second portion of the file against the second hash value of the second portion of the malicious code pattern to determine whether the file is infected with the malicious code, the malicious code pattern comprising the first hash value of the first portion of the malicious code pattern and the second hash value of the second portion of the malicious code pattern, wherein the client computer is configured to receive a size of the second hash value of the second portion of the malicious code pattern and use the size of the second hash value of the second portion of the malicious code pattern to calculate the second hash value of the second portion of the file; and
  
  the server computer configured to receive the first hash value of the first portion of the file, to determine whether the file is possibly infected with the malicious code based on the first hash value of the first portion of the file, and to provide the second hash value of the second portion of the malicious code pattern and a size of the second hash value of the second portion of the malicious code pattern to the client computer when the file is possibly infected with the malicious code based on the first hash value of the first portion of the file.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7 wherein the first hash value of the first portion of the file and the first hash value of the first portion of the malicious code pattern comprise cyclic redundancy check (CRC) values.
  - 9. The system of claim 7 wherein the server computer is configured to maintain a database containing first hash values of files of a plurality of client computers.
  - 10. The system of claim 9 wherein the server computer is configured to check the database for possible infected files in the plurality of client computers whenever the server computer receives an updated pattern file containing malicious code patterns.
  - 11. The system of claim 9 wherein the first hash values of the files in the database all have the same fixed size.
  - 12. The system of claim 7 wherein the server computer is configured to determine whether the file is possibly infected with the malicious code by comparing the first hash value of the first portion of the file with the first hash value of the first portion of the malicious code pattern.
  - 13. The system of claim 7 wherein the client computer is one of a plurality of client computers registered to perform malicious code scanning of files with the server computer.

14. A method of scanning computer data for malicious code, the method comprising:
- locating a file stored in a storage device of a client computer, the file comprising a first portion and a second portion;
  
  forwarding a first hash value indicative of the first portion of the file from the client computer to a server computer over a computer network;
  
  comparing the first hash value indicative of the first portion of the file against a malicious code pattern in the server computer to determine whether the file is possibly infected with malicious code, the malicious code pattern comprising a first hash value and a second hash value;
  
  forwarding at least the second hash value of the malicious code pattern from the server computer to the client computer;
  
  forwarding a size of the second hash value of the malicious code pattern from the server computer to the client computer; and
  
  in the client computer, determining whether the file is infected with malicious code by comparing the second hash value of the malicious code pattern received from the server computer to a second hash value indicative of the second portion of the file.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 wherein the first hash value of the malicious code pattern comprises a cyclic redundancy check (CRC).
  - 16. The method of claim 14 wherein the malicious code comprises a computer virus.
  - 17. The method of claim 14 wherein determining whether the file is infected with the malicious code comprises:
    - calculating the second hash value indicative of the second portion of the file; and
      
      comparing the second hash value indicative of the second portion of the file against the second hash value of the malicious code pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Yang, Shun-Fa, Cheng, Hung-Hao, Siao, Yi-Song, Kuo, Shih-Chien, Huang, Jia-Sin
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Shirazi, Sayed Beheshti

Application Number

US12/244,584
Time in Patent Office

1,391 Days
Field of Search

726 22- 25, 713/188, 709/232
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

Scanning computer data for malicious codes using a remote server computer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Scanning computer data for malicious codes using a remote server computer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links