Scanning computer data for malicious codes using a remote server computer
First Claim
1. A method of scanning computer data for malicious codes, the method comprising:
calculating first hash values of a plurality of files stored in a storage device of a client computer, each of the first hash values being a hash value of less than an entirety of a corresponding file in the plurality of files;
forwarding the first hash values to a remotely located server computer over a computer network coupling the client computer and the server computer;
comparing the first hash values of the plurality of files to first hash values of a plurality of malicious code patterns, a malicious code pattern in the plurality of malicious code patterns comprising a first hash value and a second hash value;
detecting that the first hash value of the malicious code pattern matches a first hash value of a suspect file in the plurality of files, the first hash value of the suspect file being calculated from less than an entirety of the suspect file;
in response to detecting that the first hash value of the malicious code pattern matches the first hash value of the suspect file, forwarding the second hash value of the malicious code pattern from the server computer to the client computer;
forwarding a size of the second hash value of the malicious code pattern from the server computer to the client computer;
calculating a second hash value of the suspect file in the client computer; and
in the client computer, determining whether the suspect file is infected with malicious code by comparing the second hash value of the suspect file with the second hash value of the malicious code pattern received from the server computer.
Abstract
Scanning of files for malicious codes may be performed by calculating a first hash value of a file in a client computer and providing the first hash value of the file to a remotely located server computer. The server computer may compare the first hash value of the file to first hash values of malicious code patterns to determine if the file is possibly infected with malicious code. A malicious code pattern having a first hash value that matches that of the file may be forwarded from the server computer to the client computer. In the client computer, a second hash value of the file may be calculated and compared against a second hash value of the malicious code pattern to determine if the file is infected with the malicious code.
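The two-stage exchange described in the abstract, as an added example that is not taken from the patent or any product. CRC32 and SHA-256, the 64-byte first portion, and reading the forwarded size as the number of leading file bytes covered by the second hash are assumptions; the pattern name and all sample data are constructed.

```python
import hashlib
import zlib

FIRST_PORTION = 64  # assumption: bytes covered by the first hash

def first_hash(data: bytes) -> int:
    # Cheap hash over less than the whole file (CRC32 is an assumption).
    return zlib.crc32(data[:FIRST_PORTION])

def second_hash(data: bytes, size: int) -> str:
    # Stronger hash over the leading `size` bytes named by the server.
    return hashlib.sha256(data[:size]).hexdigest()

class Server:
    """Pattern store: first hash -> [(second hash, size, pattern name)]."""
    def __init__(self, samples):
        self.patterns = {}
        for name, body in samples.items():
            entry = (second_hash(body, len(body)), len(body), name)
            self.patterns.setdefault(first_hash(body), []).append(entry)

    def lookup(self, first_hashes):
        # Only first hashes that match a pattern get a reply.
        return {h: self.patterns[h] for h in first_hashes if h in self.patterns}

def scan(files, server):
    """Client: forward first hashes, then confirm each suspect locally."""
    by_hash = {}
    for path, data in files.items():
        by_hash.setdefault(first_hash(data), []).append(path)
    verdicts = dict.fromkeys(files)  # None means not infected
    for h, candidates in server.lookup(list(by_hash)).items():
        for path in by_hash[h]:
            for digest, size, name in candidates:
                data = files[path]
                # A file shorter than `size` cannot carry the pattern.
                if len(data) >= size and second_hash(data, size) == digest:
                    verdicts[path] = name
    return verdicts

# Constructed sample data: one pattern, three client files.
PATTERN = b"CONSTRUCTED-PATTERN-" * 8
SERVER = Server({"Constructed.Test.A": PATTERN})
FILES = {
    "clean.bin": b"plain document text " * 10,
    "infected.bin": PATTERN + b"appended host data",
    "lookalike.bin": PATTERN[:64] + b"benign remainder " * 10,
}
```

Calling `scan(FILES, SERVER)` flags only `infected.bin`: `lookalike.bin` shares the first hash and is therefore "possibly infected", but the second hash computed on the client clears it.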
17 Claims
7. A system for scanning computer data for malicious code, the system comprising:
a client computer configured to calculate a first hash value representing a first portion of a file stored in a storage device of the client computer, to transmit the first hash value of the first portion of the file over a computer network, to receive a second hash value of a second portion of a malicious code pattern from a server computer over a computer network when the file is possibly infected with malicious code, to calculate a second hash value of a second portion of the file, and to compare the second hash value of the second portion of the file against the second hash value of the second portion of the malicious code pattern to determine whether the file is infected with the malicious code, the malicious code pattern comprising the first hash value of the first portion of the malicious code pattern and the second hash value of the second portion of the malicious code pattern, wherein the client computer is configured to receive a size of the second hash value of the second portion of the malicious code pattern and use the size of the second hash value of the second portion of the malicious code pattern to calculate the second hash value of the second portion of the file; and
the server computer configured to receive the first hash value of the first portion of the file, to determine whether the file is possibly infected with the malicious code based on the first hash value of the first portion of the file, and to provide the second hash value of the second portion of the malicious code pattern and a size of the second hash value of the second portion of the malicious code pattern to the client computer when the file is possibly infected with the malicious code based on the first hash value of the first portion of the file.
14. A method of scanning computer data for malicious code, the method comprising:
locating a file stored in a storage device of a client computer, the file comprising a first portion and a second portion;
forwarding a first hash value indicative of the first portion of the file from the client computer to a server computer over a computer network;
comparing the first hash value indicative of the first portion of the file against a malicious code pattern in the server computer to determine whether the file is possibly infected with malicious code, the malicious code pattern comprising a first hash value and a second hash value;
forwarding at least the second hash value of the malicious code pattern from the server computer to the client computer;
forwarding a size of the second hash value of the malicious code pattern from the server computer to the client computer; and
in the client computer, determining whether the file is infected with malicious code by comparing the second hash value of the malicious code pattern received from the server computer to a second hash value indicative of the second portion of the file.
Specification