Detection of undesired computer files in archives

US 8,327,447 B2
Filed: 12/06/2011
Issued: 12/04/2012
Est. Priority Date: 12/12/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving an electronic mail (email) message having attached thereto a self-extracting archive file, the self-extracting archive file including a header portion that is unencrypted and uncompressed and a file data portion containing contents of one or more files in compressed form; and

prior to delivery of the email message to an intended recipient, determining whether any of the one or more files may be malicious or undesired files by causing the self-extracting archive file to be processed by an anti-virus detection module executing on a computer system, includingdetermining a type of archive file and associated structure of the self-extracting archive file by examining one or more identification bytes stored within the header portion that identify the type of archive file;

based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header portion describing characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in the compressed form; and

identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file.

41 Citations

View as Search Results

22 Claims

1. A computer-implemented method comprising:
- receiving an electronic mail (email) message having attached thereto a self-extracting archive file, the self-extracting archive file including a header portion that is unencrypted and uncompressed and a file data portion containing contents of one or more files in compressed form; and
  
  prior to delivery of the email message to an intended recipient, determining whether any of the one or more files may be malicious or undesired files by causing the self-extracting archive file to be processed by an anti-virus detection module executing on a computer system, includingdetermining a type of archive file and associated structure of the self-extracting archive file by examining one or more identification bytes stored within the header portion that identify the type of archive file;
  
  based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header portion describing characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in the compressed form; and
  
  identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the one or more identification bytes comprise four bytes represented in hexadecimal form as follows:
    - 50 4B 03 04.
  - 3. The method of claim 1, wherein the computer system comprises a network gateway and wherein the method further comprises the anti-virus detection module processing the self-extracting archive file responsive to a proxy running on the network gateway.
  - 4. The method of claim 1, wherein the computer system comprises a network gateway logically interposed between an email client and an email server and wherein the method further comprises:
    - opening, by the network gateway, a direct connection between the email client and the email server; and
      
      filtering, by the network gateway, email messages including the email message in real-time as they pass through the direct connection.
  - 5. The method of claim 1, further comprising blocking delivery of the self-extracting archive file to the intended recipient.
  - 6. The method of claim 1, further comprising removing the potentially malicious or undesired file from the self-extracting archive file.
  - 7. The method of claim 1, wherein the self-extracting archive file is held in a memory buffer of the computer system during at least a portion of the anti-virus detection module processing.
  - 8. The method of claim 1, wherein the self-extracting archive file comprises an executable installer file.
  - 9. The method of claim 1, wherein the self-extracting archive file comprises an installation archive.
  - 10. The method of claim 1, wherein the one or more files are encrypted or password-protected.
  - 11. The method of claim 1, wherein the type of archive file comprises one of WinZip, ZIP, RAR, WinRAR, 7-Zip, KGB Archiver and Stuffit.

12. A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a computer system, cause the one or more processors to perform content filtering, the method comprising:
- receiving an electronic mail (email) message having attached thereto a self-extracting archive file, the self-extracting archive file including a header portion that is unencrypted and uncompressed and a file data portion containing contents of one or more files in compressed form; and
  
  prior to delivery of the email message to an intended recipient, determining whether any of the one or more files may be malicious or undesired files by causing the self-extracting archive file to be processed by an anti-virus detection module executing on a processor of the one or more processors, includingdetermining a type of archive file and associated structure of the self-extracting archive file by examining one or more identification bytes stored within the header portion that identify the type of archive file;
  
  based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header portion describing characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in the compressed form; and
  
  identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer-readable storage medium of claim 12, wherein the one or more identification bytes comprise four bytes represented in hexadecimal form as follows:
    - 50 4B 03 04.
  - 14. The computer-readable storage medium of claim 12, wherein the computer system comprises a network gateway and wherein the method further comprises the anti-virus detection module processing the self-extracting archive file responsive to a proxy running on the network gateway.
  - 15. The computer-readable storage medium of claim 12, wherein the computer system comprises a network gateway logically interposed between an email client and an email server and wherein the method further comprises:
    - opening, by the network gateway, a direct connection between the email client and the email server; and
      
      filtering, by the network gateway, email messages including the email message in real-time as they pass through the direct connection.
  - 16. The computer-readable storage medium of claim 12, wherein the method further comprises blocking delivery of the self-extracting archive file to the intended recipient.
  - 17. The computer-readable storage medium of claim 12, wherein the method further comprises removing the potentially malicious or undesired file from the self-extracting archive file.
  - 18. The computer-readable storage medium of claim 12, wherein the self-extracting archive file is held in a memory buffer of the computer system during at least a portion of the anti-virus detection module processing.
  - 19. The computer-readable storage medium of claim 12, wherein the self-extracting archive file comprises an executable installer file.
  - 20. The computer-readable storage medium of claim 12, wherein the self-extracting archive file comprises an installation archive.
  - 21. The computer-readable storage medium of claim 12, wherein the one or more files are encrypted or password-protected.
  - 22. The computer-readable storage medium of claim 12, wherein the type of archive file comprises one of WinZip, ZIP, RAR, WinRAR, 7-Zip, KGB Archiver and Stuffit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fossen, Steven Michael, MacDonald, Alexander Douglas
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US13/312,966
Publication Number

US 20120090031A1
Time in Patent Office

364 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/564   by virus signature recognition

G06F 2221/2107   File encryption

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Detection of undesired computer files in archives

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of undesired computer files in archives

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links