Detecting malware carried by an E-mail message

US 8,510,839 B2
Filed: 03/28/2011
Issued: 08/13/2013
Est. Priority Date: 05/10/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method, comprising:

receiving an e-mail message at a computer;

evaluating characteristics of the e-mail message based on a set of filtering rules that are distinct from virus definition data, wherein the set of filtering rules are to be accessed by a malware scanner configured for scanning e-mail traffic propagating in a network environment, wherein the evaluating of the characteristics is performed without identifying offending virus code within a file in the e-mail message;

using the characteristics to determine that the e-mail message includes malware for which there is no current virus definition data, wherein the set of filtering rules have an associated priority level indicative of a security threat posed by certain types of malware, and wherein an identification of certain malware instances in outbound e-mail messages of a particular network results in a high priority designation for the particular network to receive updated virus definition data;

rescinding a particular one of the filtering rules, which was temporary, based, at least in part, on new virus definition data becoming available;

determining whether a threshold number of trigger levels of a particular one of the filtering rules has been exceeded; and

generating a detection activity report based on the threshold number of trigger levels.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anti-virus system provider distributes an e-mail identifying content filtering rule seeking to identify e-mail messages suspected of containing an item of malware from a central source (20) to users (2). This distribution may be by an e-mail message itself which is appropriately signed and encrypted. At the user system (2), the received e-mail identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware which is distributed by e-mail may be identified by characteristics of its carrier e-mail rather than characteristics of the malware itself which not yet have been properly analyzed or the mechanisms for detecting such characteristics of the malware itself not yet put in place.

66 Citations

View as Search Results

17 Claims

1. A method, comprising:
- receiving an e-mail message at a computer;
  
  evaluating characteristics of the e-mail message based on a set of filtering rules that are distinct from virus definition data, wherein the set of filtering rules are to be accessed by a malware scanner configured for scanning e-mail traffic propagating in a network environment, wherein the evaluating of the characteristics is performed without identifying offending virus code within a file in the e-mail message;
  
  using the characteristics to determine that the e-mail message includes malware for which there is no current virus definition data, wherein the set of filtering rules have an associated priority level indicative of a security threat posed by certain types of malware, and wherein an identification of certain malware instances in outbound e-mail messages of a particular network results in a high priority designation for the particular network to receive updated virus definition data;
  
  rescinding a particular one of the filtering rules, which was temporary, based, at least in part, on new virus definition data becoming available;
  
  determining whether a threshold number of trigger levels of a particular one of the filtering rules has been exceeded; and
  
  generating a detection activity report based on the threshold number of trigger levels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving a new e-mail that identifies a new rule that can be extracted and added to the set of filtering rules being used by the computer to detect malware.
  - 3. The method of claim 2, wherein the new e-mail message is authenticated and decrypted before being added to the set of filtering rules.
  - 4. The method of claim 1, further comprising:
    - receiving additional virus definition data associated with the malware; and
      
      switching off certain filtering rules after the additional virus definition data is incorporated into the set of filtering rules being used by the computer to detect the malware.
  - 5. The method of claim 1, wherein the characteristics include evaluating a header associated with the e-mail message in order to identify formatting errors indicative of the malware.
  - 6. The method of claim 1, further comprising:
    - receiving at least some of the set of filtering rules to be used in evaluating network traffic via a multicasting protocol.
  - 7. The method of claim 1, further comprising:
    - receiving at least some of the set of filtering rules to be used in evaluating network traffic via downloading from a secure remote server.
  - 8. The method of claim 1, wherein if a rule of the set of filtering rules is not triggered, then the e-mail message is evaluated using different filtering rules configured to search for particular words or images associated with malware.

9. An apparatus, comprising:
- a gateway computer coupled to an end user computer over a network connection, the gateway computer including a rule engine, the gateway computer being configured for;
  
  evaluating characteristics of the e-mail message based on a set of filtering rules that are distinct from virus definition data, wherein the set of filtering rules are to be accessed by a malware scanner configured for scanning e-mail traffic propagating in a network environment, wherein the evaluating of the characteristics is performed without identifying offending virus code within a file in the e-mail message;
  
  using the characteristics to determine that the e-mail message includes malware for which there is no current virus definition data, wherein the set of filtering rules have an associated priority level indicative of a security threat posed by certain types of malware, and wherein an identification of certain malware instances in outbound e-mail messages of a particular network results in a high priority designation for the particular network to receive updated virus definition data;
  
  rescinding a particular one of the filtering rules, which was temporary, based, at least in part, on new virus definition data becoming available;
  
  determining whether a threshold number of trigger levels of a particular one of the filtering rules has been exceeded; and
  
  generating a detection activity report based on the threshold number of trigger levels.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus of claim 9, wherein the characteristics include evaluating a header associated with the e-mail message in order to identify formatting errors indicative of the malware.
  - 11. The apparatus of claim 9, wherein if a rule of the set of filtering rules is not triggered, then the e-mail message is evaluated using different filtering rules configured to search for particular words or images associated with malware.
  - 12. The apparatus of claim 9, further comprising:
    - communicating additional virus definition data associated with the malware such that the end user computer switches off certain filtering rules of the set of filtering rules being used by the end user computer to detect the malware.

13. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving an e-mail message at a computer;
  
  evaluating characteristics of the e-mail message based on a set of filtering rules that are distinct from virus definition data, wherein the set of filtering rules are to be accessed by a malware scanner configured for scanning e-mail traffic propagating in a network environment, wherein the evaluating of the characteristics is performed without identifying offending virus code within a file in the e-mail message;
  
  using the characteristics to determine that the e-mail message includes malware for which there is no current virus definition data, wherein the set of filtering rules have an associated priority level indicative of a security threat posed by certain types of malware, and wherein an identification of certain malware instances in outbound e-mail messages of a particular network results in a high priority designation for the particular network to receive updated virus definition data;
  
  rescinding a particular one of the filtering rules, which was temporary, based, at least in part, on new virus definition data becoming available;
  
  determining whether a threshold number of trigger levels of a particular one of the filtering rules has been exceeded; and
  
  generating a detection activity report based on the threshold number of trigger levels.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The logic of claim 13, the operations further comprising:
    - receiving a new e-mail that identifies a new rule that can be extracted and added to the set of filtering rules being used by the computer to detect malware.
  - 15. The logic of claim 14, wherein the new e-mail message is authenticated and decrypted before being added to the set of filtering rules.
  - 16. The logic of claim 13, the operations further comprising:
    - receiving additional virus definition data associated with the malware; and
      
      switching off certain filtering rules after the additional virus definition data is incorporated into the set of filtering rules being used by the computer to detect the malware.
  - 17. The logic of claim 13, wherein the characteristics include evaluating a header associated with the e-mail message in order to identify formatting errors indicative of the malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Tarbotton, Lee Codel Lawson, Gudgion, Kevin Andrew
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/073,806
Publication Number

US 20110173677A1
Time in Patent Office

869 Days
Field of Search

726/11, 726 22- 24, 713/188
US Class Current

726/24
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

Detecting malware carried by an E-mail message

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malware carried by an E-mail message

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links