Resisting the spread of unwanted code and data

US 8,533,824 B2
Filed: 11/08/2007
Issued: 09/10/2013
Est. Priority Date: 12/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer system for processing an electronic file, the method comprising the steps, performed by the computer system, of:

identifying a portion of content data in the electronic file;

determining, by the computer system, if the identified portion of content data is passive content data having a fixed purpose or active content data having an associated function;

if the identified portion of content data is determined to be passive content data, then;

determining a file type or protocol of the portion of passive content data; and

determining whether the portion of passive content data is to be re-generated by determining if the passive content data conforms to a predetermined data format comprising a set of rules corresponding to the file type or protocol;

if the identified portion of content data is determined to be active content data, then analysing the portion of active content data to determine whether the portion of active content data is known good and therefore is to be re-generated; and

re-generating the portion of content data to create a re-generated electronic file, if the portion of content data is determined to be re-generated,wherein said step of analyzing a portion of active content data comprises;

(a) generating a hash for the portion of active content data, including normalizing the portion of active content data and generating a hash for the normalized portion of active content data;

(b) determining if the generated hash is present in a hash database of hashed normalized known good active content data; and

(c) determining that the portion of active content data is to be re-generated if it is determined in (b) that the generated hash is present in the hash database of normalized known known good active content data,wherein the method resists spread of unwanted code and data without scanning the electronic file for the unwanted code and data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of processing an electronic file by identifying portions of content data in the electronic file and determining if each portion of content data is passive content data having a fixed purpose or active content data having an associated function. If a portion is passive content data, then a determination is made as to whether the portion of passive content data is to be re-generated. If a portion is active content data, then the portion is analysed to determine whether the portion of active content data is to be re-generated. A re-generated electronic file is then created from the portions of content data which are determined to be re-generated.

295 Citations

16 Claims

1. A method performed by a computer system for processing an electronic file, the method comprising the steps, performed by the computer system, of:
- identifying a portion of content data in the electronic file;
  
  determining, by the computer system, if the identified portion of content data is passive content data having a fixed purpose or active content data having an associated function;
  
  if the identified portion of content data is determined to be passive content data, then;
  
  determining a file type or protocol of the portion of passive content data; and
  
  determining whether the portion of passive content data is to be re-generated by determining if the passive content data conforms to a predetermined data format comprising a set of rules corresponding to the file type or protocol;
  
  if the identified portion of content data is determined to be active content data, then analysing the portion of active content data to determine whether the portion of active content data is known good and therefore is to be re-generated; and
  
  re-generating the portion of content data to create a re-generated electronic file, if the portion of content data is determined to be re-generated,wherein said step of analyzing a portion of active content data comprises;
  
  (a) generating a hash for the portion of active content data, including normalizing the portion of active content data and generating a hash for the normalized portion of active content data;
  
  (b) determining if the generated hash is present in a hash database of hashed normalized known good active content data; and
  
  (c) determining that the portion of active content data is to be re-generated if it is determined in (b) that the generated hash is present in the hash database of normalized known known good active content data,wherein the method resists spread of unwanted code and data without scanning the electronic file for the unwanted code and data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method according to claim 1, wherein the electronic file comprises a plurality of portions of content data and wherein the method processes each of said plurality of portions of content data to determine whether or not each portion of active content data is to be re-generated and re-generates those portions of content data that are determined to be re-generated to create a re-generated electronic file.
  - 3. A method according to claim 2, further comprising the step of determining if a cleaning mode is enabled or disabled and wherein said step of re-generating portions of content data to create a re-generated electronic file is not performed if it is determined that at least one portion of passive content data is not to be re-generated and the cleaning mode is disabled.
  - 4. A method according to claim 3, wherein the electronic file is placed in quarantine if it is determined that at least one portion of passive content data is not to be re-generated and the cleaning mode is disabled.
  - 5. A method according to claim 1, wherein a portion of passive content data in the electronic file comprises a plurality of sub-portions of passive content data, wherein said each of said sub-portions is processed to determine if the sub-portions of passive content data conform to a predetermined data format, and wherein the portion of passive content data is determined to conform to a predetermined data format if all of said sub-portions are determined to conform to a predetermined data format.
  - 6. A method according to claim 5, wherein each of said plurality of sub-portions of passive content data have a different file type.
  - 7. A method according to claim 1, wherein said step of analysing a portion of active content data determines whether or not the portion of active content data is to be re-generated by processing the portion of active content data using a third party anti-virus application.
  - 8. A method according to claim 1, wherein said passive content data comprises text, image, audio or video content data.
  - 9. A method according to claim 1, wherein said active content data comprises a script, macro or executable code.
  - 10. A method according to claim 1, wherein if a purported predetermined data type of a portion of passive content data cannot be determined, then analysing that portion of passive content data as a portion of active content data.
  - 11. A method according to claim 1, further comprising a step of altering a portion of active content data in a predetermined and repeatable way and wherein said step of generating a hash generates a hash for the altered portion of active content data.
  - 12. A method according to claim 1, further comprising storing the electronic file in a scrambled format in memory.
  - 13. A method according to claim 12, wherein each byte of data is stored in a bit reversed order.
  - 14. A method according to claim 1, further comprising replacing a portion of content data that is determined to not be re-generated with warning text.
  - 15. A non-transitory computer readable medium comprising a computer program adapted to perform the method of claim 1 when the computer program is run on a computer.

16. An apparatus for processing an electronic file, said apparatus comprising:
- identifying means for identifying a portion of content data in the electronic file;
  
  content determining means for determining if the identified portion of content data is passive content data having a fixed purpose or active content data having an associated function;
  
  portion determining means for determining a file type or protocol of a portion of passive content data, and for determining whether the portion of passive content data is to be re-generated by determining if the passive content data conforms to a predetermined data format comprising a set of rules corresponding to the file type or protocol;
  
  analyzing means for analyzing a portion of active content data to determine whether a portion of active content data is known good and therefore is to be re-generated, if the identified portion of content data is determined to be active content data;
  
  re-generating means for re-generating the portion of content data to create a re-generated electronic file, if the portion of content data is determined to be re-generated;
  
  a hash database of hashed normalized known good active content data;
  
  active content normalizing means for normalizing the active content data;
  
  hash generating means for generating a hash for the portion of the normalized active content data; and
  
  hash determination means for determining if the generated hash is present in a hash database of normalized known good active content data; and
  
  wherein the analyzing means determines that the portion of active content data is to be re-generated if it is determined that the generated hash is present in the hash database of normalized known good active content data, andwherein the apparatus is arranged to resist spread of unwanted code and data without scanning the electronic file for the unwanted code and data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Glasswall (Ip) Limited
Original Assignee
Glasswall (Ip) Limited
Inventors
Hutton, Samuel Harrison, Goddard, Trevor
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
TRAN, PHUOC D

Application Number

US12/517,614
Publication Number

US 20100154063A1
Time in Patent Office

2,133 Days
Field of Search

709/206, 713/188, 726/24
US Class Current

726/22
CPC Class Codes

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 2221/03   Indexing scheme relating to...

G06Q 10/107   Computer-aided management o...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Resisting the spread of unwanted code and data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

295 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Resisting the spread of unwanted code and data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

295 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others