Network stream scanning facility

US 8,607,347 B2
Filed: 09/29/2008
Issued: 12/10/2013
Est. Priority Date: 09/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method of scanning data comprising:

receiving a request for network content at a scanning facility, the request received from a content requesting computing facility remote from the scanning facility, and the request including a source from which to retrieve the network content;

performing a source lookup for the request at the scanning facility, wherein the source lookup requests data concerning the source of the request from a networked source lookup database, and wherein the networked source lookup database responds with a characterization of the source;

retrieving the network content to the scanning facility;

calculating a checksum of the network content;

performing a checksum lookup on the checksum, wherein the checksum lookup is from a networked checksum lookup database that stores checksums for known malware content; and

when the network content is not identified as malware based upon the checksum lookup, taking an action to protect the content requesting computing facility from malware based on the characterization of the source from the networked source lookup database.

View all claims

9 Assignments

Timeline View

Assignment View

1 Petition

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for providing a scanning of data associated with a network computer facility. In the process, a request may be received for network content from a content requesting computing facility. A source lookup associated with the request for network content may be performed, where the source lookup may be from a networked source lookup database. The requested network content may then be retrieved, where the type of the content may be determined as a further aid in scanning the content. A checksum of at least a portion of the retrieved network content may then be calculated, and a checksum lookup associated with the portion of the retrieved network content be performed, where the checksum lookup may be from a networked checksum lookup database. Finally, an action may be taken based on at least one of the source lookup and checksum lookup, where the action is associated with protecting the content requesting computing facility from malware.

59 Citations

View as Search Results

25 Claims

1. A method of scanning data comprising:
- receiving a request for network content at a scanning facility, the request received from a content requesting computing facility remote from the scanning facility, and the request including a source from which to retrieve the network content;
  
  performing a source lookup for the request at the scanning facility, wherein the source lookup requests data concerning the source of the request from a networked source lookup database, and wherein the networked source lookup database responds with a characterization of the source;
  
  retrieving the network content to the scanning facility;
  
  calculating a checksum of the network content;
  
  performing a checksum lookup on the checksum, wherein the checksum lookup is from a networked checksum lookup database that stores checksums for known malware content; and
  
  when the network content is not identified as malware based upon the checksum lookup, taking an action to protect the content requesting computing facility from malware based on the characterization of the source from the networked source lookup database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the action is blocking the requested network content.
  - 3. The method of claim 1, wherein the action is sending the requested network content to the content requesting computing facility.
  - 4. The method of claim 1, wherein the action is providing further scanning of the received network content, wherein the further scanning depends on the characterization of the network content.
  - 5. The method of claim 1, wherein the action is determined by a policy.
  - 6. The method of claim 1, wherein the action is determined by a type of the requested network content.
  - 7. The method of claim 1, wherein the networked source lookup database includes a plurality of characterizations of a plurality of previously identified URLs.
  - 8. The method of claim 1, wherein the networked source lookup database includes a white list of URLs that are acceptable to access.
  - 9. The method of claim 1, wherein the networked source lookup database includes a black list of URLs that are unacceptable to access.
  - 10. The method of claim 1, wherein the result of the source lookup is used in subsequent scanning.
  - 11. The method of claim 1, further comprising updating the networked source database when a scan of the networked source lookup database with the source of the network content when a scan of the network content identifies malware.
  - 12. The method of claim 1, wherein the networked checksum lookup database includes checksums generated from the same length of data as the network content.

13. A system comprising:
- a network device with on-device malware analysis tools;
  
  a networked source lookup database storing a characterization of a number of URLs, the networked source lookup database configured to respond to a source URL with a corresponding characterization of the source URL;
  
  a networked checksum lookup database storing checksums for known malware content, the networked checksum lookup database configured to respond to a checksum with any malware known to be associated with the checksum; and
  
  a content requesting computing facility configured to request network content through the network device, wherein the network device is configured to protect the content requesting computing facility from malware by sequentially performing a first query of the networked source lookup database and a second query of the networked checksum lookup database, and further configured to conditionally take action according to a result of the first query and the second query.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 14. The system of claim 13, wherein the action is blocking the requested network content.
  - 15. The system of claim 13, wherein the action is sending the requested network content to the content requesting computing facility.
  - 16. The system of claim 13, wherein the action is providing further scanning of the received network content.
  - 17. The system of claim 13, wherein the action is determined by a policy.
  - 18. The system of claim 13, wherein the action is determined by the type of the requested network content.
  - 19. The system of claim 13, wherein the networked source lookup database includes a characterization of previously identified URLs.
  - 20. The system of claim 13, wherein the networked source lookup database includes a white list of URLs that are acceptable to access.
  - 21. The system of claim 13, wherein the networked source lookup database includes a black list of URLs that are unacceptable to access.
  - 22. The system of claim 13, wherein a result of the first query is used in subsequent scanning
  - 23. The system of claim 13, wherein the networked checksum lookup database includes checksums from prior network content identified to contain malware.
  - 24. The system of claim 13, wherein the networked checksum lookup database includes checksums generated from the same length of data as the network content.
  - 25. The system of claim 13, wherein the on-device malware analysis tools include a malware scanning facility.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Harris, Mark D., Thomas, Andrew J., Magdic, Mario, Lyne, James I. G.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US12/239,867
Publication Number

US 20100083380A1
Time in Patent Office

1,898 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/565   by checking file integrity

H04L 63/101   Access control lists [ACL]

H04L 63/123   received data contents, e.g...

Network stream scanning facility

First Claim

9 Assignments

1 Petition

Accused Products

Abstract

59 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Network stream scanning facility

First Claim

9 Assignments

Subscription Required

Subscription Required

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links