Detection of undesired computer files in archives

US 8,793,798 B2
Filed: 11/30/2012
Issued: 07/29/2014
Est. Priority Date: 12/12/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

determining, by an anti-virus detection module running on a computer system, a type and associated structure of an archive file, wherein the archive file includes (i) one or more identification bytes that identify the type of archive file in unencrypted and uncompressed form, (ii) header information in unencrypted and uncompressed form and (iii) a file data portion containing contents of one or more files in encrypted form, compressed form or both encrypted and compressed form and wherein said determining is performed based solely on one or more of the one or more identification bytes and the header information; and

based on the type of archive file and the associated structure, for each of the one or more files, extracting, by the anti-virus detection module, descriptive information from the header information that describes characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in compressed form; and

identifying, by the anti-virus detection module, a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for content filtering are provided. According to one embodiment, a type and structure of an archive file are determined. The archive file includes identification bytes that identify the type of archive file and header information both in unencrypted and uncompressed form and a file data portion containing contents of files in encrypted form, compressed form or both. The determination is based solely on the identification bytes and/or the header information. Based thereon, descriptive information, describing characteristics of the files, is extracted from the header information for each file. The descriptive information includes a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in compressed form. A file is identified as being potentially malicious or undesired when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.

53 Citations

24 Claims

1. A computer-implemented method comprising:
- determining, by an anti-virus detection module running on a computer system, a type and associated structure of an archive file, wherein the archive file includes (i) one or more identification bytes that identify the type of archive file in unencrypted and uncompressed form, (ii) header information in unencrypted and uncompressed form and (iii) a file data portion containing contents of one or more files in encrypted form, compressed form or both encrypted and compressed form and wherein said determining is performed based solely on one or more of the one or more identification bytes and the header information; and
  
  based on the type of archive file and the associated structure, for each of the one or more files, extracting, by the anti-virus detection module, descriptive information from the header information that describes characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in compressed form; and
  
  identifying, by the anti-virus detection module, a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the one or more identification bytes comprise four bytes represented in hexadecimal form as follows:
    - 50 4B 03 04.
  - 3. The method of claim 1, wherein the computer system comprises a network gateway and wherein the method further comprises the anti-virus detection module processing the archive file responsive to a request from proxy running on the network gateway.
  - 4. The method of claim 1, wherein the computer system comprises a network gateway logically interposed between an email client and an email server and wherein the method further comprises:
    - opening, by the network gateway, a direct connection between the email client and the email server; and
      
      filtering, by the network gateway, email messages, including an email message having attached thereto the archive file, in real-time as they pass through the direct connection.
  - 5. The method of claim 1, further comprising blocking delivery of the archive file to the intended recipient.
  - 6. The method of claim 1, further comprising removing the potentially malicious or undesired file from the archive file.
  - 7. The method of claim 1, wherein the archive file is held in a memory buffer of the computer system during at least a portion of the anti-virus detection module processing.
  - 8. The method of claim 1, wherein the archive file comprises a self-extracting archive file.
  - 9. The method of claim 8, wherein the self-extracting archive file comprises an executable installer file.
  - 10. The method of claim 8, wherein the self-extracting archive file comprises an installation archive.
  - 11. The method of claim 1, wherein the one or more files are password-protected.
  - 12. The method of claim 1, wherein the type of archive file comprises one of WinZip, ZIP, RAR, WinRAR, 7-Zip, KGB Archiver and StuffIt.

13. A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a computer system, cause the one or more processors to perform content filtering, the method comprising:
- determining a type and associated structure of an archive file, wherein the archive file includes (i) one or more identification bytes that identify the type of archive file in unencrypted and uncompressed form, (ii) header information in unencrypted and uncompressed form and (iii) a file data portion containing contents of one or more files in encrypted form, compressed form or both encrypted and compressed form and wherein said determining is performed based solely on one or more of the one or more identification bytes and the header information; and
  
  based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header information that describes characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in compressed form; and
  
  identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The computer-readable storage medium of claim 13, wherein the one or more identification bytes comprise four bytes represented in hexadecimal form as follows:
    - 50 4B 03 04.
  - 15. The computer-readable storage medium of claim 13, wherein the computer system comprises a network gateway and wherein the method further comprises the anti-virus detection module processing the archive file responsive to a request from proxy running on the network gateway.
  - 16. The computer-readable storage medium of claim 13, wherein the computer system comprises a network gateway logically interposed between an email client and an email server and wherein the method further comprises:
    - opening a direct connection between the email client and the email server; and
      
      filtering email messages, including an email message having attached thereto the archive file, in real-time as they pass through the direct connection.
  - 17. The computer-readable storage medium of claim 13, wherein the method further comprises blocking delivery of the archive file to the intended recipient.
  - 18. The computer-readable storage medium of claim 13, wherein the method further comprises removing the potentially malicious or undesired file from the archive file.
  - 19. The computer-readable storage medium of claim 13, wherein the archive file is held in a memory buffer of the computer system during at least a portion of the anti-virus detection module processing.
  - 20. The computer-readable storage medium of claim 13, wherein the archive file comprises a self-extracting archive file.
  - 21. The computer-readable storage medium of claim 20, wherein the self-extracting archive file comprises an executable installer file.
  - 22. The computer-readable storage medium of claim 20, wherein the self-extracting archive file comprises an installation archive.
  - 23. The computer-readable storage medium of claim 13, wherein the one or more files are password-protected.
  - 24. The computer-readable storage medium of claim 13, wherein the type of archive file comprises one of WinZip, ZIP, RAR, WinRAR, 7-Zip, KGB Archiver and StuffIt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fossen, Steven Michael, MacDonald, Alexander Douglas
Primary Examiner(s)
Desrosiers, Evans

Application Number

US13/690,588
Publication Number

US 20130104235A1
Time in Patent Office

606 Days
Field of Search

713187-188, 713193-194, 726 22- 25
US Class Current

726/24
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/564   by virus signature recognition

G06F 2221/2107   File encryption

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Detection of undesired computer files in archives

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of undesired computer files in archives

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links