Detection of undesired computer files in archives
First Claim
1. A computer-implemented method comprising:
- determining, by an anti-virus detection module running on a computer system, a type and associated structure of an archive file, wherein the archive file includes (i) one or more identification bytes that identify the type of archive file in unencrypted and uncompressed form, (ii) header information in unencrypted and uncompressed form and (iii) a file data portion containing contents of one or more files in encrypted form, compressed form or both encrypted and compressed form and wherein said determining is performed based solely on one or more of the one or more identification bytes and the header information; and
based on the type of archive file and the associated structure, for each of the one or more files, extracting, by the anti-virus detection module, descriptive information from the header information that describes characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in compressed form; and
identifying, by the anti-virus detection module, a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.
0 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for content filtering are provided. According to one embodiment, a type and structure of an archive file are determined. The archive file includes identification bytes that identify the type of archive file and header information both in unencrypted and uncompressed form and a file data portion containing contents of files in encrypted form, compressed form or both. The determination is based solely on the identification bytes and/or the header information. Based thereon, descriptive information, describing characteristics of the files, is extracted from the header information for each file. The descriptive information includes a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in compressed form. A file is identified as being potentially malicious or undesired when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.
53 Citations
24 Claims
-
1. A computer-implemented method comprising:
-
determining, by an anti-virus detection module running on a computer system, a type and associated structure of an archive file, wherein the archive file includes (i) one or more identification bytes that identify the type of archive file in unencrypted and uncompressed form, (ii) header information in unencrypted and uncompressed form and (iii) a file data portion containing contents of one or more files in encrypted form, compressed form or both encrypted and compressed form and wherein said determining is performed based solely on one or more of the one or more identification bytes and the header information; and based on the type of archive file and the associated structure, for each of the one or more files, extracting, by the anti-virus detection module, descriptive information from the header information that describes characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in compressed form; and identifying, by the anti-virus detection module, a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a computer system, cause the one or more processors to perform content filtering, the method comprising:
-
determining a type and associated structure of an archive file, wherein the archive file includes (i) one or more identification bytes that identify the type of archive file in unencrypted and uncompressed form, (ii) header information in unencrypted and uncompressed form and (iii) a file data portion containing contents of one or more files in encrypted form, compressed form or both encrypted and compressed form and wherein said determining is performed based solely on one or more of the one or more identification bytes and the header information; and based on the type of archive file and the associated structure, for each of the one or more files, extracting descriptive information from the header information that describes characteristics of the one or more files, including one or more of a checksum of the file in uncompressed form, a size of the file in uncompressed form and a size of the file in compressed form; and identifying a file of the one or more files as a potentially malicious or undesired file when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
Specification