Detection of undesired computer files using digital certificates
First Claim
1. A computer-implemented method comprising:
identifying, by an antivirus detection module running on a computer system, a type and structure of a computer file;
determining, by the antivirus detection module, whether there exists a certificate chain associated with the computer file; and
if the certificate chain is determined to exist, then:
evaluating, by the antivirus detection module, the certificate chain by locating and extracting a targeted subset of information from the certificate chain based on the identified type and the identified structure of the computer file and causing the extracted information to be analyzed by generating a digital signature for the computer file based on the extracted information and comparing the digital signature with a set of digital signatures having a known desirable or undesirable status, wherein said locating and extracting the targeted subset of information from the certificate chain comprises extracting specific identification information from an end entity certificate of the certificate chain and wherein the extracted information includes all or part of one or more of:
a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information;
classifying, by the antivirus detection module, the computer file into a category of a plurality of categories based on said evaluating;
handling, by the antivirus detection module, the computer file in accordance with a policy associated with the category;
wherein the category is indicative of the computer file being an undesired file or a file suspected of being an undesired file; and
wherein the associated policy quarantines or otherwise attempts to prevent the computer file from being opened by an end user.
Abstract
Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a determination is made regarding whether there exists a certificate chain associated with a computer file. If the certificate chain is determined to exist, then the certificate chain is evaluated by extracting information from the certificate chain and analyzing the extracted information. The computer file is then classified into one of multiple categories based on the evaluation. Finally, the computer file is handled in accordance with a policy associated with the category to which it was assigned. For example, a confirmed or suspected undesired file may be quarantined and/or an end user or an administrator may be notified regarding the confirmed or suspected undesired file.
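As an added example (not code from the patent or from any product it describes), the following Python sketches the claimed pipeline over an already-decoded end-entity certificate: the chain is located according to the identified file type, the targeted fields are canonicalised and hashed into a comparable signature, that hash is matched against known-desirable and known-undesirable sets, and the file is classified and handled by policy. The certificate dict, the file-type-to-chain map, the expiry/code-signing heuristic and the policy table are all constructed assumptions; real X.509 and container parsing is left out.

```python
import hashlib
from datetime import datetime, timezone

# Fields the claim names as the targeted subset of the end-entity certificate.
TARGETED_FIELDS = ("serial_number", "issuer", "not_before", "not_after",
                   "subject", "subject_alt_names", "key_usage")
# Assumed map from identified file type to where its chain is found (a real
# module would parse the PE security directory or JAR META-INF block here).
CHAIN_LOCATION = {"pe": "authenticode_chain", "jar": "jar_signature_chain"}
# Policy per category, as claimed: confirmed or suspected files are quarantined.
POLICY = {"undesired": "quarantine", "suspected": "quarantine_and_notify",
          "desirable": "allow", "unknown": "allow", "unsigned": "allow"}

# Constructed sample: a pre-decoded end-entity certificate and a PE carrying it.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LEAF = {"serial_number": "0a1b2c", "issuer": "CN=Example Code Signing CA",
               "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc),
               "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
               "subject": "CN=Example Publisher", "subject_alt_names": (),
               "key_usage": ("digitalSignature", "codeSigning")}
SAMPLE_PE = {"type": "pe", "authenticode_chain": [SAMPLE_LEAF]}


def locate_chain(file_info):
    """Return the chain (leaf first) for the identified file type, or None."""
    key = CHAIN_LOCATION.get(file_info["type"])
    return file_info.get(key) if key else None


def signature_for(cert):
    """Canonicalise the targeted subset and hash it into the comparable 'signature'."""
    canonical = "|".join(f"{k}={cert.get(k)!r}" for k in sorted(TARGETED_FIELDS))
    return hashlib.sha256(canonical.encode()).hexdigest()


def classify(file_info, known_bad, known_good, now=NOW):
    """Evaluate the chain and place the file in one category."""
    chain = locate_chain(file_info)
    if not chain:
        return "unsigned"
    leaf = chain[0]
    sig = signature_for(leaf)
    if sig in known_bad:
        return "undesired"
    if sig in known_good:
        return "desirable"
    # Assumed heuristic (not from the patent): expired or non-code-signing leaf.
    if now > leaf["not_after"] or "codeSigning" not in leaf.get("key_usage", ()):
        return "suspected"
    return "unknown"


def handle(file_info, known_bad, known_good, now=NOW):
    category = classify(file_info, known_bad, known_good, now)
    return category, POLICY[category]  # (category, action taken under policy)
```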
20 Claims
10. A computer-implemented method of detecting undesired computer files comprising:
storing, by an antivirus detection module running on a computer system, a file at issue in a memory buffer, wherein the memory buffer represents a location in which the file at issue is held temporarily while the file at issue is in transit across a network, wherein the memory buffer allows access to the file at issue, and wherein the memory buffer comprises a non-transitory storage medium other than a main memory hierarchy of the computer system;
identifying, by the antivirus detection module, a type and structure of a file at issue;
determining whether there is a certificate chain associated with the file at issue;
locating, by the antivirus detection module, the associated certificate chain;
extracting, by the antivirus detection module, specific identification information from the associated certificate chain based on the identified type and the identified structure of the file, wherein the specific identification information comprises all or part of one or more of a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information from an end entity certificate of the associated certificate chain;
determining, by the antivirus detection module, if the file at issue is undesired or suspected of being undesired by generating a digital signature for the file at issue based on the extracted information and comparing the digital signature with a set of digital signatures having a known desirable or undesirable status; and
if the file at issue is found to be undesired or suspected of being undesired, causing a computer user of the computer system or an administrator of the network to be advised regarding the determination or causing other related information to be communicated to the computer user or the administrator about the file at issue.
19. A non-transitory computer-readable storage medium embodying a set of instructions representing an antivirus detection module, which when executed by one or more processors of one or more computer systems, cause the one or more processors to perform a method comprising:
identifying a type and structure of a computer file;
determining whether there exists a certificate chain associated with the computer file; and
if the certificate chain is determined to exist, then:
evaluating the certificate chain by locating and extracting a targeted subset of information from the certificate chain based on the identified type and the identified structure of the computer file and causing the extracted information to be analyzed by generating a digital signature for the computer file based on the extracted information and comparing the digital signature with a set of digital signatures having a known desirable or undesirable status, wherein said locating and extracting the targeted subset of information from the certificate chain comprises extracting specific identification information from an end entity certificate of the certificate chain and wherein the extracted information includes all or part of one or more of:
a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information;
classifying the computer file into a category of a plurality of categories based on said evaluating;
handling the computer file in accordance with a policy associated with the category;
wherein the category is indicative of the computer file being an undesired file or a file suspected of being an undesired file; and
wherein the associated policy quarantines or otherwise attempts to prevent the computer file from being opened by an end user.