Detection of undesired computer files using digital certificates

US 9,917,844 B2
Filed: 12/17/2007
Issued: 03/13/2018
Est. Priority Date: 12/17/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

identifying, by an antivirus detection module running on a computer system, a type and structure of a computer file;

determining, by the antivirus detection module, whether there exists a certificate chain associated with the computer file; and

if the certificate chain is determined to exist then;

evaluating, by the antivirus detection module, the certificate chain by locating and extracting a targeted subset of information from the certificate chain based on the identified type and the identified structure of the computer file and causing the extracted information to be analyzed by generating a digital signature for the computer file based on the extracted information and comparing the digital signature with a set of digital signatures having a known desirable or undesirable status, wherein said locating and extracting the targeted subset of information from the certificate chain comprises extracting specific identification information from an end entity certificate of the certificate chain and wherein the extracted information includes all or part of one or more of;

a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information;

classifying, by the antivirus detection module, the computer file into a category of a plurality of categories based on said evaluating;

handling, by the antivirus detection module, the computer file in accordance with a policy associated with the category;

wherein the category is indicative of the computer file being an undesired file or a file suspected of being an undesired file; and

wherein the associated policy quarantines or otherwise attempts to prevent the computer file from being opened by an end user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a determination is made regarding whether there exists a certificate chain associated with a computer file. If the certificate chain is determined to exist, then the certificate chain is evaluated by extracting information from the certificate chain and analyzing the extracted information. The computer file is then classified into one of multiple categories based on the evaluation. Finally, the computer file is handled in accordance with a policy associated with the category to which it was assigned. For example, a confirmed or suspected undesired file may be quarantined and/or an end user or an administrator may be notified regarding the confirmed or suspected undesired file.

30 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- identifying, by an antivirus detection module running on a computer system, a type and structure of a computer file;
  
  determining, by the antivirus detection module, whether there exists a certificate chain associated with the computer file; and
  
  if the certificate chain is determined to exist then;
  
  evaluating, by the antivirus detection module, the certificate chain by locating and extracting a targeted subset of information from the certificate chain based on the identified type and the identified structure of the computer file and causing the extracted information to be analyzed by generating a digital signature for the computer file based on the extracted information and comparing the digital signature with a set of digital signatures having a known desirable or undesirable status, wherein said locating and extracting the targeted subset of information from the certificate chain comprises extracting specific identification information from an end entity certificate of the certificate chain and wherein the extracted information includes all or part of one or more of;
  
  a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information;
  
  classifying, by the antivirus detection module, the computer file into a category of a plurality of categories based on said evaluating;
  
  handling, by the antivirus detection module, the computer file in accordance with a policy associated with the category;
  
  wherein the category is indicative of the computer file being an undesired file or a file suspected of being an undesired file; and
  
  wherein the associated policy quarantines or otherwise attempts to prevent the computer file from being opened by an end user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said determining whether there exists a certificate chain is based upon the identified type and identified structure of the computer file.
  - 3. The method of claim 1, wherein said locating and extracting information from the certificate chain comprises extracting the certificate chain in its entirety.
  - 4. The method of claim 1, wherein data associated with the computer file is held in a memory buffer, wherein the data is held in a temporary file, and wherein the computer file is in transit across a network or the data exists on a non-transitory computer-readable medium where it is accessible by the antivirus detection module.
  - 5. The method of claim 1, wherein the certificate chain is part of the computer file.
  - 6. The method of claim 1, wherein the certificate chain is in a separate file from the computer file.
  - 7. The method of claim 1, wherein the computer system comprises a network gateway, wherein the computer file is in transit across a network and wherein transfer of the computer file is blocked by the associated policy.
  - 8. The method of claim 1, further comprising issuing an alert to the end user or an administrator indicating that an undesired file was detected and describing any action taken.
  - 9. The method of claim 8, further comprising entering information about the undesired file and any action taken into a log.

10. A computer-implemented method of detecting undesired computer files comprising:
- storing, by an antivirus detection module running on a computer system, a file at issue in a memory buffer, wherein the memory buffer represents a location in which the file at issue is held temporarily while the file at issue is in transit across a network, wherein the memory buffer allows access to the file at issue, and wherein the memory buffer comprises a non-transitory storage medium other than a main memory hierarchy of the computer system;
  
  identifying, by the antivirus detection module, a type and structure of a file at issue;
  
  determining whether there is a certificate chain associated with the file at issue;
  
  locating, by the antivirus detection module, the associated certificate chain;
  
  extracting, by the antivirus detection module, specific identification information from the associated certificate chain based on the identified type and the identified structure of the file, wherein the specific identification information comprises all or part of one or more of a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information from an end entity certificate of the associated certificate chain;
  
  determining, by the antivirus detection module, if the file at issue is undesired or suspected of being undesired by generating a digital signature for the file at issue based on the extracted information and comparing the digital signature with a set of digital signatures having a known desirable or undesirable status; and
  
  if the file at issue is found to be undesired or suspected of being undesired, causing a computer user of the computer system or an administrator of the network to be advised regarding the determination or causing other related information to be communicated to the computer user or the administrator about the file at issue.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the file at issue is known to be or suspected of being undesired and the method further comprises providing the computer user with information identifying the file at issue or an indication of suspicion regarding the file at issue.
  - 12. The method of claim 11, wherein the computer user is given the indication of suspicion posed by the file at issue.
  - 13. The method of claim 11, wherein the computer user is given an option to accept or reject the file at issue, or to quarantine the file at issue.
  - 14. The method of claim 10, wherein the file at issue comprises an electronic mail (email) attachment.
  - 15. The method of claim 10, wherein the file at issue comprises a Windows Portable Executable (PE) file requested to be downloaded to a host computer system by an automated update system associated with a client application running on the host computer system.
  - 16. The method of claim 10, wherein the file at issue comprises a file manually requested to be downloaded to a host computer system by the computer user.
  - 17. The method of claim 14, wherein the computer system comprises an email security system.
  - 18. The method of claim 10, wherein the computer system comprises a network gateway.

19. A non-transitory computer-readable storage medium embodying a set of instructions representing an antivirus detection module, which when executed by one or more processors of one or more computer systems, cause the one or more processors to perform a method comprising:
- identifying a type and structure of a computer file;
  
  determining whether there exists a certificate chain associated with the computer file; and
  
  if the certificate chain is determined to exist then;
  
  evaluating the certificate chain by locating and extracting a targeted subset of information from the certificate chain based on the identified type and the identified structure of the computer file and causing the extracted information to be analyzed by generating a digital signature for the computer file based on the extracted information and comparing the digital signature with a set of digital signatures having a known desirable or undesirable status, wherein said locating and extracting the targeted subset of information from the certificate chain comprises extracting specific identification information from an end entity certificate of the certificate chain and wherein the extracted information includes all or part of one or more of;
  
  a certificate serial number, an issuer name, validity information, a subject name, an alternate name, and key usage information;
  
  classifying the computer file into a category of a plurality of categories based on said evaluating;
  
  handling the computer file in accordance with a policy associated with the category;
  
  wherein the category is indicative of the computer file being an undesired file or a file suspected of being an undesired file; and
  
  wherein the associated policy quarantines or otherwise attempts to prevent the computer file from being opened by an end user.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein said determining whether there exists a certificate chain is based upon the identified type and identified structure of the computer file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fossen, Steven Michael, MacDonald, Alexander Douglas
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US11/958,196
Publication Number

US 20080155691A1
Time in Patent Office

3,739 Days
Field of Search

726 22, 713156, 713173, 713175, 713176, 713179
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2115   Third party

H04L 51/046   Interoperability with other...

H04L 51/08   Annexed information, e.g. a...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/02   for separating internal fro...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Detection of undesired computer files using digital certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of undesired computer files using digital certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links