System and method for providing dynamic screening of transient messages in a distributed computing environment
First Claim
1. A system for providing dynamic screening of transient messages in a distributed computing environment, comprising:
an antivirus system intercepting an incoming message at a network domain boundary, the incoming message including a header comprising a plurality of address fields storing contents;
a stored set of blocking rules, each blocking rule defining readily-discoverable characteristics indicative of messages infected with at least one of a computer virus, malware and bad content;
a parser module identifying the contents of each address field;
a comparison module checking the contents of each address field against the blocking rules to screen infected messages and identify clean messages;
an intermediate message queue staging each such clean message pending further processing;
an antivirus scanner scanning each message in the intermediate message queue for at least one of a computer virus and malware; and
an event handler performing each scanning operation as an event responsive to each such clean message staged in the intermediate message queue;
wherein the infected messages are blocked from entering the intermediate message queue immediately after the comparison is made between the blocking rules and the contents of at least one of the address fields;
wherein the intermediate message queue is maintained at a constant size;
wherein the constant size is determined according to a progress of the antivirus scanner in order to prevent the intermediate message queue from becoming overloaded with messages awaiting scanning.
Abstract
A system and method for providing dynamic screening of transient messages in a distributed computing environment is disclosed. An incoming message is intercepted at a network domain boundary. The incoming message includes a header having a plurality of address fields, each storing contents. A set of blocking rules is maintained. Each blocking rule defines readily-discoverable characteristics indicative of messages infected with at least one of a computer virus, malware and bad content. The contents of each address field are identified and checked against the blocking rules to screen infected messages and identify clean messages. Each such clean message is staged into an intermediate message queue pending further processing.
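The two-stage flow the abstract describes (header address fields checked against blocking rules, with only clean messages staged in a bounded queue for the scanner) is shown below as an added Python example; it is not code from the patent. The rule patterns, the marker string, the sample messages and all function names are constructed assumptions, and the queue bound is a fixed `maxsize` with a blocking `put`, a simplification of the claimed size "determined according to a progress of the antivirus scanner".

```python
import queue
import re
import threading
from email import message_from_string
from email.utils import getaddresses

# Constructed blocking rules: (address header field, pattern on the address).
BLOCKING_RULES = [
    ("from", re.compile(r"@mailer\.invalid$", re.I)),
    ("reply-to", re.compile(r"^bulk-\d+@", re.I)),
]

def screen_headers(raw):
    """Cheap first stage: return the (field, address) that hit a rule, else None."""
    msg = message_from_string(raw)
    for field, pattern in BLOCKING_RULES:
        for _name, addr in getaddresses(msg.get_all(field, [])):
            if pattern.search(addr):
                return field, addr
    return None

def scan_body(raw):
    """Stand-in for the antivirus scanner; matches a constructed marker only."""
    return "CONSTRUCTED-TEST-SIGNATURE" in raw.partition("\n\n")[2]

def run_pipeline(messages, queue_size=2):
    staged = queue.Queue(maxsize=queue_size)  # bounded intermediate queue
    result = {"blocked": [], "infected": [], "delivered": []}

    def scanner():  # woken by each staged message; None is the stop sentinel
        for idx, raw in iter(staged.get, None):
            result["infected" if scan_body(raw) else "delivered"].append(idx)

    worker = threading.Thread(target=scanner)
    worker.start()
    for idx, raw in enumerate(messages):
        if screen_headers(raw):
            result["blocked"].append(idx)  # rejected before it is ever queued
            continue
        staged.put((idx, raw))  # blocks while the scanner is behind
    staged.put(None)
    worker.join()
    return result

SAMPLES = [  # constructed messages
    "From: alice@example.org\nTo: bob@example.net\n\nhello",
    "From: promo@mailer.invalid\nTo: bob@example.net\n\noffer",
    "From: carol@example.org\nReply-To: bulk-42@example.com\n\nhi",
    "From: dave@example.org\nTo: bob@example.net\n\nCONSTRUCTED-TEST-SIGNATURE",
]
```

Calling `run_pipeline(SAMPLES)` shows that header-blocked messages never consume a queue slot or scanner time, while the blocking `put` keeps the receiver from outrunning the scanner.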
94 Citations
29 Claims
1. A system for providing dynamic screening of transient messages in a distributed computing environment, comprising:
an antivirus system intercepting an incoming message at a network domain boundary, the incoming message including a header comprising a plurality of address fields storing contents;
a stored set of blocking rules, each blocking rule defining readily-discoverable characteristics indicative of messages infected with at least one of a computer virus, malware and bad content;
a parser module identifying the contents of each address field;
a comparison module checking the contents of each address field against the blocking rules to screen infected messages and identify clean messages;
an intermediate message queue staging each such clean message pending further processing;
an antivirus scanner scanning each message in the intermediate message queue for at least one of a computer virus and malware; and
an event handler performing each scanning operation as an event responsive to each such clean message staged in the intermediate message queue;
wherein the infected messages are blocked from entering the intermediate message queue immediately after the comparison is made between the blocking rules and the contents of at least one of the address fields;
wherein the intermediate message queue is maintained at a constant size;
wherein the constant size is determined according to a progress of the antivirus scanner in order to prevent the intermediate message queue from becoming overloaded with messages awaiting scanning.
Dependent claims: 2, 3, 4, 5, 6, 7, 27, 28, 29
8. A method for providing dynamic screening of transient messages in a distributed computing environment, comprising:
intercepting an incoming message at a network domain boundary, the incoming message including a header comprising a plurality of address fields storing contents;
maintaining a set of blocking rules, each blocking rule defining readily-discoverable characteristics indicative of messages infected with at least one of a computer virus, malware and bad content;
identifying and checking the contents of each address field against the blocking rules to screen infected messages and identify clean messages;
staging each such clean message into an intermediate message queue pending further processing;
scanning each message in the intermediate message queue for at least one of a computer virus and malware; and
performing each scanning operation as an event responsive to each such clean message staged in the intermediate message queue;
wherein the infected messages are blocked from entering the intermediate message queue immediately after the comparison is made between the blocking rules and the contents of at least one of the address fields;
wherein the intermediate message queue is maintained at a constant size;
wherein the constant size is determined according to a progress of an antivirus scanner in order to prevent the intermediate message queue from becoming overloaded with messages awaiting scanning.
Dependent claims: 9, 10, 11, 12, 13, 14, 15
16. A system for efficiently detecting computer viruses and malware at a network domain boundary, comprising:
an antivirus system receiving an incoming message packet from a sending client at a network domain boundary through an open connection, the incoming message packet comprising a header including fields, which each store field values, wherein each incoming message packet further comprises a body storing message content;
a message receiver comprising;
a parser module parsing the field values from each field in the header of each incoming message packet by extracting tokens representing the field values;
a comparison module comparing the tokens to characteristics indicative of at least one of a computer virus and malware to identify screened incoming message packets, and forwarding each screened incoming message packet;
a message queue enqueueing each screened incoming message packet; and
an antivirus scanner scanning the message content of the body of each screened incoming message packet for at least one of a computer virus and malware to identify uninfected screened incoming message packets, and forwarding each uninfected screened incoming message packet;
wherein the screened incoming message packets determined to be infected are blocked from being forwarded immediately after the comparison is made between the tokens and the characteristics indicative of at least one of a computer virus and malware;
wherein the message queue is maintained at a constant size;
wherein the constant size is determined according to a progress of the antivirus scanner in order to prevent the message queue from becoming overloaded with messages awaiting scanning.
Dependent claims: 17, 18, 19, 20
21. A method for efficiently detecting computer viruses and malware at a network domain boundary, comprising:
receiving an incoming message packet from a sending client at a network domain boundary through an open connection, the incoming message packet comprising a header including fields, which each store field values, wherein each incoming message packet further comprises a body storing message content;
parsing the field values from each field in the header of each incoming message packet by extracting tokens representing the field values;
comparing the tokens to characteristics indicative of at least one of a computer virus and malware to identify screened incoming message packets;
forwarding each screened incoming message packet;
scanning the message content of the body of each screened incoming message packet for at least one of a computer virus and malware to identify uninfected screened incoming message packets;
forwarding each uninfected screened incoming message packet; and
enqueueing each screened incoming message packet onto a message queue;
wherein the screened incoming message packets determined to be infected are blocked from being forwarded immediately after the comparison is made between the tokens and the characteristics indicative of at least one of a computer virus and malware;
wherein the intermediate message queue is maintained at a constant size;
wherein the constant size is determined according to a progress of an antivirus scanner in order to prevent the intermediate message queue from becoming overloaded with messages awaiting scanning.
Dependent claims: 22, 23, 24, 25, 26
Specification