Detecting malware carried by an E-mail message
First Claim
1. A method, comprising:
- receiving an e-mail message at a computer;
- evaluating characteristics of the e-mail message based on a set of filtering rules that are distinct from virus definition data, wherein the set of filtering rules are to be accessed by a malware scanner configured for scanning e-mail traffic propagating in a network environment, wherein the evaluating of the characteristics is performed without identifying offending virus code within a file in the e-mail message;
- using the characteristics to determine that the e-mail message includes malware for which there is no current virus definition data, wherein the set of filtering rules have an associated priority level indicative of a security threat posed by certain types of malware, and wherein an identification of certain malware instances in outbound e-mail messages of a particular network results in a high priority designation for the particular network to receive updated virus definition data;
- rescinding a particular one of the filtering rules, which was temporary, based, at least in part, on new virus definition data becoming available;
- determining whether a threshold number of trigger levels of a particular one of the filtering rules has been exceeded; and
- generating a detection activity report based on the threshold number of trigger levels.
Abstract
An anti-virus system provider distributes an e-mail-identifying content filtering rule, which seeks to identify e-mail messages suspected of containing an item of malware, from a central source (20) to users (2). This distribution may itself be by an e-mail message that is appropriately signed and encrypted. At the user system (2), the received e-mail-identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware distributed by e-mail may be identified by characteristics of its carrier e-mail rather than by characteristics of the malware itself, which may not yet have been properly analyzed, or for which the mechanisms for detecting such characteristics of the malware itself may not yet have been put in place.
66 Citations
17 Claims
1. A method, comprising: the steps set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An apparatus, comprising:
- a gateway computer coupled to an end user computer over a network connection, the gateway computer including a rule engine, the gateway computer being configured for:
- evaluating characteristics of the e-mail message based on a set of filtering rules that are distinct from virus definition data, wherein the set of filtering rules are to be accessed by a malware scanner configured for scanning e-mail traffic propagating in a network environment, wherein the evaluating of the characteristics is performed without identifying offending virus code within a file in the e-mail message;
- using the characteristics to determine that the e-mail message includes malware for which there is no current virus definition data, wherein the set of filtering rules have an associated priority level indicative of a security threat posed by certain types of malware, and wherein an identification of certain malware instances in outbound e-mail messages of a particular network results in a high priority designation for the particular network to receive updated virus definition data;
- rescinding a particular one of the filtering rules, which was temporary, based, at least in part, on new virus definition data becoming available;
- determining whether a threshold number of trigger levels of a particular one of the filtering rules has been exceeded; and
- generating a detection activity report based on the threshold number of trigger levels.
Dependent claims: 10, 11, 12.
13. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving an e-mail message at a computer;
- evaluating characteristics of the e-mail message based on a set of filtering rules that are distinct from virus definition data, wherein the set of filtering rules are to be accessed by a malware scanner configured for scanning e-mail traffic propagating in a network environment, wherein the evaluating of the characteristics is performed without identifying offending virus code within a file in the e-mail message;
- using the characteristics to determine that the e-mail message includes malware for which there is no current virus definition data, wherein the set of filtering rules have an associated priority level indicative of a security threat posed by certain types of malware, and wherein an identification of certain malware instances in outbound e-mail messages of a particular network results in a high priority designation for the particular network to receive updated virus definition data;
- rescinding a particular one of the filtering rules, which was temporary, based, at least in part, on new virus definition data becoming available;
- determining whether a threshold number of trigger levels of a particular one of the filtering rules has been exceeded; and
- generating a detection activity report based on the threshold number of trigger levels.
Dependent claims: 14, 15, 16, 17.
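The claimed method as a small Python rule engine, added here as an illustration and not code from the patent: rules match carrier characteristics only (subject and attachment names, never file contents), carry a priority level, count their triggers against a threshold to emit a detection activity report, flag a network as high priority when a hit occurs on outbound mail, and temporary rules are rescinded when definition data for that malware arrives. Rule names, message fields and the sample traffic are constructed for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str          # malware instance the rule stands in for (constructed label)
    subject: str       # regex over the Subject header
    attachment: str    # regex over attachment file names
    priority: int      # security-threat level carried by the rule (higher = more severe)
    temporary: bool    # rescinded once virus definition data for `name` arrives
    threshold: int     # trigger count above which a detection activity report is generated
    triggers: int = 0

@dataclass
class RuleEngine:
    rules: list
    definitions: set = field(default_factory=set)             # malware names covered by definition data
    high_priority_networks: set = field(default_factory=set)  # networks flagged for early definition updates
    reports: list = field(default_factory=list)

    def evaluate(self, msg):
        """Match carrier characteristics only; attachment contents are never opened or scanned."""
        hits = []
        for r in self.rules:
            if re.search(r.subject, msg["subject"], re.I) and any(
                    re.search(r.attachment, a, re.I) for a in msg["attachments"]):
                r.triggers += 1
                hits.append(r.name)
                if msg["direction"] == "outbound":   # malware leaving a network: prioritise it for updates
                    self.high_priority_networks.add(msg["network"])
                if r.triggers > r.threshold:         # threshold exceeded: generate the activity report
                    self.reports.append(f"{r.name}: triggered {r.triggers} times, priority {r.priority}")
        return hits

    def update_definitions(self, names):
        """New definition data supersedes the temporary rules that covered the same malware."""
        self.definitions |= set(names)
        self.rules = [r for r in self.rules if not (r.temporary and r.name in self.definitions)]

def demo():
    eng = RuleEngine([Rule("WORM-X", r"^please read", r"\.txt\.vbs$", 3, True, 1),
                      Rule("EXE-ATTACH", r".", r"\.(exe|scr)$", 1, False, 5)])
    msgs = [  # constructed sample traffic
        {"subject": "Please read", "attachments": ["readme.txt.vbs"], "direction": "inbound", "network": "net-A"},
        {"subject": "Please read", "attachments": ["readme.TXT.VBS"], "direction": "outbound", "network": "net-B"},
        {"subject": "Invoice", "attachments": ["invoice.pdf"], "direction": "inbound", "network": "net-A"},
    ]
    hits = [eng.evaluate(m) for m in msgs]
    eng.update_definitions(["WORM-X"])   # definitions now cover WORM-X: its temporary rule is rescinded
    return eng, hits
```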
Specification