DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES
    2.
    Patent application
    DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES (in force)

    Publication number: US20080155691A1

    Publication date: 2008-06-26

    Application number: US11958196

    Filing date: 2007-12-17

    IPC classification: G06F11/00

    Abstract: Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a determination is made regarding whether there exists a certificate chain associated with a computer file. If the certificate chain is determined to exist, then the certificate chain is evaluated by extracting information from the certificate chain and analyzing the extracted information. The computer file is then classified into one of multiple categories based on the evaluation. Finally, the computer file is handled in accordance with a policy associated with the category to which it was assigned. For example, a confirmed or suspected undesired file may be quarantined and/or an end user or an administrator may be notified regarding the confirmed or suspected undesired file.
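    A worked illustration of the evaluate-classify-apply-policy sequence in this abstract, added here as an example; it is not code from the patent or its assignee. It uses Go's crypto/x509 to mint a throwaway root CA plus two leaf certificates (constructed test data), extracts subject, issuer, validity and extended key usage from a leaf-first DER chain, sorts the file into one of four categories whose names are assumed, and looks the handling up in an assumed policy table. Pulling the chain out of a signed file (an Authenticode signature, a signed JAR) is format-specific and is not shown; Evaluate takes the DER certificates directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Category is the bucket a file lands in once its certificate chain (if any)
// has been evaluated. The names and the policy table are this example's own.
type Category string

const (
	CatUnsigned      Category = "unsigned"
	CatTrustedSigned Category = "trusted-code-signing"
	CatBadChain      Category = "untrusted-or-invalid-chain"
	CatNotCodeSign   Category = "trusted-but-not-code-signing"
)

// Policy maps each category to its handling (assumed actions).
var Policy = map[Category]string{
	CatUnsigned:      "fall back to content scanning",
	CatTrustedSigned: "deliver",
	CatBadChain:      "quarantine and notify administrator",
	CatNotCodeSign:   "quarantine and notify user",
}

// Evaluate extracts subject, issuer, validity and extended key usage from a
// leaf-first DER chain and classifies the file; an empty chain means unsigned.
func Evaluate(chainDER [][]byte, roots *x509.CertPool, now time.Time) (Category, string) {
	if len(chainDER) == 0 {
		return CatUnsigned, "no certificate chain attached"
	}
	leaf, err := x509.ParseCertificate(chainDER[0])
	if err != nil {
		return CatBadChain, "leaf does not parse: " + err.Error()
	}
	inter := x509.NewCertPool()
	for _, der := range chainDER[1:] {
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	detail := fmt.Sprintf("subject=%q issuer=%q", leaf.Subject.CommonName, leaf.Issuer.CommonName)
	// Verify builds the path to a trusted root and checks every signature and
	// validity window; ExtKeyUsageAny leaves the EKU decision to the loop below.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return CatBadChain, detail + ": " + err.Error()
	}
	for _, eku := range leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			return CatTrustedSigned, detail
		}
	}
	return CatNotCodeSign, detail + ": no code-signing EKU"
}

func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// BuildDemo mints a throwaway root CA, a code-signing leaf it issued, and a
// self-signed leaf with the same subject (constructed test data).
func BuildDemo() (roots *x509.CertPool, good, rogue []byte) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert, _ := x509.ParseCertificate(mint(caTmpl, caTmpl, &caKey.PublicKey, caKey))
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Publisher"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	good = mint(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	rogue = mint(leafTmpl, leafTmpl, &leafKey.PublicKey, leafKey) // chains to nothing trusted
	return roots, good, rogue
}

func main() {
	roots, good, rogue := BuildDemo()
	for _, chain := range [][][]byte{{good}, {rogue}, nil} {
		cat, why := Evaluate(chain, roots, time.Now())
		fmt.Printf("%-28s -> %s (%s)\n", cat, Policy[cat], why)
	}
}
```

    The self-signed leaf carries exactly the same subject and EKU as the legitimate one; only path validation against the root pool tells them apart, which is why the classification is driven by Verify's result rather than by any field a sender can fill in freely.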

    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES
    3.
    Patent application
    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES (in force)

    Publication number: US20120090031A1

    Publication date: 2012-04-12

    Application number: US13312966

    Filing date: 2011-12-06

    IPC classification: G06F11/00

    Abstract: Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file.

    Detection of undesired computer files in archives
    4.
    Granted patent
    Detection of undesired computer files in archives (in force)

    Publication number: US08151355B2

    Publication date: 2012-04-03

    Application number: US12893094

    Filing date: 2010-09-29

    IPC classification: G06F11/00

    Abstract: Systems and methods that can detect known undesired computer files in protected archives are provided. According to one embodiment, an archive file in transit across a network as an attachment to an email message destined for a client workstation is scanned, without decrypting or decompressing contents of the archive, by an anti-virus detection module running on a network gateway. A type and associated structure of the archive are identified by examining primary or secondary identification bytes of the archive. Based on the type and structure, descriptive information regarding a contained file is obtained. The descriptive information includes a hash value of the contained file in uncompressed format. If the descriptive information matches a signature of a known undesired computer file, then a clean version of the archive is produced by removing the contained file and regenerating the archive. Finally, the clean version of the archive is delivered.
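    The header-only scan of entry 3 and the archive regeneration of this entry, as one added example; it is not the patents' code. It uses Go's archive/zip, which reads only the central directory unless an entry is opened, together with the public identification bytes of ZIP, RAR and CAB. The signature set, the entry names and the "encrypted" entry are constructed: Go's writer cannot produce PKZIP encryption, so that entry is a pre-deflated body written through CreateRaw with flag bit 0 set, which is enough because the scanner never reads past the headers. Writer.Copy requires Go 1.17 or later.

```go
package main

import (
	"archive/zip"
	"bytes"
	"compress/flate"
	"fmt"
	"hash/crc32"
)

// Signature of a known undesired file, keyed only by values the ZIP headers
// expose without decompression: CRC-32 and size of the uncompressed file.
type Signature struct {
	CRC32 uint32
	Size  uint64
}

// Public identification bytes; the prefixes are mutually exclusive.
var magics = map[string][]byte{"zip": []byte("PK\x03\x04"), "rar": []byte("Rar!\x1a\x07"), "cab": []byte("MSCF")}

// IdentifyType reads the identification bytes at the head of the attachment.
func IdentifyType(data []byte) string {
	for name, magic := range magics {
		if bytes.HasPrefix(data, magic) {
			return name
		}
	}
	return "unknown"
}

// ScanZip parses only the central directory; archive/zip never inflates an
// entry unless Open is called on it. An entry flagged encrypted (flag bit 0)
// still carries its plaintext CRC and size, so it is matched without the
// password. Returns entry name -> signature name for every hit.
func ScanZip(data []byte, known map[Signature]string) (map[string]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	hits := map[string]string{}
	for _, f := range zr.File {
		if name, ok := known[Signature{f.CRC32, f.UncompressedSize64}]; ok {
			hits[f.Name] = name
		}
	}
	return hits, nil
}

// CleanZip regenerates the archive without the flagged entries and reports
// the names kept. Writer.Copy carries each remaining entry's stored bytes over
// verbatim, so nothing is decrypted or decompressed at the gateway.
func CleanZip(data []byte, drop map[string]string) ([]byte, []string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, nil, err
	}
	var out bytes.Buffer
	var kept []string
	zw := zip.NewWriter(&out)
	for _, f := range zr.File {
		if _, bad := drop[f.Name]; bad {
			continue
		}
		if err := zw.Copy(f); err != nil {
			return nil, nil, err
		}
		kept = append(kept, f.Name)
	}
	if err := zw.Close(); err != nil {
		return nil, nil, err
	}
	return out.Bytes(), kept, nil
}

// BuildSample constructs a ZIP holding a benign text file and an entry whose
// header says "encrypted"; its body is merely pre-deflated filler (Go cannot
// write real PKZIP encryption). Constructed data, not malware.
func BuildSample() ([]byte, Signature) {
	payload := []byte("MZ constructed fake payload, not a real binary")
	sig := Signature{crc32.ChecksumIEEE(payload), uint64(len(payload))}
	var comp bytes.Buffer
	fw, _ := flate.NewWriter(&comp, flate.DefaultCompression)
	fw.Write(payload)
	fw.Close()
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("readme.txt")
	w.Write([]byte("benign"))
	raw, _ := zw.CreateRaw(&zip.FileHeader{Name: "setup.exe", Method: zip.Deflate, Flags: 0x1,
		CRC32: sig.CRC32, CompressedSize64: uint64(comp.Len()), UncompressedSize64: sig.Size})
	raw.Write(comp.Bytes())
	zw.Close()
	return buf.Bytes(), sig
}

func main() {
	data, sig := BuildSample()
	hits, _ := ScanZip(data, map[Signature]string{sig: "Fake.Payload.Demo"})
	_, kept, _ := CleanZip(data, hits)
	fmt.Println("type:", IdentifyType(data), "hits:", hits, "delivered:", kept)
}
```

    Two caveats a practitioner should keep in mind with this class of detection: the CRC and sizes in the headers are written by whoever built the archive, so a signature on them catches a known file forwarded unmodified and is not an integrity check; and streaming writers (Go's own included) leave the local file header's CRC and size fields at zero and place the real values in a trailing data descriptor, so an intact archive should be read through its central directory, as above, rather than through local headers alone.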

    Detection of undesired computer files in damaged archives
    5.
    Granted patent
    Detection of undesired computer files in damaged archives (in force)

    Publication number: US08166550B2

    Publication date: 2012-04-24

    Application number: US12899056

    Filing date: 2010-10-06

    IPC classification: G06F11/00

    Abstract: Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with a current archive type. Based on the identified type, for each contained file, descriptive information is extracted from corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the threat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive.
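    The damaged-archive case from this abstract (the application at entry 6 and the earlier one at entry 8 describe the same procedure), as an added example that is not the patents' code. It identifies the type by searching the whole buffer for each candidate's public identification bytes in turn, then walks ZIP local file headers directly with no central directory and, where a header defers CRC and sizes to a data descriptor (as Go's own writer does), accepts a descriptor only when its compressed-size field agrees with its position. The truncated, junk-prefixed sample and the expected values are constructed; RAR and CAB are detected but not parsed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"hash/crc32"
	"strings"
)

// Entry is the descriptive information read from one ZIP local file header, or
// from the data descriptor after the entry when flag bit 3 deferred it there.
type Entry struct {
	Name     string
	CRC32    uint32 // of the uncompressed file
	CompSize uint32
	UncSize  uint32
}

var sigLocal, sigDesc = []byte("PK\x03\x04"), []byte("PK\x07\x08")

// Candidate types, assumed in turn (public identification bytes).
var magics = []struct{ name string; magic []byte }{{"zip", sigLocal}, {"rar", []byte("Rar!\x1a\x07")}, {"cab", []byte("MSCF")}}

// IdentifyType searches the whole buffer for each type's identification bytes,
// so a truncated archive or one with junk in front is still recognised.
func IdentifyType(data []byte) (string, int) {
	for _, c := range magics {
		if i := bytes.Index(data, c.magic); i >= 0 {
			return c.name, i
		}
	}
	return "", -1
}

// ScanLocalHeaders walks a possibly damaged ZIP without inflating anything and
// without the central directory, which is what truncation usually destroys.
// Zip64 descriptors (8-byte sizes) are not handled.
func ScanLocalHeaders(data []byte) []Entry {
	le := binary.LittleEndian
	var out []Entry
	for pos := 0; pos <= len(data); {
		i := bytes.Index(data[pos:], sigLocal)
		h := pos + i
		if i < 0 || h+30 > len(data) {
			return out
		}
		flags, nameLen := le.Uint16(data[h+6:]), int(le.Uint16(data[h+26:]))
		start := h + 30 + nameLen + int(le.Uint16(data[h+28:]))
		if start > len(data) {
			return out
		}
		e := Entry{Name: string(data[h+30 : h+30+nameLen]), CRC32: le.Uint32(data[h+14:]),
			CompSize: le.Uint32(data[h+18:]), UncSize: le.Uint32(data[h+22:])}
		next := start + int(e.CompSize)
		if flags&0x8 != 0 {
			// Sizes follow the data: accept only a descriptor whose compressed-size
			// field equals its distance from the data start, which rejects a stray
			// "PK\x07\x08" inside the deflate stream.
			next = -1
			for d := start; ; d++ {
				j := bytes.Index(data[d:], sigDesc)
				if j < 0 {
					break // truncated mid-entry: name known, sizes not
				}
				if d += j; d+16 <= len(data) && le.Uint32(data[d+8:]) == uint32(d-start) {
					e.CRC32, e.CompSize, e.UncSize = le.Uint32(data[d+4:]), uint32(d-start), le.Uint32(data[d+12:])
					next = d + 16
					break
				}
			}
		}
		out = append(out, e)
		if next < 0 {
			return out
		}
		pos = next
	}
	return out
}

// BuildDamagedSample writes a ZIP with archive/zip (whose writer uses data
// descriptors), prepends MIME junk and drops the central directory, imitating a
// truncated e-mail attachment. Returns the bytes and the Entry a correct scan
// must recover for the second file. Constructed data, not real malware.
func BuildDamagedSample() ([]byte, Entry) {
	payload := []byte("MZ" + strings.Repeat("\x90", 200) + "constructed fake dropper")
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("readme.txt")
	w.Write([]byte("hello"))
	w, _ = zw.Create("invoice.exe")
	w.Write(payload)
	zw.Close()
	cut := bytes.Index(buf.Bytes(), []byte("PK\x01\x02")) // first central directory record
	damaged := append([]byte("--boundary\r\nContent-Type: application/zip\r\n\r\n"), buf.Bytes()[:cut]...)
	return damaged, Entry{Name: "invoice.exe", CRC32: crc32.ChecksumIEEE(payload), UncSize: uint32(len(payload))}
}
```

    The (CRC32, UncSize) pair each Entry yields is what gets compared with the signature set, exactly as in the intact-archive example under entry 4; the difference here is that nothing past the local headers and descriptors is assumed to exist.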

    DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES
    6.
    Patent application
    DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES (in force)

    Publication number: US20110023121A1

    Publication date: 2011-01-27

    Application number: US12899056

    Filing date: 2010-10-06

    IPC classification: G06F21/24

    Abstract: Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with a current archive type. Based on the identified type, for each contained file, descriptive information is extracted from corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the threat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive.

    Detection of undesired computer files in archives
    7.
    Granted patent
    Detection of undesired computer files in archives (in force)

    Publication number: US07797746B2

    Publication date: 2010-09-14

    Application number: US11828754

    Filing date: 2007-07-26

    IPC classification: G06F11/00

    Abstract: Systems and methods for an anti-virus detection module that can detect known undesired computer files in encrypted, compressed, password-protected and/or damaged archives are provided. According to one embodiment, an archive file is scanned without decrypting and without decompressing contents of the archive file. A type and associated structure of the archive file are identified. Then, based on the identified type and the associated structure, descriptive information from the archive file is obtained describing one or more contained files. The descriptive information for each of the contained files is evaluated to determine if any of the contained files are malicious or undesired computer files by comparing the descriptive information to signatures of known malicious or undesired computer files. Finally, an attempt is made to prevent any of the contained files determined to be a malicious or undesired computer file from being opened.

    DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES
    8.
    Patent application
    DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES (in force)

    Publication number: US20100095380A1

    Publication date: 2010-04-15

    Application number: US12638951

    Filing date: 2009-12-15

    IPC classification: G06F21/00 G06F17/00 G06F12/16

    Abstract: Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged archive file is received. And, without decrypting or decompressing the contents, an anti-virus detection module identifies a type and associated structure of the archive file by assuming each possible archive file type in turn and searching the archive file for descriptive information consistent with a current archive file type. Based thereon, descriptive information is obtained from the archive file describing one or more contained files within the archive file. Then, the descriptive information for each contained file is evaluated to determine if any contained files are malicious or undesired computer files. Finally, an attempt is made to prevent contained files determined to be a malicious or undesired computer file from being opened.

    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES
    9.
    Patent application
    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES (in force)

    Publication number: US20080141373A1

    Publication date: 2008-06-12

    Application number: US11828754

    Filing date: 2007-07-26

    IPC classification: G06F21/00

    Abstract: Systems and methods for an anti-virus detection module that can detect known undesired computer files in encrypted, compressed, password-protected and/or damaged archives are provided. According to one embodiment, an archive file is scanned without decrypting and without decompressing contents of the archive file. A type and associated structure of the archive file are identified. Then, based on the identified type and the associated structure, descriptive information from the archive file is obtained describing one or more contained files. The descriptive information for each of the contained files is evaluated to determine if any of the contained files are malicious or undesired computer files by comparing the descriptive information to signatures of known malicious or undesired computer files. Finally, an attempt is made to prevent any of the contained files determined to be a malicious or undesired computer file from being opened.

    Detection of undesired computer files in archives
    10.
    Granted patent
    Detection of undesired computer files in archives (in force)

    Publication number: US08327447B2

    Publication date: 2012-12-04

    Application number: US13312966

    Filing date: 2011-12-06

    IPC classification: G06F11/00

    Abstract: Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file.