DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES
    2.
    发明申请
    DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES 有权
    使用数字证书检测未完成的计算机文件

    公开(公告)号:US20080155691A1

    公开(公告)日:2008-06-26

    申请号:US11958196

    申请日:2007-12-17

    IPC分类号: G06F11/00

    摘要: Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a determination is made regarding whether there exists a certificate chain associated with a computer file. If the certificate chain is determined to exist, then the certificate chain is evaluated by extracting information from the certificate chain and analyzing the extracted information. The computer file is then classified into one of multiple categories based on the evaluation. Finally, the computer file is handled in accordance with a policy associated with the category to which it was assigned. For example, a confirmed or suspected undesired file may be quarantined and/or an end user or an administrator may be notified regarding the confirmed or suspected undesired file.

    摘要翻译: 提供了用于基于相关数字证书链中包含的信息的扫描和分析来检测不期望的计算机文件的方法和系统。 根据一个实施例,确定是否存在与计算机文件相关联的证书链。 如果证书链确定存在,则通过从证书链中提取信息并分析提取的信息来评估证书链。 然后根据评估将计算机文件分类成多个类别之一。 最后,根据与其分配的类别相关联的策略来处理计算机文件。 例如,可能会隔离已确认或怀疑的不合需要的文件,并且/或可能会通知最终用户或管理员有关已确认或怀疑不需要的文件。

    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES
    3.
    发明申请
    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES 有权
    检索存档中未完成的计算机文件

    公开(公告)号:US20120090031A1

    公开(公告)日:2012-04-12

    申请号:US13312966

    申请日:2011-12-06

    IPC分类号: G06F11/00

    摘要: Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file.

    摘要翻译: 提供内容过滤的系统和方法。 根据一个实施例,使用电子邮件(电子邮件)消息接收自解压档案。 在发送电子邮件消息之前,确定包含在归档中的文件是否是恶意的或不期望的。 通过检查存储在归档的标题部分中的标识字节来确定存档的一种类型的存档和相关联的结构,以识别存档的类型。 基于类型和相关联的结构,对于每个包含的文件,描述性信息(包括未压缩形式的文件的校验和)以非压缩形式的文件的大小和/或压缩形式的文件的大小从 标题部分。 当描述性信息匹配已知恶意或不需要的文件的检测签名时,文件被识别为潜在的恶意或不期望的。

    Detection of undesired computer files in archives
    4.
    发明授权
    Detection of undesired computer files in archives 有权
    检测档案中不需要的电脑档案

    公开(公告)号:US08151355B2

    公开(公告)日:2012-04-03

    申请号:US12893094

    申请日:2010-09-29

    IPC分类号: G06F11/00

    摘要: Systems and methods that can detect known undesired computer files in protected archives are provided. According to one embodiment, an archive file in transit across a network as an attachment to an email message destined for a client workstation is scanned, without decrypting or decompressing contents of the archive, by an anti-virus detection module running on a network gateway. A type and associated structure of the archive are identified by examining primary or secondary identification bytes of the archive. Based on the type and structure, descriptive information regarding a contained file is obtained. The descriptive information includes a hash value of the contained file in uncompressed format. If the descriptive information matches a signature of a known undesired computer file, then a clean version of the archive is produced by removing the contained file and regenerating the archive. Finally, the clean version of the archive is delivered.

    摘要翻译: 提供了可以检测受保护存档中的已知不需要的计算机文件的系统和方法。 根据一个实施例,通过在网络网关上运行的防病毒检测模块来扫描作为目的地为客户端工作站的电子邮件的附件通过网络传输的归档文件,而不对存档的内容进行解密或解压缩。 归档的类型和关联的结构通过检查存档的主要或次要标识字节来识别。 基于类型和结构,获得关于包含文件的描述信息。 描述性信息包括未压缩格式的所包含文件的哈希值。 如果描述性信息与已知不需要的计算机文件的签名相匹配,则通过删除所包含的文件并重新生成归档来产生一个干净版本的归档。 最后,传递了干净版本的存档。

    Detection of undesired computer files in archives
    5.
    发明授权
    Detection of undesired computer files in archives 有权
    检测档案中不需要的电脑档案

    公开(公告)号:US08327447B2

    公开(公告)日:2012-12-04

    申请号:US13312966

    申请日:2011-12-06

    IPC分类号: G06F11/00

    摘要: Systems and methods for content filtering are provided. According to one embodiment, a self-extracting archive is received with an electronic mail (email) message. Prior to delivery of the email message, a determination is made regarding whether a file contained in the archive may be malicious or undesired. A type of archive and associated structure of the archive are determined by examining identification bytes stored within a header portion of the archive that identify the type of archive. Based on the type and associated structure, for each contained file, descriptive information, including a checksum of the file in uncompressed form, a size of the file in uncompressed form and/or a size of the file in the compressed form, is extracted from the header portion. A file is identified as potentially malicious or undesired when the descriptive information matches a detection signature of a known malicious or undesired file.

    摘要翻译: 提供内容过滤的系统和方法。 根据一个实施例,使用电子邮件(电子邮件)消息接收自解压档案。 在发送电子邮件消息之前,确定包含在归档中的文件是否是恶意的或不期望的。 通过检查存储在归档的标题部分中的标识字节来确定存档的一种类型的存档和相关联的结构,以识别存档的类型。 基于类型和相关联的结构,对于每个包含的文件,描述性信息(包括未压缩形式的文件的校验和)以非压缩形式的文件的大小和/或压缩形式的文件的大小从 标题部分。 当描述性信息匹配已知恶意或不需要的文件的检测签名时,文件被识别为潜在的恶意或不期望的。

    Detection of undesired computer files in archives
    6.
    发明授权
    Detection of undesired computer files in archives 有权
    检测档案中不需要的电脑档案

    公开(公告)号:US08074280B2

    公开(公告)日:2011-12-06

    申请号:US12638951

    申请日:2009-12-15

    IPC分类号: G06F11/00

    摘要: Systems and methods for an anti-virus detection module that can detect known undesired computer files in archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a method is provided for detection of malicious or undesired computer files within an archive without decrypting and without decompressing the contents of the archive. A type and structure of the archive are identified by examining primary or secondary identification bytes stored within the archive. Based on the identified type and structure, descriptive information is obtained from the archive describing contained files within the archive file. The descriptive information for each contained files is evaluated to determine if any are malicious or undesired computer files by comparing the descriptive information to signatures of known malicious or undesired computer files. Finally, an attempt is made to prevent contained files determined to be malicious or undesired from being opened.

    摘要翻译: 提供了可以检测归档中可能被加密,压缩和/或密码保护的已知不需要的计算机文件的反病毒检测模块的系统和方法。 根据一个实施例,提供了一种用于检测存档内的恶意或不需要的计算机文件而不解密并且不解压缩归档的内容的方法。 归档的类型和结构通过检查归档中存储的主要或次要标识字节来识别。 基于所识别的类型和结构,从归档文件中包含的文件的归档中获得描述性信息。 通过将描述信息与已知恶意或不期望的计算机文件的签名进行比较来评估每个包含文件的描述信息,以确定是否有恶意或不期望的计算机文件。 最后,尝试防止被确定为恶意或不希望被打开的包含文件。

    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES
    7.
    发明申请
    DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES 有权
    检索存档中未完成的计算机文件

    公开(公告)号:US20110016530A1

    公开(公告)日:2011-01-20

    申请号:US12893094

    申请日:2010-09-29

    IPC分类号: G06F21/00

    摘要: Systems and methods that can detect known undesired computer files in protected archives are provided. According to one embodiment, an archive file in transit across a network as an attachment to an email message destined for a client workstation is scanned, without decrypting or decompressing contents of the archive, by an anti-virus detection module running on a network gateway. A type and associated structure of the archive are identified by examining primary or secondary identification bytes of the archive. Based on the type and structure, descriptive information regarding a contained file is obtained. The descriptive information includes a hash value of the contained file in uncompressed format. If the descriptive information matches a signature of a known undesired computer file, then a clean version of the archive is produced by removing the contained file and regenerating the archive. Finally, the clean version of the archive is delivered.

    摘要翻译: 提供了可以检测受保护存档中的已知不需要的计算机文件的系统和方法。 根据一个实施例,通过在网络网关上运行的防病毒检测模块来扫描作为目的地为客户端工作站的电子邮件的附件通过网络传输的归档文件,而不对存档的内容进行解密或解压缩。 归档的类型和关联的结构通过检查存档的主要或次要标识字节来识别。 基于类型和结构,获得关于包含文件的描述信息。 描述性信息包括未压缩格式的所包含文件的哈希值。 如果描述性信息与已知不需要的计算机文件的签名相匹配,则通过删除所包含的文件并重新生成归档来产生一个干净版本的归档。 最后,传递了干净版本的存档。

    Detection of undesired computer files in damaged archives
    8.
    发明授权
    Detection of undesired computer files in damaged archives 有权
    在损坏的档案中检测不需要的计算机文件

    公开(公告)号:US08166550B2

    公开(公告)日:2012-04-24

    申请号:US12899056

    申请日:2010-10-06

    IPC分类号: G06F11/00

    摘要: Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with a current archive type. Based on the identified type, for each contained file, descriptive information is extracted from corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the threat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive.

    摘要翻译: 提供了可以检测可能被加密,压缩和/或密码保护的损坏归档中的已知不期望计算机文件的反病毒检测模块的系统和方法。 根据一个实施例,接收到损坏或不完整的RAR,CAB或ZIP存档。 在不解密或解压内容的情况下,反病毒检测模块将归档文件识别为RAR,CAB或ZIP存档,依次依次考虑多个可能的归档类型,并搜索归档中的所有或某些部分以符合当前的内容 存档类型。 基于所识别的类型,对于每个包含的文件,从相应的本地文件头提取描述性信息,并且通过将描述信息与已知恶意或不需要的文件的签名进行比较来执行威胁评估。 如果威胁评估结束某个特定的文件是一个威胁,那么就应该采取适当的防御措施与档案有关。

    DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES
    9.
    发明申请
    DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES 有权
    在损坏的档案中检测未完成的计算机文件

    公开(公告)号:US20110023121A1

    公开(公告)日:2011-01-27

    申请号:US12899056

    申请日:2010-10-06

    IPC分类号: G06F21/24

    摘要: Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with a current archive type. Based on the identified type, for each contained file, descriptive information is extracted from corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the treat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive.

    摘要翻译: 提供了可以检测可能被加密,压缩和/或密码保护的损坏归档中的已知不期望计算机文件的反病毒检测模块的系统和方法。 根据一个实施例,接收到损坏或不完整的RAR,CAB或ZIP存档。 在不解密或解压内容的情况下,反病毒检测模块将归档文件识别为RAR,CAB或ZIP存档,依次依次考虑多个可能的归档类型,并搜索归档中的所有或某些部分与目前一致的内容 存档类型。 基于所识别的类型,对于每个包含的文件,从相应的本地文件头提取描述性信息,并且通过将描述信息与已知恶意或不需要的文件的签名进行比较来执行威胁评估。 如果对待评估结束某个特定的文件是一个威胁,那么就应该采取与档案有关的适当的防御措施。

    Detection of undesired computer files in archives
    10.
    发明授权
    Detection of undesired computer files in archives 有权
    检测档案中不需要的电脑档案

    公开(公告)号:US07797746B2

    公开(公告)日:2010-09-14

    申请号:US11828754

    申请日:2007-07-26

    IPC分类号: G06F11/00

    摘要: Systems and methods for an anti-virus detection module that can detect known undesired computer files in encrypted, compressed, password-protected and/or damaged archives are provided. According to one embodiment, an archive file is scanned without decrypting and without decompressing contents of the archive file. A type and associated structure of the archive file are identified. Then, based on the identified type and the associated structure, descriptive information from the archive file is obtained describing one or more contained files. The descriptive information for each of the contained files is evaluated to determine if any of the contained files are malicious or undesired computer files by comparing the descriptive information to signatures of known malicious or undesired computer files. Finally, an attempt is made to prevent any of the contained files determined to be a malicious or undesired computer file from being opened.

    摘要翻译: 提供了可以检测加密,压缩,密码保护和/或损坏的归档中的已知不需要的计算机文件的反病毒检测模块的系统和方法。 根据一个实施例,在不解密并且不解压缩归档文件的内容的情况下扫描归档文件。 识别归档文件的类型和关联结构。 然后,基于所识别的类型和相关联的结构,获得描述一个或多个所包含的文件的归档文件的描述信息。 评估每个包含的文件的描述信息,以通过将描述信息与已知恶意或不期望的计算机文件的签名进行比较来确定所包含的文件中的任何一个是恶意的还是不期望的计算机文件。 最后,尝试防止任何被确定为包含的文件是恶意的或不期望的计算机文件被打开。