USRE45326E1 - Systems and methods for securing computers - Google Patents
Systems and methods for securing computers Download PDFInfo
- Publication number
- USRE45326E1 USRE45326E1 US13/672,978 US201213672978A USRE45326E US RE45326 E1 USRE45326 E1 US RE45326E1 US 201213672978 A US201213672978 A US 201213672978A US RE45326 E USRE45326 E US RE45326E
- Authority
- US
- United States
- Prior art keywords
- emails
- computer
- user
- infected
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related, expires
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- G06Q10/107—Computer-aided management of electronic mailing [e-mailing]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/212—Monitoring or handling of messages using filtering or selective blocking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- the present invention relates to systems and methods for protecting a computer against a virus or a worm.
- viruses have become problematic to computers and computer users. Such viruses are typically found within computer programs, files, or code and can produce unintended and sometimes damaging results. These viruses can be transmitted by disk, electronic mail (e-mail), radio wave, light wave, or other computer readable media.
- emails transmit electronic messages from one computer to another. These messages may be simple text messages or more complex messages containing documents and data of various types.
- the transmission of e-mail messages may range from transmission over a short distance, such as over a local area network between employees in adjoining offices, to transmission over extremely long distances, such as over the global Internet between users on different continents.
- the global nature of emails makes them easy carriers for viruses.
- viruses produce copies of it in other programs, allows the programs to perform their regular operations, and surreptitiously performs other, unintended actions.
- Other types of viruses include, without limitation, the following: worms, logic bombs, time bombs, trojan horses, and any malicious program or code residing in executable programs, macros, applets, or elsewhere. While advances have been made in the detection of viruses, the proliferation of computers and the increasing interconnection of, and communication between, computers have also increased the opportunities for the spread of existing viruses and the development of new computer viruses. Thus, the number and type of viruses to which a computer or computer system is potentially exposed is ever changing. This is one reason that the information used to detect viruses requires seemingly constant revision and augmentation in order to detect the various strains of viruses.
- Nimda a virulent virus that first appeared in September 2001 is Nimda (a.k.a. W32/Nimda@MM or Code Rainbow), a worm that attacks Microsoft Windows systems.
- Nimda attacks a variety of both server and client vulnerabilities and even the back doors left by Code Red II.
- Nimda can attack via email. It uses the Internet Explorer exploit mentioned in MS01-020 to cause Outlook to automatically execute the worm on a users system.
- Nimda can attack via web browser. If a user visits an infected web server and does not have patch MS01-020 applied their machine can be infected.
- Nimda can attack using holes opened by previous worms.
- Nimda looks for these holes. If they are present it uses them to install itself on the machines in question. Web servers are attacked using a wide variety of previously known and patched holes. If Nimda detects the presence of file shares on a remote machine and it has access rights it will infect the machine through those shared files.
- Melissa is a computer virus launched when a user opens an infected Microsoft Word 8 or Word 9 document contained in Microsoft's Office suite of software products.
- the virus prompts Microsoft's Outlook e-mail program to send an infected document to addresses in a victim's Microsoft Outlook address book.
- the e-mail can appear to be from a boss, co-worker, or friend.
- the virus can infiltrate the default Word document template “Normal.dot” and send the virus to anyone receiving their Word documents.
- the virus also attacks the registry for Word and changes security settings that prevent the Word macro warning from appearing.
- the original virus is sent via e-mail with the subject line “Important Message From . . . ” and then automatically fills in the user's name.
- the text inside the message reads “Here is the document that you asked for. Don't show anyone else ;-).”
- the message includes an attached document of pornographic Web sites called “list-.doc.”
- One method of detection is to compare known virus signatures to targeted files to determine whether the targeted files include a virus signature and, thus, the corresponding virus.
- the comparison data used for virus detection might include a set of such known virus signatures and, possibly, additional data for virus detection.
- the comparison data is maintained in a computer storage medium for access and use in the detection of viruses.
- the comparison data might be stored on the computer's hard disk.
- comparison data updates are provided to detect new or different forms of viruses.
- the comparison data updates are typically provided on some source storage medium for transfer to the storage medium used to maintain the comparison data. For example, an update might be provided on a floppy disk so that a personal computer user can transfer the comparison data update from the floppy disk to the computer hard disk to complete the update.
- the comparison data is essentially discrete and static. That is, all of the information used for the detection of viruses generally remains constant unless it is updated or altered by the user or other relevant party or action. This can be problematic because the quality of information used to detect viruses is reliant upon some form of comparison data maintenance.
- Another problem with updatable comparison data is that the comparison data can quickly lose its efficacy due to the existence of new and different viruses. Thus, while a periodic update might seem effective, there is no telling how many new and different viruses could be produced in the interim.
- Still another problem with comparison data updates is that a transfer of an entire replacement set of data, or at least a transfer of all the new virus detection data, is typically undertaken in order to complete the update.
- a significant amount of data must be transferred for the update. More specifically, if a user updates her virus detection information using, for example, an update provided on a floppy disk, at least all of the new virus detection information is transferred from the floppy disk to the appropriate medium.
- the problems of updatable comparison data remain. Specifically, the user, administrator, or other relevant party is still typically responsible for accessing and updating the comparison data, the comparison data can quickly and unpredictably lose its efficacy, and a significant amount of data must be transferred from the source to the storage medium used for the comparison data. Indeed, the amount of data to be transferred may be more problematic where internet resources are the source of the comparison data update since a significant amount of computational resources would be used to complete the update.
- virus scans can be overinclusive in that the scanning for viruses that could not possibly reside at the computer, and can be underinclusive if an exhaustive scan for the types of viruses likely to reside at the computer, based upon the conditions presented at the computer, is not undertaken.
- a user or other relevant party typically must configure the scan. This can be problematic because of reliance upon party input. Additionally, the conditions pertaining to a particular computer and the requisite type of scanning can change.
- the global nature of the Internet means that one virus email can create a large amount of network traffic that jams the server that the user connects to as well as the Internet. Such virus can be destructive and can cause lost business due to computer downtime.
- a method for avoiding electronic mail (email) attacks on a computer includes downloading one or more email s in virtual-copy format to prevent the one or more emails from executing; determining whether an infected email is in the downloaded one or more emails; and disposing of the infected email.
- Implementations of the above aspect may include one or more of the following.
- the method allows non-infected emails to be accessed.
- the method includes downloading non-infected emails to an email software such as Microsoft Outlook.
- the method includes parsing the downloaded virtual-copy format emails to determine whether the emails are secure. Potentially infected emails are determined based on one or more of the following: an email from field, an email to field, and an email subject field.
- the method includes applying a security policy that specifies characteristics of potentially infected emails.
- the method includes removing one or more potentially infected emails based on the security policy.
- the system can display a summary for each email.
- a system for avoiding electronic mail (email) attacks on a computer includes means for downloading one or more emails in virtual-copy format to prevent the one or more emails from executing; means for determining whether an infected email is in the downloaded one or more emails; and means for disposing of the infected email.
- the system uses a proactive approach to capture information from a copy of a user's emails.
- a Smart-Diagnosis engine analyzes the emails and indicates potentially infected email(s) for the user. Then user can manually remove those email and kill the viruses before they infect the user's computer.
- the system allows the user to subscribe to a predetermined security policy.
- the system allows the user to view emails before they come into user system.
- a smart user interface is provided to indicate potentially-infected emails.
- the user interface shows email attachment full file name, email size.
- the user interface also provides a history log file view. The user can review a historical email log file and can delete the email log file view as well as review the deleted email log file. Further, the user can schedule the system to run and perform Smart-Diagnosis.
- the system co-exists with any other email application such as Microsoft Outlook.
- the user can screen emails, can remove email, and read emails in a secure manner.
- the user can use his or her favorite email application to safely read emails and associated attachments. Since the virus or worm does not get through, the virus or worm cannot propagate itself by accessing the user's address book in Outlook and sending copies of itself to each entry in the address book.
- the system allows a user to relate all of the steps in avoiding virus infections and to save all of the information regarding each of the various steps in one convenient and easily accessible location.
- the system is also efficient and low in operating cost. It also is highly responsive to user demands.
- FIG. 1 shows an exemplary process that alerts users to potentially dangerous emails before they download the emails into their email software.
- FIG. 2 shows an exemplary process to detect and delete emails potentially infected with a virus or a worm.
- FIG. 3 shows the system of FIGS. 1-2 in a network.
- FIGS. 4-5 show various exemplary user interfaces for the anti-virus system of FIG. 1 .
- an exemplary process 10 alerts users to potentially dangerous emails before they download the emails into their email software.
- the user previews his or her emails (step 12 ).
- the process 10 applies one or more rules to identify potentially dangerous emails and highlights them for the user to decide (step 14 ).
- the user can keep the email or delete the email (step 16 ).
- the user can download the emails to his or her email software.
- the purpose of the process 10 is not to detect or repair specific viruses, but to alert users to the fact that they are opening emails that could contain viruses or worms and to allow uses to delete questionable emails.
- an exemplary process 200 to detect and delete emails potentially infected with a virus or a worm is popular because it is a quick, convenient, and easy way to exchange information and communicate with others. E-mail offers numerous advantages over other forms of communication. For example, e-mail is less intrusive than a telephone call because the recipient of an e-mail message may wait until a convenient time to retrieve and respond to the message rather than being immediately interrupted. Another advantage of e-mail is the ability to communicate with large groups of people by sending a single e-mail message to multiple recipients. Still another advantage of e-mail is the ability of attaching documents in electronic format to an e-mail message. Viruses and worms typically disguise themselves in the form of executables or programmable macros embedded in the emails.
- the process 200 allows a user to preview incoming emails and enables the user to delete potentially dangerous emails.
- the process 200 can be run automatically (step 202 ) or can run upon command.
- the process 200 determines whether the user has set-up one or more email accounts (step 204 ). If no, the user is prompted to set-up one or more email accounts and these accounts can be tested to ensure that they are properly set up (step 206 ).
- the email accounts are specified by providing the user's email address and the transmit/receive addresses for a mail server maintained by the user's Internet Service Provider (ISP).
- ISP Internet Service Provider
- the process 200 retrieves (downloads) emails from the mail server in a virtual-copy format (step 210 ).
- the virtual-copy format allows the downloaded content to be safely analyzed in that virtual-copy format data cannot be executed.
- each email is parsed (step 212 ).
- the process 200 then checks whether the user has subscribed to a security policy that specifies whether the user wants the process 200 to automatically remove emails fitting specific criteria indicative of a virus or a worm embedded therein (step 214 ). If no security policy has been specified, the process 200 diagnoses emails attachment for other hints of viruses or worms based on the attachment type and the emails' fields such as the From field, the To field, and the Subject field, among others (step 216 ).
- the process 200 removes email(s) with potentially infected viruses or worms (step 220 ) and records the removal into a log (step 222 ).
- the process 200 displays brief information for each email and highlights potential emails that contain worms or viruses (step 224 ).
- the user can select one or more emails and execute a Delete operation (step 226 ).
- the process 200 accesses the user's mail server and removes the selected emails stored in the user's account at the mail server hosted by the user's ISP (step 228 ).
- the process 200 launches the user's default email software to retrieve the safe emails (step 230 ).
- a Smart-Diagnosis engine analyzes the emails and indicates potentially infected email(s) for the user.
- the engine can be an “expert system” or an intelligent computer program that uses knowledge and inference procedures to solve problems such as virus detection.
- An expert system includes a knowledge base of domain facts and heuristics associated with the problem.
- the facts constitute a body of information that is widely shared, publicly available, and generally agreed upon by experts in a field.
- the “heuristics” are mostly private, little-discussed rules and strategies of good judgment, plausible reasoning, and good guessing that characterize expert-level decision-making and drastically limit search in large problem spaces. This knowledge is used by the system in reasoning about the problem.
- the expert system also includes a control structure for symbolically processing and utilizing the information stored in the knowledge base to solve the problem.
- This control structure is also commonly referred to as the inference engine.
- a global data base serves as a working memory to keep track of the problem status, input data, and relevant facts and history of the solution progression in detecting and removing harmful viruses and worms.
- the system also includes an explanation systems to allow the user to challenge and examine the reasoning process underlying the system's answers. This includes a user friendly interface to facilitate user interaction with the system.
- the expert system also includes a knowledge acquisition system to facilitate the addition of new knowledge on viruses and worms into the system. Knowledge acquisition is an ongoing process, thus the knowledge must evolve over time through several iterations of trial and error. This interactive transfer of expertise from a human expert to the expert system is required in order to achieve an operationally acceptable level of performance.
- the Smart Diagnosis engine can also be a neural network, a fuzzy logic or a statistical based learning system.
- the email software is Microsoft's Outlook software, published by Microsoft Corporation of Redmond, Wash.
- the Outlook client application is divided into several modules, including a calendar manager, a task list manager, a contact manager, a message manager (e-mail), and a notes manager.
- All folders contain objects, or items such as e-mail items, appointment items, task items, address items, etc. Items have a set of fields and a behavior associated with them. For example, an e-mail item has To, From, CC, Subject, date and time fields among others. The behavior of e-mail items includes knowledge of what it means to Forward or Reply/Reply All. A user stores information in the form of items. Items, in turn, reside in folders.
- a message is a collection of properties. Items are composed of fields. For example, the “subject” in an e-mail note would be a field called “subject” in the e-mail item.
- every item is initially created from a template.
- a template is the “mold” from which new items are made and as such describes the fields and the item—the data types, default values, formatting rules, etc. For example, there would be a default template for each kind of item listed above: appointments, to-do items, notes, e-mail messages, among others.
- the reader may refer to the documentation that is distributed with the Outlook program.
- Pseudo-code for the process 200 is shown below:
- Step 1.0 IF user Pop3 mail server information is available THEN Run main application ELSE Run “Setup E-mail account and testing” property page IF user fill in Pop3 mail server address, usemame and password THEN Recommend user press “test” button to test POP3 E-mail account and if so: Issue win socket command Interpret receiving raw data from POP3 mail server Send back user information and password Check receiving data IF no error found THEN Finish test and show message to user Close win socket ELSE Display error message and remind user try again END IF ELSE Warn user to complete test, otherwise emails may not be retrieved IF user's pop3 information not available THEN Disable certain functions to protect itself END IF END IF END IF STEP 1.1 IF user subscribe automatic check in certain interval time THEN Use user's POP3 information and run whole process, Include automatic Retrieve user's email Parse E-mail Diagnoses email component, such as To, From, Subject, Attachment, Mail body Check user subscribe security policy Display all the email data with intelligent format to
- FIG. 3 shows an environment for electronically generating documents, including legal documents.
- a server 100 is connected to a network 102 such as the Internet.
- One or more client workstations 104 - 106 are also connected to the network 102 .
- the client workstations 104 - 106 can be personal computers, thin clients, or workstations running browsers such as Netscape or Internet Explorer. With the browser, a client or user can access the server 100 's Web site by clicking in the browser's Address box, and typing the address (for example, www.mailrancher.com), then press Enter. When the page has finished loading, the status bar at the bottom of the window is updated.
- the browser also provides various buttons that allow the client or user to traverse the Internet or to perform other browsing functions.
- An Internet community 110 with one or more service providers, manufacturers, or marketers is connected to the network 102 and can communicate directly with users of the client workstations 104 - 106 or indirectly through the server 100 .
- the Internet community 110 provides the client workstations 104 - 106 with access to a network of anti-virus specialists.
- members of the Internet community 110 can include consultants who can help the user in recovering from an infection.
- the server 100 can be an individual server, the server 100 can also be a cluster of redundant servers. Such a cluster can provide automatic data failover, protecting against both hardware and software faults.
- a plurality of servers provides resources independent of each other until one of the servers fails. Each server can continuously monitor other servers. When one of the servers is unable to respond, the failover process begins. The surviving server acquires the shared drives and volumes of the failed server and mounts the volumes contained on the shared drives. Applications that use the shared drives can also be started on the surviving server after the failover. As soon as the failed server is booted up and the communication between servers indicates that the server is ready to own its shared drives, the servers automatically start the recovery process. Additionally, a cluster of servers or server farm can be used. Network requests and server load conditions can be tracked in real time by the server farm controller, and the request can be distributed across the farm of servers to optimize responsiveness and system capacity. When necessary, the farm can automatically and transparently place additional server capacity in service as traffic load increases.
- the server 100 can also be protected by a firewall.
- the firewall receives a network packet from the network 102 , it determines whether the transmission is authorized. If so, the firewall examines the header within the packet to determine what encryption algorithm was used to encrypt the packet. Using this algorithm and a secret key, the firewall decrypts the data and addresses of the source and destination firewalls and sends the data to the server 100 . If both the source and destination are firewalls, the only addresses visible (i.e., unencrypted) on the network are those of the firewall. The addresses of computers on the internal networks, and, hence, the internal network topology, are hidden. This is called “virtual private networking” (VPN).
- VPN virtual private networking
- the server 100 supports a document generating portal that provides a single point of integration, access, and navigation through the multiple enterprise systems and information sources facing knowledge users operating the client workstations 104 - 106 .
- the portal can additionally support services that are transaction driven. Once such service is advertising: each time the user accesses the portal, the client workstation 104 or 106 downloads information from the server 100 .
- the information can contain commercial messages/links or can contain downloadable software. Based on data collected on users, advertisers may selectively broadcast messages to users. Messages can be sent through banner advertisements, which are images displayed in a window of the portal. A user can click on the image and be routed to an advertiser's Website.
- Advertisers pay for the number of advertisements displayed, the number of times users click on advertisements, or based on other criteria.
- the portal supports sponsorship programs, which involve providing an advertiser the right to be displayed on the face of the port or on a drop down menu for a specified period of time, usually one year or less.
- the portal also supports performance-based arrangements whose payments are dependent on the success of an advertising campaign, which may be measured by the number of times users visit a Web-site, purchase products or register for services.
- the portal can refer users to advertisers' Websites when they log on to the portal.
- the portal offers contents and forums providing focused articles, valuable insights, questions and answers, and value-added information about anti-virus operations.
- Other services can be supported as well.
- a user can rent space on the server to enable him/her to download application software (applets) and/or data—anytime and anywhere.
- application software apps
- data anytime and anywhere.
- the user minimizes the memory required on the client workstation 104 - 106 , thus enabling complex operations to run on minimal computers such as handheld computers and yet still ensures that he/she can access the application and related information anywhere anytime.
- Another service is On-line Software Distribution/Rental Service.
- the portal can distribute its software and other software companies from its server. Additionally, the portal can rent the software so that the user pays only for the actual usage of the software. After each use, the application is erased and will be reloaded when next needed, after paying another transaction usage fee.
- FIG. 4 shows an exemplary user interface displaying the status of a mail receiving process.
- twelve emails have been received and stored in the user's incoming mail server.
- the exemplary interface shows that the user's email account has successfully logged-in and the emails are downloaded in a last-in-first-out order.
- the emails are downloaded in their virtual-copy format data so that they cannot self-executed.
- the user previews the received emails and deletes suspicious emails before the emails are actually downloaded into an email software such as Outlook.
- FIG. 5 shows an exemplary user interface for an exemplary email preview operation.
- the twelve emails have been downloaded.
- a clip is shown for each email with an attachment.
- a warning flag is generated for each suspicious email for the user to decide whether that particular email should be deleted beforehand.
- a checkbox exists for each email so that the user can check off each email that needs to be deleted.
- an email number ID, the email address of the sender, and email address(es) for all recipients are shown.
- the sender and recipient information can be helpful in that the user can determine whether the source is suspect.
- the sender is familiar to the user (such as in the case of a virus that accessed the prior victim's address book)
- the list of recipient can be helpful. For example, a long list of recipients can signify a virus attack. Based on the information provided in the user interface, the user can effectively manage his or her emails to minimize if not avoid virus infections.
Abstract
Description
Step 1.0 |
IF user Pop3 mail server information is available THEN |
Run main application |
ELSE |
Run “Setup E-mail account and testing” property page |
IF user fill in Pop3 mail server address, usemame and password THEN |
Recommend user press “test” button to test POP3 E-mail account |
and if so: |
Issue win socket command |
Interpret receiving raw data from POP3 mail server |
Send back user information and password |
Check receiving data |
IF no error found THEN |
Finish test and show message to user |
Close win socket |
ELSE |
Display error message and remind user try again |
END IF |
ELSE |
Warn user to complete test, otherwise emails may not be retrieved |
IF user's pop3 information not available THEN |
Disable certain functions to protect itself |
END IF |
END IF |
END IF |
STEP 1.1 |
IF user subscribe automatic check in certain interval time THEN |
Use user's POP3 information and run whole process, |
Include automatic |
Retrieve user's email |
Parse E-mail |
Diagnoses email component, such as To, From, Subject, |
Attachment, Mail body |
Check user subscribe security policy |
Display all the email data with intelligent format to help |
user do the final scan |
Repeat step 2, 3 and 4 |
END IF |
STEP 2 |
IF user finish test POP3 email account THEN |
Retrieve email by POP3 protocol in raw format |
Save incoming received data to file stream and temporary store in |
user machine |
Store all the email data in virtual-copy format for safe accounting |
in |
“Diagnoses” |
END IF |
STEP 3 |
IF retrieve email successful THEN |
Parse E-mail virtual-copy format data |
Exact E-mail header like To, From, Subject, Cc, Bcc, Attachment |
and Body text |
Diagnose To, From and Subject data to detect virus pattern or |
behave |
Diagnose Attachment file to detect any potential auto run pattem |
or behave |
IF user subscribe security policy THEN |
Execute security check and automatic “Remove” those campaign email |
which fit in check condition |
Write the log file for user reference |
END IF |
END IF |
STEP 4 |
IF no error from parse email THEN |
According parse result, display different level of warning such as |
virus icon, attachment icon and red background color to indicate |
suspicious emails |
END IF |
STEP 5 |
User can |
a. Remove suspicious email |
b. Remove junk email as well |
c. Remove unknown “From” email |
d. Remove mail which its To or Cc contain email address and similar name |
email address |
e. Capture email information to log |
STEP |
6 |
User can launch Outlook or other email application to read, send and |
manage their |
|
Property page |
1 |
User can setup their POP3 account and test their email account here. |
|
User can subscribe security policy here, |
Include |
Mail address filter function - domain name check in “From” field |
Text filter function - filter specific text show up in To, From, Subject |
or E-mail |
Body text |
IF user select “automatic” remove THEN |
Each time email retrieval is done, a security policy operation is executed |
to remove candidate “dangerous” emails from user email account in ISP |
POP3 server. |
END |
Property page |
3 |
User can setup schedule to run automatically |
|
User can setup log file recording option. |
Option 1 - automatic capture email information to log file after |
execute retrieve |
email operation |
Option 2 - user clicks toolbar button to capture email information |
Claims (33)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/672,978 USRE45326E1 (en) | 2001-10-05 | 2012-11-09 | Systems and methods for securing computers |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/972,596 US20030097409A1 (en) | 2001-10-05 | 2001-10-05 | Systems and methods for securing computers |
US11/964,636 US7831672B2 (en) | 2001-10-05 | 2007-12-26 | Systems and methods for securing computers |
US13/672,978 USRE45326E1 (en) | 2001-10-05 | 2012-11-09 | Systems and methods for securing computers |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/964,636 Reissue US7831672B2 (en) | 2001-10-05 | 2007-12-26 | Systems and methods for securing computers |
Publications (1)
Publication Number | Publication Date |
---|---|
USRE45326E1 true USRE45326E1 (en) | 2015-01-06 |
Family
ID=25519862
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/972,596 Abandoned US20030097409A1 (en) | 2001-10-05 | 2001-10-05 | Systems and methods for securing computers |
US11/964,636 Expired - Lifetime US7831672B2 (en) | 2001-10-05 | 2007-12-26 | Systems and methods for securing computers |
US13/672,978 Expired - Fee Related USRE45326E1 (en) | 2001-10-05 | 2012-11-09 | Systems and methods for securing computers |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/972,596 Abandoned US20030097409A1 (en) | 2001-10-05 | 2001-10-05 | Systems and methods for securing computers |
US11/964,636 Expired - Lifetime US7831672B2 (en) | 2001-10-05 | 2007-12-26 | Systems and methods for securing computers |
Country Status (1)
Country | Link |
---|---|
US (3) | US20030097409A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10552624B2 (en) | 2016-06-24 | 2020-02-04 | Xattic, Inc. | Methods and a system for inoculating inter-device communication |
Families Citing this family (69)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6714967B1 (en) * | 1999-07-30 | 2004-03-30 | Microsoft Corporation | Integration of a computer-based message priority system with mobile electronic devices |
US7657935B2 (en) * | 2001-08-16 | 2010-02-02 | The Trustees Of Columbia University In The City Of New York | System and methods for detecting malicious email transmission |
US20030079142A1 (en) * | 2001-10-22 | 2003-04-24 | Aladdin Knowledge Systems Ltd. | Classifying digital object security category |
JP3693244B2 (en) * | 2001-10-31 | 2005-09-07 | 株式会社日立製作所 | E-mail system, mail server and mail terminal |
US7155608B1 (en) * | 2001-12-05 | 2006-12-26 | Bellsouth Intellectual Property Corp. | Foreign network SPAM blocker |
US9652613B1 (en) | 2002-01-17 | 2017-05-16 | Trustwave Holdings, Inc. | Virus detection by executing electronic message code in a virtual machine |
US20030195933A1 (en) * | 2002-04-10 | 2003-10-16 | Curren Thomas Charles | Web filter screen |
US20040117450A1 (en) * | 2002-12-13 | 2004-06-17 | Campbell David T. | Gateway email concentrator |
US7900254B1 (en) * | 2003-01-24 | 2011-03-01 | Mcafee, Inc. | Identifying malware infected reply messages |
US7644008B1 (en) | 2003-08-15 | 2010-01-05 | Sprint Communications Company L.P. | Web-based system and method for user role assignment in an enterprise |
US8200761B1 (en) * | 2003-09-18 | 2012-06-12 | Apple Inc. | Method and apparatus for improving security in a data processing system |
JP2005108099A (en) * | 2003-10-01 | 2005-04-21 | Hitachi Ltd | Information security policy evaluation system and its control method |
US20050081057A1 (en) * | 2003-10-10 | 2005-04-14 | Oded Cohen | Method and system for preventing exploiting an email message |
US7610341B2 (en) * | 2003-10-14 | 2009-10-27 | At&T Intellectual Property I, L.P. | Filtered email differentiation |
US7664812B2 (en) * | 2003-10-14 | 2010-02-16 | At&T Intellectual Property I, L.P. | Phonetic filtering of undesired email messages |
US7930351B2 (en) * | 2003-10-14 | 2011-04-19 | At&T Intellectual Property I, L.P. | Identifying undesired email messages having attachments |
US7467409B2 (en) * | 2003-12-12 | 2008-12-16 | Microsoft Corporation | Aggregating trust services for file transfer clients |
US7457823B2 (en) | 2004-05-02 | 2008-11-25 | Markmonitor Inc. | Methods and systems for analyzing data related to possible online fraud |
US7870608B2 (en) * | 2004-05-02 | 2011-01-11 | Markmonitor, Inc. | Early detection and monitoring of online fraud |
US7913302B2 (en) * | 2004-05-02 | 2011-03-22 | Markmonitor, Inc. | Advanced responses to online fraud |
US8769671B2 (en) * | 2004-05-02 | 2014-07-01 | Markmonitor Inc. | Online fraud solution |
US20070107053A1 (en) * | 2004-05-02 | 2007-05-10 | Markmonitor, Inc. | Enhanced responses to online fraud |
US7992204B2 (en) | 2004-05-02 | 2011-08-02 | Markmonitor, Inc. | Enhanced responses to online fraud |
US8041769B2 (en) * | 2004-05-02 | 2011-10-18 | Markmonitor Inc. | Generating phish messages |
US9203648B2 (en) * | 2004-05-02 | 2015-12-01 | Thomson Reuters Global Resources | Online fraud solution |
WO2005114539A2 (en) * | 2004-05-20 | 2005-12-01 | Computer Associates Think, Inc. | Systems and methods for excluding user specified applications |
US8707251B2 (en) * | 2004-06-07 | 2014-04-22 | International Business Machines Corporation | Buffered viewing of electronic documents |
US20060047756A1 (en) * | 2004-06-16 | 2006-03-02 | Jussi Piispanen | Method and apparatus for indicating truncated email information in email synchronization |
US7685639B1 (en) * | 2004-06-29 | 2010-03-23 | Symantec Corporation | Using inserted e-mail headers to enforce a security policy |
WO2006107883A2 (en) * | 2005-04-01 | 2006-10-12 | Arroyo Video Solutions, Inc. | Stream control failover |
US20060224677A1 (en) * | 2005-04-01 | 2006-10-05 | Baytsp | Method and apparatus for detecting email fraud |
US8060860B2 (en) * | 2005-04-22 | 2011-11-15 | Apple Inc. | Security methods and systems |
US20070028301A1 (en) * | 2005-07-01 | 2007-02-01 | Markmonitor Inc. | Enhanced fraud monitoring systems |
US20070016951A1 (en) * | 2005-07-13 | 2007-01-18 | Piccard Paul L | Systems and methods for identifying sources of malware |
US20070118759A1 (en) * | 2005-10-07 | 2007-05-24 | Sheppard Scott K | Undesirable email determination |
US8321381B2 (en) * | 2005-12-19 | 2012-11-27 | Oracle International Corporation | Facilitating a sender of email communications to specify policies with which the email communication are to be managed as a record |
US20090133124A1 (en) * | 2006-02-15 | 2009-05-21 | Jie Bai | A method for detecting the operation behavior of the program and a method for detecting and clearing the virus program |
US8370649B2 (en) * | 2006-03-31 | 2013-02-05 | Cisco Technology, Inc. | Stream control failover utilizing an attribute-dependent protection mechanism |
US20070294396A1 (en) * | 2006-06-15 | 2007-12-20 | Krzaczynski Eryk W | Method and system for researching pestware spread through electronic messages |
US8028335B2 (en) * | 2006-06-19 | 2011-09-27 | Microsoft Corporation | Protected environments for protecting users against undesirable activities |
US8190868B2 (en) | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection |
US8583731B1 (en) * | 2006-11-17 | 2013-11-12 | Open Invention Network Llc | System and method for analyzing and filtering journaled electronic mail |
US8467527B2 (en) | 2008-12-03 | 2013-06-18 | Intel Corporation | Efficient key derivation for end-to-end network security with traffic visibility |
US8402529B1 (en) | 2007-05-30 | 2013-03-19 | M86 Security, Inc. | Preventing propagation of malicious software during execution in a virtual machine |
US20090182818A1 (en) * | 2008-01-11 | 2009-07-16 | Fortinet, Inc. A Delaware Corporation | Heuristic detection of probable misspelled addresses in electronic communications |
CN101999126A (en) * | 2008-04-10 | 2011-03-30 | 日本电气株式会社 | Information processing device, lock control method, and lock control program |
US20090276728A1 (en) * | 2008-05-02 | 2009-11-05 | Doan Christopher H | Arrangements for Managing Assistance Requests for Computer Services |
US20090282113A1 (en) * | 2008-05-06 | 2009-11-12 | Steven Blakeman | Apparatus and method for providing a photocopier with e-mail capability |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US8443447B1 (en) * | 2009-08-06 | 2013-05-14 | Trend Micro Incorporated | Apparatus and method for detecting malware-infected electronic mail |
US9529689B2 (en) * | 2009-11-30 | 2016-12-27 | Red Hat, Inc. | Monitoring cloud computing environments |
US20110208840A1 (en) * | 2010-02-22 | 2011-08-25 | Lee Blackman | Cookie alert |
US20110225649A1 (en) * | 2010-03-11 | 2011-09-15 | International Business Machines Corporation | Protecting Computer Systems From Malicious Software |
US8826437B2 (en) * | 2010-12-14 | 2014-09-02 | General Electric Company | Intelligent system and method for mitigating cyber attacks in critical systems through controlling latency of messages in a communications network |
US9749211B2 (en) * | 2011-02-15 | 2017-08-29 | Entit Software Llc | Detecting network-application service failures |
JP5857637B2 (en) * | 2011-11-04 | 2016-02-10 | サンケン電気株式会社 | Information processing program and information processing method |
US20130333047A1 (en) * | 2012-06-07 | 2013-12-12 | Hal William Gibson | Electronic communication security systems |
US9176838B2 (en) * | 2012-10-19 | 2015-11-03 | Intel Corporation | Encrypted data inspection in a network environment |
US9356948B2 (en) * | 2013-02-08 | 2016-05-31 | PhishMe, Inc. | Collaborative phishing attack detection |
US9398014B2 (en) * | 2014-04-04 | 2016-07-19 | International Business Machines Corporation | Validation of a location resource based on recipient access |
US9722958B2 (en) * | 2014-07-18 | 2017-08-01 | International Business Machines Corporation | Recommendation of a location resource based on recipient access |
CN105991395B (en) * | 2015-01-30 | 2019-04-09 | 杭州迪普科技股份有限公司 | Attachment replacement method and device |
US9912687B1 (en) * | 2016-08-17 | 2018-03-06 | Wombat Security Technologies, Inc. | Advanced processing of electronic messages with attachments in a cybersecurity system |
CN107171950A (en) * | 2017-07-20 | 2017-09-15 | 国网上海市电力公司 | A kind of Email Body threatens the recognition methods of behavior |
US10693891B2 (en) | 2017-12-06 | 2020-06-23 | Chicago Mercantile Exchange Inc. | Electronic mail security system |
EP3759630A4 (en) * | 2018-03-02 | 2021-11-24 | Blocksafe Technologies, Inc. | Systems and methods for controlling access to a blockchain |
US11038916B1 (en) * | 2019-01-16 | 2021-06-15 | Trend Micro, Inc. | On-demand scanning of e-mail attachments |
US11392691B1 (en) * | 2019-07-25 | 2022-07-19 | Desmond Wilfred Wright | System and method of securing e-mail against phishing and ransomware attack |
US11949641B2 (en) * | 2022-01-11 | 2024-04-02 | Cloudflare, Inc. | Verification of selected inbound electronic mail messages |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5623600A (en) * | 1995-09-26 | 1997-04-22 | Trend Micro, Incorporated | Virus detection and removal apparatus for computer networks |
KR20010105618A (en) | 2000-05-16 | 2001-11-29 | 정우협 | Email preview |
AU6562101A (en) | 2000-09-01 | 2002-03-07 | Giouris, Chris | An electronic mail module |
US20030065941A1 (en) * | 2001-09-05 | 2003-04-03 | Ballard Clinton L. | Message handling with format translation and key management |
US6701440B1 (en) * | 2000-01-06 | 2004-03-02 | Networks Associates Technology, Inc. | Method and system for protecting a computer using a remote e-mail scanning device |
US20040054498A1 (en) * | 2000-07-07 | 2004-03-18 | Alexander Shipp | Method of and system for, processing email |
US6785732B1 (en) * | 2000-09-11 | 2004-08-31 | International Business Machines Corporation | Web server apparatus and method for virus checking |
US20050081059A1 (en) * | 1997-07-24 | 2005-04-14 | Bandini Jean-Christophe Denis | Method and system for e-mail filtering |
US20050086499A1 (en) * | 2001-05-22 | 2005-04-21 | Hoefelmeyer Ralph S. | System and method for malicious code detection |
US7072942B1 (en) * | 2000-02-04 | 2006-07-04 | Microsoft Corporation | Email filtering methods and systems |
US7080407B1 (en) * | 2000-06-27 | 2006-07-18 | Cisco Technology, Inc. | Virus detection and removal system and method for network-based systems |
US20100169970A1 (en) * | 2001-08-16 | 2010-07-01 | Stolfo Salvatore J | System and methods for detecting malicious email transmission |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3723206B2 (en) * | 1993-03-19 | 2005-12-07 | バクスイン・エス・アー | A therapeutic composition for use in humans, characterized by combining muramyl peptide and cytokine |
US5923848A (en) * | 1996-05-31 | 1999-07-13 | Microsoft Corporation | System and method for resolving names in an electronic messaging environment |
US5832208A (en) * | 1996-09-05 | 1998-11-03 | Cheyenne Software International Sales Corp. | Anti-virus agent for use with databases and mail servers |
US6377978B1 (en) * | 1996-09-13 | 2002-04-23 | Planetweb, Inc. | Dynamic downloading of hypertext electronic mail messages |
US5960170A (en) * | 1997-03-18 | 1999-09-28 | Trend Micro, Inc. | Event triggered iterative virus detection |
US6088803A (en) * | 1997-12-30 | 2000-07-11 | Intel Corporation | System for virus-checking network data during download to a client device |
US6763462B1 (en) * | 1999-10-05 | 2004-07-13 | Micron Technology, Inc. | E-mail virus detection utility |
-
2001
- 2001-10-05 US US09/972,596 patent/US20030097409A1/en not_active Abandoned
-
2007
- 2007-12-26 US US11/964,636 patent/US7831672B2/en not_active Expired - Lifetime
-
2012
- 2012-11-09 US US13/672,978 patent/USRE45326E1/en not_active Expired - Fee Related
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5623600A (en) * | 1995-09-26 | 1997-04-22 | Trend Micro, Incorporated | Virus detection and removal apparatus for computer networks |
US20050081059A1 (en) * | 1997-07-24 | 2005-04-14 | Bandini Jean-Christophe Denis | Method and system for e-mail filtering |
US6701440B1 (en) * | 2000-01-06 | 2004-03-02 | Networks Associates Technology, Inc. | Method and system for protecting a computer using a remote e-mail scanning device |
US7072942B1 (en) * | 2000-02-04 | 2006-07-04 | Microsoft Corporation | Email filtering methods and systems |
KR20010105618A (en) | 2000-05-16 | 2001-11-29 | 정우협 | Email preview |
US7080407B1 (en) * | 2000-06-27 | 2006-07-18 | Cisco Technology, Inc. | Virus detection and removal system and method for network-based systems |
US7877807B2 (en) * | 2000-07-07 | 2011-01-25 | Symantec Corporation | Method of and system for, processing email |
US20040054498A1 (en) * | 2000-07-07 | 2004-03-18 | Alexander Shipp | Method of and system for, processing email |
AU6562101A (en) | 2000-09-01 | 2002-03-07 | Giouris, Chris | An electronic mail module |
US6785732B1 (en) * | 2000-09-11 | 2004-08-31 | International Business Machines Corporation | Web server apparatus and method for virus checking |
US20050086499A1 (en) * | 2001-05-22 | 2005-04-21 | Hoefelmeyer Ralph S. | System and method for malicious code detection |
US20100169970A1 (en) * | 2001-08-16 | 2010-07-01 | Stolfo Salvatore J | System and methods for detecting malicious email transmission |
US20030065941A1 (en) * | 2001-09-05 | 2003-04-03 | Ballard Clinton L. | Message handling with format translation and key management |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10552624B2 (en) | 2016-06-24 | 2020-02-04 | Xattic, Inc. | Methods and a system for inoculating inter-device communication |
Also Published As
Publication number | Publication date |
---|---|
US20030097409A1 (en) | 2003-05-22 |
US7831672B2 (en) | 2010-11-09 |
US20090013374A1 (en) | 2009-01-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
USRE45326E1 (en) | Systems and methods for securing computers | |
US11461466B2 (en) | System and method for providing network security to mobile devices | |
US10757120B1 (en) | Malicious network content detection | |
US9998471B2 (en) | Highly accurate security and filtering software | |
US6901519B1 (en) | E-mail virus protection system and method | |
US9325738B2 (en) | Methods and apparatus for blocking unwanted software downloads | |
EP2036246B1 (en) | Systems and methods for identifying potentially malicious messages | |
US8627466B2 (en) | Alert message control of security mechanisms in data processing systems | |
KR101497742B1 (en) | System and method for authentication, data transfer, and protection against phising | |
US7302706B1 (en) | Network-based file scanning and solution delivery in real time | |
EP2410452A2 (en) | Protection against malware on web resources | |
US20160036849A1 (en) | Method, Apparatus and System for Detecting and Disabling Computer Disruptive Technologies | |
US20080086638A1 (en) | Browser reputation indicators with two-way authentication | |
US20100235918A1 (en) | Method and Apparatus for Phishing and Leeching Vulnerability Detection | |
US20040088565A1 (en) | Method of identifying software vulnerabilities on a computer system | |
US20030018903A1 (en) | Method of containing spread of computer viruses | |
Kienzle et al. | Security patterns repository version 1.0 | |
EP1899822A2 (en) | Enhanced fraud monitoring systems | |
US11582205B2 (en) | System for sending e-mail and/or files securely | |
US20090064325A1 (en) | Phishing notification service | |
Levy et al. | Criminals Become Tech Savvy. | |
US20050120230A1 (en) | System for preventing a computer virus accessing email addresses | |
Tally et al. | Anti-phishing: Best practices for institutions and consumers | |
Kannan | A bird's eye view of Cyber Crimes and Free and Open Source Software's to Detoxify Cyber Crime Attacks-an End User Perspective | |
Sullivan | The definitive guide to controlling malware, spyware, phishing, and spam |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: TRAN, BAO, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TSAI, HUNGCHOU;REEL/FRAME:030537/0777 Effective date: 20011005 |
|
AS | Assignment |
Owner name: RESOLUTE FOCUS LIMITED LIABILITY COMPANY, DELAWARE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TRAN, BAO;REEL/FRAME:030547/0183 Effective date: 20120524 |
|
AS | Assignment |
Owner name: XENOGENIC DEVELOPMENT LIMITED LIABILITY COMPANY, D Free format text: MERGER;ASSIGNOR:RESOLUTE FOCUS LIMITED LIABILITY COMPANY;REEL/FRAME:037383/0881 Effective date: 20150826 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552) Year of fee payment: 8 |
|
AS | Assignment |
Owner name: INTELLECTUAL VENTURES ASSETS 170 LLC, DELAWARE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:XENOGENIC DEVELOPMENT LIMITED LIABILITY;REEL/FRAME:057274/0293 Effective date: 20210809 |
|
AS | Assignment |
Owner name: SERVSTOR TECHNOLOGIES, LLC, GEORGIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTELLECTUAL VENTURES ASSETS 170 LLC;REEL/FRAME:058537/0293 Effective date: 20210825 |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |