INTERNATIONAL SEARCH REPORT

International Application No. PCT/US20??/000409

C. DOCUMENTS CONSIDERED TO BE RELEVANT
Citation of document, with indication, where appropriate, of the relevant passages / Relevant to claim No.

US 5 1?1 3?6 A, 31 March 1992 (1992-03-31): abstract; column 1, line 31 - column 3, line 12; figures 1, 13, 1?

US 5 452 451 A (AKIZAWA MITSURU ET AL), 19 September 1995 (1995-09-19): the whole document

SOPHOS
EXHIBIT 1004 - PAGE 0317

INTERNATIONAL SEARCH REPORT
Information on patent family members

International Application No. PCT/US20??/000409

Patent document cited in search report | Publication date | Patent family member(s) | Publication date
US 6212625 B1 | 03-04-2001 | NONE |
US 632?508 | 04-12-2001 | NONE |
EP 048829? | 03-06-1992 | JP 2966533 B2 | 06-10-1999
| | JP 5205374 A | 2?-0?-1992
| | DE 69131954 D1 | 09-03-200?
| | DE 69131954 T2 | 05-10-200?
| | EP 048829? A2 | 03-06-1992
| | US 5?9??88 A | 05-03-1996
| | JP 3130994 A | 04-06-1991
| | KR 159941 B1 | 01-02-199?
| | US 5?35?85 A | 30-07-1991
US 5 1?1 3?6 A | 31-03-1992 | |
US 5452451 A | 19-09-1995 | JP 2825009 B2 | 18-11-1998
| | JP 3017?50 A | 25-01-1991
| | JP 2880199 B2 | 05-04-1999
| | JP 3131969 A | 05-0?-1991
| | US 5407458 A | 05-03-1996

PATENT ABSTRACTS OF JAPAN

(11) Publication number: 08-263447
(43) Date of publication of application: 11.10.1996
(51) Int. Cl.: G06F 15/16, G06F 9/445, G06F 13/00
(21) Application number: 07-349164
(22) Date of filing: 20.12.1995
(71) Applicant: SUN MICROSYST INC
(72) Inventor: GOSLING JAMES A
(30) Priority: Priority number: 94 359884; Priority date: 20.12.1994; Priority country: US

(57) Abstract:
PROBLEM TO BE SOLVED: To provide a distributed computer system provided with a computer for automatically down-loading the viewer of an object to be referred to and verifying the integrity of a loaded program, and the operation method.
SOLUTION: At the time of loading data (an object) stored in another server or the like through a network and referring to it, the viewer corresponding to the object is automatically searched for, and in the case that the appropriate viewer is found in the other server or the like, verification is performed so as to confirm the integrity before activating the viewer. Especially, importance is placed on the verification relating to the use of the stack and of data types in a program written in a byte code language.

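The stack and data-type verification the abstract refers to, as an added illustration (not code from the patent, from Sun, or from the JVM verifier): a verifier for a small hypothetical bytecode that tracks operand types statically instead of running the program, and refuses to activate a program that would underflow or overflow its stack, mix types, or run off the end. The opcodes, the stack limit and the sample programs are assumptions made for this example.

```python
"""Toy stack/type verifier for a bytecode program, run before the program is
activated. Added example: the instruction set is a hypothetical one chosen
for illustration and is not the JVM's, and this is not Sun's verifier."""
from typing import Dict, List, Optional, Tuple

# opcode -> (types popped, bottom first; types pushed). "any" matches anything.
INSTRUCTIONS: Dict[str, Tuple[Tuple[str, ...], Tuple[str, ...]]] = {
    "iconst": ((), ("int",)),            # push an integer literal
    "sconst": ((), ("str",)),            # push a string literal
    "iadd":   (("int", "int"), ("int",)),
    "concat": (("str", "str"), ("str",)),
    "itos":   (("int",), ("str",)),      # integer -> string
    "strlen": (("str",), ("int",)),
    "pop":    (("any",), ()),
    "ret":    (("any",), ()),            # returns the top value; stack must then be empty
}

MAX_STACK = 4  # operand-stack capacity the loader grants this program


class VerifyError(Exception):
    """Raised with the program counter of the instruction that fails verification."""


def verify(program: List[str], max_stack: int = MAX_STACK) -> List[str]:
    """Simulate the operand stack with types instead of values.

    Returns the final type stack (empty for a well-formed program) or raises
    VerifyError on underflow, overflow, a type mismatch or a missing return.
    """
    stack: List[str] = []
    for pc, line in enumerate(program):
        op = line.split()[0]
        if op not in INSTRUCTIONS:
            raise VerifyError(f"pc={pc}: unknown opcode {op!r}")
        pops, pushes = INSTRUCTIONS[op]
        if len(stack) < len(pops):
            raise VerifyError(f"pc={pc}: {op} underflows the stack "
                              f"(needs {len(pops)}, has {len(stack)})")
        # Compare operand types from the top of the stack downwards.
        for want, have in zip(reversed(pops), reversed(stack)):
            if want != "any" and want != have:
                raise VerifyError(f"pc={pc}: {op} expects {want}, got {have}")
        del stack[len(stack) - len(pops):]
        stack.extend(pushes)
        if len(stack) > max_stack:
            raise VerifyError(f"pc={pc}: {op} stack overflow ({len(stack)} > {max_stack})")
        if op == "ret":
            if stack:
                raise VerifyError(f"pc={pc}: ret leaves {len(stack)} value(s) on the stack")
            return stack
    raise VerifyError("program runs off the end without ret")


def is_safe_to_load(program: List[str]) -> Tuple[bool, Optional[str]]:
    """Loader gate: only a program that verifies may be activated."""
    try:
        verify(program)
        return True, None
    except VerifyError as exc:
        return False, str(exc)


# Constructed sample programs (not from the patent).
GOOD = ["iconst 2", "iconst 3", "iadd", "itos", "sconst x", "concat", "ret"]
TYPE_CONFUSED = ["iconst 2", "sconst x", "iadd", "ret"]   # int + str
UNDERFLOW = ["iadd", "ret"]                                # nothing to add
OVERFLOW = ["iconst 1"] * (MAX_STACK + 1) + ["ret"]        # one push too many

if __name__ == "__main__":
    for name, prog in [("GOOD", GOOD), ("TYPE_CONFUSED", TYPE_CONFUSED),
                       ("UNDERFLOW", UNDERFLOW), ("OVERFLOW", OVERFLOW)]:
        print(name, is_safe_to_load(prog))
```

The point of doing this before activation rather than at run time is the one the abstract makes: a downloaded viewer never gets to execute an instruction whose operands the loader could not account for, so a stack underflow or an integer treated as a reference is rejected on load instead of becoming a memory-safety bug inside the running interpreter.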
WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau
INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 5: G06F 11/00, 1/00
(11) International Publication Number: WO 95/33237
(43) International Publication Date: 7 December 1995 (07.12.95)
(21) International Application Number: PCT/US95/06659
(22) International Filing Date: 30 May 1995 (30.05.95)
(30) Priority Data: 08/251,622, 1 June 1994 (01.06.94), US
(71) Applicant: QUANTUM LEAP INNOVATIONS INC. [US/US]; 410 Briarcliff Road, Briarcliff Manor, NY 10510 (US).
(72) Inventors: SCHNURER, John; P.O. Box 446, Yellow Springs, OH 45387 (US). KLEMMER, Timothy, L.; 410 Briarcliff Road, Briarcliff Manor, NY 10510 (US).
(74) Agent: AMARAL, Anthony, Jr.; Reid & Priest L.L.P., 40 West 57th Street, New York, NY 10019 (US).
(81) Designated States: CA, CN, DE, GB, JP, MX, European patent (AT, BE, CH, DE, DK, ES, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE).
Published with international search report.

(54) Title: COMPUTER VIRUS TRAP

[Figure: block diagram showing the I/O buffer (18), the protected computer system (28), the analysis/detection stage and the response/alarm stage (52).]

(57) Abstract

A computer virus trapping device (10) is described that detects and eliminates computer viruses before they can enter a computer system and wreak havoc on its files, peripherals, etc. The trapping device (10) creates a virtual world that simulates the host computer system (28) the virus intends to infect. The environment is made as friendly as possible to fool a computer virus into thinking it is present on the host (28), its intended target system. Within this virtual world, the virus is encouraged to perform its intended activity. The invention is able to detect any disruptive behaviour occurring within this simulated host computer system. It is further able to remove (52) the virus from the data stream before it is delivered to the host (28) and/or take any action previously instructed by a user (38).

DEF-FIN00007699

FOR THE PURPOSES OF INFORMATION ONLY

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT.

AT Austria, AU Australia, BB Barbados, BE Belgium, BF Burkina Faso, BG Bulgaria, BJ Benin, BR Brazil, BY Belarus, CA Canada, CF Central African Republic, CG Congo, CH Switzerland, CI Côte d'Ivoire, CM Cameroon, CN China, CS Czechoslovakia, CZ Czech Republic, DE Germany, DK Denmark, ES Spain, FI Finland, FR France, GA Gabon, GB United Kingdom, GE Georgia, GN Guinea, GR Greece, HU Hungary, IE Ireland, IT Italy, JP Japan, KE Kenya, KG Kyrgyzstan, KP Democratic People's Republic of Korea, KR Republic of Korea, KZ Kazakhstan, LI Liechtenstein, LK Sri Lanka, LU Luxembourg, LV Latvia, MC Monaco, MD Republic of Moldova, MG Madagascar, ML Mali, MN Mongolia, MR Mauritania, MW Malawi, NE Niger, NL Netherlands, NO Norway, NZ New Zealand, PL Poland, PT Portugal, RO Romania, RU Russian Federation, SD Sudan, SE Sweden, SI Slovenia, SK Slovakia, SN Senegal, TD Chad, TG Togo, TJ Tajikistan, TT Trinidad and Tobago, UA Ukraine, US United States of America, UZ Uzbekistan, VN Viet Nam

WO 95/33237    PCT/US95/06659

COMPUTER VIRUS TRAP

BACKGROUND OF THE INVENTION

The computer virus problem that exists today had its beginnings sometime in the late 1980s. At that time computer viruses were a novelty and plagued mainly DOS and Macintosh computers. Today, almost every Fortune 500 company has experienced computer viruses, with the current rate being about one virus incident every 2 to 3 months.

The term computer virus is applied in common and legal usage to software, code, code blocks, code elements and code segments which perform certain functions in the digital computer environment. Code is intended to mean the digital instructions which the computer responds to. Non-damaging or legitimate software, code, code blocks, code segments and code elements that serve a useful purpose would not be considered a virus.

Computer viruses have been known to cause physical harm to computer hardware in addition to erasing and destroying data. While rare, there have been cases of viruses that have made calls to disk drive heads actually scoring the media; still others have been discovered that ramped up the scan rate on a monitor, causing failure. Most viruses do not, however, intentionally cause explicit physical harm, and they are discovered before they are triggered to cause damage to data and files. However, it is after discovery that the real cost of viruses becomes apparent, in connection with their detection and removal. In an average computer site this might entail searching 1000 PCs and 35,000 diskettes. If the software engineer misses even one instance of the virus, other computers will be re-infected and the clean-up search must be repeated all over again.

A common misconception is that there are good viruses and bad viruses. Some viruses are claimed to be benign because they do not have a malicious trigger event and cannot do intentional harm. However, this misses the point that the problems computer viruses cause are not mainly due to the trigger events: it is a fact that computer viruses replicate, and this by itself is harmful because it necessitates a search to clean up all instances of the virus in a computer installation.
The damage caused by viruses, not so much due to erased files or data but in the cost of detection, removal and the accompanying lowered worker productivity, can be very high. It has been calculated that the average computer site will spend on the order of $250,000 on a computer virus cleanup. It has been estimated that computer viruses will cost U.S. computer users over a billion dollars in 1994 alone.

The problem will grow exponentially due to the advent of the Information Super Highway. The increased connectivity among individuals, companies and government will allow a computer virus to create havoc. Currently disjoint computer systems that perform various functions that we take for granted today, such as banking, telecommunications, radio, information databases, libraries and credit, might meld together in the future. Thus computer viruses, unchecked, could have a crippling effect on our society.

A virus can only cause trouble when it enters a system and finds a location on which to act. In a general sense, the virus must perform an intended function, or a function the user or operator did not intend, expect, compensate for or otherwise protect against. Some examples of malicious virus activity are: changing the names of files, making it difficult for the user to access them; moving a file to a new location; deleting files; interfering with working programs (i.e. causing all the words on a screen to fall to the bottom of the screen in a heap); replicating themselves and clogging up the system, making it nonfunctional; or waiting for a predetermined time period, or for a certain number of toggle operations such as boot, access, cursor movements, mouse clicks, etc., before acting.

More felonious types of viruses are those that have been released to cause ruin or impairment of a system for the purposes of sabotage, espionage or financial gain, or to impair a competing business. Some examples include: creating a trap door which allows access to an unauthorized user for any purpose such as espionage, dumping files or erasure; navigation programs which find routes into systems; password cracking programs; modifying the executable segment of legitimate programs; and attaching themselves to a code block and travelling to another site.

In addition to traditional PCs and networks being vulnerable to virus infections, embedded control systems often used in industrial process control settings are also vulnerable. These systems control machinery, motors and industrial robots and process data from sensors. Because embedded systems are vulnerable to viruses just as PCs are, the results are potentially quite damaging. The smooth flow of a factory or assembly line could be devastated by a virus' uncontrolled behavior.

There are many possible ways for a virus to act on a computer system. All computers go through a boot procedure in which the Basic Input Output System (BIOS) and/or other resident system tools perform a variety of startup tasks such as finding drives, testing memory and the system, initiating system files, loading DOS or another Operating System (OS) and bringing up an initial startup program. The system performs certain housekeeping tasks such as establishing various links among other functions. A computer system of any utility is complex enough that someone writing a virus has a myriad of opportunities and possibilities in which to cause trouble and interfere with the proper operation of the system.

The most common solution to the virus problem is to employ anti-virus software that scans, detects and eliminates viruses from computer systems. These programs work by searching a storage medium such as a hard disk drive or floppy diskette for known patterns of various viruses. However, there are problems associated with this method of virus elimination. The software can only scan for known viruses which have an identifiable pattern that can be detected using repetitive string searches. To protect against new viruses, frequent upgrades must be distributed. In addition, for the program to detect a virus, the virus must already have infected that computer. The virus might have done some damage or even replicated itself and spread before it is detected. Also, the program must be run often to provide effective protection against viruses, especially on systems where programs and data are transferred frequently between computers via diskettes.

In addition, further liabilities, pitfalls and limitations of the current breed of anti-virus software solutions exist. This software breaks down into three categories: scanners, monitors and CRCs. Scanners, as previously mentioned, work off databases of known strings. These databases are in constant need of updates. Monitors are memory-resident programs monitoring the computer for questionable behavior. Monitors suffer from high rates of false positives, and they occupy a large portion of the limited conventional memory of a PC. CRCs are error-checking programs that generate a "signature" in the form of a 2-byte number for each and every file to be protected. CRC programs either place the "signature" in the file itself or in a separate file. CRC programs suffer from the fact that they are easy to identify and thus easily tricked into recreating a "signature" for an infected file. Further, scanners, monitors and CRC programs must be run on the PC in question. Often this is a time-consuming chore. These programs usually must have full control of the PC to operate, further inconveniencing the user because he must wait for the scanner to finish before he can begin his normal work. The other critical concept is that the anti-virus software is run on the PC in question. It is subject to the limitations and liabilities of the operating system and may already be running on an infected PC without knowing it. The invention takes a unique approach by performing its logic outside of the PC, not inconveniencing the user, and is more effective because the invention's hardware guarantees a clean, uninfected start.

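To make the scanner and CRC limitations just described concrete, the following added example (not code from the patent or from any product) runs a string-signature scanner and a 2-byte CRC integrity check over constructed sample files. The signature bytes, the files and the CRC polynomial are assumptions made for this example. It goes one step beyond the text: besides a virus simply rewriting the stored "signature", a 2-byte CRC can be matched outright, because two appended bytes map one-to-one onto the 16-bit CRC state, so an infected file can be given the clean file's CRC in at most 65536 cheap tries.

```python
"""Signature scanning and CRC 'signatures' side by side, on constructed
sample files. Added example, not code from the patent or from any product;
the virus pattern, the files and the CRC parameters are illustrative."""
from typing import Dict, List

# --- scanner: repetitive string search for a known pattern ----------------
SIGNATURES: Dict[str, bytes] = {
    "SAMPLE-A": b"\xe8\x00\x00\x5e\x81\xee",   # constructed byte pattern
}

def scan(blob: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Names of every signature whose byte string occurs in the file."""
    return [name for name, pattern in signatures.items() if pattern in blob]

# --- CRC program: a 2-byte 'signature' per protected file -----------------
def _crc16_table(poly: int = 0x1021) -> List[int]:
    table = []
    for byte in range(256):
        crc = byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table

_TABLE = _crc16_table()

def crc16(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16 (polynomial 0x1021, MSB first). `crc` lets a computation resume
    from an earlier state, so crc16(a + b) == crc16(b, crc16(a))."""
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ _TABLE[((crc >> 8) ^ b) & 0xFF]
    return crc

def integrity_check(blob: bytes, stored_signature: int) -> bool:
    return crc16(blob) == stored_signature

def forge_crc(blob: bytes, target: int) -> bytes:
    """Append two bytes so the file carries a chosen CRC-16. Two appended bytes
    map one-to-one onto the 16-bit CRC state, so a match always exists and is
    found within 65536 resumed two-byte computations."""
    state = crc16(blob)
    for candidate in range(1 << 16):
        suffix = candidate.to_bytes(2, "big")
        if crc16(suffix, state) == target:
            return blob + suffix
    raise RuntimeError("unreachable: every 16-bit value is reachable")

# --- constructed sample files ---------------------------------------------
CLEAN = b"MZ" + b"\x90" * 40 + b"\xc3"
INFECTED = CLEAN + SIGNATURES["SAMPLE-A"] + b"\xeb\xfe"
VARIANT = INFECTED.replace(b"\x81\xee", b"\x81\xef")   # one byte changed

def demo() -> Dict[str, object]:
    baseline = crc16(CLEAN)                      # the stored 2-byte "signature"
    forged = forge_crc(INFECTED, baseline)       # infected file with the old CRC
    return {
        "scanner_on_infected": scan(INFECTED),   # found by string search
        "scanner_on_variant": scan(VARIANT),     # missed: pattern no longer present
        "crc_on_infected": integrity_check(INFECTED, baseline),   # change noticed
        "crc_on_forged": integrity_check(forged, baseline),       # not noticed
        "forged_still_infected": scan(forged),
    }

if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow. The stored CRCs have to live where the scanned machine cannot write them, which is the same requirement the invention places on the environment data it saves outside the emulation box. And a CRC of any width is a checksum, not a keyed hash: a keyed integrity value would close the forgery shown here, while a plain checksum stays re-baselineable by anything that can write the store.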
Another possible solution is to increase computer security to the point where viruses cannot enter the system. Login/password control and encryption do not affect computer viruses. With encryption, detection and elimination are made more difficult because the virus, along with good data, is encrypted, only becoming decrypted when it attempts to replicate. Clearly, this is quite burdensome and expensive to implement.

Another possible solution is to avoid computer bulletin boards, both the commercial type such as CompuServe, Prodigy, the Internet and Usenet, and the private, local, small type. However, this will not prevent viruses from spreading, because most viruses do not result from software or data downloaded from information databases or computer bulletin boards. The operators of both commercial on-line services and private bulletin boards are very careful to keep viruses off their systems. They are constantly searching and scanning anything that is uploaded to their systems before making it available to their subscribers. In addition, most computer viruses of the boot track type do not spread through downloaded data or software. The majority of viruses are spread through diskettes. There are known instances of commercial software being distributed after being infected by a virus. There are known instances of viruses being distributed unwittingly by diskette manufacturers on blank diskettes. There are no rules for which diskettes are more likely to be free from viruses.

Thus, there is a long felt need for a device that can search for, detect and eliminate viruses before they ever enter into a computer system, that is transparent to a user and effective against all viruses in existence today and those not yet created.

SUMMARY OF THE INVENTION

One characteristic of almost all viruses is that on their own they are not capable of crossing from one computer OS to another. This is because different computer systems in use today have different internal instructions or command sets. The language perfectly acceptable and intelligible to one OS does not have any correlation to another. An analogy to humans would be two people speaking different languages not being able to communicate. Although there might exist identical words present in both languages, it is statistically very unlikely for a misinterpreted or cross-over string of words or set of computer instructions (i.e. a virus) to convey a significant amount of information or be able to effectively execute a series of instructions. It is even more unlikely for this misinterpreted or cross-over string of words or series of instructions to migrate from one language or system to another language or system and still be able to convey any useful information or execute a series of commands.

The present invention utilizes this characteristic of viruses to create an impenetrable barrier through which a virus cannot escape. The use of a foreign operating system guarantees the invention a high degree of safety and impenetrability. While the inventors recognize that such an invention can be built without the use of a foreign operating system, such a version of the invention would lack any creditable degree of security. In addition, without the use of a foreign operating system the invention itself risks contamination. A foreign operating system, different from the one being protected, is introduced into the data stream before the data arrives at the computer system to be protected. To illustrate: if a program written for DOS will not run as intended on a Macintosh, neither will a virus. A foreign operating system, in order to complete its operation, must provide an emulation of the target computer operating system (disk drives, memory configuration, ports, etc.). The virus is therefore fooled into thinking it is resident on the target computer system it was intending to infect. It is here, while the virus is resident within the emulated target operating system, that the virus is encouraged to infect files, destroy data and wreak havoc.

It is here that the invention diverges from all other strategies in virus detection and prevention. All other strategies are defensive in nature: they mark files to detect unwarranted changes, or they scan for unintended behavior in an attempt to prevent the virus from performing its damage. The present invention takes an offensive strategy by encouraging the virus to infect and destroy files.

The most critical behavior of a virus that computer users want to prevent is the virus's ability to replicate. Once a virus has erased a file or made a hard drive inoperable, it is detected. Once the virus has done anything considered malicious, it usually is detected. At this point anti-virus software and hardware must be brought in and run to detect and clean files. Prior to performing this malicious act, a virus must replicate. If it does not replicate, it cannot grow and stay alive. If it has the ability to replicate, it can travel from PC to floppy to PC to network, etc. It is this behavior of viruses to replicate that the present invention preys on. The virus is encouraged to act within this cross-platform generated emulation so that it can be detected. It is this use of cross-platform technology and offensive strategy that allows a virus to be detected at any level before any damage occurs to the protected system.

It is in the emulation that the invention can detect the virus, and in the use of a transplatform logic/environment that it can safely contain the virus. Where the virus can get around DOS or Mac scanners, or the operating system or BIOS, it cannot infiltrate and contaminate the foreign operating system.

A foreign operating system is chosen based on its ability to monitor and watch any emulations, for being able to manipulate elements within the emulation (files, falsifying BIOS information, creating sham peripherals), and for sheer speed and computational horsepower.

The inventors recognize that it can be done without a transplatform, but it will be slow and absolutely unsafe. The use of a foreign operating system can be likened to the use of lead walls, glass walls and mechanical arms used by people manipulating radioactive materials in labs. While it is certainly possible to pick up radioactive material with one's bare hands, it is not highly recommended nor is it safe. While the invention can be had without the use of a foreign operating system, it is not highly recommended nor is it safe.

A primary object of the present invention is to provide a virus detection system to detect and eliminate viruses at their most basic level by simulating the host's environment, creating a virtual world to fool the virus into thinking it is resident on the host, so as to allow disruptive behavior to be detected and the virus destroyed without harm to the host.

Another object of the present invention is to provide a virus detection system able to detect and trap viruses at any level in a way other than performing string searches through memory or files.

Yet another object of the present invention is to provide a virus detection system able to detect as yet unknown viruses, thereby obviating the need for software updates to keep the detection device current.

Still another object of the present invention is to minimize the down time of the host computer system in the event a virus is detected.

Still another object of the invention is to record, at the user's discretion, the virus to another medium for transferral to virus analysis groups. The object is to feed the virus to an internal analysis to compare against a known, previously acquired attempt, such as a trapdoor or file change, or industrial espionage or sabotage code, etc.

Still another object is to record from which incoming source the virus came, i.e. modem, which Digiboard channel, Internet, CompuServe, LAN station/user ID, WAN line, etc.

Another object is to alert system administration of the attack.

BRIEF DESCRIPTION OF THE DRAWINGS

Serving to illustrate exemplary embodiments of the invention are the drawings of which:

Fig. 1 is a high level functional block diagram of the preferred embodiment of the present invention;

Fig. 2 is a functional block diagram of the preferred embodiment of the present invention;

Fig. 3 is a functional block diagram showing the application of the present invention in a local area networking environment;

Fig. 4 is a functional block diagram showing the application of the present invention in a telecommunications networking environment;

Fig. 5 is a high level software logic diagram showing the operating steps of the present invention;

Figs. 6A to 6C together comprise a high level flow chart of the operating steps of the present invention.
DETAILED DESCRIPTION OF THE INVENTION

In order to afford a complete understanding of the invention and an appreciation of its advantages, a description of a preferred embodiment of the present invention in a typical operating environment is presented below.

Operating on the principle that a virus cannot cross operating systems, the present invention creates a virtual world for a potential virus. An OS that emulates the system to be protected provides a friendly, familiar environment for the virus. The virus is encouraged to act in this virtual world created for it. The results of the virus' disruptive behavior can be detected, and consequently the virus can be flagged and eliminated, or stored and further analyzed. This scheme is based on the assumptions that almost all viruses are executable in nature, that no user would try to purposely communicate a destructive virus to another, and that it is possible to identify executable instructions in an environment where the instruction cannot possibly operate.

Shown in Figures 1 and 2 are functional block diagrams of the virus trapping device 10. The Central Processing Unit (CPU) 12 can be any computing device (i.e. an Intel, Motorola, Paramid, National Semiconductor or Texas Instruments microprocessor, multiple chip set CPUs, board level CPUs, etc.). The Transputer is particularly well suited because almost all PCs in use today employ CPUs other than the Transputer. A guide to the application and programming of the Transputer can be found in The Transputer Handbook, by Mark Hopkins, copyright 1989 INMOS Ltd., and The Transputer Databook, by Mark Hopkins, 3rd Edition, copyright 1992 INMOS Ltd. Italy. As in a typical microprocessor circuit design, EPROM 14 holds the operating software for the CPU 12. RAM 16 provides a temporary storage facility for the CPU 12 to execute the virus detection software. Link adapters 20 provide physical connections to interface the virus trapping device 10 to the outside world. The trap device 10 is not limited to two link adapters; any number could be implemented to handle a multitude of input data streams. The device 10 reads an incoming data stream from one or more outside sources. Examples of a communication link 24 are a Local Area Network (LAN) (i.e. Novell), a Wide Area Network (WAN) (i.e. networked LANs), the telephone network (i.e. modems), a radio frequency (RF) type cellular network or some type of data storage device (i.e. floppy diskette, hard disk, tape, CD-ROM, magneto-optical, etc.). The communication link 24 provides an incoming data stream for the device 10 to operate on. Diskettes are commonly used to transfer data and programs from one computer to another, thus making them a common entry point into the system for viruses. An input/output (I/O) interface 18 provides a means for the virus trapping device 10 to communicate with the computer system being protected 28.

The application of the virus trapping device 10 in a typical operating environment is shown in Figure 3. The file server 42 is the computer system to be protected. The virus trapping device 10 is placed in the data stream that connects the file server 42 to other workstations 38. The hubs 40 serve to connect the workstations 38 into a LAN, and the modems 36 serve to connect remote workstations 38 to the file server 42. In this scenario, all traffic to and from the file server 42 is monitored for viruses by the trap 10.

Another application of the trapping device 10 is shown in Figure 4. In this scenario, data traffic passing through the telecommunications network 34 is protected from viruses. A user might have a mainframe file server 30 at a remote site connected to the telephone network 34. Nodes 32 located in the telephone company's central offices perform access and cross-connect functions for customers' data traffic. To prevent the spread of a virus through the network, the trapping device 10 is placed in front of each node 32. Data traffic between workstations 38 connected to the telephone network 34 via modems 36 and the mainframe file server 30 is constantly checked for viruses because the traffic must pass through the virus trapping device 10.

Operation of the virus trapping device 10 is as follows. The trapping device 10 monitors the data stream that enters from the outside world, such as from the communications link 24. All data is treated as data, whether it is actually data (i.e. data files) or instructions (i.e. executables), as it passes over the link 24. At this point the actual instructions have not been executed; rather, they are in the process of being transmitted for execution. While in this state of transmission, emulation means 48, controlled by the CPU 12, provide a friendly environment for a potential virus. The data is put into the emulation chamber 48, where the virus is fooled into acting as if it were really present on the host system. It is desired that any disruptive behavior the virus is capable of displaying take place in the emulation chamber 48, such as replicating, attacking another program or destroying data. In this virtual world the virus has complete access to its environment. It is at this point that analysis and detection means 50, controlled by the CPU 12, catch the virus in the act of self-replication and prevent it from infecting the host system. The virus cannot escape the emulation box 48 because the box exists in a foreign operating environment with no access to critical files, keyboard, screen, etc. Access to the real world is completely blocked.

`DEF-FINOOOOT711
`
`SOPHOS
`EXHIBIT 1004 - PAGE 0332
`
`

`
`W0 95/33237
`
`12
`
`PCT/US95/06659‘
`
Upon startup of the trapping device 10, the emulation software is read from EPROM 14 and executed. When a user turns on his workstation 38, a connection is established between the workstation 38 and the file server 30 (or 42). A connection session is created in the RAM 16 of the CPU 12. In like fashion, a session is created for each user.

As the user at a workstation 38 runs commands and moves files about, data is ultimately written to and read from the file server 30. The trapping device 10 splits the data into two paths. One path connects directly to the protected computer system 28 without modification. Data over the other path is written into the emulation box or virtual world created for each user. The write is performed in this box just as it would have been performed on the file server 30, protected computer 28 or workstation 38. Changes in date and time are simulated to trigger time sensitive viruses, fooling them as to the actual date and time. If the environment changes, it is checked to determine whether simply data was written or whether executable code was written.

Once the executable is inside the emulation box, a Cyclic Redundancy Check (CRC) is made of the Interrupt Request table (IRQ). Also, CRCs are generated on all files that are placed in the emulation box. The CRC is an error detection and correction code widely used in the computer and engineering fields. Other aspects of the environment, such as available memory, are saved too. All information saved is stored outside of the emulation box where it cannot be altered by a virus. The executable is forced to run.

If absolutely nothing happens, a self replicating virus does not exist. If anything within the environment changes (i.e. size of files, sudden attempts to write to other executables in the emulation box, etc.) it is determined that a virus does exist and is attempting to self replicate itself.

The first step is to determine whether the IRQ table was modified. The second step is to determine if another program was written to. Many programs attach themselves to IRQs (i.e. network shell programs, mouse drivers, some
print drivers, communication and fax drivers). However, none of these programs will try to write code to other executables. No legitimate program will attempt direct changes to the File Allocation Table (FAT) or other internal OS disk area. They typically pass their changes (or writes) through standard well behaved DOS interrupts (INTs) (i.e. INT 21). Or, for example, in the case of file repair programs (i.e. Norton Utilities) which do at times write directly to the FAT, they will also not grab IRQs. It is the combination of grabbing one or more IRQs and attempting ch
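The snapshot-and-compare procedure described above, as an added example that is not part of the patent: CRCs of the box contents and of the interrupt vector table are saved before the suspect is forced to run, the box is diffed afterwards, and the two-step rule (was the IRQ table modified, was another program written to) decides the verdict. The box layout, file contents, vector values and the three sample behaviours are constructed stand-ins, not anything from the document.

```python
import struct
import zlib

EXECUTABLE_SUFFIXES = (".com", ".exe")

def take_snapshot(files, irq_table):
    """CRC32 of every file in the box and of the interrupt vector table; the result is
    kept outside the box, where code run inside it cannot alter it."""
    return {
        "files": {name: zlib.crc32(data) for name, data in files.items()},
        "irq": zlib.crc32(struct.pack("<%dI" % len(irq_table), *irq_table)),
    }

def analyze(suspect, before, files_after, irq_after):
    """Diff the saved snapshot against the box after the suspect was forced to run."""
    after = take_snapshot(files_after, irq_after)
    irq_modified = before["irq"] != after["irq"]          # step one: IRQ table touched?
    touched = {n for n in files_after
               if n not in before["files"] or before["files"][n] != after["files"][n]}
    other_exes = sorted(n for n in touched                # step two: another program written to?
                        if n != suspect and n.lower().endswith(EXECUTABLE_SUFFIXES))
    if other_exes:
        verdict = "virus"             # no legitimate program writes code into other executables
    elif irq_modified:
        verdict = "irq_hook_only"     # drivers and shells hook vectors without touching programs
    elif touched:
        verdict = "data_write_only"   # plain data was written, not executable code
    else:
        verdict = "clean"             # absolutely nothing happened
    return {"verdict": verdict, "irq_modified": irq_modified, "other_executables": other_exes}

def run_in_box(suspect, behaviour):
    """Constructed stand-in for the emulation chamber: a fresh box holds a few files and a
    256-entry vector table; `behaviour` plays the suspect's actions against that copy only."""
    files = {"host.com": b"\xb4\x09\xcd\x21\xc3", "tool.exe": b"MZ" + b"\x00" * 30,
             "notes.txt": b"sample data", suspect: b"\xeb\xfe"}   # constructed contents
    irq = [0x0000F000 + 16 * i for i in range(256)]       # constructed vector table
    before = take_snapshot(files, irq)
    behaviour(files, irq, suspect)
    return analyze(suspect, before, files, irq)

# Three constructed behaviours standing in for code the box might be asked to run.
def infector(files, irq, me):   # grabs INT 21h and appends its own body to every other .com
    irq[0x21] = 0x12345678
    for name in list(files):
        if name != me and name.endswith(".com"):
            files[name] += files[me]
def driver(files, irq, me):     # a mouse driver: takes over a vector, writes no files
    irq[0x33] = 0x0BADF00D
def editor(files, irq, me):     # an ordinary program that only writes data
    files["notes.txt"] += b" edited"
```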
