US005623600A

United States Patent [19]                         [11] Patent Number: 5,623,600
Ji et al.                                          [45] Date of Patent: Apr. 22, 1997

[54] VIRUS DETECTION AND REMOVAL APPARATUS FOR COMPUTER NETWORKS

[75] Inventors: Shuang Ji, Foster City; Eva Chen, Cupertino, both of Calif.
[73] Assignee: Trend Micro, Incorporated, Cupertino, Calif.
[21] Appl. No.: 533,706
[22] Filed: Sep. 26, 1995
[51] Int. Cl.6 .................................... G06F 11/34
[52] U.S. Cl. ..................................... 395/187.01; 364/286.4; 364/DIG. 1
[58] Field of Search ............................. 395/186, 187.1, 395/200.06; 380/4; 364/285.1, 286.4

[56] References Cited

U.S. PATENT DOCUMENTS
4,975,950  12/1990  Lentz ................... 380/4
5,319,776   6/1994  Hile et al. ............. 395/187.01
...
...
5,444,850   8/1995  Chang ................... 395/200
5,448,668   9/1995  Perelson et al. ......... 395/182
5,452,442   9/1995  Kephart ................. 395/183
5,485,575   1/1996  Chess et al. ............ 395/183
5,491,791   2/1996  Glowny et al. ........... 395/183
5,511,163   4/1996  Lerche et al. ........... 395/183.15

FOREIGN PATENT DOCUMENTS
666671      8/1995  European Pat. Off. ...... H04L 29/06
6350784     6/1994  Japan ................... H04N 1/00
9322723    11/1993  WIPO .................... G06F 11/00

Primary Examiner—Robert W. Beausoliel, Jr.
Assistant Examiner—Albert Decady
Attorney, Agent, or Firm—Christopher M. Tobin; Greg T. Sueoka

[57] ABSTRACT

A system for detecting and eliminating viruses on a computer network includes a File Transfer Protocol (FTP) proxy server for controlling the transfer of files and a Simple Mail Transfer Protocol (SMTP) proxy server for controlling the transfer of mail messages through the system. The FTP proxy server and SMTP proxy server run concurrently with the normal operation of the system and operate in a manner such that viruses transmitted to or from the network in files and messages are detected before transfer into or from the system. The FTP proxy server and SMTP proxy server scan all incoming and outgoing files and messages, respectively, before transfer for viruses and then transfer the files and messages only if they do not contain any viruses. A method for processing a file before transmission into or from the network includes the steps of: receiving the data transfer command and file name; transferring the file to a system node; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the system to a recipient node if the file does not contain a virus; and deleting the file if the file contains a virus.

22 Claims, 12 Drawing Sheets

SOPHOS
EXHIBIT 1009 - PAGE 0001
`
U.S. Patent    Apr. 22, 1997    Sheet 1 of 12    5,623,600

FIG. 1 (Prior Art): block diagram of a portion of the prior art information system; the inter-network link is labeled "Telephone Line or Network Link".
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 2 of 12    5,623,600

FIG. 2: block diagram of a preferred embodiment of the gateway node.
`
`
`
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 3 of 12    5,623,600

FIG. 3: block diagram of the memory of the gateway node; labels: Operating System, 66 (kernel), Application, 68.
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 4 of 12    5,623,600

FIG. 4: protocol layer hierarchy of the gateway node compared with the OSI layer model.

  OSI Layer             Protocol / Implementation
  --------------------  --------------------------------------------------------------------------
  Application 406       File Transfer 423; Electronic Mail 424; Terminal Emulation 425;
                        Network Management 426
                        FTP Proxy Server 421; SMTP Proxy Server 422
  Presentation 405 /    File Transfer Protocol (FTP) 417; Simple Mail Transfer Protocol (SMTP) 418;
  Session 404           TELNET 419; Simple Network Management Protocol (SNMP) 420
  Transport 403         Transmission Control Protocol (TCP) 415; User Datagram Protocol (UDP) 416
  Network 402           Address Resolution 412; Internet Protocol (IP) 413;
                        Internet Control Message Protocol (ICMP) 414
  Data Link 401         Network Interface Cards 411: Ethernet, StarLAN, token ring
  Physical 400          Transmission media 410: twisted pair, coax or fiber optics
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 5 of 12    5,623,600

FIG. 5A: functional block diagram of the system for sending data files.
`
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 6 of 12    5,623,600

FIG. 5B: functional block diagram of the system for receiving data files.
`
`
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 7 of 12    5,623,600

FIG. 6A (flowchart, steps 600-608):
  600  Client node sends connection request
  602  Internet daemon creates an instance of the FTP proxy server and passes the connection to the FTP proxy server
  604  Client node sends data transfer request and file name, and establishes a data port
  606  Data transfer request and file name received by FTP proxy server
  608  Is data being transferred in an outbound direction?  Yes: continue at FIG. 6B.  No: continue at FIG. 6C.
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 8 of 12    5,623,600

FIG. 6B (flowchart, steps 610-628, outbound transfer):
  610  Is the file of a type that can contain viruses?
         No: Send request and file to FTP ...; End
         Yes:
       Transfer file from client to FTP proxy server through port
       Store file temporarily at gateway
       Analyze temporarily stored file for viruses
       Send any virus detection messages from FTP proxy server to client as a reply
       Does file contain any viruses?
         No: Send request and file to FTP ...; End
         Yes: Determine configuration settings
              Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file
              End
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 9 of 12    5,623,600

FIG. 6C (flowchart, steps 640-662, inbound transfer):
       Send data transfer request and file name to FTP daemon and then to server
       Establish a second port between FTP daemon and server
       Send file from server to the FTP daemon and then to FTP proxy server
       Is the file of a type that can contain viruses?
         No: Transfer file from FTP proxy server to client through port; End
         Yes:
       Store file temporarily at gateway
       Analyze temporarily stored file for viruses
       Send any virus detection messages from FTP proxy server to client as a reply
       Does file contain any viruses?
         No: Transfer file from FTP proxy server to client through port; End
         Yes: Retrieve configuration file
              Transfer file anyway?
                Yes: Transfer file from FTP proxy server to client through port; End
                No:  Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file; End
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 10 of 12    5,623,600

FIG. 7: functional block diagram of the system for transmitting mail messages.
`
`
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 11 of 12    5,623,600

FIG. 8A (flowchart, steps 800-818):
       Spawn SMTP proxy server
       Create a first port for communication between the client and SMTP proxy server
       Bind SMTP proxy server to the first port
       Spawn SMTP daemon
       Create a second port for communication from proxy server to SMTP daemon
       Bind SMTP daemon to the second port
       Client node requests a connection from the SMTP proxy server
       Transmit message from client node to SMTP proxy server
       (continued at FIG. 8B)
`
`
`
U.S. Patent    Apr. 22, 1997    Sheet 12 of 12    5,623,600

FIG. 8B (flowchart, steps 814-840):
  820  Scan message for encoded portions
  822  Does message include encoded portions?
         No: Transmit message through second port to SMTP daemon
         Yes:
       Store message in temporary file(s)
       Perform virus detection on message
       Does message contain any viruses?
         No: Transmit message through second port to SMTP daemon
         Yes: Determine configuration for virus detection handling
              Determine action to be taken if virus detected
              Transmit transformed message and perform determined action on each encoded portion
  814  Create a third port for communication from SMTP daemon to server task
  816  Bind server task to the third port
       Transmit message through third port to client
       End
`
`
`
`1
`VIRUS DETECTION AND REMOVAL
`APPARATUS FOR COMPUTER NETWORKS
`
`5,623,600
`
BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer systems and computer networks. In particular, the present invention relates to a system and method for detecting and removing computer viruses. Still more particularly, the present invention relates to a system and method for detecting and removing computer viruses from file and message transfers between computer networks.

2. Description of the Related Art
During the recent past, the use of computers has become widespread. Moreover, the interconnection of computers into networks has also become prevalent. Referring now to FIG. 1, a block diagram of a portion of a prior art information system 20 is shown. The portion of the information system 20 shown comprises a first network 22, a second network 24 and a third network 26. This information system 20 is provided only by way of example, and those skilled in the art will realize that the information system 20 may include any number of networks, each of the networks being its own protected domain and having any number of nodes. As shown in FIG. 1, each of the networks 22, 24, 26 is formed from a plurality of nodes 30, 32. Each of the nodes 30, 32 is preferably a microcomputer. The nodes 30, 32 are coupled together to form a network by a plurality of network connections 36. For example, the nodes 30, 32 may be connected together using a token ring format, ethernet format or any of the various other formats known in the art. Each of the networks 22, 24, 26 includes a node 32 that acts as a gateway to link the respective network 22, 24, 26 to other networks 22, 24, 26. Each of the gateway nodes 32 is preferably coupled by a standard telephone line connection 34 such as POTS (Plain Old Telephone Service) or a T-1 link to the other gateway nodes 32 through a telephone switching network 28. All communication between the networks 22, 24, 26 is preferably performed through one of the gateway nodes 32.
`
One particular problem that has plagued computers, in particular microcomputers, has been computer viruses and worms. A computer virus is a section of code that is buried or hidden in another program. Once the program is executed, the code is activated and attaches itself to other programs in the system. Infected programs in turn copy the code to other programs. The effect of such viruses can be simple pranks that cause a message to be displayed on the screen or more serious effects such as the destruction of programs and data. Another problem in the prior art is worms. Worms are destructive programs that replicate themselves throughout disk and memory, using up all available computer resources and eventually causing the computer system to crash. Obviously, because of the destructive nature of worms and viruses, there is a need for eliminating them from computers and networks.

The prior art has attempted to reduce the effects of viruses and prevent their proliferation by using various virus detection programs. One such virus detection method, commonly referred to as behavior interception, monitors the computer or system for important operating system functions such as write, erase, format disk, etc. When such operations occur, the program prompts the user for input as to whether such an operation is expected. If such an operation is not expected (e.g., the user was not operating any program that employed such a function), the user can abort the operation knowing it was being prompted by a virus program. Another virus detection method, known as signature scanning, scans program code that is being copied onto the system. The system searches for known patterns of program code used for viruses. Currently, signature scanning only operates on the floppy disk drives, hard drives or optical drives. Yet another prior art approach to virus detection performs a checksum on all host programs stored on a system and known to be free from viruses. Thus, if a virus later attaches itself to a host program, the checksum value will be different and the presence of a virus can be detected.

Nonetheless, these approaches of the prior art suffer from a number of shortcomings. First, behavior interception is not successful at detecting all viruses because critical operations that may be part of the code for a virus can be placed at locations where such critical operations are likely to occur for the normal operation of programs. Second, most signature scanning is only performed on new inputs from disk drives. With the advent of the Internet and its increased popularity, there are no prior art methods that have been able to successfully scan connections 36 such as those utilized by a gateway node in communicating with other networks. Third, many of the above methods require a significant amount of computing resources, which in turn degrades the overall performance of the system. Thus, operating the virus detection programs on every computer becomes impractical. Therefore, the operation of many such virus detection programs is disabled for improved performance of individual machines.
`
Therefore, there is a need for a system and method for effectively detecting and eliminating viruses without significantly affecting the performance of the computer. Moreover, there is a need for a system and method that can detect and eliminate viruses in networks attached to other information systems by way of gateways or the Internet.
`
SUMMARY OF THE INVENTION

The present invention overcomes the limitations and shortcomings of the prior art with an apparatus and method for detecting and eliminating viruses on a computer network. A system including the present invention is a network formed of a plurality of nodes and a gateway node for connection to other networks. The nodes are preferably microcomputers, and the gateway node comprises: a display device, a central processing unit, a memory forming the apparatus of the present invention, an input device, a network link and a communications unit. The memory further comprises an operating system including a kernel, a File Transfer Protocol (FTP) proxy server, and a Simple Mail Transfer Protocol (SMTP) proxy server. The central processing unit, display device, input device, and memory are coupled and operate to execute the application programs stored in the memory. The central processing unit of the gateway node also executes the FTP proxy server for transmitting and receiving files over the communications unit, and executes the SMTP proxy server for transmitting and receiving messages over the communications unit. The FTP proxy server and SMTP proxy server are preferably executed concurrently with the normal operation of the gateway node. The servers advantageously operate in a manner such that viruses transmitted to or from the network in messages and files are detected before the files are transferred into or from the network. The gateway node of the present invention is particularly advantageous because the impact of using the FTP proxy server and SMTP proxy server for the detection of viruses is minimized: only the files leaving or entering the network are evaluated for the presence of viruses, and all other "intra" network traffic is unaffected.
`
The present invention also comprises a method for processing a file before transmission into the network and a method for processing a file before transmission from the network. The preferred method for processing a file comprises the steps of: receiving the data transfer command and file name; transferring the file to the proxy server; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the proxy server to a recipient node if the file does not contain a virus; and performing a preset action with the file if it does contain a virus. The present invention also includes methods for processing messages before transmission to or from the network that operate in a similar manner.
`
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a prior art information system with a plurality of networks and a plurality of nodes upon which the present invention operates;

FIG. 2 is a block diagram of a preferred embodiment for a gateway node including the apparatus of the present invention;

FIG. 3 is a block diagram of a preferred embodiment for a memory of the gateway node including the apparatus of the present invention;

FIG. 4 is a block diagram of a preferred embodiment for a protocol layer hierarchy constructed according to the present invention compared to the OSI layer model of the prior art;

FIG. 5A is a functional block diagram showing a preferred system for sending data files according to a preferred embodiment of the present invention;

FIG. 5B is a functional block diagram showing a preferred system for receiving data files according to a preferred embodiment of the present invention;

FIGS. 6A, 6B and 6C are a flowchart of the preferred method for performing file transfer according to the present invention;

FIG. 7 is a functional block diagram showing a preferred system for transmitting mail messages according to a preferred embodiment of the present invention; and

FIGS. 8A and 8B are a flowchart of a preferred method for sending messages to/from a network.
`
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The virus detection system and method of the present invention preferably operates on an information system 20 as has been described above with reference to FIG. 1. The present invention, like the prior art, preferably includes a plurality of node systems 30 and at least one gateway node 33 for each network 22, 24, 26. However, the present invention is different from the prior art because it provides a novel gateway node 33 that also performs virus detection for all files being transmitted into or out of a network. Furthermore, the novel gateway node 33 also performs virus detection on all messages being transmitted into or out of an associated network.
`
Referring now to FIG. 2, a block diagram of a preferred embodiment of the novel gateway node 33 constructed in accordance with the present invention is shown. A preferred embodiment of the gateway node 33 comprises a display device 40, a central processing unit (CPU) 42, a memory 44, a data storage device 46, an input device 50, a network link 52, and a communications unit 54. The CPU 42 is connected by a bus 56 to the display device 40, the memory 44, the data storage device 46, the input device 50, the network link 52, and the communications unit 54 in a von Neumann architecture. The CPU 42, display device 40, input device 50, and memory 44 may be coupled in a conventional manner such as a personal computer. The CPU 42 is preferably a microprocessor such as a Motorola 68040 or Intel Pentium or x86 type processor; the display device 40 is preferably a video monitor; and the input device 50 is preferably a keyboard and mouse type controller. The CPU 42 is also coupled to the data storage device 46, such as a hard disk drive, in a conventional manner. Those skilled in the art will realize that the gateway node 33 may also be a minicomputer or a mainframe computer.

The bus 56 is also coupled to the network link 52 to facilitate communication between the gateway node 33 and the other nodes 30 of the network. In the preferred embodiment of the present invention, the network link 52 is preferably a network adapter card including a transceiver that is coupled to a cable or line 36. For example, the network link 52 may be an ethernet card connected to a coaxial line, a twisted pair line or a fiber optic line. Those skilled in the art will realize that a variety of different networking configurations and operating systems including token ring, ethernet, or arcnet may be used and that the present invention is independent of such use. The network link 52 is responsible for sending, receiving, and storing the signals sent over the network or within the protected domain of a given network. The network link 52 is coupled to the bus 56 to provide these signals to the CPU 42 and vice versa.

The bus 56 is also coupled to the communications unit 54 to facilitate communication between the gateway node 33 and the other networks. Specifically, the communications unit 54 is coupled to the CPU 42 for sending data and messages to other networks. For example, the communications unit 54 may be a modem, a bridge or a router coupled to the other networks in a conventional manner. In the preferred embodiment of the present invention, the communications unit 54 is preferably a router. The communications unit 54 is in turn coupled to other networks via a medium 34 such as a dedicated T-1 phone line, fiber optics, or any one of a number of conventional connecting methods.

The CPU 42, under the guidance and control of instructions received from the memory 44 and from the user through the input device 50, provides signals for sending and receiving data using the communications unit 54. The transfer of data between networks is broken down into the sending and receiving of files and messages, which in turn are broken down into packets. The methods of the present invention employ a virus detection scheme that is applied to all transfers of messages and files into or out of a network via its gateway node 33.
Referring now to FIG. 3, the preferred embodiment of the memory 44 for the gateway node 33 is shown in more detail. The memory 44 is preferably a random access memory (RAM), but may also include read-only memory (ROM). The memory 44 preferably comprises a File Transfer Protocol (FTP) proxy server 60, a Simple Mail Transfer Protocol (SMTP) proxy server 62, and an operating system 64 including a kernel 66. The routines of the present invention for detecting viruses in file transfers and messages primarily include the FTP proxy server 60 and the SMTP proxy server 62. The FTP proxy server 60 is a routine for controlling file transfers to and from the gateway node 33 via the communications unit 54, and thus controlling file transfers to and from a given network of which the gateway node is a part. The operation of the FTP proxy server 60 is described below in more detail with reference to FIGS. 5A, 5B, 6A, 6B and 6C. Similarly, the SMTP proxy server 62 is a routine for controlling the transfer of messages to and from the gateway node 33, and thus to and from the respective network associated with the gateway node 33. The operation of the SMTP proxy server 62 is described below in more detail with reference to FIGS. 7, 8A and 8B. The present invention preferably uses a conventional operating system 64 such as Berkeley Software Distribution UNIX. Those skilled in the art will realize how the present invention may be readily adapted for use with other operating systems such as MACINTOSH System Software version 7.1, DOS, WINDOWS or WINDOWS NT. The memory 44 may also include a variety of different application programs 68 including but not limited to computer drawing programs, word processing programs, and spreadsheet programs. The present invention is particularly advantageous over the prior art because it minimizes the impact of virus detection and elimination, since the FTP proxy server 60 and SMTP proxy server 62 are preferably only included or installed in the memory 44 of the gateway nodes 33. Thus, data being transferred inside the protected domain of a given network will not be checked, because such data packets need not be routed via the gateway node 33.
While the apparatus of the present invention, in particular the FTP proxy server 60 and SMTP proxy server 62, has been described above as being located, and preferably is located, on the gateway node 33, those skilled in the art will realize that the apparatus of the present invention could also be included on an FTP server or a world wide web server for scanning files and messages as they are downloaded from the web. Furthermore, in an alternate embodiment, the apparatus of the present invention may be included in each node of a network for performing virus detection on all messages received or transmitted from that node.
As best shown in FIG. 4, the CPU 42 also utilizes a protocol layer hierarchy to communicate over the network. The protocol layers of the hierarchy of the present invention are shown in FIG. 4 in comparison to the ISO-OSI reference model, for example. The protocol layers 410-426 of the hierarchy of the present invention are similar to the prior art protocol layers for the lower four layers 400-403 including: (1) a physical layer 400 formed of the transmission media 410; (2) a data link layer 401 formed of the network interface cards 411; (3) a network layer 402 formed of address resolution 412, Internet protocol 413 and Internet control message protocol 414; and (4) a transport layer 403 formed of the transmission control protocol 415 and a user datagram protocol 416. Corresponding to the presentation 405 and session 404 layers, the protocol hierarchy of the present invention provides four methods of communication: a file transfer protocol 417, a simple mail transfer protocol 418, a TELNET protocol 419 and a simple network management protocol 420. There are corresponding components on the application layer 406 to handle file transfer 423, electronic mail 424, terminal emulation 425, and network management 426. The present invention advantageously detects, controls and eliminates viruses by providing an additional layer between the application layer 406 and the presentation layer 405 for the gateway nodes 33. In particular, according to the hierarchy of the present invention, an FTP proxy server layer 421 and an SMTP proxy server layer 422 are provided. These layers 421, 422 operate in conjunction with the file transfer layer 423 and file transfer protocol 417, and the electronic mail layer 424 and the SMTP protocol layer 418, to process file transfers and messages, respectively. For example, any file transfer requests are generated by the file transfer application 423, first processed by the FTP proxy server layer 421, then processed by the file transfer protocol 417 and other lower layers 415, 413, 411 until the data transfer is actually applied to the transmission media 410. Similarly, any messaging requests are first processed by the SMTP proxy server layer 422, and thereafter processed by the SMTP protocol 418 and other lower layers 415, 413, 411 until the physical layer is reached. The present invention is particularly advantageous because all virus screening is performed below the application level. Therefore, the applications are unaware that such virus detection and elimination is being performed, and these operations are completely transparent to the operation of the application level layers 406. While the FTP proxy server layer 421 and the SMTP proxy server layer 422 have been shown in FIG. 4 as being their own layer to demonstrate the coupling effects they provide between the file transfer layer 423 and file transfer protocol 417, and the electronic mail layer 424 and the SMTP protocol layer 418, those skilled in the art will realize that the FTP proxy server layer 421 and the SMTP proxy server layer 422 can also be correctly viewed as being part of the file transfer protocol layer 417 and the SMTP protocol layer 418, respectively, because they are invisible or transparent to the application layer 406.
A preferred method of operation and an embodiment for the FTP proxy server 60 will be described focusing on its relationship to and its control of the gateway node 33, and thus, control over access to the medium, line 34, for connections to other networks. The method can best be understood with reference to FIGS. 5A and 5B, which graphically show the functions performed by an Internet daemon 70, the FTP proxy server 60, and an FTP daemon 78, each of which resides on the gateway node 33. In FIGS. 5A and 5B, like reference numbers have been used for like parts, and the figures differ only in the direction in which the file is being transferred (either from client task 72 to server task 82 or from server task 82 to client task 72). For the sake of clarity and ease of understanding, only the data ports are shown in FIGS. 5A and 5B, and the bi-directional lines represent command or control pathways and are assumed to include a command port although it is not explicitly shown. The operation of the FTP proxy server 60 will now be described with reference to a file transfer between a client task 72 (requesting machine) and a server task 82 (supplying machine). While it is assumed that the client task 72 (requesting machine) is inside a protected domain and the server task 82 (supplying machine) is outside the protected domain, the invention described below is also used by the gateway node 33 when the client task 72 (requesting machine) is outside the protected domain and the server task 82 (supplying machine) is inside the protected domain.
FIGS. 6A-6C are a flowchart of a preferred method for performing file transfers from a controlled domain of a network across a medium 34 to another network (e.g., a file transfer from a node 32 of the second network 24 across the medium 34 to a second node 32 of the third network 26). The method begins in step 600 with the client node sending a connection request over the network to the gateway node 33. The gateway node 33 preferably has an operating system 64 as described above, and part of the operating system 64 includes a firewall, or program including routines for authenticating users. Once the request is received, the gateway node 33 first tries to authenticate the user and decide whether to allow the connections requested. This is done in a conventional manner typically available as part of UNIX. In step 602, the Internet daemon 70 creates an instance of the FTP proxy server 60 and passes the connection to the FTP proxy server 60 for servicing. The Internet daemon 70 is a program that is part of the operating system 64, and it runs in the background. When being run, one of the functions of the Internet daemon 70 is to bind socket ports for many well-known services, such as TELNET, login, and FTP. When a connect request is detected, the Internet daemon 70, constructed in accordance with the present invention, spawns the FTP proxy server 60, which is the server that will actually handle the data transfer. Thereafter, the FTP proxy server 60 controls the network traffic passing between the client task 72 and the server task 82. Then in step 604, the client node sends a data transfer request and file name, and establishes a first data port 76 through which the data will be transferred between the FTP proxy server 60 and the client task 72. In step 606 the data transfer request and file name are received by the FTP proxy server 60. In step 608, the FTP proxy server 60 determines whether the data is being transferred in an outbound direction (e.g., the file is being transferred from the client task 72 to the server task 82). This can be determined by the FTP proxy server 60 by examining the data transfer request. For example, if the data transfer request is the STOR command then the data is being transferred in an outbound direction; and if the data transfer request is the RETR command then the data is not being transferred in an outbound direction.
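The decisions the FTP proxy server 60 makes from step 608 onward (direction from the FTP command, file-type check, temporary storage at the gateway, scanning, and the configured delete, rename or transfer-anyway action of FIGS. 6B and 6C) are modeled below as an added example; this is editorial illustration, not code from the patent or from Trend Micro. Assumptions: the list of extensions treated as able to carry viruses, the single constructed signature, the configuration keys `on_virus` and `transfer_anyway`, and the FTP reply texts are all made up for the example; STOU and APPE are treated like STOR because they also send data from client to server.

```python
"""Added example (not from the patent): FTP proxy decisions of steps 608-610
and FIGS. 6B/6C over constructed transfers."""
import os
import shutil
import tempfile

SIGNATURES = {"DEMO-VIRUS": b"!!DEMO-VIRUS-BODY!!"}          # constructed pattern
SCANNED_EXTENSIONS = {".exe", ".com", ".dll", ".sys", ".doc", ".zip"}  # assumed list


def transfer_direction(command):
    """Step 608: STOR-type commands move data client -> server (outbound);
    RETR moves data server -> client (inbound)."""
    verb = command.split()[0].upper()
    if verb in ("STOR", "STOU", "APPE"):
        return "outbound"
    if verb == "RETR":
        return "inbound"
    raise ValueError("not a data transfer command: %r" % command)


def may_contain_virus(filename):
    """Step 610: decide by file name extension."""
    return os.path.splitext(filename)[1].lower() in SCANNED_EXTENSIONS


def scan(data):
    """Signature scan; returns names of patterns found."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def proxy_transfer(command, filename, data, config, quarantine_dir):
    """Process one transfer; returns the action, the reply sent to the client,
    the bytes forwarded to the recipient (None if withheld) and where an
    infected copy was kept, if anywhere."""
    result = {"direction": transfer_direction(command), "action": "transfer",
              "warnings": [], "reply": "226 Transfer complete",
              "forwarded": data, "stored_as": None}
    if not may_contain_virus(filename):
        return result                                # passed through unscanned
    fd, tmp_path = tempfile.mkstemp(prefix="ftpproxy-")   # store at gateway
    try:
        with os.fdopen(fd, "wb") as spool:
            spool.write(data)
        with open(tmp_path, "rb") as spool:
            found = scan(spool.read())               # analyze the stored copy
        if not found:
            return result
        result["warnings"] = found                   # detection message to client
        if config.get("transfer_anyway"):
            result["action"] = "transfer_anyway"
            return result
        result["forwarded"] = None
        result["reply"] = "550 Transfer refused: virus %s detected" % ", ".join(found)
        if config.get("on_virus") == "rename":
            kept = os.path.join(quarantine_dir, os.path.basename(filename) + ".vir")
            shutil.move(tmp_path, kept)              # keep renamed copy at gateway
            result["action"] = "rename"
            result["stored_as"] = kept
        else:
            result["action"] = "delete"
        return result
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)                      # erase the temporary file


def demo():
    """Run constructed transfers through the proxy and return its decisions."""
    qdir = tempfile.mkdtemp(prefix="quarantine-")
    clean = b"MZ\x90\x00 clean program image"
    infected = clean + b"\n" + SIGNATURES["DEMO-VIRUS"]
    delete_cfg = {"on_virus": "delete"}
    rename_cfg = {"on_virus": "rename"}
    out = {
        "text_out": proxy_transfer("STOR notes.txt", "notes.txt", infected, delete_cfg, qdir),
        "clean_in": proxy_transfer("RETR tool.exe", "tool.exe", clean, delete_cfg, qdir),
        "bad_in_delete": proxy_transfer("RETR tool.exe", "tool.exe", infected, delete_cfg, qdir),
        "bad_out_rename": proxy_transfer("STOR tool.exe", "tool.exe", infected, rename_cfg, qdir),
        "bad_in_anyway": proxy_transfer("RETR tool.exe", "tool.exe", infected,
                                        {"transfer_anyway": True}, qdir),
    }
    out["quarantined"] = sorted(os.listdir(qdir))
    shutil.rmtree(qdir)
    return out
```

The `text_out` case is worth noticing: the infected bytes pass because the extension check of step 610 decides the file cannot contain a virus, so the scan never runs. That is the design described in the text, and it is why an extension-based pre-filter should be treated as a performance optimization rather than a security boundary.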
`
If the data is being transferred in an outbound direction, then the method transitions from step 608 to step 610. Referring now to FIG. 6B in conjunction with FIG. 5A, the process for transferring data out of the protected domain of the network is described in more detail. In step 610, the FTP proxy server 60 determines whether the file to be transferred is of a type that can contain viruses. This step is preferably performed by checking the extension of the file name. For example, .txt, .bmd, .pcx