United States Patent [19]
Ji et al.

[11] Patent Number: 5,623,600
[45] Date of Patent: Apr. 22, 1997

[54] VIRUS DETECTION AND REMOVAL APPARATUS FOR COMPUTER NETWORKS

[75] Inventors: Shuang Ji, Foster City; Eva Chen, Cupertino, both of Calif.

[73] Assignee: Trend Micro, Incorporated, Cupertino, Calif.

[21] Appl. No.: 533,706
[22] Filed: Sep. 26, 1995

[51] Int. Cl.6: G06F 11/34
[52] U.S. Cl.: 395/187.01; 364/286.4; 364/DIG. 1
[58] Field of Search: 395/186, 187.1, 395/200.06; 380/4; 364/285.1, 286.4

[56] References Cited

U.S. PATENT DOCUMENTS

4,975,950   12/1990   Lentz             380/4
5,319,776    6/1994   Hile et al.       395/187.01
5,414,833    5/1995   Hershey et al.    395/575
5,440,723    8/1995   Arnold et al.     395/181
5,444,850    8/1995   Chang             395/200
5,448,668    9/1995   Perelson et al.   395/182
5,452,442    9/1995   Kephart           395/183
5,485,575    1/1996   Chess et al.      395/183
5,491,791    2/1996   Glowny et al.     395/183
5,511,163    4/1996   Lerche et al.     395/183.15

FOREIGN PATENT DOCUMENTS

666671     8/1995   European Pat. Off.   H04L 29/06
6350784    6/1994   Japan                H04N 1/00
9322723   11/1993   WIPO                 G06F 11/00

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Albert Decady
Attorney, Agent, or Firm: Christopher M. Tobin; Greg T. Sueoka

[57] ABSTRACT

A system for detecting and eliminating viruses on a computer network includes a File Transfer Protocol (FTP) proxy server, for controlling the transfer of files and a Simple Mail Transfer Protocol (SMTP) proxy server for controlling the transfer of mail messages through the system. The FTP proxy server and SMTP proxy server run concurrently with the normal operation of the system and operate in a manner such that viruses transmitted to or from the network in files and messages are detected before transfer into or from the system. The FTP proxy server and SMTP proxy server scan all incoming and outgoing files and messages, respectively before transfer for viruses and then transfer the files and messages, only if they do not contain any viruses. A method for processing a file before transmission into or from the network includes the steps of: receiving the data transfer command and file name; transferring the file to a system node; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the system to a recipient node if the file does not contain a virus; and deleting the file if the file contains a virus.

22 Claims, 12 Drawing Sheets

Symantec 1012
IPR of U.S. Pat. No. 8,677,494

U.S. Patent    Apr. 22, 1997    Sheet 1 of 12    5,623,600

[FIG. 1 (Prior Art): drawing not reproduced]

Sheet 2 of 12

[Drawing text not recoverable]

Sheet 3 of 12

FIG. 3 (block diagram): Memory 44, containing the FTP Proxy Server 60, the SMTP Proxy Server 62, Application Programs 68, and the Operating System 64 with its Kernel 66.

Sheet 4 of 12

FIG. 4

OSI Layer                          Protocol implementation
406 Application                    423 File Transfer; 424 Electronic Mail; 425 Terminal Emulation; 426 Network Management
                                   421 FTP Proxy Server; 422 SMTP Proxy Server
405 Presentation, 404 Session      417 File Transfer Protocol (FTP); 418 Simple Mail Transfer Protocol (SMTP); 419 TELNET Protocol; 420 Simple Network Management Protocol (SNMP)
403 Transport                      415 Transmission Control Protocol (TCP); 416 User Datagram Protocol (UDP)
402 Network                        412 Address Resolution; 413 Internet Protocol (IP); 414 Internet Control Message Protocol (ICMP)
401 Data Link                      411 Network Interface Cards: Ethernet, StarLAN, token ring
400 Physical                       410 Transmission media: twisted pair, coax or fiber optics

Sheet 5 of 12

[Drawing text not recoverable]

Sheet 6 of 12

[Drawing text not recoverable]

Sheet 7 of 12

FIG. 6A (flowchart)

- Client node sends connection request
- 602: Internet Daemon creates an instance of the FTP proxy server & passes connection to the FTP proxy server
- Client node sends data transfer request & file name, and establishes a data port
- Data transfer request & file name received by FTP proxy server
- Decision: Is data being transferred in an outbound direction? (branch label shown: Yes)

Sheet 8 of 12

FIG. 6B (flowchart)

- Decision: Is the file of a type that can contain viruses?
- Transfer file from client to FTP proxy server through port
- Store file temporarily at gateway
- Analyze temporarily stored file for viruses
- 620: Send any virus detection messages from FTP proxy server to client as a reply
- Decision: Does file contain any viruses? (branch labels shown: No, Yes)
- Determine configuration settings
- Send request and file to FTP daemon for transfer to server
- Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file

Other reference numerals on the sheet: 612, 614, 616, 618, 622, and one garbled numeral ("24 f6").

Sheet 9 of 12

FIG. 6C (flowchart)

- Send data transfer request and file name to FTP daemon and then to server
- Establish a second port between FTP daemon and server
- Send file from server to the FTP daemon and then to FTP proxy server
- Decision: Is the file of a type that can contain viruses? (branch label shown: Yes)
- Store file temporarily at gateway
- Analyze temporarily stored file for viruses
- Send any virus detection messages from FTP proxy server to client as a reply
- Decision: Does file contain any viruses? (branch label shown: Yes)
- Transfer file from FTP proxy server to client through port
- Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file

Reference numerals on the sheet: 640, 642, 644, 646, 656, 658, 662.

Sheet 10 of 12

[Drawing text not recoverable]

Sheet 11 of 12

FIG. 8A (flowchart)

- 802: Spawn SMTP proxy server
- 804: Create a first port for communication between the client and SMTP proxy server
- 806: Bind SMTP proxy server to the first port
- 808: Spawn SMTP daemon
- 810: Create a second port for communication from proxy server to SMTP daemon
- 812: Bind SMTP daemon to the second port
- 800: Client node requests a connection from the SMTP proxy server
- 818: Transmit message from client node to SMTP proxy server

Sheet 12 of 12

FIG. 8B (flowchart)

- 820: Scan message for encoded portions
- 828: Store message in temporary file(s)
- 830: Decode message
- 832: Perform virus detection on message
- Decision: Does message contain any viruses? (branch label shown: No)
- 836: Determine configuration for virus detection handling
- 838: Determine action to be taken if virus detected
- 840: Transmit transformed message and perform determined action on each encoded portion
- 824: Transmit message through second port to SMTP daemon
- Create a third port for communication from SMTP daemon to server task
- Bind server task to the third port
- 826: Transmit message through third port to client

Other reference numerals on the sheet: 814, 816, 834.

VIRUS DETECTION AND REMOVAL APPARATUS FOR COMPUTER NETWORKS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer systems and computer networks. In particular, the present invention relates to a system and method for detecting and removing computer viruses. Still more particularly, the present invention relates to a system and method for detecting and removing computer viruses from file and message transfers between computer networks.

2. Description of the Related Art

During the recent past, the use of computers has become widespread. Moreover, the interconnection of computers into networks has also become prevalent. Referring now to FIG. 1, a block diagram of a portion of a prior art information system 20 is shown. The portion of the information system 20 shown comprises a first network 22, a second network 24 and third network 26. This information system 20 is provided only by way of example, and those skilled in the art will realize that the information system 20 may include any number of networks, each of the networks being its own protected domain and having any number of nodes.

As shown in FIG. 1, each of the networks 22, 24, 26 is formed from a plurality of nodes 30, 32. Each of the nodes 30, 32 is preferably a microcomputer. The nodes 30, 32 are coupled together to form a network by a plurality of network connections 36. For example, the nodes 30, 32 may be connected together using a token ring format, ethernet format or any of the various other formats known in the art. Each of the networks 22, 24, 26 includes a node 32 that acts as a gateway to link the respective network 22, 24, 26 to other networks 22, 24, 26. Each of the gateway nodes 32 is preferably coupled by a standard telephone line connection 34 such as POTS (Plain Old Telephone Service) or a T-1 link to the other gateway nodes 32 through a telephone switching network 28. All communication between the networks 22, 24, 26 is preferably performed through one of the gateway nodes 32.

One particular problem that has plagued computers, in particular microcomputers, has been computer viruses and worms. A computer virus is a section of code that is buried or hidden in another program. Once the program is executed, the code is activated and attaches itself to other programs in the system. Infected programs in turn copy the code to other programs. The effect of such viruses can be simple pranks that cause a message to be displayed on the screen or more serious effects such as the destruction of programs and data.

Another problem in the prior art is worms. Worms are destructive programs that replicate themselves throughout disk and memory using up all available computer resources eventually causing the computer system to crash. Obviously, because of the destructive nature of worms and viruses, there is a need for eliminating them from computers and networks.

The prior art has attempted to reduce the effects of viruses and prevent their proliferation by using various virus detection programs. One such virus detection method, commonly referred to as behavior interception, monitors the computer or system for important operating system functions such as write, erase, format disk, etc. When such operations occur, the program prompts the user for input as to whether such an operation is expected. If such an operation is not expected (e.g., the user was not operating any program that employed such a function), the user can abort the operation knowing it was being prompted by a virus program. Another virus detection method, known as signature scanning, scans program code that is being copied onto the system. The system searches for known patterns of program code used for viruses. Currently, signature scanning only operates on the floppy disk drives, hard drives or optical drives. Yet another prior art approach to virus detection performs a checksum on all host programs stored on a system and known to be free from viruses. Thus, if a virus later attaches itself to a host program, the checksum value will be different and the presence of a virus can be detected.

Nonetheless, these approaches of the prior art suffer from a number of shortcomings. First, behavior interception is not successful at detecting all viruses because critical operations that may be part of the code for a virus can be placed at locations where such critical operations are likely to occur for the normal operation of programs. Second, most signature scanning is only performed on new inputs from disk drives. With the advent of the Internet and its increased popularity, there are no prior art methods that have been able to successfully scan connections 36 such as those utilized by a gateway node in communicating with other networks. Third, many of the above methods require a significant amount of computing resources, which in turn degrades the overall performance of the system. Thus, operating the virus detection programs on every computer becomes impractical. Therefore, the operation of many such virus detection programs is disabled for improved performance of individual machines.

Therefore, there is a need for a system and method for effectively detecting and eliminating viruses without significantly affecting the performance of the computer. Moreover, there is a need for a system and method that can detect and eliminate viruses in networks attached to other information systems by way of gateways or the Internet.

SUMMARY OF THE INVENTION

The present invention overcomes the limitations and shortcomings of the prior art with an apparatus and method for detecting and eliminating viruses on a computer network. A system including the present invention is a network formed of a plurality of nodes and a gateway node for connection to other networks. The nodes are preferably microcomputers, and the gateway node comprises: a display device, a central processing unit, a memory forming the apparatus of the present invention, an input device, a network link and a communications unit. The memory further comprises an operating system including a kernel, a File Transfer Protocol (FTP) proxy server, and a Simple Mail Transfer Protocol (SMTP) proxy server. The central processing unit, display device, input device, and memory are coupled and operate to execute the application programs stored in the memory. The central processing unit of the gateway node also executes the FTP proxy server for transmitting and receiving files over the communications unit, and executes the SMTP proxy server for transmitting and receiving messages over the communications unit. The FTP proxy server and SMTP proxy server are preferably executed concurrently with the normal operation of the gateway node. The servers advantageously operate in a manner such that viruses transmitted to or from the network in messages and files are detected before the files are transferred into or from the network. The gateway node of the present invention is particularly advantageous because the impact of using the FTP proxy server and SMTP proxy server for the detection of viruses is minimized because only the files leaving or entering the network are evaluated for the presence of viruses and all other "intra" network traffic is unaffected.

The present invention also comprises a method for processing a file before transmission into the network and a method for processing a file before transmission from the network. The preferred method for processing a file comprises the steps of: receiving the data transfer command and file name; transferring the file to the proxy server; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the proxy server to a recipient node if the file does not contain a virus; and performing a preset action with the file if it does contain a virus. The present invention also includes methods for processing messages before transmission to or from the network that operate in a similar manner.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a prior art information system with a plurality of networks and a plurality of nodes upon which the present invention operates;

FIG. 2 is a block diagram of a preferred embodiment for a gateway node including the apparatus of the present invention;

FIG. 3 is a block diagram of a preferred embodiment for a memory of the gateway node including the apparatus of the present invention;

FIG. 4 is a block diagram of a preferred embodiment for a protocol layer hierarchy constructed according to the present invention compared to the OSI layer model of the prior art;

FIG. 5A is a functional block diagram showing a preferred system for sending data files according to a preferred embodiment of the present invention;

FIG. 5B is a functional block diagram showing a preferred system for receiving data files according to a preferred embodiment of the present invention;

FIGS. 6A, 6B and 6C are a flowchart of the preferred method for performing file transfer according to the present invention;

FIG. 7 is a functional block diagram showing a preferred system for transmitting mail messages according to a preferred embodiment of the present invention; and

FIGS. 8A and 8B are a flow chart of a preferred method for sending messages to/from a network.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The virus detection system and method of the present invention preferably operates on an information system 20 as has been described above with reference to FIG. 1. The present invention, like the prior art, preferably includes a plurality of node systems 30 and at least one gateway node 33 for each network 22, 24, 26. However, the present invention is different from the prior art because it provides a novel gateway node 33 that also performs virus detection for all files being transmitted into or out of a network. Furthermore, the novel gateway node 33 also performs virus detection on all messages being transmitted into or out of an associated network.

Referring now to FIG. 2, a block diagram of a preferred embodiment of the novel gateway node 33 constructed in accordance with the present invention is shown. A preferred embodiment of the gateway node 33 comprises a display device 40, a central processing unit (CPU) 42, a memory 44, a data storage device 46, an input device 50, a network link 52, and a communications unit 54. The CPU 42 is connected by a bus 56 to the display device 40, the memory 44, the data storage device 46, the input device 50, the network link 52, and the communications unit 54 in a von Neumann architecture. The CPU 42, display device 40, input device 50, and memory 44 may be coupled in a conventional manner such as a personal computer. The CPU 42 is preferably a microprocessor such as a Motorola 68040 or Intel Pentium or X86 type processor; the display device 40 is preferably a video monitor; and the input device 50 is preferably a keyboard and mouse type controller. The CPU 42 is also coupled to the data storage device 44 such as a hard disk drive in a conventional manner. Those skilled in the art will realize that the gateway node 33 may also be a minicomputer or a mainframe computer.

The bus 56 is also coupled to the network link 52 to facilitate communication between the gateway node 33 and the other nodes 30 of the network. In the preferred embodiment of the present invention, the network link 52 is preferably a network adapter card including a transceiver that is coupled to a cable or line 36. For example, the network link 52 may be an ethernet card connected to a coaxial line, a twisted pair line or a fiber optic line. Those skilled in the art will realize that a variety of different networking configurations and operating systems including token ring, ethernet, or arcnet may be used and that the present invention is independent of such use. The network link 52 is responsible for sending, receiving, and storing the signals sent over the network or within the protected domain of a given network. The network link 52 is coupled to the bus 56 to provide these signals to the CPU 34 and vice versa.

The bus 56 is also coupled to the communications unit 54 to facilitate communication between the gateway node 33 and the other networks. Specifically, the communications unit 54 is coupled to the CPU 42 for sending data and messages to other networks. For example, the communications unit 54 may be a modem, a bridge or a router coupled to the other networks in a conventional manner. In the preferred embodiment of the present invention, the communications unit 54 is preferably a router. The communications unit 54 is in turn coupled to other networks via a media 34 such as a dedicated T-1 phone line, fiber optics, or any one of a number of conventional connecting methods.

The CPU 42, under the guidance and control of instructions received from the memory 44 and from the user through the input device 50, provides signals for sending and receiving data using the communications unit 54. The transfer of data between networks is broken down into the sending and receiving of files and messages, which in turn are broken down into packets. The methods of the present invention employ a virus detection scheme that is applied to all transfers of messages and files into or out of a network via its gateway node 33.

Referring now to FIG. 3, the preferred embodiment of the memory 44 for the gateway node 33 is shown in more detail. The memory 44 is preferably a random access memory (RAM), but may also include read-only memory (ROM). The memory 44 preferably comprises a File Transfer Protocol (FTP) proxy server 60, a Simple Mail Transfer Protocol (SMTP) proxy server 62, and an operating system 64 including a kernel 66. The routines of the present invention for detecting viruses in file transfers and messages primarily include the FTP proxy server 60 and the SMTP proxy server 62. The FTP proxy server 60 is a routine for controlling file transfers to and from the gateway node 33 via the communications unit 54, and thus controlling file transfers to and from a given network of which the gateway node is a part. The operation of the FTP proxy server 60 is described below in more detail with reference to FIGS. 5A, 5B, 6A, 6B and 6C. Similarly, the SMTP proxy server 62 is a routine for controlling the transfer of messages to and from the gateway node 33, and thus to and from the respective network associated with the gateway node 33. The operation of the SMTP proxy server 62 is described below in more detail with reference to FIGS. 7, 8A and 8B. The present invention preferably uses a conventional operating system 28 such as Berkeley Software Distribution UNIX. Those skilled in the art will realize how the present invention may be readily adapted for use with other operating systems such as MACINTOSH System Software version 7.1, DOS, WINDOWS or WINDOWS NT. The memory 44 may also include a variety of different application programs 68 including but not limited to computer drawing programs, word processing programs, and spreadsheet programs. The present invention is particularly advantageous over the prior art because it minimizes the impact of virus detection and elimination since the FTP proxy server 60 and SMTP proxy server 62 are preferably only included or installed in the memory 44 of the gateway nodes 33. Thus, all data being transferred inside the protected domain of a given network will not be checked because the data packets might not be routed via the gateway node 33.

While the apparatus of the present invention, in particular the FTP proxy server 60 and SMTP proxy server 62, has been described above as being located and preferably is located on the gateway node 33, those skilled in the art will realize that the apparatus of the present invention could also be included on a FTP server or a world wide web server for scanning files and messages as they are downloaded from the web. Furthermore, in an alternate embodiment, the apparatus of the present invention may be included in each node of a network for performing virus detection on all messages received or transmitted from that node.

As best shown in FIG. 4, the CPU 42 also utilizes a protocol layer hierarchy to communicate over the network. The protocol layers of the hierarchy of the present invention are shown in FIG. 4 in comparison to the ISO-OSI reference model, for example. The protocol layers 410-426 of the hierarchy of the present invention are similar to the prior art protocol layers for the lower four layers 400-403 including: (1) a physical layer 400 formed of the transmission media 410; (2) a data link layer 401 formed of the network interface cards 411; (3) a network layer 402 formed of address resolution 412, Internet protocol 413 and Internet control message protocol 414; and (4) a transport layer 403 formed of the transmission control protocol 415 and a user datagram protocol 416. Corresponding to the presentation 405 and session 404 layers, the protocol hierarchy of the present invention provides four methods of communication: a file transfer protocol 417, a simple mail transfer protocol 419, a TELNET protocol 419 and a simple network management protocol 420. There are corresponding components on the application layer 406 to handle file transfer 423, electronic mail 424, terminal emulation 425, and network management 426. The present invention advantageously detects, controls and eliminates viruses by providing an additional layer between the application layer 406 and the presentation layer 405 for the gateway nodes 33. In particular, according to the hierarchy of the present invention, a FTP proxy server layer 421 and a SMTP proxy server layer 422 are provided. These layers 421, 422 operate in conjunction with the file transfer layer 423 and file transfer protocol 417, and the electronic mail layer 424 and the SMTP protocol layer 418, to process file transfers and messages, respectively. For example, any file transfer requests are generated by the file transfer application 423, first processed by the FTP proxy server layer 421, then processed by the file transfer protocol 417 and other lower layers 415, 413, 411 until the data transfer is actually applied to the transmission media 410. Similarly, any messaging requests are first processed by the SMTP proxy server layer 418, and thereafter processed by the SMTP protocol and other lower layers 415, 413, 411 until the physical layer is reached. The present invention is particularly advantageous because all virus screening is performed below the application level. Therefore, the applications are unaware that such virus detection and elimination is being performed, and these operations are completely transparent to the operation of the application level layers 406. While the FTP proxy server layer 421 and the SMTP proxy server layer 422 have been shown in FIG. 4 as being their own layer to demonstrate the coupling effects they provide between the file transfer layer 423 and file transfer protocol 417, and the electronic mail layer 424 and the SMTP protocol layer 418, those skilled in the art will realize that the FTP proxy server layer 421 and the SMTP proxy server layer 422 can also be correctly viewed as being part of the file transfer protocol layer 417 and the SMTP protocol layer 418, respectively, because they are invisible or transparent to the application layer 406.

A preferred method of operation and an embodiment for the FTP proxy server 60 will be described focusing on its relationship to and its control of the gateway node 33, and thus, control over access to the medium, line 34, for connections to other networks. The method can best be understood with reference to FIGS. 5A and 5B, that graphically show the functions performed by an Internet daemon 70, the FTP proxy server 60, and an FTP daemon 78, each of which resides on the gateway node 33. In FIGS. 5A and 5B, like reference numbers have been used for like parts and the figures are different only in the direction in which the file is being transferred (either from client task 72 to server task 82 or from server task 82 to client task 72). For the sake of clarity and ease of understanding only the data ports are shown in FIGS. 5A and 5B, and the bi-directional lines represent command or control pathways and are assumed to include a command port although it is not explicitly shown.

The operation of the FTP proxy server 60 will now be described with reference to a file transfer between a client task 72 (requesting machine) and a server task 82 (supplying machine). While it is assumed that the client task 72 (requesting machine) is inside a protected domain and the server task 82 (supplying machine) is outside the protected domain, the invention described below is also used by the gateway node 33 when client task 72 (requesting machine) is outside the protected domain and the server task 82 (supplying machine) is inside the protected domain.

FIGS. 6A-6C are a flowchart of a preferred method for performing file transfers from a controlled domain of a network across a medium 34 to another network (e.g., a file transfer from a node 32 of the second network 24 across the media 34 to a second node 32 of the third network 26). The method begins with step 600 with the client node sending a connection request over the network to the gateway node 33. In step 602, the gateway node 33 preferably has an operating system 64 as described above, and part of the operating system 64 includes a fire wall, or program including routines for authenticating users. The gateway node 33 first tries to authenticate the user and decide whether to allow the connections requested, once the request is received. This is done in a conventional manner typically available as part of UNIX. The Internet daemon 70 creates an instance of the FTP proxy server 60 and passes the connection to the FTP proxy server 60 for servicing in step 602. The Internet daemon 70 is a program that is part of the operating system 64, and it runs in the background. When being run, one of the functions of the Internet daemon 70 is to bind socket ports for many well-known services, such as TELNET, login, and FTP. When a connect request is detected, the Internet daemon 70 constructed in accordance with the present invention, spawns the FTP proxy server 60, which is the server that will actually handle the data transfer. Thereafter, the FTP proxy server 60 controls the network traffic passing between the client task 72 and the server task 82. Then in step 604, the client node sends a data transfer request and file name, and establishes a first data port 76 through which the data will be transferred between the FTP proxy server 60 and the client task 72. In step 606 the data transfer request and file name are received by the FTP proxy server 60. In step 608, the FTP proxy server 60 determines whether the data is being transferred in an outbound direction (e.g., the file is being transferred from the client task 72 to the server task 82). This can be determined by the FTP proxy server 60 by comparing the data transfer request. For example, if the data transfer request is the STOR command then the data is being transferred in an outbound direction; and if the data transfer request is the RETR command then the data is not being transferred in an outbound direction.

If the data is being transferred in an outbound direction, then the method transitions from step 608 to step 610. Referring now to FIG. 6B in conjunction with FIG. 5A, the process for transferring data out of the protected domain of the network is described in more detail. In step 610, the FTP proxy server 60 determines whether the file to be transferred is of a type that can contain viruses. This step is preferably performed by checking the extension of the file name. For example, .txt, .bmd, .pcx and .gif extension files indicate that the file is not likely to contain viruses while .exe, .zip, and .com extension files are of the type that often contain viruses. If the file to be transferred is not of a type that can contain viruses, then the method continues in step 612. In s
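
As an added illustration (not code from the patent or from any Trend Micro product), the following Python example walks the gateway decision flow described above and drawn in FIGS. 6A-6C: direction from the STOR/RETR request (step 608), the file-name extension check (step 610), scanning of the temporarily stored copy, and the configured delete-or-rename handling. The function names, the signature table, the reply texts and the rule that every extension outside the listed unlikely types is scanned are assumptions of this example.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Extensions the description lists as unlikely to contain viruses. Everything
# else is scanned: an assumption of this example, so that unknown, upper-case
# or doubled extensions ("report.txt.EXE") still reach the scanner.
SKIP_SCAN = {".txt", ".bmd", ".pcx", ".gif"}

# Constructed stand-in for a signature database; not a real virus signature.
SIGNATURES = {"Constructed.Test": b"CONSTRUCTED-TEST-SIGNATURE"}

OK_REPLY = "226 Transfer complete"  # reply text is constructed for the example


@dataclass
class Outcome:
    direction: str                 # "outbound" (STOR) or "inbound" (RETR)
    scanned: bool
    virus: Optional[str]
    action: str                    # "forwarded", "deleted" or "renamed"
    reply: str                     # reply line returned to the client
    kept_as: Optional[str] = None  # path of the renamed copy, if any


def parse_request(command: str) -> Tuple[str, str]:
    """Steps 606-608: split the data transfer request into direction and file name."""
    verb, _, filename = command.strip().partition(" ")
    directions = {"STOR": "outbound", "RETR": "inbound"}
    if verb.upper() not in directions or not filename.strip():
        raise ValueError(f"not a data transfer request: {command!r}")
    return directions[verb.upper()], filename.strip()


def needs_scan(filename: str) -> bool:
    """Step 610: decide from the extension whether the file can contain viruses."""
    return PurePosixPath(filename).suffix.lower() not in SKIP_SCAN


def scan(data: bytes) -> Optional[str]:
    """Signature scanning: name of the first known pattern found, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def handle_transfer(command: str, data: bytes, gateway_dir: str,
                    on_virus: str = "delete") -> Outcome:
    """Apply the FIG. 6B/6C flow to one transfer and report what the gateway did."""
    if on_virus not in ("delete", "rename"):
        raise ValueError("on_virus must be 'delete' or 'rename'")
    direction, filename = parse_request(command)
    if not needs_scan(filename):
        return Outcome(direction, False, None, "forwarded", OK_REPLY)

    # Store the file temporarily at the gateway, then analyze the stored copy.
    fd, tmp_path = tempfile.mkstemp(dir=gateway_dir, prefix="xfer-")
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(data)
        with open(tmp_path, "rb") as stored:
            virus = scan(stored.read())
        if virus is None:
            return Outcome(direction, True, None, "forwarded", OK_REPLY)
        reply = f"550 Transfer refused: {virus} detected"
        if on_virus == "rename":
            # Keep a renamed copy; only the base name of the client-supplied
            # path is used, so the copy cannot land outside gateway_dir.
            kept = os.path.join(gateway_dir,
                                PurePosixPath(filename).name + ".infected")
            os.replace(tmp_path, kept)
            return Outcome(direction, True, virus, "renamed", reply, kept)
        return Outcome(direction, True, virus, "deleted", reply)
    finally:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)  # erase the temporary file in every case


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as gateway:
        for cmd, payload in [
            ("RETR tool.exe", b"ordinary bytes"),
            ("STOR report.txt.EXE", b"x" + SIGNATURES["Constructed.Test"]),
            ("STOR notes.txt", b"plain text"),
        ]:
            print(cmd, "->", handle_transfer(cmd, payload, gateway))
```

Because the file name is supplied by the sender, the skip list is the weakest part of this flow; keeping it short and scanning everything else is the conservative setting.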
