United States Patent [19]
Ji et al.

[11] Patent Number: 5,889,943
[45] Date of Patent: Mar. 30, 1999
US005889943A

[54] APPARATUS AND METHOD FOR ELECTRONIC MAIL VIRUS DETECTION AND ELIMINATION

[75] Inventors: Shuang Ji, Foster City; Eva Chen; Yung-Chang Liang, both of Cupertino, all of Calif.; Warren Tsai, Taipei, Taiwan

[73] Assignee: Trend Micro Incorporated, Taiwan

[21] Appl. No.: 625,800

[22] Filed: Mar. 29, 1996

Related U.S. Application Data

[63] Continuation-in-part of Ser. No. 533,706, Sep. 26, 1995, Pat. No. 5,623,600.

[51] Int. Cl.6: G06F 13/00; G07D 7/00; H04L 9/00
[52] U.S. Cl.: 395/187.01; 364/286.4; 395/200.06; 340/825.34; 380/49
[58] Field of Search: 395/183.14, 183.17, 183.18, 186, 187.01, 200.06; 380/4, 49; 364/269.4, 285.4, 286.4, 222.5; 340/825.34

[56] References Cited

U.S. PATENT DOCUMENTS

4,975,950   12/1990   Lentz              380/4
5,278,901    1/1994   Shieh et al.       380/4
5,319,776    6/1994   Hile et al.        395/575
5,321,840    6/1994   Ahlin et al.       395/700
5,414,833    5/1995   Hershey et al.     395/575
5,428,795    6/1995   Johnson et al.     395/725
5,440,723    8/1995   Arnold et al.      395/181
5,444,850    8/1995   Chang              395/200
5,448,668    9/1995   Perelson et al.    395/182
5,452,442    9/1995   Kephart            395/183
5,485,575    1/1996   Chess et al.       395/183
5,491,791    2/1996   Glowny et al.      395/183
5,511,163    4/1996   Lerche et al.      398/183
5,530,757    6/1996   Krawczyk           380/23
5,550,976    8/1996   Henderson et al.   395/200.06
5,550,984    8/1996   Gelb               395/200.17
5,623,600    4/1997   Ji et al.          395/187.01

FOREIGN PATENT DOCUMENTS

6350784    6/1994   Japan   H04N 1/00
9322723   11/1993   WIPO    G06F 11/00

OTHER PUBLICATIONS

Omura, Jim K., Novel Applications of Cryptography in Digital Comms., IEEE, pp. 21-28, May 1990.
"Tenfour Announces TFS Gateway Release 3-The Next Generation of E-mail gateways;" Presswire (entire document), Jun. 12, 1997.
"First E-mail Virus Protection for HP-UX", Internet Content Report, vol. 1, No. 18, Comm Industry Researchers (entire document), 15 Dec. 1996.

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Norman Wright
Attorney, Agent, or Firm: Skjerven, Morrill, MacPherson, Franklin & Friel; Norman R. Klivans

[57] ABSTRACT

The detection and elimination of viruses on a computer network is disclosed. An apparatus for detecting and eliminating viruses which may be introduced by messages sent through a postal node of a network electronic mail system includes polling and retrieval modules in communication with the postal node to determine the presence of unscanned messages and to download data associated with them to a node for treatment by a virus analysis and treatment module. A method for detecting and eliminating viruses introduced by an electronic mail system includes polling the postal node for unscanned messages, downloading the messages into a memory of a node, and performing virus detection and analysis at the node.

42 Claims, 19 Drawing Sheets

Blue Coat Systems - Exhibit 1015

U.S. Patent   Mar. 30, 1999   Sheet 1 of 19   5,889,943

[FIG. 1 (Prior Art): block diagram; drawing not reproduced in the text extraction. Reference numerals legible in the scan: 20, 24, 26.]

[FIG. 2: block diagram of the gateway node; drawing not reproduced. Box labels legible in the scan: Display device, Processor (CPU), Memory, Data storage device, Input Device, Network Link, Communications Unit; reference numerals 33, 34, 36, 40, 42, 44, 46, 50, 52, 54, 56.]

[FIG. 3: block diagram of the gateway node memory; drawing not reproduced. Box labels legible in the scan: Operating System, FTP Proxy Server, SMTP Proxy Server, Application Programs, Memory; reference numerals 44, 60, 64, 66.]

[FIG. 4: protocol layer hierarchy of the gateway node compared with the OSI layer model; drawing not reproduced. Labels legible in the scan: OSI layers (numerals 400 to 406): Physical, Data Link, Network, Transport, Session, Presentation, Application. Protocol implementation: Transmission media: twisted pair, coax or fiber optics; Network Interface Cards: Ethernet, StarLAN, Token Ring; Internet Protocol (IP), Address Resolution, Internet Control Message Protocol (414); Transmission Control Protocol (TCP) (415), User Datagram Protocol (UDP) (416); File Transfer Protocol (FTP) (417), Simple Mail Transfer Protocol (SMTP) (418), TELNET Protocol (419), Simple Network Management Protocol (SNMP) (420); FTP Proxy Server, SMTP Proxy Server (422); File Transfer (423), Electronic Mail (424), Terminal Emulation (425), Network Management (426).]

[Sheet 4 of 19: functional block diagram; figure label and box text not legible in the scan; drawing not reproduced.]

[Sheet 5 of 19: functional block diagram; figure label and box text not legible in the scan; drawing not reproduced.]

[Sheet 6 of 19, FIG. 6A: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
Start
600: Client node sends connection request
602: Internet Daemon creates an instance of the FTP proxy server and passes connection to the FTP proxy server
604: Client node sends data transfer request and file name, and establishes a data port
606: Data transfer request and file name received by FTP proxy server
608: Is data being transferred in an outbound direction? (Yes / No)]

[Sheet 7 of 19, FIG. 6B: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
610: Is the file of a type that can contain viruses? (Yes / No)
612: Send request and file to FTP daemon for transfer to server
614: Transfer file from client to FTP proxy server through port
616: Store file temporarily at gateway
618: Analyze temporarily stored file for viruses
620: Send any virus detection messages from FTP proxy server to client as a reply
622: Does the file contain ... ? (decision text partly illegible; Yes / No)
624: Determine configuration settings
628: Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file
End]

[Sheet 8 of 19, FIG. 6C: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
640: Send data transfer request and file name to FTP daemon and then to server
642: Establish a second port between FTP daemon and server
644: Send file from server to the FTP daemon and then to FTP proxy server
646: Is the file of a type that can contain viruses? (Yes / No)
648: Transfer file from FTP proxy server to client through port
650: Store file temporarily at gateway
652: Analyze temporarily stored file for viruses
654: Send any virus detection messages from FTP proxy server to client as a reply
656: (decision box, text not legible; Yes / No)
658: Retrieve configuration file
662: Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file
End]

[Sheet 9 of 19: functional block diagram; figure label and box text not legible in the scan; drawing not reproduced.]

[Sheet 10 of 19, FIG. 8A: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
Start
800: Client node requests a connection from the SMTP proxy server
802: Spawn SMTP proxy server
804: Create a first port for communication between the client and SMTP proxy server
806: Bind SMTP proxy server to the first port
808: Spawn SMTP daemon
810: Create a second port for communication from proxy server to SMTP daemon
812: Bind SMTP daemon to the second port
818: Transmit message from client node to SMTP proxy server
Connector A (continued in FIG. 8B)]

[Sheet 11 of 19, FIG. 8B: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes where their position allows:
820: Does message include encoded portions? (Yes / No)
822: Store message in temporary file(s)
Decode message
Perform virus detection on message
Does message contain ... ? (decision text partly illegible; Yes / No)
Determine configuration for virus detection handling
Determine action to be taken if virus detected
Transmit transformed message and perform determined action on each encoded portion
824: Transmit message through second port to SMTP daemon
814: Create a third port for communication from SMTP daemon to server task
816: Bind server task to the third port
826: Transmit message through third port to client
840: End
Further numerals legible but not pairable with a box: 828, 830, 832, 834, 836, 838]

[FIG. 9 (Prior Art): block diagram of electronic mail system 200; drawing not reproduced. Labels legible in the scan: 232 (Postal Node), 234.]

[FIG. 10a: block diagram of the postal node; drawing not reproduced. Box labels legible in the scan: Display Device, CPU, Memory, Data Storage Device, Input Device, Network Link, Communications Link; reference numerals 234, 236, 258, 260, 262, 264, 266, 268, 269, 270.]

[FIG. 10b: block diagram of the postal node memory; drawing not reproduced. Box labels legible in the scan: Operating System, Mail Management Program, Application Progs.; reference numerals 262, 270, 290, 291, 292, 296.]

[FIG. 10c: block diagram of the postal node data storage device; drawing not reproduced. Box labels legible in the scan: Directory, Header Storage, Attachment Storage, Corrupted File Storage; reference numerals 264, 270, 297, 298, 300, 302.]

[FIG. 11a: block diagram of client node 230; drawing not reproduced. Box labels legible in the scan: Display Device, CPU, Memory, Data Storage Device, Input Device, Network Link; reference numerals 236, 244, 246, 248, 250, 252, 254, 256.]

[FIG. 11b: block diagram of the client node memory; drawing not reproduced. Box labels legible in the scan: Operating System, Local Electronic Mail Program, Mail Scanning Module, Application Progs.; reference numerals 248, 256, 272, 273 and three partly illegible numerals of the form 2_4, 2_6, 2_8.]

[FIG. 11c: block diagram of the mail scanning module; drawing not reproduced. Box labels legible in the scan: Mail Sending Module, Mail Scanning Manager, Polling Module, Retrieval Module, Data Buffer, Virus Analyzing and Treatment Module, Decoder Module, Scanned Message FIFO Buffer; reference numerals 256, 276, 280, 281, 282, 283, 284, 285, 286, 288.]

[FIG. 11d: format for storing data in the data buffer; drawing not reproduced. Each entry carries a Message Identifier, a Message Header and a Status field, repeated for successive messages; reference numerals 285, 288, 310, 312, 314.]

[Sheet 16 of 19, FIG. 12: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
Start
1200: Poll postal node for unread messages by emulating the Electronic Mail System polling routines
1205: Download or copy message data to Client Node
1210: Scan message for viruses
1215: Does message have ... ? (decision text partly illegible; Yes / No)
1225: Take corrective action according to configuration settings
End
Further numeral legible: 1220]

[Sheet 17 of 19, FIG. 13: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
1302: Start
1304: Poll Postal Node for unread messages
1306: Access Postal Node to retrieve message ID Number and Message header by emulating System Mail Protocol
1308: Determine whether unread message has been scanned
1310: (decision box; Yes / No)
1312: Predetermined Delay
1314: More ... ? (decision text partly illegible; Yes / No)
1316: Copy message information in Data Buffer
1318: Are there attachment(s) to be analyzed? (Yes / No)
1400: Perform Attachment(s) Scanning Protocol
1500: Perform infected Attachment(s) Treatment Protocol
1320: Add message in FIFO Buffer and set Flag as scanned]

[Sheet 18 of 19, FIG. 14: flowchart; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
1400: Access Next Attachment in temporary file
1405 / 1410: Is the attachment file of the type that can contain viruses? (Yes / No)
1415: Decode Attachment File
1420: Perform Virus Detection on Attachment File
1430: Identify Attachment File as Infected
1435: Any additional attachment Files to Scan for ... ? (decision text partly illegible; Yes / No)
End]

[Sheet 19 of 19, FIG. 15: flowchart, Treatment Protocol 1500; drawing not reproduced. Boxes legible in the scan, numerals paired with boxes by their position:
1505: Determine Configuration Settings
1510: Access Next Infected Attachment in Temporary File
1515: Store a copy of the infected Attachment in the Corrupted File Memory
1520: Can the Attachment be ... ? (decision text partly illegible; Yes / No)
1525: Replace Attachment File at Postal Node with Treated File or Forward/Resend the cleaned attachment to the recipient dependent upon configuration settings
1530 / 1535: Clean portions which can be cleaned, delete attachment altogether, strip infected portions and/or insert a recipient warning dependent upon configuration settings
Are party warning settings enabled? (Yes / No)
1550 / 1555: Alert sender and/or network administrator to the infected attachment file
1545: Are there additional attachment files to scan for this ... ? (decision text partly illegible; Yes / No)
1540: Erase Temporary File]

5,889,943

APPARATUS AND METHOD FOR ELECTRONIC MAIL VIRUS DETECTION AND ELIMINATION

This application is a continuation-in-part of application Ser. No. 08/533,706, filed Sep. 26, 1995, now U.S. Pat. No. 5,623,600.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer systems and computer networks. In particular, the present invention relates to a system and method for detecting and removing computer viruses. Still more particularly, the present invention relates to a system and method for detecting and removing computer viruses from file and message transfers between computer networks and to an apparatus and method for detecting and removing computer viruses from files and messages accessed by electronic mail through a network postal node.

2. Description of the Related Art

During the recent past, the use of computers has become widespread. Moreover, the interconnection of computers into networks has also become prevalent. Referring now to FIG. 1, a block diagram of a portion of a prior art information system 20 is shown. The portion of the information system 20 shown comprises a first network 22, a second network 24 and third network 26. This information system 20 is provided only by way of example, and those skilled in the art will realize that the information system 20 may include any number of networks, each of the networks being its own protected domain and having any number of nodes. As shown in FIG. 1, each of the networks 22, 24, 26 is formed from a plurality of nodes 30, 32. Each of the nodes 30, 32 is preferably a microcomputer. The nodes 30, 32 are coupled together to form a network by a plurality of network connections 36. For example, the nodes 30, 32 may be connected together using a token ring format, ethernet format or any of the various other formats known in the art. Each of the networks 22, 24, 26 includes a node 32 that acts as a gateway to link the respective network 22, 24, 26 to other networks 22, 24, 26. Each of the gateway nodes 32 is preferably coupled by a standard telephone line connection 34 such as POTS (Plain Old Telephone Service) or a T-1 link to the other gateway nodes 32 through a telephone switching network 28. All communication between the networks 22, 24, 26 is preferably performed through one of the gateway nodes 32.

Also of increasing prevalence is the use of electronic mail to access information. Referring now to FIG. 9, an electronic mail system 200 is shown to include a plurality of client nodes 230, which preferably are microcomputers, connected to a postal node 232 arranged to facilitate electronic mail accesses such as those between the client nodes 230. The postal node may also include a communications link 234 to another network or may communicate with additional postal nodes (not shown). Electronic mail may be accessed from the postal node 232 to single or multiple users, and may include simple messages or complex information including files with viruses.

One particular problem that has plagued computers, in particular microcomputers, has been computer viruses and worms. A computer virus is a section of code that is buried or hidden in another program. Once the program is executed, the code is activated and attaches itself to other programs in the system. Infected programs in turn copy the code to other programs. The effect of such viruses can be simple pranks that cause a message to be displayed on the screen or more serious effects such as the destruction of programs and data. Another problem in the prior art is worms. Worms are destructive programs that replicate themselves throughout disk and memory using up all available computer resources, eventually causing the computer system to crash. Obviously, because of the destructive nature of worms and viruses, there is a need for eliminating them from computers and networks.

The prior art has attempted to reduce the effects of viruses and prevent their proliferation by using various virus detection programs. One such virus detection method, commonly referred to as behavior interception, monitors the computer or system for important operating system functions such as write, erase, format disk, etc. When such operations occur, the program prompts the user for input as to whether such an operation is expected. If such an operation is not expected (e.g., the user was not operating any program that employed such a function), the user can abort the operation knowing it was being prompted by a virus program. Another virus detection method, known as signature scanning, scans program code that is being copied onto the system. The system searches for known patterns of program code used for viruses. Currently, signature scanning only operates on the floppy disk drives, hard drives or optical drives. Yet another prior art approach to virus detection performs a checksum on all host programs stored on a system and known to be free from viruses. Thus, if a virus later attaches itself to a host program, the checksum value will be different and the presence of a virus can be detected.

Nonetheless, these approaches of the prior art suffer from a number of shortcomings. First, behavior interception is not successful at detecting all viruses because critical operations that may be part of the code for a virus can be placed at locations where such critical operations are likely to occur for the normal operation of programs. Second, most signature scanning is only performed on new inputs from disk drives. With the advent of the Internet and its increased popularity, there are no prior art methods that have been able to successfully scan connections 36 such as those utilized by a gateway node in communicating with other networks. Third, many of the above methods require a significant amount of computing resources, which in turn degrades the overall performance of the system. Thus, operating the virus detection programs on every computer becomes impractical. Therefore, the operation of many such virus detection programs is disabled for improved performance of individual machines.

Therefore, there is a need for a system and method for effectively detecting and eliminating viruses without significantly affecting the performance of the computer. Moreover, there is a need for a system and method that can detect and eliminate viruses in networks attached to other information systems by way of gateways or the Internet.

Another problem of increasing significance is the spread of computer viruses through electronic mail communications, including intra-network electronic mail accesses which do not need to pass through a network gateway node 33. The referenced prior art shortcomings are also present in the detection and prevention of the spread of viruses through electronic mail. Additionally problematic are electronic mail access by multiple users which may exponentially increase the potential for the spread of viruses, the detection of viruses on encoded or encrypted files, the tendency of computer users not to undertake virus detection and user impatience during virus detection intervals.

Therefore, there is also a need for an apparatus and method for detecting viruses which may be spread through
electronic mail communications. Moreover, there is a need for such an apparatus and method which can prevent multiplied virus spreading, facilitate encoded file virus detection, trigger without requiring user intervention and operate in the background.

SUMMARY OF THE INVENTION

The present invention overcomes the limitations and shortcomings of the prior art with systems, apparatuses and methods for detecting and eliminating viruses on a computer network.

A system including the present invention is a network formed of a plurality of nodes and a gateway node for connection to other networks. The nodes are preferably microcomputers, and the gateway node comprises: a display device, a central processing unit, a memory forming the apparatus of the present invention, an input device, a network link and a communications unit. The memory further comprises an operating system including a kernel, a File Transfer Protocol (FTP) proxy server, and a Simple Mail Transfer Protocol (SMTP) proxy server. The central processing unit, display device, input device, and memory are coupled and operate to execute the application programs stored in the memory. The central processing unit of the gateway node also executes the FTP proxy server for transmitting and receiving files over the communications unit, and executes the SMTP proxy server for transmitting and receiving messages over the communications unit. The FTP proxy server and SMTP proxy server are preferably executed concurrently with the normal operation of the gateway node. The servers advantageously operate in a manner such that viruses transmitted to or from the network in messages and files are detected before the files are transferred into or from the network. The gateway node of the present invention is particularly advantageous because the impact of using the FTP proxy server and SMTP proxy server for the detection of viruses is minimized because only the files leaving or entering the network are evaluated for the presence of viruses and all other "intra"-network traffic is unaffected.

The present invention also comprises a method for processing a file before transmission into the network and a method for processing a file before transmission from the network. The preferred method for processing a file comprises the steps of: receiving the data transfer command and file name; transferring the file to the proxy server; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the proxy server to a recipient node if the file does not contain a virus; and performing a preset action with the file if it does contain a virus. The present invention also includes methods for processing messages before transmission to or from the network that operate in a similar manner.
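
The file-processing method summarized above, together with the FIG. 6B and 6C boxes it corresponds to (file-type decision, temporary storage at the gateway, scan, reply to the client, then forward or act per configuration), can be exercised in code. The following Python is an added example written for this page; it is not the patent's code or Trend Micro's. The signature byte patterns, the list of scannable extensions, the FTP-style reply strings and the quarantine directory are all constructed assumptions.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed placeholder signatures: byte patterns a signature scanner searches
# for. They are not real malware patterns; they exist only so the example runs.
SIGNATURES: Dict[str, bytes] = {
    "CONSTRUCTED.SIG.A": b"\x90\x90CONSTRUCTED-SIGNATURE-A",
    "CONSTRUCTED.SIG.B": b"CONSTRUCTED-SIGNATURE-B\x00",
}

# File types the "type that can contain viruses" decision routes to the scanner
# (constructed list; a deployment would take this from its policy).
SCANNABLE_EXT = {".exe", ".com", ".dll", ".doc", ".xls", ".zip"}


@dataclass
class GatewayConfig:
    """Configuration setting consulted when a virus is found (FIG. 6B, 6C)."""
    on_virus: str = "quarantine"   # "delete" or "quarantine" (store renamed at gateway)
    quarantine_dir: str = field(
        default_factory=lambda: tempfile.mkdtemp(prefix="gw-quarantine-"))


def is_scannable(filename: str) -> bool:
    """Decision box: is the file of a type that can contain viruses?"""
    return os.path.splitext(filename.lower())[1] in SCANNABLE_EXT


def scan_bytes(data: bytes) -> List[str]:
    """Signature scan: names of every known pattern present in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def process_transfer(filename: str, data: bytes, cfg: GatewayConfig) -> dict:
    """Run one data-transfer request through the proxy.

    Returns a dict: forwarded (bool), reply (text returned to the client),
    hits (signature names found), stored_as (quarantine path or None).
    Inbound and outbound transfers share this path; only the direction of
    the final forward differs.
    """
    if not is_scannable(filename):
        return {"forwarded": True, "reply": "226 Transfer complete (not scanned)",
                "hits": [], "stored_as": None}

    # Store the file temporarily at the gateway, then analyze the stored copy.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        tmp_path = tmp.name
    try:
        with open(tmp_path, "rb") as fh:
            hits = scan_bytes(fh.read())
        if not hits:
            return {"forwarded": True, "reply": "226 Transfer complete (scanned clean)",
                    "hits": [], "stored_as": None}

        # Virus found: the file is never forwarded; the configuration only
        # decides whether a renamed copy is kept for an administrator.
        if cfg.on_virus == "delete":
            stored_as, action = None, "file deleted"
        else:
            # basename() keeps a client-supplied path from escaping the quarantine dir.
            stored_as = os.path.join(cfg.quarantine_dir,
                                     os.path.basename(filename) + ".virus")
            os.replace(tmp_path, stored_as)
            action = "file stored renamed at gateway"
        return {"forwarded": False,
                "reply": f"550 Virus detected ({', '.join(hits)}); {action}",
                "hits": hits, "stored_as": stored_as}
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)    # erase the temporary file in every outcome
```

The temporary copy is scanned from disk rather than from the in-memory buffer so that the flow follows the flowchart's store-then-analyze order, and the reply carrying the detection result goes back to the client whether or not the file is kept.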
The present invention also comprises an apparatus for detecting and eliminating viruses which may spread throughout a network in messages accessed with an electronic mail system. In such mail systems, messages directed to a user at a client node are typically stored at a postal node prior to their access by the client node. Viruses are detected and corrective action taken by a mail scanning apparatus which preferably resides at the client node. The mail scanning apparatus preferably includes: a polling module for determining the presence of unread messages at the postal node, a retrieval module for downloading unread messages to the memory of a client node and a virus analysis and treatment module for determining whether the message contains a virus and for facilitating corrective action to prevent its spread. Preferably, these modules are arranged to operate without requiring action by any electronic mail program files local to the client node to accommodate unobtrusive virus detection in the background and operation without user initiation or triggering. Additionally, the preferable location of the mail scanning apparatus at the client node accommodates virus detection without consuming postal node resources.

The present invention also comprises a method for detecting and eliminating viruses which may spread throughout a network in messages accessed by an electronic mail system. Preferably, the postal node is polled from the client node for unread messages, unread messages are downloaded into the memory of a client node, the messages are scanned for the presence of viruses, and corrective action taken.
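
As an added example (not the patent's code or Trend Micro's) of the polling module, retrieval module, scanned-message FIFO buffer and virus analysis and treatment module described above, the following Python models one pass of the FIG. 13 loop together with the FIG. 14 attachment decode-and-scan and the FIG. 15 treatment choice; the per-part decode-then-act step is the same one FIG. 8B applies to encoded portions at the SMTP proxy. The PostalNode class and its unread_ids/fetch/replace methods, the FIFO capacity, the signature pattern and the sample messages are constructed assumptions.

```python
import collections
from email import message_from_string
from email.message import EmailMessage
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple

# Constructed placeholder signature (not a real malware pattern) and the attachment
# types the "type that can contain viruses" decision sends to the scanner.
SIGNATURES: Dict[str, bytes] = {"CONSTRUCTED.SIG.A": b"\x90\x90CONSTRUCTED-SIGNATURE-A"}
SCANNABLE_EXT = (".exe", ".com", ".dll", ".doc", ".xls", ".zip")
FIFO_SIZE = 64   # capacity of the scanned-message FIFO buffer (assumed value)


class ScanRecord(NamedTuple):
    """One FIFO buffer entry, as FIG. 11d lays it out: identifier, header, status."""
    message_id: str
    header: str
    status: str      # "clean", "infected" or "treated"


class PostalNode:
    """Constructed stand-in for the postal node mail store (assumed API)."""
    def __init__(self, messages: Dict[str, str]):
        self.messages = dict(messages)            # message id -> raw RFC 822 text

    def unread_ids(self) -> List[str]:            # what the polling module asks for
        return list(self.messages)

    def fetch(self, mid: str) -> str:             # what the retrieval module downloads
        return self.messages[mid]

    def replace(self, mid: str, raw: str) -> None:    # treated message written back
        self.messages[mid] = raw


class MailScanner:
    """Polling, retrieval, FIFO de-duplication, attachment scanning and treatment."""
    def __init__(self, node: PostalNode, on_virus: str = "strip"):
        self.node = node
        self.on_virus = on_virus   # "strip": replace attachment with a warning; "warn": alert only
        self.fifo: Deque[ScanRecord] = collections.deque(maxlen=FIFO_SIZE)
        self.alerts: List[str] = []               # sender / administrator alerts

    def already_scanned(self, mid: str) -> bool:
        return any(r.message_id == mid for r in self.fifo)

    def poll_once(self) -> List[ScanRecord]:
        """One pass of the poll loop; returns the records added on this pass."""
        added = []
        for mid in self.node.unread_ids():
            if self.already_scanned(mid):         # scanned flag set on an earlier pass
                continue
            rec = self.scan_message(mid, self.node.fetch(mid))
            self.fifo.append(rec)                 # add to FIFO buffer, mark as scanned
            added.append(rec)
        return added

    def scan_message(self, mid: str, raw: str) -> ScanRecord:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        parts = msg.get_payload() if msg.is_multipart() else []
        infected = []
        for part in parts:
            name = part.get_filename()
            if not name or not name.lower().endswith(SCANNABLE_EXT):
                continue                          # not a type that can contain viruses
            data = part.get_payload(decode=True)  # undo base64 / quoted-printable
            hits = [n for n, p in SIGNATURES.items() if p in data]
            if hits:
                infected.append((part, name, hits))
        if not infected:
            return ScanRecord(mid, subject, "clean")
        for part, name, hits in infected:
            self.alerts.append(f"{mid}: attachment {name} matched {', '.join(hits)}")
            if self.on_virus == "strip":
                # Strip the infected attachment; a recipient warning takes its place.
                part.set_payload(f"[attachment {name} removed: {', '.join(hits)}]")
                part.replace_header("Content-Type", "text/plain")
                del part["Content-Transfer-Encoding"]
                del part["Content-Disposition"]
        if self.on_virus != "strip":
            return ScanRecord(mid, subject, "infected")
        self.node.replace(mid, msg.as_string())   # treated message replaces the original
        return ScanRecord(mid, subject, "treated")


def build_message(mid: str, subject: str,
                  attachment: Optional[Tuple[str, bytes]] = None) -> str:
    """Construct a sample RFC 822 message; a bytes attachment is base64 encoded."""
    m = EmailMessage()
    m["Message-ID"], m["Subject"] = mid, subject
    m["From"], m["To"] = "sender@example.test", "recipient@example.test"
    m.set_content("constructed message body")
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


def attachment_names(raw: str) -> List[str]:
    """Filenames of all attachment parts still present in a raw message."""
    return [p.get_filename() for p in message_from_string(raw).walk() if p.get_filename()]


def make_demo_node() -> PostalNode:
    """Constructed postal node: one clean message, one carrying a matching attachment."""
    bad = b"MZ" + SIGNATURES["CONSTRUCTED.SIG.A"] + b"\x00" * 8
    return PostalNode({
        "<clean-1@example.test>": build_message("<clean-1@example.test>", "status report"),
        "<infected-2@example.test>": build_message(
            "<infected-2@example.test>", "see attached", ("tool.exe", bad)),
    })
```

Scanning keys off the message identifier held in the FIFO buffer, so a second poll over the same mailbox downloads nothing, which is the property the patent relies on to keep the client-side scanner from re-reading the postal node on every pass.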

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a prior art information system with a plurality of networks and a plurality of nodes upon which the present invention operates;
FIG. 2 is a block diagram of a preferred embodiment for a gateway node including the apparatus of the present invention;
FIG. 3 is a block diagram of a preferred embodiment for a memory of the gateway node including the apparatus of the present invention;
FIG. 4 is a block diagram of a preferred embodiment for a protocol layer hierarchy constructed according to the present invention compared to the OSI layer model of the prior art;
FIG. 5A is a functional block diagram showing a preferred system for sending data files according to a preferred embodiment of the present invention;
FIG. 5B is a functional block diagram showing a preferred system for receiving data files according to a preferred embodiment of the present invention;
FIGS. 6A, 6B and 6C are a flowchart of the preferred method for performing file transfer according to the present invention;
FIG. 7 is a functional block diagram showing a preferred system for transmitting mail messages according to a preferred embodiment of the present invention;
FIGS. 8A and 8B are a flow chart of a preferred method for sending messages to/from a network;
FIG. 9 is a block diagram of a prior art network electronic mail system;
FIG. 10a is a block diagram of a postal node constructed according to the present invention;
FIG. 10b is a block diagram of a memory of the postal node constructed according to the present invention;
FIG. 10c is a block diagram of a data storage device of the postal node constructed according to the present invention;
FIG. 11a is a block diagram of a preferred embodiment for a client node including the present invention;
FIG. 11b is a block diagram of a preferred embodiment for the memory of the client node according to the present invention;
FIG. 11c is a block diagram of a preferred embodiment for the mail scanning module of the present invention;
FIG. 11d is a graphical representation of a preferred format for storing data in the data buffer;
FIG. 12 is a flow chart of a first and preferred embodiment of the method for scanning electronic mail messages according to the present invention;
FIG. 13 is a flow chart of a second embodiment of the method for scanning electronic mail messages according to the present invention;
FIG. 14 is a flow chart of a preferred method for scanning an attachment file of an electronic mail message according to the present invention; and
FIG. 15 is a flow chart of a preferred method for treating an infected attachment file according to the present invention to remove viruses.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The virus detection system and method of the present invention preferably operates on an information system 20 as has been described above with reference to FIG. 1. The present invention, like the prior art, preferably includes a plurality of node systems 30 and at least one gateway node 33 for each network 22, 24, 26. However, the present invention is different from the prior art because it provides a novel gateway node 33 that also performs virus detection for all files being transmitted into or out of a network. Furthermore, the novel gateway node 33 also performs virus detection on all messages being transmitted into or out of an associated network.

Referring now to FIG. 2, a block diagram of a preferred embodiment of the novel gateway node 33 constructed in accordance with the present invention is shown. A preferred embodiment of the gateway node 33 comprises a display device 40, a central processing unit (CPU) 42, a memory 44, a data storage device 46, an input device 50, a network link 52, and a communications unit 54. The CPU 42 is connected by a bus 56 to the display device 40, the memory 44, the data storage device 46, the input device 50, the network link 52, and the communications unit 54 in a von Neumann architecture. The CPU 42, display device 40, input device 50, and memory 44 may be coupled in a conventional manner such as a personal computer. The CPU 42 is preferably a microprocessor such as a Motorola 68040 or Intel Pentium or X86 type processor; the display device 40 is preferably a video monitor; and the input device 50 is preferably a keyboard and mouse type controller. The CPU 42 is also coupled to the data storage device 44 such as a hard disk drive in a conventional manner. Those skilled in the art will realize that the gateway node 33 may also be a minicomputer or a mainframe computer.

The bus 56 is also coupled to the network link 52 to facilitate communication between the gateway node 33 and the other nodes 30 of the network. In the preferred embodiment of the present invention, the network link 52 is preferably a network adapter card including a transceiver that is coupled to a cable or line 36. For example, the network link 52 may be an ethernet card connected to a coaxial line, a twisted pair line or a fiber optic line. Those skilled in the art will realize that a variety of different networking configurations and operating systems including token ring, ethernet, or arcnet may be used and that the present invention is independent of such use. The network link 52 is responsible for sending, rec
