To: Martin Stecher; Gary Taggart; Thomas Friedrich; Christian Matzen;
Jobst Heinemann; Cyntia Sucher (E-Mail); Peter Borgolte; Michael
Wittig (E-Mail)
CC:
BCC:
Sent Date: 2004-06-18 15:51:22:000
Received Date: 2004-06-18 15:51:23:000
Subject: Straw man / Draft Press Release to announce Proactive Security Feature
Attachments:

All,

looks like it needed the more quiet Friday afternoon hours to get something done
please find below my first shot on the "Finjan Killer" press release.

Mike, I think you have been in the loop and had some discussions about it with Martin.
Cynthia, we can talk on Monday to give you some more background on the subject.

Intent of the release is to unleash some deals that Finjan still is stalling by their product
announcements and promises to customers, while we have no official statement about our new
proactive technology out yet. As our credibility with customers is much higher than Finjan's
(they announced a SSL Scanner more than one year ago, but still did not deliver), we can
expect that this is sufficient to pull in several larger deals in which we currently compete
against Finjan.

Also, as there are new major announcements from other Cyberguard units/products, it might
well serve to bridge the dry zone in which we lack other good news. It would be great to get it
out before end of June.

As always, no pride of authorship - any feedback welcome.

Regards

CyberGuard announces new Webwasher product to protect against Day Zero Virus attacks

Fort Lauderdale, June xxxx, 2004:

CyberGuard today announced a new product version, developed by its recently acquired
Webwasher Content Security Management division, that will contain a new proactive protection
technology against Viruses and Worms. It does not rely on classic Anti Virus patterns. In
contrast to currently known behavioural Anti Virus technologies, CyberGuard's new
technology offers up to 10 times higher detection rates, combined with substantially reduced
false positives, resulting from a combination of unique new algorithms.

HIGHLY CONFIDENTIAL-ATTORNEY'S EYES ONLY
SC166304
Plaintiff's Trial Exhibit PTX-36
Case No. 06-369 GMS
Patent Owner Finjan, Inc. - Ex. 2052, p. 1

As patterns against new viruses by nature only can be developed and made available by Anti
Virus vendors within several hours after a new virus has been detected, proactive technologies
analyze Web and Email traffic and look for certain anomalies, objects or combination of
objects and code. The technology is meant not to substitute conventional Anti Virus
technology, but rather to complement it to maximize protection and performance - the
proactive scanner does not need to look for a known virus that can be caught faster by the
pattern based scanner. It kicks in behind the conventional scanner and only for those viruses,
whose patterns are not yet known - the so called Day Zero attack. Higher performance also is
achieved by avoiding emulation of actual code like in technologies commonly known as
"Sandboxing".

"There has been a lot of hype and disappointed expectations about so-called Sandbox-
technologies, that typically have only 90% detection rates, along with 10% false positives.
With CyberGuard's new technology, we think the times of playing with toys in the sandbox are
over - with a new virus or worm almost every day people want to have real solutions that do
what they are supposed to do - catching unknown blended threats, viruses and worms. And
these solutions need to be scalable, robust and high-performance, because you don't want
increased security needs to throw you back to the times when loading a Web page took several
seconds - lowest latency is absolutely critical for filtering of Web traffic that needs to be
displayed in the browser in real time." said xxxxxx, xxxxxx at CyberGuard's Webwasher
division.

"Analyst Quote?" - we can do a briefing call with Brian Burke, using Martin's slide set...

Webwasher by CyberGuard provides leading Content Security technology that integrates
URL Filtering, Web and Email Antivirus, Anti Spam, IM/P2P Filtering and Reporting in one
product suite.

The new function will be part of Webwasher Antivirus Version 5.2 and Webwasher CSM Suite
Version 5.2, which will become available in October, at no additional cost - the current pricing
of Webwasher Antivirus will remain unchanged. All customers purchasing Webwasher
Antivirus or Webwasher CSM between now and availability of the new version will receive a
free upgrade.

<Boiler plate: about CyberGuard>

> -----Original Message-----
> From: Martin Stecher
> Sent: Tuesday, June 1, 2004 11:30
> To: 'mwittig@cyberguard.com'; Gary Taggart; Thomas Friedrich;
> Christian Matzen; Horst Joepen; Jobst Heinemann
> Cc: Peter Borgolte; Martin Stecher
> Subject: Proactive Security Feature Direction
>
> Hi,
>
> on Friday we (some techies) met to talk about ways to
> implement the Proactive Security Feature (a.k.a. the Finjan
> Killer) for WW 5.1.
>
> We found basically two fundamentally different approaches.
> Please have a look which of these does better meet corporate
> policy and sales desire. We need your input and a decision
> soon. It is not a technical question but only sales and
> marketing that should decide where we go here.
>
> If I could get your comments until end of this week? Would be great.
>
> We will need to write a scanner for JavaScripts, VB-Scripts,
> Java Applets, ActiveX Controls and other binaries. Adding a
> parser for VBA would outperform Finjan feature set as they do
> not scan Office documents at all.
>
> After the scan, WW must decide what to do with the file. Then
> we can do one of these options:
>
> 1. Look for potentially dangerous stuff within those files.
> The problem here is that the scanner can only check for some
> few criteria and there will be tons of bypass
> vulnerabilities; especially in binary code (such as in
> ActiveX controls) calls to dangerous functions can easily be
> overseen by the scanner. This option has a policy that the
> admin can modify to filter files.
>
> 2. Only allow those files for which a scanner can determine
> that it is harmless. This would only be a minority of files
> as scanning of for example Active X binaries is limited and
> the code would need to reject all files that call any unknown
> kernel function.
> For JavaScripts we could implement a parser that would
> execute some hard to parse function calls in a sandbox to
> verify the parameters making this.
> This option has no policy that can be set but a strict
> hardcoded definition what we believe is harmless.
>
> Option 1 is what Finjan does. Question is whether our (new)
> corporate policy allows us to follow this path. It pretends
> some deep level of security, which is actually not there. We
> would not feel comfortable with promoting this approach. On
> the other hand it is that what Finjan has and we would
> compete exactly with them. But it will also give us a hard
> time as we cannot expect that the first version will have the
> same number of filter settings and capabilities. They will
> also check very carefully which of their patents we may touch
> by recreating their system.
>
> Option 2 contains something like a real sandbox for
> JavaScript, which even Finjan does not have. On the other
> hand this technology may corrupt some web pages and may
> create many false positives, especially for the binary files,
> which the scanner cannot easily parse, more than 90% of the
> files could not be considered harmless.
> This would be the strategy of all customers that like to have
> a tight Internet policy but do not want to block everything,
> especially in the JavaScript context but could afford to
> block nearly all executables.
> In order to make it feasible we should add a fingerprint
> database in form of a subscription model that will allow us
> to continuously update a white list of files that we found to
> be harmless in our lab but found to be detected as not harmless
> by the scanner. An automatic feedback function would allow
> the customer to send classified files to us for further
> investigations. This costs many additional resources in TPT.
>
> Estimated error rates:
>
>                                  Option 1    Option 2
> Undetected malicious scripts     ~10%        ~1%
> Undetected malicious binaries    ~30%        ~5%
> Blocked harmless scripts         ~10%        ~10%
> Blocked harmless binaries        ~10%        ~90% (w/o database)
>
> Whatever option we choose or whether you wish to suggest an
> alternative way, this feature will cost a lot of resources.
> Surprise, surprise that a feature that Finjan works on for
> years cannot be done within a few weeks.
>
> Regards
> Martin
>
> --
> Martin Stecher
> Dipl.-Informatiker
> VP Development
>
> webwasher AG - a CyberGuard Company
> Vattmannstrasse 3
> 33100 Paderborn / Germany
>
> Phone: +49 52 51 /5 00 54-25
> Fax: +49 52 51 /5 00 54-11
> Mobile: +49 170/786 4700
>
> mailto:martin.stecher@webwasher.com
> Visit us at: http://www.webwasher.com
> http://www.cyberguard.com

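The trade-off between Option 1 and Option 2 in the quoted message of 1 June above, as an added example that is not part of the original e-mail thread and not code from Webwasher, CyberGuard or Finjan: a denylist policy and a default-deny policy with a fingerprint allowlist are run over the same constructed files. The function names, the call lists, the sample files and the use of SHA-256 as the fingerprint are all assumptions made for illustration.

```python
"""Option 1 (denylist) versus Option 2 (default deny plus fingerprint allowlist).

Added illustration only: every name, call list and sample file is constructed.
"""
import hashlib
from dataclasses import dataclass
from functools import partial

# Hypothetical policy data (assumptions, not taken from any product).
DANGEROUS_CALLS = frozenset({"WriteProcessMemory", "CreateRemoteThread"})
KNOWN_HARMLESS_CALLS = frozenset({"GetTickCount", "lstrlenA", "MessageBoxA"})


@dataclass(frozen=True)
class ScannedFile:
    name: str
    content: bytes        # raw bytes, used only for the fingerprint
    calls: frozenset      # function calls the scanner was able to extract
    fully_parsed: bool    # False when parts of the file could not be analysed
    malicious: bool       # ground truth, as a test lab would know it


def fingerprint(content: bytes) -> str:
    """SHA-256 stands in for the 'fingerprint' of the e-mail (an assumption)."""
    return hashlib.sha256(content).hexdigest()


def option1_denylist(f, denylist=DANGEROUS_CALLS) -> str:
    """Option 1: block only when a call on the admin-editable denylist is seen."""
    return "block" if f.calls & denylist else "allow"


def option2_default_deny(f, allowlist=frozenset(),
                         harmless=KNOWN_HARMLESS_CALLS) -> str:
    """Option 2: allow only lab-fingerprinted files or files proven harmless."""
    if fingerprint(f.content) in allowlist:
        return "allow"            # white-listed by the lab database
    if f.fully_parsed and f.calls <= harmless:
        return "allow"            # every extracted call is known harmless
    return "block"                # unknown call, or code that could not be parsed


def evaluate(files, decide) -> dict:
    """Names of malicious files let through and of harmless files blocked."""
    missed = [f.name for f in files if f.malicious and decide(f) == "allow"]
    blocked = [f.name for f in files if not f.malicious and decide(f) == "block"]
    return {"missed_malicious": missed, "blocked_harmless": blocked}


# Constructed sample set: two harmless files and three malicious ones.
SAMPLE_FILES = [
    ScannedFile("benign_clock", b"clock-v1",
                frozenset({"GetTickCount", "MessageBoxA"}), True, False),
    ScannedFile("benign_updater", b"updater-v7",
                frozenset({"GetTickCount", "InternetOpenA"}), True, False),
    ScannedFile("malware_listed", b"sample-a",
                frozenset({"WriteProcessMemory", "CreateRemoteThread"}), True, True),
    # Uses a call the denylist author did not anticipate (hypothetical name).
    ScannedFile("malware_unlisted", b"sample-b",
                frozenset({"HypotheticalUnlistedCall"}), True, True),
    # The scanner could not parse this binary, so it extracted no calls at all.
    ScannedFile("malware_unparsed", b"sample-c", frozenset(), False, True),
]

# The lab has reviewed the updater and published its fingerprint.
LAB_ALLOWLIST = frozenset({fingerprint(b"updater-v7")})


def run_all() -> dict:
    """Evaluate both options, Option 2 with and without the lab database."""
    with_db = partial(option2_default_deny, allowlist=LAB_ALLOWLIST)
    return {
        "option1": evaluate(SAMPLE_FILES, option1_denylist),
        "option2_without_db": evaluate(SAMPLE_FILES, option2_default_deny),
        "option2_with_db": evaluate(SAMPLE_FILES, with_db),
    }


if __name__ == "__main__":
    for policy, result in run_all().items():
        print(policy, result)
```

The denylist lets through everything it has no rule for, while default deny fails closed and shifts the cost to blocked harmless files until the allowlist catches up.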
From IMCEAEX-_O=BWASHER-MAIL_OU=RST+20ADMINISTRATIVE+20GROUP_CN=CIPIENTS_CN=RTIN+2ESTECHER@ Fri Jun 18 19:44:50 2004
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by EMEA.scur.com
    id <01C4555B.F4BA433F@EMEA.scur.com>; Fri, 18 Jun 2004 18:44:50 +0100
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
Subject: RE: Straw man / Draft Press Release to announce Proactive Security Feature
Date: Fri, 18 Jun 2004 18:44:50 +0100
Message-ID: <75FTE6?'FC45F6744A7D328D41E353?6D13EOB6@mail.webwasher.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Proactive Security Feature Direction
Thread-Index: AcRHuwzDri5?Hp0aSzK12FYq+eD!1gL73zrAAGw3V2A=
From: "Martin Stecher" <IMCEAEX-_O=BWASHER-MAIL_OU=RST+20ADMINISTRATIVE+20GROUP_CN=CIPIENTS_CN=RTIN+2ESTECHER@
To: "Horst Joepen" <horst.joepen@WEBWASHER.com>
Cc: "Gary Taggart" <gary.taggart@WEBWASHER.com>,
    "Thomas Friedrich" <thomas.friedrich@WEBWASHER.com>,
    "Christian Matzen" <christian.matzen@WEBWASHER.com>,
    "Jobst Heinemann" <jobst.heinemann@WEBWASHER.com>,
    "Cyntia Sucher \(E-Mail\)" <csucher@mpbc.cc>,
    "Peter Borgolte" <peter.borgolte@WEBWASHER.com>,
    "Michael Wittig \(E-Mail\)" <mwittig@cyberguard.com>
X-Length: 12028
X-UID: 109

Horst,

so far we had been looking at these features to become part of the "Webwasher Content
Protection" product not the "Webwasher Anti Virus" product.
Especially if we add the library/database for known harmless files, we'd have the subscription
model that we wanted to add to Content Protection.
If this could still be the strategy we may rethink the price of that product.

Regards
Martin

> -----Original Message-----
> From: Horst Joepen
> Sent: Friday, June 18, 2004 17:51
> To: Martin Stecher; Gary Taggart; Thomas Friedrich; Christian Matzen;
> Jobst Heinemann; Cyntia Sucher (E-Mail); Peter Borgolte;
> Michael Wittig (E-Mail)
> Subject: Straw man / Draft Press Release to announce
> Proactive Security Feature
>
> All,
>
> looks like it needed the more quiet Friday afternoon hours to
> get something done
> please find below my first shot on the
> "Finjan Killer" press release.
>
> Mike, I think you have been in the loop and had some
> discussions about it with Martin. Cynthia, we can talk on
> Monday to give you some more background on the subject.
>
> Intent of the release is to unleash some deals that Finjan
> still is stalling by their product announcements and promises
> to customers, while we have no official statement about our
> new proactive technology out yet. As our credibility with
> customers is much higher than Finjan's (they announced a SSL
> Scanner more than one year ago, but still did not deliver),
> we can expect that this is sufficient to pull in several
> larger deals in which we currently compete against Finjan.
>
> Also, as there are new major announcements from other
> Cyberguard units/products, it might well serve to bridge the
> dry zone in which we lack other good news. It would be great
> to get it out before end of June.
>
> As always, no pride of authorship - any feedback welcome.
>
> Regards
>
> Horst
>
> --------------------------------------------------
>
> CyberGuard announces new Webwasher product to protect against
> Day Zero Virus attacks
>
> Fort Lauderdale, June xxxx, 2004:
>
> CyberGuard today announced a new product version, developed
> by its recently acquired Webwasher Content Security
> Management division, that will contain a new proactive
> protection technology against Viruses and Worms. It does not
> rely on classic Anti Virus patterns. In contrast to currently
> known behavioural Anti Virus technologies, CyberGuard's new
> technology offers up to 10 times higher detection rates,
> combined with substantially reduced false positives,
> resulting from a combination of unique new algorithms.
>
> As patterns against new viruses by nature only can be
> developed and made available by Anti Virus vendors within
> several hours after a new virus has been detected, proactive
> technologies analyze Web and Email traffic and look for
> certain anomalies, objects or combination of objects and
> code. The technology is meant not to substitute conventional
> Anti Virus technology, but rather to complement it to
> maximize protection and performance - the proactive scanner
> does not need to look for a known virus that can be caught
> faster by the pattern based scanner. It kicks in behind the
> conventional scanner and only for those viruses, whose
> patterns are not yet known - the so called Day Zero attack.
> Higher performance also is achieved by avoiding emulation of
> actual code like in technologies commonly known as "Sandboxing".
>
> "There has been a lot of hype and disappointed expectations
> about so-called Sandbox-technologies, that typically have
> only 90% detection rates, along with 10% false positives.
> With CyberGuard's new technology, we think the times of
> playing with toys in the sandbox are over - with a new virus
> or worm almost every day people want to have real solutions
> that do what they are supposed to do - catching unknown
> blended threats, viruses and worms. And these solutions need
> to be scalable, robust and high-performance, because you
> don't want increased security needs to throw you back to the
> times when loading a Web page took several seconds - lowest
> latency is absolutely critical for filtering of Web traffic
> that needs to be displayed in the browser in real time." said
> xxxxxx, xxxxxx at CyberGuard's Webwasher division.
>
> "Analyst Quote?" - we can do a briefing call with Brian
> Burke, using Martin's slide set...
>
> Webwasher by CyberGuard provides leading Content Security
> technology that integrates URL Filtering, Web and Email
> Antivirus, Anti Spam, IM/P2P Filtering and Reporting in one
> product suite.
>
> The new function will be part of Webwasher Antivirus Version
> 5.2 and Webwasher CSM Suite Version 5.2, which will become
> available in October, at no additional cost - the current
> pricing of Webwasher Antivirus will remain unchanged. All
> customers purchasing Webwasher Antivirus or Webwasher CSM
> between now and availability of the new version will receive
> a free upgrade.
>
> <Boiler plate: about CyberGuard>
>
> > -----Original Message-----
> > From: Martin Stecher
> > Sent: Tuesday, June 1, 2004 11:30
> > To: 'mwittig@cyberguard.com'; Gary Taggart; Thomas Friedrich;
> > Christian Matzen; Horst Joepen; Jobst Heinemann
> > Cc: Peter Borgolte; Martin Stecher
> > Subject: Proactive Security Feature Direction
> >
> > Hi,
> >
> > on Friday we (some techies) met to talk about ways to
> > implement the Proactive Security Feature (a.k.a. the Finjan
> > Killer) for WW 5.1.
> >
> > We found basically two fundamentally different approaches.
> > Please have a look which of these does better meet corporate
> > policy and sales desire. We need your input and a decision
> > soon. It is not a technical question but only sales and
> > marketing that should decide where we go here.
> >
> > If I could get your comments until end of this week? Would be great.
> >
> > We will need to write a scanner for JavaScripts, VB-Scripts,
> > Java Applets, ActiveX Controls and other binaries. Adding a
> > parser for VBA would outperform Finjan feature set as they do
> > not scan Office documents at all.
> >
> > After the scan, WW must decide what to do with the file. Then
> > we can do one of these options:
> >
> > 1. Look for potentially dangerous stuff within those files.
> > The problem here is that the scanner can only check for some
> > few criteria and there will be tons of bypass
> > vulnerabilities; especially in binary code (such as in
> > ActiveX controls) calls to dangerous functions can easily be
> > overseen by the scanner. This option has a policy that the
> > admin can modify to filter files.
> >
> > 2. Only allow those files for which a scanner can determine
> > that it is harmless. This would only be a minority of files
> > as scanning of for example Active X binaries is limited and
> > the code would need to reject all files that call any unknown
> > kernel function.
> > For JavaScripts we could implement a parser that would
> > execute some hard to parse function calls in a sandbox to
> > verify the parameters making this.
> > This option has no policy that can be set but a strict
> > hardcoded definition what we believe is harmless.
> >
> > Option 1 is what Finjan does. Question is whether our (new)
> > corporate policy allows us to follow this path. It pretends
> > some deep level of security, which is actually not there. We
> > would not feel comfortable with promoting this approach. On
> > the other hand it is that what Finjan has and we would
> > compete exactly with them. But it will also give us a hard
> > time as we cannot expect that the first version will have the
> > same number of filter settings and capabilities. They will
> > also check very carefully which of their patents we may touch
> > by recreating their system.
> >
> > Option 2 contains something like a real sandbox for
> > JavaScript, which even Finjan does not have. On the other
> > hand this technology may corrupt some web pages and may
> > create many false positives, especially for the binary files,
> > which the scanner cannot easily parse, more than 90% of the
> > files could not be considered harmless.
> > This would be the strategy of all customers that like to have
> > a tight Internet policy but do not want to block everything,
> > especially in the JavaScript context but could afford to
> > block nearly all executables.
> > In order to make it feasible we should add a fingerprint
> > database in form of a subscription model that will allow us
> > to continuously update a white list of files that we found to
> > be harmless in our lab but found to be detected as not harmless
> > by the scanner. An automatic feedback function would allow
> > the customer to send classified files to us for further
> > investigations. This costs many additional resources in TPT.
> >
> > Estimated error rates:
> >
> >                                  Option 1    Option 2
> > Undetected malicious scripts     ~10%        ~1%
> > Undetected malicious binaries    ~30%        ~5%
> > Blocked harmless scripts         ~10%        ~10%
> > Blocked harmless binaries        ~10%        ~90% (w/o database)
> >
> > Whatever option we choose or whether you wish to suggest an
> > alternative way, this feature will cost a lot of resources.
> > Surprise, surprise that a feature that Finjan works on for
> > years cannot be done within a few weeks.
> >
> > Regards
> > Martin
> >
> > --
> > Martin Stecher
> > Dipl.-Informatiker
> > VP Development
> >
> > webwasher AG - a CyberGuard Company
> > Vattmannstrasse 3
> > 33100 Paderborn / Germany
> >
> > Phone: +49 52 51 /5 00 54-25
> > Fax: +49 52 51 /5 00 54-11
> > Mobile: +49 170/786 4700
> >
> > mailto:martin.stecher@webwasher.com
> > Visit us at: http://www.webwasher.com
> > http://www.cyberguard.com

From IMCEAEX-_O=BWASHER-MAIL_OU=RST+20ADMINISTRATIVE+20GROUP_CN=CIPIENTS_CN=RST+2EJOEPEN@st; Fri Jun 25 10:13:36 2004
Received: by EMEA.scur.com
    id <01C45A8C.50D9C7CF@EMEA.scur.com>; Fri, 25 Jun 2004 09:13:37 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_001_01C45A8C.50D9C7CF"
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: Finjan Killer Press Release - almost final version
Date: Fri, 25 Jun 2004 09:13:36 +0100
Message-ID: <3805T3FC068DA94984B019D2EE77BCEO0EA54F@mail.webwasher.com>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Proactive Security Feature Direction
Thread-Index: AcRHuvvzDri57HpOaSzK’I2FYq+eD;‘1gL73zrAAbg105A=
From: "Horst Joepen" <IMCEAEX-_O=BWASHER-MAIL_OU=RST+20ADMINISTRATIVE+20GROUP_CN=CIPIENTS_CN=RST+2EJOEPEN@sti
To: "Martin Stecher" <martin.stecher@WEBWASHER.com>,
    "Gary Taggart" <gary.taggart@WEBWASHER.com>,
    "Thomas Friedrich" <thomas.friedrich@WEBWASHER.com>,
    "Christian Matzen" <christian.matzen@WEBWASHER.com>,
    "Jobst Heinemann" <jobst.heinemann@WEBWASHER.com>,
    "Peter Borgolte" <peter.borgolte@WEBWASHER.com>
X-Length: 55925
X-UID: Y1

This is a multi-part message in MIME format.

------_=_NextPart_001_01C45A8C.50D9C7CF
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Please find attached the almost final version after word smithing from Cynthia Sucher and
incorporating other suggestions for improvement. We expect IDC's approval for the quote
today and it is intended to go out on Monday.

Most importantly, after some discussion about to which product the new feature will be added,
we concluded that it will be contained in Webwasher products Anti Virus, Content Protection
and CSM Suite. In the release, only AV and CSM are mentioned.

Regards

Horst

> -----Original Message-----
> From: Horst Joepen
> Sent: Friday, June 18, 2004 17:51
> To: Martin Stecher; Gary Taggart; Thomas Friedrich; Christian Matzen;
> Jobst Heinemann; Cyntia Sucher (E-Mail); Peter Borgolte;
> Michael Wittig (E-Mail)
> Subject: Straw man / Draft Press Release to announce
> Proactive Security Feature
>
> All,
>
> looks like it needed the more quiet Friday afternoon hours to
> get something done
> please find below my first shot on the
> "Finjan Killer" press release.
>
> Mike, I think you have been in the loop and had some
> discussions about it with Martin. Cynthia, we can talk on
> Monday to give you some more background on the subject.
>
> Intent of the release is to unleash some deals that Finjan
> still is stalling by their product announcements and promises
> to customers, while we have no official statement about our
> new proactive technology out yet. As our credibility with
> customers is much higher than Finjan's (they announced a SSL
> Scanner more than one year ago, but still did not deliver),
> we can expect that this is sufficient to pull in several
> larger deals in which we currently compete against Finjan.
>
> Also, as there are new major announcements from other
> Cyberguard units/products, it might well serve to bridge the
> dry zone in which we lack other good news. It would be great
> to get it out before end of June.
>
> As always, no pride of authorship - any feedback welcome.
>
> Regards
>
> Horst
>
> --------------------------------------------------
>
> CyberGuard announces new Webwasher product to protect against
> Day Zero Virus attacks
>
> Fort Lauderdale, June xxxx, 2004:
>
> CyberGuard today announced a new product version, developed
> by its recently acquired Webwasher Content Security
> Management division, that will contain a new proactive
> protection technology against Viruses and Worms. It does not
> rely on classic Anti Virus patterns. In contrast to currently
> known behavioural Anti Virus technologies, CyberGuard's new
> technology offers up to 10 times higher detection rates,
> combined with substantially reduced false positives,
> resulting from a combination of unique new algorithms.
>
> As patterns against new viruses by nature only can be
> developed and made available by Anti Virus vendors within
> several hours after a new virus has been detected, proactive
> technologies analyze Web and Email traffic and look for
> certain anomalies, objects or combination of objects and
> code. The technology is meant not to substitute conventional
> Anti Virus technology, but rather to complement it to
> maximize protection and performance - the proactive scanner
> does not need to look for a known virus that can be caught
> faster by the pattern based scanner. It kicks in behind the
> conventional scanner and only for those viruses, whose
> patterns are not yet known - the so called Day Zero attack.
> Higher performance also is achieved by avoiding emulation of
> actual code like in technologies commonly known as "Sandboxing".
>
> "There has been a lot of hype and disappointed expectations
> about so-called Sandbox-technologies, that typically have
> only 90% detection rates, along with 10% false positives.
> With CyberGuard's new technology, we think the times of
> playing with toys in the sandbox are over - with a new virus
> or worm almost every day people want to have real solutions
> that do what they are supposed to do - catching unknown
> blended threats, viruses and worms. And these solutions need
> to be scalable, robust and high-performance, because you
> don't want increased security needs to throw you back to the
> times when loading a Web page took several seconds - lowest
> latency is absolutely critical for filtering of Web traffic
> that needs to be displayed in the browser in real time." said
> xxxxxx, xxxxxx at CyberGuard's Webwasher division.
>
> "Analyst Quote?" - we can do a briefing call with Brian
> Burke, using Martin's slide set...
>
> Webwasher by CyberGuard provides leading Content Security
> technology that integrates URL Filtering, Web and Email
> Antivirus, Anti Spam, IM/P2P Filtering and Reporting in one
> product suite.
>
> The new function will be part of Webwasher Antivirus Version
> 5.2 and Webwasher CSM Suite Version 5.2, which will become
> available in October, at no additional cost - the current
> pricing of Webwasher Antivirus will remain unchanged. All
> customers purchasing Webwasher Antivirus or Webwasher CSM
> between now and availability of the new version will receive
> a free upgrade.
>
> <Boiler plate: about CyberGuard>
>
> > -----Original Message-----
> > From: Martin Stecher
> > Sent: Tuesday, June 1, 2004 11:30
> > To: 'mwittig@cyberguard.com'; Gary Taggart; Thomas Friedrich;
> > Christian Matzen; Horst Joepen; Jobst Heinemann
> > Cc: Peter Borgolte; Martin Stecher
> > Subject: Proactive Security Feature Direction
> >
> > Hi,
> >
> > on Friday we (some techies) met to talk about ways to
> > implement the Proactive Security Feature (a.k.a. the Finjan
> > Killer) for WW 5.1.
> >
> > We found basically two fundamentally different approaches.
> > Please have a look which of these does better meet corporate
> > policy and sales desire. We need your input and a decision
> > soon. It is not a technical question but only sales and
> > marketing that should decide where we go here.
> >
> > If I could get your comments until end of this week? Would be great.
> >
> > We will need to write a scanner for JavaScripts, VB-Scripts,
> > Java Applets, ActiveX Controls and other binaries. Adding a
> > parser for VBA would outperform Finjan feature set as they do
> > not scan Office documents at all.
> >
> > After the scan, WW must decide what to do with the file. Then
> > we can do one of these options:
> >
> > 1. Look for potentially dangerous stuff within those files.
> > The problem here is that the scanner can only check for some
> > few criteria and there will be tons of bypass
> > vulnerabilities; especially in binary code (such as in
> > ActiveX controls) calls to dangerous functions can easily be
> > overseen by the scanner. This option has a policy that the
> > admin can modify to filter files.
> >
> > 2. Only allow those files for which a scanner can determine
> > that it is harmless. This would only be a minority of files
> > as scanning of for example Active X binaries is limited and
> > the code would need to reject all files that call any unknown
> > kernel function.
> > For JavaScripts we could implement a parser that would
> > execute some hard to parse function calls in a sandbox to
> > verify the parameters making this.
> > This option has no policy that can be set but a strict
> > hardcoded definition what we believe is harmless.
> >
> > Option 1 is what Finjan does. Question is whether our (new)
> > corporate policy allows us to follow this path. It pretends
> > some deep level of security, which is actually not there. We
> > would not feel comfortable with promoting this approach. On
> > the other hand it is that what Finjan has and we would
> > compete exactly with them. But it will also give us a hard
> > time as we cannot expect that the first version will have the
> > same number of filter settings and capabilities. They will
> > also check very carefully which of their patents we may touch
> > by recreating their system.
> >
> > Option 2 contains something like a real sandbox for
> > JavaScript, which even Finjan does not have. On the other
> > hand this technology may corrupt some web pages and may
> > create many false positives, especially for the binary files,
> > which the scanner cannot easily parse, more than 90% of the
> > files could not be considered harmless.
> > This would be the strategy of all customers that like to have
> > a tight Internet policy but do not want to block everything,
> > especially in the JavaScript context but could afford to
> > block nearly all executables.
> > In order to make it feasible we should add a fingerprint
> > database in form of a subscription model that will allow us
> > to continuously update a white list of files that we found to
> > be harmless in our lab but found to be detected as not harmless
> > by the scanner. An automatic feedback function would allow
> > the customer to send classified files to us for further
> > investigations. This costs many additional resources in TPT.
> >
> > Estimated error rates:
> >
> >                                  Option 1    Option 2
> > Undetected malicious scripts     ~10%        ~1%
> > Undetected malicious binaries    ~30%        ~5%
> > Blocked harmless scripts         ~10%        ~10%
> > Blocked harmless binaries        ~10%        ~90% (w/o database)
> >
> > Whatever option we choose or whether you wish to suggest an
> > alternative way, this feature will cost a lot of resources.
> > Surprise, surprise that a feature that Finjan works on for
> > years cannot be done within a few weeks.
> >
> > Regards
> > Martin
> >
> > --
> > Martin Stecher
> > Dipl.-Informatiker
> > VP Development
> >
> > webwasher AG - a CyberGuard Company
> > Vattmannstrasse 3
> > 33100 Paderborn / Germany
> >
> > Phone: +49 52 51 /5 00 54-25
> > Fax: +49 52 51 /5 00 54-1