Avast Software(“Avast”)
`US 8,677,494
`For purposes of this chart, the licensed Avast products include Endpoint Protection and other antivirus products
`utilizing Avast! Research Labs, DynaGen, Malware Similarity Search, and Evo‐Gen technologies.
`
`As identified and described element by element below, the licensed products specifically listed above meet at
`least claim 1 of the ‘494 Patent.
`Claim 1
`
`Avast’s products meet the recited claim language because it receives an
`1a. A computer based
`incoming downloadable.
`method, comprising the steps
`
`of:
`Avast products, including Endpoint Protection, are software based products that
`use computer processors for scanning incoming program code, or executable
`files, data, and other content they receive, performing analysis including
`sandboxing, creating a profile of the incoming downloadable and sending the
`information gathered to be stored in a database.
`
`
`
`
`https://www.avast.com/en‐us/business
`
`Avast’s products meet the recited claim language because they receive incoming
`downloadables.
`
`As shown below, Avast’s Endpoint Protection and other antivirus software meet
`the recited claim language. The avast! Research Lab uses DynaGen technology
`to classify files as clean or dirty and create generic malware descriptions from
`multiple dirty files having shared characteristics. avast! 2014 Frequently Asked
`Questions ‐‐ New Features < http://www.avast.com/en‐
`us/faq.php?article=AVKB89#idt_01 >; avast! antivirus: security from cloud (2013)
`at pp. 15‐18; New Toy in the Avast Research Lab (2012) <
`http://blog.avast.com/2012/12/03/new‐toy‐research‐lab/ >; Declaring machine
`
`1b. receiving an incoming
`downloadable
`
`
`
`
`US 8,677,494
`For purposes of this chart, the licensed Avast products include Endpoint Protection and other antivirus products
`utilizing Avast! Research Labs, DynaGen, Malware Similarity Search, and Evo‐Gen technologies.
`
`As identified and described element by element below, the licensed products specifically listed above meet at
`least claim 1 of the ‘494 Patent.
`Claim 1
`
`Avast’s products meet the recited claim language because it receives an
`1a. A computer based
`incoming downloadable.
`method, comprising the steps
`
`of:
`Avast products, including Endpoint Protection, are software based products that
`use computer processors for scanning incoming program code, or executable
`files, data, and other content they receive, performing analysis including
`sandboxing, creating a profile of the incoming downloadable and sending the
`information gathered to be stored in a database.
`
`
`
`
`https://www.avast.com/en‐us/business
`
`Avast’s products meet the recited claim language because they receive incoming
`downloadables.
`
`As shown below, Avast’s Endpoint Protection and other antivirus software meet
`the recited claim language. The avast! Research Lab uses DynaGen technology
`to classify files as clean or dirty and create generic malware descriptions from
`multiple dirty files having shared characteristics. avast! 2014 Frequently Asked
`Questions ‐‐ New Features < http://www.avast.com/en‐
`us/faq.php?article=AVKB89#idt_01 >; avast! antivirus: security from cloud (2013)
`at pp. 15‐18; New Toy in the Avast Research Lab (2012) <
`http://blog.avast.com/2012/12/03/new‐toy‐research‐lab/ >; Declaring machine
`
`1b. receiving an incoming
`downloadable
`
`
`
`
`
`
`
`1c. deriving security profile
`data for the Downloadable,
`including a list of suspicious
`computer operations that
`may be attempted by the
`Downloadable; and
`
`war against malicious Android packages (2014) <
`http://blog.avast.com/2014/04/02/declaring‐machine‐war‐against‐malicious‐
`android‐packages/ >.
`
`The files analyzed by DynaGen include unclassified executable files that are
`downloaded over the Internet to endpoints running avast! endpoint security
`software, and then received from the endpoints to the avast! Research Lab for
`"back‐end" analysis.
`Avast’s products meet the recited claim language because it derives security
`profile data for the Downloadable, including a list of suspicious computer
`operations that may be attempted by the Downloadable.
`
`As shown below, Avast’s Endpoint Protection and other antivirus software meet
`the recited claim language because Avast uses DynaGen technology that includes
`two back‐end classifiers: (1) Malware Similarity Search; and (2) Evo‐Gen.
`See avast! antivirus: security from cloud (2013) at pp. 17; New Toy in the Avast
`Research Lab (2012) < http://blog.avast.com/2012/12/03/new‐toy‐research‐lab/
`>; Declaring machine war against malicious Android packages (2014) <
`http://blog.avast.com/2014/04/02/declaring‐machine‐war‐against‐malicious‐
`android‐packages/ >.
`
`
`
`Malware Similarity Search scans unclassified executable files and creates
`representations of the files. A representation of a file includes its static
`properties as well as dynamic "execution traces" discovered y executing the file
`and logging suspicious operations. Malware Similarity Search scans for over 100
`features that are easily identified and relevant to malware classification. Once
`the representation of the file is generated, the static properties and execution
`traces of the file are compared for similarity with static properties and execution
`
`
`
`
`
`- 2 -
`
`
`
`
`
`traces of known clean and dirty samples and the file is classified as either clean
`or dirty.
`
`Moreover, if the file is classified as dirty, Evo‐Gen creates a generic malware
`description that includes static properties and execution traces that are shared
`by the file and other known dirty samples (security profile data including a list of
`suspicious computer operations that may be attempted by the Downloadable).
`The goal of Evo‐Gen is to produce a brief description that describes as many dirty
`samples as possible without describing any clean sample. The execution traces in
`the generic malware description identify suspicious operations that may be
`attempted by dirty samples from which the description is created, including
`SEND, WRITE, RECEIVE, DISABLE, ACCESS, MOUNT, UNMOUNT, CALL and LOG
`operations. By way of example, a generic malware description created for a
`related group of fake Korean banking Android application packages called
`Android:Telman is shown below.
`
`
`
`
`
`
`Avast’s products meets the recited claim language because it stores the
`Downloadable security profile data in a database.
`
`As shown below, Avast’s Endpoint Protection and other anti‐virus software meet
`the recited claim language because it stores the profile created by the analysis of
`the downloadable in a database. The information is stored and then used to for
`future reference.
`
`The file's execution traces and any generic malware description created using
`the execution traces are stored in the avast! Research Lab database for future
`reference (storing the Downloadable security profile in a database).
`
`See avast! antivirus: security from cloud (2013) at pp. 15‐18; New Toy in the
`Avast Research Lab (2012) < http://blog.avast.com/2012/12/03/new‐toy‐
`research‐lab/ >; Declaring machine war against malicious Android packages
`(2014) < http://blog.avast.com/2014/04/02/declaring‐machine‐war‐against‐
`malicious‐android‐packages/ >.
`
`
`
`- 3 -
`
`1d. storing the Downloadable
`security profile data in a
`database.
`
`
`
`
`
`
`
`
`
`F‐Secure
`US 8,677,494
`For purposes of this chart, the licensed F‐Secure products and services utilizes Real‐Time Protection Network
`(RTPN) and DeepGuard technologies. See https://www.f‐
`secure.com/documents/996508/1030745/deepguard_whitepaper.pdf.
`
`As identified and described element by element below, the licensed products specifically listed above meet at
`least claim 1 of the ‘494 Patent.
`Claim 1
`
`F‐Secure’s products meet the recited claim language because it receives an
`1a. A computer based
`incoming downloadable.
`method, comprising the steps
`
`of:
`F‐Secure products are software based products that use computer processors for
`scanning incoming program code, or executable files, data, and other content
`they receive, performing analysis including sandboxing, creating a profile of the
`incoming downloadable and sending the information gathered to be stored in a
`database. F‐Secure utilizes a Real‐Time Protection Network (“RTPN”), which is a
`crowd‐source means to acquire unknown, potentially malicious files from the
`Internet and store them on F‐Secure’s servers, and process these files thereby
`creating and propagating protection policies. Unknown files are scanned by F‐
`Secure’s “DeepGuard”. DeepGuard is a heuristic and sandboxed based file
`scanning service. DeepGuard monitors potentially malicious files, including
`PDFs. https://www.f‐
`secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
`
`
`…
`
`
`
`- 4 -
`
`
`
`
`
`
`
`
`
`https://www.f‐
`secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
`
`1b. receiving an incoming
`downloadable
`
`
`https://www.f‐secure.com/documents/10192/137594/FSC_SVCE_functionality‐
`description_htc_web/98f0fbbf‐a8ec‐4d75‐b042‐d20312553aa3
`
`F‐Secure’s products meet the recited claim language because they receive
`incoming downloadables.
`
`As shown below, F‐Secure’s products meet the recited claim language because
`they receive incoming downloadables like PDFs. https://www.f‐
`secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
`
`
`https://www.f‐
`secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
`
`
`
`
`
`1c. deriving security profile
`data for the Downloadable,
`including a list of suspicious
`computer operations that
`may be attempted by the
`Downloadable; and
`
`F‐Secure’s products meet the recited claim language because it derives security
`profile data for the Downloadable, including a list of suspicious computer
`operations that may be attempted by the Downloadable.
`
`As shown below, F‐Secure’s products meet the recited claim language because F‐
`Secure uses DeepGuard looks for suspicious computer operations. (“ DeepGuard
`does not red‐flag a program on the basis of a single action but instead watches
`for multiple suspicious operations.”)
`
`
`
`
`- 5 -
`
`
`
`
`https://www.f‐
`secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
`
`
`
`
`
`F‐Secure’s products meets the recited claim language because it stores the
`Downloadable security profile data in a database.
`
`As shown below, F‐Secure’s products meet the recited claim language because it
`stores the profile created by the analysis of the downloadable in a database.
`
`
`
`1d. storing the Downloadable
`security profile data in a
`database.
`
`
`
`- 6 -
`
`
`
`The information is stored in RTPN and then used to for future reference.
`
`
`
`https://www.f‐secure.com/documents/10192/137594/FSC_SVCE_functionality‐
`description_htc_web/98f0fbbf‐a8ec‐4d75‐b042‐d20312553aa3
`
`
`
`
`- 7 -
`
`
`
`
`
`
`
`
`
`
`
`Proofpoint and Armorize
`US 8,677,494
`For purposes of this chart, the licensed Proofpoint and Armorize products include Enterprise Protection and
`Targeted Attack Protection.
`
`As identified and described element by element below, the licensed products specifically listed above meet at
`least claim 1 of the ‘494 Patent.
`Claim 1
`
`Proofpoint’s products meet the recited claim language because it receives an
`1a. A computer based
`incoming downloadable.
`method, comprising the steps
`
`of:
`Proofpoint products are software based products that use computer processors
`for scanning incoming program code, or executable files, data, and other content
`they receive, performing analysis including sandboxing, creating a profile of the
`incoming downloadable and sending the information gathered to be stored in
`database that can be displayed on threat dashboard.
`
`As shown below, Enterprise Protection and Targeted Attack Protection performs
`a method for preparing profile for detecting threat content.
`
`https://proofpoint.com/sites/default/files/documents/bnt_download/pp‐
`enterprise‐protection‐ds.pdf
`
`
`
`Proofpoint’s products meet the recited claim language because they receive
`incoming downloadables.
`
`As shown below, Enterprise Protection and Targeted Attack Protection meet this
`claim element because it receives and inspects Downloadables by monitoring
`emails in real‐time to detect threats in the emails or email attachments.
`Downloadables are content received over the Internet, and includes web
`content and email content.
`
`1b. receiving an incoming
`downloadable
`
`
`
`- 8 -
`
`
`
`
`
`
`
`https://proofpoint.com/sites/default/files/documents/bnt_download/pp‐
`enterprise‐protection‐ds.pdf
`
`As shown below, Enterprise Protection and Targeted Attack Protection inspect
`Downloadables because it receives web and email content to perform deep
`content inspection techniques to scan and parse text and structure.
`
`
`
`
`http://www‐admin.proofpoint.com/products/platform/cloud‐infrastructure.php
`
`This is further shown in Proofpoint’s documents in describing Attachment
`Defense. As shown below, Enterprise Protection and Targeted Attack Protection
`receive an email message and checks to see if there is an attachment and
`determines whether to scan the downloadable.
`
`- 9 -
`
`
`
`
`
`1c. deriving security profile
`data for the Downloadable,
`including a list of suspicious
`computer operations that
`may be attempted by the
`Downloadable; and
`
`
`
`
`Proofpoint’s products meet the recited claim language because it derives
`security profile data for the Downloadable, including a list of suspicious
`computer operations that may be attempted by the Downloadable.
`
`As shown below, Enterprise Protection and Targeted Attack Protection meets
`the recited claim language because it receives and inspects web and email
`content and develops a profile in memory for the received content. The derived
`profile identifies whether there is suspicious code in the content, including in an
`email/email attachment. Enterprise Protection and Targeted Attack Protection
`derive the security profile using both static and dynamic analysis techniques,
`such as the use of sandbox.
`
`https://proofpoint.com/sites/default/files/documents/bnt_download/pp‐
`enterprise‐protection‐ds.pdf
`
`
`
`- 10 -
`
`
`
`
`
`As shown below, Enterprise Protection and Targeted Attack Protection identifies
`suspicious code in web and email content and sandboxes the destination URL or
`attachments to the email to determine if they are malicious. Enterprise
`Protection and Targeted Attack Protection creates a profile in memory for the
`email that identifies if there is suspicious code in the received email. The
`security profile is generated based on the behavior and patterns observed from
`the destination URL or attachment, which Enterprise Protection records in
`memory in the security profile.
`
`
`http://www‐admin.proofpoint.com/products/targeted‐attack‐protection/next‐
`generation‐detection.php
`
`This element is further shown in Proofpoint’s documents in describing
`Attachment Defense. As shown below, Enterprise Protection and Targeted
`Attack Protection takes the downloadable attachment and sends to the sandbox
`to derive a list of suspicious operations.
`
`
`As shown below, a profile is created using the suspicious behaviors observed.
`
`
`
`
`- 11 -
`
`
`
`
`
`
`
`https://www.globalsign.com/support/ordering‐guides/Hackalert_FAQ_V1.pdf.
`
`
`
`Proofpoint’s products meets the recited claim language because it stores the
`Downloadable security profile data in a database.
`
`As shown below, Enterprise Protection and Targeted Attack Protection meets
`the recited claim language because it stores the profile created by the analysis of
`the downloadable in a database. The information is stored and then used to
`create a threat dashboard that provides information to the system
`administrator.
`
`As shown below, a profile is created using the suspicious behaviors observed.
`
`
`
`
`1d. storing the Downloadable
`security profile data in a
`database.
`
`https://www.globalsign.com/support/ordering‐guides/Hackalert_FAQ_V1.pdf.
`
`Using the details from the profile, Proofpoint’s products shows the forensic
`analysis in a threat dashboard as shown below, including code snippets and
`observed behaviors.
`
`
`
`
`
`
`- 12 -
`
`
`
`
`
`https://www.youtube.com/watch?v=4a3UxJsMNdE
`
`
`
`
`
`- 13 -
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
