US 8,677,494

For purposes of this chart, the licensed Avast products include Endpoint Protection and other antivirus
products utilizing Avast! Research Labs, DynaGen, Malware Similarity Search, and Evo-Gen technologies.

As identified and described element by element below, the licensed products specifically listed above
meet at least claim 1 of the ‘494 Patent.

Claim 1

1a. A computer based method, comprising the steps of:

Avast’s products meet the recited claim language because they receive an incoming downloadable.

Avast products, including Endpoint Protection, are software based products that use computer
processors for scanning incoming program code, or executable files, data, and other content they
receive, performing analysis including sandboxing, creating a profile of the incoming downloadable
and sending the information gathered to be stored in a database.

https://www.avast.com/en-us/business

1b. receiving an incoming downloadable

Avast’s products meet the recited claim language because they receive incoming downloadables.

As shown below, Avast’s Endpoint Protection and other antivirus software meet the recited claim
language. The avast! Research Lab uses DynaGen technology to classify files as clean or dirty and
create generic malware descriptions from multiple dirty files having shared characteristics. See
avast! 2014 Frequently Asked Questions -- New Features
< http://www.avast.com/en-us/faq.php?article=AVKB89#idt_01 >; avast! antivirus: security from cloud
(2013) at pp. 15-18; New Toy in the Avast Research Lab (2012)
< http://blog.avast.com/2012/12/03/new-toy-research-lab/ >; Declaring machine war against malicious
Android packages (2014)
< http://blog.avast.com/2014/04/02/declaring-machine-war-against-malicious-android-packages/ >.

The files analyzed by DynaGen include unclassified executable files that are downloaded over the
Internet to endpoints running avast! endpoint security software, and then received from the
endpoints by the avast! Research Lab for "back-end" analysis.

1c. deriving security profile data for the Downloadable, including a list of suspicious computer
operations that may be attempted by the Downloadable; and

Avast’s products meet the recited claim language because they derive security profile data for the
Downloadable, including a list of suspicious computer operations that may be attempted by the
Downloadable.

As shown below, Avast’s Endpoint Protection and other antivirus software meet the recited claim
language because Avast uses DynaGen technology that includes two back-end classifiers: (1) Malware
Similarity Search; and (2) Evo-Gen. See avast! antivirus: security from cloud (2013) at pp. 17; New
Toy in the Avast Research Lab (2012) < http://blog.avast.com/2012/12/03/new-toy-research-lab/ >;
Declaring machine war against malicious Android packages (2014)
< http://blog.avast.com/2014/04/02/declaring-machine-war-against-malicious-android-packages/ >.

Malware Similarity Search scans unclassified executable files and creates representations of the
files. A representation of a file includes its static properties as well as dynamic "execution
traces" discovered by executing the file and logging suspicious operations. Malware Similarity
Search scans for over 100 features that are easily identified and relevant to malware
classification. Once the representation of the file is generated, the static properties and
execution traces of the file are compared for similarity with static properties and execution
traces of known clean and dirty samples and the file is classified as either clean or dirty.

Moreover, if the file is classified as dirty, Evo-Gen creates a generic malware description that
includes static properties and execution traces that are shared by the file and other known dirty
samples (security profile data including a list of suspicious computer operations that may be
attempted by the Downloadable). The goal of Evo-Gen is to produce a brief description that describes
as many dirty samples as possible without describing any clean sample. The execution traces in the
generic malware description identify suspicious operations that may be attempted by dirty samples
from which the description is created, including SEND, WRITE, RECEIVE, DISABLE, ACCESS, MOUNT,
UNMOUNT, CALL and LOG operations. By way of example, a generic malware description created for a
related group of fake Korean banking Android application packages called Android:Telman is shown
below.

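An added example, not part of the chart and not Avast's code: a simplified sketch of the two steps described above, similarity classification of a file's feature set against known clean and dirty samples, then a greedy search for a brief feature list that describes as many dirty samples as possible and no clean sample. The Jaccard measure, the greedy strategy, the `static:`/`trace:` feature names and the sample sets are assumptions made for illustration; the operation names are the ones listed above.

```python
# Added illustration only: not Avast's implementation. Feature names and
# sample sets are constructed; operation names are those listed in the chart.

def jaccard(a, b):
    """Similarity of two feature sets (static properties + trace operations)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def classify(sample, clean, dirty):
    """Label a sample after its most similar known sample (nearest neighbour)."""
    best_clean = max((jaccard(sample, c) for c in clean), default=0.0)
    best_dirty = max((jaccard(sample, d) for d in dirty), default=0.0)
    return "dirty" if best_dirty > best_clean else "clean"

def generic_description(dirty, clean):
    """Greedy search for a brief feature list that no clean sample fully
    matches while as many dirty samples as possible still do.
    Returns (features, dirty_samples_described) or None if inseparable."""
    desc, covered, matching_clean = [], list(dirty), list(clean)
    candidates = sorted(set().union(*dirty))
    while matching_clean:
        best = None
        for f in candidates:
            if f in desc:
                continue
            kept = sum(f in d for d in covered)                # dirty still described
            dropped = sum(f not in c for c in matching_clean)  # clean ruled out
            if kept and dropped and (best is None or (kept, dropped) > best[:2]):
                best = (kept, dropped, f)
        if best is None:
            return None
        desc.append(best[2])
        covered = [d for d in covered if best[2] in d]
        matching_clean = [c for c in matching_clean if best[2] in c]
    return desc, len(covered)

# Constructed samples (hypothetical).
DIRTY = [
    {"static:unsigned", "trace:RECEIVE", "trace:SEND", "trace:DISABLE"},
    {"static:unsigned", "trace:RECEIVE", "trace:SEND", "trace:WRITE"},
    {"static:packed", "trace:RECEIVE", "trace:SEND", "trace:DISABLE", "trace:LOG"},
]
CLEAN = [
    {"static:unsigned", "trace:WRITE", "trace:LOG"},
    {"trace:SEND", "trace:LOG", "trace:ACCESS"},
    {"trace:RECEIVE", "trace:WRITE", "trace:CALL"},
]

if __name__ == "__main__":
    print(generic_description(DIRTY, CLEAN))
```

On the constructed data no single operation separates the sets: RECEIVE and SEND each appear in a clean sample, and only the pair together describes all three dirty samples without describing a clean one.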
1d. storing the Downloadable security profile data in a database.

Avast’s products meet the recited claim language because they store the Downloadable security
profile data in a database.

As shown below, Avast’s Endpoint Protection and other anti-virus software meet the recited claim
language because they store the profile created by the analysis of the downloadable in a database.
The information is stored and then used for future reference.

The file's execution traces and any generic malware description created using the execution traces
are stored in the avast! Research Lab database for future reference (storing the Downloadable
security profile in a database).

See avast! antivirus: security from cloud (2013) at pp. 15-18; New Toy in the Avast Research Lab
(2012) < http://blog.avast.com/2012/12/03/new-toy-research-lab/ >; Declaring machine war against
malicious Android packages (2014)
< http://blog.avast.com/2014/04/02/declaring-machine-war-against-malicious-android-packages/ >.

F-Secure
US 8,677,494

For purposes of this chart, the licensed F-Secure products and services utilize Real-Time Protection
Network (RTPN) and DeepGuard technologies. See
https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf.

As identified and described element by element below, the licensed products specifically listed above
meet at least claim 1 of the ‘494 Patent.

Claim 1

1a. A computer based method, comprising the steps of:

F-Secure’s products meet the recited claim language because they receive an incoming downloadable.

F-Secure products are software based products that use computer processors for scanning incoming
program code, or executable files, data, and other content they receive, performing analysis
including sandboxing, creating a profile of the incoming downloadable and sending the information
gathered to be stored in a database. F-Secure utilizes a Real-Time Protection Network (“RTPN”),
which is a crowd-sourced means to acquire unknown, potentially malicious files from the Internet,
store them on F-Secure’s servers, and process these files, thereby creating and propagating
protection policies. Unknown files are scanned by F-Secure’s “DeepGuard”. DeepGuard is a heuristic
and sandbox based file scanning service. DeepGuard monitors potentially malicious files, including
PDFs. https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf

…

https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf

1b. receiving an incoming downloadable

https://www.f-secure.com/documents/10192/137594/FSC_SVCE_functionality-description_htc_web/98f0fbbf-a8ec-4d75-b042-d20312553aa3

F-Secure’s products meet the recited claim language because they receive incoming downloadables.

As shown below, F-Secure’s products meet the recited claim language because they receive incoming
downloadables like PDFs.
https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf

https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf

1c. deriving security profile data for the Downloadable, including a list of suspicious computer
operations that may be attempted by the Downloadable; and

F-Secure’s products meet the recited claim language because they derive security profile data for
the Downloadable, including a list of suspicious computer operations that may be attempted by the
Downloadable.

As shown below, F-Secure’s products meet the recited claim language because F-Secure uses
DeepGuard, which looks for suspicious computer operations. (“DeepGuard does not red-flag a program
on the basis of a single action but instead watches for multiple suspicious operations.”)

https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf

1d. storing the Downloadable security profile data in a database.

F-Secure’s products meet the recited claim language because they store the Downloadable security
profile data in a database.

As shown below, F-Secure’s products meet the recited claim language because they store the profile
created by the analysis of the downloadable in a database.

The information is stored in RTPN and then used for future reference.

https://www.f-secure.com/documents/10192/137594/FSC_SVCE_functionality-description_htc_web/98f0fbbf-a8ec-4d75-b042-d20312553aa3

Proofpoint and Armorize
US 8,677,494

For purposes of this chart, the licensed Proofpoint and Armorize products include Enterprise
Protection and Targeted Attack Protection.

As identified and described element by element below, the licensed products specifically listed above
meet at least claim 1 of the ‘494 Patent.

Claim 1

1a. A computer based method, comprising the steps of:

Proofpoint’s products meet the recited claim language because they receive an incoming downloadable.

Proofpoint products are software based products that use computer processors for scanning incoming
program code, or executable files, data, and other content they receive, performing analysis
including sandboxing, creating a profile of the incoming downloadable and sending the information
gathered to be stored in a database that can be displayed on a threat dashboard.

As shown below, Enterprise Protection and Targeted Attack Protection perform a method for preparing
a profile for detecting threat content.

https://proofpoint.com/sites/default/files/documents/bnt_download/pp-enterprise-protection-ds.pdf

1b. receiving an incoming downloadable

Proofpoint’s products meet the recited claim language because they receive incoming downloadables.

As shown below, Enterprise Protection and Targeted Attack Protection meet this claim element because
they receive and inspect Downloadables by monitoring emails in real-time to detect threats in the
emails or email attachments. Downloadables are content received over the Internet, and include web
content and email content.

https://proofpoint.com/sites/default/files/documents/bnt_download/pp-enterprise-protection-ds.pdf

As shown below, Enterprise Protection and Targeted Attack Protection inspect Downloadables because
they receive web and email content to perform deep content inspection techniques to scan and parse
text and structure.

http://www-admin.proofpoint.com/products/platform/cloud-infrastructure.php

This is further shown in Proofpoint’s documents in describing Attachment Defense. As shown below,
Enterprise Protection and Targeted Attack Protection receive an email message, check to see if
there is an attachment, and determine whether to scan the downloadable.

1c. deriving security profile data for the Downloadable, including a list of suspicious computer
operations that may be attempted by the Downloadable; and

Proofpoint’s products meet the recited claim language because they derive security profile data for
the Downloadable, including a list of suspicious computer operations that may be attempted by the
Downloadable.

As shown below, Enterprise Protection and Targeted Attack Protection meet the recited claim
language because they receive and inspect web and email content and develop a profile in memory for
the received content. The derived profile identifies whether there is suspicious code in the
content, including in an email/email attachment. Enterprise Protection and Targeted Attack
Protection derive the security profile using both static and dynamic analysis techniques, such as
the use of a sandbox.

https://proofpoint.com/sites/default/files/documents/bnt_download/pp-enterprise-protection-ds.pdf

As shown below, Enterprise Protection and Targeted Attack Protection identify suspicious code in web
and email content and sandbox the destination URL or attachments to the email to determine if they
are malicious. Enterprise Protection and Targeted Attack Protection create a profile in memory for
the email that identifies if there is suspicious code in the received email. The security profile is
generated based on the behavior and patterns observed from the destination URL or attachment, which
Enterprise Protection records in memory in the security profile.

http://www-admin.proofpoint.com/products/targeted-attack-protection/next-generation-detection.php

This element is further shown in Proofpoint’s documents in describing Attachment Defense. As shown
below, Enterprise Protection and Targeted Attack Protection take the downloadable attachment and
send it to the sandbox to derive a list of suspicious operations.

As shown below, a profile is created using the suspicious behaviors observed.

https://www.globalsign.com/support/ordering-guides/Hackalert_FAQ_V1.pdf.

1d. storing the Downloadable security profile data in a database.

Proofpoint’s products meet the recited claim language because they store the Downloadable security
profile data in a database.

As shown below, Enterprise Protection and Targeted Attack Protection meet the recited claim
language because they store the profile created by the analysis of the downloadable in a database.
The information is stored and then used to create a threat dashboard that provides information to
the system administrator.

As shown below, a profile is created using the suspicious behaviors observed.

https://www.globalsign.com/support/ordering-guides/Hackalert_FAQ_V1.pdf.

Using the details from the profile, Proofpoint’s products show the forensic analysis in a threat
dashboard as shown below, including code snippets and observed behaviors.

https://www.youtube.com/watch?v=4a3UxJsMNdE