United States Patent [19]
Ji et al.

[11] Patent Number: 5,623,600
[45] Date of Patent: Apr. 22, 1997

[54] VIRUS DETECTION AND REMOVAL APPARATUS FOR COMPUTER NETWORKS

[75] Inventors: Shuang Ji, Foster City; Eva Chen, Cupertino, both of Calif.

[73] Assignee: Trend Micro, Incorporated, Cupertino, Calif.

[21] Appl. No.: [illegible in scan]
[22] Filed: Sep. 26, 1995
[51] Int. Cl.: G06F 11/34
[52] U.S. Cl.: 395/187.01; 364/286.4; 364/DIG. 1
[58] Field of Search: 395/186, 187.1, 200.06; 380/4; 364/285.1, 286.4

[56] References Cited

U.S. PATENT DOCUMENTS

4,975,950   12/1990   Lentz ................ 380/4
5,319,776    6/1994   Hile et al. .......... 395/575
5,414,833    5/1995   Hershey et al. ....... 395/187.01
5,440,723    8/1995   Arnold et al. ........ 395/181
5,444,850    8/1995   Chang ................ 395/182
5,448,668    9/1995   Perelson et al. ...... 395/183
5,452,442    9/1995   Kephart
5,485,575    1/1996   Chess et al. ......... 395/183
5,491,791    2/1996   Glowny et al. ........ 395/183
5,511,163    4/1996   Lerche et al. ........ 395/183.15

FOREIGN PATENT DOCUMENTS

666671     8/1995   European Pat. Off. ... H04L 29/06
6350784      1994   Japan ................ H04N 1/00
9322723   11/1993   WIPO ................. G06F 11/00

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Albert Decady
Attorney, Agent, or Firm: Christopher M. Tobin; Greg T. Sueoka

[57] ABSTRACT

A system for detecting and eliminating viruses on a computer network includes a File Transfer Protocol (FTP) proxy server for controlling the transfer of files and a Simple Mail Transfer Protocol (SMTP) proxy server for controlling the transfer of mail messages through the system. The FTP proxy server and SMTP proxy server run concurrently with the normal operation of the system and operate in a manner such that viruses transmitted to or from the network in files and messages are detected before transfer into or from the system. The FTP proxy server and SMTP proxy server scan all incoming and outgoing files and messages, respectively, before transfer for viruses and then transfer the files and messages only if they do not contain any viruses. A method for processing a file before transmission into or from the network includes the steps of: receiving the data transfer command and file name; transferring the file to a system node; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the system to a recipient node if the file does not contain a virus; and deleting the file if the file contains a virus.

22 Claims, 12 Drawing Sheets

[Representative drawing: flowchart of the FTP proxy file-transfer method (client connection request, Internet daemon spawning the FTP proxy server, temporary storage and scanning at the gateway, delete or store renamed file depending on configuration); see FIGS. 6A and 6B]

CS-1012
Cisco Systems, Inc. v. Finjan, Inc.
Page 1
U.S. Patent    Apr. 22, 1997    Sheet 1 of 12    5,623,600

[FIG. 1 (Prior Art): block diagram of an information system with several networks; label legible in the scan: "Telephone Line or Network Link"]

U.S. Patent    Apr. 22, 1997    Sheet 2 of 12    5,623,600

[FIG. 2: block diagram of the gateway node; labels legible in the scan: Data Storage Device, Communications Unit, Network Link, Input Device; reference numerals legible: 40, 44, 46, 50, 52, 54]

U.S. Patent    Apr. 22, 1997    Sheet 3 of 12    5,623,600

[FIG. 3: block diagram of the gateway node memory; labels legible in the scan: FTP Proxy Server 60, SMTP Proxy Server, Application Programs 68]

U.S. Patent    Apr. 22, 1997    Sheet 4 of 12    5,623,600

FIG. 4: protocol layer hierarchy of the invention compared with the OSI layer model

OSI Layer          | Protocol / Implementation
-------------------|----------------------------------------------------------------------
406 Application    | 423 File Transfer | 424 Electronic Mail | 425 Terminal Emulation | 426 Network Management
                   | 421 FTP Proxy Server | 422 SMTP Proxy Server
405 Presentation   | 417 File Transfer Protocol (FTP) | 418 Simple Mail Transfer Protocol (SMTP)
404 Session        | 419 TELNET Protocol | 420 Simple Network Management Protocol (SNMP)
403 Transport      | 415 Transmission Control Protocol (TCP) | 416 User Datagram Protocol (UDP)
402 Network        | 412 Address Resolution | 413 Internet Protocol (IP) | 414 Internet Control Message Protocol (ICMP)
401 Data Link      | 411 Network Interface Cards: Ethernet, StarLAN, Token Ring
400 Physical       | 410 Transmission media: twisted pair, coax or fiber optics

U.S. Patent    Apr. 22, 1997    Sheet 5 of 12    5,623,600

[FIG. 5A: functional block diagram of the system for sending data files; labels not legible in the scan]

U.S. Patent    Apr. 22, 1997    Sheet 6 of 12    5,623,600

[FIG. 5B: functional block diagram of the system for receiving data files; labels not legible in the scan]

U.S. Patent    Apr. 22, 1997    Sheet 7 of 12    5,623,600

FIG. 6A (flowchart):
  Start
  600  Client node sends connection request
  602  Internet Daemon creates an instance of the FTP proxy server & passes connection to the FTP proxy server
  604  Client node sends data transfer request & file name, and establishes a data port
  606  Data transfer request & file name received by FTP proxy server
  608  Is data being transferred in an outbound direction?  Yes: continue at FIG. 6B; No: continue at FIG. 6C

U.S. Patent    Apr. 22, 1997    Sheet 8 of 12    5,623,600

FIG. 6B (flowchart, continued from FIG. 6A; reference numerals legible in the scan: 612, 614, 616, 618, 620, 624, 626, 628):
  Is the file of a type that can contain viruses?
  Transfer file from client to FTP proxy server through port
  Store file temporarily at gateway
  Analyze temporarily stored file for viruses
  Send any virus detection messages from FTP proxy server to client as a reply
  Does file contain any viruses?
  Determine configuration settings
  Send request and file to FTP [remainder of box illegible]
  Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file
  End

U.S. Patent    Apr. 22, 1997    Sheet 9 of 12    5,623,600

FIG. 6C (flowchart, continued from FIG. 6A; reference numerals legible in the scan: 640, 642, 644, 654, 656, 658, 660, 662):
  Send data transfer request and filename to FTP daemon and then to server
  Establish a second port between FTP daemon and server
  Send file from server to the FTP daemon and then to FTP proxy server
  Send any virus detection messages from FTP proxy server to client as a reply
  Does file contain any viruses?
  Retrieve configuration file
  Transfer file anyway?
  Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file
  Transfer file from FTP proxy server to client through port
  End

U.S. Patent    Apr. 22, 1997    Sheet 10 of 12    5,623,600

[FIG. 7: functional block diagram of the system for transmitting mail messages; labels not legible in the scan]

U.S. Patent    Apr. 22, 1997    Sheet 11 of 12    5,623,600

FIG. 8A (flowchart; reference numerals legible in the scan: 800, 802, 804, 806, 810, 812, 818):
  Spawn SMTP proxy server
  Create a first port for communication between the client and SMTP proxy server
  Bind SMTP proxy server to the first port
  Spawn SMTP daemon
  Create a second port for communication from proxy server to SMTP daemon
  Bind SMTP daemon to the second port
  Client node requests a connection from the SMTP proxy server
  Transmit message from client node to SMTP proxy server

U.S. Patent    Apr. 22, 1997    Sheet 12 of 12    5,623,600

FIG. 8B (flowchart, continued from FIG. 8A; reference numerals legible in the scan: 814, 816, 820, 822, 824, 830, 834, 836, 838, 840):
  Scan message for encoded portions
  Does message include encoded portions?  No: transmit message through second port to SMTP daemon
  Store message in temporary file(s)
  Decode message
  Perform virus detection on message
  Does message contain any viruses?
  Determine configuration for virus detection handling
  Determine action to be taken if virus detected
  Transmit transformed message and perform determined action on each encoded portion
  Transmit message through second port to SMTP daemon
  Create a third port for communication from SMTP daemon to server task
  Bind server task to the third port
  Transmit message through third port to client
  End
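The message path drawn in FIG. 8B (scan for encoded portions, decode, scan, apply the configured action to each infected portion, forward the transformed message), as an added Python example that is not part of the patent or of Trend Micro's product. It treats a MIME body part with a base64 or quoted-printable transfer encoding as an "encoded portion", uses a constructed one-entry signature set, and builds its own sample messages with the standard `email` library; the `on_virus` values "remove" and "pass" are assumed configuration choices.

```python
"""Gateway-side handling of a mail message, following FIG. 8B: find the
encoded portions, decode each, scan it, and forward a transformed message
in which infected portions have had the configured action applied.
Added illustration, not Trend Micro's code; signatures and samples are
constructed for the example."""
import email
from email import policy
from email.message import EmailMessage
from typing import Iterator, List, Optional, Tuple

# Constructed signature database (real scanners hold many long patterns).
SIGNATURES = {"Constructed.Test": b"VIRUS-SIGNATURE-FOR-EXAMPLE"}

# Transfer encodings that hide a part's bytes: these are the
# "encoded portions" the flowchart decodes before scanning.
ENCODED = ("base64", "quoted-printable")


def scan_bytes(data: bytes) -> Optional[str]:
    """Signature scan of decoded bytes; first matching name, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def encoded_portions(msg: EmailMessage) -> Iterator[Tuple[EmailMessage, bytes]]:
    """Yield each leaf part with an encoding from ENCODED and its decoded bytes."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if cte in ENCODED:
            yield part, part.get_payload(decode=True) or b""


def filter_message(raw: bytes, on_virus: str = "remove") -> Tuple[bytes, List[Tuple[str, str]]]:
    """Scan the encoded portions of `raw`; return the message to forward and a
    list of (filename, virus) findings.  on_virus is "remove" (replace the
    infected part with a notice) or "pass" (forward unchanged, but report)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part, data in list(encoded_portions(msg)):
        virus = scan_bytes(data)
        if virus is None:
            continue
        filename = part.get_filename() or "(no name)"
        findings.append((filename, virus))
        if on_virus == "remove":
            # keep the rest of the message intact; only the infected portion
            # is replaced by a plain-text notice to the recipient
            part.clear_content()
            part.set_content("[Attachment %s removed at gateway: %s detected]\n" % (filename, virus))
    return msg.as_bytes(), findings


def attachment_names(raw: bytes) -> List[str]:
    """File names of the attachments still present in a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if not p.is_multipart() and p.get_filename()]


def build_sample(attachment: bytes, filename: str = "invoice.exe") -> bytes:
    """Constructed sample: text body plus one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached file.\n")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Note the branch the flowchart takes when no encoded portion is found: the message is forwarded to the SMTP daemon without being scanned. A plain 7bit or 8bit attachment therefore passes this check untouched, so a gateway built on this design should scan every leaf part regardless of its transfer encoding rather than only the encoded ones.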
5,623,600

VIRUS DETECTION AND REMOVAL APPARATUS FOR COMPUTER NETWORKS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer systems and computer networks. In particular, the present invention relates to a system and method for detecting and removing computer viruses. Still more particularly, the present invention relates to a system and method for detecting and removing computer viruses from file and message transfers between computer networks.

2. Description of the Related Art

During the recent past, the use of computers has become widespread. Moreover, the interconnection of computers into networks has also become prevalent. Referring now to FIG. 1, a block diagram of a portion of a prior art information system 20 is shown. The portion of the information system 20 shown comprises a first network 22, a second network 24 and a third network 26. This information system 20 is provided only by way of example, and those skilled in the art will realize that the information system 20 may include any number of networks, each of the networks being its own protected domain and having any number of nodes. As shown in FIG. 1, each of the networks 22, 24, 26 is formed from a plurality of nodes 30, 32. Each of the nodes 30, 32 is preferably a microcomputer. The nodes 30, 32 are coupled together to form a network by a plurality of network connections 36. For example, the nodes 30, 32 may be connected together using a token ring format, ethernet format or any of the various other formats known in the art. Each of the networks 22, 24, 26 includes a node 32 that acts as a gateway to link the respective network 22, 24, 26 to other networks 22, 24, 26. Each of the gateway nodes 32 is preferably coupled by a standard telephone line connection 34 such as POTS (Plain Old Telephone Service) or a T-1 link to the other gateway nodes 32 through a telephone switching system 28. All communication between the networks 22, 24, 26 is preferably performed through one of the gateway nodes 32.

One particular problem that has plagued computers, in particular microcomputers, has been computer viruses and worms. A computer virus is a section of code that is buried or hidden in another program. Once the program is executed, the code is activated and attaches itself to other programs in the system. Infected programs in turn copy the code to other programs. The effect of such viruses can be simple pranks that cause a message to be displayed on the screen or more serious effects such as the destruction of programs and data. Another problem in the prior art is worms. Worms are destructive programs that replicate themselves throughout disk and memory, using up all available computer resources and eventually causing the computer system to crash. Obviously, because of the destructive nature of worms and viruses, there is a need for eliminating them from computers and networks.

The prior art has attempted to reduce the effects of viruses and prevent their proliferation by using various virus detection programs. One such virus detection method, commonly referred to as behavior interception, monitors the computer or system for important operating system functions such as write, erase, format disk, etc. When such operations occur, the program prompts the user for input as to whether such an operation is expected. If such an operation is not expected (e.g., the user was not operating any program that employed such a function), the user can abort the operation knowing it was being prompted by a virus program. Another virus detection method, known as signature scanning, scans program code that is being copied onto the system. The system searches for known patterns of program code used for viruses. Currently, signature scanning only operates on the floppy disk drives, hard drives or optical drives. Yet another prior art approach to virus detection performs a checksum on all host programs stored on a system and known to be free from viruses. Thus, if a virus later attaches itself to a host program, the checksum value will be different and the presence of a virus can be detected.

Nonetheless, these approaches of the prior art suffer from a number of shortcomings. First, behavior interception is not successful at detecting all viruses because critical operations that may be part of the code for a virus can be placed at locations where such critical operations are likely to occur for the host program. Second, signature scanning is only performed on new inputs from disk drives. With the advent of the Internet and its increased popularity, there are no prior art methods that have been able to successfully scan connections 36 such as those utilized by a gateway node in communicating with other networks. Third, many of the above methods require a significant amount of computing resources, which in turn degrades the overall performance of the system. Thus, operating the virus detection programs on every computer becomes impractical. Therefore, the operation of many such virus detection programs is disabled for improved performance of individual machines.

Therefore, there is a need for a system and method for effectively detecting and eliminating viruses without significantly affecting the performance of the computer. Moreover, there is a need for a system and method that can detect and eliminate viruses in networks attached to other information systems by way of gateways or the Internet.

SUMMARY OF THE INVENTION

The present invention overcomes the limitations and shortcomings of the prior art with an apparatus and method for detecting and eliminating viruses on a computer network. A system including the present invention is a network formed of a plurality of nodes and a gateway node for connection to other networks. The nodes are preferably microcomputers, and the gateway node comprises: a display device, a central processing unit, a memory forming the apparatus of the present invention, an input device, a network link and a communications unit. The memory further comprises an operating system including a kernel, a File Transfer Protocol (FTP) proxy server, and a Simple Mail Transfer Protocol (SMTP) proxy server. The central processing unit, display device, input device, and memory are coupled and operate to execute the application programs stored in the memory. The central processing unit of the gateway node also executes the FTP proxy server for transmitting and receiving files over the communications unit, and executes the SMTP proxy server for transmitting and receiving messages over the communications unit. The FTP proxy server and SMTP proxy server are preferably executed concurrently with the normal operation of the gateway node. The servers advantageously operate in a manner such that viruses transmitted to or from the network in messages and files are detected before the files are transferred into or from the network. The gateway node of the present invention is particularly advantageous because the impact of using the FTP proxy server and SMTP proxy server for the detection of viruses is minimized because only
the files leaving or entering the network are evaluated for the presence of viruses and all other "intra" network traffic is unaffected.

The present invention also comprises a method for processing a file before transmission into the network and a method for processing a file before transmission from the network. The preferred method for processing a file comprises the steps of: receiving the data transfer command and file name; transferring the file to the proxy server; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the proxy server to a recipient node if the file does not contain a virus; and performing a preset action with the file if it does contain a virus. The present invention also includes methods for processing messages before transmission to or from the network that operate in a similar manner.
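The file-processing method summarized above, as an added Python example that is not part of the patent or of Trend Micro's product. It folds in the decision points of the flowcharts (transfer direction from the FTP command, whether the file type is one that can carry a virus, and the configured action when a virus is found). Everything not named in the patent is an assumption for the example: the signature patterns are constructed, the "type that can contain viruses" test is made on the file-name suffix, the configuration keys `on_virus` and `quarantine_dir` are invented, and the `payload` argument stands in for the bytes received over the data port.

```python
"""Store-and-forward virus check for an FTP proxy, following the method
summarized above: receive the transfer command and file name, buffer the
file at the gateway, scan it, forward it only if clean, otherwise apply a
preset action.  Added illustration, not Trend Micro's code.  Signatures,
the scannable-type list and the configuration keys are constructed."""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed signature database: byte patterns a signature scanner looks
# for.  A real scanner holds thousands of much longer patterns.
SIGNATURES = {
    "Constructed.Test": b"VIRUS-SIGNATURE-FOR-EXAMPLE",
    "Constructed.Stub": b"\xe8\x00\x00\x00\x00\x5d\x81\xed",
}

# Assumption: the "file of a type that can contain viruses" test is made
# on the file-name suffix, as scanners of the period did.
SCANNABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys", ".zip", ".doc")


@dataclass(frozen=True)
class ProxyConfig:
    """Assumed configuration for the "delete file or store renamed file at
    gateway node depending on configuration setting" step."""
    on_virus: str = "delete"                      # delete | quarantine | transfer
    quarantine_dir: str = os.path.join(tempfile.gettempdir(), "ftp-proxy-quarantine")


@dataclass(frozen=True)
class Decision:
    direction: str                    # "outbound" (client sends) or "inbound" (client fetches)
    scanned: bool                     # False when the type was passed through unscanned
    virus: Optional[str]              # signature name, or None
    action: str                       # transfer | delete | quarantine
    reply: str                        # FTP reply line the proxy returns to the client
    stored_as: Optional[str] = None   # quarantine path when a renamed copy is kept


def parse_transfer_command(line: str) -> Tuple[str, str]:
    """Map an FTP data-transfer command to a direction and file name.  With
    the client inside the protected domain, STOR pushes a file out
    (outbound) and RETR pulls one in (inbound)."""
    verb, _, name = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "STOR":
        return "outbound", name
    if verb == "RETR":
        return "inbound", name
    raise ValueError("not a data-transfer command: %r" % line)


def scan_bytes(data: bytes) -> Optional[str]:
    """Signature scan: name of the first matching pattern, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def proxy_transfer(command: str, payload: bytes, cfg: ProxyConfig) -> Decision:
    """Run one transfer through the gateway check and decide what to do
    with it.  `payload` stands in for the bytes received over the data port."""
    direction, name = parse_transfer_command(command)
    if not name.lower().endswith(SCANNABLE_SUFFIXES):
        # type cannot carry a virus: forward without buffering or scanning
        return Decision(direction, False, None, "transfer", "150 Opening data connection")

    # store temporarily at the gateway, analyze the stored copy, erase it afterwards
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        tmp_path = tmp.name
    try:
        with open(tmp_path, "rb") as fh:
            virus = scan_bytes(fh.read())
        if virus is None:
            return Decision(direction, True, None, "transfer", "226 Transfer complete")

        action = cfg.on_virus if cfg.on_virus in ("delete", "quarantine", "transfer") else "delete"
        if action == "quarantine":
            # keep a renamed copy for the administrator instead of forwarding it;
            # basename() keeps a client-supplied "../" out of the quarantine path
            os.makedirs(cfg.quarantine_dir, exist_ok=True)
            stored = os.path.join(cfg.quarantine_dir, os.path.basename(name) + ".vir")
            os.replace(tmp_path, stored)
            tmp_path = None
            return Decision(direction, True, virus, action,
                            "550 %s: %s detected, file quarantined" % (name, virus), stored)
        if action == "transfer":
            # the "transfer file anyway" branch: forward, but tell the client
            return Decision(direction, True, virus, action,
                            "226 Transfer complete (warning: %s detected)" % virus)
        return Decision(direction, True, virus, "delete",
                        "550 %s: %s detected, file deleted" % (name, virus))
    finally:
        if tmp_path is not None:
            os.unlink(tmp_path)
```

The suffix test reproduces the flowchart's "is the file of a type that can contain viruses?" branch, and the first assertion below shows its cost: a file named `readme.txt` carrying the test pattern is forwarded unscanned, because the name is chosen by the sender. A practitioner would decide by content (file header, archive listing) rather than by extension, or simply scan every transfer.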
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG, 1 is a block diagram ofa priorart information system
`with a plurality of networks and a plurality of nodes upon
`which the present invention operates;
`FIG. 2 is a block diagram of a preferred embodimentfor
`a gateway node including the apparatus of the present
`invention;
`FIG. 3 is a block diagram of a preferred embodimentfor
`a memory of the gateway node including the apparatusofthe
`present invention;
`FIG. 4 is a block diagram of a preferred embodiment for
`a protocol
`layer hierarchy constructed according to the
`present invention compared to the OSI layer model of the
`priorart;
`FIG. 5A is a functional block diagram showing a preferred
`system for sending data files according to a preferred
`embodimentofthe present invention;
`FIG. 3Bis a functional block diagram showing a preferred
`system for receiving data files according to a preferred
`embodimentof the present invention;
`FIGS. 6A, 6B and 6C are a flowchart of the preferred
`method for performingfile transfer according to the present
`invention;
`FIG.7 is a functional block diagram showing a preferred
`system for transmitting mail messages according to a pre-
`ferred embodiment of the present invention; and
`FIGS. 8A and 8B are a flow chart of a preferred method
`for sending messages to/from a network.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`The virus detection system and method of the present
`invention preferably operates on an information system 20
`as has been described above with reference to FIG. 1. The
`present invention, like the prior art, preferably includes a
`plurality of node systems 30 and at least one gateway node
`33 for each network 22, 24, 26. However,
`the present
`invention is different from the prior art because it provides
`novel gateway node33 that also performsvirus detection for
`all files being transmitted into or out of a network. Further-
`more,
`the novel gateway node 33 also performs virus
`detection on all messages being transmitted into or out of an
`associated network.
`
`Referring now to FIG.2, a block diagram of a preferred
`embodiment of the novel gateway node 33 constructed in
`accordance with the present invention is shown. A preferred
`embodiment of the gateway node 33 comprises a display
`
`10
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55:
`
`60
`
`65
`
`4
`device 40, a central processing unit (CPU) 42, a memory 44,
`a data storage device 46, an input device 50, a network link
`52, and a communications unit 54, The CPU 42is connected
`by a bus 56to the display device 40, the memory 44,the data
`storage device 46, the input device 50, the network link 52,
`and the communications unit 54 in a von Neumann archi-
`tecture. The CPU 42,display device 40, input device 50, and
`memory 44 may be coupled in a conventional manner such
`as a personal computer. The CPU 42 is preferably a micro-
`processor such as an Motorola 68040 or Intel Pentium or
`X86 type processor; the display device 40 is preferably a
`video monitor; and the input device 50 is preferably a
`keyboard and mouse type controller. The CPU 42 is also
`coupled to the data storage device 44 such as a hard disk
`drive in a conventional manner. Those skilled in the art will
`realize that
`the gateway node 33 may also be a mini-
`computer or a mainframe computer.
`The bus 56 is also coupled to the network link 52 to
`facilitate communication between the gateway node 33 and
`the other nodes 30 of the network, In the preferred embodi-
`ment of the present
`invention,
`the network link 52 is
`preferably a network adapter card including a transceiver
`that is coupled to a cable or line 36. For example, the
`network link 52 may be an ethernet card connected to a
`coaxial line, a twisted pair line or a fiber optic line. Those
`skilled in the art will realize that a variety of different
`networking configurations and operating systems including
`token ring, ethernet, or arcnet may be used and that the
`present invention is independent of such use. The network
`link 52 is responsible for sending, receiving, and storing the
`signals sent over the networkor within the protected domain
`of a given network. The network link 52 is coupled to the
`bus 56 to provide these signals to the CPU 34andviceversa.
`The bus 56 is also coupled to the communications unit 54
`to facilitate communication between the gateway node 33
`and the other networks. Specifically, the communications
`unit 54 is coupled to the CPU 42 for sending data and
`message to other networks. For example, the communica-
`tions unit 54 may be a modem,a bridge ora router coupled
`to the other networks in a conventional manner. In the
`preferred embodimentof the present invention, the commu-
`nications unit 54 is preferably a router. The communications
`unit 54 is in turn coupled to other networks via a media 34
`such as a dedicated T-1 phoneline, fiber optics, or any one
`of a number of conventional connecting methods.
`The CPU 42, under the guidance and control of instruc-
`tions received from the memory 44 and from the user
`throughthe input device 50, provides signals for sending and
`receiving data using the communications unit 54. Thetrans-
`fer of data between networks is broken down into the
`sending and receiving files and messages which in turn are
`broken down into packets. The methods of the present
`invention employ a virus detection schemethat is applied to
`all transfers of messages and files into or out of a network
`via its gateway node 33.
`Referring now to FIG. 3, the preferred embodimentof the
`memory 44for the gateway node 33 is shownin more detail.
`The memory 44 is preferably a random access memory
`(RAM), but may also include read-only memory (ROM).
`The memory 44 preferably comprises a File Transfer Pro-
`tocol (FTP) proxy server 60, a Simple Mail Transfer Pro-
`tocol (SMTP) proxy server 62, and an operating system 64
`including a kernel 66. The routinesof the present invention
`for detecting virusesin file transfers and messages primarily
`include the FTP proxy server 60 and the SMTP proxy server
`62. The FTP proxy server 60 is a routine for controlling file
`transfers to and from the gateway node 33 via the commu-
`
`CS-1012
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 15
`
`CS-1012
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 15
`
`

`

`5,623,600
`
`5
`6
`nications unit 54, and thus controlling file transfers to and
`layer 424 and the SMTP
`417, and the electronic mail
`from a given network of which the gateway nodeis a part.
`protocol layer 418, to process file transfers and messages,
`The operation of the FTP proxy server 60 is described below
`respectively. For example, any file transfer requests are
`in more detail with reference to FIGS. 5A, 5B, 6A, 6B and
`generated bythe file transfer application 423,first processed
`6C. Similarly, the SMTP proxy server 62 is a routine for
`by the FTP proxyserverlayer 421, then processed bythefile
`controlling the transfer of messages to and from the gateway
`transfer protocol 417 and other lower layers 415, 413, 411
`node 33, and thus to and from the respective network
`until the data transfer is actually applied to the transmission
`associated with the gateway node 33. The operation of the
`media 410. Similarly, any messaging requests are first
`SMTP proxy server 62 is described below in more detail
`processed by the SMTP proxy server layer 418, and there-
`with reference to FIG. 7 8A and 8B. The present invention
`after processed by the SMTP protocoland other lowerlayers
`415, 413, 411 until] the physical layer is reached. The present
`preferably uses a conventional operating system 28 such as
`invention is particularly advantageous because all virus
`Berkeley Software Distribution UNIX. Those skilled in the
`screening is performed below the application level. There-
`art will realize how the present invention may bereadily
`fore, the applications are unaware that such virus detection
`adapted for use with other operating systems such as
`15 and elimination is being performed,and these operations are
`MACINTOSH System Software version 7.1, DOS, WIN-
`completely transparent to the operation of the application
`DOWS or WINDOWS NT. The memory 44 may also
`level layers 406. While the FIP proxy server layer 421 and
`include a varicty of different application programs 68
`the SMTP proxy server layer 422 have been shownin FIG.
`including but not limited to computer drawing programs,
`4 as being their own layer to demonstrate the coupling
`word processing programs, and spreadsheet programs. The
`€llects
`they provide between thefile transfer layer 423 and
`present invention is particularly advantageousoverthe prior a9
`file transfer protocol 417, and the electronic mail layer 424
`because it minimizes the impact of virus detection and
`and the SMTPprotocol layer 418, those skilled in the art will
`elimination since the FTP proxy server 60 and SMTP proxy
`realize that the FTP proxy server layer 421 and the SMTP
`server 62 are preferably only included orinstalled in the
`proxy server layer 422 can also be correctly viewed as being
`memory 44 of the gateway nodes 33. Thus,all data being
`transferred inside the protected domain of a given network ,, part of the file transfer protocol layer 417 and the SMTP
`will not be checked because the data packets might not be
`protocol layer 418, respectively, because they are invisible
`routed via the gateway node 33.
`or transparent to the application layer 406.
`While the apparatus of the present invention, in particular
`A preferred method of operation and an embodiment for
`the FIP proxy server 60 and SMTP proxy server 62, has
`the FTP proxy server 60 will be described focusing onits
`been described above as being located and preferably is 39
`relationship to andits control of the gateway node 33, and
`located on the gateway node 33, those skilled in the art will
`thus, control over access to the medium, line 34, for con-
`realize that the apparatusof the present invention could also
`nections to other networks. The method can best be under-
`be included on a FTP server or a world wide webserver for
`stood with reference to FIGS. 5A and 5B,that graphically
`scanning files and messages as they are downloaded from
`show the functions performed by an Internet daemon 70, the
`the web. Furthermore,
`in an alternate embodiment,
`the 3; FIP proxy server 60, and an FIP daemon78, each of which
`apparatus of the present invention may be included in each
`resides on the gateway note 33. In FIGS. 5A and 5B,like
`node of a network for performing virus detection on all
`reference numbers have been used for like parts and the
`messages received or transmitted from that node.
`figures are different only in the direction in whichthefile is
`As best shown in FIG. 4, the CPU 42 also utilizes a
`being transferred (either from client task 72 to server task 82
`protocol layer hierarchy to communicate over the network. 40 or from server task 82 to client task 72), For the sake of
`The protocollayers of the hierarchy of the present invention
`clarity and ease of understanding only the data ports are
`are shown in FIG.4 in comparison to the ISO-OSIreference
`shown in FIGS. 5A and 5B, and the bi-directional lines
`model, for example. The protocol layers 410-426 of the
` _Tepresent commandorcontrol pathways and are assumed to
`hierarchy of the present invention are similar to the prior art
`include a commandport althoughit is not explicitly shown.
`protocollayers for the lower four layers 400-403 including: 45 The operation FTP proxy server 60 will now be described
`(1) a physical layer 400 formed ofthe transmission media
410; (2) a data link layer 401 formed of the network interface cards 411; (3) a network layer 402 formed of address resolution 412, Internet protocol 413 and Internet control message protocol 414; and (4) a transport layer 403 formed of the transmission control protocol 415 and a user datagram protocol 416. Corresponding to the presentation 405 and session 404 layers, the protocol hierarchy of the present invention provides four methods of communication: a file transfer protocol 417, a simple mail transfer protocol 419, a TELNET protocol 419 and a simple network management protocol 420. There are corresponding components on the application layer 406 to handle file transfer 423, electronic mail 424, terminal emulation 425, and network management 426. The present invention advantageously detects, controls and eliminates viruses by providing an additional layer between the application layer 406 and the presentation layer 405 for the gateway nodes 33. In particular, according to the hierarchy of the present invention, a FTP proxy server layer 421 and a SMTP proxy server layer 422 are provided. These layers 421, 422 operate in conjunction with the file transfer layer 423 and file transfer protocol

with reference to a file transfer between a client task 72 (requesting machine) and a server task 82 (supplying machine). While it is assumed that the client task 72 (requesting machine) is inside a protected domain and the server task 82 (supplying machine) is outside the protected domain, the invention described below is also used by the gateway node 33 when the client task 72 (requesting machine) is outside the protected domain and the server task 82 (supplying machine) is inside the protected domain.

FIGS. 6A-6C are a flowchart of a preferred method for performing file transfers from a controlled domain of a network across a medium 34 to another network (e.g., a file transfer from a node 32 of the second network 24 across the media 34 to a second node 32 of the third network 26). The method begins with step 600 with the client node sending a connection request over the network to the gateway node 33. In step 602, the gateway node 33 preferably has an operating system 64 as described above, and part of the operating system 64 includes a fire wall, or program including routines for authenticating users. Once the request is received, the gateway node 33 first tries to authenticate the user and decide whether to allow the connections requested. This is
CS-1012
Cisco Systems, Inc. v. Finjan, Inc.
Page 16
done in a conventional manner typically available as part of UNIX. The Internet daemon 70 creates an instance of the FTP proxy server 60 and passes the connection to the FTP proxy server 60 for servicing in step 602. The Internet daemon 70 is a program that is part of the operating system 64, and it runs in the background. When being run, one of the functions of the Internet daemon 70 is to bind socket ports for many well-known services, such as TELNET, login, and FTP. When a connect request is detected, the Internet daemon 70 constructed in accordance with the present invention spawns the FTP proxy server 60, which is the server that will actually handle the data transfer. Thereafter, the FTP proxy server 60 controls the network traffic passing between the client task 72 and the server task 82. Then in step 604, the client node sends a data transfer request and file name, and establishes a first data port 76 through which the data will be transferred between the FTP proxy server 60 and the client task 72. In step 606 the data transfer request and file name are received by the FTP proxy server 60. In step 608, the FTP proxy server 60 determines whether the data is being transferred in an outbound direction (e.g., the file is being transferred from the client task 72 to the
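The following is an added example, not code from the patent or from Trend Micro: it shows the control-channel parsing an FTP proxy of the kind described in steps 604-608 would perform, recovering the client's data port from a PORT command and mapping STOR/RETR to a transfer direction so the proxy knows which side's data to buffer and scan before forwarding it. The function names and the sample session are hypothetical.

```python
# Added example (not the patent's code): control-channel decisions an FTP proxy
# makes in steps 604-608 above. Function names are hypothetical.
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_port_command(line):
    """Decode the client's data port (the 'first data port 76' of step 604)
    from a PORT h1,h2,h3,h4,p1,p2 line; None if malformed or a field > 255."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

@dataclass(frozen=True)
class TransferDecision:
    filename: str
    direction: str      # "outbound": client -> server, "inbound": server -> client
    receive_from: str   # side whose data the proxy buffers and scans first
    deliver_to: str     # side that receives the file only if the scan is clean

def classify_transfer(command_line):
    """Steps 606/608: take the data transfer request and file name and decide
    the direction, hence which socket the proxy reads before forwarding."""
    parts = command_line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0].upper() not in ("STOR", "RETR"):
        return None          # not a transfer command (e.g. USER, PORT, LIST)
    verb, filename = parts[0].upper(), parts[1]
    if verb == "STOR":       # client uploads: outbound from the requesting machine
        return TransferDecision(filename, "outbound", "client", "server")
    return TransferDecision(filename, "inbound", "server", "client")

def walk_control_session(lines):
    """Replay a whole control-channel exchange and collect the proxy's decisions."""
    data_port, decisions = None, []
    for line in lines:
        port = parse_port_command(line)
        if port:
            data_port = port
        d = classify_transfer(line)
        if d:
            decisions.append(d)
    return data_port, decisions

# Constructed sample session, as the client task 72 might send it.
SAMPLE_SESSION = ["USER alice", "PORT 10,0,0,5,4,1", "STOR report.doc", "RETR update.exe"]
```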
