US006195587B1
`(io) Patent No.:
`a2) United States Patent
`US 6,195,587 B1
`Hruskaetal.
`(45) Date of Patent:
`Feb. 27, 2001
`
`
`(54) VALIDITY CHECKING
`
`(75)
`
`Inventors: Jan Hruska, Tubney; Peter Lammer,
`Abingdon, both of (GB)
`
`(73) Assignee: Sophos PLC (GB)
`
`(*) Notice:
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 0 days.
`
`(21) Appl. No.: 08/234,239
`:
`Apr. 28, 1994
`Filed:
`(22)
`Foreign Application Priority Data
`(30)
`Oct. 29, 1993
`(GB)
`cescsssssscsessscsssscecsssneessssssnsnsnnssesees 9927092
`CSE
`STEEN? scescscccscscsneccazapeneancceccstuescamara G05B 19/18
`(52) US. Ce cescccccscscccsscccsssccerrecee 700/2; 713/201; 713/187
`(58)
`Field of Search oo... 380/3,
`4, 25: 700/2;
`713/200, 201, 187; 714/812
`select
`
`(56)
`
`References Cited
`
`U.S, PATENT DOCUMENTS
`4,845,715 *
`F/19BO Francisco cascssscscscsecsseseaneversass 371/53
`§,050,213 * O/L991 Shear
`cocceccceccceeeseseeeeeseeeeee 380/25
`
`4/1992 Waite et al. wccccsccceesssessnen 380/4
`$5,103,476 *
`5.121345 * 6/902 Lentz ceaccacacususecn 364/550
`SBATSTS © G{19D4 DURDUTY sncercscerroncsnsescersencserenss: 380/3
`5,359,659 * 10/1994 Rosenthal
`.....cccccseecsescsneenene 380/4
`
`FOREIGN PATENT DOCUMENTS
`
`(EP).
`«3/1991
`0449242
`1/1993 (WO).
`WO9301550
`11/1993 (WO) .
`9322723
`* cited by examiner
`
`Primary Examiner—William Grant
`Assistant Examiner—Sheela S. Rao
`(74) Attorney, Agent, or Firm—Greer, Burns & Crain, Ltd.
`(57)
`ABSTRACT
`yseunaer ane appabetin ie olweking thecvialaity OE an HER
`of data stored for access by a first data processor of a data
`processing network having at least two interconnected data
`processors. The first data processor provides a second data
`processor with a copy ofan item ofdata and the second data
`processor determines whetherthe item of data is valid. The
`second data processor then reports tothe first data processor
`on the validity of the item of data so that the first data
`processor can prevent access to any invalid data.
`
`14 Claims, 5 Drawing Sheets
`
`
`
`CALCULATE A CRYPTOGRAPHIC
`CHECKSUM FOR THE ITEM.
`
`
`
`
`
`1S THE
`CHECKSUM THAT OF A
`PREVIOUSLY CHECKED
`(TEM?
`
`
`
` COPY THE (TEM 10 A CENTRAL SERVER
`
`WHERE |7 WILL BE SCANNED FOR DATA
`
`OF CHARACTERISTIC FORMS. WAIT FOR
`A REPLY
`
`
`
`
`
`THE
`ITEM
`
`STORE THE
`CONTAIN DATA OF
`CHECKSUM
`
`A CHARACTERISTI
`ORM?
`
`.--..--.-------—__
`
`ALLOW ACCESS
`TO THE ITEM
`
`
`
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 1
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 1
`
`

`

`U.S. Patent
`
`Feb. 27, 2001
`
`Sheet 1 of5
`
`US 6,195,587 B1
`
`\ ©
`
`ic
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 2
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 2
`
`

`

`U.S. Patent
`
`Feb. 27, 2001
`
`Sheet 2 of 5
`
`US 6,195,587 B1
`
`We?Old
`
`‘W4llHLY04WASNIAH)
`
`
`
`IHdVYSOLdAYIVALVINITVIaL
`
`
`G4XIJAHI
`
` AISNOIAIYdV40LVHLWNSX33H9=AHLSI
`
`LL
`
`éWIL!
`
`VIVOY04GINNVIS48111MLlJYIHM
`
`
`
`AldidVYOFLIVMSWYO4JILSIMALIVYVHI40
`
`
`
`YIAUISTYINGVOLWALIFHLAdOd7ON
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 3
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 3
`
`
`
`
`

`

`U.S. Patent
`
`Feb. 27, 2001
`
`4HLAOL
`
`WASHIIHI
`
`W411dH
`
`$400
`
`40VIVONIVINOD
`
`—-
`—_—
`
`Sheet 3 of 5
`
`US 6,195,587 B1
`
`cl
`
`$$493VMO11V
`
`JHLOL
`
` WAL!
`
`
`
`W311FHLOLSS3IIVJ18VSI0
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 4
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 4
`
`
`
`
`

`

`U.S. Patent
`
`Feb. 27, 2001
`
`Sheet 4 of 5
`
`US 6,195,587 B1
`
`
`
`02WNSYISHIJLVINIIWVI
`
`"eOld
`
`
`
`JILSTYSLIVYVHSSNIVINOS
`
`éV1V0
`
`WLI
`
`
`
`WASHISH9JH!
`
`AISNOIASYdV40LVHL
`
`Q3STYOHIAV
`
`éWll
`
`SILZ
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 5
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 5
`
`
`
`
`

`

`U.S. Patent
`
`Feb. 27, 2001
`
`Sheet 5 of 5
`
`US 6,195,587 B1
`
`as
`
`WNSHIIHI
`
`éYOSIAYAdNS
`
`A@O3SIYOHLNY
`
`LZ
`
`
`
`JOVSSIWONVWALISSVd
`
`YOSIAYAdNSOL
`
`92
`
`
`xJOVSSIW09195130
`I9VSSIW,05193130
`
`VIVOONAlVY3NI9
`
`
`
`VIVO,UIVYINI
`
`12
`
`Wil!
`
`3401SGE9/4
`
`W311FHLOLSS399V
`
`WLIFHL01SS499V
`
`INIMOTIV39VSSIWNYNLAY
`
`
`
`INSAIYdOLINVSSIWNUNLIY97
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 6
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 6
`
`
`
`
`
`
`

`

`US 6,195,587 B1
`
`1
`VALIDITY CHECKING
`
`BACKGROUNDOF THE INVENTION
`
`The present invention relates to a method and apparatus
`for checking the validity of data in a data processing
`network, for example for checking whetherthe data contains
`viruses or other unwanted data or whether it has been
`
`Preferably, the second data processor reports to the first
`data processor on the validity (or invalidity) of the item of
`data.
`
`Preferably, information defining a plurality of character-
`istic forms of data to be tested for is stored by, or for access
`by, the second data processor, and the second data processor
`tests for the presence of such characteristic forms in an item
`of data by testing for the presence of data of any of the
`characteristic forms in the item.
`
`20
`
`2
`only by the second data processor. When new characteristics
`are to be added only a single storage means (to which the
`second data processor has access) needs to be updated.
`Where the network includes further data processors equiva-
`lent to the first data processor these can preferably also cause
`any item of data stored for access by them whosevalidity is
`to be checked to be copied to the seconddata processor. The
`authorised for or barred from use in the network or a part of
`first data processor and any data processors equivalent to it
`IL.
`preferably do not store or normally have accesstoalist of
`In general, data of a computerfile or disk sector (such as
`information defining any characteristic forms ofdata to be
`tested for.
`a computer program) can be checkedfor unwanteddata, or
`information indicating whether the file has been authorized
`for or barred from use, by the file being searched for data of
`a predetermined form. This form may comprise predeter-
`mined characteristics such as the presence of certain infor-
`mation anywhere in the file, possibly in any order, or at a
`certain location in the file, possibly in combination with
`other such data. For instance, computer viruses are stored in
`the data of a computerfile as a set ofvirus data which can
`serve as instructions for the virus to operate. A file can be
`checked for known viruses by a virus detection procedure
`which searches the file for characteristics that are known to
`be indicative of each virus. As the number of known viruses
`to be checked for increases (around 3000 are currently
`known) the amount of storage capacity needed to store
`information defining the characteristics of all
`the known
`viruses increases too.
`
`The item of data may suitably be a file or program to be
`accessed, for example by being loaded or executed, by the
`first data processor. The item of data preferably comprises a
`sequence of executable instructions.
`Preferably, the first data processor intercepts commands
`to access an item ofdata and in response to such a command
`being detected causes the validity of the item of data to be
`In a computer network of workstations andafile server it
`checked. Preferably, the first data processor prevents access
`is conventional for each workstation to itself check on the
`to the item of data, for example by a user of the first data
`validity of the data held by it. However, this means that
`processor, unless or until the item has been foundto be valid,
`every workstation must use a portion of its storage capacity
`i.e. free of unwanted data of the characteristic form(s) or of
`to store information defining all the characteristic forms to
`data indicating that the item has been barred from use. To
`be searched for. In total this requires a large amount of
`achievethis, the first data processor suitably includes means
`storage capacity, and as more characteristic forms come to
`for detecting a command to access an item of data, to allow
`be searchedfor, for example as new virusesare identified, it
`it to intercept that command and ensurethat the item is valid
`may becomeinfeasible for workstations to carry out search-
`before it is accessed. Preferably the first data processor may
`ing themselves because of the limitations oftheir operating
`allow a user ofthe first data processorto force the system to
`systems. Also, each workstation must be updated individu-
`check the validity of any orall items of data stored for access
`ally to include new characteristics. This is inconvenient
`by the first data processor, Preferably, the first data processor
`where there is a large number of workstations.
`is configured to, on receipt of a report from the second data
`WO 93/01550 discloses a system for controlling the use
`processor on whether data of the characteristic form(s) has
`of a licensed product, in which in order to determine whether
`been found in the item, prevent or deny access to an item of
`access can be madetoa licensed product stored for access
`data that has been found to contain data of the characteristic
`by a licensee’s data processor a licence datagram is copied
`forms, and/or to allow access to an item of data that has been
`to a licensor’s data processor which returns a reply message.
`found not
`to contain such data. Thus access may be pre-
`The licence datagram contains different data from the
`vented to items that contain unwanted data such as viruses
`licensed product.
`or which have been barred from use.
`SUMMARY OF THE INVENTION
`
`40
`
`According to a first aspect of the present invention there
`is provided a method for checking the validity of an item of
`data stored for access by a first data processor of a data
`processing network comprising at least two interconnected
`data processors, the method comprising the steps of: the first
`data processor causing the item of data to be copied to the
`second data processor; and the second data processor deter-
`mining whether data of a characteristic form indicative of
`validity or invalidity of the item is present in the item and
`reporting to the first data processor on the validity of the
`item. Preferably, the first data processor is a workstation of
`the network. Preferably, the second data processor is a file
`server of the network. The data of a characteristic form is
`suitably indicative of the invalidity of the item of data, for
`example indicating a virus or other unwanted data or indi-
`cating that the item has been barred from use.
`In a system of this type information defining the charac-
`teristic form(s) to be tested for needs to be stored for access
`
`60
`
`Preferably, the characteristic forms of data may include
`forms of data indicative ofthe validity of the item of data,
`for example indicating whetherthe item has been authorized
`for use. The first data processor may then prevent or deny
`access to any item that does not include such data and/or
`allow access only to items that do include such data.
`Preferably, the first data processor stores or has access to
`a set of records, each characteristic of an item of data that
`has been found to be valid, and the method comprises the
`steps of: generating a record characteristic of an item ofdata
`whose validity is to be checked; searching for that record in
`the set of records; and causing the item of data to be copied
`to the second data processor only if the record is not found
`in the set of records. Preferably,
`the first data processor
`includes storage meansfor storing the set of records and/or
`processing means for generating records and comparing
`them with the contents of the set of records. Preferably, in
`response to the second data processor reporting that an item
`of data its valid the record that is characteristic of that item
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 7
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 7
`
`

`

`US 6,195,587 B1
`
`3
`of data is added to the set of records. Each record is
`preferably a checksum calculatedfor the corresponding item
`of data.
`
`According to the present invention from a second aspect
`there is provided a data processing system comprising a
`plurality ofdata processors interconnected as a network, and
`comprising: meansin a first data processor of the network
`(preferably a workstation) for causing an item of data to be
`copied to a second data processor of the network (preferably
`a file server); means in the second data processor for testing
`for the presence, in the item, ofdata indicative of the validity
`or
`invalidity of the item and on the basis of that
`test
`generating a validity signal indicative of the validity ofthe
`item; and means for transmitting the validity signal to the
`first data processor.
`The second data processor preferably reports or transmits
`the validity signal to the first data processor in the form of
`a report message, file or packet. The second data processor
`may suitably scan periodically to determine whether it has
`received an item of data for testing; alternatively the first
`data processor may transmit a signal, for example as a
`packet, to the second data processor informing it that it has
`sent an item ofdata for testing.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`The present invention will now be described by way of
`example with reference to the accompanying drawings, in
`which:
`
`FIG. 1 shows schematically a typical data processing
`system for use with the present invention;
`FIGS. 2@ and 2b are a flow diagram illustrating one
`embodiment of the present invention; and
`FIGS. 3a and 36 are a flow diagram illustrating another
`embodiment ofthe present invention.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`FIG, 1 showsa data processing system in the form of a
`network including data processors configured as a file server
`1 and workstations 2@, 2b and 2c. The general architecture
`of the network is conventional, for example with IBM
`PC-type or Apple Macintosh workstations and a VAX/VMS,
`Novell or OS2 file server. Each workstation can store data
`files and execute programs. Thefile server 1 includes storage
`means 3 for storing data, data processing means 4 and
`communication means 5 for communication with the work-
`
`station. The workstation 2a includes storage means 6, data
`processing means 7 and communication means 8 for com-
`munication with the file server. Each other workstation
`includes equivalent components. The storage means of each
`workstation may be located remotely of the rest of the
`workstation, for example at the file server.
`When the validity of a file, for example a sequence of
`executable instructions such as a program, or in general an
`item of data, that is stored for access by or about to be
`executed at a workstation needs to be checked, the file is
`copied to the file server, which tests for the presence of data
`of a characteristic form in the file and returns a report
`message, or in general a signal, indicating whether thefile
`contains such data or whether the file in valid or invalid.
`
`In more detail, each workstation is configured to detect
`when there is a need for the validity of a file to be checked,
`by intercepting commandsto access, for example by loading
`or executing, any file on the workstation and immediately
`preventing access to that
`file until
`its validity has been
`
`20
`
`oeun
`
`40
`
`60
`
`4
`checked and the file found to be valid. The workstation may
`be configured only to intercept commandsto access certain
`“protected” items, such as programs and bootsectors.
`The procedure shown in FIGS, 2a and 2b is executedto
`check the validity of a file. First, the workstation carries out
`a preliminary procedure to find whether the file has previ-
`ously been checked and found to be valid, to avoid a need
`to carry out the full validity-checking procedure more than
`once for each file. The workstation calculates (box 10 in
`FIG. 2a) a cryptographic checksum that is characteristic of
`the file that is to be checked. This may suitably be done
`using a standard ANSI X9.9 or [SO 8731 part 2 procedure
`to calculate a 32 or 64 bit checksum. This checksum is
`searched forin a list to which the workstation has access of
`checksumsoffiles that have already been checked and have
`been found to be valid (box 11). This list may be stored in
`the storage means of the workstation or by the file server as
`a network service. If the checksum of the file under test is
`found in the list, then it is assumed thatthe file is valid, and
`accesstothe file is allowed (box 12). If the checksum of the
`file undertest is not found in thelist, then the file is copied
`to the file server (box 13), to be tested directly for validity.
`The steps carried out by the file server are indicated
`generally by box 14 in FIG. 2b. Information defining the
`characteristic forms of data indicativeof the file’s validity or
`invalidity is stored at
`the file server. These characteristic
`forms may indicate whetherthe file contains unwanted data,
`such as a virus, or whether it has been authorized for or
`barred from use. For a virus, for example, the characteristics
`may indicate the form ofdata characteristic ofthe virus such
`as instructions found at the start of the file (typically “jump”
`instructions) or elsewherein the file, which for some viruses
`may appear in any sequence. When the file server receives
`a copy ofa file that it is to test for the presence ofdata of
`the characteristic forms, it scans the file (box 15) to find
`whether any data of the characteristic forms is present in the
`file and returns a report message to the workstation that sent
`the file for checking,
`indicating whether such data was
`found. Ifthe file serveris to test for datain the file indicating
`that the file has been authorized for use, then (notillustrated
`in FIG, 2a) its report message to the workstation must also
`define whether the data that was found is indicative of
`
`validity or invalidity. Alternatively, the report message may
`report directly on whether the file is valid or invalid.
`If the report message indicates that
`the file is free of
`unwanted data or data indicative of barring and/or (where
`implemented) that the file contains data indicative of autho-
`rization (i.e. the message indicatesthat thefile is valid), then
`the workstation adds the checksum of the file to its list of
`checksumsof valid files (box 16), and it allows access to the
`file. Otherwise, if the report message indicates that the file
`is invalid, then the workstation informs the user (box 17), for
`example by displaying a message, and prevents access to the
`file (box 18).
`Alternatively, an operator of the workstation can instruct
`the validity of any or all files stored for access by the
`workstation to be checked, to authenticate the stored files,
`This authentication may be carried out omitting the step of
`testing the file’s checksum against the stored list (box 11), so
`as to ensure that each file is tested directly by the file server
`for the presence of data of the characteristic forms.
`The system may also be configured to require that, in
`addition to being checked for data indicating that the file is
`validor invalid,any file that is introduced to the system must
`be known to the system as having been authorized by a
`network supervisor before it can be accessed. One way of
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 8
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 8
`
`

`

`US 6,195,587 B1
`
`6
`The system may operate by workstations communicating
`with each other or the file server via intermediate networks.
`
`20
`
`40
`
`5
`achieving this is the procedure shown in FIGS. 3a and b,
`which may be followed when a file has been copied to the
`file server for testing. The file server calculates a checksum
`Instead ofthe file server testing for the presence of data
`for the file (box 20) and searchesfor it in a list stored by the
`of the characteristic forms this function may be performed
`file server of checksums of files that have already been
`by a selected workstation of the network.
`authorized by the supervisor for use (box 21). If the check-
`While the invention has been particularly shown and
`sum is found in the list then a report message is returned to
`described with reference to a preferred embodiment thereof
`the relevant workstation, indicating that the file can be used
`it will be understood by those skilled in the art that various
`(box 22). This might happen if another workstation has
`changes in form and details may be made without departing
`previously passedthe file to the file server for testing. If the
`from the spirit and scope of the invention.
`checksum is not found, then thefile is tested for the presence
`What is claimed is:
`of data of the characteristic forms in the way described
`1. A method for checking the validity of an item of data
`above (boxes 23 to 25) and is sent to the network supervisor
`(box 26) together with a message reporting on the file’s
`stored for access byafirst data processor of a data process-
`validity. If the file is then authorized by the supervisor, its
`ing network comprising at least
`two interconnected data
`checksum as calculated by the file server is added tothefile
`processors, the method comprising the steps of:
`server's list of checksumsof authorized files (box 27) and a
`storing for access by a second data processor a plurality
`report message is returnedto the relevant workstation indi-
`ofdefinitions of forms of data indicative of invalidity of
`cating that access to the file can be allowed (box 22). If the
`items ofdata;
`file is not authorized by the supervisor, then its checksum is
`causing the first data processor to provide the seconddata
`not added to the list and a report message is returned to the
`processor with a copy ofthe item of data;
`relevant workstation indicating that the file is not
`to be
`accessed (box 28). This procedure may be used in addition
`determining, using the second data processor, whether
`to the inclusionin files of data indicating whether the file has
`any of the stored forms of data are present in the item
`been authorized or barred from use (notillustrated in FIGS.
`of data and declaring the item of data invalid if any of
`3a or 3b).
`the stored formsof data are present in the item of data;
`Since according to the system described above only one
`reporting to the first data processor on the validity of the
`list of information defining the characteristics to be tested
`item of data; and
`for needsto be stored-bythe file server, only one copy ofthe
`causing the first data processor to prevent access to the
`list needs to be altered when the system is to be updated.
`item of data if the item ofdata is declared as invalid.
`This is more convenient than prior systems in which copies
`2. A method as claimed in claim 1, wherein a set of
`held by every workstation must be altered. As more char-
`records, each characteristic of an item of data that has been
`acteristic forms come to be searched for, for example as new
`found to be valid,
`is stored for access by the first data
`viruses are identified,
`file servers (typically having more
`processor and the method comprises the steps of:
`powerful operating systems than workstations) will remain
`generating a record which is characteristic of the item of
`capable of testing for characteristic forms. Also, if a single
`data whose validity is to be checked;
`list of checksums of valid files is stored for access by all
`workstations then action to check a file for characteristic
`searching for the record in the set of records; and
`causing the item ofdata to be copied to the second data
`data is needed only when the file is first accessed by any
`workstation, not each time each workstation accesses it for
`processor only if the record is not foundin the set of
`records.
`the first time.
`3. Amethodas claimed in claim 2, wherein in response to
`the second data processor reporting that the item of data is
`valid the record that is characteristic of the item ofdata is
`
`Two methods by which a file may be transferred to the file
`server and the report message returned to the workstation
`will now be described. According to the first method the
`workstation copies the file to be tested (in an encrypted
`form), together with data identifying the workstation, to the
`file server as a file of a randomly-chosen name having a
`predetermined format (for example, having a predetermined
`file extension). The file server is configured to scan periodi-
`cally for such files and when one is foundit is decrypted by
`the file server and tested for the presence of data of the
`characteristic forms. The file server returns the response
`message to the workstation identified in the received file by
`generating a response file, containing the response message,
`for transmission to the workstation. The name of the
`
`added to the set of records stored for access by the first data
`processor.
`4. A method as claimed in claim 1, wherein the first data
`processor in response to a command to access the item of
`data causes the item of data to be checked for the presence
`of any ofthe stored forms of data.
`5. A method as claimed in claim 1, wherein the first data
`processor prevents access to the item of data unless oruntil
`it has been found to be valid.
`6. A method as claimed in claim 1, wherein the item of
`data comprises a sequence of executable instructions.
`7. Amethod as claimed in claim 1, wherein the first data
`response file is generated as a function of the name ofthe
`processor is a workstation.
`corresponding file transmitted by the workstation, so that
`8. A method as claimed in claim 1, wherein the second
`where several workstations have sent files for checking each
`data processor is a file server.
`can identify the file containing the response to its request for
`9. Adata processing system comprising a plurality of data
`checking.
`60
`processors interconnected as a network, and comprising:
`According to the second method, the transmission offiles
`means inafirst data processor of the network for provid-
`may rely on network packets. The file to be tested is copied
`to the file server as described above but instead of the file
`ing a second data processor of the network with a copy
`of an item of data whichis storedfor access bythefirst
`data processor;
`storage means for access by the second data processor for
`storing a set of information defining data ofa plurality
`of characteristic forms that are indicative of invalidity.
`
`server scanning periodically for files to be tested, the trans-
`mitting workstation sends a packet message tothe file server
`informingit that it has sent a file to be tested. When this is
`received, the file servertests the file. The report message is
`returned to the transmitting workstation as a packet.
`
`65
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 9
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 9
`
`

`

`US 6,195,587 B1
`
`7
`means in the second data processor for testing for the
`presence of data of any of the characteristic forms, in
`the item of data, and generating a validity signal
`indicative of whether data of any of the characteristic
`forms has been detected in the item of data; and
`
`means for transmitting the validity signal to the first data
`processorto indicate whetherit may allow accessto the
`item of data.
`
`10. A data processing system as claimed in claim 9,
`wherein the first data processor has no access to the set of
`information defining data of the characteristic forms.
`li. A data processing system as claimed in claim 9,
`wherein the first data processor includes meansfor accepting
`a command to check for the presence of data of the char-
`
`10
`
`8
`acteristic form(s) in the item ofdata and, in response to such
`a command, checking for the presence of such data in the
`item.
`
`12. A data processing system as claimed in claim 9,
`comprising at least three data processors connected as a
`network and means for causing the item of data to be copied
`to the said second data processor from any other data
`processor of the network for testing for the presence of data
`of the characteristic form(s) in the item.
`13. A data processing system as claimed in claim 9,
`wherein the first data processor is a workstation.
`14. A data processing system as claimed in claim 9,
`wherein the second data processoris a file server.
`Eo
`*
`*
`*
`*
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 10
`
`CS-1016
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 10
`
`