United States Patent [19]                       [11] Patent Number: 5,623,600
Ji et al.                                       [45] Date of Patent: Apr. 22, 1997

[54] VIRUS DETECTION AND REMOVAL APPARATUS FOR COMPUTER NETWORKS

[75] Inventors: Shuang Ji, Foster City; Eva Chen, Cupertino, both of Calif.
[73] Assignee: Trend Micro, Incorporated, Cupertino, Calif.
[21] Appl. No.: 533,306
[22] Filed: Sep. 26, 1995
[51] Int. Cl.6: G06F 11/34
[52] U.S. Cl.: 395/187.01; 364/286.4; 364/916.1
[58] Field of Search: 395/200.05; 380/4; 364/235.1, 236.4

[56] References Cited

U.S. PATENT DOCUMENTS
4,975,950   12/1990   Lentz
5,319,776    6/1994   Hile et al.
5,414,833    5/1995   Hershey et al.
5,440,723    8/1995   Arnold et al.
5,444,850    8/1995   Chang
5,448,668    9/1995   Perelson et al.
5,452,442    9/1995   Kephart
5,485,575    1/1996   Chess et al.
5,491,791    2/1996   Glowny et al.
5,511,163    4/1996   Lerche et al.

FOREIGN PATENT DOCUMENTS
666671       8/1995   European Pat. Off.   H04L 29/06
6350784      6/1994   Japan                H04L 11/00
9322723     11/1993   WIPO                 G06F 11/00

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Albert Decady
Attorney, Agent, or Firm: Christopher M. Tobin; Greg T. Sueoka

[57] ABSTRACT

A system for detecting and eliminating viruses on a computer network includes a File Transfer Protocol (FTP) proxy server for controlling the transfer of files and a Simple Mail Transfer Protocol (SMTP) proxy server for controlling the transfer of mail messages through the system. The FTP proxy server and SMTP proxy server run concurrently with the normal operation of the system and operate in a manner such that viruses transmitted to or from the network in files and messages are detected before transfer into or from the system. The FTP proxy server and SMTP proxy server scan all incoming and outgoing files and messages, respectively, before transfer for viruses and then transfer the files and messages only if they do not contain any viruses. A method for processing a file before transmission into or from the network includes the steps of: receiving the data transfer command and file name; transferring the file to a system node; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the system to a recipient node if the file does not contain a virus; and deleting the file if the file contains a virus.

22 Claims, 12 Drawing Sheets
`
`
`
CS-1012
Cisco Systems, Inc. v. Finjan, Inc.
Page 1
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 1 of 12          5,623,600

[FIG. 1 (Prior Art): block diagram of a prior art information system. The only legible label on the sheet is "Telephone Line or Network Link".]
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 2 of 12          5,623,600

[FIG. 2: block diagram of the gateway node. The box labels on this sheet are not recoverable from the scan; the components are named in the specification (display device 40, CPU 42, memory 44, data storage device 46, input device 50, network link 52, communications unit 54, bus 56).]
`
`
`
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 3 of 12          5,623,600

[FIG. 3: block diagram of the memory of the gateway node. Legible labels: Operating System; Kernel (66); Application Programs (68).]
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 4 of 12          5,623,600

FIG. 4: protocol layer hierarchy of the invention compared with the OSI layer model (reference numerals as used in the specification).

OSI Layer              Protocol / Implementation
Application 406        File Transfer 423; Electronic Mail 424; Terminal Emulation 425; Network Management 426
(added layer)          FTP Proxy Server 421; SMTP Proxy Server 422
Presentation 405 /     File Transfer Protocol (FTP) 417; Simple Mail Transfer Protocol (SMTP) 418;
Session 404            TELNET Protocol 419; Simple Network Management Protocol (SNMP) 420
Transport 403          Transmission Control Protocol (TCP) 415; User Datagram Protocol (UDP) 416
Network 402            Address Resolution 412; Internet Protocol (IP) 413; Internet Control Message Protocol (ICMP) 414
Data Link 401          Network Interface Cards 411: Ethernet, StarLAN, token ring
Physical 400           Transmission media 410: twisted pair, coax or fiber optics
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 5 of 12          5,623,600

[FIG. 5A: functional block diagram of the system for sending data files. The labels on this sheet are not recoverable from the scan.]
`
`
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 6 of 12          5,623,600

[FIG. 5B: functional block diagram of the system for receiving data files. The labels on this sheet are not recoverable from the scan.]
`
`
`
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 7 of 12          5,623,600

FIG. 6A (flowchart; continues in FIG. 6B for outbound and FIG. 6C for inbound transfers)

  600  Client node sends connection request
  602  Internet daemon creates an instance of the FTP proxy server and passes the connection to the FTP proxy server
  604  Client node sends data transfer request and file name, and establishes a data port
  606  Data transfer request and file name received by FTP proxy server
  608  Is data being transferred in an outbound direction?  Yes: go to FIG. 6B.  No: go to FIG. 6C.
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 8 of 12          5,623,600

FIG. 6B (flowchart, outbound transfer, steps 610-628)

  610  Is the file of a type that can contain viruses?  No: go to step 626.  Yes: continue.
  612  Transfer file from client to FTP proxy server through port
  614  Store file temporarily at gateway
  616  Analyze temporarily stored file for viruses
  618  Send any virus detection messages from FTP proxy server to client as a reply
  620  Does file contain any viruses?  No: go to step 626.  Yes: continue.
  622  Determine configuration settings
  624  Transfer file anyway?  Yes: go to step 626.  No: go to step 628.
  626  Send request and file to FTP daemon for transfer to server; then End
  628  Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file; then End
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 9 of 12          5,623,600

FIG. 6C (flowchart, inbound transfer, steps 640-662)

  640  Send data transfer request and file name to FTP daemon and then to server
  642  Establish a second port between FTP daemon and server
  644  Send file from server to the FTP daemon and then to FTP proxy server
  646  Is the file of a type that can contain viruses?  No: go to step 660.  Yes: continue.
  648  Store file temporarily at gateway
  650  Analyze temporarily stored file for viruses
  652  Send any virus detection messages from FTP proxy server to client as a reply
  654  Does file contain any viruses?  No: go to step 660.  Yes: continue.
  656  Retrieve configuration file
  658  Transfer file anyway?  Yes: go to step 660.  No: go to step 662.
  660  Transfer file from FTP proxy server to client through port; then End
  662  Delete file or store renamed file at gateway node depending on configuration setting, and erase temporary file; then End
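The decision logic of FIGS. 6A-6C, written out as an added example (this is not code from the patent or from Trend Micro): the type check of steps 610/646, the temporary copy of 614/648, the scan of 616/650, the reply to the client of 618/652, and the configured handling of an infected file in 622-628 and 656-662. The extension list, the signature patterns, the configuration fields and the reply strings are assumptions made for the example, and it goes one step past the figure: because an extension check is defeated by renaming the file, a payload is also treated as scannable when it starts with a known executable or archive header. No network I/O is performed; the transfer itself is modelled by the returned Outcome.

```python
"""Gateway handling of one FTP transfer, modelled on the flow of FIGS. 6A-6C.

Added illustration, not code from the patent.  The extension list, magic-byte
check, signature patterns and configuration fields are assumptions; the byte
strings used as "signatures" are constructed and are not real malware.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed list of types the gateway treats as able to carry a virus (step 610/646).
SCANNABLE_EXTENSIONS = {".exe", ".com", ".dll", ".sys", ".doc", ".xls", ".zip"}
# Beyond the figure: also decide by content, since a renamed file defeats the extension check.
MAGIC_PREFIXES = (b"MZ", b"PK\x03\x04", b"\x7fELF")

# Constructed stand-in for a signature database (not real malware).
SIGNATURES = {"EXAMPLE-A": b"EXAMPLE-VIRUS-A", "EXAMPLE-B": b"EXAMPLE-VIRUS-B"}


@dataclass
class GatewayConfig:
    transfer_anyway: bool = False          # step 624/658
    quarantine_dir: Optional[str] = None   # None: delete; path: keep a renamed copy (step 628/662)


@dataclass
class Outcome:
    delivered: bool                        # True: handed on to the FTP daemon / client (626/660)
    replies: List[str] = field(default_factory=list)
    quarantined_as: Optional[str] = None


def can_contain_virus(filename: str, payload: bytes) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    return ext in SCANNABLE_EXTENSIONS or payload.startswith(MAGIC_PREFIXES)


def scan_file(path: str) -> List[str]:
    """Signature scan of the temporarily stored file (step 616/650)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, sig in SIGNATURES.items() if sig in data]


def handle_transfer(filename: str, payload: bytes, outbound: bool,
                    cfg: GatewayConfig) -> Outcome:
    direction = "outbound" if outbound else "inbound"
    if not can_contain_virus(filename, payload):
        return Outcome(True, [f"150 {direction} {filename}: not a scannable type, passed through"])
    fd, tmp_path = tempfile.mkstemp(prefix="gw-")          # step 614/648
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(payload)
        hits = scan_file(tmp_path)
        if not hits:
            return Outcome(True, [f"150 {direction} {filename}: scanned, no virus found"])
        replies = [f"550 {direction} {filename}: virus detected ({', '.join(hits)})"]  # 618/652
        if cfg.transfer_anyway:                                                  # 624/658
            replies.append("150 transferring anyway per gateway configuration")
            return Outcome(True, replies)
        quarantined = None
        if cfg.quarantine_dir:                                                   # 628/662
            quarantined = os.path.join(cfg.quarantine_dir, filename + ".infected")
            with open(quarantined, "wb") as fh:
                fh.write(payload)
            replies.append(f"550 renamed copy kept at gateway: {quarantined}")
        else:
            replies.append("550 file deleted at gateway")
        return Outcome(False, replies, quarantined)
    finally:
        os.unlink(tmp_path)     # the temporary copy is erased on every path


def run_demo() -> dict:
    """Exercise each branch of the flow on constructed inputs."""
    qdir = tempfile.mkdtemp(prefix="gw-quarantine-")
    return {
        "text_passthrough": handle_transfer("notes.txt", b"plain notes", True, GatewayConfig()),
        "clean_exe": handle_transfer("tool.exe", b"MZ\x90\x00 harmless", False, GatewayConfig()),
        "infected_deleted": handle_transfer("tool.exe", b"MZ\x90\x00EXAMPLE-VIRUS-A", False,
                                            GatewayConfig()),
        "infected_forced": handle_transfer("tool.exe", b"MZ\x90\x00EXAMPLE-VIRUS-A", False,
                                           GatewayConfig(transfer_anyway=True)),
        "renamed_but_binary": handle_transfer("tool.txt", b"MZ\x90\x00EXAMPLE-VIRUS-B", True,
                                              GatewayConfig(quarantine_dir=qdir)),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, outcome.delivered, outcome.replies)
```

The "transfer anyway" setting (steps 624/658) deliberately leaves the decision to gateway configuration, as the figure does; a gateway that forwards a file after telling the client it was infected should at least log the override, which the figure does not show and the example does not add.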
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 10 of 12          5,623,600

[FIG. 7: functional block diagram of the system for transmitting mail messages. The labels on this sheet are not recoverable from the scan.]
`
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 11 of 12          5,623,600

FIG. 8A (flowchart, steps 800-818; continues in FIG. 8B)

  800  Spawn SMTP proxy server
  802  Create a first port for communication between the client and SMTP proxy server
  804  Bind SMTP proxy server to the first port
  806  Spawn SMTP daemon
  808  Create a second port for communication from proxy server to SMTP daemon
  810  Bind SMTP daemon to the second port
  812  Client node requests a connection from the SMTP proxy server
  818  Transmit message from client node to SMTP proxy server
`
`

`

U.S. Patent          Apr. 22, 1997          Sheet 12 of 12          5,623,600

FIG. 8B (flowchart, reference numerals 814-840)

  814  Create a third port for communication from SMTP daemon to server task
  816  Bind server task to the third port
  820  Scan message for encoded portions
  822  Does message include encoded portions?  No: transmit message through second port to SMTP daemon.  Yes: continue.
  824  Store message in temporary file(s)
       Perform virus detection on message
  828  Does message contain any viruses?  No: transmit message through second port to SMTP daemon.  Yes: continue.
       Determine configuration for virus detection handling
       Determine action to be taken if virus detected
       Transmit transformed message and perform determined action on each encoded portion
       Transmit message through second port to SMTP daemon
       Transmit message through third port to client
       End
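The message path of FIGS. 8A-8B, as an added example (not code from the patent or from Trend Micro): step 820 locates the encoded portions of a message, here both MIME parts carried in base64 and uuencoded "begin ... end" blocks embedded in a text body, since both were the common ways of attaching a binary to mail at the time; steps 824-828 decode and scan each portion; the configured action (830-832) is then applied to each infected portion and the transformed message is returned for forwarding (834-840). The signature pattern, the two actions ("replace" substitutes a notice for the portion, "pass" delivers it with a warning header), the header name and the sample message are constructed for the example; nothing is written to a socket.

```python
"""Gateway handling of a mail message, modelled on FIGS. 8A-8B.

Added illustration, not code from the patent.  The signature set, the two
actions, the warning header name and the sample message are constructed;
the byte string used as a "signature" is not real malware.
"""
import base64
import binascii
from email import message_from_bytes
from email.policy import default as MAIL_POLICY
from typing import Iterator, List, Tuple

SIGNATURES = {"EXAMPLE-A": b"EXAMPLE-VIRUS-A"}      # constructed stand-in for a signature database
WARNING_HEADER = "X-Gateway-Virus-Warning"          # assumed header used by the "pass" action


def scan_bytes(data: bytes) -> List[str]:
    return [name for name, sig in SIGNATURES.items() if sig in data]


def uudecode_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Decode every 'begin <mode> <name> ... end' uuencoded block found in a text body."""
    blocks, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if lines[i].startswith("begin "):
            name, body, i = lines[i].split(" ", 2)[2], bytearray(), i + 1
            while i < len(lines) and lines[i] != "end":
                if lines[i] and lines[i] != "`":
                    body += binascii.a2b_uu(lines[i])
                i += 1
            blocks.append((name, bytes(body)))
        i += 1
    return blocks


def encoded_portions(msg) -> Iterator[Tuple[object, str, bytes]]:
    """Step 820: yield (part, label, decoded bytes) for each encoded portion of the message."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""
        cte = (part.get("Content-Transfer-Encoding") or "").lower()
        if cte == "base64" or part.get_filename():
            yield part, part.get_filename() or "<inline>", raw
        elif part.get_content_type() == "text/plain":
            for name, data in uudecode_blocks(raw.decode("ascii", "replace")):
                yield part, name, data


def process_message(raw_message: bytes, action: str = "replace"):
    """Steps 824-840: returns (verdicts, transformed message bytes). action: 'replace' or 'pass'."""
    msg = message_from_bytes(raw_message, policy=MAIL_POLICY)
    verdicts = []
    for part, label, data in list(encoded_portions(msg)):
        hits = scan_bytes(data)
        verdicts.append((label, hits))
        if not hits:
            continue
        if action == "replace":      # perform the determined action on the encoded portion
            part.set_content(f"[gateway removed {label}: {', '.join(hits)}]")
        else:
            msg[WARNING_HEADER] = f"{label}: {', '.join(hits)}"
    return verdicts, msg.as_bytes()


def rescan(transformed: bytes) -> List[Tuple[str, List[str]]]:
    """Re-run step 820 over a transformed message, to confirm what the recipient will get."""
    msg = message_from_bytes(transformed, policy=MAIL_POLICY)
    return [(label, scan_bytes(data)) for _, label, data in encoded_portions(msg)]


def sample_message() -> bytes:
    """Constructed message: a text body carrying a uuencoded file, plus a base64 attachment."""
    uu_line = binascii.b2a_uu(b"EXAMPLE-VIRUS-A dropped via uuencode", backtick=True).decode("ascii")
    body = "Report attached.\r\n\r\nbegin 644 report.exe\r\n" + uu_line.strip() + "\r\n`\r\nend\r\n"
    attachment = base64.b64encode(b"MZ\x90\x00 harmless sample attachment").decode("ascii")
    return (
        "From: alice@example.test\r\nTo: bob@example.test\r\nSubject: report\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"gwdemo\"\r\n\r\n"
        "--gwdemo\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n" + body +
        "--gwdemo\r\nContent-Type: application/octet-stream; name=\"tool.exe\"\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Disposition: attachment; filename=\"tool.exe\"\r\n\r\n" + attachment +
        "\r\n--gwdemo--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    found, out = process_message(sample_message())
    print(found)
    print(out.decode("ascii", "replace"))
```

The scan runs on the decoded bytes, not on the wire form: a signature will never match inside base64 or uuencoded text, which is exactly why step 820 has to find and decode the encoded portions before step 826 can do anything useful.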
`
`

`

`1
`VIRUS DETECTION AND REMOVAL
`APPARATUS FOR COMPUTER NETWORKS
`
`5,623 ,600
`
`2
`
`5
`
`50
`
`BACKGROUND OF THE INVENTION
`
`it was being prompted by a virus program. Another virus
`detection method, known as signature scanning, scans pro-
`gram code that is being copied onto the system. The system
`searches for known patterns of program code used for
`viruses. Currently, signature scanning only operates on the
`floppy disk drives, hard drives or optical drives. Yet another
`1. Field of the Invention
`priorart approach to virus detection performs acheeksun't 01"
`The present invention relates generally to computer sys-
`all hOSt programs stored 011 a system and known to be free
`terns and computer networks.
`In particular,
`the present
`from “111595- Thus, if a virus later attaches itself t0 a h05t
`invention relates to a system and method for detecting and
`“31110,.ng computer viruses. Still more pmiCulal—ly,
`the to program,
`the checksum value will be different and the
`present invention relates to a System and method for deteet—
`presence or a virus can be detected.
`ing and removing computer viruses from file and message
`Nonetheless, these approaches of the prior art suffer from
`transfers between computer networks.
`a number of shortcomings. First, behavior interception is not
`1 Description of the Related Art
`successful at detecting all viruses because critical operations
`During the recent past, the use of computers has become 15
`that may be part Of the. code for a-vtrus can be placed at
`widespread. Moreover,
`the interconnection of computers
`locations where sueherltleal operatlons are likely to occur
`into networks has also become prevalent. Referring now to
`for the normal-operation of programs. Second, “‘9” srgpa-
`FIG. 1, a block diagram of a portion of a prior art inforrna—
`gtéicicanwnil‘ggul]: Ogicfifigflidlgrgi? $3“; lir::c:s::]ci
`1101] system 20 is shown. The portion of the information 20
`popularity, there are no prior art methods that have been able
`system 20 shown comprises a first network 22, a second
`to successfully scan connections 36 such as those utilized by
`network 24 and third network 26. This information system
`a gateway node in communicating with other networks.
`20 is provided only by way of example, and those skilled in
`Third, many of the above methods require a significant
`the art will realize that the information system 20 may
`amount of computing resources, which in turn degrades the
`include any number of networks, each of the networks being
`overall performance of system. Thus, operating the virus
`its own protected domain and having any number of nodes.
`detection programs on every computer becomes impractical.
`As shown in FIG. 1, each of the networks 22, 24, 26 is
`Therefore, the operation of many such virus detection pro-
`formed from a plurality of nodes 30, 32. Each of the nodes
`grams is disabled for improved performance of individual
`30, 32 is preferably a microcomputer. The nodes 30, 32 are
`machines.
`'
`coupled together to form a network by a plurality of network
`Therefore, there is a need for a system and method for
`connections 35_ For example, the nodes 30. 32 may be 30
`effectively detecting and eliminating viruses without signifi-
`connected together using a token ring format, ethemet
`Ctltttt)’ efl‘ecting the performance 0f the CDmPUtCT- MDTCOVCT’
`format or any of the various other formats known in the art.
`1115??? is a sped f0r_ a system and method that cat} detect and
`Each of the networks 22, 24, 26 includes a node 32 that acts
`as a gateway to link the mgpgcfivc network 22’ 24, 26 to 35 eltnnnate Vll‘uSCS in networks attached to other information
`other networks 22, 24, 26. Each of die gateway nodes 32 is
`systems by way 0f gateways 01' the Internet.
`preferably coupled by a standard telephone line connection
`SUMMARY OF THE INVENTION
`34 such as POTS (Plain Old Telephone Service) or aT—l link
`The present
`invention overcomes the limitations and
`to the other gateway nodes 32through a telephone switching
`ELEM]? 28. All clommurucatlon between the networks 22, 40 shortconlirlgs of the prior art with an apparatus and method
`‘
`6 ‘5 preferab 5! performed through one Of the gateway
`for detecting and eliminating viruses on a computer net-
`nodes 32'
`work. A system including the present invention is a network
`one particular problem that has Plagl-lcd CDmPUtCFS’ ttl
`formed of a plurality of nodes and a gateway node for
`particular microcomputers, have been computer viruses 311d
`connection to other networks. The nodes are preferably
`Wfltms- A CDmPUtBI' virus is a 580mm 0f 00th that is buried 45 microcomputers, and the gateway node comprises: a display
`or hidden in another program. Once the program is executed,
`device, a central processing unit, a memory forming the
`the code is activated and attaches itself to other programs in
`apparatus of the present invention, an input device, a net-
`the system. Infected programs in turn copy the code to other
`work ]ink and a communications unit. The memory further
`programs. The effect of such viruses can be simple pranks
`comprises an operating system including a kernel, a File
`that cause a message to be displayed on the screen or more
`Transfer Protocol (FTP) proxy server, and a Simple Mail
`serious effects such as the destruction of programs and data.
`Transfer Protocol (SMTP) proxy server. The central pro-
`Another problem in the prior art is worms. Worms are
`cessing unit, display device, input device, and memory are
`destructive programs that replicate themselves throughout
`coupled and operate to execute the application programs
`disk and memory using up all available computer resources
`stored in the memory. The central processing unit of the
`eventually causing the computer system to crash. Obviously. 55 gateway node also executes the FTP proxy server for trans-
`hccausc of the destructive nature of WORDS and Viruses, them
`mining and receiving files over [he commurdcafions unit,
`is a need for eliminating thfim frflm Compulfirs and networks.
`and executes the SMTP proxy server for transmtting and
`The prior art has attempted to reduce the effects of viruses
`receiving messages over the communications unit. The FTP
`and prevent their proliferation by using various virus dctee—
`proxy server and SMTP proxy server are preferably
`tion programs. One such virus detection method, commonly so executed concurrently with the normal operation of the
`referred to as behavior interception, monitors the computer
`gateway node. The servers advantageously operate in a
`or system for important operating system functions such as
`manner such that viruses transmitted to or from the network
`write, erase, format disk, etc. When such operations occur,
`in messages and files are detected before the files are
`the program prompts the user for input as to whether such an
`transferred into or from the network. The gateway node of
`operation is expected. If such an operation is not expected 65
`the present invention is particularly advantageous because
`the impact of using the FTP proxy server and SMTP proxy
`(e.g., the user was not operating any program that employed
`such a function), the user can abort the operation knowing
`server for the detection of viruses is minimized because only
`
`CS—1012
`
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 14
`
`CS-1012
`Cisco Systems, Inc. v. Finjan, Inc.
`Page 14
`
`

`

`3
`
`4
`
`5,623,600
`
`the files leaving or entering the network are evaluated for the
`presence of viruses and all other “intra” network traffic is
`unaffected.
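The checksum approach described in the Background above (record a value for each host program while it is known to be clean, then detect a virus that later attaches itself by the change in that value), as an added example that is not code from the patent or from Trend Micro. The "programs" are constructed byte strings, and the key is an assumption the Background does not make: an unkeyed checksum can be recomputed by any code that is able to modify the file, so the baseline below uses a keyed digest (HMAC) whose key would in practice be kept off the scanned host.

```python
"""Checksum-based virus detection over a set of host programs.

Added illustration, not the patent's code.  The programs are constructed byte
strings and the key is an assumption made for the example.
"""
import hashlib
import hmac
from typing import Dict, List

KEY = b"example-baseline-key-kept-off-host"   # assumed; not stored beside the programs


def digest(code: bytes, key: bytes = KEY) -> str:
    return hmac.new(key, code, hashlib.sha256).hexdigest()


def baseline(programs: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest of keyed digests taken while every program is known to be clean."""
    return {name: digest(code) for name, code in programs.items()}


def verify(programs: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Names whose digest no longer matches the manifest, plus any program added or missing since."""
    suspect = []
    for name in sorted(set(programs) | set(manifest)):
        if name not in programs or name not in manifest:
            suspect.append(name)
        elif not hmac.compare_digest(manifest[name], digest(programs[name])):
            suspect.append(name)
    return suspect


def append_virus(program: bytes, virus_code: bytes) -> bytes:
    """Models an appending virus: the host program with virus code attached at its end."""
    return program + virus_code


def run_demo() -> List[str]:
    # Constructed host programs (not real binaries).
    programs = {"ls": b"\x7fELF ls-program-bytes", "cp": b"\x7fELF cp-program-bytes"}
    manifest = baseline(programs)
    assert verify(programs, manifest) == []          # clean baseline verifies
    programs["cp"] = append_virus(programs["cp"], b"EXAMPLE-VIRUS-CODE")
    return verify(programs, manifest)                # the modified program is reported


if __name__ == "__main__":
    print(run_demo())
```

This catches the attachment of a virus to a program that was already baselined; it says nothing about a program that was infected before the baseline was taken, which is the limitation the Background's phrase "known to be free from viruses" points at.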
`
The present invention also comprises a method for processing a file before transmission into the network and a method for processing a file before transmission from the network. The preferred method for processing a file comprises the steps of: receiving the data transfer command and file name; transferring the file to the proxy server; performing virus detection on the file; determining whether the file contains any viruses; transferring the file from the proxy server to a recipient node if the file does not contain a virus; and performing a preset action with the file if it does contain a virus. The present invention also includes methods for processing messages before transmission to or from the network that operate in a similar manner.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a prior art information system with a plurality of networks and a plurality of nodes upon which the present invention operates;

FIG. 2 is a block diagram of a preferred embodiment for a gateway node including the apparatus of the present invention;

FIG. 3 is a block diagram of a preferred embodiment for a memory of the gateway node including the apparatus of the present invention;

FIG. 4 is a block diagram of a preferred embodiment for a protocol layer hierarchy constructed according to the present invention compared to the OSI layer model of the prior art;

FIG. 5A is a functional block diagram showing a preferred system for sending data files according to a preferred embodiment of the present invention;

FIG. 5B is a functional block diagram showing a preferred system for receiving data files according to a preferred embodiment of the present invention;

FIGS. 6A, 6B and 6C are a flowchart of the preferred method for performing file transfer according to the present invention;

FIG. 7 is a functional block diagram showing a preferred system for transmitting mail messages according to a preferred embodiment of the present invention; and

FIGS. 8A and 8B are a flow chart of a preferred method for sending messages to/from a network.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The virus detection system and method of the present invention preferably operates on an information system 20 as has been described above with reference to FIG. 1. The present invention, like the prior art, preferably includes a plurality of node systems 30 and at least one gateway node 33 for each network 22, 24, 26. However, the present invention is different from the prior art because it provides a novel gateway node 33 that also performs virus detection for all files being transmitted into or out of a network. Furthermore, the novel gateway node 33 also performs virus detection on all messages being transmitted into or out of an associated network.

Referring now to FIG. 2, a block diagram of a preferred embodiment of the novel gateway node 33 constructed in accordance with the present invention is shown. A preferred embodiment of the gateway node 33 comprises a display device 40, a central processing unit (CPU) 42, a memory 44, a data storage device 46, an input device 50, a network link 52, and a communications unit 54. The CPU 42 is connected by a bus 56 to the display device 40, the memory 44, the data storage device 46, the input device 50, the network link 52, and the communications unit 54 in a von Neumann architecture. The CPU 42, display device 40, input device 50, and memory 44 may be coupled in a conventional manner such as a personal computer. The CPU 42 is preferably a microprocessor such as a Motorola 68040 or Intel Pentium or x86 type processor; the display device 40 is preferably a video monitor; and the input device 50 is preferably a keyboard and mouse type controller. The CPU 42 is also coupled to the data storage device 46 such as a hard disk drive in a conventional manner. Those skilled in the art will realize that the gateway node 33 may also be a minicomputer or a mainframe computer.

The bus 56 is also coupled to the network link 52 to facilitate communication between the gateway node 33 and the other nodes 30 of the network. In the preferred embodiment of the present invention, the network link 52 is preferably a network adapter card including a transceiver that is coupled to a cable or line 36. For example, the network link 52 may be an ethernet card connected to a coaxial line, a twisted pair line or a fiber optic line. Those skilled in the art will realize that a variety of different networking configurations and operating systems including token ring, ethernet, or arcnet may be used and that the present invention is independent of such use. The network link 52 is responsible for sending, receiving, and storing the signals sent over the network or within the protected domain of a given network. The network link 52 is coupled to the bus 56 to provide these signals to the CPU 42 and vice versa.

The bus 56 is also coupled to the communications unit 54 to facilitate communication between the gateway node 33 and the other networks. Specifically, the communications unit 54 is coupled to the CPU 42 for sending data and messages to other networks. For example, the communications unit 54 may be a modem, a bridge or a router coupled to the other networks in a conventional manner. In the preferred embodiment of the present invention, the communications unit 54 is preferably a router. The communications unit 54 is in turn coupled to other networks via a media 34 such as a dedicated T-1 phone line, fiber optics, or any one of a number of conventional connecting methods.

The CPU 42, under the guidance and control of instructions received from the memory 44 and from the user through the input device 50, provides signals for sending and receiving data using the communications unit 54. The transfer of data between networks is broken down into the sending and receiving of files and messages, which in turn are broken down into packets. The methods of the present invention employ a virus detection scheme that is applied to all transfers of messages and files into or out of a network via its gateway node 33.

Referring now to FIG. 3, the preferred embodiment of the memory 44 for the gateway node 33 is shown in more detail. The memory 44 is preferably a random access memory (RAM), but may also include read-only memory (ROM). The memory 44 preferably comprises a File Transfer Protocol (FTP) proxy server 60, a Simple Mail Transfer Protocol (SMTP) proxy server 62, and an operating system 64 including a kernel 66. The routines of the present invention for detecting viruses in file transfers and messages primarily include the FTP proxy server 60 and the SMTP proxy server 62. The FTP proxy server 60 is a routine for controlling file transfers to and from the gateway node 33 via the commu-
`
`

`

`5
`
`6
`
`5,623,600
`
`nications unit 54, and thus controlling file transfers to and
`layer 424 and the SMTP
`417, and the electronic mail
`from a given network of which the gateway node is a part.
`protocol layer 418, to process file transfers and messages,
`The operation of the FTP proxy server 60 is described below
`respectively. For example, any file transfer requests are
`in more detail with reference to FIGS. 5A, SB, 6A, 6B and
`generated by the file transfer application 423, first processed
`6C. Similarly, the SMTP proxy server 62 is a routine for
`by the FTP proxy server layer 421, then processed by the file
`controlling the transfer of messages to and from the gateway
`transfer protocol 41'? and other lower layers 415, 413, 411
`node 33, and thus to and from the respective network
`until the data transfer is actually applied to the transmission
`associated with the gateway node 33. The operation of the
`media 410. Similarly. any messaging requests are first
`SMTP proxy server 62 is described below in more detail
`processed by the SMTP proxy server layer 418, and there-
`with reference to FIG. 7 8A and SB. The present invention
`after processed by the SMTP protocol and other lower layers
`preferably uses a conventional operating system 28 such as to 415, 413, 411 until the physical layer is reached. The present
`Berkeley Software Distribution UNIX. Those skilled in the
`invention is particularly advantageous because all virus
`art will realize how the present invention may be readily
`screening is performed below the application level. There-
`adaptcd for use with other operating systems such as
`fore, the applications are unaware that such virus detection
`MACINTOSH System Software version 7.1, DOS, WIN— ,5 and elimination is being performed, and these operations are
`DOWS or WINDOWS NT. The memory 44 may also
`completely transparent to the operation of the application
`include a variety of different application programs 68
`level layers 406. While the FTP proxy server layer 421 and
`including but not limited to computer drawing programs,
`the SMTP proxy server layer 422 have been shown in FIG.
`word processing programs, and spreadsheet programs. The
`4 as being their own layer to demonstrate the coupling
`present invention is particularly advantageous over the prior 20 elfects they provide between the file transfer layer 423 and
`because it minimizes the impact of virus detection and
`file transfer protocol 41?, and the electronic mail layer 424
`elimination since the FTP proxy server 60 and SMTP proxy
`and the SMTP protocol layer 418, those skilled in the art will
`server 62 are preferably only included or installed in the
`realize that the FTP proxy server layer 421 and die SMTP
`memory 44 of the gateway nodes 33. Thus, all data being
`proxy server layer 422 can also be correctly viewed as being
`transferred inside the protected domain of a given network 25 part of the file transfer protocol layer 41'?l and the SMTP
`will not be checked because the data packets might not be
`protocol layer 418, respectively, because they are invisible
`routed via the gateway node 33.
`or transparent to the application layer 406.
`While the apparatus of the present invention. in particular
`A preferred method of operation and an embodiment for
`the FTP proxy server 60 and SMTP proxy server 62, has
`the FTP proxy server 60 will be described focusing on its
`been described above as being located and preferably is 30
`relationship to and its control of the gateway node 33, and
`located on the gateway node 33, those skilled in the art will
`thus, control over access to the medium, line 34, for con-
`realize that the apparatus of the present invention could also
`nections to other networks. The method can best be under—
`be included on a FTP server or a world wide web server for
`stood with reference to FIGS. 5A and SB, that graphically
`scanning files and messages as they are downloaded from
`show the functions performed by an lntemet daemon 70, the
`the web. Furthermore,
`in an alternate embodiment,
`the 35 FTP proxy server 60, and an FTP daemon 78, each of which
`apparatus of the present invention may be included in each
`resides on the gateway note 33. In FIGS. 5A and SB, like
`node of a network for performing virus detection on all
`reference numbers have been used for like parts and the
`messages received or transmitted from that node.
`figures are different only in the direction in which the file is
`As best shown in FIG. 4’ me CPU 42 3130 utilizes a
`being transferred (either from client task 72 to server task 82
`protocol layer hierarchy to communicate over the network. 40 01' from server “33k 82 ‘0 client [35k 72)- For the sake Of
`The protocol layers of the hierarchy of the present invention
`clarity and case Of understanding only the data ports are
`are shown in FlG.4in comparison to the ISO—051 reference
`shown in FIGS- 5A 311d 53, and the bi—directional lines
`model, for example. The protocol layers 410-426 of the
`rcpmscnt command or control Pathways and massumcd to
hierarchy of the present invention are similar to the prior art protocol layers for the lower four layers 400-403 including: (1) a physical layer 400 formed of the transmission media 410; (2) a data link layer 401 formed of the network interface cards 411; (3) a network layer 402 formed of address resolution 412, Internet protocol 413 and Internet control message protocol 414; and (4) a transport layer 403 formed of the transmission control protocol 415 and a user datagram protocol 416. Corresponding to the presentation 405 and session 404 layers, the protocol hierarchy of the present invention provides four methods of communication: a file transfer protocol 417, a simple mail transfer protocol 418, a TELNET protocol 419 and a simple network management protocol 420. There are corresponding components on the application layer 406 to handle file transfer 423, electronic mail 424, terminal emulation 425, and network management 426. The present invention advantageously detects, controls and eliminates viruses by providing an additional layer between the application layer 406 and the presentation layer 405 for the gateway nodes 33. In particular, according to the hierarchy of the present invention, a FTP proxy server layer 421 and a SMTP proxy server layer 422 are provided. These layers 421, 422 operate in conjunction with the file transfer layer 423 and file transfer protocol

include a command port although it is not explicitly shown.

The operation of the FTP proxy server 60 will now be described with reference to a file transfer between a client task 72 (requesting machine) and a server task 82 (supplying machine). While it is assumed that the client task 72 (requesting machine) is inside a protected domain and the server task 82 (supplying machine) is outside the protected domain, the invention described below is also used by the gateway node 33 when the client task 72 (requesting machine) is outside the protected domain and the server task 82 (supplying machine) is inside the protected domain.

FIGS. 6A-6C are a flowchart of a preferred method for performing file transfers from a controlled domain of a network across a medium 34 to another network (e.g., a file transfer from a node 32 of the second network 24 across the media 34 to a second node 32 of the third network 26). The method begins with step 600 with the client node sending a connection request over the network to the gateway node 33. In step 602, the gateway node 33 preferably has an operating system 64 as described above, and part of the operating system 64 includes a fire wall, or program including routines for authenticating users. The gateway node 33 first tries to authenticate the user and decide whether to allow the connections requested, once the request is received. This is

CS-1012
Cisco Systems, Inc. v. Finjan, Inc.
Page 16

7                              5,623,600                              8

done in a conventional manner typically available as part of UNIX. The Internet daemon 70 creates an instance of the FTP proxy server 60 and passes the connection to the FTP proxy server 60 for servicing in step 602. The Internet daemon 70 is a program that is part of the operating system 64, and it runs in the background. When being run, one of the functions of the Internet daemon 70 is to bind socket ports for many well-known services, such as TELNET, login, and FTP. When a connect request is detected, the Internet daemon 70, constructed in accordance with the present invention, spawns the FTP proxy server 60, which is the server that will actually handle the data transfer. Thereafter, the FTP proxy server 60 controls the network traffic passing between the client task 72 and the server task 82. Then in step 604, the client node sends a data transfer request and file name, and establishes a first data port 76 through which the data will be transferred between the FTP proxy server 60 and the client task 72. In st
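The gateway behaviour described above (authenticate the connection request, then have the spawned FTP proxy hold the file and scan it before relaying it between the server task and the client task) modelled in Python as an added example; this is not code from the patent, and the user list, the signature set and the audit-line format are constructed assumptions. It also shows why the proxy must buffer the whole file rather than scan individual network chunks.

```python
# Added example, not the patent's code: in-memory model of the gateway's FTP
# proxy. It authenticates the connection, holds the whole file from the server
# task, scans it, and forwards to the client task only if no signature matches.
# The user list, signature set and audit-line format are all constructed.
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed signature set; the EICAR string is the standard benign AV test file.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Constructed-Marker": b"\xde\xad\xbe\xef-SAMPLE-MARKER",
}
ALLOWED_USERS = {"alice", "bob"}  # constructed stand-in for the firewall's user list

def authenticate(user: str) -> bool:
    """Step 602 analogue: the gateway decides whether to allow the connection."""
    return user in ALLOWED_USERS

def scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> Optional[str]:
    """Return the name of the first matching signature, or None if clean."""
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None

def naive_chunk_scan(chunks: List[bytes]) -> Optional[str]:
    """Scanning each network chunk on its own misses a pattern that straddles a
    chunk boundary, which is why the proxy buffers the file before scanning."""
    for chunk in chunks:
        hit = scan(chunk)
        if hit is not None:
            return hit
    return None

def proxy_transfer(user: str, chunks: List[bytes], audit: List[str]) -> Tuple[bool, bytes]:
    """Relay a file received as chunks from the server task to the client task.
    Returns (forwarded, payload); audit receives one log line per decision."""
    if not authenticate(user):
        audit.append(f"DENY user={user} reason=auth")
        return False, b""
    buffered = b"".join(chunks)  # whole file is held before any byte is released
    digest = hashlib.sha256(buffered).hexdigest()[:16]
    hit = scan(buffered)
    if hit is not None:
        audit.append(f"BLOCK user={user} sha256={digest} signature={hit}")
        return False, b""
    audit.append(f"FORWARD user={user} sha256={digest} bytes={len(buffered)}")
    return True, buffered
```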