(19) United States
(12) Patent Application Publication
Herrmann et al.
(10) Pub. No.: US 2003/0055994 A1
(43) Pub. Date: Mar. 20, 2003

(54) SYSTEM AND METHODS PROVIDING ANTI-VIRUS COOPERATIVE ENFORCEMENT

(75) Inventors: Conrad K. Herrmann, Oakland, CA (US); Kaveh Baharestan, San Francisco, CA (US); Joseph E. Bentley, San Jose, CA (US); Jess A. Leroy, San Francisco, CA (US)

Correspondence Address:
JOHN A. SMART
708 BLOSSOM HILL RD., #201
LOS GATOS, CA 95032 (US)

(73) Assignee: Zone Labs, Inc.

(21) Appl. No.: 10/192,819

(22) Filed: Jul. 9, 2002

Related U.S. Application Data

(63) Continuation-in-part of application No. 09/944,057, filed on Aug. 30, 2001. Continuation-in-part of application No. 10/159,820, filed on May 31, 2002.

(60) Provisional application No. 60/303,653, filed on Jul. 6, 2001. Provisional application No. 60/362,525, filed on Mar. 6, 2002. Provisional application No. 60/372,907, filed on Apr. 15, 2002.

Publication Classification

(51) Int. Cl.: G06F 15/16
(52) U.S. Cl.: 709/229

(57) ABSTRACT

A system providing methods for anti-virus cooperative enforcement is described. In response to a request from a device for access to protected resources, such as a network or protected data, a determination is made as to whether an anti-virus policy applies to the request for access made by the device. If an anti-virus policy is applicable, information pertaining to virus protection available on the device is collected. The virus protection information that is collected is evaluated to determine whether the device is in compliance with the anti-virus policy. If the device is determined to be in compliance with the anti-virus policy, the device is allowed to access the protected resources.

[Cover figure: the flowchart of FIG. 4A (steps 400 to 406), repeated on the front page.]

Page 1 of 45
Netskope Exhibit 1005

FIG. 1 (Prior Art), Sheet 1 of 5: block diagram of a general-purpose computer system comprising central processing unit(s) (CPU), memory, fixed storage holding the OS, drivers, applications and data files, removable storage, a video adapter and display, keyboard, pointing device, printer, a network interface and a comm interface.

FIG. 2, Sheet 2 of 5: software system layered on the computer of FIG. 1. Application programs 201 (201a to 201d: a browser and application programs 1, 2, ... N) run on an operating system 210 (e.g., Windows 9x/NT/2000/XP, Solaris, Unix, Linux, Mac OS, or like), which sits on the BIOS (microcode) and drives the display monitor, network interface, comm port, keyboard, modem, mouse, disks and printer.

FIG. 3, Sheet 3 of 5: block diagram of the anti-virus cooperative enforcement system. The client computer system 310 holds a TrueVector service 320, an integrity agent (client module) 324, an anti-virus information provider plug-in (AV plug-in) 326, a locally stored policy 328, a gateway client 330, and an anti-virus application (virus protection module) 340 comprising an anti-virus engine 342 (version 1.2.3.4) and an anti-virus DAT file 344 (version 236, dated 3 Jan. 2002, 4:24 p.m. GMT). On the server side are a gateway server 350, an integrity server (supervisor module) 370 with a policy store 371, a policy specification (interface module) 373 and anti-virus policy options 375, and the protected data (resources) 390.

FIG. 4A, Sheet 4 of 5: flowchart of the enforcement method, first part.

BEGIN
400: A gateway client on a client computer connects to a gateway server to obtain access to protected data or resources. The gateway server accepts the connection.
402: The gateway client notifies the TrueVector service that the connection has been created, or the TrueVector service notices the creation of the connection.
403: The TrueVector service sends a message informing the integrity server about the connection.
404: The integrity server retrieves the appropriate policy containing anti-virus policy options from the policy store and sends the policy to the TrueVector service on the client computer.
405: The TrueVector service receives the policy, stores it locally and checks if an anti-virus application is required by the policy.
406: If an anti-virus application is required by the policy, the TrueVector service calls the AV plug-in.
TO FIG. 4B

FIG. 4B, Sheet 5 of 5: flowchart of the enforcement method, second part.

FROM FIG. 4A
407: The AV plug-in retrieves information from the currently-utilized anti-virus engine and from the currently-installed anti-virus DAT file.
408: The TrueVector service receives this information and sends it to the integrity server.
409: The integrity server evaluates the information to determine if the client computer is in compliance with the anti-virus policy options.
410: If the client computer is in compliance, the integrity server sends a message to the gateway server to permit access from the gateway client to the protected data or resources.
411: (Optional) If the client computer is not in compliance, the client computer is redirected to a sandbox server to remedy the non-compliance.
DONE

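The compliance decision of steps 405 to 411, modelled as an added example that is not code from the application or from Zone Labs. The policy option names, the version and age rules and the message shapes are assumptions; the engine version and DAT file version/date are the values drawn in FIG. 3.

```python
# Added example: a toy model of the integrity server's compliance check
# (steps 405-411 of FIG. 4A/4B).  Not code from the application or from
# Zone Labs.  The policy option names, the version and age rules and the
# message dictionaries are assumptions; the engine version (1.2.3.4) and the
# DAT file version/date (236, 3 Jan. 2002 4:24 p.m. GMT) are taken from FIG. 3.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AntiVirusPolicyOptions:
    """Anti-virus policy options (375) as they might be held in the policy store (371)."""
    av_required: bool                 # step 405: is an anti-virus application required at all?
    min_engine_version: str           # lowest acceptable engine version, e.g. "1.2.0.0"
    min_dat_version: int              # lowest acceptable DAT file version
    max_dat_age: timedelta            # the DAT file must not be older than this


@dataclass(frozen=True)
class VirusProtectionInfo:
    """What the AV plug-in (326) collects from the engine (342) and DAT file (344)."""
    engine_version: Optional[str]     # None when no engine is found or it is disabled
    dat_version: Optional[int]
    dat_date: Optional[datetime]      # timezone-aware


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.2.3.4' -> (1, 2, 3, 4); compared element-wise, so '1.10' > '1.9'."""
    return tuple(int(part) for part in version.split("."))


def evaluate_compliance(policy: AntiVirusPolicyOptions,
                        info: VirusProtectionInfo,
                        now: datetime) -> List[str]:
    """Step 409: list every policy violation; an empty list means compliant.

    Fails closed: a missing engine or DAT value counts as a violation, not a pass.
    """
    if not policy.av_required:
        return []                       # step 405: the policy requires no AV, nothing to check
    if info.engine_version is None:
        return ["no anti-virus engine reported (not installed or disabled)"]
    problems = []
    if version_tuple(info.engine_version) < version_tuple(policy.min_engine_version):
        problems.append(f"engine {info.engine_version} older than required {policy.min_engine_version}")
    if info.dat_version is None or info.dat_version < policy.min_dat_version:
        problems.append(f"DAT version {info.dat_version} below required {policy.min_dat_version}")
    if info.dat_date is None or now - info.dat_date > policy.max_dat_age:
        problems.append(f"DAT file older than {policy.max_dat_age.days} days")
    return problems


def integrity_server_decision(policy: AntiVirusPolicyOptions,
                              info: VirusProtectionInfo,
                              now: datetime) -> dict:
    """Steps 410/411: permit via the gateway server, or redirect to the sandbox server."""
    problems = evaluate_compliance(policy, info, now)
    if not problems:
        return {"action": "permit", "to": "gateway_server"}
    return {"action": "redirect", "to": "sandbox_server", "reasons": problems}


# Constructed sample data.  The engine and DAT values are those drawn in FIG. 3;
# the policy thresholds and the "current time" are made up for this example.
SAMPLE_POLICY = AntiVirusPolicyOptions(av_required=True, min_engine_version="1.2.0.0",
                                       min_dat_version=230, max_dat_age=timedelta(days=30))
NO_AV_POLICY = AntiVirusPolicyOptions(av_required=False, min_engine_version="0",
                                      min_dat_version=0, max_dat_age=timedelta(days=0))
SAMPLE_INFO = VirusProtectionInfo(engine_version="1.2.3.4", dat_version=236,
                                  dat_date=datetime(2002, 1, 3, 16, 24, tzinfo=timezone.utc))
DISABLED_INFO = VirusProtectionInfo(engine_version=None, dat_version=None, dat_date=None)
SAMPLE_NOW = datetime(2002, 1, 10, tzinfo=timezone.utc)   # DAT is a week old: compliant
STALE_NOW = SAMPLE_NOW + timedelta(days=60)               # same DAT, now too old

if __name__ == "__main__":
    print(integrity_server_decision(SAMPLE_POLICY, SAMPLE_INFO, SAMPLE_NOW))
    print(integrity_server_decision(SAMPLE_POLICY, SAMPLE_INFO, STALE_NOW))
    print(integrity_server_decision(SAMPLE_POLICY, DISABLED_INFO, SAMPLE_NOW))
```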
SYSTEM AND METHODS PROVIDING ANTI-VIRUS COOPERATIVE ENFORCEMENT

RELATED APPLICATIONS

[0001] The present application is related to and claims the benefit of priority of the following commonly-owned provisional application(s): application Ser. No. 60/372,907 (Docket No. VIV/0006.00), filed Apr. 15, 2002, entitled “System and Methods Providing Anti-Virus Cooperative Enforcement”, of which the present application is a non-provisional application thereof. The present application is related to and claims the benefit of priority of the following commonly-owned non-provisional application(s): application Ser. No. 09/944,057 (Docket No. VIV/0003.01), filed Aug. 30, 2001, entitled “System Providing Internet Access Management with Router-based Policy Enforcement”, of which the present application is a Continuation-in-part application thereof; and application Ser. No. 10/159,820 (Docket No. VIV/0005.01), filed May 31, 2002, entitled “System and Methodology for Security Policy Arbitration”, of which the present application is a Continuation-in-part application thereof. The disclosures of each of the foregoing applications are hereby incorporated by reference in their entirety, including any appendices or attachments thereof, for all purposes.

[0002]

BACKGROUND OF THE INVENTION

1. Field of the Invention

[0003] The present invention relates generally to information processing and, more particularly, to systems and methods for cooperative enforcement of anti-virus protections on computer systems connected to one or more networks, such as Local Area Networks (LANs) and Wide Area Networks (WANs), including the Internet.

2. Description of the Background Art

[0004]

[0005] The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.

[0006] In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network via Ethernet. More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that are plugged into a corporate network during the day and are plugged into a home network during the evening. Computers can be connected to networks at home, at work, and in numerous other locations. Many users also have home computers that are remotely connected to various organizations from time to time through wide area networks (WANs), including the Internet. The number of computing devices, and the number of networks that these devices connect to, has increased dramatically in recent years.

[0007] In addition, various types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often have a large number of users that are occasionally connected from time to time. Moreover, connection to these networks is often very easy, as connection does not require a physical link. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Increasingly, users are also using the Internet to remotely connect to a number of different systems and networks. For example, a user may connect his or her home computer to a corporate network through a virtual private network (VPN) which creates a secure session between the home computer and the corporation’s network.

[0008] As more and more computers are connecting to a number of different networks (including the Internet), a whole new set of challenges faces network administrators and individual users alike: previously closed computing environments are now open to a worldwide network of computer systems. Specific challenges, for example, include the following: (1) attacks by perpetrators (hackers) capable of damaging the local computer systems, misusing those systems, or stealing proprietary data and programs; (2) unauthorized access to external data (e.g., pornographic or other inappropriate Web sites); (3) infiltration by viruses and “Trojan horse” programs; and (4) employee abuse of business computer resources for unauthorized personal activities (e.g., accessing on-line games or streaming audio/video programs).

[0009] One mechanism traditionally used to address several of the above challenges is a firewall product. Traditional firewall products guard a boundary (or gateway) between a local network, such as a corporate network, and a larger network, such as the Internet. These products primarily regulate traffic between physical networks by establishing and enforcing rules that regulate access based upon the type of access request, the source requesting access, the connection port to be accessed, and other factors. For example, a firewall may permit access from a specific IP address or range (or zone) of IP addresses, but deny access from other addresses. However, one of the implications of the increasing number of devices occasionally connected to different networks is that traditional corporate firewall technologies are no longer effective. Traditional firewall technology guarding a network boundary does not protect against traffic that does not traverse that boundary. It does not regulate traffic between two devices within the network or two devices outside the network. A corporate firewall provides some degree of protection when a device is connected to that particular corporate network, but it provides no protection when the device is connected to other networks. In addition, a traditional firewall may not protect against intrusions originating from a remote device which is connected to a corporate (or similar) network.

[0010] More recently, a security measure that has been utilized by many users is to install a personal firewall (or end point security) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computer. For example, an end point security product may expressly seek authorization from a user or administrator (or from a policy established by a user or administrator) for each network connection to or from a computing device, including connections initiated from the device and those initiated from external sources. This enables a user or administrator to monitor what applications on a device are accessing the Internet. It also enforces security by obtaining authorization for each Internet or network connection to (or from) the device.

[0011] Another protective measure implemented by many users and administrators is to install an anti-virus application on their machines to provide protection against infiltration by viruses and “Trojan horse” programs. An anti-virus application typically includes an engine which has a database or repository of virus information (typically referred to as “virus signatures”) that enables identification of viruses and other malicious code. At specified intervals the anti-virus engine will scan the computer system to detect any files that match known virus signatures. The anti-virus engine may also analyze new files received, opened, or saved on the computer system in order to bar infiltration by viruses. For example, the anti-virus engine may check e-mail attachments received by the local system. Typically, the anti-virus engine analyzes all files that are to be stored locally before such files are saved to disk in an effort to avoid installation of files containing viruses. Anti-virus programs are currently available from a number of vendors, including Norton (Symantec), McAfee, and Trend Micro. Typically, these vendors of anti-virus programs also provide frequent virus signature updates (usually through provision of a virus-data definition or “DAT” file) as new viruses are discovered. The updated virus information in the DAT file received by a user is added to the local database or repository, enabling identification and avoidance of new viruses.

[0012] Although end point security and anti-virus products, when properly used, provide considerable protection to users and administrators of computer systems and networks, several problems remain. One problem is that if a machine connected to a corporate network (e.g., a remote client machine connected through a VPN gateway) is infected with a virus, it may infect other machines on the same network. An infected computer that is connected to a particular network (e.g., a corporate LAN) may put the entire network at risk. For instance, the computer may be infected with a virus that intentionally tries to spread itself to other machines in the network. One machine that is not running the correct anti-virus engine or is not equipped with current virus signature definitions may jeopardize the security of the entire network. Ensuring that machines are running current anti-virus programs is particularly important, as virus issues are very time sensitive. New viruses are frequently released that cannot be identified using older anti-virus engines and definitions. It becomes critical therefore to promptly update anti-virus applications on all machines in a network in a timely fashion before the network is infiltrated by a newly released virus.

[0013] Several currently available tools provide functionality for “pushing” program updates, including anti-virus engine and virus signature updates, to client machines. Typically, this is in the nature of a one-time broadcast of new anti-virus engine and/or virus definition (DAT file) updates. A number of anti-virus products also include functionality that automatically checks for the availability of updates from a vendor website and downloads any such updates to the client device. While these current solutions make updates available, they do not provide any mechanism for centralized enforcement of anti-virus policies. Existing solutions do not ensure that all machines accessing a network have installed and are using current versions of particular anti-virus products, nor do they ensure that two or more machines that are connected together are sufficiently protected against virus infiltration. For example, a Trojan horse routine on a client computer may intentionally deactivate the anti-virus engine on that machine. A user may also intentionally or unintentionally disable virus checking on the machine. Another concern is that these current solutions typically allow client machines to connect to a network before pushing updates to such client machines. These limitations make the network potentially vulnerable to malicious code on a client machine that is connected to the network.

[0014] What is needed is a solution that ensures that all machines connected to a server or a network, including client computers that are joining (e.g., remotely connecting to) a network, are using specified anti-virus products to protect against infiltration by viruses. This solution should verify that all machines connected to a network (or each other) are using current releases of both anti-virus engines and virus signature updates to provide appropriate protection to all users. The solution should also bar access to the network to non-compliant systems that are not using current versions of the required anti-virus programs. Ideally, the solution should be easy to use and should facilitate updating anti-virus engines and virus signature definitions on all systems as and when required in an efficient and time-sensitive manner. The present invention fulfills these and other needs.

GLOSSARY

[0015] The following definitions are offered for purposes of illustration, not limitation, in order to assist with understanding the discussion that follows.

[0016] Bluetooth: Bluetooth refers to the Bluetooth wireless specification, a communications standard for sending data to and from small wireless radio communications devices, such as notebook and handheld computers, consumer electronics, personal digital assistants, cellular phones and other portable, handheld devices. The Bluetooth specification includes both link layer and application layer definitions for product developers which support data, voice and content-centric applications. Devices that comply with the Bluetooth wireless specification operate in the unlicensed, 2.4 GHz radio spectrum ensuring communication compatibility worldwide. The Institute of Electrical and Electronics Engineers (IEEE) standards association has approved the Bluetooth specification for wireless personal area networks as IEEE standard 802.15.1 “Wireless MAC and PHY Specifications for Wireless Personal Area Networks (WPANs)”, the disclosure of which is hereby incorporated by reference.

[0017] Endpoint security: Endpoint security is a way of managing and enforcing security on each computer instead of relying upon a remote firewall or a remote gateway to provide security for the local machine or environment. End point security involves a security agent that resides locally on each machine. This agent monitors and controls the interaction of the local machine with other machines and devices that are connected on a LAN or a larger wide area network (WAN), such as the Internet, in order to provide security to the machine.

[0018] Firewall: A firewall is a set of related programs, typically located at a network gateway server, that protects the resources of a private network from other networks by controlling access into and out of the private network. (The term also implies the security policy that is used with the programs.) A firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall may also include or work with a proxy server that makes network requests on behalf of users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request directly accesses private network resources.

[0019] HTTP: HTTP is the acronym for HyperText Transfer Protocol, which is the underlying communication protocol used by the World Wide Web on the Internet. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when a user enters a Uniform Resource Locator (URL) in his or her browser, an HTTP command is sent to the Web server directing it to fetch and transmit the requested Web page. Further description of HTTP is available in “RFC 2616: Hypertext Transfer Protocol—HTTP/1.1,” the disclosure of which is hereby incorporated by reference. RFC 2616 is available from the World Wide Web Consortium (W3C), and is currently available via the Internet at http://www.w3.org/Protocols/. Additional description of HTTP is available in the technical and trade literature, see e.g., William Stallings, “The Backbone of the Web,” BYTE, October 1996, the disclosure of which is hereby incorporated by reference.

[0020] HTTPS: HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL, a communications protocol designed to transfer encrypted information between computers over the World Wide Web. HTTPS involves the use of a Secure Socket Layer (SSL) as a sublayer under HTTP.

[0021] IPsec: IPsec is short for IP Security, a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement virtual private networks (VPNs). IPsec supports two encryption modes:

input. The MD5 algorithm is used primarily in digital signature applications, where a large file must be “compressed” in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem. Further description of MD5 is available in “RFC 1321: The MD5 Message-Digest Algorithm,” (April 1992), the disclosure of which is hereby incorporated by reference.

[0023] Network: A network is a group of two or more systems linked together. There are many types of computer networks, including local area networks (LANs), virtual private networks (VPNs), metropolitan area networks (MANs), campus area networks (CANs), and wide area networks (WANs) including the Internet. As used herein, the term “network” refers broadly to any group of two or more computer systems or devices that are linked together from time to time.

[0024] Security policy: In general terms, a security policy is an organization’s statement defining the rules and practices that regulate how it will provide security, handle intrusions, and recover from damage caused by security breaches. An explicit and well-defined security policy includes a set of rules that are used to determine whether a given subject can be permitted to gain access to a specific object. A security policy may be enforced by hardware and software systems that effectively implement access rules for access to systems and information. Further information on security policies is available in “RFC 2196: Site Security Handbook, (September 1997),” the disclosure of which is hereby incorporated by reference. In this document, “security policy” or “policy” refers to a set of security policies and rules employed by an individual or by a corporation, government entity, or any other organization operating a network or other computing resources.

[0025] SSL: SSL is an abbreviation for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents over the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Microsoft Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. SSL creates a secure connection between a client and a server, over which data can be sent securely. For further information, see e.g., “The SSL Protocol, version 3.0,” (Nov. 18, 1996), from the Internet Engineering Task Force (IETF), the disclosure of which is hereby incorporated by reference.

[0026] VPN: VPN stands for Virtual Private Network, a network that is constructed by using public wires to connect