Registers – Systems controlled by data bearing records
Reexamination Certificate
2002-08-01
2003-12-16
Pitts, Harold I. (Department: 2876)
Registers
Systems controlled by data bearing records
C235S376000
Reexamination Certificate
active
06663000
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the field of malware scanners and the validating of components forming a malware scanner.
2. Description of the Prior Art
It is known to provide malware scanners that comprise multiple components. As an example, a malware scanner resident on a client computer may include an updating component responsible for checking for updates of the other components of the malware scanner and installing those updated components when they become available having first downloaded them from a remote source. Further components will typically provide a malware scanner engine responsible for controlling and directing the malware scanning operation and malware definition data used to identify the different types of malware for which a scan is being made.
As illustrated in
FIG. 1
of the accompanying drawings, a malware scanner provider may have a server
2
connected to the internet
4
and upon which server
2
they make available regularly updated malware scanner components, such as malware scanner engines and malware definition data sets, for download. Typically the malware definition data (DAT) will be updated most frequently as new viruses and variants of viruses are encountered. The malware scanner engine will also be updated from time to time, although generally less frequently than the malware definition data. The malware scanning engine may be updated for reasons such as a requirement to support new types of algorithm for scanning for malware.
As illustrated in
FIG. 1
, individual computers
6
and networks
8
will be connected to the internet
4
and under control of their update programs will periodically check the server
2
to determine whether more up-to-date versions of the malware scanner engine and the malware definition data are available compared to the versions of these components that are currently present. As illustrated, the computer
6
is fully up-to-date and has the latest versions (V
n
) of both the malware scanner engine and the malware definition data. Conversely, two of the client computers
10
,
12
on the network
8
have out of date versions of at least one of the malware scanner components and accordingly are in need of updating by downloading the latest versions of those components from the server
2
or from a locally held copy.
It will be appreciated that malware can include a wide variety of different forms of unwanted material that may be present upon a computer, such as computer viruses, worms, Trojans, banned computer files, documents containing banned words, banned images and the like. It will be understood that in order to provide a high degree of protection against such threats it is important that the components of the malware scanner be regularly and promptly updated as new versions become available. However, this regular and routine updating of malware scanner components introduces a vulnerability into the protection being provided in that these components may be targets for spoofing and tampering by virus writers and viruses. There have been known cases in which false malware definition data updates have been distributed with malicious intent.
In order to provide a defence against tampering and spoofing of malware scanner components it is known to digitally sign and/or encrypt the components. As is illustrated in
FIG. 2
of the accompanying drawings, the malware definition data
14
and the malware scanner engine
16
are both signed with a digital signature which has been calculated using a private key of an asymmetric private key/public key encryption mechanism, such as a PGP or the like. The private keys for generating the signature on the malware definition data
14
and the malware scanner engine
16
are secret and known only to the provider of these malware scanner components. The public key necessary for validating the signature on the malware definition data
14
is carried by the malware scanner engine
16
. Accordingly, when a new set of malware definition data
14
is loaded, the malware scanner engine
16
may read its signature and validate this using the public key carried by the malware scanner engine
16
. In a similar way, the malware scanner engine
16
is digitally signed with a signature derived from a private key known only to the engine provider and the corresponding public key is held within the update software of the client computer and is used to check the signature on the malware scanner engine
16
when a new malware scanner engine
16
is loaded.
It is an object of the present invention to improve the security and ease of maintenance and update of malware scanner systems.
SUMMARY OF THE INVENTION
Viewed from one aspect the present invention provides a computer program product for controlling a computer to validate a plurality of components of a malware scanner, said computer program product comprising:
validating code operable to validate each component of said plurality of components using signature data associated with said component and validating data associated with another of said components such that said plurality of components validate each other.
The invention both recognises and addresses problems associated with the above described prior art techniques. More particularly, the invention recognises that it is difficult and slow to update the updating component of a malware scanner system. Also, the updating component may not be present in some configurations. Accordingly, should it be necessary or desirable to change the public key information held within the update software, then considerable difficulty is encountered in making this change across the user base of the malware scanner. Furthermore, the invention recognises that the protection of the malware scanner engine from tampering or spoofing is in some ways more important than protecting the malware definition data since the malware scanner engine will typically be one or more DLLs with a documented format that may be relatively easily understood, modified and/or patched for malicious purposes. Any modification to the engine (malicious or not) can cause malfunction, false alarms and even a data loss.
In contrast, the malware definition data is much less likely to be spoofed or tampered with since its format is generally undocumented and it may be encrypted or otherwise protected in ways which make it difficult to understand. Having recognised the problem of the difficulty in updating the updating software itself and the relative vulnerability of the malware scanner engine, the present invention addresses these problems by providing a plurality of malware scanner components that cross-check each other without any dependence outside of the group for validation. Thus, for example, the malware scanner engine and the malware definition data may be made to validate each other respectively so that the updating software need carry no public key data and accordingly should a change need to be made in the keys being employed, then no changes are needed in the updating software. This also gives an advantage in a configuration where the scanner software resides on a computer that is not networked and so the updating component may not be installed. Furthermore, placing the public key used to validate the malware scanner engine within the malware definition data makes this more difficult to identify and accordingly generally improves the level of security.
For additional security it may be desirable to store the private key in another component rather then in the one that performs the validation.
Whilst it will be appreciated that the above has discussed malware scanner engine and malware definition data components as particularly suitable for use with the current technique, it will be appreciated that other components within a malware scanner system may be dealt with in the same way and included within a closed group which self-checks one another.
Whilst it will be appreciated that the signature data an
Hinchliffe Alexander James
Kollberg Dirk
Muttik Igor Garrievich
Hamaty Christopher J.
Networks Associates Technology Inc.
Nixon & Vanderhye P.C.
Pitts Harold I.
LandOfFree
Validating components of a malware scanner does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Validating components of a malware scanner, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Validating components of a malware scanner will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3173744