Patent US7748038 - Method and apparatus for managing computer virus outbreaks

Early detection of computer viruses is provided by collecting information about suspicious messages and generating virus outbreak information. In one embodiment, a method comprises receiving the virus outbreak information that has been determined by receiving message information for messages that have characteristics associated with computer viruses, wherein the messages were determined by a virus-check component as not comprising a virus, and mapping the message information received in a specified time period to the virus outbreak information; and when the virus outbreak information indicates initiation of a virus attack, performing a message flow control action for additional messages that have the same characteristics associated with computer viruses as the first messages. As a result, a messaging gateway can suspend delivery of messages early in a virus outbreak, providing sufficient time for updating an anti-virus checker that can strip virus code from the messages.

Inventors: Michael Olivier, Craig Sprosts, Scot Kennedy, Daniel Quinlan, Larry Rosenstein, Craig Taylor
Original Assignee: IronPort Systems, Inc.
Primary Examiner: Kimyen Vu
Secondary Examiner: Darren Schwartz
Attorney: Hickman Palermo Truong & Becker LLP
Current U.S. Classification: 726/24; 713/188; 726/22

View patent at USPTO
Search USPTO Assignment Database

Citations

Cited Patent	Filing date	Issue date	Original Assignee	Title
US4956769	May 16, 1988	Sep 11, 1990	Sysmith, Inc.	Occurence and value based security system for computer databases
US5319776	Sep 29, 1992	Jun 7, 1994	Hilgraeve Corporation	In transit detection of computer virus with safeguard
US5623600	Sep 26, 1995	Apr 22, 1997	Trend Micro, Incorporated	Virus detection and removal apparatus for computer networks
US5802178	Jul 30, 1996	Sep 1, 1998	ITT Industries, Inc.	Stand alone device for providing security within computer networks
US5805810	Apr 27, 1995	Sep 8, 1998		Apparatus and methods for converting an electronic mail to a postal mail at the receiving station
US5832208	Sep 5, 1996	Nov 3, 1998	Cheyenne Software International Sales Corp.	Anti-virus agent for use with databases and mail servers
US5889943	Mar 29, 1996	Mar 30, 1999	Trend Micro Incorporated	Apparatus and method for electronic mail virus detection and elimination
US5915087	Dec 12, 1996	Jun 22, 1999	Secure Computing Corporation	Transparent security proxy for unreliable message exchange protocols
US5933416	Feb 9, 1996	Aug 3, 1999	Loran Network Systems, LLC	Method of determining the topology of a network of objects
US5958005	Jul 17, 1997	Sep 28, 1999	Bell Atlantic Network Services, Inc.	Electronic mail security
US5968176	May 29, 1997	Oct 19, 1999	3Com Corporation	Multilayer firewall system
US5970149	Jul 15, 1997	Oct 19, 1999		Combined remote access and security system
US5983270	Apr 2, 1997	Nov 9, 1999	Sequel Technology Corporation	Method and apparatus for managing internetwork and intranetwork activity
US5983350	Sep 18, 1996	Nov 9, 1999	Secure Computing Corporation	Secure firewall supporting different levels of authentication based on address or encryption status
US5999967	Aug 17, 1997	Dec 7, 1999		Electronic mail filtering by electronic stamp
US6003084	Sep 13, 1996	Dec 14, 1999	Secure Computing Corporation	Secure network proxy for connecting entities
US6006329	Aug 11, 1997	Dec 21, 1999	Symantec Corporation	Detection of computer viruses spanning multiple data streams
US6052709	Dec 23, 1997	Apr 18, 2000	Bright Light Technologies, Inc.	Apparatus and method for controlling delivery of unsolicited electronic mail
US6072942	Sep 18, 1996	Jun 6, 2000	Secure Computing Corporation	System and method of electronic mail filtering using interconnected nodes
US6119236	Dec 10, 1998	Sep 12, 2000		Intelligent network security device and method
US6131110	Jul 11, 1997	Oct 10, 2000	International Business Machines Corporation	System and method for predicting user interest in unaccessed site by counting the number of links to the unaccessed sites in previously accessed sites
US6161130	Jun 23, 1998	Dec 12, 2000	Microsoft Corporation	Technique which utilizes a probabilistic classifier to detect "junk" e-mail by automatically updating a training and re-training the classifier based on the updated training set
US6161185	Mar 6, 1998	Dec 12, 2000	MCI Communications Corporation	Personal authentication system and method for multiple computer platform
US6192114	Sep 2, 1998	Feb 20, 2001	CBT Flint Partners	Method and apparatus for billing a fee to a party initiating an electronic mail communication when the party is not on an authorization list associated with the party to whom the communication is directed
US6195587	Apr 28, 1994	Feb 27, 2001	Sophos PLC	Validity checking
US6212558	Dec 24, 1997	Apr 3, 2001		Method and apparatus for configuring and managing firewalls and security devices
US6226670	Jun 15, 1998	May 1, 2001	Fujitsu Limited	E-mail distribution system
US6233618	Mar 31, 1998	May 15, 2001	Content Advisor, Inc.	Access control of networked data
US6266664	Oct 1, 1998	Jul 24, 2001	Rulespace, Inc.	Method for scanning, analyzing and rating digital information content
US6266692	Jan 4, 1999	Jul 24, 2001	International Business Machines Corporation	Method for blocking all unwanted e-mail (SPAM) using a header-based password
US6289105	Jul 26, 1996	Sep 11, 2001	Kabushiki Kaisha Toshiba	Method and apparatus for encrypting and transferring electronic mails
US6330590	Jan 5, 1999	Dec 11, 2001		Preventing delivery of unwanted bulk e-mail
US6334193	May 29, 1997	Dec 25, 2001	Oracle Corporation	Method and apparatus for implementing user-definable error handling processes
US6341309	Dec 24, 1997	Jan 22, 2002	Novell, Inc.	Firewall system for quality of service management
US6393568	Oct 23, 1997	May 21, 2002	Entrust Technologies Limited	Encryption and decryption system and method with content analysis provision
US6408336	Mar 4, 1998	Jun 18, 2002		Distributed administration of access to information
US6421709	Jul 7, 1999	Jul 16, 2002	Accepted Marketing, Inc.	E-mail filter and method thereof
US6434600	Sep 15, 1998	Aug 13, 2002	Microsoft Corporation	Methods and systems for securely delivering electronic mail to hosts having dynamic IP addresses
US6453327	Jun 10, 1996	Sep 17, 2002	Sun Microsystems, Inc.	Method and apparatus for identifying and discarding junk electronic mail
US6460050	Dec 22, 1999	Oct 1, 2002		Distributed content identification system
US6484261	Dec 11, 1998	Nov 19, 2002	Cisco Technology, Inc.	Graphical network security policy management
US6502131	Dec 4, 1998	Dec 31, 2002	Novell, Inc.	Directory enabled policy management tool for intelligent traffic management
US6507866	Jul 19, 1999	Jan 14, 2003	AT&T Wireless Services, Inc.	E-mail usage pattern detection
US6539430	Nov 30, 1999	Mar 25, 2003	Symantec Corporation	System and method for filtering data received by a computer system
US6587550	Feb 14, 2001	Jul 1, 2003		METHOD AND APPARATUS FOR ENABLING A FEE TO BE CHARGED TO A PARTY INITIATING AN ELECTRONIC MAIL COMMUNICATION WHEN THE PARTY IS NOT ON AN AUTHORIZATION LIST ASSOCIATED WITH THE PARTY TO WHOM THE COMMUNICATION IS DIRECTED
US6591291	Mar 12, 1998	Jul 8, 2003	Lucent Technologies Inc.	System and method for providing anonymous remailing and filtering of electronic mail
US6609196	Nov 3, 1998	Aug 19, 2003	Tumbleweed Communications Corp.	E-mail firewall with stored key encryption/decryption
US6650890	Sep 29, 2000	Nov 18, 2003	Postini, Inc.	Value-added electronic messaging services and transparent implementation thereof using intermediate server
US6654787	Dec 31, 1998	Nov 25, 2003	Brightmail, Incorporated	Method and apparatus for filtering e-mail
US6675162	May 7, 2001	Jan 6, 2004	Microsoft Corporation	Method for scanning, analyzing and handling various kinds of digital information content
US6701440	Jan 6, 2000	Mar 2, 2004	Networks Associates Technology, Inc.	Method and system for protecting a computer using a remote e-mail scanning device
US6728690	Nov 23, 1999	Apr 27, 2004	Microsoft Corporation	Classification system trainer employing maximum margin back-propagation with probabilistic outputs
US6732157	Dec 13, 2002	May 4, 2004	Networks Associates Technology, Inc.	Comprehensive anti-spam system, method, and computer program product for filtering unwanted e-mail messages
US6757830	Oct 3, 2000	Jun 29, 2004	Networks Associates Technology, Inc.	Detecting unwanted properties in received email messages
US6785732	Sep 11, 2000	Aug 31, 2004	International Business Machines Corporation	Web server apparatus and method for virus checking
US6886099	Sep 12, 2000	Apr 26, 2005	Networks Associates Technology, Inc.	Computer virus detection
US6894981	Dec 20, 2001	May 17, 2005	Cisco Technology, Inc.	Method and apparatus for transparently proxying a connection
US6944616	Nov 28, 2001	Sep 13, 2005	Pavilion Technologies, Inc.	System and method for historical database training of support vector machines
US7076527	Jun 14, 2001	Jul 11, 2006	Apple Computer, Inc.	Method and apparatus for filtering email
US7181498	Mar 1, 2004	Feb 20, 2007	Yahoo! Inc.	Community-based green list for antispam
US7206814	Oct 9, 2003	Apr 17, 2007	Propel Software Corporation	Method and system for categorizing and processing e-mails
US7219148	Mar 3, 2003	May 15, 2007	Microsoft Corporation	Feedback loop for spam prevention
US7272853	Jun 4, 2003	Sep 18, 2007	Microsoft Corporation	Origination/destination features and lists for spam prevention
US7331061	Sep 7, 2001	Feb 12, 2008	Secureworks, Inc.	Integrated computer security management system and method
US7342906	Apr 4, 2003	Mar 11, 2008	Airespace, Inc.	Distributed wireless network security system
US7366761	Oct 9, 2003	Apr 29, 2008	Abaca Technology Corporation	Method for creating a whitelist for processing e-mails
US7409708	May 28, 2004	Aug 5, 2008	Microsoft Corporation	Advanced URL and IP features
US7475118	Feb 3, 2006	Jan 6, 2009	International Business Machines Corporation	Method for recognizing spam email
US7523168	Oct 16, 2007	Apr 21, 2009	The Go Daddy Group, Inc.	Mail server probability spam filter
US7610344	Dec 13, 2004	Oct 27, 2009	Microsoft Corporation	Sender reputations for spam prevention
US7627670	Apr 29, 2004	Dec 1, 2009	International Business Machines Corporation	Method and apparatus for scoring unsolicited e-mail
US20010005885	Dec 19, 2000		Netscape Communications Corporation	Cryptographic policy filters and policy control method and apparatus
US20020004908	Mar 20, 2001		NICHOLAS PAUL ANDREW GALEA	Electronic mail message anti-virus system and method
US20020016824	May 29, 1998			JUNK ELECTRONIC MAIL DETECTOR AND ELIMINATOR
US20020073240	Nov 21, 2001			Server
US20020133469	Mar 19, 2001			Electronic mail filtering system
US20020143888	Apr 1, 2002		Akamai Technologies, Inc.	Scalable, high performance and highly available distributed storage system for internet content
US20020184315	Mar 16, 2001			Redundant email address detection and capture system
US20020199095	May 22, 2002			Method and system for filtering communication
US20030023875	Jul 26, 2001			Detecting e-mail propagated malware
US20030050988	Aug 31, 2001			E-mail system providing filtering methodology on a per-domain basis
US20030079142	Oct 22, 2001		ALADDIN KNOWLEDGE SYSTEMS LTD.	Classifying digital object security category
US20030088680	Oct 4, 2002			Temporal access control for computer virus prevention
US20030093689	Nov 15, 2001		ALADDIN KNOWLEDGE SYSTEMS LTD.	Security router
US20030097591	Nov 20, 2001			System and method for protecting computer users from web sites hosting computer viruses
US20030110224	Dec 12, 2001			Message auto-routing for electronic mail
US20030115485	Sep 20, 2002			Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses
US20030149726	Feb 5, 2002		AT&T Corp.	Automating the reduction of unsolicited email in real time
US20030158905	Feb 19, 2003		Postini Corporation	E-mail management services
US20030167402	Aug 16, 2002			System and methods for detecting malicious email transmission
US20030172050	Mar 6, 2002			System and method for monitoring a network site for linked content
US20030172291	Feb 7, 2003			Systems and methods for automated whitelisting in monitored communications
US20030185391	Dec 24, 2002		Broadcom Corporation	Methods and apparatus for performing hash operations in a cryptography accelerator
US20030208562	May 6, 2002			Method for restricting access to a web site by remote users
US20040006747	Jun 25, 2003			Electronic publishing system and method
US20040019651	Jul 29, 2002			Categorizing electronic messages based on collaborative feedback
US20040054742	Jun 17, 2003			Method and system for detecting malicious activity and virus outbreak in email
US20040054917	Aug 30, 2002		WholeSecurity, Inc.	Method and apparatus for detecting malicious code in the form of a trojan horse in an information handling system
US20040058673	Sep 26, 2003		Postini, Inc.	Value-added electronic messaging services and transparent implementation thereof using intermediate server
US20040064371	Sep 30, 2003			On-line registration system and method
US20040068542	Oct 7, 2002			Method and apparatus for authenticating electronic mail
US20040073617	Sep 4, 2003			Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US20040083230	Oct 24, 2002			Method and system for automatically managing an address database
US20040083408	Oct 24, 2002			Heuristic detection and termination of fast spreading network worm attacks
US20040093384	Oct 7, 2003			Method of, and system for, processing email in particular to detect unsolicited bulk email
US20040117648	Dec 16, 2002			Proactive protection against e-mail worms and spam
US20040167968	Feb 20, 2003		MailFrontier, Inc.	Using distinguishing properties to classify messages
US20040177120	Mar 7, 2003			Method for filtering e-mail messages
US20040215977	Feb 13, 2004			Intelligent quarantining for spam prevention
US20040250115	Apr 21, 2003		Trend Micro Incorporated.	Self-contained mechanism for deploying and controlling data security services via a web browser platform
US20040250134	Nov 3, 2003			Data collectors in connection-based intrusion detection
US20040260922	Mar 25, 2004			Training filters for IP address and URL learning
US20050005107	May 3, 2004			Method and system for caching at secure gateways
US20050060295	Sep 12, 2003		Sensory Networks, Inc.	Statistical classification of high-speed network data through content inspection
US20050060643	Aug 12, 2004		MiaVia, Inc.	DOCUMENT SIMILARITY DETECTION AND CLASSIFICATION SYSTEM
US20050064850	Oct 14, 2004		Postini, Inc	E-mail filtering services and e-mail service enrollment techniques
US20050071485	Sep 26, 2003			System and method for identifying a network resource
US20050080856	Oct 9, 2003			Method and system for categorizing and processing e-mails
US20050108518	Dec 2, 2004			Runtime adaptable security processor
US20050177868	Jul 9, 2004			Method and system for protecting against computer viruses
US20050182959	Apr 26, 2005		POSTINI, INC.	SYSTEMS AND METHODS FOR MANAGING THE TRANSMISSION OF ELECTRONIC MESSAGES VIA MESSAGE SOURCE DATA
US20050193429	Jan 24, 2005		The Barrier Group	Integrated data traffic monitoring system
US20050246440	Mar 9, 2005		MAILSHELL, INC.	Suppression of undesirable network messages
US20050265319	May 26, 2005			Method and apparatus for destination domain-based bounce profiles
US20050283837	Dec 6, 2004			Method and apparatus for managing computer virus outbreaks
US20060095410	Nov 16, 2004			Personal video recorder for home network providing filtering and format conversion of content
US20060123083	Dec 3, 2004			Adaptive spam message detector
US20060149820	Jan 4, 2005			Detecting spam e-mail using similarity calculations
US20060161988	Jan 14, 2005		Microsoft Corporation	Privacy friendly malware quarantines
US20080104186	Oct 29, 2007			Automated Whitelist
US20080104187	Oct 29, 2007			Message Testing
US20080256072	May 23, 2008		James D. Logan	Methods and apparatus for controlling the transmission and receipt of email messages
US20080270540	Mar 30, 2005			Filter and a Method of Filtering Electronic Messages
US20090019126	Sep 18, 2008			AUTHORIZED EMAIL CONTROL SYSTEM

Referenced by

Citing Patent	Filing date	Issue date	Original Assignee	Title
US8087085	Nov 27, 2007	Dec 27, 2011	Juniper Networks, Inc.	Wireless intrusion prevention system and method
US8239915	Jun 30, 2006	Aug 7, 2012	Symantec Corporation	Endpoint management using trust rating data

Claims

1. A method, comprising the computer-implemented steps of:

receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;

sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;

receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;

in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values, determining that the one or more first messages do comprise one or more viruses; and

in response to the determining that the one or more first messages do comprise one or more viruses, performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as the one or more first messages;

wherein the method is performed by one or more processors.

2. A method as recited in claim 1, wherein the virus score value is associated with a particular message, and wherein the virus score value is determined based on the mapping step.

3. A method as recited in claim 2, wherein the virus score value is determined without examining the contents of any attachment to the particular message.

4. A method as recited in claim 1, wherein the virus outbreak information includes one or more rules that each associates a virus score value with one or more first messages suspected to be associated with computer viruses.

5. A method as recited in claim 4, wherein each rule applies to one or more second messages that are suspected to be associated with computer viruses.

6. A method as recited in claim 5, wherein the virus outbreak information includes at least two rules that apply to a particular second message of the one or more second messages, and the virus outbreak information indicates initiation of the virus attack based on a highest virus score value from among the virus score values for the at least two rules.

7. A method as recited in claim 1, wherein the one or more first messages are suspected to be associated with computer viruses if the one or more first messages have file attachments having a file type associated with computer viruses.

8. A method as recited in claim 7, wherein the file type is any of EXE, ZIP, COM, SCR, BAT, and PIF.

9. A method as recited in claim 1, wherein receiving one or more sets of message information comprises receiving at least one set of message information from a spamtrap.

10. A method as recited in claim 1, wherein receiving one or more sets of message information comprises receiving, from one or more spamtraps, one or more counts of messages that are suspected to be associated with computer viruses, wherein the messages were determined by the virus-check component as not comprising a virus.

11. A method as recited in claim 1, wherein the virus outbreak information indicates initiation of the virus attack when the virus outbreak information satisfies a specified relationship with a specified threshold.

12. A method as recited in claim 1, wherein for each of a plurality of file attachment types of the one or more first messages to result in generating a plurality of percent-of-normal virus score values respectively associated with each of the plurality of file attachment types.

13. A method as recited in claim 12, further comprising computing an average of all the plurality of percent-of-normal virus score values to create an overall percent-of-normal value, and mapping the overall percent-of-normal value to the range of virus score values, to result in creating a particular virus score value for a particular file attachment type.

14. A method as recited in claim 1, wherein the message flow control action comprises delaying delivery of the one or more second messages for a specified time.

15. A method as recited in claim 14, wherein the message flow control action further comprises releasing the one or more second messages upon expiration of the specified time and then scanning the one or more second messages for viruses prior to delivery.

16. A method as recited in claim 1, wherein the message flow control action comprises storing the one or more second messages in a quarantine queue for a specified time.

17. A method as recited in claim 16, wherein the message flow control action further comprises releasing the one or more second messages upon expiration of the specified time and then scanning the one or more second messages for viruses prior to delivery.

18. A method as recited in claim 16, wherein the message flow control action further comprises applying an overflow policy when the quarantine queue is full.

19. A method as recited in claim 18, wherein the overflow policy comprises stripping any attachments from the one or more second messages and then delivering the one or more second messages without the attachments.

20. A method as recited in claim 18, wherein the overflow policy comprises releasing the one or more second messages and then scanning the one or more second messages for viruses prior to delivery.

21. A method as recited in claim 18, wherein the overflow policy comprises appending a warning indication to a subject of the one or more second messages and then scanning the one or more second messages for viruses prior to delivery.

22. A method as recited in claim 16, further comprising the steps of:

receiving user input requesting deletion of the one or more second messages in the quarantine queue; and

deleting the one or more second messages in the quarantine queue in response to the user input.

23. A method as recited in claim 16, further comprising the steps of:

receiving user input requesting release of the one or more second messages from the quarantine queue; and

releasing the one or more second messages and then scanning the one or more second messages for viruses prior to delivery.

24. A method as recited in claim 16, further comprising the steps of:

receiving user input requesting a rescan for virus of a particular second message of the one or more second messages from the quarantine queue; and

based on the particular second message not comprising a virus, releasing the one or more second messages and then scanning the one or more second messages for viruses prior to delivery.

25. A method as recited in claim 1, wherein the message flow control action comprises not delaying delivery of a particular second message because the particular second message is addressed to a recipient for whom message delivery has been specified to performed even if the virus outbreak information indicates initiation of a virus attack.

26. A method, comprising the computer-implemented steps of:

receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;

sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;

receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;

wherein the method is performed by one or more processors.

27. A method as recited in claim 26, wherein the file type is any of EXE, ZIP, COM, SCR, BAT, and PIF.

28. A method as recited in claim 26, wherein receiving one or more sets of message information comprises receiving at least one set of message information from a spamtrap.

29. A method as recited in claim 26, wherein receiving one or more sets of message information comprises receiving, from one or more spamtraps, one or more counts of messages that are suspected to be with computer viruses, wherein the messages were determined by the virus-check component as not comprising a virus.

30. A method as recited in claim 26, wherein the virus outbreak information indicates initiation of a virus attack when the virus outbreak information satisfies a specified relationship with a specified threshold.

31. A method as recited in claim 26, wherein for each of a plurality of file attachment types of the one or more first messages to result in generating a plurality of percent-of-normal virus score values respectively associated with each of the plurality of file attachment types.

32. A method as recited in claim 31, further comprising computing an average of all the plurality of percent-of-normal virus score values to create an overall percent-of-normal value, and mapping the overall percent-of-normal value to the range of virus score values, to result in creating a particular virus score value for a particular file attachment type.

33. A method, comprising the computer-implemented steps of:

receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;

sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;

receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;

wherein the method is performed by one or more processors.

34. The method of claim 33, wherein said one or more first messages are suspected to be associated with computer viruses if the one or more first messages include one or more of the following:

(a) an Internet Protocol (IP) address associated with the sender of said message,

(b) a number of hops taken by said message prior to receipt,

(d) a mime structure associated with said message.

35. A non-transitory machine-readable storage medium storing one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to perform:

receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;

sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;

in response to determining that the one or more first message do comprise one or more viruses, performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as the one or more first messages.

36. An apparatus, comprising:

one or more processors;

means for receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;

means for sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;

means for receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;

means for determining that the one or more first messages do comprise one or more viruses in response to receiving the indication that the one or more first messages do not comprise any viruses and that the one or more first messages was sent from a source not known to be associated with viruses but that sent a large number of messages according to a message sending pattern suspected to be associated with computer viruses and comprising at least one attachment, and based on mapping the one or more sets of message information received in a specified time period to virus outbreak information by generating a current average virus score value by combining one or more prior virus score values associated with respective one or more prior time periods, generating a percent-of-normal virus score value by comparing the current average virus score value with a long-term average virus score value and mapping the percent-of-normal virus score value to a range of virus score values; and

means for performing a message flow control action for one or more second messages that are also suspected to be associated with computer viruses as the one or more first messages in response to the determining that the one or more first messages do comprise one or more viruses.

37. An apparatus, comprising:

a network interface that is coupled to a data network for receiving one or more packet flows therefrom;

a processor;

one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform:

receiving one or more sets of message information for one or more first messages that are suspected to be associated with computer viruses;

sending the one or more sets of message information to a virus-check component to determine whether the one or more first messages comprise one or more viruses;

receiving an indication from the virus-check component that the one or more first messages do not comprise any viruses;

Drawings

Patents

Method and apparatus for managing computer virus outbreaks

Citations

Referenced by

Claims

Drawings