1. Field of the Invention
The present invention relates generally to a virus detection system. More specifically, a system and method for protecting a computer system by using a remote e-mail virus scanning device are disclosed.
2. Description of Related Art
Since 1987, when a virus infected ARPANET (Advanced Research Projects Agency Network), a large network used by the Defense Department and many universities, many antivirus programs have become commercially available for installation on computer systems and/or servers. Generally, a virus is a manmade destructive computer program or code that is loaded onto the computer system without the knowledge of the user and runs against the user""s wishes and/or knowledge. Most viruses can replicate themselves and a simple virus that can replicate itself over and over is relatively easy to generate. However, even a simple virus can be dangerous as the virus can quickly use much or all of the available memory and possibly bring the computer system to a halt. A particularly dangerous type of virus is one that is capable of transmitting itself across networks and bypassing security systems.
One common type of virus is a macro virus which is encoded as a macro embedded in a document. Many applications, such as Microsoft Word(copyright) and Microsoft Excel(copyright), support macro languages which allow the user to embed a macro in a document and have the macro execute each time the document is opened. Once a computer system is infected with a macro virus, the macro virus can embed itself in all future documents created with the associated application.
Another common virus is a master boot record (xe2x80x9cMBRxe2x80x9d) virus which replaces the computer system""s MBR with its own code. The MBR is a small program executed each time a computer boots. Typically, the MBR resides on the first sector of the computer hard disk. Since the MBR executes every time a computer is started, the MBR virus can be very dangerous to the integrity of the computer system. The MBR virus typically enters the computer systems through a floppy disk that is installed in the floppy drive when the computer system is started up. The floppy disk can infect the MBR even if the floppy disk is not bootable.
Worms is another example of a virus although some distinguish between viruses and worms. Worms typically refer to a type of virus that can replicate itself and use memory but cannot attach itself to other programs.
Another type of a destructive program is a Trojan horse which masquerades as a benign application. Unlike typical viruses, Trojan horses do not replicate themselves but can be just as or more destructive. One example of a type of Trojan horse is a program that purports to rid one""s computer system of viruses but instead introduces viruses onto the computer system. The term xe2x80x9cTrojan horsexe2x80x9d comes from a story in Homer""s Iliad in which the Greeks gave a giant wooden horse to their enemies, the Trojans, ostensibly as a peace offering. However, after the Trojans bring the horse inside their city walls, the Greek soldiers hidden inside the hollow belly of the wooden horse sneak out of the horse and open the city gates to allow their Greek compatriots to come enter and capture Troy.
It is noted that the term xe2x80x9cvirusxe2x80x9d generally and broadly refers to any destructive or harmful program or code. As used herein, the term virus includes, among others, worms and Trojan horses.
As noted, many antivirus programs have become commercially available for protection against viruses. The antivirus program is typically a utility that searches a hard disk for viruses and removes any that are found. The antivirus program may periodically check the computer system for the best-known types of viruses. Most antivirus programs include an auto-update feature that enables the antivirus program to download profiles of new viruses so that the antivirus program can check for new viruses soon after the new viruses are discovered.
Currently, one of the most popular ways to infect computer systems with viruses is via electronic mail or e-mail message, particularly with e-mail attachments having viruses embedded therein. Such an e-mail attachment is typically an executable file which performs some task, such as a video and/or audio display, and may not appear to contain a virus. However, upon the opening of the e-mail attachment, for example, the computer system becomes infected with the virus.
E-mail has become an extremely popular method of communication, for both business purposes and personal purposes, such as forwarding of various information, documents, and/or executable programs. Many computer users have e-mail accounts through their employers. In addition, many computer users may also have e-mail accounts through an Internet application service provider (ASP), such as YAHOO and HOTMAIL, that provide web-based e-mail application services. Internet ASPs are third-party entities that manage and distribute software-based services and solutions to customers via the Internet from a central data center. ASPs that provide web-based e-mail application service typically maintain each user""s e-mail box contents on its servers while the users may download attachments or executable programs to the users"" computer systems for access, execution, and/or manipulation. Further, many computer users may also have e-mail accounts through an Internet service provider (ISP) that typically include e-mail services with subscriptions to Internet access.
Some companies that provide e-mail services offer them in combination with virus detecting services. For example, Microsoft Hotmail, an ASP, offers web-based e-mail services with optional delivery of virus protection or anti-virus software service for protecting the computer systems of its members from viruses received via file attachments. In particular, Hotmail""s members have the option to scan e-mail attachments with the virus protection software prior to downloading the attachments. According to Microsoft, this option is available to members regardless of the operating system or the geographic location of the member""s computer system and addresses e-mail attachments other than in-line graphics presented within the message text. The anti-virus software may be equipped with an automatic repair function for cleaning virus infections.
U.S. West, an ISP, also offers web-based e-mail services with optional virus detection with U.S. WEST Anti-Virus(copyright) to its U.S. WEST.net(copyright) Internet access subscribers. U.S. WEST Anti-Virus automatically scans e-mail attachments for viruses prior to delivering the e-mail message to the subscriber""s in-box. According to U.S. West, the U.S. West Anti-Virus software is continually updated with emergency response to virus outbreaks to ensure provision of up-to-date virus protection. Such a web-based anti-virus e-mail service is provided via a centrally controlled server-based virus and malicious code protection and enables Internet-based security services.
However, an e-mail user must subscribe to the specific web-based e-mail service and access e-mail messages from that specific web-based e-mail service in order to receive virus protection service. The e-mail user must log-in or otherwise access and retrieve his/her e-mail messages from the mailbox stored on a server of that web-based e-mail service provider.
Furthermore, with the recent outbreaks of e-mail borne viruses and especially in e-mail attachments, it is desirable to provide a system and method to prevent the outbreak of the virus while the e-mail message is in transit before the e-mail message reaches the end user at a destination e-mail address.
A system and method for a remote or network-based application service offering virus scanning, sniffing, or detecting of e-mail viruses prior to the e-mail messages arriving at the destination system or server are disclosed. It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication lines. Several inventive embodiments of the present invention are described below.
The method protects a computer system that is configured to receive an e-mail message addressed to a destination e-mail address from viruses in an incoming e-mail message. The method generally includes receiving the incoming e-mail message at a remote e-mail receiving server, scanning the e-mail message for virus, forwarding the e-mail message if it is clean to a remote e-mail sending server, attempting to clean the e-mail message if it is infected to generate a cleaned e-mail message, forwarding the cleaned e-mail message, if any, to the remote e-mail sending server, and forwarding the clean or cleaned e-mail message, if any, to the destination e-mail address from the remote e-mail sending server.
The method may further comprise quarantining the infected incoming e-mail message to a remote quarantine server prior to attempting to clean by the quarantine server. The method may also comprise deleting all or an infected portion, such as an attachment, of the infected incoming e-mail message after the attempt to clean is unsuccessful. In addition, the method may include storing the infected e-mail message in memory if the attempt to clean is unsuccessful and optionally attempting to clean the infected e-mail message again after storing the infected e-mail message. The method may also comprise sending a notification e-mail message to the destination e-mail address regarding the infected incoming e-mail message, inserting a text message to the clean or cleaned e-mail message prior to forwarding it to the destination e-mail address, and/or automatically removing the clean or cleaned e-mail message from memory of the system after forwarded it to the destination e-mail address.
In another embodiment, the system generally includes a remote e-mail receiving server for receiving the incoming e-mail message, a virus-detection program for scanning the e-mail message for virus, a remote e-mail virus processing server for attempting to clean the infected e-mail message, and a remote e-mail sending server forwarding the clean or cleaned e-mail message, if any, to the destination e-mail address.
In yet another embodiment, a computer program product for protecting a computer configured to receive an e-mail message addressed to a destination e-mail address from virus in an incoming e-mail message is disclosed. The computer program product generally comprises computer code that receives the incoming e-mail message at a remote e-mail receiving server, computer code that scans the incoming e-mail message for virus, computer code that forwards the clean e-mail message to a remote e-mail sending server, computer code that attempts to clean the infected incoming e-mail message to generate a cleaned e-mail message if the cleaning is successful, computer code that forwards the cleaned e-mail message, if any, to the remote e-mail sending server, computer code that forwards one of the clean and cleaned e-mail message, if any, to the destination e-mail address from the remote e-mail sending server, and a computer readable medium that stores the computer codes. The computer readable medium may be any of a CD-ROM, floppy disk, tape, flash memory, system memory, hard drive, and a data signal embodied in a carrier wave.