The present invention relates to methods and apparatuses for detecting viruses that may be transferred between a distributed computer network, such as the Internet, and a host computer connected thereto. More particularly, the present invention relates to improved techniques for permitting a host computer to perform its own virus scanning on HTTP transferred data using executables downloaded to its browser upon startup.
With the rising popularity of the Internet, there are now millions of users connecting to the Internet daily from their host computers to conduct e-commerce transactions, perform searches for information and/or download executable programs to enhance the capability and performance of their own host computers. The interaction between these users and the other host servers on the Internet generally involves the transfer of some amount of data, which may include both static displayable information and executable codes. Generally speaking, static displayable information refers to static information to be displayed at the host computer while executable codes or executables refer to computer instructions configured to be executed at the host computer to perform some task thereat.
In general, the vast majority of the downloadable data from the Internet represents useful or at least non-harmful content material. However, there exists a class of executable codes which, if downloaded and executed at host computers, may wreak havoc with the operating system, the hardware, and/or other software of the host computers. These executable codes are popularly known as viruses.
To combat viruses, users and administrators of computer networks (such as corporate local area networks or wide area networks) have long employed a variety of tools designed to detect and block the downloading of harmful viruses from the Internet. In a corporate local area network (LAN), for example, network administrators may employ proxy servers, which are disposed between the host computers of the LAN and the Internet, to perform virus scanning and blocking. By channeling the data transfers between the host computers of the LAN and the Internet through proxy servers, and performing virus scanning at the proxy servers, viruses may be removed from the transferred data prior to reaching the host computers where they may cause harm.
To illustrate, FIG. 1 depicts, in a simplified schematic format, a corporate environment 102 within which multiple host computers 104, 106, and 108 are interconnected via a local area network (LAN) 110. LAN 110, in addition to allowing the host computers to exchange data among themselves and/or other I/O devices or storage devices connected thereto, also facilitates data transfer between the host computers and the distributed computer network 112 (such as the Internet). As shown in FIG. 1, a proxy server 114 is interposed between LAN 110 and distributed computer network 112 to monitor data transfers between distributed computer network 112 and the host computers connected to LAN 110.
In the current art, one of the more popular application protocols for data transfers via the world wide web (WWW) is the Hypertext Transfer Protocol (HTTP). Thus, for data transfers via the world wide web, proxy server 114 typically implements the HTTP protocol. There is also shown in proxy server 114 a scan engine 116, representing the software and/or hardware portion configured to detect viruses that may be present in the HTTP data transfers. When a host computer, such as host computer 104, wishes to download data from one of the web servers connected to distributed computer network 112, e.g., one of web servers 120, 122, or 124, the data transfer therefrom traverses proxy server 114 and is scanned by scan engine 116 to ensure that the data transfer is free of viruses.
Although the virus detection arrangement of FIG. 1 performs quite well for some corporate environments, it is recognized that, for some other corporate environments or individual users, it may not be desirable to perform virus scanning only at one or more proxy servers interposed between the host computers and the Internet. This is particularly true in cases where no separate central scan engine/proxy server is available or where there is a large number of host computers connected to each scan engine/proxy server. The latter situation may occur in, for example, organizations that employ few proxy servers, for economic or maintenance-related reasons, for a large number of users. In this situation, a few scan engine/proxy servers must perform virus scanning for a high volume of transferred data associated with a large number of host computers, resulting in a high server load and/or long delays for the data transfers. The high server load and/or long delay problems are compounded if some or most of the data transfers involve the transfers of large or multimedia files, which are increasingly offered as high speed, broad band technologies become more accessible.
One way to alleviate the bottleneck associated with the centralized virus scanning arrangement of FIG. 1 involves the use of more powerful centrally located proxy servers. However, this solution tends to be uneconomical since powerful computers tend to be specialized and expensive. Other products such as VirusScan (version 4.0.3, for example) by Network Associates of Santa Clara, Calif. employ the host computers themselves to perform the virus scanning. This approach has the advantage of leveraging the processing and I/O resources of the host computers themselves to perform virus scanning, thereby relieving the processing bottleneck and the concomitant data transfer delays associated with centralized virus scanning arrangements. However, these products tend to be file-based, i.e., they operate by invoking file system hooks for detecting viruses residing in the persistent storage areas of the host computers (e.g., the hard or floppy drives). If the virus is not saved onto the persistent storage areas but is instead executed from the host computer's high speed, volatile memory after downloading, these file-based virus detection products tend to be ineffective. Such products cannot generally deal with network traffic directly.
A further disadvantage associated with the prior art file-based virus detection arrangement (such as the aforementioned VirusScan) relates to the requirement that the user or network administrator must manually install each copy on each host machine. Furthermore, because new viruses are introduced every now and then, the user or network administrator must also perform maintenance and upgrade frequently at each host machine to ensure that the virus detection program is properly updated to detect the latest viruses. As can be appreciated by those skilled in the art, such a requirement disadvantageously increases the workload of the human network administrators and/or leaves open the possibility that the virus scanning products are not always timely updated to detect the latest viruses.
In view of the foregoing, there are desired improved techniques for enabling distributed virus scanning on data transfers between a distributed computer network and the host computers. The improved distributed virus scanning techniques preferably employ the processing and I/O resources of the host computers themselves to alleviate processing bottleneck issues associated with the centralized virus scanning approach while substantially eliminating the burden of maintaining and updating the scanning product at each host computer individually.
The present invention relates to at least one method and apparatus for detecting viruses that may be transferred between a distributed computer network, such as the Internet, and a host computer connected thereto. More particularly, the present invention relates to improved techniques for permitting a host computer to perform its own virus scanning on HTTP transferred data using executables downloaded to its browser upon startup.
According to one aspect of the present invention, a method is provided for detecting a virus from data transferred between a host computer and the Internet, comprising: downloading to said host computer a first set of codes from a designated computer different from said host computer, said first set of codes being configured to create a virus scan module on said host computer; creating said virus scan module on said host computer responsive to a request for said data; and thereafter, employing said virus scan module to detect said virus for said data transferred between said host computer and said Internet.
According to still another aspect of the present invention, a method is provided for detecting a virus from data transferred between a browser running on a host computer and the Internet, said host computer being coupled to other host computers on a local area network (LAN), comprising: receiving at said host computer a first set of codes, said first set of codes being configured to cause said host computer to download a second set of codes from a server coupled to said LAN when a request for data from said Internet is issued from said browser, said second set of codes being configured to create a virus scan module locally on said host computer; downloading to said host computer said second set of codes from said server when said request for data from said Internet is issued from said browser; creating said virus scan module on said host computer responsive to a receipt of said second set of codes at said host computer; and thereafter, employing said virus scan module to detect said virus for said data transferred between said host computer and said Internet.
Still another aspect of the present invention provides for a method for detecting a virus from data transferred between a browser running on a host computer and the Internet, said host computer being coupled to other host computers on a local area network (LAN), comprising: receiving at said host computer a first set of codes, said first set of codes being configured to cause, if said browser is determined to be capable of supporting local virus scanning, said host computer to download a second set of codes from a server coupled to said LAN when a request for data from said Internet is issued from said browser, said second set of codes being configured to create a virus scan module locally on said host computer; determining, using said first set of codes, whether said browser is capable of performing said local virus scanning; if said browser is determined to be capable of supporting said local virus scanning, performing steps a) through c) below: a) downloading to said host computer said second set of codes from said server when said request for data from said Internet is issued from said browser, b) creating said virus scan module on said host computer responsive to a receipt of said second set of codes at said host computer, and c) thereafter, employing said virus scan module to detect said virus for said data transferred between said host computer and said Internet.
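As an added illustration, not code from the patent, the following Python simulation models the flow described in the aspects above: a bootstrap ("first set of codes") loaded into the browser, a scan module ("second set of codes") fetched from a LAN server on each request and created in memory rather than installed on disk, and an in-memory scan of the transferred bytes before they reach the browser. The class names, URLs, response bytes and signature strings are constructed for the example; the update step shows why no per-host maintenance is needed.

```python
# Simulation of the browser-side scanning flow described above (constructed example).
SIGNATURES_V1 = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]  # constructed signature list

class LanServer:
    """Designated LAN server that serves the 'second set of codes' (scan module)."""
    def __init__(self, signatures):
        self.module = {"version": 1, "signatures": list(signatures)}
    def publish_update(self, new_signatures):
        # Administrators update one place; no per-host install or upgrade is needed.
        self.module = {"version": self.module["version"] + 1,
                       "signatures": self.module["signatures"] + list(new_signatures)}
    def fetch_scan_module(self):
        return dict(self.module)

class VirusScanModule:
    """Created in host memory from the downloaded module; nothing is written to disk."""
    def __init__(self, module_def):
        self.version = module_def["version"]
        self.signatures = module_def["signatures"]
    def scan(self, data):
        """Return the first matching signature, or None if the transfer is clean."""
        return next((s for s in self.signatures if s in data), None)

class BrowserBootstrap:
    """The 'first set of codes' loaded into the browser at startup."""
    def __init__(self, lan_server, supports_local_scan=True):
        self.lan_server = lan_server
        self.supports_local_scan = supports_local_scan
    def request(self, url, fetch_from_internet):
        """Hand the URL's bytes to the browser only after an in-memory scan."""
        if not self.supports_local_scan:
            # The text leaves this fallback unspecified; refuse rather than pass through.
            return "unsupported", None, None
        scanner = VirusScanModule(self.lan_server.fetch_scan_module())  # steps a) and b)
        body = fetch_from_internet(url)
        if scanner.scan(body) is not None:                               # step c)
            return "blocked", None, scanner.version
        return "clean", body, scanner.version

# Constructed stand-in for web servers on the Internet (hypothetical URLs and bytes).
INTERNET = {"http://example.test/index.html": b"<html>welcome</html>",
            "http://example.test/eicar.com": b"..EICAR-STANDARD-ANTIVIRUS-TEST-FILE..",
            "http://example.test/new.bin": b"MZ..NEWSAMPLE-PATTERN.."}

def run_demo():
    """Verdicts per URL before and after the LAN server publishes a new signature."""
    server = LanServer(SIGNATURES_V1)
    host = BrowserBootstrap(server)
    before = {u: host.request(u, INTERNET.__getitem__)[0] for u in INTERNET}
    server.publish_update([b"NEWSAMPLE-PATTERN"])  # constructed new signature
    after = {u: host.request(u, INTERNET.__getitem__)[0] for u in INTERNET}
    return before, after
```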
These and other features of the present invention will be described in more detail below in the detailed description of the invention and in conjunction with the following figures.