The term “gateway” refers in the art to a bridge between two networks. For each network, the gateway is a point that acts as an entrance to another network. From the implementation point of view, a gateway is often associated with both a router, which knows where to direct a given packet that arrives to the gateway and a switch, which provides the packet with the actual path in and out of the gateway. Due to its nature, the gateway to a local network is a proper point for checking out objects (e.g. files and email messages) that pass through it, in order to detect viruses and other forms of maliciousness (“inspection”) before reaching the user.
As a filtering facility, a gateway server has to deal with two contradicting objects: on the one hand, it has to hold a file that reaches the gateway in its path from a source to a destination until the inspection indicates it is harmless and thereby prevents its execution on the destination site, on the other hand holding a file at the gateway server until the inspection process terminates which results in a bottleneck to data traffic passing through the gateway.
Inspection activity has a substantial influence on the traffic speed through a gateway. U.S. patent application Ser. No. 10/002,407, titled as Security Router, deals with this problem by skipping the inspection of trusted files. According to this invention, since multimedia files (e.g. JPG files) do not comprise executable code (according to their definition), these files are not inspected, thereby diminishing the delay caused by the inspection process.
U.S. patent application Ser. No. 09/498,093, titled as “Protection of computer networks against malicious content”, deals with this problem by holding in a checkpoint (e.g. a gateway) only a part of the file, such as the last packet of the file, and releasing it once the file has been indicated as harmless. This way the majority of the file is not delayed at the gateway, but its execution at the destination site cannot be carried out until the last part reaches the destination. This solution is applicable only for files that in order to be executed or activated, the whole file has to be available on the executing platform. However, if the executing platform activates a file even in the case where only a part of the file is available, the executing platform is exposed to viruses and other malicious forms.
Furthermore, some inspection methods, such as CRC-based methods, require that the whole file be available during the inspection process. Files that should be fully accessible for inspection, may cause a substantial delay to the traffic through a checkpoint since the inspection can start only after the whole file is accessible to the inspection facility. Thus, in this case, the parts of a file should be accumulated and held at the inspection point until the inspection indicates that it is harmless, and only then the file may be “released” to its destination.
It is an object of the present invention to provide a method for preventing activation of malicious objects.
It is a further object of the present invention to provide a method for preventing from a checkpoint the activation of malicious objects on the executing platform.
It is a still further object of the present invention to provide a method for inspecting a file on a checkpoint, by which the delay thereof is decreased in comparable to the prior art.
Other objects and advantages of the invention will become apparent as the description proceeds.