In a public computing network, such as the Internet, anyone can distribute files. Malicious people can distribute fake or virus-infected versions of legitimate popular software programs and other types of files. Several “Trojan horse” and other malware attacks have occurred through popular programs distributed over the Internet. Besides the Internet, there are many other ways a file can be distributed publicly, for example, on “Shareware” CDs (compact discs). Many programs are also pre-installed on a computer shipped to the end-user. In all these cases, there is a need for the end-user to make sure that a file received through a public distribution channel is authentic and safe before using it.
File safety is conventionally provided in two ways. First, anti-virus software can be used by each individual user to scan received files. This solution is reactive, in that a virus must first be identifiable by the anti-virus software. Conventional anti-virus software programs provide little or no protection against new viruses. A virus first has to be discovered; then a considerable amount of research may be required to find ways to detect and destroy it. Finally, the solution has to be distributed to potentially millions of anti-virus software users. This is very inefficient. Alternatively, a digital signature can be applied to a file to ensure file authenticity. The digital signature can be verified prior to using or accessing the file. This solution is also problematic. The creator of a file has to take actions to certify their public keys and digitally sign the file to be distributed. Since this requires a considerable amount of work and cost, not many files distributed over the Internet have been signed by their authors, even though the technology has been available for many years. Many useful files distributed publicly are not digitally signed. A malicious person can attack these unsigned files. Another problem with this approach is that the files are generally not authenticated in real time. That is, in general, the file is authenticated one time by the creator. If a virus or other defect is discovered in the file after it is digitally signed, the creator may not be able to tell all the users to avoid that signed file, especially when the file has already been burned onto CDs and distributed publicly.
In U.S. Pat. No. 7,096,493, co-owned by the inventors of the current invention, Gary Liu described an Internet File Safety Information Center (“IFSIC”) system to enhance file safety. The system stores the safety information about each file in a central server indexed by the hash of the file. When a user computes a hash from a file downloaded or otherwise obtained and presents the hash to the central server, the central server will return the safety information about that file. The system is secure if a cryptographically secure hash function is used. A user having an authentic file will always compute the correct hash value and will see the information related to the authentic file. On the other hand, a user with a modified or bogus version of a file will always compute a different hash value and will see different information or no information. A user having a file that is known to be malicious will always see the information that contains warnings about the malicious file. However, Gary Liu did not describe several possible improvements that can make the system better.
For example, an end-user using the system to check the safety information regarding one file may want to know whether the file is the latest version, and if not, where to get the latest version, etc. It may also be desirable that advertising materials and information about other similar or dissimilar files be displayed to the user. In these cases, the information returned from the IFSIC should contain not only the information about the file being checked, but also advertising materials and information about other similar or dissimilar files. Although Gary Liu has recognized that the information about a file can be any type of information, not restricted to file safety information, he did not specifically point out that the IFSIC can be supported by advertising and can be used to provide information about file updates.
In the system described by Gary Liu, the hash of a file is sent to the central server to retrieve the information about the file without identifying the user. In many situations, it is desirable that an identifier of the user be sent to the central server along with the hash of the file. This allows a profile of the user to be established for better targeted advertising or for notifying the user about file updates. In addition, if a file originally determined to be safe is later discovered to be unsafe or to have flaws, the user can be notified. Also, the system would allow the end-user to periodically check all files against the IFSIC to proactively remedy this problem.
Many computer files always go together. A software program may include several executable programs (EXEs), dynamic link libraries (DLLs), and other types of files. An operating system pre-installed on a computer shipped to an end-user can contain hundreds or even thousands of system files. Although the IFSIC disclosed by Gary Liu can be used to check the authenticity of these files one-by-one, it would be much more efficient if several files could be grouped together in a certain order to compute a hash value, and that hash value used to retrieve the authenticity information about the group of files. Furthermore, the checking of the system files does not have to be initiated by a user; it can be started automatically and periodically to ensure the system integrity. In the event that a large group of files is being checked collectively and the result is not a positive match, then each individual file in the group can automatically be checked to determine which of the individual files are bogus or out-of-date.
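The hash-indexed lookup and the group check with per-file fallback described above can be sketched as follows. This is an added example, not code from the patent: SHA-256, the sorted-by-name ordering, the in-memory SERVER dictionary standing in for the central server, and all file names and contents are assumptions constructed for illustration.

```python
import hashlib

def file_hash(data: bytes) -> str:
    """SHA-256 of one file's contents; the index key for a single file."""
    return hashlib.sha256(data).hexdigest()

def group_hash(files: dict) -> str:
    """One hash for a whole group: per-file digests fed in sorted-name order.
    Fixed-length digests keep the boundaries between files unambiguous."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(hashlib.sha256(files[name]).digest())
    return h.hexdigest()

def check_group(files: dict, server: dict) -> dict:
    """Try the group lookup first; on a miss, check each file on its own."""
    info = server.get(group_hash(files))
    if info is not None:
        return {"group": info, "files": {}}
    per_file = {name: server.get(file_hash(data), "no information")
                for name, data in sorted(files.items())}
    return {"group": None, "files": per_file}

# Constructed sample data (not from the patent): an authentic three-file release.
RELEASE = {"app.exe": b"MZ app v1.0", "helper.dll": b"MZ helper v1.0",
           "readme.txt": b"Example App 1.0"}
KNOWN_BAD = b"MZ helper v1.0 + injected payload"

# Stand-in for the central server: safety information indexed by hash.
SERVER = {group_hash(RELEASE): "authentic: Example App 1.0 (complete set)",
          file_hash(KNOWN_BAD): "WARNING: known malicious file"}
SERVER.update({file_hash(d): "authentic: " + n for n, d in RELEASE.items()})

if __name__ == "__main__":
    print(check_group(RELEASE, SERVER))      # one lookup covers the whole group
    tampered = dict(RELEASE, **{"helper.dll": KNOWN_BAD})
    print(check_group(tampered, SERVER))     # miss, so each file is checked
```

A single changed byte in any member changes the group hash, so the fallback is what identifies which file is bogus, out-of-date, or known to be malicious.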
Malicious or unwanted programs, such as spyware and adware, are often installed into a system without the user's knowledge. There is a need to conduct a complete check of a computer system to ensure that every file that could be potentially harmful, such as executable programs (EXEs), dynamic link libraries (DLLs), Visual Basic scripts (VBS files), etc., is authentic and safe.
Files distributed through email carry higher risks than files distributed at a downloading web site or from shareware CDs. For this reason, many email programs and email servers block executable file attachments or other potentially harmful attachments indiscriminately. Email users often become frustrated when a file attachment that is known to be safe is indiscriminately blocked. On the other hand, because the attachment blocking is often based on the file extension or the MIME type of the file, it is very easy to circumvent such a blocking mechanism by simply renaming the file to a different type. There is a need for a blocking mechanism that cannot be circumvented by renaming the files and will not block files that are already known to be safe but would otherwise be blocked because of the file extension or MIME type.
There is a need to improve the IFSIC to provide all the desirable features described above.