Implementing Virus Scanning in Computer Networks


From the SelectedWorks of Umakant Mishra
May, 2012
Implementing Virus Scanning in Computer Networks
Umakant Mishra

Implementing Virus Scanning in Computer Networks
A TRIZ based analysis

Umakant Mishra
Bangalore, India

Contents
1. Problem of viruses in computer networks
1.1 Characteristics of computer viruses
2. Limitations of conventional scanning in networks
2.1 Conventional methods of virus detection
2.2 Limitations of conventional methods for scanning networks
3. Firewall based virus scanning
3.1 Limitations of firewall based virus scanning
3.2 Contradictions
4. Methods of scanning files in a network
5. Inventions on virus scanning in networks
5.1 Computer virus screening methods and systems (Patent and )
5.2 System for virus-checking network data during download to a client device (Patent )
5.3 Computer security using virus probing (Patent )
5.4 Distributed virus scanning arrangements and methods therefor (Patent )
5.5 Response to a computer virus outbreak (Patent )
5.6 System and method for network virus protection (Patent )
5.7 Virus epidemic damage control system and method for network environment (Patent )
5.8 Method and apparatus for the detection, notification, and elimination of certain computer viruses on a network using a promiscuous system as bait (Patent )
5.9 System and method for certifying that data received over a computer network has been checked for viruses (Patent )
5.10 Detecting dissemination of malicious programs (Patent )
Summary
Reference

1. Problem of viruses in computer networks

There are different types of computer viruses or malware, causing different types of damage and disturbance to a computer system and networking environment. Their behaviors, targets and operational mechanisms are also different. Some viruses target executable files while others target users' documents. Some viruses destroy data on the disk while others create havoc in a network.

A virus in a network environment is a serious concern and needs to be tackled in a more systematic way, because:
- As the computers are all connected in a network, the virus can easily spread to other computers through the network connection.
- The virus may increase network activity and thereby choke the network traffic.
- Besides, disinfecting all the computers in a network is more challenging than disinfecting a stand-alone computer.

1.1 Characteristics of computer viruses

Before getting into the problems created by network viruses and their solutions, it will be useful to have a look at the characteristics of computer viruses.
- One of the fundamental characteristics of a computer virus is that it replicates. Without replication the virus cannot grow and ultimately cannot survive.
- Another fundamental characteristic of a computer virus is that it transmits. It transmits from one computer to another through infected files or infected disks.
- A virus generally infects computer programs by attaching itself to those programs. Some viruses are capable of transmitting themselves across networks, even bypassing the network security systems.
- Different types of viruses have different capabilities and limitations. For example, a boot sector virus infects the boot sector and not the data files, a macro virus infects documents and not executable files, and so on.
- The patterns of infection are different for different viruses. Some viruses attach themselves to the beginning of the file whereas others attach themselves to the end of the file. Some viruses modify or scramble the original data whereas others delete the original content and replace it with virus code.
- Not every virus acts immediately. Some viruses wait patiently as benign programs until their trigger events occur and they become active.

2. Limitations of conventional scanning methods

2.1 Conventional methods of virus detection

Conventionally several methods have been adopted for detecting viruses. As the characteristics of different viruses are different, the detection methods are also different. Not all methods work for all types of viruses. Some of the important methods adopted by anti-virus manufacturers are the following:
- Signature scanning: scanning each file for bytes extracted from the virus.
- Heuristic scanning: scanning each file for virus-like code.
- Activity monitoring: checking for any abnormal behavior of a program.
- Integrity checking: checking a file against a backup copy for any changes.

2.2 Limitations of conventional methods for scanning networks

As the conventional scanning methods are intended to scan for viruses on individual workstations, they don't work efficiently for scanning computers in a network.
- Under the conventional scanning methods, each computer user has to install the virus detection software. This mechanism requires a lot of maintenance activity in a network environment, such as installing and upgrading virus databases at every workstation.
- Installing virus-detection software on each individual computer consumes a lot of system resources on each computer in the network. This reduces the capacity of each computer, which could have been utilized for other purposes.
- The virus scanner running on one machine in a network cannot scan the files residing on another machine. This is because the scanning machine typically does not have access to the files on the local hard disks of other machines in the network.
- Generally in a network environment a large number of files are moved from one system to another. When these files have already been scanned on the source computer, they are unnecessarily scanned again on the destination computer, which wastes time and system resources.
- The traditional scanning method is file based and cannot deal with network traffic directly. In other words, it cannot detect a virus while the data is being downloaded from the server. The scanner has to wait until the infected file is fully downloaded onto the user's system.
- When there is a viral outbreak (an outbreak is more than just viral infections in individual files) the whole network is affected. A large number of systems may get infected and/or the network traffic may get choked.

- In a network environment it is necessary to scan and disinfect each and every machine in the network. If even a single machine is left infected, it can easily spread the virus to all other machines in the network, multiplying the problem.
- Other limitations of conventional scanning also hold good in a network environment. For example, new and unknown viruses cannot be detected by conventional signature scanning.

3. Firewall based virus scanning

As we saw above, the conventional method of installing anti-virus on each individual computer in a network environment has several limitations. In order to avoid these problems, there is another method of scanning for viruses in a network: installing an anti-virus directly into the firewall.

A firewall-based virus scanning method solves the above-mentioned problems to some extent. In this method, all data transfer between the LAN and the Internet is channeled through the proxy server. The scanner is implemented at the proxy server, which detects and cleans the data prior to its reaching the user computers (Principle-24: Intermediary, Principle-10: Prior Action).

3.1 Limitations of firewall based virus scanning

However, a firewall based virus-filtering feature is also not very effective because (i) a substantial amount of processing at the firewall degrades the network performance, (ii) investing in specialized computers for centralizing virus scanning becomes very expensive, (iii) the firewall contains less operational data, which leads to a less precise scan compared to client based virus scanning.

3.2 Contradictions

Thus we saw that both methods of administering anti-virus software, whether installing on each individual computer or installing directly into the firewall, have several disadvantages. On one hand a single point of protection makes the scanning slow, whereas on the other hand putting it on individual computers increases administration. This situation leads to the following contradiction.
- Implementing anti-virus directly into the firewall prevents viruses from entering from the Internet but fails to provide protection from viruses spreading within the LAN.
- Implementing anti-virus on every computer within a LAN protects individual computers from viruses, but increases the administration work of installing and configuring anti-virus on each individual computer.

We need a method of administering anti-virus so that the computers are protected from both Internet and internal (within the LAN) infections without much administration load.

4. Methods of scanning files in a network

Let's see what special methods have been or can be adopted to implement efficient virus scanning in a network environment.
- There should be a mechanism for scanning files in a network environment so that the same files need not be scanned again and again on every workstation. For example, the scanned files may be certified as virus free so that other users / systems in the network trust the files to be virus free (Principle-35: Parameter Change).
- As the major threat of viral attack comes from outside, it would be useful to screen all data on the way when it is transferred from one computer to another through a telephone / cabled network (Principle-10: Prior Action).
- The virus scanner may be deployed in the servers and gateways to scan the data being transferred through them. In such cases the data / files can be scanned when they are transferred from one computer to another (Principle-24: Intermediary).
- Data may be scanned while being downloaded from a server. If an infection is detected during download, then the anti-virus program should cure the virus or delete the partially downloaded file. This prevents unnecessary downloading of infected files from the server, which would later be deleted when detected to be infected.

- It will be useful to employ distributed virus scanning on data transfers between a distributed computer network and the host computers (Principle-1: Segmentation). The most appropriate scanning module and/or virus signatures may be obtained from an anti-virus server as and when necessary to ensure effective scanning.
- The anti-virus should check virus outbursts to prevent other computers in the network from being infected (Principle-9: Prior Counteraction).
- Store the hash tables or fingerprints on a server computer so that they remain safe from viral attacks on the local host. These fingerprints can be reliably used at the time of scanning (Principle-2: Taking out).
- There should be a method to detect and isolate the infected machine in a network automatically (Principle-2: Taking out, Principle-25: Self Service) so that the infected machine cannot spread infection to other computers.
- While disseminating malicious programs, the virus typically transmits the malicious programs to random IP address destinations. This feature of the virus may be used to detect it. In other words, a virus may be detected by detecting the randomness of its IP destination addresses (Principle-13: Other way round).

5. Inventions on virus scanning in networks

5.1 Computer virus screening methods and systems (Patent and )

While downloading data through a telephone network, the computers in a network are under threat of viral infection. In order to be safe from viruses, each user has to install virus detection software on their individual machine. Besides, each user has to install subsequent revisions of the anti-virus program (or signature database) when released, to ensure protection from recently discovered viruses. This method creates too much of a burden for users working in a network environment.

Computer virus screening methods and systems (Patent and )

Patent (invented by Franczek, et al., assignee Ameritech Corporation, Nov 1999) proposes to virus screen the data on the telephone network so that the end users can download any computer data without fear of getting a virus. (This patent is further continued in patent by the same inventors and assignee later in May 2002).

Let's take an example where different computers are connected through a telephone network, such as a PSTN or a private network. In such cases, when one computer sends data to another computer, the data has to go through the telephone network. According to the invention, the telephone network, instead of simply passing the raw data, will screen the data for viruses. If no virus is detected in the screening then the data is communicated to the second party. On the other hand, if a virus is detected then the telephone network performs the necessary corrective actions, such as removing the virus, communicating messages to the computer users or inhibiting the communication.

In this way the telephone network provides a virus screening service to its customers. As the data is screened for specific viruses prior to its delivery to an end user, the computer data need not be screened for those viruses again by the end user's computer. This type of virus screening service may be provided only to the subscribers who pay for the service.

TRIZ based Analysis

This invention utilizes the telephone network to scan for computer viruses (Principle-24: Intermediary). This method has an advantage in that new virus definitions need to be updated at only one place (i.e. the telephone network) instead of on each end user's computer.

As the data is screened on the way when transferred from one computer to another, the computer users need not screen the data again at their computers (Principle-9: Prior Counteraction).

5.2 System for virus-checking network data during download to a client device (Patent )

Conventional virus scanning utilities are typically installed on the end-user systems. In such cases the infected files are still downloaded to the end user's storage device without the user's knowledge, and remain undetected on the user's system for a long time or are passed on to other systems before being detected by a scanner.

Possible solution: It would have been useful to prevent infected files from being downloaded to the end user's machine in the first place.

System for virus-checking network data during download to a client device (Patent )

Patent (invented by Tso, et al., assignee Intel Corporation, July 2000) discloses a method of checking for viruses while downloading data to a network client. According to the invention, virus checking software may be installed on a network device (or on a device coupled to the network device). When a client requests a data object, the network device invokes the virus checker and scans the requested file as input (Principle-9: Prior Counteraction).

If the requested file does not contain a virus then the network device transmits the file to the client device; alternatively, if the file is detected to be infected then the network device interrupts transmission of the data and transmits an appropriate message to the client device and/or the message server.

In a conventional downloading situation the content server transmits the requested data object as a series of contiguous portions, and the network device transmits those portions to the client device as soon as they are received from the server (referred to as "streaming"). But in the present invention the network device delays the transmission slightly, withholding the most recently received portion to ensure that a virus-infected file does not reach the client device in its entirety (Principle-9: Prior Counteraction).

According to the invented method, the network device scans the portions of the file being downloaded. Assuming the virus checker has not already detected a virus, it also performs an additional virus check upon completion of the entire file. If no virus is detected, the network device transmits the withheld portion to the client. On the other hand, if a virus is detected the network device terminates transmission to the client device with an appropriate message to the client. The client device does not receive the infected file, as the last portion of the file has still not reached the client. (If the file is repaired then the network device may retransmit the repaired file with an appropriate message.)

However, there is one problem in the process. Since the virus scanning operation may be time consuming, the download may result in a time-out error. The invention prevents this potentially large final delay by artificially delaying individual segments of the requested file before transmitting them to the client device (Principle-8: Counterweight). In other words, the delay required for scanning is spread over individual segments (Principle-1: Segmentation) to avoid a time-out error.
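The hold-back relay described in this section, sketched in Python as an added example (not code from the paper or the patent). The byte pattern, the known-bad hash set and the names `relay_download` and `send` are constructed for illustration, and the timing side (spreading the scan delay over segments) is not modelled.

```python
import hashlib
from typing import Callable, Iterable, Optional, Set

# Constructed stand-ins for scanner data (assumptions, not real signatures).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed known-bad file body").hexdigest()
}


def relay_download(chunks: Iterable[bytes],
                   send: Callable[[bytes], None],
                   signature: bytes = SIGNATURE,
                   known_bad: Set[str] = KNOWN_BAD_SHA256) -> str:
    """Forward `chunks` through `send`, always holding back the newest one.

    Returns "clean" once every chunk has been released, or "infected" as
    soon as a check fails. In the infected case the held-back chunk is never
    sent, so the client cannot assemble the complete file.
    """
    if not signature:
        raise ValueError("signature must be non-empty")
    overlap = len(signature) - 1          # bytes carried across a boundary
    carry = b""                           # tail of the data scanned so far
    withheld: Optional[bytes] = None      # newest chunk, not yet released
    digest = hashlib.sha256()             # whole-file fingerprint

    for chunk in chunks:
        # Scan the new portion together with the tail of the previous data,
        # so a pattern split across two portions is still found.
        window = carry + chunk
        if signature in window:
            return "infected"
        carry = window[-overlap:] if overlap else b""
        digest.update(chunk)
        if withheld is not None:
            send(withheld)                # release the older portion
        withheld = chunk

    # Additional check on the completed file, before the last release.
    if digest.hexdigest() in known_bad:
        return "infected"
    if withheld is not None:
        send(withheld)
    return "clean"


def demo() -> dict:
    """Run three constructed downloads; return verdict and chunks delivered."""
    cases = {
        "clean": [b"aaa", b"bbb", b"ccc"],
        "split_signature": [b"A" * 40,
                            b"B" * 40 + SIGNATURE[:10],
                            SIGNATURE[10:] + b"C" * 40,
                            b"D" * 40],
        "known_bad_hash": [b"constructed ", b"known-bad ", b"file body"],
    }
    results = {}
    for name, chunks in cases.items():
        delivered = []
        verdict = relay_download(chunks, delivered.append)
        results[name] = (verdict, len(delivered), len(chunks))
    return results


if __name__ == "__main__":
    for name, (verdict, sent, total) in demo().items():
        print(f"{name}: {verdict}, delivered {sent} of {total} chunks")
```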

5.3 Computer security using virus probing (Patent )

A firewall based virus-filtering feature is not effective because (i) a substantial amount of processing at the firewall degrades network performance, (ii) the firewall contains less operational data, which leads to a less precise scan compared to a client based virus scanner. Although a client-based scanner is more effective, the task of installing and upgrading scanners on each individual machine of a large network is a tremendous job. There is a need for configuring the security features in the client computers throughout a computer network.

Computer security using virus probing (Patent )

Patent (invented by Grosse, assignee Lucent Technologies, March 2001) discloses a method for determining whether particular clients within a computer network are universally configured in accordance with the desired network security features of the computer network. The method inserts a probe within the incoming files in the computer network. The probe is typically configured as a virus in the form of a Trojan horse (Principle-26: Copying). If the client is properly configured then the probe will not execute. However, if the client is misconfigured (i.e., not in compliance with the network security measures) the probe will execute a security alert indicating that the client is vulnerable to a security breach.

This method reduces the workload of a network administrator. The network administrator need not go from computer to computer to identify which machine is not in compliance with the standard security measures. The probe raises an alarm in the firewall indicating which clients are vulnerable to a security breach. The network administrator can take appropriate action to correct those clients which are misconfigured.

Since all requests must be made through the firewall, the probe is configured to trigger a request that can be effectively utilized as a signal to the firewall (Principle-23: Feedback). The firewall identifies the probe and generates a security alert. The security alert can be immediately notified to the network administrator or stored in a database to be reviewed at a later time.

For example, in a private network all web browsers are to have their JavaScript interpreter disabled to prevent the execution of scripts, which may be introduced from foreign sources to create security risks. In this case the probe can be a JavaScript instruction in an HTML page. If JavaScript is disabled in the client browser then the probe will not be executed. If JavaScript is not disabled then the probe (in this example) will request the image file, and this request will be captured by the firewall. This informs the network administrator that the particular browser is JavaScript enabled, which is not in compliance with the desired security measure of the private network.

5.4 Distributed virus scanning arrangements and methods therefor (Patent )

When a client computer downloads content from the Internet, infected content can infect the client computer. The prior art virus scanners are all file-based and cannot deal with the network traffic directly. In other words, they cannot detect the virus unless the infected file is fully downloaded and saved onto persistent storage in the computer.

Although in a corporate network the network administrators may employ a proxy server and perform virus scanning at the proxy server (Principle-24: Intermediary) to remove viruses from the transferred data prior to its reaching the host computer (Principle-10: Prior Action), the method is expensive and not viable for standalone computers. It is desirable to have improved techniques for enabling distributed virus scanning on data transfers between a distributed computer network and the host computers.

Distributed virus scanning arrangements and methods therefor (Patent )

Patent (invented by Ji et al., assignee Trend Micro Incorporated, April 2004) discloses a technique of performing virus scanning by host computers on HTTP transferred data by downloading scanning programs. According to the invention, the distributed virus scan engine at each host computer is created from code / data centrally maintained at one or more servers in the LAN.

When the browser is loaded on the host computer, the first HTTP request accesses a virus-scan enabling server to download code to create a local scan engine and/or a local proxy server (Principle-3: Local Quality). Once a local proxy server is created, the host directly accesses the Internet, bypassing the central proxy server. This method has the advantage of centrally managing virus scanning solutions and eliminates the disadvantage of periodic updating and maintenance at each host computer.

If the browser of a host computer does not support the ability to create a local scan engine then all data transfers are routed through the central proxy server, allowing the virus scanning to be performed at the central server. As many of the host computers will have the ability to scan locally, the load on the central server will be greatly reduced.

When the host computer downloads data, a request is sent to download the executable code to create a virus scan module. This module is then used to detect viruses in data transferred between the host computer and the Internet. If the browser of the host computer supports creating a local scan engine and/or local proxy server then the virus scan module is downloaded and executed at the host computer (Principle-3: Local Quality).

If, on the other hand, the browser of the host computer does not support the signed applet technology to download and create a local scan engine, then the data will be transferred through the central proxy server and scan engine. Thus the proposed method provides virus scanning for all the host computers, whether they support signed applet technology (local scan engine) or not.

5.5 Response to a computer virus outbreak (Patent )

Generally anti-virus programs search for viruses and disinfect computer files that have been infected. But they are not very efficient at handling virus outbreaks. As an outbreak is considered to be more than just the infection of individual files, mere detection of individual viruses is not enough. There is a need for a system to deal with such virus outbreaks.

Response to a computer virus outbreak (Patent )

Patent (invented by Smithson, et al., assignee Networks Associates Technology, May 2005) discloses a robust method of dealing with virus outbreaks. According to the invention, when a virus outbreak is detected, a predefined sequence of steps is automatically (or manually) followed to invoke anti-virus counter-measures. The counter-measures can include reducing virus notification, increasing scanning options, blocking attachments, hiding address books and the like. This method automatically provides an appropriate response to the virus outbreak even if there are no IT support personnel present in the environment (Principle-25: Self Service, Principle-9: Prior Counteraction).

The invention provides a methodical approach to countering a virus outbreak. Although most actions can be pre-defined and fixed, some actions can also be user defined and might preferably vary from computer to computer. For example, when a virus outbreak is detected, steps 1, 3 and 4 (in the above list) execute automatically following expiry of their escalation time, whereas steps 2 and 5 require user confirmation prior to being executed.

As the load on computers may vary significantly between working hours and non-working hours, the invention allows the sequence of predefined actions to be arranged depending on the time of day and/or the day of the week. In this way different strategies can be implemented in business hours and leisure hours (Principle-3: Local Quality, Principle-15: Dynamize). In this way the strategy for dealing with a virus outbreak can be established in advance, without suffering from the time pressure of a real virus outbreak (Principle-10: Prior Action).

5.6 System and method for network virus protection (Patent )

There are two methods of administering anti-virus software in a LAN. One is to install the anti-virus directly into the firewall and the other is to install anti-virus on each individual computer. But both methods have several disadvantages. Installing in the firewall can protect the computers from external infection but does not protect against infection from within the LAN. Besides, having a single point of protection makes the scanning slow. On the other hand, installing anti-virus on each individual computer increases administrative overhead.
- Implementing anti-virus directly into the firewall prevents viruses from entering from the Internet but fails to provide protection from viruses spreading within the LAN.
- Implementing anti-virus on every computer within a LAN protects individual computers from viruses, but increases the administration work of installing and configuring anti-virus on each individual computer.

We need a method of administering anti-virus so that the computers are protected from both external (Internet) and internal (within the LAN) infections without much administration load.

System and method for network virus protection (Patent )

Patent (invented by Yanovsky, assignee SonicWALL, March 2006) discloses a method of protecting computers in a local area network by implementing an anti-virus policy programmed into the firewall. According to the invention, the LAN's anti-virus policy is programmed into the firewall or other Internet access module (IAM), which applies that policy to the client computers on the LAN. This policy might include the frequency with which the anti-virus software is updated and the number of versions that the software is permitted to be out of date. Any client computer not meeting the anti-virus policy is not permitted to access the Internet. The firewall can also update the out-of-date client computers to make them compliant with the policy.

Let's see what the novelty is in this invention. In fact the concept of a network policy is known to the prior art. The firewall is also known to the prior art. The novelty of this invention is to integrate an anti-virus policy into the network policy (Principle-5: Merging).

According to the invented method, the system administrator has to set a range of compliance for the anti-virus protection policy, which is implemented in the firewall. The firewall verifies whether the host device is in compliance with the anti-virus policy. If any host device is not in compliance with the anti-virus policy, the firewall does not allow it to access the Internet (Principle-24: Intermediary, Principle-9: Prior Counteraction).

5.7 Virus epidemic damage control system and method for network environment (Patent )

In a network environment, whether the Internet or a corporate LAN, a fast-paced virus can spread throughout the entire network unless effectively stopped. The conventional anti-virus schemes are effective against known computer viruses, but are unable to block unknown viruses. There is a need for effective damage control against fast-spreading viruses in a network.

Virus epidemic damage control system and method for network environment (Patent )

Patent (invented by Liang, assignee Trend Micro, June 2006) discloses a method of controlling the damage caused by a virus epidemic in a network environment.

The invented method monitors the traffic flow and analyses the files being modified. If any node is detected with an unpredicted traffic flow within a predetermined time interval, the system suspects the activity to be caused by a virus and initiates anti-virus tasks in the abnormal segment.

Similarly, when two different files are detected to be modified identically within a predefined short period of time, the method notifies the network server about the presence of a suspected malicious program in the network. On getting such a notification the server transfers an anti-virus task to the suspicious area for finding and eradicating the virus.

In a typical scenario the first file can be on a first node and the second file can be on a second node in the computer network. The system compares the first modified file against the second modified file. If the modifications in the first content and the second content are not substantially identical, the method allows continuation of normal operation in the network. If, on the other hand, the modifications are found to be identical, then the management server is informed about a suspected virus attack. In that case a damage control system is initiated to identify and remove the virus.

Thus the method identifies viral infections by detecting irregularities in the traffic flow and by detecting identical modifications of files within a short time period. The method compares the first modified section in the first file with the second modified section in the second file, which is different from the conventional methods of comparing the file with virus signatures (as in the signature scanning method) or comparing the file with its backup (as in the integrity check method) (Principle-35: Parameter Change).

The method also prevents the spreading of a virus in a network environment and reduces the level of damage during a virus epidemic (Principle-9: Prior Counteraction).

5.8 Method and apparatus for the detection, notification, and elimination of certain computer viruses on a network using a promiscuous system as bait (Patent )

When the computers in a network are infected, it is necessary to disinfect each and every machine in the network. After each machine has been checked and disinfected, it is desirable to detect and eliminate the source of the worm; otherwise the whole network can be re-infected when connected to the offending system. However, detecting the source of infection out of several infected machines in a large network can be a difficult job. There is a need for an easy method to detect, locate and eliminate the source of the virus without requiring great skill on the part of an administrator.

Method and apparatus for the detection, notification, and elimination of certain computer viruses on a network using a promiscuous system as bait (Patent )

Patent (invented by Chefalas et al., assignee Lenovo (Singapore) Pte. Ltd., Aug 2006) discloses a method of identifying, locating and deleting viruses in a network by using a promiscuous system as a bait server. The method includes a bait server whose address is not published to the clients in the network (Principle-32: Color Change). In that case, any attempt to access the bait server indicates the presence of a virus on the client attempting access.

The bait server identifies the offending system from which the request originated and alerts the local server about the identity of the offending system. The bait server monitors itself and also directs the local server to disconnect the offending system from the network (Principle-25: Self Service, Principle-2: Taking out).

Unlike conventional methods, the approach here is not to search for the infected system; rather, whichever system tries to communicate with the bait server is identified as the infected system. Thus the bait server automatically identifies the offending client and notifies the network administrator (Principle-25: Self Service). This method simplifies the job of a network administrator and enables him to take appropriate action to disinfect the offending client.
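The bait-server logic above reduces to a simple detection rule over connection records, shown here as an added Python example (not code from the paper or the patent). The log format, the addresses, the `bait_contacts` name and the allow-list for an administrator's monitoring host are all assumptions made for illustration.

```python
import re
from datetime import datetime

BAIT_ADDRESS = "10.0.0.250"      # constructed: the unpublished bait server
ALLOWED_SOURCES = {"10.0.0.5"}   # hypothetical: admin host that checks the bait

# Constructed connection log, one record per line, deliberately out of order
# and with one unparsable line.
SAMPLE_LOG = """\
2012-05-01T10:00:01 src=10.0.0.21 dst=10.0.0.10 dport=80
2012-05-01T10:00:03 src=10.0.0.23 dst=10.0.0.250 dport=445
2012-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.250 dport=22
2012-05-01T10:00:07 src=10.0.0.23 dst=10.0.0.250 dport=139
malformed line
2012-05-01T10:00:09 src=10.0.0.31 dst=10.0.0.250 dport=445
2012-05-01T10:00:02 src=10.0.0.31 dst=10.0.0.250 dport=445
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def bait_contacts(lines, bait=BAIT_ADDRESS, allowed=ALLOWED_SOURCES):
    """Return (offenders, skipped).

    offenders: list of (source, first_contact, sorted_ports), ordered by
    first contact so the earliest host to touch the bait comes first.
    skipped: number of non-empty lines that could not be parsed.
    """
    first_seen = {}
    ports = {}
    skipped = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        try:
            ts = datetime.fromisoformat(match.group(1)) if match else None
        except ValueError:
            ts = None
        if ts is None:
            skipped += 1
            continue
        src, dst, dport = match.group(2), match.group(3), int(match.group(4))
        # No client has a legitimate reason to know the bait address, so any
        # contact that is not from the allow-list marks the source as suspect.
        if dst != bait or src in allowed:
            continue
        if src not in first_seen or ts < first_seen[src]:
            first_seen[src] = ts
        ports.setdefault(src, set()).add(dport)
    ordered = sorted(first_seen, key=first_seen.get)
    offenders = [(src, first_seen[src], sorted(ports[src])) for src in ordered]
    return offenders, skipped


if __name__ == "__main__":
    found, bad_lines = bait_contacts(SAMPLE_LOG.splitlines())
    for src, when, dports in found:
        print(f"isolate {src}: first bait contact {when.isoformat()}, ports {dports}")
    print(f"unparsed lines: {bad_lines}")
```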

5.9 System and method for certifying that data received over a computer network has been checked for viruses (Patent )

When an e-mail virus infects a computer, it sends out e-mails to addresses listed in the address book. In such cases the e-mails received even from trusted senders can contain viruses. Although such viruses are generally caught by anti-virus software installed at the receiver's end, there may be situations where the recipient doesn't have an anti-virus installed on his computer or the anti-virus database has not been updated. To overcome this situation, there is a need for certifying that received data is virus free so that the recipient can open the document safely without requiring a virus scan.

The patent (invented by Gordon et al, assignee McAfee, Sep 2006) discloses a method of scanning an e-mail and certifying that the e-mail is free from viruses. The method scans an e-mail before it is sent from the computer and attaches a certificate identifying that the e-mail is free from viruses. The certificate is sent along with the e-mail to the recipient computer (Principle-5: Merging). This certificate reassures the recipients that the data received has been checked for viruses and is safe to open.

The same method can also be used to certify the content of websites. The method scans the content available for download on a host site and displays a certificate on the host site identifying the content as virus free. The certificate may state that the e-mail has been scanned for viruses and certified, etc. The certificate may also contain a logo of the virus scanning company indicating that the e-mail has been scanned for viruses. Moreover, a digital signature may be attached to the e-mail stating that the e-mail has not been tampered with while in transit from the sending computer to the receiving computer.

5.10 Detecting dissemination of malicious programs (Patent )

The prior art security management tools are configured to detect only known patterns of malicious programs. If no known pattern is detected, the security management tools may determine a malicious program to be safe. Hence a newly created malicious program whose pattern is unknown may not be detected by the security management tools. While disseminating malicious programs, the attacker typically transmits them to random IP destination addresses. The dissemination of a newly created malicious program may therefore be detected by detecting the randomness of its IP destination addresses.
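The destination-randomness test of section 5.10, sketched as an added example (not code from the patent or from this article): destination addresses of unacknowledged datagrams seen at the gateway are hashed, and a group of packets is flagged when a small window yields a high number of different hash values. The window size, hash space, alert ratio, grouping by packet-size band and the sample traffic are all assumptions of this example.

```python
import hashlib
import ipaddress
import random
from collections import defaultdict, deque

# Tuning values are assumptions of this example, not figures from the patent.
WINDOW = 32         # the "small number of IP packets examined" per group
HASH_VALUES = 1024  # size of the hash value space
ALERT_RATIO = 0.8   # distinct hash values per packet that counts as random
SIZE_SLACK = 8      # packets in the same 8-byte band count as "nearly constant" size


def dest_hash(dst):
    """Hash an IPv4/IPv6 destination address to one of HASH_VALUES values."""
    packed = ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(packed).digest()
    return int.from_bytes(digest[:4], "big") % HASH_VALUES


class RandomDestinationDetector:
    """Gateway-side check: many distinct destination hashes in few packets."""

    def __init__(self):
        # One sliding window per packet-size band. Grouping by size rather than
        # by source is this example's choice, so that a random (spoofed) source
        # address does not split one sender's traffic across many groups.
        self.windows = defaultdict(lambda: deque(maxlen=WINDOW))

    def observe(self, pkt):
        """Feed one packet dict; return an alert dict or None."""
        if pkt["proto"] != "udp":  # only unacknowledged datagrams are examined
            return None
        band = pkt["length"] // SIZE_SLACK
        window = self.windows[band]
        window.append((dest_hash(pkt["dst"]), pkt["src"]))
        if len(window) < WINDOW:
            return None
        distinct = len({h for h, _ in window})
        if distinct / WINDOW < ALERT_RATIO:
            return None  # destinations repeat: normal client/server traffic
        alert = {
            "size_band": (band * SIZE_SLACK, band * SIZE_SLACK + SIZE_SLACK - 1),
            "distinct_hashes": distinct,
            "packets": WINDOW,
            "sources": sorted({src for _, src in window}),
        }
        window.clear()  # start a fresh window after alerting
        return alert


def constructed_traffic(include_worm=True, seed=7):
    """Constructed sample: DNS-like UDP, one TCP flow, optional scanning host."""
    rng = random.Random(seed)
    resolvers = ["192.0.2.53", "192.0.2.54"]
    packets = []
    for _ in range(64):
        packets.append({"proto": "udp", "src": f"10.0.0.{rng.randint(2, 20)}",
                        "dst": rng.choice(resolvers),
                        "length": rng.randint(60, 90)})
        packets.append({"proto": "tcp", "src": "10.0.0.5",
                        "dst": "198.51.100.10", "length": 404})
        if include_worm:
            # Fixed-size datagrams to random addresses from one internal host.
            packets.append({"proto": "udp", "src": "10.0.0.23",
                            "dst": str(ipaddress.IPv4Address(rng.getrandbits(32))),
                            "length": 404})
    return packets


def scan(packets):
    """Run the detector over a packet list and return every alert raised."""
    detector = RandomDestinationDetector()
    return [a for a in map(detector.observe, packets) if a]


if __name__ == "__main__":
    for alert in scan(constructed_traffic()):
        print(alert)
```

Traffic from many clients to a few fixed servers produces only a handful of hash values per window, so it stays below the ratio however busy the gateway is.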

The patent (invented by Jeffries et al, assignee International Business Machines Corporation, Nov 2006) provides a method for detecting viruses by detecting the randomness in destination addresses. The invention performs a hash function on the IP destination addresses and generates one or more different hash values. If a high number of different hash values are generated for a small number of IP packets examined, then random IP destinations are detected. This randomness of IP destination addresses indicates malicious programs such as viruses and worms.

The invention is based on certain assumptions about the characteristics of malicious programs. For example, a malicious program typically shows a constant or nearly constant IP packet size, a constant or random IP source address, and a transfer that involves an unacknowledged datagram. The invented system analyzes the IP packets received by the gateway working as the entry/exit point to the external network. Assuming that a malicious IP packet will have a random IP destination address, the invented system detects the presence of worms or viruses if the IP destination addresses are detected to be random (Principle-13: Other way round).

6. Summary

A network virus has special capabilities to spread fast in network environments by exploiting the features and capabilities of the networking technology. For example, the virus may copy itself to other computers in the network or may increase network activity, congesting the network traffic.

Conventional anti-virus programs are not efficient enough to detect and control viruses in a network environment. First of all, they have to be installed on each computer in a network, which requires a lot of maintenance. Secondly, they consume a lot of system resources on each individual computer. Besides, traditional scanning is file based and cannot scan data while it is being downloaded from the server. Last but not least, many files are scanned repeatedly, as a lot of files are generally transferred from one computer to another in the network.

Firewall-based virus scanning, although it solves most of the above problems (such as reduced maintenance), requires high-end machines to withstand the scanning load. Besides, implementing anti-virus in the firewall prevents viruses from entering from the Internet but fails to provide protection from viruses spreading within the LAN.

A network virus scanner should be specially designed to protect computers in a network environment. It should be able to scan data while it is being transferred from server to client or from one computer to another, in order to prevent the transfer of infected data. The anti-virus should be capable of controlling virus outbreaks to prevent other computers in the network from being infected. The article illustrates 10 interesting inventions from the US patent database dealing with scanning viruses in a network.

Reference:

1. US Patent and , Computer virus screening methods and systems, Inventor- Franczek, et al, Assignee- Ameritech Corporation, Nov
2. US Patent , System for virus-checking network data during download to a client device, Inventor- Tso, et al., Assignee- Intel Corporation, July
3. US Patent , Computer security using virus probing, Inventor- Grosse, Assignee- Lucent Technologies, March
4. US Patent , Distributed virus scanning arrangements and methods therefor, Inventor- Ji et al., Assignee- Trend Micro Incorporated, April
5. US Patent , Response to a computer virus outbreak, Inventor- Smithson, et al., Assignee- Networks Associates Technology, May
6. US Patent , System and method for network virus protection, Inventor- Yanovsky, Assignee- SonicWALL, March
7. US Patent , Virus epidemic damage control system and method for network environment, Inventor- Liang, Assignee- Trend Micro, June
8. US Patent , Method and apparatus for the detection, notification, and elimination of certain computer viruses on a network using a promiscuous system as bait, Inventor- Chefalas et al., Assignee- Lenovo (Singapore) Pte. Ltd., Aug
9. US Patent , System and method for certifying that data received over a computer network has been checked for viruses, Inventor- Gordon et al, Assignee- McAfee, Sep 2006
10. US Patent , System and method for certifying that data received over a computer network has been checked for viruses, Inventor- Gordon et al, Assignee- McAfee, Sep
11. US Patent , Detecting dissemination of malicious programs, Inventor- Jeffries et al, Assignee- International Business Machines Corporation, Nov
12. Umakant Mishra, Methods of Virus detection and their limitations
13. Umakant Mishra, Solving Virus Problems by Anti-Virus Developers- A TRIZ Perspective
14. Umakant Mishra, Improving Speed of Virus Scanning- Applying TRIZ to Improve Anti-Virus Programs
15. Umakant Mishra, The Revised 40 Principles for Software Inventions
16. US Patent and Trademark Office (USPTO) site

About the author

After working for more than 18 years in various fields of Information Technology Umakant is currently doing independent research on TRIZ and IT since He last worked as Director and Chief Technology Officer ( ) in CREAX Information Technologies (Bangalore). Before that he worked as IS/IT manager ( ) for ActionAid India (Bangalore). Umakant is a Master in Philosophy (MA), Master in Business Administration (MBA), Bachelor in Law and Logic (LLB), Microsoft Certified Systems Engineer (MCSE+I), Certified Novell Engineer (CNE), Master Certified Novell Engineer (MCNE), Certified Intranet Manager (CIM), Certified Internet Professional (CIP), Certified Software Test Manager (CSTM) and holds many other global IT certifications. Umakant has authored the books "TRIZ Principles for Information Technology", "Improving Graphical User Interface using TRIZ", "Using TRIZ for Anti-Virus Development" etc. and is working on a book on Management Information Systems. Many of his articles are available in SSRN elibrary ( bepress ( Arxiv ( etc. More about Umakant is available at


Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable? Introduction Controlling Information Systems When computer systems fail to work as required, firms that depend heavily on them experience a serious loss of business function. M7011 Peter Lo 2005 1 M7011

More information

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates A test commissioned by McAfee, Inc. and performed by AV-Test GmbH Date of the report: December 7 th, 2010 (last

More information

SecureAPlus User Guide. Version 3.4

SecureAPlus User Guide. Version 3.4 SecureAPlus User Guide Version 3.4 September 2015 Copyright Information Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious

More information

Inventions on Three Dimensional GUI- A TRIZ based analysis

Inventions on Three Dimensional GUI- A TRIZ based analysis From the SelectedWorks of Umakant Mishra October, 2008 Inventions on Three Dimensional GUI- A TRIZ based analysis Umakant Mishra Available at: https://works.bepress.com/umakant_mishra/74/ Inventions on

More information

Get BitDefender Client Security 2 Years 30 PCs software suite ]

Get BitDefender Client Security 2 Years 30 PCs software suite ] Get BitDefender Client Security 2 Years 30 PCs software suite ] Description: The foundation of business security The security requirements for any new or existing company no matter how large or small -

More information

KSI/KAI Cyber Security Policy / Procedures For Registered Reps

KSI/KAI Cyber Security Policy / Procedures For Registered Reps KSI/KAI Cyber Security Policy / Procedures For Registered Reps Password Protection 1) All electronic devices used in any way for KSI/KAI business must be password protected. 2) Passwords, where applicable,

More information

ForeScout Extended Module for Symantec Endpoint Protection

ForeScout Extended Module for Symantec Endpoint Protection ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection

More information

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection White Paper New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection The latest version of the flagship McAfee Gateway Anti-Malware technology adapts to new threats and plans for future

More information

Using TRIZ for Minimizing Cursor Movements in GUI

Using TRIZ for Minimizing Cursor Movements in GUI From the SelectedWorks of Umakant Mishra October, 2008 Using TRIZ for Minimizing Cursor Movements in GUI Umakant Mishra Available at: https://works.bepress.com/umakant_mishra/69/ Using TRIZ for Minimizing

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

SIMATIC. Process Control System PCS 7 Symantec Endpoint Protection 11.0 Configuration. Using virus scanners 1. Configuration 2. Commissioning Manual

SIMATIC. Process Control System PCS 7 Symantec Endpoint Protection 11.0 Configuration. Using virus scanners 1. Configuration 2. Commissioning Manual SIMATIC Process Control System PCS 7 Using virus scanners 1 Configuration 2 SIMATIC Process Control System PCS 7 Symantec Endpoint Protection 11.0 Configuration Commissioning Manual 08/2009 A5E02634984-01

More information

User s Guide. SingNet Desktop Security Copyright 2010 F-Secure Corporation. All rights reserved.

User s Guide. SingNet Desktop Security Copyright 2010 F-Secure Corporation. All rights reserved. User s Guide SingNet Desktop Security 2011 Copyright 2010 F-Secure Corporation. All rights reserved. Table of Contents 1. Getting Started... 1 1.1. Installing SingNet Desktop Security... 1 1.1.1. System

More information

1110 Cool Things Your Firewall Should Do. Extend beyond blocking network threats to protect, manage and control application traffic

1110 Cool Things Your Firewall Should Do. Extend beyond blocking network threats to protect, manage and control application traffic 1110 Cool Things Your Firewall Should Do Extend beyond blocking network threats to protect, manage and control application traffic Table of Contents The Firewall Grows Up 1 What does SonicWALL Application

More information

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control. For Microsoft Windows

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control. For Microsoft Windows Client Guide for Symantec Endpoint Protection and Symantec Network Access Control For Microsoft Windows Client Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described

More information

Symantec Endpoint Protection 14

Symantec Endpoint Protection 14 Symantec Endpoint Protection Cloud Security Made Simple Symantec Endpoint Protection 14 Data Data Sheet: Sheet: Endpoint Endpoint Security Security Overview Last year, we saw 431 million new malware variants,

More information

BUFFERZONE Advanced Endpoint Security

BUFFERZONE Advanced Endpoint Security BUFFERZONE Advanced Endpoint Security Enterprise-grade Containment, Bridging and Intelligence BUFFERZONE defends endpoints against a wide range of advanced and targeted threats with patented containment,

More information

User Guide. Version R95. English

User Guide. Version R95. English Anti-Malware (Classic) User Guide Version R95 English July 20, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

Inventions on menu and toolbar coordination A TRIZ based analysis

Inventions on menu and toolbar coordination A TRIZ based analysis A TRIZ based analysis Umakant Mishra Bangalore, India http://umakantm.blogspot.in Contents 1. Introduction...1 1.1 Similarities between menu and toolbar...2 1.2 Differences between menu and toolbar...2

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

GUIDE. MetaDefender Kiosk Deployment Guide

GUIDE. MetaDefender Kiosk Deployment Guide GUIDE MetaDefender Kiosk Deployment Guide 1 SECTION 1.0 Recommended Deployment of MetaDefender Kiosk(s) OPSWAT s MetaDefender Kiosk product is deployed by organizations to scan portable media and detect

More information

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...

More information

F-Secure Client Security. Administrator's Guide

F-Secure Client Security. Administrator's Guide F-Secure Client Security Administrator's Guide F-Secure Client Security TOC 2 Contents Chapter 1: Introduction...7 1.1 System requirements...8 1.1.1 Policy Manager Server...8 1.1.2 Policy Manager Console...8

More information

ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES

ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES 1 SILNOV DMITRY SERGEEVICH, 2 TARAKANOV OLEG VLADIMIROVICH Department of Information Systems and Technologies, National Research Nuclear University MEPhI (Moscow

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

NYMBLE INTERNET ACCESS SERVICE DISCLOSURES

NYMBLE INTERNET ACCESS SERVICE DISCLOSURES NYMBLE INTERNET ACCESS SERVICE DISCLOSURES Consistent with FCC regulations, Nymble Internet Service provides this information about our Internet access services ( Nymble or Nymble services ). We welcome

More information

Small Office Security 2. Mail Anti-Virus

Small Office Security 2. Mail Anti-Virus Small Office Security 2 Mail Anti-Virus Table of content Table of content... 1 Mail Anti-Virus... 2 What is Mail Anti-Virus... 2 Enabling/Disabling Mail Anti-Virus... 2 Operation algorithm of Mail Anti-Virus...

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content

More information

Intel Security Advanced Threat Defense Threat Detection Testing

Intel Security Advanced Threat Defense Threat Detection Testing Intel Security Advanced Threat Defense Threat Detection Testing DR150724C July 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 Products Tested... 4 3.0 How We Did It...

More information

Quick Heal AntiVirus Pro Advanced. Protects your computer from viruses, malware, and Internet threats.

Quick Heal AntiVirus Pro Advanced. Protects your computer from viruses, malware, and Internet threats. AntiVirus Pro Advanced Protects your computer from viruses, malware, and Internet threats. Features List Ransomware Protection anti-ransomware feature is more effective and advanced than other anti-ransomware

More information