funsec mailing list archives

RE: Vulnerability-based IPS Patent


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 30 Mar 2006 12:06:51 +1200

Drsolly to Richard M. Smith:

I *know* what was in Dr Solomon's Antivirus Toolkit :-)

Are you (or anyone else) aware of prior art for this AV patent:

http://tinyurl.com/39ntx

Patent 5,319,776 
In transit detection of computer virus with safeguard 

Abstract

Data is tested in transit between a source medium and a destination medium,
such as between two computer communicating over a telecommunications link or
network. Each character of the incoming data stream is tested using a finite
state machine which is capable of testing against multiple search strings
representing the signatures of multiple known computer viruses. When a virus
is detected the incoming data is prevented from remaining on the destination
storage medium. Both hardware and software implementations are envisioned. 

What (I think) they were trying to patent was the idea of virus-
scanning content coming into an off-site backup facility.  IIRC, 
Hilgraeve had an interest in one of those early "backup is easy if you 
don't mind your phone line being tied up 18 hours a day" services, back 
in the 2400/4800/9600 bps days.

Their patent lawyers wrote a much broader patent though, virtually 
patenting the notion of "known virus scanning" itself.  The patent is 
laughable on its face and the fact that it was never seriously 
challenged to the point of overturning it shows how difficult (or at 
least expensive) it is to get shockingly bad (US) software patents 
overturned (a good pragmatic reason for dissolving all existing US s/w 
patents and preventing the morons at the USPTO from ever issuing any 
more).

Filed:  September 29, 1992
 
Symantec seems to own the patent now:

Symantec Buys Key Security Technology 
Patent, Records First Quarter Charge 
http://symantec.co.uk/press/2003/n030818a.html

Yes -- Hilgraeve made a small pile of dosh (mostly non-public pay-outs 
suspected to be in the range of US$1 to several tens or hundreds of 
thousands) plus much publicity from the also required public 
apology/admission of infringement from its patent lawyer's (and the 
patently nonsensical US legal system's) victims (most of the well-known 
AV companies).  They did once "Email virus scanning" had become a 
necessary evil and most AV vendors had established a significant market 
base for such products in the US, leveraging the threat of a product 
sales ban against the exorbitant cost of their victims actually 
showing what a pile of shit this nonsense patent is.  (This was not 
helped by a few of the VERY large players being the first target and 
rapidly deciding that pay-up and publicly apologize was the best 
_commercial_ strategy.  This also spurred a rash of similarly nonsense 
AV-related patents from most of those vendors burned by the Hilgraeve 
action.)

Anyway, back to the story -- as I recall (and I'm sure Rob Slade has a 
much better memory of this, and maybe even notes to look up to back it 
all up!  8-) ), somewhere down the line from this, Symantec and another 
large AV developer (I'm going to hazard Trend Micro, but it's pretty 
hazy) were in some other patent dispute and Symantec realized that its 
opponent had not settled with Hilgraeve.  It then became cheaper for 
Symantec to buy the patent rights from Hilgraeve (or whoever then had 
them) to protect itself from this other action than to settle that 
action directly.

Ah, the Hilgraeve patent, I remember that. I think Virus Guard (a TSR
scanner) was previous to September 1992. I'd have to check back on old
versions of the Toolkit to find out when we shipped it. I do remember that 
they wrote to us about 10 years ago suggesting that we might like to 
licence their patent, and we told them "No thank you", because we thought 
at the time that they'd have no claim. I don't think they took it any 
further at that time, so maybe they agreed with our opinion, or thought 
it wasn't worth disputing.

Yes, that was my take on Hilgraeve's patent too -- _any_ pre-existing 
resident AV that used any form of pattern scanning and could block/ 
prevent/usurp copying of an infected file was _trivially obvious_ prior 
art, technically rendering the patent invalid.

Interesting sentence "Both hardware and software implementations are 
envisioned."; I'm pretty sure they didn't have an antivirus at the time, 
so they were patenting an idea, not an implementation.

Again, also my understanding.  See my comments above about virus-
scanning backups en route to an offsite storage facility...

(I also have a very vague idea Hilgraeve also took another operation to 
task that later (actually) implemented this, perhaps using McAfee as 
the "inline" virus scanner.  This was somewhat before the Email virus 
scanning fiasco kicked off...)


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

