funsec mailing list archives

RE: Vulnerability-based IPS Patent


From: "Richard M. Smith" <rms () bsf-llc com>
Date: Wed, 29 Mar 2006 19:25:10 -0500

Nick,

Here are the folks that settled rather than going to court over the '776 patent:

   - Symantec
   - Alladin
   - McAfee
   - Clearswift

A TSR product is a good place to look for prior art.  However, the TSR had
to operate on an incoming file before it is written to disk.

I thought that Hilgraeve made terminal emulator software and they
implemented a virus scanner for files being downloaded from a BBS.  Their
patent lawyer generalized this idea a bit in the '776 patent. At the time,
most DOS-based AV companies were focused on floppy-based viruses. 

Richard



 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Nick FitzGerald
Sent: Wednesday, March 29, 2006 7:07 PM
To: funsec () linuxbox org
Subject: RE: [funsec] Vulnerability-based IPS Patent

Drsolly to Richard M. Smith:

I *know* what was in Dr Solomon's Antivirus Toolkit :-)

Are you (or anyone else) aware of prior art for this AV patent:

http://tinyurl.com/39ntx

Patent 5,319,776
In transit detection of computer virus with safeguard

Abstract

Data is tested in transit between a source medium and a destination 
medium, such as between two computer communicating over a 
telecommunications link or network. Each character of the incoming 
data stream is tested using a finite state machine which is capable 
of testing against multiple search strings representing the 
signatures of multiple known computer viruses. When a virus is 
detected the incoming data is prevented from remaining on the
destination storage medium. Both hardware and software implementations are
envisioned.

What (I think) they were trying to patent was the idea of virus-scanning
content coming into an off-site backup facility.  IIRC, Hilgraeve had an
interest in one of those early "backup is easy if you don't mind your phone
line being tied up 18 hours a day" services, back in the 2400/4800/9600 bps
days.

Their patent lawyers wrote a much broader patent though, virtually patenting
the notion of "known virus scanning" itself.  The patent is laughable on its
face and the fact that it was never seriously challenged to the point of
overturning it shows how difficult (or at least expensive) it is to get
shockingly bad (US) software patents overturned (a good pragmatic reason for
dissolving all existing US s/w patents and preventing the morons at the
USPTO from ever issuing any more).

Filed:  September 29, 1992
 
Symantec seems to own the patent now:

Symantec Buys Key Security Technology Patent, Records First Quarter 
Charge http://symantec.co.uk/press/2003/n030818a.html

Yes -- Hilgraeve made a small pile of dosh (mostly non-public pay-outs
suspected to be in the range of US$1 to several tens or hundreds of
thousands) plus much publicity from the also required public
apology/admission of infringement from its patent lawyer's (and the
patently nonsensical US legal system's) victims (most of the well-known AV
companies).  They did once "Email virus scanning" had become a necessary
evil and most AV vendors had established a significant market base for such
products in the US, leveraging the threat of a product sales ban against the
exorbitant cost of their victims actually showing what a pile of shit this
nonsense patent is.  (This was not helped by a few of the VERY large players
being the first target and rapidly deciding that pay-up and publicly
apologize was the best _commercial_ strategy.  This also spurred a rash of
similarly nonsense AV-related patents from most of those vendors burned by
the Hilgraeve action.)

Anyway, back to the story -- as I recall (and I'm sure Rob Slade has a much
better memory of this, and maybe even notes to look up to back it all up!
8-) ), somewhere down the line from this, Symantec and another large AV
developer (I'm going to hazard Trend Micro, but it's pretty hazy) were in
some other patent dispute and Symantec realized that its
opponent had not settled with Hilgraeve.  It then became cheaper for
Symantec to buy the patent rights from Hilgraeve (or whoever then had them) to
protect itself from this other action than to settle that action directly.

Ah, the Hilgraeve patent, I remember that. I think Virus Guard (a TSR
scanner) was previous to September 1992. I'd have to check back on old 
versions of the Toolkit to find out when we shipped it. I do remember 
that they wrote to us about 10 years ago suggesting that we might like 
to licence their patent, and we told them "No thank you", because we 
thought at the time that they'd have no claim. I don't think they took 
it any further at that time, so maybe they agreed with our opinion, or 
thought it wasn't worth disputing.

Yes, that was my take on Hilgraeve's patent too -- _any_ pre-existing
resident AV that used any form of pattern scanning and could block/
prevent/usurp copying of an infected file was _trivially obvious_ prior art,
technically rendering the patent invalid.

Interesting sentence "Both hardware and software implementations are 
envisioned."; I'm pretty sure they didn't have an antivirus at the 
time, so they were patenting an idea, not an implementation.

Again, also my understanding.  See my comments above about virus-scanning
backups en route to an offsite storage facility...

(I also have a very vague idea Hilgraeve also took another operation to task
that later (actually) implemented this, perhaps using McAfee as the "inline"
virus scanner.  This was somewhat before the Email virus scanning fiasco
kicked off...)


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
