funsec mailing list archives

RE: Vulnerability-based IPS Patent


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 30 Mar 2006 15:13:56 +1200

Richard M. Smith wrote:

Here are the folks that settled rather than going to court over the '776 patent:

   - Symantec
   - Alladin
   - McAfee
   - Clearswift

Cheers -- was fairly sure that SYMC and McAfee did and Trend didn't.

I know the threat or worry that they may be targeted by a worrisome 
Hilgraeve patent suit prevented or significantly delayed the release of 
several Email scanners, or at least resulted in their non-US developers 
not making them available to US customers, but happily selling them 
everywhere sensible on the planet...

A TSR product is a good place to look for prior art.  However, the TSR had
to operate on an incoming file before it is written to disk.

Yes, but don't think of "incoming" in local/remote terms.  That's 
covered in Claim 16 and 19 (only?) as an "also" condition (or are these 
to be read as ANDs??  If so, Hilgraeve has _other_ problems...).  The 
claims simply boil down to intercepting the making of a copy on a 
different storage medium (and poorly define even that).  An on-access 
scanner preventing an infected file from being copied from a floppy to 
a local HDD, or vice versa, or from one local HDD to another and even 
from one partition on a physical HDD to another (see Claim 12), are 
technically covered by the Hilgraeve patent claims.

I strongly believe that that was not what was intended to be claimed, 
as that would _CLEARLY_ have made the patent ungrantable on obvious 
prior art grounds, but if you read it carefully, that _IS_ what is 
claimed.  (This is often the best way to attack a patent -- they tend 
to be worded in extremely vague and thus commonly "overly general" 
terms and that often makes it easy to show that they claim to cover 
something that the claimants (probably) would not have imagined they 
could cover _AND_ that is clearly exempted by prior art, albeit perhaps 
entirely unrelated to the apparent mainstay of the patent's claim.  
Hilgraeve is an astounding example of such bad claims drafting and if 
there were any justice in the US patents process it would have been 
thrown out years ago as a result.)

I thought that Hilgraeve made terminal emulator software and they
implemented a virus scanner for files being downloaded from a BBS.  ... 

Yes, that was pretty much it -- either you have a better memory than I, 
or more patience dredging through Google...  (Or both!  8-) )

...  Their
patent lawyer generalized this idea a bit in the '776 patent. At the
time, most DOS-based AV companies were focused on floppy-based
viruses. 

Well, not only "floppy-based" viruses, BUT data and program transfer 
via floppy was far and away the most common means of virus transmission 
between computers at the time and boot viruses were the most common and 
widespread type.  (I started with PCs when virtually every diskette had 
at least a bare-bones system on it so you could start any machine from 
any diskette, and those 360KB 5.25" drives were slooooooow, even by the 
standards of the day.  The first hard drive I ever bought for my own PC 
was a _huge_ 30MB drive, but at least it was only a half-height (i.e. 
one panel unit) device.)

...

Oh, and on consideration, it would appear that even if we grant that 
the patent may, in fact, have merit, a process _otherwise_ apparently 
in breach of the patent could subvert that breach by not "inhibiting" 
the writing of the data in question, but simply writing it "elsewhere" 
(different filename/folder/etc) or "otherwise" (cyphered) _on the 
intended medium_.  This gets around the "automatically inhibiting the 
screened digital data from being stored on said destination storage 
medium if at least one predefined sequence is present" issue, by (say) 
putting the "infected" Email message into a special holding queue 
rather than the "keep processing" queue or whatever.  The "writing of 
the data to the destination storage medium" is thus _not_ "inhibited", 
so long as the holding queue's data is stored on the same disk as the 
"continue processing" queue's...

The Hilgraeve patent, whether intended to or not, claims to patent (a 
form of) on-access virus scanning which was already available in 
freeware and commercial applications _at least two years before_ the 
Hilgraeve patent was even _filed_.  It is a nonsense, and that it even 
exists and companies have extorted money and/or other benefits from 
others as a result of its existence is a sad reflection on the state of 
US IP law and practice.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
