Abstract: Pre-emptive malware scanning of user specified operating system 10, 12 defined storage locations is performed to establish whether those storage locations contain any malware containing computer files. If the storage locations are malware-free, then they are classified as clean storage locations and subsequent read accesses to those storage locations will be permitted without requiring further malware scanning. Writes to clean storage locations will continue to be malware scanned.

Abstract: An anti-virus system provider distributes an e-mail identifying content filtering rule seeking to identify e-mail messages suspected of containing an item of malware from a central source (20) to users (2). This distribution may be by an e-mail message itself which is appropriately signed and encrypted. At the user system (2), the received e-mail identifying content filtering rule is extracted from the e-mail message and added to the content filtering rules (18) being applied within that user system. In this way, malware which is distributed by e-mail may be identified by characteristics of its carrier e-mail rather than characteristics of the malware itself which not yet have been properly analyzed or the mechanisms for detecting such characteristics of the malware itself not yet put in place.

Abstract: An event report, such as a virus detection event, is sent from a reporting computer 2 to a receiving computer 6 via an internet link 4. The report data may take the form of a URL requesting a web page 28 to be provided by the receiving computer 6, the URL bearing an encrypted form 24 of the report data that is used to identify the requested web page as well as pass further information to the receiving computer 6. Alternatively, the report data may be collated in the reporting computer 2 and passed to the receiving computer 6 when a computer virus definition data update is requested. The report data seeks to uniquely identify the event by incorporating the MAC address of the reporting computer 2, the date, time, computer product identifier, version identifier, update identifier and driver triggered. Additionally, a checksum derived from the infected file together with an indication of the corrective action, if any, taken by the reporting computer 2 may be included.

Abstract: A computer file may be scanned for suspicious words 18 occurring within suspicious contexts 20. Thus, messages embedded by malware authors within their malware may be detected. The detection of such embedded messages may be used to identify otherwise unknown items of malware or as a pre-filtering technique for controlling the use of further scanning techniques.

Abstract: A source computer 2 having a copy of a computer file that it is desired to download to a plurality of target computers issues broadcast messages via a computer network linked to those target computers. The broadcast messages indicate the availability of the computer file for download and include a download qualifying parameter. The download qualifying parameter is used by receiving target computers to determine whether or not they qualify to attempt a download from the source computer in response to the received broadcast message. Only those target computers that do qualify attempt a download. The source computer monitors how many target computers make a download attempt in response to a particular broadcast message and adjusts the download qualifying parameters in subsequent broadcast messages so that the target computers progressively download the new computer file without overloading the source computer.

Abstract: A system, method and computer program product are provided for scanning data utilizing multiple scanning engines. Initially, a request for data to be scanned for viruses is generated utilizing a scanning interface. Thereafter, such request to scan data is sent to a plurality of scanning engines utilizing an engine interface application control module coupled between the scanning interface and the scanning engines. The request is adapted for prompting the scanning engines to scan the data and respond with events upon locating a virus. Such events are then received utilizing an event processor module coupled to the scanning engines and the engine interface application control module for processing the events. The processed events are then sent to the engine interface application control module for being monitored by the scanning interface.

Abstract: A scan of computer files for predefined properties indicative of such things as viruses is disclosed. The scan is performed in a circular manner, such that when all of the files to be scanned have been scanned it starts again from the first file. The ability to update the data defining the properties to be scanned for during a scan is provided.

Abstract: A system, method and computer program product are provided for affording virus-related services utilizing a network browser toolbar. Initially, a request for virus-related services is received over a network from a network browser associated with a computer. In response thereto, virus-related information is transmitted to the computer for being used in conjunction with the network browser to provide virus-related services. In use, the virus-related services are administered utilizing the virus-related information and a toolbar associated with the network browser.

Abstract: Received e-mail messages are subject to a minimum delay period determined in dependence upon characteristics of the e-mail message received. Prior to release of the e-mail message upon expiry of the minimum delay period a check is made that the most up-to-date anti-virus and anti-spamming tests have been applied to the e-mail message. Characteristics that may be used to determine the minimum delay period applied include sender characteristics, recipient characteristics, attachment type characteristics and message content type characteristics.

Abstract: A system, method and computer program product are provided for affording virus-related services utilizing a network browser toolbar. Initially, a request for virus-related services is received over a network from a network browser associated with a computer. In response thereto, virus-related information is transmitted to the computer for being used in conjunction with the network browser to provide virus-related services. In use, the virus-related services are administered utilizing the virus-related information and a toolbar associated with the network browser.

Abstract: The present invention provides a computer program product, method and data processing apparatus for reviewing files for potential malware. The computer program product comprises logging code operable to maintain a statistical log having an entry for each file sent for review, each entry being arranged to store a count value indicating the number of times that the file has been sent for review and a value of one or more predetermined attributes relating to the file. Weighting table code is also used to maintain a weighting table identifying, for each value of said one or more predetermined attributes, a weighting indicating the likelihood that a file having that value of the one or more predetermined attributes will be malware.

Abstract: A computer file may be scanned for suspicious words 18 occurring within suspicious contexts 20. Thus, messages embedded by malware authors within their malware may be detected. The detection of such embedded messages may be used to identify otherwise unknown items of malware or as a pre-filtering technique for controlling the use of further scanning techniques.

Abstract: Pre-emptive malware scanning of user specified operating system 10, 12 defined storage locations is performed to establish whether those storage locations contain any malware containing computer files. If the storage locations are malware-free, then they are classified as clean storage locations and subsequent read accesses to those storage locations will be permitted without requiring further malware scanning. Writes to clean storage locations will continue to be malware scanned.

Abstract: A system, method and computer program product are provided for scanning data utilizing multiple scanning engines. Initially, a request for data to be scanned for viruses is generated utilizing a scanning interface. Thereafter, such request to scan data is sent to a plurality of scanning engines utilizing an engine interface application control module coupled between the scanning interface and the scanning engines. The request is adapted for prompting the scanning engines to scan the data and respond with events upon locating a virus. Such events are then received utilizing an event processor module coupled to the scanning engines and the engine interface application control module for processing the events. The processed events are then sent to the engine interface application control module for being monitored by the scanning interface.

Abstract: A scan of computer files for predefined properties indicative of such things as viruses is disclosed. The scan is performed in a circular manner, such that when all of the files to be scanned have been scanned it starts again from the first file. The ability to update the data defining the properties to be scanned for during a scan is provided.

Abstract: Archive copies of active computer files are generated and stored when a computer file is created or copied onto a computer system. These archive copies are compared with the current active copies upon subsequent access to detect malicious alterations in the active copies. If such alterations are detected, then a repair of the active copy may be made by replacing it with the archived copy. This replacement may be subject to user confirmation or user defined rules. The technique may be selectively applied to certain file types, such as executable files or dynamic link libraries, that are known to infrequently change during normal use.

Abstract: An event report, such as a virus detection event, is sent from a reporting computer 2 to a receiving computer 6 via an internet link 4. The report data may take the form of a URL requesting a web page 28 to be provided by the receiving computer 6, the URL bearing an encrypted form 24 of the report data that is used to identify the requested web page as well as pass further information to the receiving computer 6. Alternatively, the report data may be collated in the reporting computer 2 and passed to the receiving computer 6 when a computer virus definition data update is requested. The report data seeks to uniquely identify the event by incorporating the MAC address of the reporting computer 2, the date, time, computer product identifier, version identifier, update identifier and driver triggered. Additionally, a checksum derived from the infected file together with an indication of the corrective action, if any, taken by the reporting computer 2 may be included.

Abstract: A anti-computer virus system is used to enforce the banning of computer programs. A user is provided with a tool for creating their own banned computer program identifying data. The user-created data is then used to control the anti-virus system to identify banned computer programs and take appropriate banned computer program actions. The banned computer program identifying data can be encrypted with an organization's private PGP key such that it will only be capable of successful decryption and use upon computer systems within that organization bearing the corresponding public PGP encryption key.

Abstract: An anti computer virus program uses a library of virus drivers that includes an indication of whether a particular virus can cause irreparable damage and data indicating enhanced user warnings and actions that might be associated with such viruses. If a detected computer virus is one that can cause irreparable damage, then an enhanced user warning (16) is issued indicating this to the user and a notification (28) of the possibility of such corruption is added into the repaired computer file. The notification may take the form of an electronically signed (30) banner message or the like.

Abstract: A software audit system is provided in conjunction with an anti-virus system. A computer virus scan request received by the anti-virus system (16) is used to trigger an audit data generator (18) to generate audit data. The audit data generator (18) may also serve to ban certain computer programs from execution and monitor the concurrent usage of other computer programs.