Abstract: A computer system scans image files for pornographic image content by pre-filtering image files to detect the presence in copyright data fields of stored items of copyright information deemed to indicate that the image file is one of acceptable or unacceptable. On detecting such items of copyright information, a signal is output indicating that the image file does or does not contain pornographic image content without the need to analyse the image content of the image file.

Abstract: Heuristic analysis of image is performed to detect pornographic content. Pixels of an image representing a flesh-tone are identified. A heuristic analysis of the image is performed to classify the image as being pornographic or not. The analysis uses measures of a set of predetermined characteristics of the identified pixels as a heuristic to indicate a likelihood that the identified pixels contain pornographic content or not. Particular characteristics used are: the thickness of a region of identified pixels; the area of regions of adjacent identified pixels; the flatness of regions of adjacent identified pixels; the distance of pixels from the centre of the image; the degree of texture of regions adjacent identified pixels; the likelihood of the identified pixels being flesh-tone, and the area of the identified pixels.

Abstract: A method of scanning a computer file for virus infection attempts to identify whether the file contains program code and if it does, it then attempts to identify the compiler used to generate the code and performs a frequency distribution analysis of instructions found in the code to see whether it corresponds with an expected distribution for a program created with that compiler; if it does not, then the file is flagged as possibly having a viral infection.

Abstract: A method of, and system for, virus detection has a database of known patterns of start-up code for executable images created using a collection of known compilers and uses examination of the start-up code of the image by reference to this database to determine whether or not the executable image is likely to have been subject to infection by viral code. In particular, the system seeks to determine whether the expected flow and execution of the image during start up has had viral code interjected into it. Various heuristics to assist in assessing the likely presence of viral code are disclosed.

Abstract: An anti malware scanner for files is provided with means for processing script and macro files and flagging them as suspect or not based upon an automated analysis of source code in the file. This analysis involves separating the program source into groups of parts such as comment, variable names and routine names, eliminating duplicates and performing a character frequency distribution analysis of the resulting strings. The system may include an exception list to omit flagging a file as suspect if it is on the exception list.

Abstract: A content scanner for electronic documents such as email scans objects which are the target of hyperlinks within the document. If they are determined to be acceptable, the hyperlinks are replaced by ones pointing to copies of the objects stored on a trusted server.

Abstract: A message processing system 1 processes messages 5 such as emails being delivered across a network. A plurality of processing modules 10 are each operable to perform an action. A policy engine 11 causes the operation of processing modules 10 selectively in accordance with rules in a rules data store 12 and facts in the fact data store 13. The rules specifying the performance of actions in dependence on facts. The actions performed by the modules 10 include actions of analysing a message 5 and generating message facts specifying information about messages 5, such as the presence of unacceptable content. Thus the rules may specify actions dependant on such message facts. The actions include actions of controlling the delivery of a message 5 or other remedial action.

Abstract: Scanning of computer files for malware uses a classifying technique to classify an input file as a clean file or a dirty file. The parameters of the classifying technique are derived to train the classification on a corpus of reference files including clean files known to be free of malware and dirty files known to contain malware. The classification is performed using a representation of the files in a feature space defined by a set of predetermined features for respective file formats, the features being a predetermined value or range of values for one or more data fields of given meanings. The representation of a file is derived by determining the file format, parsing the file on the basis of the structure of data fields in the determined file format to identify the data fields and their meaning, and determining, on the basis of the identified data fields, which of the set of predetermined features are present.

Abstract: A scanning system for scanning computer files for exploits uses a database of validation rules, in respect of each of a plurality of file formats comprising data fields having a predetermined structure, the validation rules specifying valid structure and/or content for the data fields of the respective file format. Files are analysed to determine their file format. A validation process is performed comprising parsing the file to determine the structure and content of its data fields and validating the structure and/or content of the data fields of the file against the validation rules stored in the database in respect of the determined file format of the file. A file is determined to contain an exploit in response to the structure and/or content of the data fields of the file failing to be validated.

Abstract: A system for anti-virus processing an email having an executable attachment extracts structural elements of the email and examines the executable attachments for code, data or encoded data that could have created these elements. This is effective to detect at least some mass mailing viruses where the executable attachment creates later generations of the attachment and structural elements such as strings which appear in the later emails are present in the attachment.

Abstract: Identification of spam honeypot domains is performed automatically by a system 1. The system 1 searches sources of Internet domains based on user input to identify Internet domains which are candidates for acting as a honeypot domain. The list 7 of domains is refined by a determination unit 8 to exclude domains which are unlikely to be useful.

Abstract: A content scanner for electronic documents such as email scans objects which are the target of hyperlinks within the document. If they are determined to be acceptable, a copy of the object is attached to the document and the link is replaced by one pointing to the copied object.

Abstract: A scanning system 1 scans electronic objects for exploits. An object analyser 5 detects objects using various techniques. Some techniques involve detection of a pattern of bytes which is characteristic of a program file of a specific format. Other techniques use statistical fingerprinting.

Abstract: A method of detecting spam images in electronic objects such as emails comprises compressing images extracted from the electronic object into a common representation using a lossy compression function and determining if the compressed forms of the extracted images are identical to the compressed form of any known spam image from a corpus of known spam images, which compressed forms are the known spam images compressed into said common representation using said lossy compression function. The electronic objects are signalled as embedding a spam image on the basis of a compressed form of an extracted image extracted from an electronic object being determined to be identical to the compressed form of a known spam image.

Abstract: A system for processing a computer file to determine whether it contains a virus or other malware maintains a database of known files which it references to determine whether the file is an instance of a known file, and if so, whether it has been known about long enough that it can be regarded as safe. If it can be regarded as safe, the file is subject to less thorough processing for detecting malware, or no such processing at all.