Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Tuesday, January 29 2008 @ 08:00 AM EST

We have another Pick Your Brain request. This one comes from Barracuda Networks, the email and web security appliances company, but it's about an attack on ClamAV, the Open Source antivirus product.

Barracuda includes ClamAV in some of its enterprise solutions, although it's a small part of what Barracuda does. And Trend Micro has accused ClamAV of infringing a patent it owns, #5,623,600. It specifically has named Barracuda Spam Firewall, the Barracuda Web Filter, and the Barracuda IM Firewall as infringing. Trend Micro has been trying to get Barracuda to either pay license royalties for including ClamAV or stop using ClamAV in its products.

Barracuda, however, is an Open Invention Network licensee, and it decided to stand up and defend ClamAV against what it views as a bogus claim. Barracuda believes the patent is questionable, at best, and believes there is prior art to be found, so it decided to defend ClamAV on behalf of the community, and it asks for our help in finding prior art. Here's the specific Barracuda request for prior art:

People should look for art dated prior to Trend Micro's filing date of September 26, 1995. The '600 patent is entitled "Virus Detection And Removal Apparatus For Computer Networks." We are interested in all material, including software, code, publications or papers, patents, communications, other media or Web sites that relate to the technology described prior to the filing date.

In particular, this prior art should show antivirus scanning on a firewall or gateway. However, many of the claims do not require virus detection at a gateway. So any material that illustrates virus scanning on a file server is also of interest.

We also believe that a product called MIMESweeper 1.0 from a company called Clearswift, Authentium, or Integralis anticipates several claims of the '600 patent. We have yet to locate a copy of this product and would appreciate anyone who has a copy sending it our way.

Litigation has begun, as I'll explain in detail in a minute, and there is a complaint filed by Trend Micro at the International Trade Commission, against Barracuda and Panda Software International and Panda Distribution of California, and the ITC decided on December 21st to investigate the complaint.

Here's how Trend Micro describes its patent in the ITC complaint:

To decrease the risk of a virus entering and/or leaving a network, the ‘600 Patent scans for viruses and other undesired software at the gateway of a network. Moreover, because viruses may be embedded in the content (such as, for example, email attachments and other content from the World Wide Web), the ‘600 Patent scans the content.

I know. You are rolling on the floor, gasping for breath because you are laughing so hard that anyone would even try to claim such an obvious thing as blocking viruses at the gateway. What can I tell you? Patents have gone berserk. For any who don't know what blocking at the gateway means, it's just that in the enterprise, you block before anything even reaches the employees' computers, as opposed to each one installing antivirus software individually. Obvious. Obvious. Obvious business method.

But believe it or not, that's what is being claimed as patented. I know. But with patents, what's the use in being surprised or indignant? The whole system has veered so far from true North that the best response at this point is to find prior art and knock them down one by one until the message is received that attacking FOSS with patents is counterproductive.

Here's what the ITC said the complaint is about and what happens next:

The complaint alleges violations of section 337 of the Tariff Act of 1930 in the importation into the United States of certain systems for detecting and removing viruses and worms, components thereof, and products containing same that infringe a patent owned by Trend Micro. The complainant requests that the ITC issue an exclusion order and cease and desist orders....

By instituting this investigation (337-TA-624), the ITC has not yet made any decision on the merits of the case. The case will be referred to the Honorable Carl C. Charneski, an ITC administrative law judge, who will schedule and hold an evidentiary hearing. Judge Charneski will make an initial determination as to whether there is a violation of section 337; that initial determination is subject to review by the Commission.

The ITC will make a final determination in the investigation at the earliest practicable time. Within 45 days after institution of the investigation, the ITC will set a target date for completing the investigation. ITC remedial orders in section 337 cases are effective when issued and become final 60 days after issuance unless disapproved for policy reasons by the U.S. Trade Representative within that 60-day period.

I think they pretty much always do investigate complaints, by the way. If you'd like to read the ITC complaint, go to this page and search for Investigation Number: 337-624 or search by title: Certain Systems for Detecting and Removing Viruses or Worms, Components Thereof, and Products Containing Same, 337-TA-624. But no matter how you slice it, it's a serious matter, and the time to find prior art is now.

Barracuda isn't just interested in prior art regarding blocking at the gateway. In addition, specific features of interest listed include the following:

  • virus detection at an FTP proxy server

  • use of an FTP daemon

  • virus detection at an SMTP proxy server

  • use of an SMTP daemon

  • determining whether the data is of a type that is likely to contain a virus, and only determining whether that data contains a virus

  • signature scanning

  • file typing by comparing extensions

  • determining whether email messages with multiple encoded portions (i.e., attachments) contain viruses by storing each encoded portion in a separate temporary file, decoding the encoded portions of the mail message to produce decoded portions, and scanning each decoded portion for a virus

  • mail parsing

  • only scanning mail messages that have attachments

  • performing a preset action if a virus is found, including, among other things, transferring the data unchanged, not transferring the data, storing the data with a new file name and alerting the recipient of the new file name, and transferring modified data.
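To make the listed features concrete, here is an added example (not code from ClamAV, Barracuda, or the patent) that walks one constructed message through mail parsing, extension-based file typing, decoding each attachment into its own temporary file, signature scanning, and a preset action. The signature, the extension list, the action names, and every function name are assumptions made for illustration.

```python
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless marker standing in for a real virus signature.
SIGNATURES = {"Constructed.Test.Marker": b"HARMLESS-TEST-MARKER-0001"}
# Assumed list of extensions treated as "likely to contain a virus".
RISKY_EXTENSIONS = {".exe", ".com", ".doc", ".zip"}


def build_sample_message():
    """Build a constructed three-attachment message and return its raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    samples = [
        ("notes.txt", b"plain notes"),
        ("invoice.doc", b"header " + SIGNATURES["Constructed.Test.Marker"] + b" trailer"),
        ("clean.doc", b"an ordinary document"),
    ]
    for filename, body in samples:
        # Bytes attachments are base64-encoded on the wire by default.
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def scan_file(path):
    """Signature scan: return the name of the first matching signature, or None."""
    with open(path, "rb") as handle:
        data = handle.read()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_message(raw, action="rename"):
    """Parse a mail message and scan each decoded attachment in its own temp file.

    action is the preset response to a hit: "transfer", "block" or "rename".
    """
    if action not in ("transfer", "block", "rename"):
        raise ValueError("unknown preset action: " + action)
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = list(msg.iter_attachments())
    if not attachments:
        # Only messages that carry attachments are scanned at all.
        return [{"file": None, "verdict": "not-scanned", "delivered_as": None}]
    results = []
    with tempfile.TemporaryDirectory() as workdir:
        for index, part in enumerate(attachments):
            name = part.get_filename() or "part%d" % index
            ext = os.path.splitext(name)[1].lower()
            if ext not in RISKY_EXTENSIONS:
                # File typing by extension: unlikely carriers pass unscanned.
                results.append({"file": name, "verdict": "skipped",
                                "delivered_as": name})
                continue
            # Decode the transfer encoding and store the part in a separate
            # temporary file; the sender-supplied name is never used as a path.
            path = os.path.join(workdir, "part%d.bin" % index)
            with open(path, "wb") as handle:
                handle.write(part.get_payload(decode=True) or b"")
            hit = scan_file(path)
            if hit is None:
                delivered = name
            elif action == "transfer":
                delivered = name                      # pass through unchanged
            elif action == "block":
                delivered = None                      # do not transfer
            else:
                delivered = name + ".quarantined"     # new name, recipient alerted
            results.append({"file": name, "verdict": hit or "clean",
                            "delivered_as": delivered})
    return results


if __name__ == "__main__":
    for row in scan_message(build_sample_message()):
        print(row)
```
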

So if you know of anything that did such things, or were written about, prior to the September 26, 1995 date, sing out. Barracuda has some examples of prior art it has in hand already, and if you go to their Legal Defense of Free and Open Source Software page, and scroll down to the Prior Art heading, you'll find them.

I can't help but note that Trend Micro didn't go after ClamAV developers directly; it zeroed in on a business using ClamAV instead. Why might that be? I think it's patent pragmatism at work. Litigation often starts with a "who has the deep pockets?" analysis, because most litigation is about money. And I understand that McAfee, Symantec and Fortinet have all settled with Trend Micro already, although the details are not public. But this seems to be about more than that. Anyway, FOSS projects really can't play that patent money game. We don't usually have the money. Anyone using ClamAV, should Trend Micro be successful, is potentially a target.

More About the Litigation

Barracuda went to federal court first, filing a lawsuit [PDF] against Trend Micro, seeking a declaratory judgment that Trend Micro's '600 patent is invalid and that ClamAV does not infringe it anyhow, and Trend Micro filed an Answer with Counterclaims [PDF] to which Barracuda has replied [PDF]. Trend Micro accuses Barracuda of infringing its patent directly, contributorily, and by inducement. A declaratory judgment is the same thing Red Hat asked the court in Delaware for against SCO. You can read more about what a declaratory judgment is here, in an article I wrote way back in June of 2003, if you are curious, but the short version is that it's asking the court to settle a controversy. It's not asking for money, just that rights be established to settle whatever the controversy is.

Trend Micro then filed the complaint with the International Trade Commission (ITC), complaining about patent infringement but essentially trying to block Barracuda from importing ClamAV on the basis of the alleged infringement, as best as I can make out. Not that Barracuda does import it, and in fact it specifically denies importing ClamAV in its Answer [PDF] to the ITC complaint, but that's the Trend Micro claim. Barracuda's CEO Dean Drako, in today's press release, says this:

“Barracuda Networks designs and manufactures all of the products in question in the United States. We believe that Trend Micro’s actions are a blatant abuse of the U.S. legal system. Since Trend Micro is a consumer of free and open source software we call on Trend Micro to drop these attacks.”

Here's the essential Trend Micro allegation:

In particular, as discussed above, ClamAV antivirus software which is included in Barracuda’s antivirus system is specifically designed to provide protection from computer viruses at the network gateway....

...upon information and belief, Barracuda's AV systems contain open source antivirus software, known as ClamAV, that is specifically designed to protect against computer viruses at the network gateway...Further, upon information and belief, ClamAV software is written, at least in part, by ClamAV developer team members located in Europe and Australia. Thus, Barracuda imports software specifically designed to protect against viruses at the network gateway.

High crime indeed, blocking viruses at the gateway. But Barracuda says it downloads ClamAV from servers in the US. Did you notice, though, how Trend Micro mentioned that ClamAV is Open Source? That is part of what makes me think this is yet another attack on the development method itself, this time trying to use its international development as the wedge. If you think about it, though, blocking FOSS antivirus solutions only makes the Internet more dangerous for everyone. It's considered one of the very best in its league. And it's obvious that FOSS projects can't pay patent license royalties, so it's a stranglehold maneuver.

Unlike commercial software vendors that typically have a defensive patent portfolio as a deterrent -- and thus maintain a kind of cold war truce against such suits -- or don't mind trading and swapping money in reaction to such attacks, the Free and Open Source community is more vulnerable. I have never forgotten that Microsoft's Bill Gates said in 2003, right after SCO sued IBM and began trash talking Linux, that Linux would find itself under legal attack for the next five years. And so it has proven to be. Partly, I believe, the goal was to tax the community, not just for the joy of getting the tax money, but to add the heavy costs of legal defense to FOSS development, so it couldn't be free anymore, and so proprietary software would have more of a chance against it in any TCO analysis. The expense of legal defense alone could put a heavy tax on the community, and I am very glad to see Barracuda, which has benefited from ClamAV, be willing to take on the cost of defending it.

In other words, this is a serious situation. I think it's another attempt to attack the FOSS development model and force those using such software to pay the proprietary dudes a tax. That's the same dream that SCO started with, and Microsoft shares the dream. A lot of proprietary software folks realize the sun is setting on their business model, and they would like a piece of what is replacing it, without having to actually do anything to earn the money they want to collect, and patents are simply perfect for lazy incumbents. If ClamAV is not successfully defended, I think there may be an avalanche of this kind of attack, proprietary vendors looking for some silver to cross their palms from anyone using FOSS software.

Is it all coordinated? Maybe. But who cares? (Unless you are the EU Commission.) It's serious, no matter who is behind it. Taxing or restricting Free and Open Source software based on questionable patents affects both security innovation and industry pricing of security products. And with more than one million unique IP addresses downloading updates of ClamAV from SourceForge daily, this attack potentially can impact a lot of people.

And let me add one final thing: I know some of us don't use any antivirus on our GNU/Linux computers. I don't myself. But businesses do. In many cases, they have to if they wish to fulfill certain legal requirements or if they wish certain kinds of business. So, instead of wasting energy arguing the point, let's just get to work on the prior art. And if you have a copy of MIMEsweeper 1.0, please go to this page that Barracuda has set up for prior art submissions and tell them you have it in addition to mentioning it here in your comments.

Update: Don Marti has a story on LinuxWorld about the Barracuda request for help. He spoke with the attorney for Barracuda, James Yoon of Wilson, Sonsini, and with Eben Moglen of Software Freedom Law Center. Here's what Moglen has to say:

Eben Moglen, professor of law and legal history at Columbia Law School and chairman of the Software Freedom Law Center, says that his organization and other concerned users can act as a "Business Improvement District rent-a-cop" to help protect companies that work with free and open source software from so-called "patent trolls."

"A troll that might have thought it was safe to take a bite out of a business in the past might find that the business is aligned with the free world," he said in a phone interview. "We want the trolls to go and work in some other neighborhood."

And Yoon, who intriguingly is both an IP attorney and in the past worked as an electrical engineer, talks about both the litigation scheduling and the ITC importation complaint:

Trend and Barracuda are in the discovery phase of the ITC case, but, Yoon says, "a scheduling order is not in place," leaving time for Barracuda to introduce additional prior art. Drako says he believes the ITC filing is an abuse of the US legal system, since, although ClamAV has non-US contributors, the free antivirus software is maintained by Maryland-based Sourcefire, Inc., and Barracuda downloads and compiles ClamAV in the USA. Other imported parts that Trend cites in its complaints are standard PC hardware, "staple" components not specific to virus filtering, Drako says.

Update 2: Here are some more court filings that I know will help you focus on precisely what to look for in the way of prior art, the Joint Statement of Claim Construction and a list of all the precise ways Trend Micro thinks ClamAV infringes. Take a look:

The Joint Claims Construction Statement is particularly useful, because it's what the parties believe is in dispute. And they get together and decide what terms in the patent claims mean. For example, in this litigation, the parties have agreed that the word server means either software or a computer used as one, or more precisely, "A computer and/or software that performs services for other computers or programs". But they can't agree on what the word "file" means. If you look at the chart of disputed words and the evidence in support on page 8, perhaps you can figure out why each wishes to define it the way it does, but I was so far unable to solve that mystery, except that one has to assume that each wants the definition to match the claims and/or defenses against them. They are also in dispute over what a proxy server definition should be.

Not every claim listed in Trend Micro's patent is still in dispute, so to be really useful here, it is worth slogging through the details in that document. Happy prior art hunting!

Update 3: I had an idea regarding MIMEsweeper 1.0. Who, I asked myself, would be most likely to have a copy? What about security guys? For example, would the individual who reported this exploit to SecurityTracker not have a copy? I think he must. Also, a Groklaw member tells me that Clearswift offers the product still, at least on the German site, and there are forums, where you can ask questions, and since it's frequented by both employees and customers, you might bump into an old-time programmer or sales guy there who has a clue, and he says most of them will speak English.


  


Corrections Here
Authored by: feldegast on Tuesday, January 29 2008 @ 08:03 AM EST
So they can be fixed

---
IANAL
My posts are ©2004-2008 and released under the Creative Commons License
Attribution-Noncommercial 2.0
P.J. has permission for commercial use.

[ Reply to This | # ]

[NP] News Picks discussion
Authored by: Aladdin Sane on Tuesday, January 29 2008 @ 08:13 AM EST
Discuss Groklaw News Picks here.

Please reference which News Pick you are commenting on.

Thanks.

---
Form follows function

[ Reply to This | # ]

[OT] Off Topic discussion
Authored by: Aladdin Sane on Tuesday, January 29 2008 @ 08:17 AM EST
Place comments that don't fit in other threads here.

Please format your comment as best you can using the "Preview" button.

For really good formatting help see Groklaw's HTML How To.

---
Form follows function

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: Anonymous on Tuesday, January 29 2008 @ 08:21 AM EST
Story with quotes from Barracuda lawyer James Yoon and SFLC's Eben Moglen: LinuxWorld.com story

[ Reply to This | # ]

Prior art - McAfee Netshield
Authored by: Anonymous on Tuesday, January 29 2008 @ 08:25 AM EST
Here is a link to a zdnet article from January 1993 announcing the release of McAfee Netshield version 1.0.

This was the first of a series of products that they still produce to this day. It is a file server based anti-virus product that scans files for viruses and can be configured to scan (or not to scan) based on the filename extension and other criteria, including virus "signature" scanning, and can be configured to perform various actions, including but not limited to, moving an infected file to a "quarantine" location, renaming an infected file, deleting an infected file, or doing nothing to an infected file while alerting an administrator of the infection.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: dyfet on Tuesday, January 29 2008 @ 08:30 AM EST
I find this interesting for a number of reasons. First, of course, I have used
clamav, mostly to filter e-mail so that we do not accidentally receive/forward
some embedded virus that while harmless here might harm others who are not yet
on free software platforms, and because it is a GPL licensed solution.

I also recall the only other major anti-virus-like product I was aware of for
use on GNU/Linux systems was made by a Romanian company and was then removed
from the marketplace after the company was sold to its new owner, Microsoft. I
note this because the question of coordinated action was mentioned in PJ's
article, and the fact that clamav, as a foss product, could not be removed from
the marketplace by the same methods, so I wonder if this is an attempt to do so
by other means.

As a matter of principle, I believe we should stand in solidarity and in support
of any group, company, or institution under threat from simply exercising
freedom, developing products in freedom, or offering products under freedom. I
have no immediate awareness of prior art relevant to this case, but I imagine
others in the community most likely do.

[ Reply to This | # ]

I seem to remember...
Authored by: Anonymous on Tuesday, January 29 2008 @ 08:43 AM EST
...back in the old NetWare v.3 period when we were using GroupWise that we
implemented some virus scanning on the mail server. This would be in the early
half of the '90s, but I can't remember which product we used back then (Norton?
Norman?).

*pnd*

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: knarf on Tuesday, January 29 2008 @ 08:49 AM EST

The first thing I thought about with regard to prior 'art' (between quotes because this is about as artistic as eating a banana) was the lock and guard at the door to the building. Instead of putting heavy duty locks on all drawers, filing cabinets, keyboards, internal doors, powder rooms and water coolers someone somewhere in time came up with the splendid idea of sorting out the wanted from the unwanted at the entry to the cave/castle/fortress/building/city. Some even go as far as to search and/or scan everything and everyone before entry as that nice suit and tie might hide a nasty surprise in its briefcase.

This seems to translate almost one to one into ingress control on a network:

  • control on entry: check
  • opening briefcases to look what is inside: check
  • scanning for known bad entities/substances: check
  • etcetera...

Translating common practice in the physical domain into similar practice in the information processing domain should not be patentable. Given recent rulings about non-obviousness this should be enough to invalidate this sorry excuse for a patent...

---
[ "Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est." ]

[ Reply to This | # ]

Another possible prior art?
Authored by: Anonymous on Tuesday, January 29 2008 @ 08:57 AM EST
Here is a Link to a company named Service Strategies, Inc. They make an email gateway product called SMF Email Gateway that converts between SMTP and "Standard Message Format (SMF), the format used by ExpressIT!, DaVinci eMAIL, Beyond Mail, Office Logic, and other applications". It allows you to use third party virus scanning utilities to scan file attachments in the email on the gateway server.

I am not sure when they started making this product, but according to their web site they have been in business since 1995, and since Beyond mail and DaVinci eMAIL have not been made in a number of years, it is possible that they developed this technology before the Trend patent application was filed. Their web site does not give enough information, so you would have to contact them to get details.

[ Reply to This | # ]

It seems to me that prior art doesn't have to be strictly computer?
Authored by: MDT on Tuesday, January 29 2008 @ 09:05 AM EST
I mean, this type of 'quarantine' operations is centuries old, just applied to
an electronic environment, not a physical environment.

For example :

1200 AD. Castle is surrounded by large stone walls. Guards at a gate with a
portcullis and drawbridge screen people entering and leaving to prevent
dangerous people from entering. Direct correlation : Castle - Server, Stone
Walls - Firewall, Gate - Port, Guards - AV Software, Dangerous People -
Viruses.

1970 AD. Hospital has an outbreak of Ebola. Hospital is quarantined. All
doors and windows are sealed. Anyone coming or going has to be tested for Ebola
before they are allowed to leave. Hospital - Server, Sealed Doors/Windows -
Firewall, Hospital Entrance - Port, Doctors testing blood - AV Software, Danger
to society (Ebola Virus) - Computer Virus.

I am not a lawyer, but I seem to remember the Supreme Court recently saying that
applying recognized methods that work in a physical environment cannot be called
'innovative' or 'non-obvious' if they work in an electronic environment as a
person of reasonable skill would expect.

There's thousands of years of real life experience with limiting your entrances
and putting guards on it to keep undesirable elements out. Why would anyone
think it wouldn't work in an electronic environment?

---
MDT

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:08 AM EST
Err... Barracuda's attorneys couldn't even get the name of the patent right in
their filing. That doesn't bode well for them...

[ Reply to This | # ]

A networked computer, is a networked computer is a ..........
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:10 AM EST
Email implies a networked computer. What difference does it make on WHICH
computer it is scanned? This is a client/server model. Centralization of a
service is an 'inherent' network model. I'd say the whole networking model is
prior art, but legal is not the same as right and wrong.

[ Reply to This | # ]

Devil's Advocate for a Moment, and also old possible prior art
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:17 AM EST
While scanning for viruses in the firewall is an obvious thing today, for a long
time, it was not being done. Virus scanning was only done on the client or
server machines for a long time, and someone had to come up with the idea of
doing the scanning on the firewall. Remember that early firewalls were quite
limited devices, and doing extensive scans was not necessarily practical.

That said, the real question is when were the first anti-virus scans done in a
firewall or similar gateway machine, rather than on the end machine. I suspect
it was well before 1995.

There is a very old and obscure paper from 1975 that suggests using an external
minicomputer to monitor another computer for bad security things. This was
before the term computer virus had been introduced, and it's not clear whether
the idea would even have worked, but it might constitute prior art from a patent
perspective.

Painter, J. A., "A Minicomputer Network to Enhance Computer
Security", Computer Networks, Online Conferences, Ltd,
Uxbridge, England, 1975.

[ Reply to This | # ]

"Trend Micro is a consumer of free and open source software"
Authored by: Aladdin Sane on Tuesday, January 29 2008 @ 09:19 AM EST
I'm disturbed by the hypocrisy.

I wonder if any of the FOSS that Trend Micro consumes is licensed under GPL v3, and if so does their litigation spree affect their right to use it?

---
Form follows function

[ Reply to This | # ]

Simple
Authored by: NZheretic on Tuesday, January 29 2008 @ 09:22 AM EST
Google Groups Search virus "proxy server" (smtp OR ftp) before patent date
March 22 1995 Norman Defense Systems Unveils the Norman Firewall

Mar 29 1994 FAQ: Computer Security Frequently Asked Questions TAMU : " A wonderful paper about TAMU was presented at the 4th USENIX Security Symposium, and is reprinted in the proceedings of the same"

[ Reply to This | # ]

Network scanning vs. filesystem scanning
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:29 AM EST
It seems to me that most "network" virus scanners are applied to
protect a network by working on a filesystem at an obvious place. This may be
possible because the firewall is receiving ALL mail, and is forwarding it on to
various other email servers via subdomains or a DNS round-robin scheme. The mail
actually resides on the firewall filesystem before it is forwarded on to another
system.

If it were a true network virus scanner, then it would obviously be working on a
network stream using libpcap or tcpdump, and then modifying the network data
stream in real time, keeping track of the fact that the stream is not sequential
and may include broadcast retries.

Obviously [to me], the product that the patent is talking about is the same no
matter where it is applied. It works on a filesystem. It could just as easily be
applied at all the terminal points [sorry about the pun] as at the entry point.
Maybe not as effectively, but it would be doing the same job. At that point,
it's just an architectural process.

Corrections and illustrations of How It Really Works [TM] will be accepted
graciously. Maybe something came out in the last five years that negates this
argument.

[ Reply to This | # ]

Wayback machine / internet archive / etc
Authored by: knarf on Tuesday, January 29 2008 @ 09:30 AM EST
This goes back to 1996 so it is not conclusive but still...

McAfee in December 1996

Review of Thunderbyte server edition in the April 1996 issue of a magazine...

---
[ "Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est." ]

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: TemporalBeing on Tuesday, January 29 2008 @ 09:34 AM EST
Well...I don't have prior art to list, however, at least from PJ's summary it seems to me that this case is more about how Barracuda will be bundling ClamAV with other products than simply ClamAV itself.

ClamAV itself is simply an antivirus scanner and just checks files that are requested of it to check. It only works in conjunction with a gateway, firewall, e-mail server, file server, real-time scanning, etc. if there is either a wrapper program to make it do so (e.g. WinPooch) or the application itself integrates the ClamAV API Library (libclamav).

I mention this because I think this is why Trend Micro went after Barracuda directly and not the developers of ClamAV, who while certainly making it easy for other developers to integrate ClamAV into other products do not provide claimed functionality themselves.

That said, SourceFire Inc. who recently bought ClamAV for integration with Snort might also come under fire because of integrating it with Snort for a similar purpose.

So...one might want to look at how old Snort is and see if it integrated any similar features in the past with similar tools as that might also be a source of prior art.

This will be a very important case as it will end up being applicable to several open source products - at least ClamAV, Snort, SpamAssassin, and others - in the long run.

Please correct me if I'm wrong on any of the above points.

As always, hope this helps someone - whether Barracuda's attorneys or someone else here helping out.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:36 AM EST
A Secure Sendmail Based DMZ for the Corporate Email Environment

Jason D. McLellan
January 13, 2003
GSEC version 1.4b

The specific areas we will explore are; the benefits of this approach, design considerations and example designs, sendmail compilation and configuration, and content security strategies for antivirus and unsolicited email control.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:39 AM EST
Not sure where I would find any proof, but I remember using McAfee on the Macs
back in 1991-1992. My high school had a Mac lab that was connected to a
LocalTalk network and we were served apps from the server. I am sure it was
running McAfee too. Not sure if that's any help....

[ Reply to This | # ]

Bibliography of targets - Please locate copies
Authored by: NZheretic on Tuesday, January 29 2008 @ 09:47 AM EST
Author: Nick Lai
Author: Terence E. Gray
Title: Strengthening Discretionary Access Controls to Inhibit Trojan
Horses and Computer Viruses
Pages: 275-286
Publisher: USENIX
Proceedings: USENIX Conference Proceedings
Date: Summer 1988
Location: San Francisco
Institution: University of California, Los Angeles

Neil's Bibliography on
Computer Viruses and Malicious Code
http://www.jjtc.com/Security/bib/virus.htm

A. Doumas and K. Mavroudakis and D. Gritzalis and S. Katsikas
Design of a neural network for recognition and classification of computer
viruses
Computers & Security, 14(5), pp. 435-48, 1995.

Anonymous
Resource Guide: Virus Protection for Networks
Byte Magazine, 18(6), p. 144, May 1993.

Anonymous
Software Roundup: Virus-Prevention NLMs: As the computing world becomes
increasingly interconnected through LANs, wide-area links, the Internet, and
on-line services, corporations are more vulnerable to the threat of computer
viruses. BYTE evaluates a convenient and effective solution: antivirus software
that works as NetWare NLMs. We test seven products for performance,
effectiveness, usability, and versatility
Byte Magazine, 19(8), p. 129-130, 132--134, 136, August 1994.

B. Nance
Keep networks safe from viruses
BYTE Magazine, 21(11), p. 167, 169, 171, 173, 175, November 1996.

11. Catherine L. Young
Taxonomy of Computer Virus Defense Mechanisms
10th National Computer Security Conference, pp. 220-225, 1987.

15. David M. Chess
Computer viruses and related threats to computer and network integrity
Computer Networks and ISDN Systems, 17(2), pp. 141-148, July 1989.

42. Harold Joseph Highland
How to Detect a Computer Virus in Your System
Computer & Security, 8(7), pp. 557-559, 1989.

Jeffrey O. Kephart and Steve R. White
How Prevalent are Computer Viruses?
Technical Report, IBM Research Division, Thomas J.Watson Research Center,
Yorktown Heights, NY 10598, Number RC 17822 No78319, March 1992.

53. John DeHaven
Stealth Virus Attacks: Anonymous attack software targets networked
computers
Byte Magazine, 18(6), p. 137-138, 140, 142, May 1993.

K. Gaj and K. Gorski and R. Kossowski and J. Sobczyk
Methods of Protection against Computer Viruses
(SAFECOMP'90): Safety Security and Reliability Related Computers for the 1990s,
p. 43, Pergamon Press, Oxford, 1990.

70. M. Schlack
How to keep viruses off your LAN
Datamation, 37(20), p. 87-88, 90, October 1991.

71. Maria M. Pozzo and Terence E. Gray
An Approach to Containing Computer Viruses
Computers & Security, Vol. 6, pp. 321-331, 1987.

90. Terence E. Gray Nick Lai
Strengthening Discretionary Access Controls to Inhibit Trojan Horses and
Computer Viruses
Proceedings of the USENIX Summer Conference, pp. 275-286, USENIX
Association, June 1988.


93. Varney
Adequacy of Checksum Algorithms for Computer Virus Detection
SIGSMALL: SIGSMALL/PC NOTES (ACM Special Interest Group on Small and
Personal Computing Systems and Applications), Vol. 17, 1991.



[ Reply to This | # ]

80s/early-90s file sharing systems
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:52 AM EST
Look at virus scanners that ran on:
* AppleShare servers
* Netware servers
* DOS and Windows machines that happen to be acting as file servers
* Unix machines that happened to be sharing files with Windows or Apple
machines

The "trivial" case has plenty of examples, including just about every
DOS, Windows, or Mac antivirus software package before 1995:
A Mac, DOS, or Windows 3.x/95 machine that happens to be serving files on the
network and which is running client-oriented antivirus software. Any patent
which claims to cover this is obvious on its face.

More interesting cases would be software which was aware that it was on a file
server and which took specific action using that knowledge.

The most interesting cases would be those where the antivirus software was
specifically designed to protect "the network" or "files visible
to the network" and did so more efficiently than a typical "protect
the host and its files" antivirus product. Products which recognized and
quarantined infected machines on the network are also interesting.

[ Reply to This | # ]

THIS OUGHT TO BE ILLEGAL
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:05 AM EST
to make a living off hardship
to sue people trying to help people

these kinds of suits make me completely sick

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:05 AM EST
You may want to look at Novell's NetWare offerings along
with Border Manager. We were scanning viruses on Novell
servers way before 95.

But I believe Novell networks were doing this before 1995.
Border Manager may have come out later but I can't remember
the dates.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: kozmcrae on Tuesday, January 29 2008 @ 10:08 AM EST
Someone should tell Trend Micro the wheelbarrow hasn't been patented.

Richard


---
Coming soon: Signature 2.0

[ Reply to This | # ]

Firewalls and Internet Security, Cheswick & Bellovin
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:14 AM EST
"Repelling the Wily Hacker"

ISBN 0-201-63357-4 Copyright 1994 AT&T Bell Laboratories Inc.

P.S. Does anyone know the history of SNORT? It may be old enough to apply as a
source of prior-art.

agriffin

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: pshempel on Tuesday, January 29 2008 @ 10:19 AM EST
In 1989 I was running a BBS and every file that was sent onto this BBS would be
scanned for viruses. If you look at the history of BBS's and the online world
then during the late 80's early 90's, this was common practice.

You can look at WildCat BBS as one that did this and there were thousands more that
did the same. The doors applications have built in anti-virus protection.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:25 AM EST
We ran Novell 3.x and 4.x servers in our manufacturing
plants and routed between subnets on each server, and on
the server we had virus scanning software to scan for
viruses on our Windows 3.11 and 95 networks. This was
commonplace and just common sense to contain viruses and
their damage so they wouldn't spread through the networks.

So you could consider this a gateway and I know this was
before 95.

Just ceases to amaze the obvious patents that get shoved
through just so the government can make some money.

[ Reply to This | # ]

  • Hmmm... - Authored by: OrlandoNative on Tuesday, January 29 2008 @ 11:02 AM EST
    • Hmmm... - Authored by: Anonymous on Tuesday, January 29 2008 @ 12:59 PM EST

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:37 AM EST
Cheswick and Bellovin "Firewalls and Internet Security".
Addison-Wesley, Copyright 1994 by AT&T Bell Labs.

Pg 76

"The type of filtering used depends on local needs and customs. A location
with many PC users might wish to scan incoming files for viruses."

This would seem to imply that it was already well-known to the security
profession that it could be done -- and in fact that it was not even worth
saying how to do it, a simple aside was enough.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: James Wells on Tuesday, January 29 2008 @ 10:38 AM EST
Greetings,

In '91, I built a network for the US Navy at White Sands New Mexico. The
core of the network was file 5 SUN Sparc's that I built out as file servers (For
Mac / DOS & Win), email servers, and gopher / ftp proxies. Due to the
number of files / users I had on the network and my previous work with
Anti-Virus stuff, I wrote a couple of tools that allowed the file servers, ftp
proxies, and mail servers to be scanned for all known virus signatures at the
time.

Additionally, our network had a dedicated link to the US Navy network at
China Lake, California (At the time, this was the world's largest Mac network),
and they had various Anti-Virus tools that they sent me for scanning and
removing virus via a network server from my user's systems.

Unfortunately, I do not have access to the code that I created back then, but
I did create it based on orders from my superiors.

Also, the concept was around long before that as can be proven by reading the
Cuckoo's Egg, by Cliff Stoll. For those not familiar with it, this was Cliff's
account of a computer intrusion (The Hannover Hacker incident) back in the '80s,
but near the end of the book he talks about Bob Morris jr's worm in '86 and
about the need to defend networks against that type of attack.

Finally for yet more prior art, I would recommend reading the now-declassified
'Operation Sun Devil' documents that actually explains how to create firewall /
gateway scanners. IIRC Operation Sun Devil was 89 - 91.

---
"Individuals are smart, people are stupid" -- Tommy Lee Jones as "K" from Men In
Black

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated
Authored by: tknarr on Tuesday, January 29 2008 @ 10:46 AM EST

Don't know about prior art, but back in the 80s it was standard practice for BBS systems that provided file upload/download areas to scan all uploaded files before moving them to the download area for users to see and download. There was even automated transfer of files between those BBSes in some cases where, if a file was made available on BBS A, BBS B would notice this and fetch it, scan it and make it available without any individual having uploaded it to B. Messages were similarly scanned (both when sent and when imported from another BBS in the network) for things like potentially-dangerous ANSI escape sequences. This sounds like exactly what's being patented here. And it also seems like someone with experiences with BBSes would consider it obvious, when setting up a file server (to let users retrieve files that they or others had uploaded) or mail server (to send and receive messages from other systems and let users send and view messages locally) would consider it obvious that the same sort of scanning would be needed for the same reasons it was needed on the BBS.

[ Reply to This | # ]

Patent number: 5511163
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:56 AM EST
Filing date: Dec 19, 1994
Issue date: Apr 23, 1996
Inventors: Michael Lerche, Carsten Howitz
Assignee: Multi-Inform A/S

Network adaptor connected to a computer for virus signature recognition...

Abstract
A data processing system comprising a plurality of computers interconnected
through a local network, preferably in the form of a ring. The network being
connected to a network adapter which is able to receive all information on the
network. The network adaptor is connected to a computer which together with the
adaptor can perform an assembling and scanning of substantially all files on the
network and carry out a recognition of virus signatures. The individual file
packets circulation in the network are assembled, said file packets being
assembled in a file and scanned for virus signatures. When a virus signature is
detected in the file, information is simultaneously provided on the transmitting
stations and the receiving stations, whereafter it is possible to transmit the
vaccine to the stations in question.

1. A data processing system comprising a plurality of computers interconnected
through a local network in the form of a ring network, said network being
connected to a network adaptor which is able to receive all information on the
network, characterized in that the network adaptor (7) is connected to a
computer (8), which together with the adaptor (7) can perform an assembling and
scanning of substantially all files on the network (1) and carry out a
recognition of virus signatures, if any, in the files, the computer (8) being
adapted to provide information on the place of origin of infected data, if any,
as well as on the position to which said infected data has been transmitted, and
comprising a neural network having program means for recognizing the usual
interchange of data on the local network (1) and for activating an alarm if an
unusual interchange of data resembling a virus, such as an unknown virus
signature, is recognized.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated
Authored by: hamstring on Tuesday, January 29 2008 @ 10:57 AM EST
Prior Art (most of which are anti-virus). Someone with more time would have to
go fishing for actual release dates, and some I am not too sure the timeframe.

Big Brother - Remote and local scan and status of devices and computers. Even
handled email and modem paging, and I know we used this around 1995, maybe
earlier.

NFS/RPC - Server scans files for errors, creates locks per client requests, has
ACL's to keep out unwanted hosts (NFS version 2).

NIS/NIS Plus - Server controlled account management and shared information
system.

Snoop - remote port sniffing/scanning of systems.

netwatch? I am not sure if this was pre 95, but has to be in that range.
Allowed full scanning of hosts and routers for all network activity and
protocols and viewing from a single station.

HP OpenView Network Node Manager? I think this was pre 1995, but may be post.

Snort - IDS in a client server model.

TCP Wrappers - Server based TCP controls

McAfee Anti-Virus - we used this pre-1995 on Novell servers to scan messages
and files.

---
# echo "Mjdsptpgu Svdlt" | tr [b-z] [a-y]
# IANAL and do not like Monopoly

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:59 AM EST
Fred Cohen 1984: http://all.net/books/virus/part6.html

"To be perfectly secure against viral attacks, a system must protect
against incoming information flow, while to be secure against leakage of
information a system must protect against outgoing information flow."

Seems kinda obvious that the earliest point in the network (gateway) is the
place to do incoming information flow protection. He does mention that
"Several of the techniques suggested in this paper which could offer
limited viral protection are in limited use at this time."

I'd think that's where to investigate for the earliest prior art.

[ Reply to This | # ]

  • Clicky Link - Authored by: Anonymous on Tuesday, January 29 2008 @ 11:01 AM EST

Patent number: 5319776
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:59 AM EST
Filing date: Sep 29, 1992
Issue date: Jun 7, 1994
Inventors: John K. Hile, Matthew H. Gray, Donald L. Wakelin
Assignee: Hilgraeve Corporation
Primary Examiner: Ly V. Hua

In transit detection of computer virus with safeguard

Abstract
Data is tested in transit between a source medium and a destination medium, such
as between two computers communicating over a telecommunications link or network.
Each character of the incoming data stream is tested using a finite state
machine which is capable of testing against multiple search strings representing
the signatures of multiple known computer viruses. When a virus is detected the
incoming data is prevented from remaining on the destination storage medium.
Both hardware and software implementations are envisioned.

[ Reply to This | # ]

What is the "Linux System" according to the OIN?
Authored by: Anonymous on Tuesday, January 29 2008 @ 11:14 AM EST
The Open Invention Network (OIN) says here:
Open Invention Network℠ acquires patents and makes them available royalty-free to any company, institution or individual that agrees not to assert its patents against the Linux System.

Which begs the questions:

1) What is the Linux System?

2) Can Barracuda Networks, as a member of the OIN, counter sue Trend Micro for violating any of OIN's patents?

3) Can Barracuda Networks file a complaint with the International Trade Commission against Trend Micro to prevent it from importing products that violate OIN patents? Trend Micro has international offices. They probably have international developers.

[ Reply to This | # ]

Patent number: 5550984
Authored by: Anonymous on Tuesday, January 29 2008 @ 11:14 AM EST
Filing date: Dec 7, 1994
Issue date: Aug 27, 1996
Inventor: Edward J. Gelb
Assignee: Matsushita Electric Corporation of America
Primary Examiner: Moustafa Mohamed Meky

Security system for preventing unauthorized communications between networks

[ Reply to This | # ]

Norman antivirus firewall released early 1995
Authored by: Anonymous on Tuesday, January 29 2008 @ 11:25 AM EST
Looks spot on prior art. They're still in business too... Link1 Link2 Link3 They were also called Arcen DATA prior to renaming as Norman around the same time as the firewall and have been working on antivirii since the 80s.

[ Reply to This | # ]

E-Mail Virus Scanning
Authored by: Anonymous on Tuesday, January 29 2008 @ 11:31 AM EST
A. Padgett Peterson, P.E. Information Security (padgett@tccslr.dnet.mmc.com)
Wed, 26 Apr 95 15:43:46 -0400


>Theoretically shouldn't it be possible to scan all email at the gateway for a
>virus inside a mail message?

Sure, in theory. Problem is that there are so many ways of encoding an
archive (PKZIP, LZEXE, PKLITE, ARJ) even in self-extracting form that it
would be difficult. Add to that the fact that many of today's viruses
are using self-encryption/decryption with multiple seeds and algorithms

True there has to be a unencode decrypter section up front but you would
be amazed how many ways there are to write the same thing in assembly.
In 1990 Mark Washburn demonstrated a virus that never had more than two
bytes in a row that were the same.

For this reason, just about all of the best scanners today use partial
emulation to try to develop common patterns when all else fails (and are
becoming ever slower in the process).

Further, E-Mail comes in multiple packets so first you need a proxy host to
reassemble the message, then it must examine it to determine if it contains
an executable, and then to determine what it is (and it may have multiple
layers).

Now what might be feasible would be for such a proxy host to examine the
E-Mail to determine if it is English text (that is not too hard) and to reject
anything that is not. This means that uuencode and PGP protected messages
would be rejected also. You *might* be able to pass documents in WORD or
WORDPERFECT so long as ccMail was not using its encryption. Yer pays yer
money and yer takes yer chancet.

The other factor is that it would have to be dynamic and able to respond to
new attacks very quickly. What it won't be is cheap.

Note that nowhere have I said it could not be done. It could but would be
a decidedly non-trivial effort. Personally I doubt that the market is there
to justify the development expense. *And that would just be for PCs*.

Now if someone thinks they have the money to burn, just send a nice Facel-Vega
HK-500 with a/c to show you are serious...

Semper caliente,
Padgett

http://www.control.auc.dk/~magnus/Mailboxe/firewall-archive/0521.html

[ Reply to This | # ]

Other directions....
Authored by: Marc Mengel on Tuesday, January 29 2008 @ 11:32 AM EST
There is a good review of the state of the art of that time period:

Cheswick, W. R., and Bellovin, S. M., Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley, New York, 1994.

and earlier:

William Cheswick and Steven M. Bellovin. How computer security works: Firewalls. Scientific American, pages 106–107, October 1998.

These folks talk a lot about application layer firewalls, where various protocols are proxied and filtered. And virus scanning on a gateway is just a fancy protocol-specific proxy. In fact, you might want to see if Cheswick or Bellovin would be willing to be an expert witness; I'm guessing Bill Cheswick would have a bone to pick with someone trying to patent firewall/proxy combinations; if he thought that was patentable, I suspect he would have done so at the time...

Also from this history:

The next security firewalls were more elaborate and more tunable. There were firewalls built on so called bastion hosts. Probably the first commercial firewall of this type, using filters and application gateways (proxies), was from Digital Equipment Corporation, and was based on the DEC corporate firewall. Brian Reid and the engineering team at DEC's Network Systems Lab in Palo Alto originally invented the DEC firewall. The first commercial firewall was configured for and delivered to the first customer, a large East Coast-based chemical company, on June 13, 1991. During the next few months, Marcus Ranum at Digital invented security proxies and rewrote much of the rest of the firewall code. The firewall product was produced and dubbed DEC SEAL (for Secure External Access Link). The DEC SEAL was made up of an external system, called Gatekeeper, the only system the Internet could talk to, a filtering gateway, called Gate, and an internal Mailhub (see Figure 1).
So that's a commercial firewall product integrating email in 1991. Now distinguishing virus scanning from the filtering done at that time (i.e. to prevent things like the Morris Worm using protocol bugs to spread) is an interesting distinction, one which I'm not sure holds up to scrutiny -- you're simply watching for patterns in the protocol conversation; whether those patterns are in the mail data portion of that conversation or the control portion is largely irrelevant. Virus filtering only the mail body is a subset of that behavior, not a superset.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Tuesday, January 29 2008 @ 11:34 AM EST
Is prior art restricted to computer networks only? For prior art on the
concept of scanning at the point of entry there are plenty of examples.
Prisons, for example, check all incoming mail for contraband. They also check
visitors for contraband as well. In this scenario, the mail room and visitor's
entrance are "gateways". Prisons sure as heck don't install scanners
in each cell (desktop computer).

I use LSoft's Listserv and it looks like they introduced scanning incoming mail
albeit for spam, not viruses, but the concepts are similar - unwanted content.

[ Reply to This | # ]

A secure Email gateway
Authored by: Anonymous on Tuesday, January 29 2008 @ 11:44 AM EST
Secure Email Gateway (Building an RCAS External Interface). Randall E. Smith.
The Boeing Company.

ieeexplore.ieee.org/iel2/2967/8410/00367307.pdf

[ Reply to This | # ]

Searching usenet yields results
Authored by: Anonymous on Tuesday, January 29 2008 @ 12:04 PM EST

I figured I'd go back and look for somebody who'd installed a virus scanner on their firewall. Results were quick and easy. (Google groups is your friend.) For instance, here's a March 21, 1995 announcement that pretty much blows away the "gateway" claim and probably the "proxy" claim and maybe others.

NORMAN DATA DEFENSE SYSTEMS UNVEILS THE NORMAN FIREWALL.

This was found using the advanced search for periods prior to the patent date on key keywords "firewall" and "virus" searching in comp.*.

I've not read the claims in detail and don't have time for more searching now. Perhaps others can pick up the ball and run with it. The comp.security.firewalls group might be particularly fertile ground.

Regards,
Karl O. Pinc <kop@meme.com>

[ Reply to This | # ]

Signatures
Authored by: Anonymous on Tuesday, January 29 2008 @ 12:10 PM EST
The 'file' command has been around on UN*X for a long time, and it does all its
work on the basis of signatures. Standard UN*X philosophy is that a file is a
stream of bytes, hence regular files, pipes, named pipes and sockets all appear
to be the same to users. To look for a signature in a file is the same thing as
to look for a signature in a pipe, a named pipe, or a network socket.

If you want to go outside of computers for signatures, the science of detecting,
whether by physics or by chemistry, is full of work in looking for signatures.

[ Reply to This | # ]
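
The in-transit scan described in the Hilgraeve abstract quoted earlier (one finite state machine testing every incoming character against multiple search strings, with the data discarded on a match) and the point in the comment above that a signature search treats a file and a pipe alike, as an added example that is not part of any comment in this thread. Aho-Corasick is an assumed choice of automaton (the abstract names none), and the signature bytes, class and function names are constructed for illustration.

```python
import io
import os
from collections import deque

# Constructed byte strings for the demo; not real virus signatures.
SAMPLE_SIGNATURES = {"sample-a": b"XSIG-ALPHA", "sample-b": b"ALPHABET"}


class StreamScanner:
    """Aho-Corasick automaton whose state survives across chunk boundaries."""

    def __init__(self, signatures):
        self.goto = [{}]   # goto[state][byte] -> next state (a trie)
        self.fail = [0]    # fail[state] -> state for the longest suffix that is a prefix
        self.out = [[]]    # out[state] -> names of signatures ending at this state
        self.length = {}
        for name, pattern in signatures.items():
            if not pattern:
                raise ValueError("empty signature: " + name)
            self.length[name] = len(pattern)
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto[state][byte] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                state = self.goto[state][byte]
            self.out[state].append(name)
        # Breadth-first pass: a failure link depends only on shallower states.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for byte, child in self.goto[state].items():
                f = self.fail[state]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(byte, 0)
                self.out[child] = self.out[child] + self.out[self.fail[child]]
                queue.append(child)
        self.state = 0
        self.offset = 0    # bytes consumed so far

    def feed(self, chunk):
        """Consume one chunk; return [(name, start_offset)] for matches ending in it."""
        hits = []
        for byte in chunk:
            while self.state and byte not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(byte, 0)
            self.offset += 1
            for name in self.out[self.state]:
                hits.append((name, self.offset - self.length[name]))
        return hits


def scan_reader(reader, signatures, chunk_size=4096):
    """Scan any object with .read(n): regular file, pipe, or socket.makefile('rb')."""
    scanner = StreamScanner(signatures)
    hits = []
    while True:
        chunk = reader.read(chunk_size)
        if not chunk:
            return hits
        hits.extend(scanner.feed(chunk))


def scan_through_pipe(data, signatures, chunk_size=4096):
    """Push data through an OS pipe and scan the read end (data must fit the pipe buffer)."""
    read_fd, write_fd = os.pipe()
    with os.fdopen(write_fd, "wb") as writer:
        writer.write(data)
    with os.fdopen(read_fd, "rb") as reader:
        return scan_reader(reader, signatures, chunk_size)


def receive(reader, signatures, chunk_size=4096):
    """Safeguard: hand back the data only if no signature was seen in transit."""
    scanner = StreamScanner(signatures)
    kept = bytearray()
    while True:
        chunk = reader.read(chunk_size)
        if not chunk:
            return bytes(kept)
        if scanner.feed(chunk):
            return None        # discard everything buffered so far
        kept.extend(chunk)


if __name__ == "__main__":
    sample = b"header XSIG-ALPHABET trailer"   # constructed input
    print(scan_reader(io.BytesIO(sample), SAMPLE_SIGNATURES, chunk_size=3))
    print(scan_through_pipe(sample, SAMPLE_SIGNATURES, chunk_size=3))
    print(receive(io.BytesIO(sample), SAMPLE_SIGNATURES))
```

The two sample signatures overlap in the input, so the second match is only found through a failure link, and the 3-byte chunks split both signatures across reads.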

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Tuesday, January 29 2008 @ 12:38 PM EST
There is an excellent AV timeline at

http://www.research.ibm.com/antivirus/timeline.htm

In particular, the Israeli IRIS AntiVirus Plus was licensed to Cheyenne Software
(for their Inoculan product) prior to 1991, and was converted into a server
product implementing at least some of the mentioned features (filename extension
lookup, signature scanning, ...)

Regards,

AW

[ Reply to This | # ]

No Coverage for the WIAV Case???
Authored by: prpplague on Tuesday, January 29 2008 @ 12:50 PM EST
strange that no one is covering the WIAV case! the patent troll WIAV/SPH America is claiming that ALL 802.11 implementations are in violation of their patents and they intend on getting license fees from anyone with a mobile device that uses 802.11:
troll tracker blog
Texas Legal Journal

[ Reply to This | # ]

  • No Coverage for the WIAV Case??? - Authored by: Anonymous on Tuesday, January 29 2008 @ 06:18 PM EST
    • No Coverage for the WIAV Case??? - Authored by: Anonymous on Wednesday, January 30 2008 @ 08:24 AM EST
      • See - Authored by: Anonymous on Wednesday, January 30 2008 @ 09:47 AM EST
        • See - Authored by: prpplague on Wednesday, January 30 2008 @ 11:57 AM EST
          • See - Authored by: Anonymous on Friday, February 01 2008 @ 03:34 AM EST

FIDO Net
Authored by: fritzs on Tuesday, January 29 2008 @ 12:55 PM EST
Has anyone looked at the ways FIDOnet from the old BBS days did virus
protection? I was never very involved with FIDOnet, but it could be a possible
form of prior art. Just a thought.

[ Reply to This | # ]

prior art: TIS Firewall Toolkit?
Authored by: Anonymous on Tuesday, January 29 2008 @ 01:11 PM EST
As for application gateways as a concept, have a look at the TIS FWTK, released 1993.

It does not include virus scanning, but it does enforce protocol compliance for the gatewayed applications protocols.

(I'm pretty sure someone hacked in virus scanning on the smap queue, but I don't have an example for that at hand...)

[ Reply to This | # ]

Here's some of what I digged up
Authored by: designerfx on Tuesday, January 29 2008 @ 01:13 PM EST
Of interest, specifically slashdot's article here - http://yro.slashdot.org/article.pl?sid=08/01/29/1313206
links a businesswire article here - http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20080129005353&newsLang=en Interesting to see some quotes from Barracuda, although they're pretty accurate.

Even CNET surprisingly has a fairly unbiased interpretation: http://blogs.cnet.com/8301-13505_1-9856170-16.html.

Irregardless, that's just so you have some links of reference. Here's what seemed to me like it might be a possible defense of the antivirus situation: Wiki- Gottschalk vs Benson (here's the original ruling - http://supreme.justia.com/us/409/63/case.html ). Can this still be argued? That software, is at its best, mathematical and non patentable? Especially the capability of an antivirus to use heuristics and/or that antivirus itself is mathematics at its base?


Also, clearswift.com has the sweeper program of its latest version linked right on their website.
Plus, there's a slashdot link from a comment about a 1995 press article relating to this stuff - something called norman firewall http://yro.slashdot.org/comments.pl?sid=434088&cid=22221654 is the slashdot link to this article: google computer security groups

Due to that, I searched and found this article saying the first antivirus was in 1987 according to this wiki article - Wikipedia - Antivirus Software from the last one: "Perhaps the first publicly known neutralization of a wild PC virus was performed by European Bernt Fix (also Bernd) in early 1987. Fix neutralized an infection of the Vienna virus.[7] [8] First edition of Polish antivirus software mks_vir started in 1987" Sorry for the horrible formatting.

[ Reply to This | # ]

Why should we help a spammer?
Authored by: goz on Tuesday, January 29 2008 @ 01:17 PM EST
Barracuda ships their firewall configured to send spam. What it does is send
email to whoever is named in the From field in the email (always forged in spam)
containing the spam message. Spammers use this to send spam by generating
thousands of messages with differing From and bouncing it back to innocent
victims. I get tons of spam from their firewall.

[ Reply to This | # ]

ssys.de and MimeSweeper
Authored by: mdarmistead on Tuesday, January 29 2008 @ 01:28 PM EST
The person who reported it worked for SySS, a German computer security firm. His
name is Pierre Kroma and his contact e-mail was kroma_at_syss_dot_de however,
he is no longer listed on their site as an employee. Maybe somebody should
contact Sebastian Schreiber at SySS and see if he can be helpful.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Tuesday, January 29 2008 @ 01:32 PM EST
Sounds as if the security discussion in the MIME RFCs
might be relevant to this. It first appeared in RFC 1341
(June 1992) and later in RFC 1521 (September 1993).

FWIW, this discussion is also an effective recipe for
writing an Outlook/IE virus, as used most famously by some
of the most famous late-1990s examples. It describes what
*could* happen if someone were foolish enough to violate
the relevant aspects of the RFC in an agent accepting MIME
messages from untrusted sources ...

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Tuesday, January 29 2008 @ 01:40 PM EST
How about mainframes running any sort of antivirus and firewall/gateway
software?

I'm thinking the old UNICOS Crays with Sun workstations hooked up to them. I
used one at LANL from 91-93.

The workstations ran Solaris and did an x11 connection to the Cray. I would
assume the admins there would be smart enough to know to do the filtering/etc on
the Cray and it would also cover the workstations. :) (it might have been x8
or x9 or something else back then, heh)

[ Reply to This | # ]

Send a message with your wallets
Authored by: rsmith on Tuesday, January 29 2008 @ 02:15 PM EST
Don't buy trend micro products, and don't recommend them to your non-geek
friends.

---
Intellectual Property is an oxymoron.

[ Reply to This | # ]

Why not sue the ClamAV developers? Perhaps another reason.
Authored by: cventers on Tuesday, January 29 2008 @ 02:17 PM EST
I can't help but note that Trend Micro didn't go after ClamAV developers directly; it zeroed in on a business using ClamAV instead. Why might that be? I think it's patent pragmatism at work. Litigation often starts with a "who has the deep pockets?" analysis, because most litigation is about money.
PJ, if I recall correctly, didn't Microsoft v. AT&T reaffirm that software code itself is not subject to patent protection since it is just an algorithm, but that patent protection applies to a "device" that includes software? Thus, the computer running ClamAV would be a patent violation, but ClamAV itself could not be?

[ Reply to This | # ]

Obviousness ...
Authored by: Anonymous on Tuesday, January 29 2008 @ 02:53 PM EST
FWIW, in the late '90s, I was doing some Linux support,
and my neighbour in the office downstairs was a Netware
man.

Novell didn't at the time have an email product meeting
the needs of four or five of his clients. This included
scanning and filtering incoming and outgoing email. One
function was to attach a warning where an attachment could
potentially be hazardous. I installed Linux boxes running
a version of qmail enhanced to do the job (yes - qmail's
license permits that, where I'm the person supporting it).

Seems to me to be just one little anecdote supporting
obviousness. But then, not having read the patent, I
couldn't say how relevant it might be.

[ Reply to This | # ]

"Tax" is more like protection money
Authored by: Anonymous on Tuesday, January 29 2008 @ 02:54 PM EST
force those using such software to pay the proprietary dudes a tax.
I think it's more like protection money than a tax. A tax can be applied and used for legitimate purposes that at least sometimes promote the common good.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Tuesday, January 29 2008 @ 02:56 PM EST
What is the difference between scanning an email and a mail (post service)?

Think about the bomb-letter scanning process that happens at "the
gateway" in many government offices, instead of email it works with mail,
just remove the "e" and you have the same thing basically, stop the
damage at "the gateway".

I also come to think about the metal detectors many many buildings have at their
entrances, sort of same thing, only for people and not packages, sort of a
non-electronic ftp system maybe?

The only "innovative" thing of this wonderful patent is putting an
internet/electronic means to do the same thing that has been done for decades
before.

When was the first bomb-letter sent?


Ivan

[ Reply to This | # ]

Security, DRM too is the topic, bring in all the "bigger questions". So, "ALL IN" Texas holdem!
Authored by: Anonymous on Tuesday, January 29 2008 @ 03:16 PM EST

Since they are going to court on "computer security" then why hold back, let's let the whole truth flow here (and so let us go "ALL IN" (Texas Hold-em style, like on TV), let's cover the "patent" world, and its relationship to math, as virus detection is a pure form of that, and let's bring in some other parties besides the 2 antivirus ones to the case as well, it is time to go "ALL IN"!

After all, when you think of this case in broader terms, isn't DRM filtered at a GATE the same way as a virus is, and Creative Commons meta-tags too? So, more is at stake here than first meets the eye!

Now, where shall we start?

Somewhere in the below links... is an article by Jennifer Lapell at Security Focus, that is about a fellow named Cohen, that coined the term virus in the first place. There is some very good reference material here, that in effect, no anti-virus company wants to see the light of day in court with, and testimony regarding this information.... as it would not be healthy for their business model.

There is a history of viruses somewhere explained in this (can't point it out, but it is found in these links)! Oh, regarding patents and software, the digital future series Library of Congress one with Professor Smith, is worth bringing out, as he points out a question as to if any of this stuff that is digital is real anyway (Prof. Or "Dean" Smith, who once worked at PARC, Xerox Labs, and might even have managed the affair for a while, so he knows what he is talking about). Should software patents even exist in the first place? Hmmm, if you look at everything in the links below, and from a shifting sands metaphor, you will understand that everything digital is not solid, and when looking for a blue print, as it is all math anyway, well, Trend Micro, a patent holder, really does not want to go here either, in court. If the Socratic method is used to examine it all, well... you know who won that case in Greece, don't you. Trend Micro should lose this. Clam AV, for what it does, is worthy of doing an independent version of what it does (what do they do anyway,

Also - we need to examine the other "Digital Future" C-SPAN video, the one that is listed as such: "Monday, January 31 Brian Cantwell Smith, dean of the Faculty of Information Studies at the University of Toronto Smith, the author of " On the Origin of Objects," combines degrees in computer science and philosophy and is an expert on the interdisciplinary convergence brought about by digitization. His talk is titled, "And Is All This Stuff Really Digital After All?";

... when we examine the message that Brian Cantwell Smith is driving toward, we need to UNDERSTAND what digital really is, and what it is not. My take on the Brian Cantwell Smith video is that he is saying that the only real stuff is the analog of the creation (in its pure form) and that analog of the experience (in its pure form), both at the creator/user experience point. AND that this is not digital and the digital is not that! What is digital? It is a middle layer of non-perfect, and distorting, tech that we use simply as a tool (CPU, RAM, electricity)... and that tool is not a Noun, it is not an entity by itself, it is an illusion that has been marketed to us that it is a Noun.

So - where does Smith lead us? He does not know? Only time will tell. Because digital is so new to us, we think of it as being something that it is not. To the point where we look at it as being a Noun.

So - The inventions, that are digital, need to not be looked at as "unique", in a "noun" sort of way. As they are not. The CPU, the RAM, the electricity, the computer is a noun, and as an idea it can be protected. The digital data, the software, it is just a new version of the smoke signal (in a way, the smoke signal, is analog), where it is now wrapped in something else. Never a noun.

If it is a noun, then it is something. Time will prove out over the long haul that digital is nothing, really it is just something on a wire, and the only thing, again someday, that will be important, and protect-able, is what is analog (at both ends, the human creation, and the human experience).

What we create that is digital, has its origins as something else, something that is real, that we can see, taste, hear, smell, etc, (all analog), THEN, we make it then a mixture of 0's and 1's, process it in, process it out, (we can not taste, see, hear, smell, this at all), and then, out it comes again as something we again can taste, see, hear, smell (it is real again, and again it is analog).

Much of IP these days is just something that we have been doing for a long time, but suddenly because it is "marketed as this illusion, this digital middle", we imagine it to be real... we imagine it to be a noun, when it is not.

So - patents on software should not be. Copyright is something that can be real to the code that is the assembly of the 0's and 1's, and that we can fingerprint, and that we can filter, and that we can audit, and that we can protect in the world of "Lessig's internet COPY sensitive creative commons type of model". Not a business model, but as we know, can be.

If the digital meta-tag is search-able, it can be audited for theft as well, and numbers can be assigned to what is fair use and not fair use. Public Domain can be public domain, proprietary can be proprietary, however, the confusion as to digital being protected because we imagine it to be a noun, is an impossible feat. Socrates would have agreed... as that was the essence of his argument a long time ago, was it not?

Is digital being looked at as being something that it is not, or after all is much that is public domain, being repackaged and reprotected simply because it is now digital, and how many of us are being fooled by this "digital illusion" into thinking that digital is suddenly so unique, when it is not!

When we use the socratic method and examine this logic (the logic of Mr Smith above, and the logic of Lessig as well), and accept the obvious conclusions that there are still questions, then we KNOW that if questions still exist, then no patents on software can exist (math is that unpredictable, and in a way, math is that unique). However, then we still have copyright. And Creative Commons, and the free to use "digital metatag idea", can be expanded world wide to "create an system where artists are not stolen from at the speed of light in a massive way".

Then, as well - when you have theft of stuff of value, you have laws regarding theft, as when you walk out of a store with a CD under your shirt, that you did not pay for, when you are caught, you are not prosecuted for "infringement" you are prosecuted for theft. Massive theft of digital works, or creating a method to do this, is in effect at some point "conspiracy" and there are laws against that as well (don't need new copyright laws). We do need an electronic gate, but a patent on it, should never be allowed to exist (because it is, digital, and we have been building locks and gates for thousands of years). The digital middle, the metatag filtering gate, is nothing new, it is only a digital representation of the long time used analog concept, the gate, allowing some in, some can not pass by! No new idea there!

And not a business model, just thousands of years old already, analog-wise. A "Digital" is real mindset, is the illusion that we must free ourselves from, first, in order to then be able to address our current debate with our feet firmly in reality. Analog is reality. Digital is not.

Since they put so much into this pot, then let us go "ALL IN" with everything else, BECAUSE it is all related and the suit relates as well to any filtering of anything at any level, at an ISP level for DRM or even free content filtering of Creative Commons content on P2P networks.

This case, if won by the bad guys, has the power to "freeze all FOSS and non-commercial CC content" that the internet, and even science as it collaborates "sharing" in everything from emails to PSP, all about the future of our environment and the future of the universe, ...ALL that we think of as "normal" file transfer or freely shared content, if the bad guys win, would be forever proprietary and owned by these types of patent holders!

Folks, it is time to go ALL IN, in defense of freedom, for our digital futures!

[ Reply to This | # ]

vacation
Authored by: capt.Hij on Tuesday, January 29 2008 @ 03:34 PM EST
My first thought was that we used to do this kind of thing with the vacation
command from way back in the dark ages. You pipe your mail through a filter that
then determines whether or not to send a reply based on the headers. We did this
back in the day before we used firewalls so it was done on computers facing the
"internet." (Even though we did not call it that.)

Taking the step to have the filter check for "bad things" is really a
small step in logic. Even nowadays it is done with procmail which again is a
small step away from the front end.



[ Reply to This | # ]

fwtk was blocking malware in 1993
Authored by: Anonymous on Tuesday, January 29 2008 @ 04:29 PM EST
it's not a direct match, but it shows the obviousness of blocking malware at the
gateway

the firewall toolkit was written in 1993 and one of the features of its http-gw
proxy is that it could block Java, Javascript, or ActiveX from getting through
and strip them out of the HTML.

history of the FWTK is available at
http://www.fwtk.org/fwtk/docs/documentation.html#1.2

[ Reply to This | # ]

Note to Trend
Authored by: Anonymous on Tuesday, January 29 2008 @ 04:34 PM EST
Not only are the readers of this site going to find prior art to stop your
trolling, but I have, in my capacity as a consultant, had my customers purchase
dozens of copies of your product.
No more. Ever.
I will also find a replacement product so that as the updates end so does your
money.
It will probably not cause you to go out of business, but if there are enough
like me you will see the difference in your bottom line.

[ Reply to This | # ]

Any packet inspection invalidates the patent...
Authored by: Anonymous on Tuesday, January 29 2008 @ 04:52 PM EST
I assert that any form of packet inspection on a network connection regardless
of whether viruses are the scan model invalidates the patent. The only
difference between packet inspection and virus inspection is the signature you
are looking for in the packets.

In fact I'll go a step further and say any form of file inspection on any server
invalidates the patent, especially in the case of unix like systems because
files and network pipes are treated almost identically by the system.

[ Reply to This | # ]

The file(1) command fits the bill
Authored by: Anonymous on Tuesday, January 29 2008 @ 05:27 PM EST

"determining whether the data is of a type that is likely to contain a virus .." - That sounds like something you could (at least partially) determine based on the result of running the file(1) program on a file.

For example, on my Linux box here :

$ /usr/bin/file myapp.msi
myapp.msi: Microsoft Installer

$ /usr/bin/file cfg1030
cfg1030: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, statically linked, stripped

$ /usr/bin/file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01

$ /usr/bin/file foo.txt
foo.txt: UTF-8 Unicode text

The first two could be said to be "likely to contain a virus" simply since they are executable file types.
The last two are unlikely to contain a virus since they are an image and a text document respectively.
The really good bit is that file(1) doesn't just determine these things from the file name. It actually inspects the contents of the file.

Current versions of file(1) source code can be found at ftp://ftp.astron.com/pub/file/
Where older (pre 1995) versions can be found I don't know, but they must be possible to dig up, since the man page for find "man 1 find" says this in the HISTORY section:

There has been a file command in every UNIX since at least Research Version 4 (man page dated November, 1973). The System V version introduced one significant major change: the external list of magic number types. This slowed the program down slightly but made it a lot more flexible. This program, based on the System V version, was written by Ian Darwin without looking at anybody else’s source code. John Gilmore revised the code extensively, making it better than the first version. Geoff Collyer found several inadequacies and provided some magic file entries. Contributions by the ‘&’ operator by Rob McMahon, cudcv@warwick.ac.uk, 1989. Guy Harris, guy@netapp.com, made many changes from 1993 to the present. Primary development and maintenance from 1990 to the present by Christos Zoulas (christos@astron.com). Altered by Chris Lowth, chris@lowth.com, 2000: Handle the −i option to output mime type strings and using an alternative magic file and internal logic. Altered by Eric Fischer (enf@pobox.com), July, 2000, to identify character codes and attempt to identify the languages of non‐ASCII files. The list of contributors to the "Magdir" directory (source for the /usr/share/misc/file/magic file) is too long to include here. You know who you are; thank you.

Perhaps emailing some of those authors of early file(1) versions could turn up some early source code.

[ Reply to This | # ]

Prior art Norton Administrator V 1.0
Authored by: Anonymous on Tuesday, January 29 2008 @ 05:51 PM EST
Reviewed in PC Magazine, vol 12 number 22 Dec 21 1993 pages NE15 to NE18 (NE section starts after page 290)

This is a client installed network administration tool. It provides licencing, performance, and other management tools to the network administrator.

However, towards the end of the article, it refers to another Norton product that might invalidate some of the claims:

"The application also offers tight integration with other Norton utilities including Norton Anti-Virus for NetWare and Norton pcAnywhere. Anti-Virus is a NetWare Loadable Module that scans all incoming and outgoing files on a NetWare server, providing unobtrusive virus protection by identifying all of the 2,000 known virus signatures in the National Computer Security Association libraries while detecting the activity of previously unknown viruses"

Wow, only 2,000 known viruses.
Chuck Sheehan
(at shaw.ca)

[ Reply to This | # ]

Look up some old computer magazines
Authored by: Anonymous on Tuesday, January 29 2008 @ 07:12 PM EST
I read umpteen reviews of anti virus products in PC magazines in the late
eighties and early nineties. I would try Byte magazine, PC Magazine and from the
UK, PCW and perhaps Computer Shopper.

JeffV

[ Reply to This | # ]

Does it have to be electronic?
Authored by: tqft on Tuesday, January 29 2008 @ 07:38 PM EST
Haven't actual human (& canine) security guards at doors - even cave
entrances done most of this since time immemorial?

Checked that things trying to come in are allowed?
Checking for hidden things?
Leaving them outside pending investigation?

---
anyone got a job good in Brisbane Australia for a problem solver? Currently
under employed in one job.

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: grokrocks on Tuesday, January 29 2008 @ 08:08 PM EST
Patent 5319776 'In transit detection of computer virus with safeguard' which
is cited by the Trend Micro patent seems like it should be reviewed in more
detail as it seems to cover a lot without referencing a gateway.

There were many pre-existing Firewall proxy servers/gateways in the 1991-1993
time frame that I am not aware of doing the job of filtering virus but if you
combined an ANS Interlock or a DEC SEAL with patent 5319776 it should be obvious
next step so I don't see how this patent passes the test for obviousness.



[ Reply to This | # ]

simtel
Authored by: Anonymous on Tuesday, January 29 2008 @ 09:42 PM EST
Standard practice in 1995 at the simtel ftp repository was to scan all files for
viruses. The ftp repository was also accessible via an email gateway, so the
software system will also incorporate gateway features. See e.g.
http://www.internettourbus.com/arch/1995/TB072595.TXT

[ Reply to This | # ]

Bay Area Bulletin Board Advisor
Authored by: Anonymous on Tuesday, January 29 2008 @ 10:57 PM EST
http://www.markshapiro.com/Issue3.html

Those of us still old enough to remember BBS's should all have copies or links
to our old BBS articles about scanning uploads and such as part of the
transactions. A mail gateway takes a file, looks at it, and stores it for later
IMAP/POP/redelivery. A BBS used to take a file, look at it, and store it for
later download/FTP/redelivery to another BBS.

[ Reply to This | # ]

My (potential) prior art
Authored by: Matthew Mastracc on Tuesday, January 29 2008 @ 11:13 PM EST
I just sent this off. Virus scanning was important in the BBS/Fidonet days.
There was a lot of automated mail and file (.TIC) exchange going on and many of
the computers were scanning automatically...

------------------------

BBS software from the early 90's contained a significant amount of
infrastructure that mirrors Trend Micro's claim. I have two potential pieces of
prior art. The first one might be good for claim #4. The second one seems to
be good prior art for claim #18 in the patent.

1. The Maximus BBS software (source code available on Sourceforge.net) contains
functionality that:

- allow operators to specify virus scanners to run after each upload
- identify the type of uploaded archive based on its filename (to display its
contents after upload and check for corruption)
- display customizable screens (and run customizable actions) depending on
whether an upload was valid or was rejected because of virus detection.

While Maximus BBS software wasn't FTP, it performed effectively the same service
(providing directory lists, organization and upload/download).

From "max_mast.pdf" in the distribution:

http://sourceforge.net/project/downloading.php?group_id=63593&use_mirror=internap&filename=max-3.03-etc.tar.gz&62448602

The batch file can process the uploads as desired, including scanning for
viruses, refusing files with bad extensions, and so on. After the batch file
returns, Maximus will check again to see if the uploaded file still exists.

If the file still exists, Maximus displays maxmiscfile_ok.bbs. Normally, this
file contains a message informing the user that the file contained no viruses.
Maximus will then ask for an upload description and credit the user's account.

If the uploaded file no longer exists, presumably because it was removed by
vircheck.bat, Maximus will display maxmiscfile_bad.bbs. This file presumably
mentions that the virus check failed.

This feature was designed for automated virus-checking programs, but other
tricks can also be done with batch files. The uploaded file's extension can be
tested as a separate argument, so it can be used to block uploads of files with
certain extensions.

1b- This is an example (from 1993) of a package that processed BBS uploads
automatically from Maximus and performed actions based on the result:

http://cd.textfiles.com/cream02/VIRUS/VIRCHK2A.ZIP

VirusCheck (Called VIRCHECK from herein), when called from Maximus, will
determine what archive type an upload is, unpack it, scan it for virus
infection, then add your personal BBS comment to the archive. (If it's
a ARJ or ZIP archive.) Should an upload fail due to SCAN error or
infection, VIRCHECK will notify the sysop via netmail/localmail, and
move the file into a private directory for later review by the sysop.
(See SAMPLE.MSG for an example of the warning letter sent to the sysop.)


2. In the early 90's, Fidonet operators automatically transferred files around
through Netmail. There were a number of automatic "tossers" that
would process the incoming files, make sure they were clean and fire them off to
a virus scanner. This was referred to as "TIC", as described in this
document:

http://www.ftsc.org/docs/fsc-0087.001

2a - On this page:
http://archives.thebbs.org/ra76a.htm

I found an example of a file tosser from early '95 that supported automatic
virus scanning (it extracts a file list that is later passed to a virus
scanner):
ftp://archives.thebbs.org/tic_file_processors/ftoss102.zip

2b- In addition, this program on the same site from 1993/94 contains automated
virus scanning of incoming files:
ftp://archives.thebbs.org/tic_file_processors/tic2ra15.zip

TicToRa was designed to automate the importation of files received
via File Distribution Networks, or, from other sources which support
"TIC, AllFix and FileMgr". To allow maximum security/safety for the
SysOp, each file can be 'scanned' for viruses. In addition to this -
many of the more time-consuming maintenance tasks can be fully automated!

The documentation illustrated that preset actions may occur on virus detection:

* TicToRa will rename the file(s) and .TIC's whenever a virus is found.
(This feature can be disabled)


[ Reply to This | # ]

O'Reilly Building Internet Firewalls
Authored by: Anonymous on Wednesday, January 30 2008 @ 03:29 AM EST
I only have the second edition from 2000, which describes email sweeping for
virus at the gateway (p427-429).

The first edition was from April 1995, which presumably makes it prior art.

Could someone have a look?

Peter von Kaehne

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Wednesday, January 30 2008 @ 03:31 AM EST
I found this in French about the death's ping
"A very well-known example, although now purely historical and certainly
not among the most subtle, is the PING of death. (PING is a function of the
ICMP protocol, a protocol underlying TCP/IP that makes it possible to find out
whether a network node is reachable.) The ping of death is an IP datagram of
arbitrary size greater than 65536 bytes, that is, more than the theoretical
maximum size for the initial designers of IP. The machine that receives such a
"ping" does not know how to handle it, goes into a loop and ends up crashing.
The ping of death is a denial-of-service attack."
http://www.3sip.fr/main.php?page=.%2Fcauses

If there has been some kind of detection of so called "ping de la
mort" then you get your prior art of a virus detection
on the network

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: phantomjinx on Wednesday, January 30 2008 @ 04:02 AM EST
I happened to read the article about barracuda on the Reg and it gives a very
different slant to this story. Now I know the Reg tends to be a tabloid of the
Tech world but it did mention this:

"One early holdout, however, was Fortinet. In its own proceedings before
the ITC, it asserted the same prior art included on Barracuda's website, but the
ITC was unimpressed. In 2005, Fortinet got slapped with a permanent injunction
prohibiting the importation of its products."

Wonder if there is anymore information on Fortinet's attempt and how they went
wrong?

Regards

phantomjinx

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: podge on Wednesday, January 30 2008 @ 04:51 AM EST
References to software called CONNECT2 implementing a new concept called "passthru gateway".
They go onto explain filtering sent and received messages of dirty words and viruses - 9th May 1995.

http://groups.google.com/group/bit.listserv.pmail/browse_thread/thread/6272d4cd88cecc6f/b0834a8f732e46d1?lnk=st&q=virus+scan+gateway#b0834a8f732e46d1

[ Reply to This | # ]

Australia's DSTO
Authored by: John Dalton on Wednesday, January 30 2008 @ 06:47 AM EST
Way back in the early 90's Australia's Defence Science and Technology
Organisation did a lot of work on connecting secure and unsecure networks. I
think there is a chance of finding prior art there. Here are a couple of links
to get you started:

http://dspace.dsto.defence.gov.au/dspace/handle/1947/3990
http://www.agimo.gov.au/publications/2003/06/transform/defence

Perhaps do a search of the scientific press for papers by the authors named in
the above links during the early 90's. Also look for authors affiliated with
the Information Technology Division of DSTO.

[ Reply to This | # ]

virus just data, spam just data and...
Authored by: Anonymous on Wednesday, January 30 2008 @ 08:14 AM EST
bad (obscene) words are just data.

i don't know how far back they go, but an email publication
i run constantly runs into corporate gateways rejecting
my publication due to detected "bad words" in the content.

my last name matches one of the commonly prohibited bad words.

but basically, they are blocking undesirable data right at
their email gateway without any recourse or action on the part
of the actual individual recipient.


[ Reply to This | # ]

What About KSR?
Authored by: Anonymous on Wednesday, January 30 2008 @ 11:22 AM EST
Looking at the patent shows that Trend is claiming nothing more than an assembly
of known components and techniques that gives the expected result. There's no
novelty in this patent at all.

If you replace "SMTP" with "Pedal" and "Scanner"
with "Sensor" it becomes obvious that they are in exactly the same
position that the plaintiffs in KSR were.

Virus scanning was known prior to 1995.
SMTP and FTP were known prior to 1995.

The patent claims that assembling these well-known components and techniques and
yielding the predictable result is somehow novel. This is invalid upon its
face.

Prior to the KSR ruling, this claim might have worked, but now the bar of
obviousness has been raised substantially, and it's necessary to show that there
is true novelty in the patent such that the net assembly does not merely give
the result that an assembly of known techniques would predictably yield.

[ Reply to This | # ]

A pertinent question
Authored by: Anonymous on Wednesday, January 30 2008 @ 11:33 AM EST
Does Barracuda's product line HAVE to be on the edge of the network? If not,
does it not have to infringe the patent, because where the customer (not
Barracuda) puts it makes it infringing or not.

E.g. you have a DMZ and that's part of your network. On the edge of the DMZ and
your LAN, you have your scanner/firewall.

[ Reply to This | # ]

An email is actually a file in a directory
Authored by: Anonymous on Wednesday, January 30 2008 @ 02:48 PM EST
Virus scanners scanned files in directories before 1995. It hardly seems
patentable to claim "inventing" scanning files in a particular
subdirectory.

If the Trend patent is restated describing the physical artifacts being
processed in the patent claims it should be obvious that there is nothing new
being described. The patent rests upon obfuscation by calling it
"email" rather than a "file".

rhb

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV
Authored by: Anonymous on Wednesday, January 30 2008 @ 04:08 PM EST
The text search function of the "Byte On CD-ROM" covering 1990-1995,
searching for "virus" + "server" gives 24 hits from Jan 1990
to June 1995.

March 1993:
"Antivirus Utility for NetWare

Fifth Generation Systems' Untouchable Network NLM (NetWare loadable module)
detects and recovers viruses on NetWare 386-based file servers. The package
employs integrity checking on the file server to detect viruses without
relying on frequent virus signature updates.

A patented virus-removal technique guarantees safe restoration of
recoverable infected files, including those hit by new, unknown viruses. The
package also features on-line scanning of compressed and archived files and
seamless integration of Untouchable Network NLM for detection and recovery
of viruses at individual nodes.

Price: $995 per server.

Contact: Fifth Generation Systems, Inc., Baton Rouge, LA, [phone, fax]
"

(Note: the removal technique is said to be patented)


December 1993:
" Netware Virus Detector

A NetWare loadable module, Norton AntiVirus for NetWare ($995 per server)
provides unobtrusive virus protection for your server without affecting
network performance. LAN administrators can configure the program from
Symantec (Santa Monica, CA) so that when it's hunting down viruses, key
applications will continue to operate efficiently while remaining protected.
The NLM scans DOS, Windows, and Mac files. The customizable real-time
monitoring feature lets you send out alerts over a pager or via E-mail.
"


June 1995:
" Software Sentry 2.0

Software Sentry 2.0, a network-independent license-metering and
software-asset management tool, comes with a virus checker and the ability
to automatically load the TSR into expanded memory. Alerts notify the LAN
administrator of low-license conditions and help-desk requests. Multilingual
client support provides international user-intercept messages and end-user
help text in English, French, German, Italian, or Spanish. Per server: 50
users, $295; 100 users, $595; 250 users, $895.

Contact: Microsystems Software, Framingham, MA, [phone, email]
"


June 1995:
" Track Down 6000 Viruses

Dr. Solomon's Anti-Virus Toolkit 7 (single-user Windows version, $125;
single-user OS/2 version, $149) detects more than 6000 computer viruses,
including complex encrypted and polymorphic viruses. The program scans
inside files you've archived and compressed with PKZip, ARJ, PKLite, and
LZExe. A NetWare NLM version offers NetWare 4 compatibility, optional
server-based scanning, and administration from either the server console or
a Windows client on a workstation.

Contact: S&S Software International, Burlington, MA, [phone]
"

[ Reply to This | # ]

munpack/mpack
Authored by: Anonymous on Wednesday, January 30 2008 @ 05:34 PM EST
One place to look would be the mpack suite written by
John Gardiner Myers. See:
http://groups.google.com/group/comp.mail.mime/browse_thread/thread/8a07d8f766a39795/927e4c069364e036?hl=en&lnk=st&q=munpack+group%3Acomp.mail.*#927e4c069364e036

One of the mpack programs is munpack. It takes as input an email message and
outputs each attachment into a separate text file. Just the sort of thing that
you'd do if you then wanted to scan the attachments for viruses.

Mpack long predates 1995.

Karl O. Pinc <kop@meme.com>

[ Reply to This | # ]

BorderWare
Authored by: Anonymous on Wednesday, January 30 2008 @ 05:37 PM EST
Back in 1997, I started at my job. At the time, our firewall was from
Borderware, a Toronto-based firm. The firewall was basically a PC running unix.
On top of forwarding IP packets through after checking if the conversation was
allowed, it had a funky SMTP setup. Basically, it accepted all SMTP on the
outside interface, and saved it to a queue directory, and then a second SMTP
instance would walk the queue, make security decisions (deliver it or dump it)
and then act on it. This way, external mail sources never spoke to an smtpd that
could talk to anyone internal. I don't think that borderware had an anti-virus,
but certainly any system that proxies mail and uses any security-related
criteria to decide to forward the mail or not is good prior-art.

As I recall, the firewall was version 3.something back then, and we'd had it for
a year or so at the time. Borderware says on their website that they are 13
years old.

[ Reply to This | # ]
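The two posts above describe an unpacking step (munpack writing out each attachment) and a store-and-forward queue whose second stage decides "deliver it or dump it". The sketch below is an added example combining the two, not code from mpack or BorderWare; the signature table, the `.eml` queue naming and all function names are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

# Constructed signature table (name -> byte pattern), an assumption for this example.
SIGNATURES = {"Constructed.Test.Marker": b"CONSTRUCTED-TEST-SIGNATURE-0001"}

def unpack_parts(raw: bytes):
    """munpack-style step: return (name, decoded bytes) for every leaf MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers hold no data of their own; walk() descends into them
        # decode=True undoes base64 / quoted-printable, so the scanner sees the
        # bytes a recipient would open rather than the transfer encoding.
        body = part.get_payload(decode=True) or b""
        parts.append((part.get_filename() or f"part{index}", body))
    return parts

def decide(raw: bytes):
    """Second-stage decision for one queued message: (verdict, findings)."""
    findings = [(name, sig)
                for name, body in unpack_parts(raw)
                for sig, pattern in SIGNATURES.items() if pattern in body]
    return ("dump" if findings else "deliver"), findings

def walk_queue(queue_dir: Path) -> dict:
    """Walk the queue directory written by the outside-facing receiver."""
    return {p.name: decide(p.read_bytes()) for p in sorted(queue_dir.glob("*.eml"))}

def build_sample(attachment: bytes) -> bytes:
    """Constructed sample message carrying one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    marker = SIGNATURES["Constructed.Test.Marker"]
    flagged = build_sample(b"\x00\x01" + marker + b"\xff")
    print("pattern visible in raw message:", marker in flagged)
    print(decide(build_sample(b"quarterly numbers")))
    print(decide(flagged))
```

The raw queued file never contains the pattern because the attachment travels base64-encoded, which is why the unpacking step has to come before any content check.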

Prior Art?
Authored by: Anonymous on Wednesday, January 30 2008 @ 08:33 PM EST
A Pathology of Computer Viruses, David Ferbrache, Springer-Verlag Germany, 1992. 5.3.4.1 Identification of Access Controls, Page 99:
"A gateway or gateways should be established which represent the interface between the outside world, external corporate sites and local networks .... Such systems tend to implement enhances security ... including auditing and monitoring of network traffic."

[ Reply to This | # ]

History of Clearswift/NET-TEL & Content Technologies
Authored by: Sandtreader on Thursday, January 31 2008 @ 04:52 AM EST

Clearswift was NET-TEL (legacy site) of Cambridge, UK until 2001. I contracted for them on and off in the early 90's, when it was mostly X.400/X.25 MTAs/MUAs - no virus stuff as far as I remember then. However they migrated to SMTP/IP and started doing content filtering in the late 90's. It looks like that MailGuard product line died at some point; however there might be some latent prior art there.

The MIMESweeper product came from Content Technologies that Clearswift bought from Baltimore in 2002. Baltimore was an early player in PKI infrastructure from Dublin, but after several sales and mergers and takeovers the PKI business ended up being owned by Verizon.

Previously, Baltimore bought Content Technologies in September 2000. The earliest archive page I can find is 1998, which has news going back to 1996, including a Secure Computing review from September 1996, at which point it was version 2.3beta.

Hope this helps point others on the trail!

Paul

[ Reply to This | # ]

Prior art - 16 bit Computers
Authored by: Anonymous on Thursday, January 31 2008 @ 08:11 AM EST
Just have a look at the Antivirus products that were
around for the Commodore Amiga and Atari ST. Here are a
few links, but they are all over the net and they date
from the 1980's.

http://www.dstoecker.eu/antivirus.html
http://catless.ncl.ac.uk/Risks/6.49.html#subj5

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Thursday, January 31 2008 @ 08:13 AM EST
I scanned through a lot of the posts and did not see this question asked and
maybe it should be in Off-topic. Has anyone ever actually paid Barracuda $100 for
a source CD? What about the source rpm's available from their site being from
June of 2006? Doesn't that seem strange to anyone? How about this line from
their warranty and license page?

YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED ZERO COST
LICENSE TO BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS
UTILIZED IN THE BARRACUDA SOFTWARE WHICH YOU EITHER OWN OR CONTROL.

Huh???????

Knocking out a bogus patent is great and all but some have a reasonably good
case in considering Barracuda Networks a parasite on the Free Software and Open
Source communities' back.

[ Reply to This | # ]

OS X Server/ClamAV "Apple crouches in the corner?"
Authored by: Anonymous on Thursday, January 31 2008 @ 11:09 AM EST
From the "Don't get me involved" department?

On ClamAV's site:

http://www.clamav.org/about/who-use-clamav/


On that page is (as of this writing) a link to:

The MacOSX server features page.

Which, NOW points to a dead end page (again as of this writing)...

...but the Wayback Machine has:

http://web.archive.org/web/20070524151914/http://www.apple.com/server/macosx/features/mailservices.html

Come on, Apple, where are you now?

Now is the time for all good companies to come to the aid of ClamAV/Barracuda Networks

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Thursday, January 31 2008 @ 09:07 PM EST
This from IBM is mostly useful.

http://www.research.ibm.com/antivirus/timeline.htm

[ Reply to This | # ]

MailGuard SMTP
Authored by: Anonymous on Friday, February 01 2008 @ 05:15 PM EST
We used MimeSweeper in the mid-1990s. The first product we received in our lab was called MailGuard SMTP. It was during our pilot that the name changed. This was definitely prior to 1995. I doubt I can find any of the original software though. It's been a long time.

The Internet way-back machine shows product propaganda dating back to 1991 for the Mailguard products. This link is from 1991:

MailGuard SMTP

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Saturday, February 02 2008 @ 07:36 AM EST
Possible reading (don't have access to it):
Anti-Virus Tools and Techniques for Computer Systems, W. Timothy Polk, Lawrence
E Bassham III, John P. Wack, Lisa J. Carnahan

[ Reply to This | # ]

Barracuda Networks Asks For Help Finding Prior Art to Defend ClamAV - Updated 3Xs
Authored by: Anonymous on Saturday, February 02 2008 @ 05:43 PM EST
Trend Micro tried this once before, about 10 years or so ago. Can't remember who
they sued, but I do remember being deposed for the better part of a day. My
position was 1) we did it way back when, and 2) we didn't bother to patent it
because it was such a butt-obvious thing. There should be a videotape and a
transcript somewhere in Trend Micro's files that Barracuda's lawyers should be
able to get them to cough up.

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )