funsec mailing list archives

Re: Vulnerability-based IPS Patent


From: Valdis.Kletnieks () vt edu
Date: Thu, 30 Mar 2006 11:31:42 -0500

On Wed, 29 Mar 2006 15:13:16 PST, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:

> Data is tested in transit between a source medium and a destination medium, such
> as between two computers communicating over a telecommunications link or network.
> Each character of the incoming data stream is tested using a finite state
> machine which is capable of testing against multiple search strings representing
> the signatures of multiple known computer viruses.
>
> Following the CHRISTMA exec of 1987, many of the affected systems
> implemented "filters" that would have done pretty much exactly that

Being one of the guys who implemented said filters, it would be a *real* stretch
to call the filter implemented a "state machine", unless you take the stance
that *anything* implemented on a S/370 architecture is a state machine because
the underlying hardware is done as a state machine.

For the most part, the "filter" consisted of mods to 2 places (RSCS and DMSDDL,
the innards of the 'sendfile' command), that basically said either:

'if ftype='EXEC' then ftype='EXEC$'  or 'if ftype='EXEC' then dest='BITBUCKT'

Also, the test implemented was more akin to the current 'Nuke all executable
extensions' often practiced at Windows sites, than 'known viruses'.  When IBM's
version came out as an RPQ, its documentation specifically addressed defanging
all malicious executables, whether known or not.

Sorry, the CHRISTMA filters don't count as prior art for *that* particular claim.
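The distinction the post draws, as an added example that is not part of the thread: a per-character finite state machine matching several signatures at once (what the patent claim describes) next to a file-type filter of the kind the CHRISTMA-era mods implemented. The signature strings, the sample stream and the function names are constructed for illustration.

```python
from collections import deque

def build_fsm(patterns):
    """Aho-Corasick automaton over the given signature strings.
    Each node is a dict; 'fail' links let one pass over the stream
    test every character against all patterns (the patent's FSM)."""
    root = {"next": {}, "fail": None, "out": []}
    for p in patterns:
        node = root
        for ch in p:
            node = node["next"].setdefault(ch, {"next": {}, "fail": None, "out": []})
        node["out"].append(p)
    queue = deque()
    for child in root["next"].values():
        child["fail"] = root
        queue.append(child)
    while queue:  # breadth-first: fail targets are always shallower, hence complete
        cur = queue.popleft()
        for ch, child in cur["next"].items():
            f = cur["fail"]
            while f is not None and ch not in f["next"]:
                f = f["fail"]
            child["fail"] = f["next"][ch] if f is not None and ch in f["next"] else root
            child["out"] += child["fail"]["out"]   # inherit patterns ending here
            queue.append(child)
    return root

def scan_stream(root, stream):
    """Feed the stream one character at a time; return (offset, signature) hits.
    Only signatures known when the FSM was built can ever match."""
    hits, state = [], root
    for i, ch in enumerate(stream):
        while state is not root and ch not in state["next"]:
            state = state["fail"]
        state = state["next"].get(ch, root)
        for sig in state["out"]:
            hits.append((i - len(sig) + 1, sig))
    return hits

def filetype_filter(ftype, dest, drop=False):
    """The CHRISTMA-era mod as the post describes it: act on the file
    type alone, never on content, so unknown executables are caught too.
    drop=False renames EXEC to EXEC$; drop=True reroutes to BITBUCKT."""
    if ftype == "EXEC":
        return ("EXEC", "BITBUCKT") if drop else ("EXEC$", dest)
    return ftype, dest

# Constructed sample: overlapping signatures, one short stream.
SAMPLE_HITS = scan_stream(build_fsm(["ABCD", "BC"]), "xxABCDyy")
```

Running the module sets SAMPLE_HITS to [(3, 'BC'), (2, 'ABCD')]: both overlapping signatures are reported from a single pass, which is the behaviour the file-type filter neither needs nor provides.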

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.