US20210044601A1 - Malicious data scan service - Google Patents
- Publication number
- US20210044601A1 (application US 17/083,910)
- Authority
- US
- United States
- Prior art keywords
- content
- security
- cloud platform
- malicious data
- application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Information Transfer Between Computers (AREA)
Abstract
A communication network may scan data to identify and prevent the spread of malicious data, such as viruses, worms, trojans, malware, and the like, transmitted through the communication network. As scanning content for malicious data within an application program or an application node hosted on the communication network may limit the performance of the application program, a server in a load balanced datacenter environment may host a malicious data scan as a service. Accordingly, the malicious data scan service may scale effectively to accommodate an increasing number of application nodes in the network, and by retrieving updated definitions of malicious data at suitable times, the server may identify malicious data with increasing reliability.
Description
- This application is a continuation of U.S. patent application Ser. No. 15/969,580, filed May 2, 2018, and entitled, “MALICIOUS DATA SCAN SERVICE,” which is herein incorporated by reference in its entirety for all purposes.
- The present disclosure relates generally to scanning content, such as a digital file, for malicious data. More particularly, the present disclosure relates to hosting a malicious data scanning service on a centralized server.
- This section is intended to introduce the reader to various aspects of art that may be related to aspects of the present disclosure, which are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of aspects of the present disclosure. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
- Communication networks are a tool for sharing information and processing capacity among many computers or other network-capable devices. These networks, however, may receive and/or spread malicious data, such as viruses, malware, worms, and/or the like, between devices on the network if data transmitted over the network becomes infected with malicious data. Further, as the number of users and/or devices in the communication network increases, the potential for malicious data may increase. However, scanning data for malicious data may involve significant time and resources, limiting the efficiency of the communication network, and as the size of the network grows (e.g., the number of unauthenticated users increases), the time and resources involved with scanning data to protect the communication network from malicious data may increase.
- A summary of certain embodiments disclosed herein is set forth below. It should be understood that these aspects are presented merely to provide the reader with a brief summary of these certain embodiments and that these aspects are not intended to limit the scope of this disclosure. Indeed, this disclosure may encompass a variety of aspects that may not be set forth below.
- The disclosed techniques include hosting, using one or more security servers in a load balanced datacenter environment, a service to scan for malicious data (e.g., viruses, malware, worms, and/or the like) within a communication network. In the communication network, an application program hosted within a platform may receive a request from a client computing device to upload and/or download content (e.g., a digital file) to the application program. As such content may contain malicious data, to identify and to limit the spread of the malicious data throughout the communication network, the content may be scanned for malicious data. However, scanning content within the application program may consume the limited resources of the application, resulting in decreased application program performance. Accordingly, by offloading the scan for malicious data to run as a service of the one or more security servers, the application program may communicate with the client computing device more efficiently. Further, by hosting the one or more security servers in a load balanced datacenter, the number of security servers may efficiently be scaled based on load to more effectively handle a changing demand for malicious data scans within the communication network.
- Various refinements of the features noted above may exist in relation to aspects of the present disclosure. Further features may also be incorporated in these various aspects as well. These refinements and additional features may exist individually or in any combination. For instance, various features discussed below in relation to one or more of the illustrated embodiments may be incorporated into any of the above-described aspects of the present disclosure alone or in any combination. The brief summary presented above is intended only to familiarize the reader with certain aspects and contexts of embodiments of the present disclosure without limitation to the claimed subject matter.
- Various aspects of this disclosure may be better understood upon reading the following detailed description and upon reference to the drawings in which:
- FIG. 1 is a block diagram of a distributed computing system utilizing a platform and a database (DB), in accordance with an embodiment;
- FIG. 2 is a block diagram of a computing device utilized in the distributed computing system of FIG. 1, in accordance with an embodiment;
- FIG. 3 is a dataflow diagram of content uploads and downloads in the distributed computing system of FIG. 1, in accordance with an embodiment;
- FIG. 4 is a dataflow diagram of scanning clean content uploads in an application for malicious data, in accordance with an embodiment;
- FIG. 5 is a dataflow diagram of scanning infected content uploads in an application for malicious data, in accordance with an embodiment;
- FIG. 6 is a dataflow diagram of scanning clean content requested for download from an application for malicious data, in accordance with an embodiment;
- FIG. 7 is a dataflow diagram of scanning infected content requested for download from an application for malicious data, in accordance with an embodiment;
- FIG. 8 is a flow diagram of a method to upload content to an application, in accordance with an embodiment;
- FIG. 9 is a flow diagram of a method to scan content uploaded to and/or requested for download from an application for malicious data, in accordance with an embodiment;
- FIG. 10 is a flow diagram of a method to download content from an application, in accordance with an embodiment;
- FIG. 11 is a block diagram of a distributed computing system utilizing a load balancer and a datacenter, in accordance with an embodiment; and
- FIG. 12 is a block diagram of a server in the datacenter of FIG. 11 configured to scan content for malicious data, in accordance with an embodiment.
- One or more specific embodiments will be described below. In an effort to provide a concise description of these embodiments, not all features of an actual implementation are described in the specification. It should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and enterprise-related constraints, which may vary from one implementation to another. Moreover, it should be appreciated that such a development effort might be complex and time consuming, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure.
- A communication network may be utilized to share information with computing devices directly or indirectly connected to the network. For example, an application program (e.g., Community application hosting forums or discussion groups, a human resources application for accepting and processing applications and resumes, an accounting application for processing invoices and bills, and so forth) hosted by an application server in a platform maintained on the communication network may allow the computing devices to upload content (e.g., a file) to and/or download content from a database within the platform. As such, a first computing device may access (e.g., download) content uploaded to the database from a second computing device. However, as the number of users, potentially including unauthorized or unsecure users, uploading and/or downloading content via the computing devices increases, the number of potential sources for transmitting malicious data, such as viruses, worms, trojans, malware, and the like, between components (e.g., computing devices) in the communication network may increase. Accordingly, the communication network may scan an increased amount of data (e.g., uploaded content and/or downloaded content) for malicious data to identify and prevent the spread of such malicious data transmitted through the communication network. As scanning content for malicious data within the application program or an application node running the application program (e.g., an instance of the application program) may limit the performance of the application program by consuming limited resources, in some embodiments, a security server (e.g., a ServiceNow antivirus program (SNAP) server) in a load balanced datacenter environment may host the malicious data scan as a service. Accordingly, the application program or node may utilize less time and/or resources to communicate with a computing device, as the malicious data scan may be offloaded to the security server. 
Further, because the security server(s) may be implemented in a load balanced datacenter, the number of security servers may be scaled based on load to more effectively handle an increasing (or decreasing) number of computing devices communicating and/or application nodes running in the network. Further, by retrieving updated definitions of malicious data (e.g., malware signatures) at suitable times, the security server may identify malicious data with increasing reliability.
- With the preceding in mind,
FIG. 1 is a block diagram of a system 100 that utilizes distributed computing and that may be used in conjunction with the approaches discussed herein. As illustrated, one or more client devices 102 communicate with a platform (e.g., a cloud service) 104 over a communication channel 106. Each client device 102 may include any suitable computing system. For instance, the client device 102 may include one or more computing devices, such as a mobile phone, a tablet computer, a laptop computer, a notebook computer, a desktop computer, or any other suitable computing device or combination of computing devices. Each client device 102 may include client or access application programs running on the computing devices. Each client device 102 can be implemented using a single physical unit or a combination of physical units (e.g., distributed computing) running one or more client application programs. Furthermore, in some embodiments, a single physical unit (e.g., server) may run multiple client application programs simultaneously.
- The platform (e.g., cloud service) 104 may include any suitable number of computing devices (e.g., computers) in one or more locations that are connected together using one or more networks. For instance, the
platform 104 may include various computers acting as servers in datacenters at one or more geographic locations where the computers are connected together using network and/or Internet connections. The communication channel 106 may include any suitable communication mechanism for electronic communication between each client device 102 and the platform 104. The communication channel 106 may incorporate local area networks (LANs), wide area networks (WANs), virtual private networks (VPNs), cellular networks (e.g., long term evolution networks), and/or other network types for transferring data between the client device 102 and the platform 104. For example, the communication channel 106 may include an Internet connection when the client device 102 is not on a local network common with the cloud service 104. Additionally or alternatively, the communication channel 106 may include network connection sections when the client and the cloud service 104 are on different networks or entirely using network connections when the client device 102 and the cloud service 104 share a common network. Although only four clients 102 are shown connected to the platform 104 in the depicted example, it should be noted that platform 104 may connect to any number of clients 102 (e.g., tens, hundreds, or thousands of clients 102).
- Through the
platform 104, the client device 102 may connect to various devices with various functionality, such as gateways, routers, load balancers, databases, application servers running application programs on one or more nodes, or other devices that may be accessed via the platform 104. For example, the client device 102 may connect to an application server 107 and/or a database (DB) 108 via the platform 104. The application server 107 may include any computing system, such as a desktop computer, laptop computer, server computer, and/or any other computing device capable of providing functionality from an application program to the client device 102. The application server 107 may include one or more application nodes running application programs whose functionality is provided to the client via the platform 104. The application nodes may be implemented using processing threads, virtual machine instantiations, or other computing features of the application server 107. Moreover, the application nodes may store, evaluate, or retrieve data from a database and/or a database server (e.g., the DB 108). For example, the DB 108 may store tables of information (e.g., content, content types, user permissions, user profile data, user subscription data, notification preferences, etc.) relevant to the application supported by an application node.
- Additional to or in place of the
DB 108, the platform 104 may include one or more other database servers. The database servers are configured to store, manage, or otherwise provide data for delivering services to the client device 102 over the communication channel 106. The database server includes one or more databases (e.g., DB 108) that are accessible by the application server 107, the client device 102, and/or other devices external to the databases. The databases may be implemented and/or managed using any suitable implementations, such as a relational database management system (RDBMS), an object database, an extensible markup language (XML) database, a configuration management database (DB), a management information base (MIB), one or more flat files, and/or other suitable non-transient storage structures. In some embodiments, more than a single database server may be utilized. Furthermore, in some embodiments, the platform 104 may have access to one or more databases external to the platform 104 entirely.
- Access to the
platform 104 is enabled via a server 126 via a communication channel 128. The server 126 may include an application program (e.g., Java application) that runs as a service (e.g., Windows service or UNIX daemon) that facilitates communication and movement of data between the platform 104 and external applications, data sources, and/or services. The server 126 may be implemented using a computing device (e.g., server or computer) on the network 112 that communicates with the platform 104.
- The
communication channel 128 may be a database table that is typically queried, updated, and inserted into by other systems. In such an implementation, each record in the communication channel 128 is a message from an instance in the platform 104 to a system (e.g., server 126) external to the platform 104 that connects to the platform 104 or a specific instance running in the platform 104 or a message to the instance from the external system. The fields of a communication channel 128 record include various data about the external system or the message in the record.
- The
application servers 107 may store content accessible by one or more users via one of the clients 102. For example, the application server 107 may facilitate user interaction to upload content to and/or download content from an application, such as a Community application. As a result, users may share content such as files, attachments, data, and the like via the application servers 107.
- As discussed herein, users may be allowed to upload content to and/or download content from an application. In such circumstances, the content transmitted via the
application servers 107 has the potential to contain malicious data. Accordingly, the content transmitted via the application servers 107 may be scanned for malicious data before the content is made available to additional clients 102 and/or components (e.g., application server 107, database 108, server 126, and the like) of the system 100. Further, to improve the performance of the application server 107, which may host an application node running the respective application for each client device 102 interacting with the application, a security server may host the malicious data scan as a service, as will be described in further detail below. Accordingly, the time and resources involved with scanning data in the system 100 for malicious data may be reduced or offloaded so as to reduce impact on application services.
- FIG. 2 generally illustrates a block diagram of an internal configuration of a computing device 200, such as a computing device suitable for utilizing or providing access to an application or database or for performing scans for malicious data, as discussed herein. With respect to FIGS. 1 and 2, the computing device 200 may be an embodiment of the client device 102, the application server 107, a database server (e.g., DB 108), other servers in the platform 104 (e.g., server hosting the communication channel 128) or a security server as discussed herein, and/or a device running the server 126. As previously noted, these devices may include a computing system that includes multiple computing devices and/or a single computing device, such as a mobile phone, a tablet computer, a laptop computer, a notebook computer, a desktop computer, a server computer, and/or other suitable computing devices.
- As illustrated, the
computing device 200 may include various hardware components. For example, the device includes one or more processors 202, one or more buses 204, memory 206, input structures 208, a power source 210, a network interface 212, a user interface 214, and/or other computer components useful in performing the functions described herein.
- The one or
more processors 202 may include a processor capable of performing instructions stored in the memory 206. For example, the one or more processors may include microprocessors, systems on a chip (SoCs), or any other circuitry capable of performing functions by executing instructions, such as instructions stored in the memory 206. Additionally or alternatively, the one or more processors 202 may include application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), and/or other devices that may perform the functions discussed herein without calling instructions from the memory 206. Moreover, the functions of the one or more processors 202 may be distributed across multiple processors in a single physical device or in multiple processors in more than one physical device. The one or more processors 202 may also include specialized processors, such as a graphics processing unit (GPU).
- The one or
more buses 204 include suitable electrical channels to provide data and/or power between the various components of the computing device. For example, the one or more buses 204 may include a power bus from the power source 210 to the various components of the computing device. Additionally, in some embodiments, the one or more buses 204 may include a dedicated bus among the one or more processors 202 and/or the memory 206.
- The
memory 206 may include any tangible, non-transitory, and computer-readable storage media. For example, the memory 206 may include volatile memory, non-volatile memory, or any combination thereof. For instance, the memory 206 may include read-only memory (ROM), randomly accessible memory (RAM), disk drives, solid state drives, external flash memory, or any combination thereof. Although shown as a single block in FIG. 2, the memory 206 can be implemented using multiple physical units in one or more physical locations. The one or more processors 202 access data in the memory 206 via the one or more buses 204.
- The
input structures 208 provide structures to input data and/or commands to the one or more processors 202. For example, the input structures 208 may include a positional input device, such as a mouse, touchpad, touchscreen, and/or the like. The input structures 208 may also include a manual input, such as a keyboard and the like. These input structures 208 may be used to input data and/or commands to the one or more processors 202 via the one or more buses 204. The input structures 208 may alternatively or additionally include other input devices.
- The
power source 210 can be any suitable source for power of the various components of the computing device 200. For example, the power source 210 may include line power and/or a battery source to provide power to the various components of the computing device 200 via the one or more buses 204.
- The
network interface 212 is also coupled to the processor 202 via the one or more buses 204. The network interface 212 includes one or more transceivers capable of communicating with other devices over one or more networks (e.g., the communication channel 106). The network interface may provide a wired network interface, such as Ethernet, or a wireless network interface, such as 802.11, Bluetooth, cellular (e.g., LTE), or other wireless connections. Moreover, the computing device 200 may communicate with other devices via the network interface 212 using one or more network protocols, such as Transmission Control Protocol/Internet Protocol (TCP/IP), power line communication (PLC), Wi-Fi, infrared, and/or other suitable protocols.
- A
user interface 214 may include a display that is configured to display graphics transferred to it from the one or more processors 202. In addition and/or alternative to the display, the user interface 214 may include other devices for interfacing with a user.
- As discussed herein, an application program and/or application node in the
platform 104 may host an application that allows a user to upload content to and/or download content from, for example, the database 108. In some embodiments, content suitable to be uploaded and/or downloaded via the application may include any suitable file format, such as a text file (e.g., a file with the extension .txt), a document (e.g., a file with the extension .doc, .docx, or .pdf), an image (e.g., a file with the extension .jpeg, .png, or the like), a media file (e.g., a file with the extension .mp4), and/or the like. Accordingly, a user may use the computing device 200 to upload and/or download such content to and/or from the application.
- Further, in some embodiments, before a user may transmit content to and/or receive content from (e.g., upload and/or receive, respectively) the application, the identity and/or credentials associated with the user may be determined. Additionally or in the alternative, the user may request authorization to access and interact with the application, which may involve an approval process. As such, access to the application may be limited to a set of suitable users, and threatening users, such as programs designed to disperse malicious data, may be blocked from accessing the application. In some embodiments, however, the user may upload and/or download content from the application without any authorization and/or validation of credentials. As such, the content flowing into and out of the application may originate from a wider variety of sources (e.g., users). Accordingly, to protect each of the users, the application, and any other systems that may communicate with the application, the content may be scanned to search for malicious data (e.g., malware, virus, trojan, worm, and the like).
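The scan-before-release flow this description sets out, with uploads held back until a separate security server reports them clean, looks like this in Python. This is an added illustration, not code from the patent or from any product it names: the `pending` state and the eligibility and availability checks follow the FIG. 4 discussion, while the class names, the `available` and `infected` states, the eligibility limits, the byte-marker definitions, and the choice to leave ineligible or not-yet-scannable content pending are assumptions.

```python
# Scan-before-release upload flow with the scan offloaded to a separate service.
# Added illustration: names, limits and non-"pending" states are assumptions.
import base64
import itertools
from collections import deque
from dataclasses import dataclass

# Assumed eligibility rules (the description only says format, file size, etc.).
ELIGIBLE_TYPES = {"text/plain", "application/pdf", "image/png"}
MAX_SCAN_BYTES = 1024

# Constructed, harmless byte markers standing in for malicious data definitions.
DEFINITIONS = {"Constructed.Test.Marker": b"CONSTRUCTED-MALICIOUS-MARKER"}


class SecurityServer:
    """Stand-in for the scan service hosted outside the application node."""
    def __init__(self, definitions, online=True):
        self.definitions = dict(definitions)
        self.online = online

    def is_available(self):
        return self.online

    def scan(self, name, data):
        # Compare the content against every definition; first match wins.
        for label, marker in self.definitions.items():
            if marker in data:
                return {"name": name, "verdict": "infected", "match": label}
        return {"name": name, "verdict": "clean", "match": None}


@dataclass
class Attachment:
    name: str
    content_type: str
    encoded: bytes            # base64, as stored in the attachment table
    state: str = "pending"    # flag: not yet scanned, not yet downloadable


class AttachmentProcessor:
    """Application-node side: stores uploads and queues asynchronous scans."""
    def __init__(self, server):
        self.server = server
        self.table = {}              # attachment table: id -> Attachment
        self.scan_queue = deque()    # scan requests not yet answered
        self._ids = itertools.count(1)

    def upload(self, name, content_type, data):
        # Insert with state=pending and return at once; the scan runs later.
        att_id = next(self._ids)
        self.table[att_id] = Attachment(name, content_type, base64.b64encode(data))
        self.scan_queue.append(att_id)
        return att_id

    def is_eligible(self, att):
        size = len(base64.b64decode(att.encoded))
        return att.content_type in ELIGIBLE_TYPES and size <= MAX_SCAN_BYTES

    def run_scans(self):
        """Drain the queue; return the ids that received a verdict."""
        scanned, deferred = [], deque()
        while self.scan_queue:
            att_id = self.scan_queue.popleft()
            att = self.table[att_id]
            if not self.is_eligible(att):
                continue                  # assumption: never released unscanned
            if not self.server.is_available():
                deferred.append(att_id)   # assumption: retry on the next run
                continue
            result = self.server.scan(att.name, base64.b64decode(att.encoded))
            # Only a clean verdict removes the flag.
            att.state = "available" if result["verdict"] == "clean" else "infected"
            scanned.append(att_id)
        self.scan_queue = deferred
        return scanned

    def download(self, att_id):
        att = self.table[att_id]
        if att.state != "available":
            raise PermissionError(f"attachment {att_id} is {att.state}")
        return base64.b64decode(att.encoded)


def demo():
    """Walk three constructed uploads through the flow; return their states."""
    app = AttachmentProcessor(SecurityServer(DEFINITIONS))
    clean = app.upload("notes.txt", "text/plain", b"meeting notes")
    bad = app.upload("cv.pdf", "application/pdf", b"%PDF CONSTRUCTED-MALICIOUS-MARKER")
    big = app.upload("dump.txt", "text/plain", b"x" * (MAX_SCAN_BYTES + 1))
    before = [app.table[i].state for i in (clean, bad, big)]
    app.run_scans()
    after = [app.table[i].state for i in (clean, bad, big)]
    return before, after


if __name__ == "__main__":
    print(demo())
```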
- Turning now to FIG. 3 and with reference to FIG. 1, an embodiment of a dataflow 300 used to exchange content between an application and a user is illustrated. In such embodiments, the user may interact with a client device 102 via a computing device 200, for example, to access a client application. As shown in the illustrated embodiment, the client application may include an interface allowing the user to upload to and/or download content (shown at block 302) from a certain location, such as the platform 104. The client application may, in turn, interact with an application server 107, which may host an application 304 (e.g., the depicted Community application). More specifically, in some embodiments, the client application may interact with an application node of the application 304 hosted by the application server 107. Further, as described above, a communication channel 106 may facilitate the interaction (e.g., communication) between the client device 102 and the application node hosted by the application server 107. In the illustrated embodiment, the communication channel 106 may facilitate file streaming to upload and/or download content, and, as illustrated, communication may be supported using hypertext transfer protocol (HTTP) or hypertext transfer protocol secure (HTTPS).
- Further, the
application server 107 hosting the application 304 may interact with and/or within a platform 104, such as the Glide Platform 306 illustrated in FIG. 3. Through this interaction, data, such as content requested or received from the user, may respectively be retrieved from or stored in a database 108, such as the illustrated Glide Database 308, which may be included in or accessible via the Glide Platform 306.
- To monitor the content moving into and out of the database 108 (e.g., Glide database 308), the platform 104 (e.g., Glide Platform 306) may also communicate with a security server 310 (here denoted as a ServiceNow Antivirus Program (SNAP) Server). As will be described in further detail below, the
security server 310 may provide a service that may scan the content included in the platform 104 (e.g., in the database 108) for malicious data. Accordingly, functions involved with scanning the content may be hosted externally to the application 304 and/or the Glide platform 306.
- While the
application 304 is illustrated separately from the Glide Platform 306, in some embodiments, the application node hosting the application may be included in the same platform 104 as the Glide Platform 306 and/or as the Glide Database 308. That is, the dataflow diagram 300 is intended to be illustrative, and not limited to the embodiments disclosed.
- Turning to
FIG. 4, a second dataflow diagram 400 provides a more detailed depiction of the processes involved with uploading clean content (e.g., content that lacks malicious data) to the application. While the second dataflow diagram 400 is described in the context of a particular embodiment, it should be noted that the processes included in the second dataflow diagram 400 may be performed in any suitable order. Further, certain processes may be skipped altogether, and additional processes may be included in the second dataflow diagram 400.
- A user, via a
client device 102, may upload content (e.g., a file) to the application. To do so, the client device 102 may interact with a client application that, as described with reference to FIG. 3, may communicate with an application node hosted by an application server 107. In some embodiments, the client application may interface with an attachment processor 402, which may represent an application program or a portion of an application program running in the application node. The attachment processor 402 may receive the content uploaded (e.g., uploadFile) by the client device 102 and may transmit the content to an encoder/decoder 405 (e.g., encode). The encoder/decoder 405 may represent an application program or a portion of an application program (e.g., a function) running in the same application node as the attachment processor 402. Further, the encoder/decoder 405 may encode the content according to base64 encoding and/or any suitable encoding scheme for the attachment table 408. Additionally or in the alternative, the attachment processor 402 may encode the content according to base64 and/or a suitable encoding scheme for the attachment table 408. In any case, the attachment processor 402 may insert the encoded content into an attachment table 408 (e.g., insert), which may reside in a database 108, such as the Glide Database 308. Further, the attachment processor 402 and/or the database 108 may flag (e.g., mark) the inserted content to indicate that it has not been scanned for malicious data. In some embodiments, the flagged content may not be accessible to other clients 102 interacting with the platform 104. Accordingly, the flagged content may be inactive until the flag is removed, and as such, malicious data, if present in the content, may not be accessed and/or spread throughout the system 100.
In the illustrated embodiment, to flag the content, the attachment processor 402 may insert the encoded content with the state pending (e.g., insert (state=pending)) and/or may update the state of the encoded content to pending after inserting it in the attachment table 408.
- The
attachment processor 402 may further transmit the uploaded content and/or information related to the uploaded content to an antivirus scanner 410 (e.g., Async scan) to request an asynchronous scan for malicious data in the content. The antivirus scanner 410 may be a plug-in or a portion of a plug-in available in the platform 104 and/or on the application server 107. Accordingly, before transmitting the uploaded content to the antivirus scanner 410, the attachment processor 402 may determine whether the antivirus scanner 410 is active (e.g., enabled) in the platform 104. In some embodiments, if the plug-in is enabled, the attachment processor 402 may send a message to the antivirus scanner 410 so that the antivirus scanner 410 may interact with a security client 412 (depicted here as a SNAP client), which may be another portion of the plug-in. In such embodiments, the antivirus scanner 410 may determine, based on the interaction with the security client 412, whether the content is eligible (e.g., suitable) to be scanned by the security server (e.g., isEligible==true). Eligible content may include content with a certain format, file size, and/or the like. If the content is eligible, the antivirus scanner 410 may then determine whether the security server 310 and its antivirus scanning service are available to scan the uploaded content. As such, the security client 412 may determine whether the security server 310 is powered on, able to communicate with the security client 412, and/or the like.
- If the
security server 310 is available (e.g., isAvailable==true), the security client 412 may transmit the uploaded content to be scanned for malicious data and/or may transmit a request to the security server 310 to scan the uploaded content. The security server 310 may then process, using a service, the uploaded content to search for malicious content. More specifically, in some embodiments, the security server 310 may contain a number of malicious data definitions (e.g., descriptors of viruses, trojans, worms, and the like) or non-signature base heuristics to compare the uploaded content against. If, as illustrated in FIG. 4, no portion of the uploaded content contains data matching a malicious data definition, the security server 310 may mark the uploaded content as clean to indicate that it does not contain malicious data. Accordingly, the security server 310 may transmit a message (e.g., a response) back to the security client 412 indicating that the uploaded content is clean. The message may further include information, such as a message identifier, a name of the file and/or content scanned, a content type of the file, and/or the like, related to the security server 310, the scan for malicious data, the file, or a combination thereof. Further, as the message may be an asynchronous response, the message may be transmitted to the security client 412 in real-time. Accordingly, the security client 412 and subsequently, the application 304 may perform other tasks while the security server 310 scans content for malicious data. The security client 412 may relay this message to the antivirus scanner 410, which may relay the message to the attachment processor 402.
- In such cases, because the uploaded content is clean, the flag may be removed from the uploaded content in the attachment table 408. That is, the uploaded content may be made accessible to
other clients 102 and/or components of the system 100. Accordingly, the antivirus scanner 410 and/or the attachment processor 402 may remove the flag on the uploaded content in the attachment table 408. As illustrated, to do so, the antivirus scanner 410 may update the state of the uploaded content in the attachment table from pending to available (e.g., update (state=Available)). The attachment processor 402 may additionally communicate back to the client device 102 that the content was uploaded successfully (e.g., Success) to the platform 104, and the attachment processor 402 may communicate to the client device 102 the results of the scan performed by the security server 310.
- Further, in some embodiments, the
attachment processor 402 and/or the antivirus scanner 410 may update a history (e.g., a table and/or a table entry) of scans performed by the security server 310 based on the message transmitted from the security server 310. For example, the antivirus scanner 410 may add an entry (e.g., insertScanRecords) to a scan history table and rule engine 407, which may be stored in the database 108 and/or in a separate database, to record the results of the scan for malicious data on the uploaded content. Additionally or alternatively, the attachment processor 402 and/or the antivirus scanner 410 may update an entry in the attachment table 408 to reflect the results of the scan.
- If, as illustrated in the third dataflow diagram 500 of
FIG. 5, any suitable portion of the uploaded content contains data matching a malicious data definition, the security server 310 may mark the uploaded content as infected to indicate that it does contain malicious data. Accordingly, the security server 310 may transmit a message (e.g., a response) back to the security client 412 indicating that the uploaded content is infected (e.g., INFECTED). The security client 412 may relay this message to the antivirus scanner 410. Upon receiving a message indicating that the uploaded content is infected, the antivirus scanner 410 may raise an event at the security client 412. The raised event may be a service level event that, for example, the security client may subscribe and/or respond to. Further, in some embodiments, the antivirus scanner 410 may quarantine the infected content that was uploaded. That is, for example, the antivirus scanner 410 may ensure that the infected content remains inaccessible so that the malicious data is not spread to additional components (e.g., clients 102, servers 126, and the like) in the system 100. Accordingly, the antivirus scanner 410 may interact with the attachment table 408 to flag the infected content in the attachment table 408 to mark it as unavailable (e.g., quarantined). As illustrated, to do so, the antivirus scanner 410 may update the state of the uploaded content in the attachment table 408 from pending to not available (e.g., update (state=Not Available)). However, in some embodiments, users with suitable privileges, such as an application administrator, may later access the stored infected content to verify and/or address (e.g., remove) the presence of malicious data in the content. Additionally or in the alternative, the antivirus scanner 410 and/or the attachment processor 402 may move the infected content from the attachment table 408 into a separate quarantine table, which may reside in the same database 108 holding the attachment table 408 or another database 108.
- As discussed above with reference to the second dataflow diagram 400, the
attachment processor 402 and/or the antivirus scanner 410 may also update a history (e.g., a table and/or a table entry) of scans performed by the security server 310 based on the message transmitted from the security server 310. Accordingly, the antivirus scanner 410 may add an entry (e.g., insertScanRecords) to the scan history table and rule engine 407 to record the results of the scan for malicious data on the uploaded content. Additionally or alternatively, the attachment processor 402 and/or the antivirus scanner 410 may update an entry in the attachment table 408 to reflect the results of the scan.
- In any case, the
antivirus scanner 410 may communicate to the attachment processor 402 that the content was infected (e.g., infected) and/or that the infected content was quarantined and/or flagged to be quarantined. Accordingly, the attachment processor 402 may send a response to the client device 102 to inform the client device 102 that the uploaded content was infected and/or that the content upload failed (e.g., error). That is, the client device 102 may be informed that the content is not available to other clients 102 and/or components in the system 100.
- While the third dataflow diagram 500 is described in the context of a particular embodiment, it should be noted that the processes included in the third dataflow diagram 500 may be performed in any suitable order. Further, certain processes may be skipped altogether, and additional processes may be included in the third dataflow diagram 500.
- Turning now to
FIG. 6, a fourth dataflow diagram 600 illustrates the processes that may be involved in downloading content from the application. While the fourth dataflow diagram 600 is described in the context of a particular embodiment, it should be noted that the processes included in the fourth dataflow diagram 600 may be performed in any suitable order. Further, certain processes may be skipped altogether, and additional processes may be included in the fourth dataflow diagram 600.
- To download (e.g., retrieve) content from the application, the
client device 102 may interact with the client application to request content for downloading. The client application, which may be hosted on the client device 102 (e.g., on a computing device 200), may interface with the application hosted by an application server 107. As discussed above with reference to FIGS. 4-5, the attachment processor 402, which may be a portion of the application node running the application, may receive the request from the client device 102. In this case, the request (e.g., downloadFile) may include details related to the content that the client device 102 is attempting to download from the application. The attachment processor 402 may then send a read request (e.g., read) to the attachment table 408 to retrieve the content requested for downloading. Further, the attachment processor 402 may determine whether the requested content is available (e.g., isAvailable?), which may involve determining the state, such as pending, available, available conditionally, or not available, of the content in the attachment table 408. The attachment processor 402 may determine whether the requested content is available separately from or concurrently with sending the request to retrieve the content from the attachment table 408. Further, as the content stored in the attachment table 408 may be encoded (e.g., base64 encoded), the attachment processor 402 may request the encoder/decoder 405 to decode (e.g., base64 decode) the content retrieved from the attachment table 408 into a suitable (e.g., human readable) format.
- In some embodiments, based on the state of the requested content, the
attachment processor 402 may determine whether the requested content will be scanned for malicious data prior to delivering the content to the user. For example, if the state of the requested content is available, the attachment processor 402 may deliver the content to the user without scanning the content for malicious data, while the attachment processor 402 may request a scan for malicious data when the state of the requested content is pending or conditionally available. Additionally or in the alternative, the attachment processor 402 may communicate with the security client 412 and/or the antivirus scanner 410 to determine whether the retrieved content will be scanned for malicious data prior to delivering the content to the user. The retrieved content may be scanned prior to its delivery to the user if, for example, the content predates the use of the malicious data scan service provided by the security server 310 in the system 100. Further, if the content predates any changes (e.g., additions, deletions, edits, and/or the like) to the malicious data definitions included in the security server 310, the retrieved content may be scanned and/or re-scanned for malicious data prior to its delivery to the user. Accordingly, the antivirus scanner 410 and/or the security client 412 may determine a date the retrieved content was uploaded to the attachment table 408 to determine whether to scan the retrieved content for malicious data. If the retrieved content will not be scanned for malicious data, as determined by the antivirus scanner 410, the antivirus scanner 410 may send a response to the attachment processor 402 communicating that the retrieved content is ready for the user to download. In response, the attachment processor 402 may transmit the retrieved content to the user by, for example, file streaming the data (e.g., StreamFile).
- If, however, the
antivirus scanner 410 and/or the security client 412 determines that the retrieved content will be scanned for malicious data and/or in embodiments where the retrieved content is always scanned for malicious data, the security client 412 may proceed to communicate with the security server 310. As described above with reference to FIGS. 4 and 5, the security server 310, if available (e.g., isAvailable==true), may scan the retrieved content for malicious data and the security client 412 may communicate the results of the scan. If, as illustrated in FIG. 6, the results of the scan are clean (e.g., no malicious data was identified), the security client 412 may update, in the scan history table and rule engine 407, the history of malicious data scans performed by the security server 310, as described above. Further, in some embodiments, the security client 412 may instruct the attachment table 408 to update the state of the requested content to available (e.g., update (state=available)). The security client 412 may also instruct the attachment processor 402 to transmit the retrieved content to the user (e.g., StreamFile).
- As discussed above, in some embodiments, the retrieved content may be scanned before delivery to the user regardless of the date the content was uploaded to the attachment table 408 and/or regardless of any updates to the types (e.g., definitions) of malicious data the security server 310 scans for. As such, the
security server 310, if available, may always scan suitable retrieved content before the content is delivered to the user.
- If the
security server 310 detects malicious data in the retrieved content during a scan, the security server 310 may transmit a message (e.g., a response) to the security client 412 indicating that the content the user requested for download is infected (e.g., INFECTED), as illustrated in the fifth dataflow diagram 700 in FIG. 7. The security client 412 and/or the antivirus scanner 410 may then raise an event, as described above. The security client 412 may also update (e.g., insertScanRecord), in the scan history table and rule engine 407, the history of malicious data scans performed by the security server 310. Further, the security client 412 may quarantine (e.g., move and/or flag) the infected content that was requested for download. Accordingly, the security client 412 may update the state of the requested content (e.g., update (state=not available)) in the attachment table 408 to mark the requested content unavailable. Further, the security client 412 may communicate to the attachment processor 402 that the infected content was quarantined and/or flagged to be quarantined. Accordingly, the attachment processor 402 may send a response to the client device 102 to inform the client device 102 that the requested content was infected and/or that the content download failed (e.g., Error).
- While the processes included in
FIGS. 4-7 are described as being performed by specific components (e.g., attachment processor 402, encoder/decoder 405, scan history table and rule engine 407, attachment table 408, antivirus scanner 410, security client 412, security server 310, and/or the like), any suitable process may be performed by any suitable component or combination of components. Further, the components may be hosted by any suitable element (e.g., client device 102, platform 104, application server 107, database 108, security server 310, server 126, and/or the like) within the system 100.
- Turning now to
FIG. 8, a method 800 provides a general depiction of the steps involved with uploading content to the application. While the method 800 is described in the context of a particular embodiment, it should be noted that the steps included in the method 800 may be performed in any suitable order. Further, certain steps may be skipped altogether, and additional processes may be included in the method 800. Additionally, while the following is described as being performed by certain components within or hosted within the system 100, each step may be performed by any suitable component or combination of components, which may be hosted by any suitable element or combination of elements within the system 100.
- In some embodiments, a
client device 102 may initiate the method 800 by uploading an attachment (e.g., a file) to an application (process block 802). As described above, this step may involve the attachment processor 402 receiving a request (e.g., upload application programming interface (API) request) from the client device 102 to upload a file. Then, the attachment processor 402 may determine whether the antivirus scanner 410 and/or the security server 310 (e.g., scan attribute) is activated and/or enabled (decision block 804). Further, the attachment processor 402 and/or the antivirus scanner 410 may determine whether the file the client device 102 requested for upload is a supported content type (decision block 804). To determine whether the antivirus scanner 410 and/or the security server 310 are enabled, the attachment processor 402 may attempt to communicate with the antivirus scanner 410. In some embodiments, if the antivirus scanner 410 is activated, the communication received by the antivirus scanner 410 from the attachment processor 402 may prompt the antivirus scanner 410 to determine whether the file the client device 102 requested for upload is eligible for scanning (e.g., a supported content type). In any case, to determine whether the file is a supported content type, the antivirus scanner 410 may determine whether the file is a suitable size (e.g., less than 25 Megabytes (MB)) and/or whether the file is a suitable format.
- If the
attachment processor 402 determines that the antivirus scanner 410 is not enabled, the antivirus scanner 410 determines that the attachment is not a suitable size, the antivirus scanner 410 determines that the attachment is not a suitable file format, or the security client 412 determines that the security server 310 is unavailable, the antivirus scanner 410 may update the state of the file, which may be inserted in the attachment table 408, to not available (process block 806). In such cases, the security server 310 may not perform a scan for malicious data in the uploaded content. Yet, in some embodiments, even though the content was not scanned for malicious data, a response may still be returned to the client device 102. In such cases, the response may originate from the portion of the system 100 (e.g., the attachment processor 402, the antivirus scanner 410, the security client 412 and/or the like) responsible for determining that a scan may be ignored (e.g., at decision block 804). For example, if the attachment processor 402 determines that the antivirus scanner 410 is unavailable (decision block 804), the attachment processor 402 may transmit a response to the client device 102 conveying that the antivirus scanner 410 is unavailable. Further, if the antivirus scanner 410 determines that the attachment requested for uploading is an unsuitable size (e.g., too large), the antivirus scanner 410 may transmit a response to the client device 102 to inform the client device 102 that the upload may not be completed successfully due to the size of the attachment. In any case, after a response is returned to the client device 102, the method 800 may conclude.
- If, on the other hand, the file is eligible for scanning, the
attachment processor 402 may update the state of the file, which may be inserted in the attachment table 408, to pending (process block 808). Further, the attachment processor 402 may trigger (e.g., request) an asynchronous (async) scan for malicious data in the uploaded content (process block 810).
- Turning now to
FIG. 9, a method 812 provides a general depiction of the steps involved with scanning content for malicious data. While the method 812 is described in the context of a particular embodiment, it should be noted that the steps included in the method 812 may be performed in any suitable order. Further, certain steps may be skipped altogether, and additional processes may be included in the method 812. Additionally, while the following is described as being performed by certain components within or hosted within the system 100, each step may be performed by any suitable component or combination of components, which may be hosted by any suitable element or combination of elements within the system 100.
- In response to receiving the
attachment processor 408 triggering the asynchronous scan for malicious data (process block 810) and/or receiving an API call to scan for malicious data (e.g., scan API call), the method 812 may be initiated (process block 822). Accordingly, in some embodiments, the antivirus scanner 410 may then transmit instructions to the security client 412 to determine whether the security server 310 is available to perform the scanning service on the file. Further, the method 812 may involve determining whether the content has already been scanned for malicious data (decision block 824). Determining whether the content has already been scanned may involve the antivirus scanner 410, the security client 412, and/or the like determining whether the scan history table and rule engine 407 includes a scan record corresponding to the content. If the content has already been scanned for malicious data, advice (e.g., a response), which may correspond to the state of the content resulting from the previous scan, may be returned to, for example, the attachment processor (process block 826). If, on the other hand, the content has not been scanned for malicious data or the state (e.g., pending) of the previous scan indicates that the content will be re-scanned, a new scan record corresponding to the content may be inserted into the scan history table and rule engine 407 (process block 828). In some embodiments, a status of this scan record may be set to in progress to indicate that the scan for malicious data is pending.
- In some embodiments, if the
security server 310 is available to perform a scan for malicious data, the security server 310 may then scan the file (e.g., attachment) to identify malicious data, if present, in the file (process block 830). The security server 310 may perform this scan for malicious data within a certain duration, and after this duration elapses, the scan operation may time out, which may result in an error or a warning, as described below. After the security server 310 has attempted to scan the file, the security server 310 may determine whether the scan was successful (decision block 832). If, for example, no malicious data and/or threat was discovered during the scan, the scan record corresponding to the content in the scan history table and rule engine 407 may be updated with a status of no threat detected (process block 834). Further, advice (e.g., a response) indicating that the content is clean and/or available may be returned (process block 836). That is, for example, the results of the scan may be returned in a response, which may be relayed to the client device 102. However, if the scan of the content failed to scan, timed out after the duration elapsed, and/or provided an invalid response, advice indicating that the content scan was unsuccessful and/or that the content's state is pending and/or conditionally available may be returned (process block 838).
- On the other hand, if malicious data and/or a threat was discovered during the scan, the scan record corresponding to the content in the scan history table and
rule engine 407 may be updated with a status of infected (process block 840). An event corresponding (e.g., service level event) to the identification of infected content may also be raised (process block 842). Further, advice (e.g., a response) indicating that the content is infected and/or not available may be returned (process block 844).
- While the
method 812 is described above as being initiated by the attachment processor 408 triggering the asynchronous scan, which may result from content upload to and/or requested for download from the application, in some embodiments, the method 812 may additionally or alternatively run periodically (e.g., once every 5 minutes, hour, day, or week) in order to scan for malicious data in the content included in the attachment table 408. Further, the method 812 may be initiated in response to an input from the client device 102 that is unrelated to a request to upload and/or download an attachment. For example, an administrator in the system 100 (e.g., a user with suitable privileges) may request the method 812 to scan for malicious data in the content included in the attachment table 408. Additionally or alternatively, in response to a new definition of malicious data in the security server 310, the method 812 may be initiated to scan the content included in the attachment table 408 according to the most recent definitions of malicious data included in the security server 310. In any of these cases, the method 812 may be run on particular content or a set of content included in the attachment table 408. As such, the method 812 may be iterated over for content related to each file in the attachment table 408, and/or the method 812 may be used to simultaneously scan content related to a group of files in the attachment table 408.
- Returning now to
FIG. 8, after the method 812 has concluded, which may involve advice (e.g., a response) being returned (e.g., at process block 826, process block 836, process block 838, or process block 844), the state returned in the advice may be determined (decision block 814). In some embodiments, for example, the security client 412 may receive the response from the security server 310 and may then relay these results to the antivirus scanner 410. The antivirus scanner 410 may additionally or alternatively transmit the results to the attachment processor 402.
- In any case, if the state of the advice is available, the state of content, which may be stored in the attachment table 408, may be updated to available (process block 816). Accordingly, the content may be available to
additional client devices 102 and/or other components in the system 100. Additionally or in the alternative, the attachment processor 402 may indicate to the client device 102 that the attachment was uploaded successfully. Further, if the state of the advice is determined to be pending, the state of the content in the attachment table 408 may be updated to pending. In such cases, the attachment may be re-scanned by the security server 310 before it is made available to additional client devices 102 and/or components in the system 100. Further, if the state of the advice is determined to be not available, the state of the content in the attachment table 408 may be updated to not available (process block 820). With a state of not available, the content may be unavailable to additional client devices 102 and/or components of the system 100. In such cases, the attachment processor 402 may indicate to the client device 102 that the attachment was not uploaded successfully and/or that there was an error with the upload.
- Turning now to
FIG. 10, a method 850 provides a general depiction of the steps involved with downloading content from the application. While the method 850 is described in the context of a particular embodiment, it should be noted that the steps included in the method 850 may be performed in any suitable order. Further, certain steps may be skipped altogether, and additional processes may be included in the method 850. Additionally, while the following is described as being performed by certain components within or hosted within the system 100, each step may be performed by any suitable component or combination of components, which may be hosted by any suitable element or combination of elements within the system 100.
- In some embodiments, the
method 850 may be initiated by a request (e.g., download API request) to download an attachment (e.g., a file) from the application (process block 852). As described above, this step may involve the attachment processor 402 receiving a request from the client device 102 to download a file. Then, the attachment processor 402, for example, may determine the state of the file (e.g., content) (process block 854), which may be stored in the attachment table 408. If the state of the content is available or the content has no state (e.g., empty), the content may be downloaded (process block 856). That is, for example, because the content has been previously scanned and marked as available, the content may be downloaded to a client device 102 without re-scanning the content for malicious data. If, however, the state of the content is not available, the download request may be blocked (e.g., ignored) (process block 858). In some embodiments, for example, because the content was previously scanned and was identified as infected with malicious data, the download request may be blocked without re-scanning the content for malicious data. Further, if the state of the content is pending or available conditionally, a request may trigger an asynchronous scan for malicious data in content requested for download (process block 812).
- As described above with reference to
FIG. 9, this scan for malicious data may follow method 812 and may return advice (e.g., at process block 826, process block 836, process block 838, or process block 844). Accordingly, the method 850 may then involve determining the state returned in this advice (decision block 860). If the state of the advice is determined to be available, the state of the content in the attachment table 408 may be updated to available (process block 862). Further, the download of the content at, for example, a client device 102 may be triggered (process block 856). Accordingly, the content may be downloaded onto the client device 102 via, for example, a file stream. If, however, the state of the advice is determined to be not available, the state of the content in the attachment table 408 may be updated to not available (process block 864). Further, downloads of the content from the attachment table 408 may be blocked (process block 858). Accordingly, the client device 102 may be prevented from downloading the content.
- If, on the other hand, the state of the advice is determined to be pending, the
method 850 may involve determining whether the content may be downloaded if the security server 310 is unavailable, the scan was interrupted (e.g., timeout), the content failed to scan, the scan produced an invalid response, and/or the like (decision block 866). Whether the content may be downloaded under such conditions may be based in part on one or more attributes (e.g., file format, file size, and/or the like) of the content, one or more settings in the system 100, and/or the like.
- If, under such conditions, the content may be downloaded, the state of the content in the attachment table 408 may be updated to available conditionally (process block 868) and the downloading process of the content may be triggered (856). Accordingly, in such cases, the content may be re-scanned for malicious data upon an additional request to download the content (process block 852). However, if, under such conditions, the content may not be downloaded, the state of the content in the attachment table 408 may be updated to pending (process block 870) and downloads of the content from the attachment table 408 may be blocked (process block 858). Again, in such cases, the content may be re-scanned for malicious data upon an additional request to download the content (process block 852).
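The upload, scan, and download flows of FIGS. 8-10 can be read as a single state machine over the four attachment states. The Python model below is an added illustration, not code from the patent or from any product; the class and function names, the in-memory tables, the constructed marker standing in for a malicious data definition, and keying the scan history by file name are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for a malicious data definition


class State(Enum):
    PENDING = "pending"
    AVAILABLE = "available"
    AVAILABLE_CONDITIONALLY = "available conditionally"
    NOT_AVAILABLE = "not available"


class ScanError(Exception):
    """Scan failed, timed out, or produced an invalid response."""


def demo_scanner(data: bytes) -> bool:
    """Hypothetical security server call: True means infected."""
    return MARKER in data


@dataclass
class Attachment:
    name: str
    data: bytes
    state: Optional[State] = None  # None models content with no state (empty)


@dataclass
class ScanService:
    scanner: Optional[Callable[[bytes], bool]]   # None: scanner disabled or server unavailable
    allow_download_on_failure: bool = False      # setting consulted at decision block 866
    max_bytes: int = 25 * 1024 * 1024            # example size limit from the text
    history: dict = field(default_factory=dict)  # scan history table, keyed by file name (assumption)
    events: list = field(default_factory=list)   # raised service level events

    def scan(self, att: Attachment) -> State:
        """Method 812: return the advice for one attachment."""
        record = self.history.get(att.name)
        if record == "no threat detected":       # blocks 824/826: reuse the earlier result
            return State.AVAILABLE
        if record == "infected":
            return State.NOT_AVAILABLE
        self.history[att.name] = "in progress"   # block 828
        try:
            if self.scanner is None:
                raise ScanError("security server unavailable")
            infected = self.scanner(att.data)    # block 830
        except ScanError:
            return State.PENDING                 # block 838
        if infected:
            self.history[att.name] = "infected"         # block 840
            self.events.append(("infected", att.name))  # block 842
            return State.NOT_AVAILABLE                  # block 844
        self.history[att.name] = "no threat detected"   # block 834
        return State.AVAILABLE                          # block 836

    def upload(self, att: Attachment) -> State:
        """Method 800; the scan runs inline here, asynchronously in the text."""
        if self.scanner is None or len(att.data) >= self.max_bytes:
            att.state = State.NOT_AVAILABLE      # block 806: not eligible, no scan
            return att.state
        att.state = State.PENDING                # block 808
        att.state = self.scan(att)               # blocks 810-820
        return att.state

    def download(self, att: Attachment) -> Optional[bytes]:
        """Method 850: return the bytes, or None when the download is blocked."""
        if att.state in (None, State.AVAILABLE):         # block 856
            return att.data
        if att.state is State.NOT_AVAILABLE:             # block 858
            return None
        advice = self.scan(att)                  # state is pending or available conditionally
        if advice is State.PENDING:              # decision block 866
            if self.allow_download_on_failure:
                att.state = State.AVAILABLE_CONDITIONALLY  # block 868
                return att.data
            att.state = State.PENDING                      # block 870
            return None
        att.state = advice                       # blocks 862 / 864
        return att.data if advice is State.AVAILABLE else None
```

In this model `allow_download_on_failure` is the fail-open switch: with it set, a scanner outage or timeout delivers unscanned content as available conditionally, and the content is only re-scanned on a later download request. Content with no state is also served without any scan, which is the path pre-existing attachments take.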
- As described above, the security server 310 may scan for malicious data based on one or more definitions of malicious data. Accordingly, FIG. 11 is a block diagram of second system 900 in which the security server 310 may communicate with a definitions server 902 in order to obtain and/or update these definitions of malicious data. The second system 900 may be included within and/or in communication with the system 100. Further, the second system 900 may include application nodes 904 (e.g., 904A, 904B, and 904C) that are hosted by an application server 107 and that each run an application program. In some embodiments, for example, these application nodes 904 may host any combination of the attachment processor 402, the attachment table 408, the encoder/decoder 408, the scan history table and rule engine 407, the antivirus scanner 410, and the security client 412 described in FIGS. 4-7. Further, these application nodes 904 may communicate with the security server 310 via, for example, their security client 412.
- In some embodiments, the second system 900 may include a load balancer 906, such as an HTTPS load balancer, that may route communications, such as requests, from an application node 904 to a suitable security server 310 in a datacenter 908. For example, the load balancer 906 may receive a first request from a first application node 904A to scan first content for malicious data and may route the first request to a first security server 310A. If the load balancer 906 receives a second request from a second application node 904B to scan second content for malicious data while the first security server 310A is handling the first request, the load balancer 906 may route the second request to a second security server 310B in order to distribute the processing load between the first security server 310A and the second security server 310B. As a result, the second request may be handled more efficiently (e.g., more rapidly) than if the second request was routed to the first security server 310A to be handled after the first request.
- In some embodiments, to communicate with a security server 310, the application nodes 904 and/or the security client 412 may send a request to the load balancer 906 via a communication channel (e.g., communication channel 106). While the illustrated request may be sent over the communication channel with scripted representational state transfer (REST) application programming interfaces (APIs) (e.g., REST on https), any suitable communication protocol and/or format may be utilized.
- As illustrated, the security servers (e.g., the first security server 310A and the second security server 310B) may reside in a datacenter 908. While the illustrated datacenter 908 includes the first security server 310A and the second security server 310B, embodiments may include any suitable number of security servers 310 within a datacenter 908. Further, while a single datacenter 908 is illustrated in the second system 900, the second system 900 may include any suitable number of datacenters 908. These datacenters 908 may be distributed in geographically distinct locations. As such a first datacenter 908 may more efficiently service a first location, while a second datacenter 908 may more efficiently service a second location that is different from the first location.
- Further, in order to obtain malicious data definitions the security servers 310 may communicate with a definitions server 902, such as a vendor server and/or a different server. As the datacenter 908 and/or the security servers 310 may include a firewall, such as datacenter firewall 910, the communications sent between the security servers 310 and the definitions server 902 may adhere to a suitable security protocol. For example, the communications sent between the security servers 310 and the definitions server 902 may utilize a specific channel and/or port number and/or may be authenticated prior to their submission and/or receipt.
- In any case, with communication established between the security servers 310 and the definitions server 902, the security servers 310 may obtain definitions of malicious data that may include criteria to identify viruses, worms, malware, and/or the like. Accordingly, in some embodiments, a security server 310 may retrieve definitions of malicious data from the definitions server 902 during a scan of content for malicious data to ensure the content is scanned against the most recent definitions of malicious data. Additionally or alternatively, the security server 310 may retrieve definitions of malicious data from the definitions server 902 and may store the retrieved definitions of malicious data locally (e.g., in a database 108 associated with the security server 310). In such cases, when the security server 310 communicates with the definitions server 902, the definitions server 902 may return new and/or updated definitions of malicious data compared to the definitions stored locally. As such, an initial upload of malicious data definitions to the security server 310 may utilize a certain amount of time and memory space, while subsequent updates to the locally stored malicious data definitions may utilize significantly less time and memory space, as fewer data changes may be made. Additionally or alternatively, the security server 310 may replace all of its locally stored definitions with the definitions in the definitions server 902. Further, in some embodiments, the definitions of malicious data may be retrieved with a certain periodicity (e.g., once an hour, once every six hours, once a day, once a week, or the like) so as to reduce the frequency with which the security server 310 communicates with the definitions server 902. Such embodiments may reduce processing time and resources involved in servicing a request received from an application node 904.
- By hosting the security servers 310 at the load-balanced datacenter 908 level, the time and resources involved with performing the malicious data scan may be centralized at the malicious data scan service. As a result, the rest of the system 100 may be more available in terms of time and resources. That is, for example, instead of running a blocking, time-consuming process to scan content for malicious data at each application node 904, which may limit the performance of the application program, the security server 310 may handle the malicious data scan and may return an asynchronous response to the application node 904 at the completion of the malicious data scan. Accordingly while the security server 310 handles the malicious data scan, the application node 904 may process other tasks. Further, hosting the malicious data scan as a service in the security servers 310 may provide scalable (e.g., elastic) throughput. That is, because the second system 900 may include multiple security servers 310 across a suitable number of datacenters 908 associated with one or more load balancers 906, an increased number of requests received from application nodes 904 may be handled by redistributing requests to one or more suitable security servers 310 via the one or more load balancers 906 and/or by bringing additional security servers 310 online as needed. As such, a number of requests from application nodes 904 may be handled in the second system 900 with and/or without adding resources (e.g., hardware) to the second system 900. Additionally, as the one or more datacenters 908 in the second system 900 may be geographically distributed, the malicious data scan service may be optimized for differences in geographic locations. For example, an application request received from a first application node 904A via a client device 102 in a first location may be handled more rapidly by a security server 310 in a datacenter 908 in a first location than by a security server 310 in a datacenter 908 in a second location.
- While the security server 310 may implement malicious data scanning and/or receive the definitions of malicious data from any number of antivirus providers (e.g., third party and/or custom implementations) and/or vendors, FIG. 12 illustrates a block diagram of the security server 310 configured to implement antivirus scanning functionality, such as the clamD scanning function 1002 of CLAMAV® by CISCO SYSTEMS, INC. In some embodiments, the security server 310 may include a commons-servlet based component 1004 which may communicate with an application node 904 using, for example, REST API. Accordingly, the commons-servlet based component 1004 may receive a request from an application node 904 to scan content for malicious data after the load balancer 906 has routed the request to the security server 310. The commons-servlet based component 1004 may additionally communicate with the antivirus scanning function 1002 using, for example, a localhost transport communication protocol port. Accordingly, the commons-servlet based component 1004 may transmit content to the antivirus scanning function 1002 so that the antivirus scanning function 1002 may scan the content for malicious data.
- The antivirus scanning function 1002 may serve as a daemon function (e.g., background function) that may be stored in memory 206 of the security server 310. Accordingly, the antivirus scanning function 1002 may scan data (e.g., content and/or files) automatically. As such, the antivirus scanning function 1002 may scan content upon receiving it from the commons-servlet based component 1004. Further, to accommodate the antivirus scanning function 1002 the security server 310 may locally store (e.g., in memory 206) the malicious data definitions that the antivirus scanning function 1002 may utilize to perform scans of the content. Thus, to update the malicious data definitions, the security server 310 may regularly (e.g., periodically) run a freshclam function (not shown) or its equivalent in order to communicate with a CLAMAV® server (e.g., a definitions server 902) that may contain malicious data definitions and to retrieve updated and/or new malicious data definitions.
- The specific embodiments described above have been shown by way of example, and it should be understood that these embodiments may be susceptible to various modifications and alternative forms. It should be further understood that the claims are not intended to be limited to the particular forms disclosed, but rather to cover all modifications, equivalents, and alternatives falling within the spirit and scope of this disclosure.
- The techniques presented and claimed herein are referenced and applied to material objects and concrete examples of a practical nature that demonstrably improve the present technical field and, as such, are not abstract, intangible or purely theoretical. Further, if any claims appended to the end of this specification contain one or more elements designated as “means for [perform]ing [a function] . . . ” or “step for [perform]ing [a function] . . . ”, it is intended that such elements are to be interpreted under 35 U.S.C. 112(f). However, for any claims containing elements designated in any other manner, it is intended that such elements are not to be interpreted under 35 U.S.C. 112(f).
Claims (20)
1. A distributed computing system, comprising:
one or more memory structures storing instructions; and
one or more processors, that when executing the instructions,
implement a cloud platform comprising or in communication with one or more security servers, wherein the cloud platform is configured to;
receive an upload of content from a client computing device to the cloud platform;
set a table field controlling availability of the content to a first state that prevents distribution of the content to a plurality of additional client computing devices remote from the cloud platform;
transmit a request to a load balancer to cause one or more security servers of a plurality of security servers to analyze the content to identify malicious data in the content, wherein the load balancer directs the request to a respective security server of the plurality of security servers based on one or more load balancing criteria;
receive a result of analyzing the content from the respective security server; and
in response to the result, updating the table field to a second state that makes available the content to the plurality of additional client computing devices remote from the cloud platform.
2. The distributed computing system of claim 1, wherein the cloud platform comprises an application server configured to communicate with the one or more security servers.
3. The distributed computing system of claim 1, wherein the one or more load balancing criteria comprises a count of additional client computing devices in use.
4. The distributed computing system of claim 3, wherein the load balance is configured to direct the content to a recently activated security server of the one or more security servers based at least in part on the count.
5. The distributed computing system of claim 1, wherein the first state comprises a pending state where the content is unavailable until the content is analyzed.
6. The distributed computing system of claim 1, wherein the cloud platform is configured to transmit a message concerning the result of analyzing the content to the additional client computing devices.
7. The distributed computing system of claim 6, wherein the cloud platform is configured to transmit the message in real-time to the additional client computing devices.
8. The distributed computing system of claim 1, wherein the table field comprises a scan history, wherein the scan history comprises a set of entries indicating statuses of attachments uploaded to the cloud platform.
9. The distributed computing system of claim 8, wherein the scan history is stored in a database separate from a database used to store the table field.
10. A method to prevent intrusion from malicious data attached to a digital file, comprising:
receiving, from a remote client computing device, a request to upload the digital file to a cloud platform;
determining availability of a service configured to detect the presence of malicious data in the digital file;
in response to determining that the service is available;
setting a table field controlling availability of the digital file to a first state that prohibits distribution of the digital file to additional client computing devices through the cloud platform; and
transmitting an additional request to a load balancer, wherein the load balancer directs the additional request to a security server based on one or more load balancing criteria, wherein the additional request comprises instructions configured to cause the respective security server to run the service on the digital file; and
receiving, at the cloud platform, a response from the security server, wherein the response is at least partially based on a result of running the service, wherein receiving the response causes the cloud platform to update the table field to a second state that specifies availability of the digital file to the additional remote client computing devices.
11. The method of claim 10, wherein directing the additional request to the security server comprises bringing the security server online based at least in part on the one or more load balancing criteria.
12. The method of claim 10, wherein the one or more load balancing criteria comprises a count of pieces of content being scanned.
13. The method of claim 10, wherein the one or more load balancing criteria comprises a count of additional client computing devices in use.
14. The method of claim 10, wherein, in response to the request, the cloud platform is configured to perform a check determining the availability of the digital file.
15. The method of claim 10, wherein the cloud platform is configured to perform a quarantine on the digital file based at least in part on the response indicating that the digital file comprises a security vulnerability.
16. Tangible, non-transitory, and computer-readable medium having instructions stored thereon, wherein the instructions, when executed by one or more processors, are configured to cause the one or more processors to:
receive an upload of content from a client computing device to a cloud platform implemented using the one or more processors;
set a table field to a pending state to control availability of the content to prevent distribution of the content to a plurality of additional client computing devices communicatively coupled to the cloud platform;
transmit a request to a load balancer, wherein the request is to have the content analyzed by one or more security servers of a plurality of security servers to identify malicious content, and the load balancer is configured to transmit the request to the one or more security servers of the plurality of security servers based on one or more load balancing criteria;
receive a response from the one or more security servers; and
based on the response, update the table field to an available state that makes the content available to the plurality of additional client computing devices via the cloud platform.
17. The tangible, non-transitory, and computer-readable medium of claim 16, wherein the instructions are configured to cause the one or more processors to implement an application server to implement an application node and to transmit the request to the load balancer.
18. The tangible, non-transitory, and computer-readable medium of claim 16, wherein the one or more load balancing criteria comprises a count of application nodes in use in the cloud platform.
19. The tangible, non-transitory, and computer-readable medium of claim 16, wherein the one or more load balancing criteria comprises a count of the additional client computing devices in use that are communicatively coupled to the cloud platform.
20. The tangible, non-transitory, and computer-readable medium of claim 16, wherein the request comprises a check to determine the availability of the one or more security servers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/083,910 US20210044601A1 (en) | 2018-05-02 | 2020-10-29 | Malicious data scan service |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/969,580 US10826917B2 (en) | 2018-05-02 | 2018-05-02 | Malicious data scan service |
US17/083,910 US20210044601A1 (en) | 2018-05-02 | 2020-10-29 | Malicious data scan service |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/969,580 Continuation US10826917B2 (en) | 2018-05-02 | 2018-05-02 | Malicious data scan service |
Publications (1)
Publication Number | Publication Date |
---|---|
US20210044601A1 (en) | 2021-02-11 |
Family ID: 68385621
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/969,580 Active 2039-01-03 US10826917B2 (en) | 2018-05-02 | 2018-05-02 | Malicious data scan service |
US17/083,910 Abandoned US20210044601A1 (en) | 2018-05-02 | 2020-10-29 | Malicious data scan service |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/969,580 Active 2039-01-03 US10826917B2 (en) | 2018-05-02 | 2018-05-02 | Malicious data scan service |
Country Status (1)
Country | Link |
---|---|
US (2) | US10826917B2 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110545541B (en) * | 2019-09-20 | 2023-06-23 | 百度在线网络技术(北京)有限公司 | Method, device, equipment, terminal and medium for defending attack behaviors |
KR102090911B1 (en) * | 2019-12-16 | 2020-03-19 | 주식회사 케이비시스 | System for providing cloud service based on container |
US11971989B2 (en) * | 2021-02-02 | 2024-04-30 | Predatar Ltd | Computer recovery system |
US11971979B2 (en) * | 2021-11-30 | 2024-04-30 | Bmc Software, Inc. | Integrity violation detection for system services |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090287653A1 (en) * | 2008-05-13 | 2009-11-19 | Bennett James D | Internet search engine preventing virus exchange |
Family Cites Families (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6321229B1 (en) | 1999-02-26 | 2001-11-20 | Hewlett-Packard Company | Method and apparatus for using an information model to organize an information repository into a hierarchy of information |
US6816898B1 (en) | 2000-08-16 | 2004-11-09 | Proactivenet, Inc. | Interfacing external metrics into a performance management system |
US7159036B2 (en) * | 2001-12-10 | 2007-01-02 | Mcafee, Inc. | Updating data from a source computer to groups of destination computers |
US7020706B2 (en) | 2002-06-17 | 2006-03-28 | Bmc Software, Inc. | Method and system for automatically updating multiple servers |
US7194728B1 (en) | 2002-11-18 | 2007-03-20 | Bmc Software, Inc. | System and method for packaging updates |
US7925981B2 (en) | 2003-05-14 | 2011-04-12 | Hewlett-Packard Development Company, L.P. | Systems and methods for managing web services via a framework of interfaces |
US7133884B1 (en) | 2003-11-26 | 2006-11-07 | Bmc Software, Inc. | Unobtrusive point-in-time consistent copies |
EP1834294A2 (en) | 2004-12-21 | 2007-09-19 | BMC Software, Inc. | System and method for business service management and building business service model |
US7716353B2 (en) | 2005-12-21 | 2010-05-11 | Bmc Software, Inc. | Web services availability cache |
US8555287B2 (en) | 2006-08-31 | 2013-10-08 | Bmc Software, Inc. | Automated capacity provisioning method using historical performance data |
US8756683B2 (en) | 2006-12-13 | 2014-06-17 | Microsoft Corporation | Distributed malicious software protection in file sharing environments |
US9654833B2 (en) | 2007-06-26 | 2017-05-16 | Broadband Itv, Inc. | Dynamic adjustment of electronic program guide displays based on viewer preferences for minimizing navigation in VOD program selection |
US9350755B1 (en) | 2009-03-20 | 2016-05-24 | Symantec Corporation | Method and apparatus for detecting malicious software transmission through a web portal |
US8646093B2 (en) | 2009-03-31 | 2014-02-04 | Bmc Software, Inc. | Method and system for configuration management database software license compliance |
US9805322B2 (en) | 2010-06-24 | 2017-10-31 | Bmc Software, Inc. | Application blueprint and deployment model for dynamic business service management (BSM) |
US9122536B2 (en) | 2009-12-30 | 2015-09-01 | Bmc Software, Inc. | Automating application provisioning for heterogeneous datacenter environments |
US8832652B2 (en) | 2010-03-26 | 2014-09-09 | Bmc Software, Inc. | Method for customizing software applications |
US8402127B2 (en) | 2010-06-28 | 2013-03-19 | Bmc Software, Inc. | System and method for offering virtual private clouds within a public cloud environment |
US9122552B2 (en) | 2012-06-29 | 2015-09-01 | Bmc Software, Inc. | Hybrid cloud infrastructures |
US9819729B2 (en) | 2012-12-21 | 2017-11-14 | Bmc Software, Inc. | Application monitoring for cloud-based architectures |
US9645833B2 (en) | 2012-12-31 | 2017-05-09 | Bmc Software, Inc. | Additive independent object modification |
US9317327B2 (en) | 2013-02-28 | 2016-04-19 | Bmc Software, Inc. | Computing infrastructure planning |
US9098322B2 (en) | 2013-03-15 | 2015-08-04 | Bmc Software, Inc. | Managing a server template |
US9378370B2 (en) * | 2013-06-17 | 2016-06-28 | Microsoft Technology Licensing, Llc | Scanning files for inappropriate content during synchronization |
WO2015047432A1 (en) | 2013-09-27 | 2015-04-02 | Mcafee, Inc. | Digital protection that travels with data |
US20150172304A1 (en) * | 2013-12-16 | 2015-06-18 | Malwarebytes Corporation | Secure backup with anti-malware scan |
US20150188949A1 (en) * | 2013-12-31 | 2015-07-02 | Lookout, Inc. | Cloud-based network security |
US9535737B2 (en) | 2015-01-30 | 2017-01-03 | Bladelogic, Inc. | Dynamic virtual port provisioning |
US10091214B2 (en) * | 2015-05-11 | 2018-10-02 | Finjan Mobile, Inc. | Malware warning |
US11265347B2 (en) * | 2017-09-18 | 2022-03-01 | Fortinet, Inc. | Automated testing of network security policies against a desired set of security controls |
Also Published As
Publication number | Publication date |
---|---|
US20190342305A1 (en) | 2019-11-07 |
US10826917B2 (en) | 2020-11-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STPP | Information on status: patent application and granting procedure in general | Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |