Register or Login To Download This Patent As A PDF
|United States Patent Application
;   et al.
April 11, 2002
Software virus protection
A method of protecting a wireless device against viruses, comprising
maintaining a database of virus signatures on the device, updating the
database by downloading virus signatures in a Short Message Service (SMS)
Message, and searching for virus signatures in the memory of or files
stored on the wireless device by comparison with the database.
Lahti, Pasi; (Helsinki, FI)
; Bergroth, Ismo; (Helsinki, FI)
; Huopio, Simo; (Helsinki, FI)
ARENT FOX KINTNER PLOTKIN & KAHN
1050 CONNECTICUT AVENUE, N.W.
August 28, 2001|
|Current U.S. Class:
|Class at Publication:
Foreign Application Data
|Aug 31, 2000||GB||0021281.1|
1. A method of updating a virus signature database used by anti-virus
software operating on a mobile wireless platform, comprising sending
update data via a signalling channel of a mobile telecommunications
network to the mobile wireless platform.
2. A method according to claim 1, wherein the update data sent to the
mobile wireless platform is a virus signature database update.
3. A method as claimed in claim 1 or 2, wherein the network is GSM or
enhanced GSM network.
4. A method as claimed in claim 3, wherein the update data is carried by
one or more Short Message Service (SMS) messages.
5. A method as claimed in claim 1, 2 or 3, wherein the update data is
carried by one or more Unstructured Supplementary Services Data (USSD)
6. A method as claimed in any preceding claim, wherein the message
carrying the update data is cryptographically signed.
7. A method as claimed in any preceding claim, wherein the mobile platform
comprises a mobile telephone, communicator, PDA, palmtop or laptop
8. A method as claimed in any preceding claim, and comprising sending the
update data in response to a request from the mobile platform.
9. A method as claimed in claim 8, wherein said request identifies the
current status of a virus signature database.
10. A method of protecting a wireless device against viruses, comprising:
maintaining a database of virus signatures on the device; updating the
database by receiving data containing virus signatures in one or more
Short Message Service (SMS) or Unstructured Supplementary Services Data
(USSD) messages; and searching for virus signatures contained in the
 The present invention relates to software virus protection, and in
particular to virus protection for wireless devices.
 Viruses are a serious problem to users of computers. In order to
combat the problem, there are a variety of anti-virus software products
available which are able to identify viruses resident in the files or
memory of a computer. Modem anti-virus software, such as for example
F-Secure Anti-Virus for Windows NT, uses a virus signature comparison in
order to identify viruses. Each virus contains code which can be analysed
and recorded on a database. The database need not record all of the code
contained in a virus if a unique "digital fingerprint" or signature can
be recorded instead. This may be for example the overall pattern of the
code, or two or three particular lines. When a signature comparison is
made, the anti-virus program searches for viruses by scanning a file for
the presence of a virus signature such as are present in the database.
 Clearly, if effective protection is to be maintained, the database
used by the anti-virus software must contain signatures for all known
viruses. Unfortunately, new viruses are detected all the time, currently
at the rate of one per day. Once a newly detected virus has been analysed
by the anti-virus software provider and a signature created, the database
must be updated on all of the computers which are using the anti-virus
software. There have been various methods up until now for carrying out
 The earliest method used by virus software providers was to send a
diskette through the mail to registered users of the anti-virus software,
this diskette containing the required updates to the database. Another
method has been to make the virus updates available on-line, so that they
can be obtained by connecting to a remote server maintained by the
anti-virus software provider. Updates have also been provided in the form
of attachments to e-mail.
 Increasingly, mobile phones
are being used to connect to the
Internet. Mobile Internet access is being facilitated by new networks
(incorporating HSCSD and GPRS) as well as other protocols such as WAP. As
mobile "platforms" with wireless
modems and internet connections become
more powerful, Internet connections will be as easy to obtain as for a
desktop PC. This increase in the usage and capacity of mobile platforms
renders them susceptible to attack by viruses. The methods outlined above
for updating anti-virus software can also be used for mobile platforms.
However, in general they will not be permanently connected to the
Internet, and indeed may only connect to the Internet occasionally. This
can lead to the signature database used by anti-virus software becoming
out of date, rendering protection incomplete. Out of date protection can
be worse than no protection at all, as it can engender a false sense of
security in a user.
 It is, therefore, an object of the present invention to provide a
means for updating anti-virus signature databases on mobile platforms.
 According to a first aspect, the present invention provides a
method of updating a virus signature database used by anti-virus software
operating on a mobile wireless platform, the method comprising sending
update data via a signalling channel of a mobile telecommunications
network to the mobile wireless platform.
 The update data sent to the mobile wireless platform may be a virus
signature database update, or may be a software update such as a software
 Preferably, the network is a GSM based network or an evolved GSM
network such as GSM phase 2 (including GPRS) or UMTS (3GPP).
 Preferably, the update data is obtained in one or more Short
Message Service (SMS) messages. The SMS protocol, as set out for example
in the ETSI GSM 03.40 specification, is a protocol which is well known
and widely used for data transfer between mobile devices. For example,
programs executing on top of the EPOC operating system have access to SMS
 Alternatively, the update data may be carried by one or more
Unstructured Supplementary Services Data (USSD) messages.
 In order to prevent the update information from attack, the payload
of the message carrying the update data is preferably cryptographically
 The mobile platform may be a mobile telephone, communicator, PDA,
palmtop or laptop computer, or any other suitable platform.
 The mobile platform may send a report to a management centre
following the successful receipt and installation of the update data.
More preferably, this is returned to a management centre using an SMS
 In a preferred embodiment, the present invention provides a method
of protecting a wireless device against viruses, comprising maintaining a
database of virus signatures on the device, updating the database by
receiving data containing virus signatures in one or more Short Message
Service (SMS) or Unstructured Supplementary Services Data (USSD)
messages, and searching for viruses contained in the database.
 Some preferred embodiments of the invention will now be described
by way of example only and with reference to the accompanying drawings,
 FIG. 1 is a schematic diagram showing a system according to a
preferred embodiment of the invention; and
 FIG. 2 is a flow diagram of a method of protecting a mobile device
from attack by viruses according to a preferred embodiment of the present
 FIG. 1 illustrates a UMTS Mobile Network comprising a UMTS
Terrestrial Radio Access Network (UTRAN) consisting of Base Stations (BS)
1 and Radio Network Controllers (RNCs) 2, and a core network consisting
of MSCs (and SGSNs) 3 and a transmission network 4 (RNCs of the UTRAN may
be supplemented with BSCs to facilitate interworking with the GSM
standard). Also present in the core network are a Short Message Service
(SMS) centre 5 and a GPRS Gateway Support Node (GGSN) 6. For the sake of
simplicity, FIG. 1 shows only a single RNC 2 and MSC (SGSN) 3. It will be
appreciated that further nodes will be present in a UMTS network in
practice. A mobile wireless device 7 can connect to other
telecommunication devices (e.g. mobile tele
phones, fixed line tele
etc) via the UTRAN and the core network (of course other networks
including "foreign" mobile networks and PSTN networks may be involved in
such connections). Using the GGSN 6, the device 7 is able to connect to
the Internet 8. A user of the mobile wireless device 1 may thus contact
for example a remote web server 9 by entering the URL of the web server
into his device's Internet browser. The mobile device 1 may also
communicate with a bluetooth device 10 and a Local Area Network (LAN) 11.
By way of example, the mobile device 1 may use the EPOC.TM. operating
 In view of the risk that viruses could be downloaded from another
mobile device, from the remote server 9 via the Internet 8, from the
bluetooth device 10, or from another node of the LAN 11, the device 1 is
provided with an anti-virus software application which may check any
files downloaded from an external source, together with files already
resident on the device's system. As explained above, this software
searches files for virus "signatures" so that, in order to be fully
effective, it requires its database of virus signatures to be updated
 There are various known methods for obtaining updates to a database
of virus signatures. One method is to periodically receive media (e.g.
floppy disks, compact discs) with the updates recorded thereon. However,
this is a cumbersome and expensive method and will result in fewer
updates being made, with the database never being fully up to date. A
better method is for the user of the mobile device to contact a remote
web server operated by the provider of the anti-virus software. The
necessary data to update the anti-virus database can then be downloaded
from that server. As explained above however, very few mobile devices are
permanently connected to the Internet, and in may cases users will only
connect to the Internet infrequently. This method also relies on the user
remembering to connect to the remote anti-virus server periodically in
order to obtain the update data. Thus there will again be periods of time
during which the database is not fully up to date.
 In order to overcome these problems use may be made of the SMS
centre 5 within the UMTS core network. SMS is a service provided by
current GSM networks for sending short messages over a signalling
channel, and is expected to be provided also by UMTS networks.
 The SMS centre 5 is located in the core network part of the UMTS
network and is coupled to the Internet 8 via an anti-virus server 12
which is operated and controlled by the UMTS network operator. The
anti-virus server 12 receives regular updates (e.g. every morning) from
an update server 13 maintained by the anti-virus software provider. The
SMS server 12 maintains a record of all subscribers to the anti-virus
service in a database 13, and initiates virus signature database updates
by sending a Short Message Service (SMS) request for each of the
registered subscribers (including the user of the mobile device 1) to the
SMS centre 5. Upon receipt of a request, the SMS centre 5 generates a
corresponding SMS message and send this to the destination mobile device
via the Mobile Switching Centre 3 of the core network and the UTRAN. The
SMS message contains virus signature data enabling the mobile device 1 to
update the anti-virus database to include signatures for those viruses
discovered since the last update was made.
 As SMS messages can carry only relatively small quantities of
information, it may be necessary for the SMS centre 5 to send a
"concatenated message", (i.e. several SMS messages) to convey all the
necessary information to perform a database update. For the same reason
it is desirable to be able to reduce the volume of information sent as
part of a virus signature database upgrade. Thus, whilst SMS updates may
be sent automatically to all subscribers from the network, it is
preferable to send an SMS message to the server 12 from a device 1 (via
the SMS centre 5), containing details of which virus signatures are
currently stored in the device's signature database. On receipt of such
an SMS request, the anti-virus server 12 needs only to issue an SMS
request to the SMS centre 5 containing virus signatures not currently on
the signature database of the mobile device 1.
 As noted in the preceding paragraph, SMS updates may be sent
automatically from the network to subscribers, or may be triggered by
requests from subscribers. FIG. 2 is a flow diagram illustrating the
sequence of steps involved in a subscriber initiated updating process.
The mobile device executes the anti-virus software 21. This is usually
done when the device is switched on. The anti-virus software, which uses
a database of virus signatures, checks to determine when the database was
last updated 22. If the last update took place more than a pre-defined
period ago, e.g. one week, the software causes the device to send an SMS
message 23 to the server anti-virus 12 via the SMS centre 5. This message
contains data regarding the current status of the database.
 In reply to this SMS message, the anti-virus server 12 returns an
SMS request 24 (or several SMS messages forming a "concatenated message")
to the SMS centre 5, the request containing signatures for viruses
discovered and analysed since the previous update. The SMS centre 5
generates a corresponding SMS message 25 and sends this to the mobile
device 1, which receives the message 26 and causes the new signature(s)
to be incorporated into the anti-virus signature database for future use
 When next requested, or otherwise triggered (e.g. by a scanning
scheduler), the anti-virus software scans the files and memory of the
mobile device in order to determine the presence of any of the virus
signatures in its database 28. If an infected file is discovered 29, the
user is warned 30 and given an opportunity to delete or clean that file.
Otherwise, once all files have been scanned, the software informs the
user that his system is "clean" 31.
 It will be appreciated that there are other embodiments which fall
within the scope of the invention. For example, the method of the present
invention may be used to update the anti-virus software itself, e.g. by
sending software patches.
* * * * *