A series of patent lawsuits is challenging the history of malware detection

Cybersecurity firm Webroot claims that competitors’ software infringes on a decades-old patent

Illustration by Beatrice Sala

In early March, cybersecurity firm Webroot and its parent company OpenText launched a series of patent lawsuits containing some eye-opening claims. Filed March 4th in the famously patentholder-friendly Western District of Texas court, the four lawsuits claim that techniques fundamental to modern malware detection are based on patented technology — and that the company’s competitors are infringing on intellectual property rights with their implementation of network security software.

The defendants named in the suits are a who’s who of security companies: CrowdStrike, Kaspersky, Sophos, and Trend Micro are all named. According to OpenText, the companies are using patented technology in their anti-malware applications, specifically in the endpoint security systems that protect specific devices on a network. It’s a sweeping lawsuit that puts much of the security industry in immediate danger. And, for critics, it’s a bitter reminder of how much damage a patent troll can still do.

So far, endpoint security companies have shown fierce opposition to the very idea of the case. A Kaspersky spokesperson said that the company is “reviewing the issue” but did not offer any further comment on the case. 

Sara Eberle, vice president of global public relations at Sophos, was more forthcoming, telling The Verge that the company would fight the lawsuit: “Sophos prefers to compete in the marketplace rather than in the courtroom, but we will vigorously defend ourselves in this litigation,” Eberle said. “We invite Webroot and OpenText to join the ranks of serious cybersecurity companies that are trying to solve problems rather than create them.”

Responses from Trend Micro COO Kevin Simzer and CrowdStrike’s senior director of corporate communications Kevin Benacci went further: both accused OpenText of “patent trolling” in statements sent to The Verge.

Made notorious by companies like Intellectual Ventures, “patent trolling” refers to the practice of buying up patents for use in litigation rather than research and development. The end result is a drag on anyone building technology — but it can be quite lucrative for companies who can play the game well.

But OpenText insists the lawsuits are about protecting intellectual property. In response to the defendants’ comments, OpenText’s chief communications officer Jennifer Bell said that the lawsuits were being brought to defend the company against unfair and unlawful actions from its competitors. “OpenText brings these lawsuits to protect its intellectual property investments and to hold these parties accountable for their infringement and unlawful competition,” Bell said. “These lawsuits allege that defendants infringe and unlawfully compete against aspects of the OpenText family of companies’ endpoint security products and platforms. OpenText intends to vigorously enforce its intellectual property rights.”

Charles Duan, a postdoctoral fellow at Cornell University and specialist in intellectual property law, described possible outcomes that could range from financial redress to an effective ban on the infringing software should the plaintiff win the case.

“The court can issue a number of remedies here,” Duan said. “One of them is an injunction: they could say that all these other companies who are using the patented technology have to stop doing so. They can also issue money damages, basically saying that these companies have to compensate the company for using their patented technology.”

But simple economics suggest that the most likely outcome is a settlement: a fact that points to the incentives for bringing even flimsy patent suits and highlights the material basis for patent trolling.

“As a practical matter, a lot of these cases never actually get to that point [of judgment] just because the cost of litigation makes it not worth going through a whole trial, even if the patent is very questionable or it seems likely that the companies don’t infringe,” Duan said.

Though the lawsuit is being brought in 2022, a judgment would hinge in part on whether the techniques described in the patent were widely known at the time that the patent application was filed. One of the patents at the heart of the suit — US Patent No. 8,418,250, referred to as “the ‘250 patent” in the lawsuit — was granted in the United States in 2013 but first issued by the British patent office in 2005. Another, US Patent No. 8,726,389 or the ‘389 patent, was also issued in the UK in 2005 and granted in the US in 2014. 

Even taking into account the age of the patents, some experts are clear that the techniques described in them are overly broad. Joe Mullin, senior policy analyst at Electronic Frontier Foundation (EFF), told The Verge that some of the features in the patent were potentially too abstract to be patentable:

“The ‘389 patent claims very basic behavior that could be performed with a pen and paper,” Mullin said. “It simply describes ‘receiving data’ then ‘correlating’ and ‘classifying’ the data, ‘comparing’ the data to other computer objects, and then classifying something as malware (or not) based on that comparison.”

“A core principle of patent law is that you can’t get a monopoly on an ‘abstract idea,’ because that would take away too much from the public and not represent a real invention by the patent holder. This patent should be found invalid because it concerns ‘abstract ideas,’” Mullin said.

But where critics see a broad patent, OpenText paints the case as an argument about the evolution of network security itself. In its complaint filed against Trend Micro, OpenText argues that where malware detection used to rely on a categorization of what a program is, the patented technology is based on analysis of what a program does. Instead of matching file data to a library of known viruses, modern endpoint security looks at actions performed within a computer system. As a result, this kind of malware detection can flag and contain previously unseen examples of malicious software. It’s a real shift in the way companies approach endpoint security. And, according to OpenText, the shift traces back to the patents listed in the case.

Opponents to these claims — including not only the defendants but also cybersecurity researchers who have criticized the lawsuits online — take issue with the broadness of the argument, alleging that the patented technology reflects general developments in the evolution of malware detection over time. (As a strategy, patent trolling relies on this kind of generality: according to EFF, an overworked US Patent and Trademark Office has issued “a flood of bad patents on so-called inventions that are unoriginal, vague, overbroad, and/or so unclear that bad actors can easily use them to threaten all kinds of innovators.”)

What’s more, opposition to the lawsuits may be based on the fact that OpenText was not involved in the research that created the patent: instead, through acquisition of Carbonite, which had previously acquired Webroot, OpenText came to own a number of patents that were assigned to the smaller cybersecurity firm. Having bought the company that controlled the original patents, OpenText now has valuable IP and a chance to extract value from it — regardless of skepticism over whether the techniques described in the patents can really be traced back to innovations developed by one group of researchers.

There are still some protections for defendants. Where patents are overly vague, the fight against them can happen in venues other than the courtroom — with one other option being an appeal to the patent office, Charles Duan explained. “There are proceedings that were created about 10 years ago, they go by the name of inter partes review or post-grant review, and these give companies the chance to argue to the patent office that when the office granted the patents they made a mistake,” Duan said. “That is probably an avenue that some of these security companies will be interested in pursuing.”

In a post-grant review process, companies attempt to convince the patent office that the techniques described in the patent should actually be considered unpatentable. If that argument is successful — and the patent office returns a decision before the trial date — then the basis for the lawsuit falls apart. But, since any delay could prove extremely costly, some companies can’t take the risk of waiting for that decision. 

In the meantime, critics of the current patent system will see the OpenText lawsuits as exemplary of an intellectual property framework that stifles innovation rather than promoting it. 

“What may be going on here is that [OpenText] is not really trying to stop these companies, and more that they’re signaling they will put up a fight before settling at some point,” said Duan.
