Content filtering of remote file-system access protocols

US 10,148,687 B2
Filed: 09/29/2017
Issued: 12/04/2018
Est. Priority Date: 05/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprisingtransparently proxying, by a gateway device, (i) a first plurality of Apple Filing Protocol (AFP) requests originated by a first process running on a client and relating to a file associated with a share of a server and (ii) a second plurality of AFP protocol requests originated by a second process running on the client and relating to the file;

anddetermining, by the gateway device, the existence or non-existence of malicious, dangerous or unauthorized content contained within the file byidentifying data being read from or written to the file as a result of the first plurality of AFP requests and the second plurality of AFP requests;

buffering the identified data into a single shared file buffer within a memory of the gateway device; and

when one or more of a plurality of scanning conditions are satisfied, then performing content filtering on the shared file buffer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a proxy, implemented within a network gateway device of a private network, monitors remote file-system access protocol sessions involving client computer systems and a server computer system associated with the private network. For each file on a share of the server computer system being accessed by one or more of the client computer systems: (i) a shared holding buffer corresponding to the file is created within a shared memory of the network gateway device; (ii) data being read from or written to the file by the monitored remote file-system access protocol sessions is buffered into the shared holding buffer; and (iii) responsive to a predetermined event, content filtering is performed on the shared holding buffer to determine whether malicious, dangerous or unauthorized content is contained within the shared holding buffer.

47 Citations

20 Claims

1. A method comprisingtransparently proxying, by a gateway device, (i) a first plurality of Apple Filing Protocol (AFP) requests originated by a first process running on a client and relating to a file associated with a share of a server and (ii) a second plurality of AFP protocol requests originated by a second process running on the client and relating to the file;
- anddetermining, by the gateway device, the existence or non-existence of malicious, dangerous or unauthorized content contained within the file byidentifying data being read from or written to the file as a result of the first plurality of AFP requests and the second plurality of AFP requests;
  
  buffering the identified data into a single shared file buffer within a memory of the gateway device; and
  
  when one or more of a plurality of scanning conditions are satisfied, then performing content filtering on the shared file buffer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising tracking, by the gateway device, references to the single shared file buffer by maintaining a reference table containing file identifiers.
  - 3. The method of claim 1, further comprising tracking, by the gateway device, usage and modification of the single shared file buffer with a usage table.
  - 4. The method of claim 3, wherein the usage table contains information indicative of free and filled sections of the single shared file buffer.
  - 5. The method of claim 1, wherein a first scanning condition of the plurality of scanning conditions comprises the single shared file buffer having reached a predetermined level of fullness.
  - 6. The method of claim 1, wherein a second scanning condition of the plurality of scanning conditions comprises observation, by the gateway, of one or more behaviors commonly exhibited by file-infecting viruses.
  - 7. The method of claim 6, wherein the one or more behaviors include an attempt to append data to the file.

8. A network gateway device comprising:
- a content processor implementing one or more filters configured to detect the presence of malicious code in data being scanned;
  
  a transparent Apple Filing Protocol (AFP) proxy, coupled to the content processor, configured to be logically interposed between a client and a server and to cause content filtering to be performed by the content processor on data transferred between the client and server as a result of one or more of a plurality of scanning conditions being triggered by (i) a first plurality of AFP requests originated by a first process running on the client and relating to a file associated with a share of the server and (ii) a second plurality of AFP requests originated by a second process running on the client and relating to the file; and
  
  a memory containing therein a single shared file buffer into which data identified as being read from or written to the file as a result of the first plurality of AFP requests and the second plurality of AFP requests is buffered.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The network gateway device of claim 8, further comprising a usage table to facilitate tracking of usage and modification of the single shared file buffer.
  - 10. The network gateway device of claim 9, wherein the usage table includes entries indicative of free and filled sections of the single shared file buffer.
  - 11. The network gateway device of claim 8, wherein a first scanning condition of the plurality of scanning conditions comprises the single shared file buffer having reached a predetermined level of fullness.
  - 12. The network gateway device of claim 8, wherein a second scanning condition of the plurality of scanning conditions comprises observation of one or more behaviors commonly exhibited by file-infecting viruses.
  - 13. The method of claim 12, wherein the one or more behaviors include an attempt to append data to the file.

14. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network gateway device logically interposed between a client and a server, cause the one or more processors to perform a method of content filtering comprising:
- transparently proxying (i) a first plurality of Apple Filing Protocol (AFP) requests originated by a first process running on the client and relating to a file associated with a share of the server and (ii) a second plurality of AFP requests originated by a second process running on the client and relating to the file; and
  
  determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file byidentifying data being read from or written to the file as a result of the first plurality of AFP requests and the second plurality of AFP requests;
  
  buffering the identified data into a single shared file buffer within a memory of the gateway device; and
  
  when one or more of a plurality of scanning conditions are satisfied, then performing content filtering on the single shared file buffer.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-readable storage medium of claim 14, wherein the method further comprises tracking references to the single shared file buffer by maintaining a reference table containing file identifiers.
  - 16. The computer-readable storage medium of claim 14, wherein the method further comprises tracking usage and modification of the single shared file buffer with a usage table.
  - 17. The computer-readable storage medium of claim 16, wherein the usage table contains information indicative of free and filled sections of the single shared file buffer.
  - 18. The computer-readable storage medium of claim 15, wherein a first scanning condition of the plurality of scanning conditions comprises the single shared file buffer having reached a predetermined level of fullness.
  - 19. The computer-readable storage medium of claim 14, wherein a second scanning condition of the plurality of scanning conditions comprises observation, by the gateway, of one or more behaviors commonly exhibited by file-infecting viruses.
  - 20. The computer-readable storage medium of claim 19, wherein the one or more behaviors include an attempt to append data to the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William Jeffrey
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US15/720,435
Publication Number

US 20180034829A1
Time in Patent Office

431 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 16/00   Information retrieval; Data...

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

H04L 49/90   Buffering arrangements

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/145   the attack involving the pr...

H04L 65/102   Gateways arrangements for c...

H04L 67/06   specially adapted for file ...

H04L 67/289   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

H04L 9/40   Network security protocols

Content filtering of remote file-system access protocols

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Content filtering of remote file-system access protocols

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others