Antivirus scanning in a hard-linked environment

US 20040083381A1
Filed: 10/24/2002
Published: 04/29/2004
Est. Priority Date: 10/24/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious computer code in a file associated with a computer, said method comprising the steps of:

determining whether there is more than one hard link to the file; and

when there is more than one hard link;

ascertaining the identities of all the hard links; and

performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methods, apparati, and computer-readable media for detecting malicious computer code in a file (2) associated with a computer (10). A method of the present invention comprises the steps of determining whether there is more than one hard link (1) to the file (2); and when there is more than one hard link (1), ascertaining the identities of all the hard links (1), and performing an antivirus scan on the file (2) based upon the hard link(s) (1) having the most restrictive scanning criteria of all the hard links (1), or upon the union of scanning criteria amongst all the hard links (1).

103 Citations

View as Search Results

40 Claims

1. A computer-implemented method for detecting malicious computer code in a file associated with a computer, said method comprising the steps of:
- determining whether there is more than one hard link to the file; and
  
  when there is more than one hard link;
  
  ascertaining the identities of all the hard links; and
  
  performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 39, 40)
- - 2. The method of claim 1 wherein each hard link comprises a file name.
  - 3. The method of claim 1 wherein each hard link comprises a full path name including a file name.
  - 4. The method of claim 1 wherein the scanning criteria are based upon a file name in combination with other information.
  - 5. The method of claim 4 wherein said other information comprises information contained in a header of the file.
  - 6. The method of claim 1 wherein the ascertaining comprises accessing a backpointer table associated with the file.
  - 7. The method of claim 6 wherein the backpointer table comprises full path names for all hard links to the file.
  - 8. The method of claim 6 wherein the backpointer table is an alternate data stream in a New Technology File System.
  - 9. The method of claim 6 wherein the backpointer table has been constructed by a backpointer table construction module.
  - 10. The method of claim 6 wherein the backpointer table is updated every time a file is subjected to an operation from the group of operations comprising addition of a file, deletion of a file, and renaming of a file.
  - 11. The method of claim 6 wherein a search module associated with the computer is modified to access the backpointer table.
  - 12. The method of claim 6 wherein the backpointer table is created when the computer is initialized.
  - 13. The method of claim 6 wherein the backpointer table is re-initialized when there is reason to believe that the backpointer table may have become inconsistent.
  - 14. The method of claim 6 further comprising the step of:
    - performing an integrity check on the backpointer table.
  - 15. The method of claim 14 wherein the step of performing the integrity check comprises the substeps of:
    - for each file on the computer, determining whether a first value stored within the file representative of a number of hard links associated with the file is equal to a second value representative of the number of entries in the backpointer table associated with the file; and
      
      when the first value is unequal to the second value, updating the backpointer table.
  - 16. The method of claim 1 wherein the determining step is performed every time the file is opened.
  - 17. The method of claim 1 wherein the ascertaining is performed by a file system filter driver that is always running on the computer.
  - 39. The computer-implemented method of claim 1 wherein an antivirus scanner identifies the hard link(s) having the most restrictive scanning criteria.
  - 40. The computer-implemented method of claim 1 wherein a file system filter driver identifies the hard link(s) having the most restrictive scanning criteria.

18. Apparatus for detecting malicious computer code in a file associated with a computer, said apparatus comprising:
- a backpointer table construction module coupled to the file, said module adapted to construct a backpointer table for the file when the file has more than one hard link;
  
  an antivirus scanner coupled to the file and adapted to scan the file for the presence of malicious computer code; and
  
  a file system filter driver coupled to the file and to the antivirus scanner, said driver instructing the antivirus scanner to examine the backpointer table when the file has more than one hard link.

19. A computer-readable medium containing computer program instructions for detecting malicious computer code in a file associated with a computer, said instructions performing the steps of:
- determining whether there is more than one hard link to the file; and
  
  when there is more than one hard link;
  
  ascertaining the identities of all the hard links; and
  
  performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 20. The computer-readable medium of claim 19 wherein each hard link comprises a file name.
  - 21. The computer-readable medium of claim 19 wherein each hard link comprises a full path name including a file name.
  - 22. The computer-readable medium of claim 19 wherein the scanning criteria are based upon a file name in combination with other information.
  - 23. The computer-readable medium of claim 22 wherein said other information comprises information contained in a header of the file.
  - 24. The computer-readable medium of claim 19 wherein the ascertaining comprises accessing a backpointer table associated with the file.
  - 25. The computer-readable medium of claim 24 wherein the backpointer table comprises full path names for all hard links to the file.
  - 26. The computer-readable medium of claim 24 wherein the backpointer table is an alternate data stream in a New Technology File System.
  - 27. The computer-readable medium of claim 24 wherein the backpointer table has been constructed by a backpointer table construction module.
  - 28. The computer-readable medium of claim 24 wherein the backpointer table is updated every time a file is subjected to an operation from the group of operations comprising addition of a file, deletion of a file, and renaming of a file.
  - 29. The computer-readable medium of claim 24 wherein a search module associated with the computer is modified to access the backpointer table.
  - 30. The computer-readable medium of claim 24 wherein the backpointer table is created when the computer is initialized.
  - 31. The computer-readable medium of claim 24 wherein said instructions further comprise the step of:
    - performing an integrity check on the backpointer table.
  - 32. The computer-readable medium of claim 31 wherein the step of performing the integrity check comprises the substeps of:
    - for each file on the computer, determining whether a first value stored within the file representative of a number of hard links associated with the file is equal to a second value representative of the number of entries in the backpointer table associated with the file; and
      
      when the first value is unequal to the second value, updating the backpointer table.
  - 33. The computer-readable medium of claim 19 wherein the determining step is performed every time the file is opened.
  - 34. The computer-readable medium of claim 19 wherein the ascertaining is performed by a file system filter driver that is always running on the computer.

35. A computer-implemented method for accessing a computer file, said method comprising the steps of:
- determining whether there is more than one hard link to the file;
  
  when there is more than one hard link, creating a backpointer table storing all the hard links to the file; and
  
  accessing the file via one of the hard links, wherein any changes made to the file during said accessing are present during any subsequent accessing of the file via any of the hard links.

36. A computer-implemented method for detecting malicious computer code in a file associated with a computer, said method comprising the steps of:
- determining whether there is more than one hard link to the file; and
  
  when there is more than one hard link;
  
  ascertaining the identities of all the hard links; and
  
  performing an antivirus scan on the file based upon the union of scanning criteria amongst all the hard links.
- View Dependent Claims (37, 38)
- - 37. The computer-implemented method of claim 36 wherein the union of scanning criteria are determined by an antivirus scanner.
  - 38. The computer-implemented method of claim 36 wherein the union of scanning criteria are determined by a file system filter driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., McCorkendale, Bruce

Granted Patent

US 7,260,847 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/562 Static detection

Antivirus scanning in a hard-linked environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Antivirus scanning in a hard-linked environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links