Filter driver for identifying disk files by analysis of content

US 20050234866A1
Filed: 06/09/2005
Published: 10/20/2005
Est. Priority Date: 04/27/2001
Status: Active Grant

First Claim

Patent Images

1-13. -13. (canceled)

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for excluding certain types of files from being saved to a system by examining file data. The file data is examined by: mapping the circular queue to memory; reading the file identifiers from the circular queue (a named mutex is locked until all file identifiers have been read from the queue); using the file identifier to open the file; scanning the opened file to create a file signature; comparing the file signature to each entry on a list of signature criteria; and performing a storage policy if there is a match.

Citations

33 Claims

1-13. -13. (canceled)

14. A method, comprising:
- intercepting an operation to save a file to a system;
  
  determining whether a file signature corresponding to said file matches one or more signatures stored in a signature database;
  
  in response to determining that said file signature matches one or more signatures stored in said signature database, executing a storage policy with respect to said file;
  
  in response to determining that said file signature matches no signatures stored in said signature database, allowing said file to be saved to said system.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method as recited in claim 14, wherein said file signature is indicative of a type of data stored within said file.
  - 16. The method as recited in claim 15, wherein said file signature includes a pattern of information located within the first 1,024 bytes of said file, and wherein said pattern of information is common to all files of the same type as said file.
  - 17. The method as recited in claim 14, wherein executing said storage policy includes at least one of:
    - deleting said file, quarantining said file, notifying a system administrator of said operation to save said file, or notifying a user who initiated said operation that said file is not allowed to be saved.
  - 18. The method as recited in claim 14, further comprising saving said file to said system prior to said determining, wherein executing said storage policy with respect to said file includes deleting said file from said system, and wherein allowing said file to be saved to said system includes preserving said previously-saved file within said system.
  - 19. The method as recited in claim 14, wherein said determining is performed by a signature processing user mode service.

20. A method, comprising:
- intercepting an operation to save a file to a system;
  
  determining whether a file identifier of said file satisfies specified file identifier criteria, wherein said file identifier criteria indicate disallowed types of files;
  
  in response to determining that said file identifier satisfies said file identifier criteria, executing a storage policy with respect to said file;
  
  in response to determining that said file identifier does not satisfy said file identifier criteria, determining whether a file signature corresponding to said file matches one or more signatures stored in a signature database;
  
  in response to determining that said file signature matches one or more signatures stored in said signature database, executing said storage policy with respect to said file;
  
  in response to determining that said file signature matches no signatures stored in said signature database, allowing said file to be saved to said system.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The method as recited in claim 20, wherein said file identifier includes a file name.
  - 22. The method as recited in claim 20, wherein said file identifier includes a file extension.
  - 23. The method as recited in claim 20, wherein said file signature is indicative of a type of data stored within said file.
  - 24. The method as recited in claim 23, wherein said file signature includes a pattern of information located within the first 1,024 bytes of said file, and wherein said pattern of information is common to all files of the same type as said file.
  - 25. The method as recited in claim 20, wherein executing said storage policy includes at least one of:
    - deleting said file, quarantining said file, notifying a system administrator of said operation to save said file, or notifying a user who initiated said operation that said file is not allowed to be saved.
  - 26. The method as recited in claim 20, wherein said determining whether said file identifier of said file satisfies said specified file identifier criteria is performed by a kernel-mode filter driver.
  - 27. The method as recited in claim 20, wherein said determining is performed by a signature processing user mode service.
  - 28. The method as recited in claim 20, wherein said determining whether said file signature corresponding to said file matches one or more signatures stored in said signature database is performed by a signature processing user mode service.

29. A system, comprising:
- an input/output filter driver;
  
  a signature processing user mode service;
  
  a signature database; and
  
  a policy database;
  
  wherein said input/output filter driver is configured to intercept an attempt to save a file to the system;
  
  wherein said signature processing user mode service is configured to determine whether a file signature corresponding to said file matches one or more signatures stored in said signature database;
  
  wherein in response to determining that said file signature matches one or more signatures stored in said signature database, said signature processing user mode service is further configured to execute a storage policy stored within said policy database with respect to said file; and
  
  wherein in response to determining that said file signature matches no signatures stored in said signature database, said signature processing user mode service is further configured to allow said file to be saved to said system.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The system as recited in claim 29, wherein said file signature is indicative of a type of data stored within said file.
  - 31. The system as recited in claim 30, wherein said file signature includes a pattern of information located within the first 1,024 bytes of said file, and wherein said pattern of information is common to all files of the same type as said file.
  - 32. The system as recited in claim 29, wherein executing said storage policy includes at least one of:
    - deleting said file, quarantining said file, notifying a system administrator of said operation to save said file, or notifying a user who initiated said operation that said file is not allowed to be saved.
  - 33. The system as recited in claim 29, wherein said input/output filter driver is further configured to save said file to said system prior to said signature processing user mode service determining whether said file signature corresponding to said file matches one or more signatures stored in said signature database, wherein said signature processing user mode service executing said storage policy with respect to said file includes said signature processing user mode service deleting said file from said system, and wherein said signature processing user mode service allowing said file to be saved to said system includes said signature processing user mode service preserving said previously-saved file within said system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Veritas Operating Corporation (Gen Digital Inc.)
Inventors
Kyler, Daniel B.

Granted Patent

US 8,346,805 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/564   by virus signature recognition

G06F 21/6281   at program execution time, ...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 9/52   Program synchronisation; Mu...

H04L 63/123   received data contents, e.g...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99945   Object-oriented database st...

Filter driver for identifying disk files by analysis of content

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Filter driver for identifying disk files by analysis of content

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links