Secure storage tracking for anti-virus speed-up

US 20060021032A1
Filed: 07/20/2004
Published: 01/26/2006
Est. Priority Date: 07/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

querying a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan, wherein the security subsystem includes a trusted variable and wherein the determination avails trust through a reference to the trusted variable by the security subsystem; and

scanning the area for an identifier of undesirable code in response to a trusted determination from said query that the area has been written to since the last scan.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system includes a security subsystem which is able to trustfully track which files or storage areas of a storage device have been altered since a last virus scan. The trusted information can then be used to accelerate scans for undesirable code or data such as viruses and invalid or corrupt registry entries. In the case of viruses, files or storage areas which have been altered are scanned against a super-set of virus definitions. Unaltered files or storage areas are scanned against a subset of virus definitions.

Citations

36 Claims

1. A method comprising:
- querying a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan, wherein the security subsystem includes a trusted variable and wherein the determination avails trust through a reference to the trusted variable by the security subsystem; and
  
  scanning the area for an identifier of undesirable code in response to a trusted determination from said query that the area has been written to since the last scan.

2. A method comprising:
- querying a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan, wherein the security subsystem includes a trusted variable and wherein the determination avails trust through a reference to the trusted variable by the security subsystem;
  
  determining whether a prior identifier of undesirable code was included in the last scan; and
  
  bypassing a scan of the area for the prior identifier of undesirable code in response to a determination from said query that the area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan.

3. A method comprising:
- querying a security subsystem to trustfully determine whether a first area of a storage device has been written to since a last scan, wherein the security subsystem includes a memory which is inaccessible to code executing from an operating system and wherein the determination avails trust through a reference to the inaccessible memory by the security subsystem;
  
  scanning the first area for known identifiers of undesirable code in response to a trusted determination from said query that the first area has been written to since the last scan;
  
  determining whether a prior identifier of undesirable code was included in the last scan; and
  
  bypassing a scan of the first area for the prior identifier of undesirable code in response to a determination from said query that the first area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan, the scan bypass resulting in a bypassed area.
- View Dependent Claims (4, 5, 6)
- - 4. The method of claim 3 wherein the prior identifier and the known identifiers are identifiers of malicious code and wherein the last scan is a prior scan for malicious code.
  - 5. The method of claim 4 wherein the identifiers are selected from the group consisting of a signature, a code fragment, a data fragment, a hash, and a registry entry in the registry of the operating system.
  - 6. The method of claim 4, further comprising:
    - requesting from the security subsystem a trusted scan timestamp which is related to the time when the prior scan for malicious code was executed and which is trusted by virtue of the inaccessible memory; and
      
      scanning said bypassed area against a new identifier which is associated with malicious code known to have come into existence on a new identifier date, wherein the scanning of said bypassed area occurs in response to a determination that a new identifier timestamp, which is related to the new identifier date, is earlier than the trusted scan timestamp.

7. A method comprising:
- scanning files in a scan area of a storage device for malicious code wherein the storage device is subdivided into a first area and the scan area, the first area being securely configurable between a normal read-only state and a writeable state wherein the configuration is under the control of a security system having a secure memory which is inaccessible to code executed under an operating system;
  
  upon successfully scanning at least one file in which no malicious code is found, activating and authenticating a first security measure of the security system to configure the first area to the writeable state, wherein the authentication executes out of the secure memory;
  
  writing successfully scanned files in the scan area to the first area; and
  
  configuring the first area to the read-only state after said writing of successfully scanned files.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7 further comprising:
    - deleting the successfully scanned files from the scan area after said writing of successfully scanned files.
  - 9. The method of claim 8 wherein the authentication for the first security measure is an authentication selected from the group consisting of a password, a digital signature, and a biometric.
  - 10. The method of claim 7 wherein the first and scan areas are subdivided logically.
  - 11. The method of claim 7 wherein the first and scan areas are subdivided physically.
  - 12. The method of claim 11 wherein the physically subdivided areas are respectively contiguous areas on the storage device.
  - 13. The method of claim 7 wherein said authentication of the first security measure is executed under the control of a virtual machine monitor.
  - 14. The method of claim 7 wherein the security system is implemented in hardware such that the secure memory is additionally inaccessible to a main processor that executes the operating system, wherein the hardware is physically located at a location selected from the group consisting of a storage controller, a storage device cable, and the storage device.

15. Apparatus comprising:
- a processor and a main memory for storing code which is executed under an operating system by the processor;
  
  a security system having a secure memory which is inaccessible to the code which is executed under the operating system by said processor; and
  
  a storage device which is operatively coupled to said processor and said security system and which is subdivided into a first area and a read-write area, the first area being securely configurable under the control of said security system between a normal read-only state and a writeable state;
  
  wherein said security system maintains in the secure memory at least one trusted variable which identifies the occurrence of a last scan for malicious code on said storage device and responds to a request for status related to the last scan by referencing the trusted variable and reporting a related result and wherein said security system invokes an authentication procedure in response to a provided request to configure the first area to the writeable state, wherein the authentication executes out of the secure memory.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. Apparatus of claim 15 wherein the authentication is selected from the group consisting of a password, a digital signature, and a biometric.
  - 17. Apparatus of claim 15 wherein the first and read-write areas are subdivided logically.
  - 18. Apparatus of claim 15 wherein the first and read-write areas are subdivided physically.
  - 19. Apparatus of claim 18 wherein the physically subdivided areas are respectively contiguous areas on said storage device.
  - 20. Apparatus of claim 15 wherein said security system is implemented as a virtual machine monitor.
  - 21. Apparatus of claim 15 wherein the security system is implemented in hardware such that the secure memory is additionally inaccessible to said processor and wherein the hardware is physically located at a location selected from the group consisting of a storage controller, a storage device cable, and the storage device.

22. A method comprising:
- subdividing a storage device into a first area and a read-write area, the first area being securely configurable between a normal read-only access mode and a writeable access mode, wherein the storage device imposes a security measure in response to an attempt to configure the mode of access to the first area;
  
  caching accesses to the storage device by;
  
  directing read accesses to the first area if the data being accessed is missing from the read-write area;
  
  directing read accesses to the read-write area if the data being accessed is in the read-write area;
  
  directing write accesses to the read-write area;
  
  scanning files in the read-write area for malicious code;
  
  upon successfully scanning at least one file in which no malicious code is found, activating a first security measure on the storage device to configure the first area in the writeable access mode;
  
  writing successfully scanned files in the read-write area to the first area;
  
  activating a second security measure on the storage device to configure the first area in the read-only access mode; and
  
  deleting the successfully scanned files from the read-write area.
- View Dependent Claims (23)
- - 23. The method of claim 22 wherein the writeable access mode is a read-write mode.

24. A product comprising:
- a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
  
  query a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan; and
  
  scan the area for an identifier of undesirable code in response to a trusted determination from the query that the area has been written to since the last scan;
  
  wherein the computer readable program code is unable to access a secure variable which avails trust to the determination.

25. A product comprising:
- a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
  
  query a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan;
  
  determine whether a prior identifier of undesirable code was included in the last scan; and
  
  bypass a scan of the area for the prior identifier of undesirable code in response to a determination from the query that the area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan;
  
  wherein the computer readable program code is unable to access a secure variable which avails trust to the trusted determination.

26. A product comprising:
- a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
  
  query a security subsystem to trustfully determine whether a first area of a storage device has been written to since a last scan;
  
  scan the first area for known identifiers of undesirable code in response to a trusted determination from the query that the first area has been written to since the last scan;
  
  determine whether a prior identifier of undesirable code was included in the last scan; and
  
  bypass a scan of the first area for the prior identifier of undesirable code in response to a determination from the query that the first area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan, the scan bypass resulting in a bypassed area;
  
  wherein the computer readable program code is unable to directly access a secure memory which avails trust to the trusted determination.
- View Dependent Claims (27, 28, 29)
- - 27. The product of claim 26 wherein the prior identifier and the known identifiers are identifiers of malicious code and wherein the last scan is a prior scan for malicious code.
  - 28. The product of claim 27 wherein the identifiers are selected from the group consisting of a signature, a code fragment, a data fragment, a hash, and a registry entry in the registry of the operating system.
  - 29. The product of claim 27, wherein the code is further effective to:
    - request from the security subsystem a trusted scan timestamp which is related to the time when the prior scan for malicious code was executed and which is trusted by virtue of the inaccessible memory; and
      
      scan the bypassed area against a new identifier which is associated with malicious code known to have come into existence on a new identifier date, wherein the scan of the bypassed area occurs in response to a determination that a new identifier timestamp, which is related to the new identifier date, is earlier than the trusted scan timestamp.

30. A product comprising:
- a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
  
  scan files in a scan area of a storage device for malicious code wherein the storage device is subdivided into a first area and the scan area, the first area being securely configurable between a normal read-only state and a writeable state wherein the configuration is under the control of a security system having a secure memory which is inaccessible to code executed under an operating system;
  
  upon successfully scanning at least one file in which no malicious code is found, activate and authenticate a first security measure of the security system to configure the first area to the writeable state, wherein the authentication executes out of the secure memory;
  
  write successfully scanned files in the scan area to the first area; and
  
  configure the first area to the read-only state after the code writes the successfully scanned files.
- View Dependent Claims (31, 32, 33, 34, 35, 36)
- - 31. The product of claim 30 wherein the code is further effective to:
    - delete the successfully scanned files from the scan area after the code writes the successfully scanned files.
  - 32. The product of claim 31 wherein the authentication for the first security measure is an authentication selected from the group consisting of a password, a digital signature, and a biometric.
  - 33. The product of claim 30 wherein the first and scan areas are subdivided logically.
  - 34. The product of claim 30 wherein the first and scan areas are subdivided physically.
  - 35. The product of claim 34 wherein the physically subdivided areas are respectively contiguous areas on the storage device.
  - 36. The product of claim 30 wherein the authentication of the first security measure is executed under the control of a virtual machine monitor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo PC International Limited (Lenovo Group Ltd.)
Original Assignee
International Business Machines Corporation
Inventors
Karidis, John Peter, Challener, David Carroll

Granted Patent

US 7,581,253 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 21/80 in storage media based on m...

Secure storage tracking for anti-virus speed-up

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Secure storage tracking for anti-virus speed-up

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links