Secure storage tracking for anti-virus speed-up
Abstract
A computer system includes a security subsystem which is able to trustfully track which files or storage areas of a storage device have been altered since a last virus scan. The trusted information can then be used to accelerate scans for undesirable code or data such as viruses and invalid or corrupt registry entries. In the case of viruses, files or storage areas which have been altered are scanned against a super-set of virus definitions. Unaltered files or storage areas are scanned against a subset of virus definitions.
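The scan-selection logic described in the abstract and in claims 1 to 3 can be modelled as follows. This is an added example, not code from the patent: the class, method and identifier names are assumptions, and the byte patterns and areas are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class SecuritySubsystem:
    """Stand-in for the trusted subsystem; the underscore fields model trusted
    variables kept in memory that code running under the OS cannot reach."""
    _dirty: set = field(default_factory=set)    # areas written since last scan
    _covered: set = field(default_factory=set)  # identifiers used in last scan

    def record_write(self, area):               # driven by the storage write path
        self._dirty.add(area)

    def written_since_last_scan(self, area):    # the trusted query
        return area in self._dirty

    def in_last_scan(self, sig_id):
        return sig_id in self._covered

    def commit_scan(self, clean_areas, sig_ids):
        self._dirty -= set(clean_areas)
        self._covered |= set(sig_ids)

def plan_scan(sub, areas, definitions):
    """Map each area to the identifiers that still have to be checked."""
    new_only = [s for s in definitions if not sub.in_last_scan(s)]
    return {a: list(definitions) if sub.written_since_last_scan(a) else new_only
            for a in areas}

def run_scan(sub, storage, definitions):
    plan = plan_scan(sub, storage, definitions)
    hits = [(a, s) for a, sigs in plan.items() for s in sigs
            if definitions[s] in storage[a]]
    infected = {a for a, _ in hits}
    sub.commit_scan([a for a in storage if a not in infected], definitions)
    return plan, hits

def demo():
    # Constructed sample data: two areas and two toy byte-pattern "definitions".
    sub, storage = SecuritySubsystem(), {"area0": b"hello", "area1": b"plain"}
    for a in storage:
        sub.record_write(a)                     # never scanned counts as written
    run_scan(sub, storage, {"SIG-A": b"EVIL1"})
    storage["area1"] = b"xx EVIL2 xx"           # area1 altered after the scan
    sub.record_write("area1")
    return run_scan(sub, storage, {"SIG-A": b"EVIL1", "SIG-B": b"EVIL2"})

if __name__ == "__main__":
    print(demo())
```

The bypass is only as trustworthy as the write tracking: if code running under the operating system could clear the written-since-last-scan state, an altered area would be checked against the new identifiers only, which is why the claims place that state in the security subsystem.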
36 Claims
1. A method comprising:
querying a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan, wherein the security subsystem includes a trusted variable and wherein the determination avails trust through a reference to the trusted variable by the security subsystem; and
scanning the area for an identifier of undesirable code in response to a trusted determination from said query that the area has been written to since the last scan.
2. A method comprising:
querying a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan, wherein the security subsystem includes a trusted variable and wherein the determination avails trust through a reference to the trusted variable by the security subsystem;
determining whether a prior identifier of undesirable code was included in the last scan; and
bypassing a scan of the area for the prior identifier of undesirable code in response to a determination from said query that the area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan.
3. A method comprising:
querying a security subsystem to trustfully determine whether a first area of a storage device has been written to since a last scan, wherein the security subsystem includes a memory which is inaccessible to code executing from an operating system and wherein the determination avails trust through a reference to the inaccessible memory by the security subsystem;
scanning the first area for known identifiers of undesirable code in response to a trusted determination from said query that the first area has been written to since the last scan;
determining whether a prior identifier of undesirable code was included in the last scan; and
bypassing a scan of the first area for the prior identifier of undesirable code in response to a determination from said query that the first area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan, the scan bypass resulting in a bypassed area.
(Dependent claims: 4, 5, 6)
7. A method comprising:
scanning files in a scan area of a storage device for malicious code wherein the storage device is subdivided into a first area and the scan area, the first area being securely configurable between a normal read-only state and a writeable state wherein the configuration is under the control of a security system having a secure memory which is inaccessible to code executed under an operating system;
upon successfully scanning at least one file in which no malicious code is found, activating and authenticating a first security measure of the security system to configure the first area to the writeable state, wherein the authentication executes out of the secure memory;
writing successfully scanned files in the scan area to the first area; and
configuring the first area to the read-only state after said writing of successfully scanned files.
(Dependent claims: 8, 9, 10, 11, 12, 13, 14)
15. Apparatus comprising:
a processor and a main memory for storing code which is executed under an operating system by the processor;
a security system having a secure memory which is inaccessible to the code which is executed under the operating system by said processor; and
a storage device which is operatively coupled to said processor and said security system and which is subdivided into a first area and a read-write area, the first area being securely configurable under the control of said security system between a normal read-only state and a writeable state;
wherein said security system maintains in the secure memory at least one trusted variable which identifies the occurrence of a last scan for malicious code on said storage device and responds to a request for status related to the last scan by referencing the trusted variable and reporting a related result and wherein said security system invokes an authentication procedure in response to a provided request to configure the first area to the writeable state, wherein the authentication executes out of the secure memory.
(Dependent claims: 16, 17, 18, 19, 20, 21)
22. A method comprising:
subdividing a storage device into a first area and a read-write area, the first area being securely configurable between a normal read-only access mode and a writeable access mode, wherein the storage device imposes a security measure in response to an attempt to configure the mode of access to the first area;
caching accesses to the storage device by;
directing read accesses to the first area if the data being accessed is missing from the read-write area;
directing read accesses to the read-write area if the data being accessed is in the read-write area;
directing write accesses to the read-write area;
scanning files in the read-write area for malicious code;
upon successfully scanning at least one file in which no malicious code is found, activating a first security measure on the storage device to configure the first area in the writeable access mode;
writing successfully scanned files in the read-write area to the first area;
activating a second security measure on the storage device to configure the first area in the read-only access mode; and
deleting the successfully scanned files from the read-write area.
(Dependent claims: 23)
24. A product comprising:
a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
query a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan; and
scan the area for an identifier of undesirable code in response to a trusted determination from the query that the area has been written to since the last scan;
wherein the computer readable program code is unable to access a secure variable which avails trust to the determination.
25. A product comprising:
a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
query a security subsystem to trustfully determine whether an area of a storage device has been written to since a last scan;
determine whether a prior identifier of undesirable code was included in the last scan; and
bypass a scan of the area for the prior identifier of undesirable code in response to a determination from the query that the area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan;
wherein the computer readable program code is unable to access a secure variable which avails trust to the trusted determination.
26. A product comprising:
a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
query a security subsystem to trustfully determine whether a first area of a storage device has been written to since a last scan;
scan the first area for known identifiers of undesirable code in response to a trusted determination from the query that the first area has been written to since the last scan;
determine whether a prior identifier of undesirable code was included in the last scan; and
bypass a scan of the first area for the prior identifier of undesirable code in response to a determination from the query that the first area has not been written to since the last scan and in response to a determination that the prior identifier was included in the last scan, the scan bypass resulting in a bypassed area;
wherein the computer readable program code is unable to directly access a secure memory which avails trust to the trusted determination.
(Dependent claims: 27, 28, 29)
30. A product comprising:
a computer usable medium having computer readable program code stored therein, the computer readable program code in said product being effective to;
scan files in a scan area of a storage device for malicious code wherein the storage device is subdivided into a first area and the scan area, the first area being securely configurable between a normal read-only state and a writeable state wherein the configuration is under the control of a security system having a secure memory which is inaccessible to code executed under an operating system;
upon successfully scanning at least one file in which no malicious code is found, activate and authenticate a first security measure of the security system to configure the first area to the writeable state, wherein the authentication executes out of the secure memory;
write successfully scanned files in the scan area to the first area; and
configure the first area to the read-only state after the code writes the successfully scanned files.
(Dependent claims: 31, 32, 33, 34, 35, 36)
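The scan-and-promote procedure of claims 7, 22 and 30 (reads fall back to the protected first area, writes land in the read-write area, clean files are moved across under an authenticated unlock) can be modelled as follows. This is an added example, not code from the patent: all names are assumptions, the shared-secret check is a placeholder for the authentication procedure the claims leave unspecified, and the files and pattern are constructed sample data.

```python
import hmac

class ProtectedStore:
    """Storage split into a normally read-only first area and a read-write area.
    The credential check is a placeholder for the authentication procedure,
    which the claims leave unspecified."""
    def __init__(self, secret: bytes):
        self._secret = secret            # models a value held in secure memory
        self._writeable = False
        self.first, self.rw = {}, {}

    def read(self, name):                # read-write copy wins, else first area
        return self.rw[name] if name in self.rw else self.first[name]

    def write(self, name, data):         # ordinary writes never touch first area
        self.rw[name] = data

    def configure(self, writeable, credential: bytes):
        if not hmac.compare_digest(credential, self._secret):
            raise PermissionError("authentication failed")
        self._writeable = writeable

    def write_first(self, name, data):
        if not self._writeable:
            raise PermissionError("first area is read-only")
        self.first[name] = data

def scan_and_promote(store, patterns, credential):
    """Move files that scan clean into the first area, then lock it again."""
    clean = sorted(n for n, d in store.rw.items()
                   if not any(p in d for p in patterns))
    if not clean:
        return clean
    store.configure(True, credential)
    try:
        for name in clean:
            store.write_first(name, store.rw[name])
    finally:
        store.configure(False, credential)   # re-lock even if a write fails
    for name in clean:
        del store.rw[name]
    return clean

def demo():
    # Constructed sample: one clean file, one carrying a toy pattern.
    store = ProtectedStore(b"constructed-secret")
    store.write("a.txt", b"report")
    store.write("b.bin", b"xx EVIL xx")
    moved = scan_and_promote(store, [b"EVIL"], b"constructed-secret")
    store.write("a.txt", b"report v2")       # later edit lands in read-write area
    return store, moved
```

After `demo()` the first area holds only the clean, scanned copy of `a.txt`, while the flagged file and the later edit both sit in the read-write area, which is the only area the next scan has to cover.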
Specification