Scanning data in an access restricted file for malware

US 20060272021A1
Filed: 05/27/2005
Published: 11/30/2006
Est. Priority Date: 05/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method of scanning a file stored on a computer that maintains a restrictive access attribute that limits access to the file, the method comprising:

(a) identifying the restrictive access attribute that limits access to the file;

(b) bypassing the restrictive access attribute to access data in the file; and

(c) analyzing the data in the file for malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed toward a system, method, and computer-readable medium that scan a file for malware that maintains a restrictive access attribute that limits access to the file. In accordance with one aspect of the present invention, a method for performing a scan for malware is provided when antivirus software on a computer encounters a file with a restrictive access attribute that prevents the file from being scanned. More specifically, the method includes identifying the restrictive access attribute that limits access to the file; bypassing the restrictive access attribute to access data in the file; and using a scan engine to scan the data in the file for malware.

Citations

20 Claims

1. A method of scanning a file stored on a computer that maintains a restrictive access attribute that limits access to the file, the method comprising:
- (a) identifying the restrictive access attribute that limits access to the file;
  
  (b) bypassing the restrictive access attribute to access data in the file; and
  
  (c) analyzing the data in the file for malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, wherein identifying the restrictive access attribute that limits access to the file includes:
    - (a) attempting to access data in the file;
      
      (b) in response to the attempt to access data in the file, receiving an error message that originates from the file system; and
      
      (c) identifying the type of error message that was received.
  - 3. The method as recited in claim 2, further comprising if the error message received is an access violation that originates from the file system:
    - (a) determining whether the file is encrypted;
      
      (b) if the file is encrypted, impersonating a user who may access the file in order to bypass the restrictive access attribute access data in the file; and
      
      (c) if the file is not encrypted, using a backup service to obtain a handle for the file in order to bypass the restrictive access attribute and access data in the file.
  - 4. The method as recited in claim 3, wherein impersonating a user who may access the file in order to bypass the restrictive access attribute to access data in the file, includes:
    - (a) obtaining an access token associated with the user who may access the file; and
      
      (b) issuing a function call to the operating system installed on the computer that identifies the access token of the user.
  - 5. The method as recited in claim 2, further comprising if the error message is a sharing violation that originates from the file system, determining whether the file is currently open:
    - (a) if the file is currently open, duplicating a handle associated with the file in a memory location accessible to antivirus software in order to bypass the restrictive access attribute and access data in the file; and
      
      (b) conversely, if the file is not currently open, obtaining data in the file directly from a hardware device where the file is stored.
  - 6. The method as recited in claim 5, wherein duplicating a handle associated with the file includes searching a table maintained by the operating system installed on the computer that tracks all open files on the computer.
  - 7. The method as recited in claim 5, wherein obtaining data in the file directly from a hardware device where the file is stored includes identifying data clusters associated with the file using a defragmentation system.
  - 8. The method as recited in claim 5, wherein obtaining data in the file directly from a hardware device where the file is stored includes (a) identifying the locations where data clusters associated with the file are stored on the hardware device by parsing a database maintained by the operating system that tracks file attributes;
    - (b) determining whether the data clusters are encrypted; and
      
      (c) if the data clusters are encrypted, impersonating a user who may access the file in order to access the decrypted data.

9. A computer-readable medium bearing computer-executable instructions that, when executed on a computer that includes a file that maintains a restrictive access attribute that limits access to the file, carries out a method for scanning the file for malware, the method comprising:
- (a) identifying the restrictive access attribute that limits access to the file;
  
  (b) bypassing the restrictive access attribute to access data in the file; and
  
  (c) analyzing the data in the file for malware.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium as recited in claim 9, wherein identifying the restrictive access attribute that limits access to the file includes:
    - (a) attempting to access data in the file;
      
      (b) in response to the attempt to access data in the file, receiving an error message that originates from the file system; and
      
      (c) identifying the type of error message that was received.
  - 11. The computer-readable medium as recited in claim 10, further comprising if the error message received is an access violation that originates from the file system:
    - (a) determining whether the file is encrypted;
      
      (b) if the file is encrypted, impersonating a user who may access the file in order to bypass the restrictive access attribute to access data in the file; and
      
      (c) if the file is not encrypted, using a backup service to obtain a handle for the file in order to bypass the restrictive access attribute and access data in the file.
  - 12. The computer-readable medium as recited in claim 11, wherein impersonating a user who may access the file in order to bypass the restrictive access attribute to access data in the file, includes:
    - (a) obtaining an access token associated with the user who may access the file; and
      
      (b) issuing a function call to the operating system installed on the computer that identifies the access token of the user.
  - 13. The computer-readable medium as recited in claim 10, further comprising if the error message is a sharing violation that originates from the file system, determining whether the file is currently open:
    - (a) if the file is currently open, duplicating a handle associated with the file in a memory location accessible to antivirus software in order to bypass the restrictive access attribute and access data in the file; and
      
      (b) conversely, if the file is not currently open, obtaining data in the file directly from a hardware device where the file is stored.
  - 14. The computer-readable medium as recited in claim 13, wherein duplicating a handle associated with the file includes searching a table maintained by the operating system installed on the computer that tracks open files on the computer.
  - 15. The computer-readable medium as recited in claim 13, wherein obtaining data in the file directly from a hardware device where the file is stored includes identifying data clusters associated with the file using a defragmentation system.
  - 16. The computer-readable medium as recited in claim 13, wherein obtaining data in the file directly from a hardware device where the file is stored includes:
    - (a) identifying the locations where data clusters associated with the file are stored on the hardware device by parsing a database maintained by the operating system that tracks file attributes;
      
      (b) determining whether the data clusters are encrypted; and
      
      (c) if the data clusters are encrypted, impersonating a user who may access the file in order to access the decrypted data.

17. A software system for scanning a file for malware that maintains a restrictive access attribute that limits access to the file, the software system comprising:
- (a) a scan engine for identifying data characteristic of malware; and
  
  (b) an access module for bypassing the restrictive access attribute that limits access to the file.
- View Dependent Claims (18, 19, 20)
- - 18. The software system as recited in claim 17, further comprising (a) a hardware device that stores data in the file;
    - and (b) a low-level access system from which data on the hardware device may be obtained.
  - 19. The software system as recited in claim 18, wherein the low-level access system maintains a defragmentation interface operative to identify the locations on the hardware device where data clusters associated with the file are stored;
    - and wherein the access module is further configured to query the defragmentation interface in order to bypass the restrictive access attribute to gain access to the file.
  - 20. The software system as recited in claim 17, further comprising a backup system operative to provide a handle for the file to the access module when data in an Access Control List prohibits a privileged program from accessing the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Marinescu, Adrian M., Field, Scott A., Gheorghescu, Marius Gheorghe, Chicioreanu, George C.

Granted Patent

US 7,660,797 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

Scanning data in an access restricted file for malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Scanning data in an access restricted file for malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links