Whitelist and Blacklist Identification Data

US 20090083852A1
Filed: 09/26/2007
Published: 03/26/2009
Est. Priority Date: 09/26/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions, which when executed perform actions, comprising:

starting a scan of files included on a storage device;

creating a data structure that indicates at least one directory included on the storage device;

sending the data structure to a first server and an indication of a last successful communication with the first server;

receiving information for files that have been added to the at least one directory after the last successful communication with the first server; and

using the information to determine whether one or more of the files are designated as good or malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the subject matter described herein relate to identifying good files and malware based on whitelists and blacklists. In aspects, a node starts a scan of files on a data store. In conjunction with starting the scan, the node creates a data structure that indicates the directories on the data store. The node sends the data structure to a whitelist server and a blacklist server and an indication of a last successful time of communication. The whitelist and blacklist servers respond to the node with information about any new files that have been added to the directories since the last successful communication. The node may subsequently use the information to identify known good files and malware.

Citations

20 Claims

1. A computer-readable medium having computer-executable instructions, which when executed perform actions, comprising:
- starting a scan of files included on a storage device;
  
  creating a data structure that indicates at least one directory included on the storage device;
  
  sending the data structure to a first server and an indication of a last successful communication with the first server;
  
  receiving information for files that have been added to the at least one directory after the last successful communication with the first server; and
  
  using the information to determine whether one or more of the files are designated as good or malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable medium of claim 1, further comprising sending the data structure to a second server and an indication of a last successful communication with the second server, the second server including information about files that are designated as malware.
  - 3. The computer-readable medium of claim 1, wherein the information comprises an identifier of a file.
  - 4. The computer-readable medium of claim 3, wherein the identifier is calculated by computing a hash of the file.
  - 5. The computer-readable medium of claim 1, wherein using the information to determine whether one or more of the files are designated as good or malware comprises:
    - computing a hash of a file stored on the storage device;
      
      comparing the hash of the file to a hash included in the information; and
      
      comparing a directory in which the file resides to a directory that the information indicates includes the file.
  - 6. The computer-readable medium of claim 1, wherein using the information to determine whether one or more of the files are designated as good or malware comprises:
    - receiving, at a proxy, a hash of a file stored on the storage device, the hash being computed by a node;
      
      comparing the hash of the file to a hash included in the information; and
      
      sending, to the node, an indication of whether the one or more files are designated as good or malware.
  - 7. The computer-readable medium of claim 1, further comprising sending a hash of a file to a proxy and receiving a response from the proxy as to whether the file is designated as good or malware, wherein at least creating a data structure that indicates at least one directory included on the storage device, sending the data structure to a first server and an indication of a last successful communication with the first server, and receiving information for files that have been added to the at least one directory after the last successful communication with the first server are performed by the proxy.
  - 8. The computer-readable medium of claim 1, wherein the malware comprises computer code designed to infiltrate a computer system.
  - 9. The computer-readable medium of claim 8, wherein the computer code comprises one or more of a virus, worm, Trojan horse, and adware.
  - 10. The computer-readable medium of claim 1, further comprising continuing the scan while waiting to receive the information, the scan using previously received information to determine whether one or more of the files are designated as good or malware.

11. A method implemented at least in part by a computer, the method comprising:
- receiving a directory structure that indicates a least one directory included on a storage device;
  
  receiving an indication of a last successful communication regarding the at least one directory; and
  
  providing information about at least one new file in the at least one directory, the information indicating that the at least one new file is good or malware, the at least one new file being added since the last successful communication regarding the at least one directory.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising:
    - authenticating an entity that seeks to update a whitelist that includes the information;
      
      determining that the entity is authorized to update the whitelistreceiving data from the entity, the data indicating new information to add to the whitelist; and
      
      updating the whitelist with the data.
  - 13. The method of claim 11, further comprising:
    - determining that the at least one directory has been received a number of times that is greater than or equal to a threshold;
      
      obtaining information about files included in the at least one directory;
      
      storing the information about the files in a database to use in providing in response to subsequent requests related to files that are designated as good or malware.
  - 14. The method of claim 13, wherein storing the information about the files in a database to use in providing in response to subsequent requests related to files that designated good or malware comprises automatically storing the information when the number of times is greater than or equal to a configurable threshold.
  - 15. The method of claim 14, further comprising seeding the database with information about an initial set of files.
  - 16. The method of claim 11, further comprising identifying identifiers for files in the at least one directory that have been added since the last successful communication regarding the at least one directory, each identifier being a hash of its corresponding file.
  - 17. The method of claim 11, wherein the information comprises one or more of a name of the file, a hash of the file, the directory in which the file is installed, a software product that includes the file, a vendor that produced the file, and a date the information about the file was placed in a list.

18. In a computing environment, an apparatus, comprising:
- a communications mechanism operable to send a request for information about a directory and receive a response thereto, the information indicating whether a file in the directory is designated as good or malware, the request including a data structure that includes the directory;
  
  a directory structure builder operable to generate the data structure;
  
  a list component operable to send the request to the communications mechanism, to receive the response from the communications mechanism, and to update a database based on the response; and
  
  a scanning engine operable to scan with or without use of the information and to indicate, when the information applies, whether a file is designated as good or malware.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, wherein the list component comprises a whitelist component operable to request information about files that are known to be good and that are new to the list component since a last successful response was received.
  - 20. The apparatus of claim 18, wherein the list component comprises a blacklist component operable to request information about files that are known to be malware and that are new to the list component since a last successful response was received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Mody, Jigar J., Kuo, Chengi Jimmy

Granted Patent

US 8,214,895 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

Whitelist and Blacklist Identification Data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Whitelist and Blacklist Identification Data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links