Fast virus scanning using session stamping

US 6,735,700 B1
Filed: 01/11/2000
Issued: 05/11/2004
Est. Priority Date: 01/11/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A computerized method for scanning files for viruses comprising:

generating a current session key upon an execution of the method;

obtaining a session stamp associated with a directory entry for a file, wherein the session stamp is sorted in an extended attributes section of the directory entry for the file;

scanning the file if the session stamp was created using a previous session key; and

updating the session stamp as a result of the scan.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unique session key is created for each execution of anti-virus software and is used to create a session stamp for each file scanned during that execution. The session stamp is stored in the directory entry for the file. When a request for the file is made, the anti-virus software uses the current session key to validate the session stamp. An invalid or absent session stamp indicates that the file needs to be scanned.

118 Citations

38 Claims

1. A computerized method for scanning files for viruses comprising:
- generating a current session key upon an execution of the method;
  
  obtaining a session stamp associated with a directory entry for a file, wherein the session stamp is sorted in an extended attributes section of the directory entry for the file;
  
  scanning the file if the session stamp was created using a previous session key; and
  
  updating the session stamp as a result of the scan.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
3. The method of claim 1, wherein updating the session stamp comprises invalidating the session stamp if the file is infected with a virus.
4. The method of claim 1, wherein the session stamp comprises an infection indicator and updating the session stamp comprises modifying the infection indicator when the file is infected with a virus.
5. The method of claim 1, wherein the session stamp comprises a signature and updating the session stamp comprises encrypting a known value with the current session key to create the signature.
6. The method of claim 1, wherein the session stamp comprises a signature and updating the session stamp comprises replacing a previous session key with the current session key.
7. The method of claim 1, wherein the session stamp comprises context information and updating the session stamp comprises replacing previous context information with current context information.
8. The method of claim 1, wherein obtaining the session stamp, scanning the file, and updating the session stamp are performed when the file is accessed.
9. The method of claim 1, wherein obtaining the session stamp, scanning the file, and updating the session stamp are performed upon the file as a result of a user command.
10. The method of claim 1, further comprising:
- loading a pre-determined set of file identifiers, wherein obtaining the session stamp, scanning the file, and updating the session stamp are performed on each file identified by the file identifiers.
11. The method of claim 10, wherein the pre-determined set of file identifiers is most-recently-used cache of identifiers for the files that have been most recently used, and further comprising:
- adding an identifier for the file to the most-recently-used cache when the file is accessed; and
  
  storing the most-recently-used cache to non-volatile storage upon termination of the execution.
12. The method of claim 10, wherein the predetermined set of file identifiers is created from user input.
13. The method of claim 10, wherein obtaining the session stamp, scanning the file, and updating the session stamp are performed as a background task on each file identified by the file identifiers.

14. A computer-readable medium having stored thereon executable instructions to cause a computer to perform a method comprising:
- generating a current session key upon an execution of the instructions;
  
  obtaining a session stamp associated with a directory entry for a file, wherein the session stamp is stored in an extended attributes section of the directory entry for the file;
  
  scanning the file if the session stamp was created using a previous session key; and
  
  updating the session stamp as a result of the scan.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer-readable medium of claim 14, further comprising:
16. The computer-readable medium of claim 14, wherein obtaining the session stamp, scanning the file, and updating the session stamp are performed when the file is accessed.
17. The computer-readable medium of claim 14, wherein obtaining the session stamp, scanning the file, and updating the session stamp are performed when the file is accessed.
18. The computer-readable medium of claim 14, further comprising:
- loading a pre-determined set of file identifiers, wherein obtaining the session stamp, scanning the file, and updating the session stamp are performed on each file identified by the file identifier.

19. A computer-readable medium having stored thereon a session stamp data structure comprising:
- a file identifier field containing data representing an identifier for a file in a file system; and
  
  a signature field containing data created by an execution of an anti-virus process that last scanned the file identified by the file identifier field.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The computer-readable medium of claim 19, wherein the data in the signature field represents a pre-determined value encrypted by a session key associated with the execution of the anti-virus process.
  - 21. The computer-readable medium of claim 19, wherein the data in the signature field represents a session key associated with the execution of the anti-virus process.
  - 22. The computer-readable medium of claim 19, further comprising:
23. The computer-readable medium of claim 19, further comprising:
- a scan result field containing data representing an infection status returned by the anti-virus process that last scanned the file identified by the file identifier field.
24. The computer readable medium of claim 19, further comprising:
- a time and date stamp field containing data representing a time and date the file identified by the file identifier field was last modified.
25. The computer-readable medium of claim 19, further comprising:
- a size field containing data representing a size for the file identified by the file identifier field.

26. A computer system comprising:
- a processor coupled to a system bus;
  
  a memory coupled to the processor through the system bus;
  
  a computer-readable medium coupled to the processor through the system bus;
  
  a virus scanning process executed from the computer-readable medium by the processor, wherein the scanning process causes the processor to generate a current session key when the scanning process is executed from the computer-readable medium, and further to obtain a session stamp associated with a directory entry for a file from the computer-readable medium, to scan the file if the session stamp was created using a previous session key, and to update the session stamp on the computer-readable medium as a result of the scan.
- View Dependent Claims (27, 28, 29)
- - 27. The computer system of claim 26, wherein the virus scanning process further causes the processor to scan the file if there is no session stamp associated with the directory entry for the file on the computer-readable medium, to create a session stamp using the current session key as a result of the scan, and to store the session stamp in the directory entry for the file on the computer-readable medium.
  - 28. The computer system of claim 26, further comprising a user input device coupled to the processor through the system bus, wherein input from the user input device instructs the virus scanning process to scan the file.
  - 29. The computer system of claim 26, further comprising an application process executed from the computer-readable medium by the process, wherein a request from the application process for the file causes the processor to scan the file.

30. A method for communicating between an anti-virus process and a session stamping process comprising:
- issuing, by the anti-virus process, an enable-session-key call;
  
  receiving, by the session stamping process, the enable-session-key call and, in response thereto, initializing a stamping session and generating a session key;
  
  issuing, by the anti-virus process, a disable-session-key call; and
  
  receiving, by the session stamping process, the disable-session-key call and, in response thereto, disabling the stamping session.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. The method of claim 30, further comprising:
32. The method of claim 31, wherein the stamp-file-with-session-stamp call further has an engine parameter identifying context information used to generate the session stamp.
33. The method of claim 31, wherein the stamp-file-with-session-stamp call further has an iam parameter identifying the anti-virus process currently calling the session stamping process.
34. The method of claim 30, further comprising:
- issuing, by the anti-virus process, a delete-session-stamp call having a file parameter; and
  
  receiving, by the session stamping process, the delete-session-stamp call and, in response thereto, deleting any session stamp associated with the file identified by the file parameter.
35. The method of claim 30, further comprising:
- issuing, by the anti-virus process, a has-file-got-valid-session-stamp call having a file parameter;
  
  receiving, by the session stamping process, the has-file-got-valid-session-stamp call and, in response thereto, determining a validity for any session stamp associated with the file identified by the file parameter; and
  
  returning, by the session stamping process, the validity to the anti-virus process.
36. The method of claim 35, wherein the has-file-got-valid-session-stamp call further has an engine parameter identifying context information used to determine the validity of the session stamp.
37. The method of claim 35, wherein the has-file-got-valid-session-stamp call further has an iam parameter identifying the anti-virus process currently calling the session stamping process.
38. The method of claim 35, wherein the has-file-got-valid-session-stamp call further has a signer parameter, and further comprising:
- returning, by the session stamping process, an identifier for the anti-virus process that last called the session stamping process as the signer parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Network Associates Technology, Inc.
Inventors
Hughes, Michael, Flint, Barney
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/481,060
Time in Patent Office

1,582 Days
Field of Search

713/188, 713/189, 713/193, 713/200, 713/201
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 2221/2151 Time stamp

Fast virus scanning using session stamping

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Fast virus scanning using session stamping

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links