Priority-based virus scanning with priorities based at least in part on heuristic prediction of scanning risk
Abstract
Anti-virus scanners can be deliberately disabled, inadvertently disabled, or simply slowed down to a point where the scanner becomes ineffective and the primary function of the scanning host device is disrupted when a suitably complex file is received by the scanning system for scanning. Archive files pose particular problems for scanners, since archives may contain very complex data structures, and require time consuming analysis. Virus scanners typically scan each element of an archive. Some virus scanners decompress each archive component for scanning. Virus developers have taken advantage of this scanning approach by creating complex archives designed to overwhelm a scanner, leaving a system unprotected or in a denial of service state. To counter such measures, when an archive (or other file) is passed to a scanner, various heuristics are applied to the archive so as to determine a risk-based scanning priority for the archive. Priorities can include normal priority, low priority for archives having suspicious characteristics, and discard without scanning for archives appearing to be constructed so as to overwhelm a scanner. Normal priority scans can occur immediately, while low priority scans can be relegated to only occurring while the scanning system is otherwise idle.
55 Citations
28 Claims
1. A method for scanning data comprising:
receiving an electronic document;
determining the electronic document is an archive file;
applying risk-assessment heuristics to the electronic document to determine a risk factor for scanning the electronic document;
assigning a scanning priority to the electronic document based at least in part on the risk factor, said scanning priorities including low scanning priority, normal scanning priority, and discard without scanning;
selecting a scanning thread, from plural scanning threads having associated thread execution priorities, having an execution priority at least as high as said assigned scanning priority;
assigning performance of scanning the electronic document to said selected scanning thread;
scanning the electronic document according to the scanning priority.
Dependent claims: 2 through 24.
25. An apparatus comprising:
means for receiving an electronic document;
means for determining the electronic document is an archive file;
means for applying risk-assessment heuristics to the electronic document to determine a risk factor for scanning the electronic document;
means for assigning a scanning priority to the electronic document based at least in part on the risk factor, said scanning priorities including low scanning priority, normal scanning priority, and discard without scanning;
means for selecting a scanning thread, from plural scanning threads having associated thread execution priorities, having an execution priority at least as high as said assigned scanning priority;
means for assigning performance of scanning the electronic document to said selected scanning thread; and
means for scanning the electronic document according to the scanning priority.
Dependent claims: 26 through 28.
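The triage described in the abstract and recited in claim 1 (risk heuristics on the archive, a normal/low/discard priority, and hand-off to a thread whose execution priority is at least as high), as an added Python example that is not the patent's own code. The heuristics, thresholds, worker names and the ArchiveInfo fields are assumptions; the page only says "various heuristics" are applied.

```python
from dataclasses import dataclass
from queue import Queue

# Scanning priorities from claim 1; a smaller value means "scan sooner".
NORMAL, LOW, DISCARD = 0, 1, 2
# Scanning threads and their execution priorities (assumed setup, not the
# patent's): "normal" runs immediately, "idle" only when the host is idle.
WORKER_PRIORITY = {"normal": NORMAL, "idle": LOW}
WORK_QUEUES = {name: Queue() for name in WORKER_PRIORITY}

@dataclass
class ArchiveInfo:
    """Archive directory metadata, read before decompressing anything
    (constructed fields for this example)."""
    name: str
    entries: int          # members listed in the archive directory
    nesting_depth: int    # archives nested inside archives
    compressed_size: int  # bytes on disk
    declared_size: int    # sum of uncompressed sizes the headers claim

def risk_factor(a: ArchiveInfo) -> int:
    """Assumed heuristics (the page only says 'various heuristics'): each
    decompression-bomb trait adds to the score."""
    score = 0
    if a.declared_size / max(a.compressed_size, 1) > 100:
        score += 2  # extreme expansion ratio
    if a.nesting_depth > 3:
        score += 2  # deeply nested archives
    if a.entries > 10_000:
        score += 1  # very many members to walk
    return score

def assign_priority(score: int) -> int:
    """Map the risk factor onto normal / low / discard-without-scanning."""
    return DISCARD if score >= 4 else LOW if score >= 1 else NORMAL

def select_worker(priority: int) -> str:
    """Choose a thread whose execution priority is at least as high as the
    assigned priority; take the least urgent one that qualifies."""
    eligible = [w for w, p in WORKER_PRIORITY.items() if p <= priority]
    return max(eligible, key=lambda w: WORKER_PRIORITY[w])

def triage(a: ArchiveInfo) -> tuple:
    """Return (priority, worker); discarded archives are never enqueued."""
    priority = assign_priority(risk_factor(a))
    if priority == DISCARD:
        return priority, None  # dropped before any decompression work
    worker = select_worker(priority)
    WORK_QUEUES[worker].put(a)
    return priority, worker
```

Because the risk factor is computed from directory metadata alone, a discarded archive costs the scanner no decompression time at all, which is the point of the discard-without-scanning priority.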
Specification