Priority-based virus scanning with priorities based at least in part on heuristic prediction of scanning risk

US 6,851,058 B1
Filed: 07/26/2000
Issued: 02/01/2005
Est. Priority Date: 07/26/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for scanning data comprising:

receiving an electronic document;

determining the electronic document is an archive file;

applying risk-assessment heuristics to the electronic document to determine a risk factor for scanning the electronic document;

assigning a scanning priority to the electronic document based at least in part on the risk factor, said scanning priorities including low scanning priority, normal scanning priority, and discard without scanning;

selecting a scanning thread, from plural scanning threads having associated thread execution priorities, having an execution priority at least as high as said assigned scanning priority;

assigning performance of scanning the electronic document to said selected scanning thread;

scanning the electronic document according to the scanning priority.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Anti-virus scanners can be deliberately disabled, inadvertently disabled, or simply slowed down to a point where the scanner becomes ineffective and the primary function of the scanning host device is disrupted when a suitably complex file is received by the scanning system for scanning. Archive files pose particular problems for scanners, since archives may contain very complex data structures, and require time consuming analysis. Virus scanners typically scan each element of an archive. Some virus scanners decompress each archive component for scanning. Virus developers have taken advantage of this scanning approach by creating complex archives designed to overwhelm a scanner, leaving a system unprotected or in a denial of service state. To counter such measures, when an archive (or other file) is passed to a scanner, various heuristics are applied to the archive so as to determine a risk-based scanning priority for the archive. Priorities can include normal priority, low priority for archives having suspicious characteristics, and discard without scanning for archives appearing to be constructed so as to overwhelm a scanner. Normal priority scans can occur immediately, while low priority scans can be relegated to only occurring while the scanning system is otherwise idle.

55 Citations

View as Search Results

28 Claims

1. A method for scanning data comprising:
- receiving an electronic document;
  
  determining the electronic document is an archive file;
  
  applying risk-assessment heuristics to the electronic document to determine a risk factor for scanning the electronic document;
  
  assigning a scanning priority to the electronic document based at least in part on the risk factor, said scanning priorities including low scanning priority, normal scanning priority, and discard without scanning;
  
  selecting a scanning thread, from plural scanning threads having associated thread execution priorities, having an execution priority at least as high as said assigned scanning priority;
  
  assigning performance of scanning the electronic document to said selected scanning thread;
  
  scanning the electronic document according to the scanning priority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, further comprising:
    - receiving an E-mail having the electronic document as an attachment;
      
      inspecting, as part of said scanning the electronic document, message text in the E-mail for viruses.
  - 3. The method of claim 1, further comprising:
    - disposing the method within a multi-processor computing device;
      
      designating a first processor to process at least low scanning priority threads; and
      
      assigning said selected scanning thread to the first processor.
  - 4. The method of claim 1, wherein risk-assessment comprises:
    - determining if the electronic document is an archive containing files; and
      
      if so, then selecting for execution at least one of determining if the archive contains a sub-archive, determining if an aggregate de-archived size for said files exceeds a first threshold, determining if a file count of said files exceeds a second threshold, and determining if a file-type count of said files exceeds a third threshold.
  - 5. The method of claim 4, wherein the first threshold is 10 megabytes, the second threshold is 50 files, and the third threshold is 10 file types.
  - 6. The method of claim 1, further comprising:
    - determining if electronic document is an archive containing files;
      
      if so, then determining if an aggregate de-archived size for said files exceeds a first threshold;
      
      if so, then determining if the aggregate de-archived size exceeds a disk space threshold; and
      
      if so, then setting the scanning priority of the electronic document to low scanning priority.
  - 7. The method of claim 1, further comprising:
    - determining if electronic document is an archive containing files;
      
      if so, then determining if an aggregate de-archived size for said files exceeds a first threshold;
      
      if so, then determining if a volatile memory requirement for scanning the archive exceeds a memory requirement threshold; and
      
      if so, then setting the scanning priority of the electronic document to low scanning priority.
  - 8. The method of claim 1, further comprising:
    - first determining if the electronic document is an archive containing files;
      
      second determining if at least one file of the archive is a sub-archive;
      
      third determining if an aggregate de-archived size for the archive exceeds a disk space threshold;
      
      fourth determining if a file count for the archive of said files exceeds a file count threshold; and
      
      if each of said first, second, third and fourth determining evaluate true, then setting the scanning priority of the electronic document to discard without scanning.
  - 9. The method of claim 1, in which the electronic document either is an archive, or contains the archive, the method further comprising:
    - determining the archive contains at least one sub-archive therein;
      
      determining if the archive contains a large number of files; and
      
      determining if an un-archived size for the archive exceeds a predetermined size limit; and
      
      assigning the scanning priority to be discard without scanning if the archive contains a large number of files, and the un-archived size for the archive exceeds the predetermined size limit.
  - 10. The method of claim 9, wherein if the un-archived size for the archive does not exceed the predetermined size limit, or the archive does not contain the large number of files, the method further comprising:
    - assigning the scanning priority to be low scanning priority.
  - 11. The method of claim 1, in which the electronic document either is an archive, or contains the archive, the method further comprising:
    - determining if an un-archived size for the archive exceeds a size limit;
      
      determining if a memory requirement for performing said scanning the electronic document exceeds a memory limit; and
      
      assigning the scanning priority to be discard without scanning if the un-archived size for the archive exceeds the size limit, and the memory requirement for performing said scanning the electronic document exceeds the memory limit.
  - 12. The method of claim 11, wherein if the memory requirement for performing said scanning the electronic document does not exceed the memory limit, the method further comprising:
    - assigning the scanning priority to be low scanning priority.
  - 13. An article of manufacture comprising a readable medium having programming instructions encoded thereon, which when executed by a processor, are capable of directing the processor to perform the operations of claim 1.
  - 14. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 3.
  - 15. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 8.
  - 16. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 9.
  - 17. The medium of claim 16, said programming instructions including further instructions to direct the processor to perform the operations of claim 10.
  - 18. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 11.
  - 19. The medium of claim 18, said programming instructions including further instructions to direct the processor to perform the operations of claim 12.
  - 20. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 4.
  - 21. The medium of claim 20, said programming instructions including further instructions to direct the processor to perform the operations of claim 5.
  - 22. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 2.
  - 23. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 6.
  - 24. The medium of claim 13, said programming instructions including further instructions to direct the processor to perform the operations of claim 7.

25. An apparatus comprising:
- means for receiving an electronic document;
  
  means for determining the electronic document is an archive file;
  
  means for applying risk-assessment heuristics to the electronic document to determine a risk factor for scanning the electronic document;
  
  means for assigning a scanning priority to the electronic document based at least in part on the risk factor, said scanning priorities including low scanning priority, normal scanning priority, and discard without scanning;
  
  means for selecting a scanning thread, from plural scanning threads having associated thread execution priorities, having an execution priority at least as high as said assigned scanning priority;
  
  means for assigning performance of scanning the electronic document to said selected scanning thread; and
  
  means for scanning the electronic document according to the scanning priority.
- View Dependent Claims (26, 27, 28)
- - 26. The apparatus of claim 25 further comprising:
    - means for designating a first processor to process at least low scanning priority threads within a multi-processor computing device; and
      
      means for assigning said selected scanning thread to the first processor.
  - 27. The apparatus of claim 25, wherein risk-assessment comprises:
    - means for determining if the electronic document is an archive containing files; and
      
      if so, selecting for operation at least one of means for determining if the archive contains a sub-archive, means for determining if an aggregate de-archived size for said files exceeds a first threshold, means for determining if a file count of said files exceeds a second threshold, and means for determining if a file-type count of said files exceeds a third threshold.
  - 28. The apparatus of claim 25, wherein the electronic document either is an archive, or contains the archive, and further comprising:
    - means for determining the archive contains at least one sub-archive therein;
      
      means for determining if the archive contains a large number of files;
      
      means for determining if an un-archived size for the archive exceeds a predetermined size limit; and
      
      means for assigning the scanning priority to be discard without scanning if the archive contains a large number of files, and the un-archived size for the archive exceeds the predetermined size limit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Gartside, Paul
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/625,534
Time in Patent Office

1,651 Days
Field of Search

713/200, 713/201
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/577 Assessing vulnerabilities a...

Priority-based virus scanning with priorities based at least in part on heuristic prediction of scanning risk

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Priority-based virus scanning with priorities based at least in part on heuristic prediction of scanning risk

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links