Method and apparatus for minimizing file scanning by anti-virus programs

US 6,928,555 B1
Filed: 09/18/2000
Issued: 08/09/2005
Est. Priority Date: 09/18/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for optimizing the operation of an anti-virus computer program for use with an operating system, comprising the steps of:

detecting a request for closure of an opened computer file;

determining in response to and after a closure request, but before file closure, if the opened computer file has been modified since being opened;

scanning said opened file for viruses before closure only if said opened file has been modified; and

closing said file if unmodified, and closing said file after scanning for viruses if found virus free.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Scanning time for a computer anti-virus program is minimized by eliminating scanning of a file for viruses before closure, in response to the absence of a modification flag being raised in an associated operating system, the flag being indicative of the file having been modified between the time the file was opened to the time of a close request.

73 Citations

View as Search Results

15 Claims

1. A method for optimizing the operation of an anti-virus computer program for use with an operating system, comprising the steps of:
- detecting a request for closure of an opened computer file;
  
  determining in response to and after a closure request, but before file closure, if the opened computer file has been modified since being opened;
  
  scanning said opened file for viruses before closure only if said opened file has been modified; and
  
  closing said file if unmodified, and closing said file after scanning for viruses if found virus free.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further including before said detecting step, the steps of:
    - determining whether said operating system includes a “
      
      dirty cache buffer”
      
      to raise or set a modification flag relative to a file being modified during the time it has been open, a computer code being indicative of said flag; and
      
      using the computer code for a raised or set modification flag, if available, for carrying out said modification determining step by checking for the presence of a raised modification for said file.
  - 3. The method of claim 2, wherein if it is determined that said operating system does not provide a file modification flag, said method further includes the steps of:
    - establishing a “
      
      dirty cache buffer”
      
      ; and
      
      raising a modification flag in said “
      
      dirty cache buffer”
      
      if an opened file associated with said flag has been modified by a write operation.
  - 4. The method of claim 1, wherein said operating system includes a “
    - dirty cache buffer”
      
      for providing a computer code for a modification flag indicative of the modification of an open file, said method further including in said modification determining step, the step of;
      
      detecting the presence of said modification flag to determine if the associated opened file has been modified.
  - 5. The method of claim 4, further including the steps of:
    - scanning a file for viruses in response to a request for opening the file;
      
      opening said file if virus free;
      
      establishing a cache buffer memory for storing upon opening of a file only a virus vulnerable portion of that file that a virus must use to enter and infect said file;
      
      said modification determining step including the steps of;
      
      indicating an open file is unmodified in the absence of an associated modification flag;
      
      responding to the presence of a modification flag by comparing a portion of said open file to the associated unmodified virus vulnerable portion of said file in said cache buffer memory to determine if the portion of the open file has been modified since the opening of the file;
      
      indicating the opened file is unmodified if the virus vulnerable portion is unmodified; and
      
      indicating the opened file is modified if the virus vulnerable portion is modified.
  - 6. The method of claim 1, wherein said step of determining in response to a closing request if the opened computer file has been modified since being opened includes the step of:
    - monitoring network protocols to determining if a write packet was initiated for a given open file.

7. A method for optimizing operation of an anti-virus program in an operating system, said operating system including programming for raising a flag indicative of modification of an open file during the time the file has been open, said method including the steps of:
- detecting the event of a request for closing said file being made to said operating system;
  
  after said detecting, but before file closure, determining whether said modification flag has been raised by said operating system for said open file;
  
  scanning said open file, in response to said modification flag, for viruses before permitting said operating system to close said file; and
  
  skipping said step of scanning for viruses before closure of said open file, whenever said modification flag is not present.

8. A method for optimizing the operation of an anti-virus program in use in an operating system, said operating system including programming for raising a flag indicative of modification of an open file during the time the file has been open, said method including the steps of:
- scanning a file for viruses in response to a request from an associated computer user to open and gain access to said file;
  
  permitting said file to be opened if virus free;
  
  storing upon opening a virus vulnerable unmodified portion of said open file;
  
  detecting the event of a request for closing said open file being made to said operating system;
  
  after said detecting, but before file closure, determining whether said modification flag has been raised by said operating system for said open file;
  
  scanning said open file, in response to said modification flag, for viruses before permitting said operating system to close said file;
  
  skipping said step of scanning for viruses before closure of said open file, whenever said modification flag is not present;
  
  responding to the presence of a modification flag by comparing the stored unmodified virus vulnerable portion of said file to the associated portion of said open file to determine if that portion has been modified during the time the file has been open; and
  
  skipping said step of scanning for viruses before closure of said open file if the virus vulnerable portion of said open file is unmodified.

9. A computer program product embodied on a computer readable medium for detecting computer viruses on a file server, the file server providing file storage and retrieval services for at least one client computer over a network, said computer program product comprising:
- computer code for detecting an open request from a client computer, the open request asking for a requested file from the file server;
  
  computer code for scanning said requested file for computer viruses, whereby the file server is permitted to provide said requested file to the client computer if no computer viruses are found therein;
  
  computer code for detecting a close request from the client computer associated with said requested file;
  
  computer code for, after said detecting, but before file closure, accessing operating system flag that indicates whether the requested file was changed prior to said close request;
  
  computer code for scanning said requested file for computer viruses if said requested file was changed prior to said close request; and
  
  computer code for skipping scanning said requested file if it was not changed prior to said close request.
- View Dependent Claims (10, 11)
- - 10. The computer program product of claim 9, wherein said operating system flag is generated externally to said computer program product by the operating system in order to reduce redundant disk writes, whereby said computer code for scanning is invoked upon closing of the requested file only when actual disk writes are made by the operating system for the requested file.
  - 11. The computer program product of claim 10, wherein said computer code for accessing uses a file handle generated by the operating system to identify the operating system flag corresponding to the requested file, said handle having been generated when the file was opened.

12. A computer program product embodied on a computer readable medium for detecting computer viruses on a file server, the file server providing file storage and retrieval services for at least one client computer over a network, said computer program product comprising:
- computer code for detecting an open request from a client computer, the open request asking for a requested file from the file server;
  
  computer code for scanning said requested file for computer viruses, whereby the file server is permitted to provide said requested file to the client computer if no computer viruses are found therein;
  
  computer code for detecting a close request from the client computer associated with said requested file;
  
  computer code for, after said detecting, but before file closure, accessing an operating system flag that indicates whether the requested file was changed prior to said close request;
  
  computer code for skipping scanning said requested file if it was not changed prior to said close request;
  
  computer code responsive to said requested file having been changed prior to said close request for determining whether a virus vulnerable portion of said file was changed;
  
  computer code for skipping scanning said requested file if a virus vulnerable portion of said file was not changed prior to said close request; and
  
  computer code for scanning said requested file if a virus vulnerable portion of said file was changed prior to said close request.
- View Dependent Claims (13, 14)
- - 13. The computer program product of claim 12, wherein said operating system flag is generated externally to said computer program product by the operating system in order to reduce redundant disk writes, whereby said computer code for scanning is invoked upon closing of the requested file only when actual disk writes are made by the operating system for the requested file.
  - 14. The computer program product of claim 13, wherein said computer code for accessing uses a file handle generated by the operating system to identify the operating system flag corresponding to the requested file, said handle having been generated when the file was opened.

15. A method for optimizing the operation of an anti-virus computer program for use with an operating system, comprising the steps of:
- detecting a request for closure of an opened computer file;
  
  determining in response to and after a closure request, but before file closure, if the opened computer file has been modified since being opened;
  
  scanning said opened file for viruses before closure only if said opened file has been modified; and
  
  closing said file if unmodified, and closing said file after scanning for viruses if found virus free;
  
  wherein said operating system includes a “
  
  dirty cache buffer”
  
  for providing a computer code for a modification flag indicative of the modification of an open file, said method further including in said modification determining step, the step of detecting the presence of said modification flag to determine if the associated opened file has been modified;
  
  wherein further included are the steps of;
  
  scanning a file for viruses in response to a request for opening the file,opening said file if virus free, andestablishing a cache buffer memory for storing upon opening of a file only a virus vulnerable portion of that file that a virus must use to enter and infect said file;
  
  wherein said modification determining step includes the steps of;
  
  indicating an open file is unmodified in the absence of an associated modification flag,responding to the presence of a modification flag by comparing a portion of said open file to the associated unmodified virus vulnerable portion of said file in said cache buffer memory to determine if the portion of the open file has been modified since the opening of the file,indicating the opened file is unmodified if the virus vulnerable portion is unmodified, andindicating the opened file is modified if the virus vulnerable portion is modified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Drew, Jeffrey M.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Colin, Carl G.

Application Number

US09/664,919
Time in Patent Office

1,786 Days
Field of Search

707/1, 713/200, 713/201, 711/163, 714/38, 395/183.15, 395/186, 395/575, 364/580
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 51/212 using filtering or selectiv...

Method and apparatus for minimizing file scanning by anti-virus programs

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for minimizing file scanning by anti-virus programs

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links