File protection service for a computer system

US 6,971,018 B1
Filed: 04/28/2000
Issued: 11/29/2005
Est. Priority Date: 04/28/2000
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system, a method comprising:

receiving information indicative of a possible change to a protected file; and

determining whether the possible change is valid by verifying the file, the verifying performed by a verification mechanism, and if not valid, preventing the possible change from being implemented including discarding the information indicative of the possible change and returning a success to a component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system that protects selected system and other files, by preventing changes to those files. In an asynchronous alternative, the change is prevented by copying back the original file when a protected file is changed, as known via an asynchronous notification. In an alternative synchronous embodiment, the change to the file is prevented from occurring. In the asynchronous notification alternative, a directory change notification notifies a file protection service whenever a file that has possibly changed is closed, providing the file identity as part of the notification. The file protection service determines from the file identify whether the file has been deemed protected. If protected, the file protection service prevents any actual change by verifying whether the protected file changed, such as by analyzing the file'"'"'s contents against known valid contents. If not valid, the file protection service restores a saved copy that is itself verified.

204 Citations

39 Claims

1. In a computer system, a method comprising:
- receiving information indicative of a possible change to a protected file; and
  
  determining whether the possible change is valid by verifying the file, the verifying performed by a verification mechanism, and if not valid, preventing the possible change from being implemented including discarding the information indicative of the possible change and returning a success to a component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein receiving information indicative of a possible change includes receiving notification indicative of a change to a protected file.
  - 3. The method of claim 1 wherein receiving information indicative of a possible change includes receiving notification of a change to a file, and accessing information to determine whether the file is protected.
  - 4. The method of claim 1 wherein preventing the change includes overwriting a changed copy of the file with a valid copy of the protected file.
  - 5. The method of claim 1 wherein determining whether the possible change is valid by verifying the file includes obtaining cryptographic hash information of the changed file and comparing the cryptographic hash information against cryptographic hash information associated with the protected file.
  - 6. The method of claim 5 wherein comparing the cryptographic hash information includes accessing a catalog of information for protected files.
  - 7. The method of claim 1 wherein determining whether the possible change is valid includes determining whether the file includes a signature.
  - 8. The method of claim 1 further comprising, monitoring files in a file system.
  - 9. The method of claim 1 wherein preventing the possible change includes copying a valid copy of the protected file to a former location of the protected file.
  - 10. The method of claim 9 wherein copying a valid copy of the protected file includes finding a file having the same identity as the protected file.
  - 11. The method of claim 10 wherein finding the file having the same identity as the protected file includes accessing a cache.
  - 12. The method of claim 11 further comprising verifying the file having the same identity.
  - 13. The method of claim 10 wherein finding the file having the same identity as the protected file includes accessing a network.
  - 14. The method of claim 13 further comprising verifying the file having the same identity.
  - 15. The method of claim 14 wherein finding the file having the same identity as the protected file includes accessing a recorded medium.
  - 16. The method of claim 15 further comprising verifying the file having the same identity.
  - 17. The method of claim 1 further comprising receiving information indicating that a protected file is about to be changed, preserving a copy of the protected file, and wherein preventing the possible change includes overwriting a changed copy of the file with a copy of the protected file that was preserved.

18. A computer-readable medium having computer-executable instructions, comprising:
- (1) selecting a plurality of files as protected files;
  
  (2) receiving information indicative of a possible change to a protected file;
  
  (3) determining whether the file is an exception case, and(a) if an exception case, allowing the change, or(b) if not an exception case, determining whether the possible change is valid by verifying the file, the verifying performed by a verification mechanism, and(i) if valid, allowing the possible change to be implemented; and
  
  (ii) if not valid, preventing the possible change from being implemented; and
  
  (4) returning information indicative of a success.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The computer-readable medium of claim 18 wherein receiving information indicative of a possible change includes receiving notification indicative of a change to a protected file.
  - 20. The computer-readable medium of claim 18 wherein receiving information indicative of a possible change includes receiving notification of a change to a file, and accessing information to determine whether the file is protected.
  - 21. The computer-readable medium of claim 18 wherein preventing the possible change includes overwriting a changed copy of the file with a valid copy of the protected file.
  - 22. The computer-readable medium of claim 18 wherein preventing the possible change includes discarding change data.
  - 23. The computer-readable medium of claim 18 wherein allowing the possible change includes writing data saved via a copy-on-write process to the file.
  - 24. The computer-readable medium of claim 18 wherein determining whether the file is an exception case includes checking a security descriptor of the file.
  - 25. The computer-readable medium of claim 18 further comprising providing a prompt before allowing a possible change.
  - 26. The computer-readable medium of claim 18 wherein determining whether the possible change is valid includes obtaining cryptographic hash information of the changed file, and comparing the cryptographic hash information against cryptographic hash information associated with the protected file.
  - 27. The computer-readable medium of claim 18 wherein determining whether the possible change is valid includes determining whether the file includes a signature.

28. A computer system, comprising,a protected file,a detection mechanism configured to determine when the protected file may be changed by a possible change,a verification mechanism;
- anda file protection service, the file protection service configured to receive a determination from the detection mechanism that the protected file may be changed, and further configured to communicate with the verification mechanism to verify whether the possible change is valid, and to prevent the possible change from being implemented by discarding the possible change when the possible change is not valid.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The computer system of claim 28 wherein the detection mechanism includes a mechanism for monitoring at least one directory for changes to at least one file therein.
  - 30. The computer system of claim 28 wherein the detection mechanism provides a notification to the file protection service as the determination mechanism that the protected file may be changed.
  - 31. The computer system of claim 28 wherein the file protection service accesses a data structure to determine whether the notification received from the detection mechanism corresponds to a protected file.
  - 32. The computer system of claim 28 wherein the file protection service is incorporated into a file system.
  - 33. The computer system of claim 28 wherein the file protection service returns information indicative of a success.
  - 34. The computer system of claim 28 wherein the verification mechanism verifies whether the possible change to a file is valid by comparing a cryptographic hash of the file contents against a cryptographic hash associated with a valid file.
  - 35. The computer system of claim 34 wherein the cryptographic hash associated with a valid file is maintained in a data structure including a cryptographic hash of the contents of at least one other protected file.

36. A computer system, comprising,a protected file,a detection mechanism configured to determine when the protected file may be changed by a possible change;
- a verification mechanism; and
  
  a file protection service, the file protection service configured to receive a determination from the detection mechanism that the protected file may be changed, and further configured to communicate with the verification mechanism to verify whether the possible change is valid, and to prevent the possible change from being implemented by locating valid data in a system cache and copying the valid data over changed data when the possible change is not valid.
- View Dependent Claims (37)
- - 37. The computer system of claim 36 further comprising a scanning mechanism for causing a plurality of files to trigger the detection mechanism.

38. A computer system, comprising,a protected file,a detection mechanism configured to determine when the protected file may be changed by a possible change;
- a verification mechanism; and
  
  a file protection service, the file protection service configured to receive a determination from the detection mechanism that the protected file may be changed, and further configured to communicate with the verification mechanism to verify whether the possible change is valid, and to prevent the possible change from being implemented by locating valid data at a network share and copying the valid data over changed data when the possible change is not valid.

39. A computer system, comprising,a protected file,a detection mechanism configured to determine when the protected file may be changed by a possible change;
- a verification mechanism; and
  
  a file protection service, the file protection service configured to receive a determination from the detection mechanism that the protected file may be changed, and further configured to communicate with the verification mechanism to verify whether the possible change is valid, and to prevent the possible change from being implemented by locating valid data in a recorded medium and copying the valid data over changed data when the possible change is not valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Witt, Wesley A., Zbikowski, Mark J., McMichael, Lonny D.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US09/560,788
Time in Patent Office

2,041 Days
Field of Search

713/165, 713/194, 713/150, 713/164, 713/168, 713/176, 713/181, 713/189, 713/193, 713200-202, 713/187, 380/201, 707200-204, 707/1, 707/9, 707/100, 717168-173, 705/50, 705/75, 705/80, 705 64- 69, 705/51, 705/57, 705/58
US Class Current

713/187
CPC Class Codes

G06F 21/52   during program execution, e...

Y10S 707/99953   Recoverability

Y10S 707/99954   Version management

File protection service for a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

204 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

File protection service for a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

204 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links