Filter driver for identifying disk files by analysis of content

US 7,024,403 B2
Filed: 04/29/2002
Issued: 04/04/2006
Est. Priority Date: 04/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method to limit files that can be saved to a system, comprising:

intercepting an operation to save a file to the system;

comparing a signature of the file to a list of signature criteria, executing a storage policy if there is a match; and

if there is no match, saving the file to the system;

wherein comparing the signature of the file to the list of signature criteria includes;

performing a content scan of the file;

wherein said performing includes;

setting a named event;

writing a file identifier of the file to a circular queue; and

completing the intercepted operation to save the file to the system, the circular queue being read to memory by a system thread; and

processing the file using a signature processing user mode service, wherein said processing includes;

using the file identifier to open the file;

scanning the file to create the file signature; and

comparing the file signature to each entry on the list of signature criteria.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for excluding certain types of files from being saved to a system by examining file data. The file data is examined by: mapping the circular queue to memory; reading the file identifiers from the circular queue (a named mutex is locked until all file identifiers have been read from the queue); using the file identifier to open the file; scanning the opened file to create a file signature; comparing the file signature to each entry on a list of signature criteria; and performing a storage policy if there is a match.

Citations

8 Claims

1. A method to limit files that can be saved to a system, comprising:
- intercepting an operation to save a file to the system;
  
  comparing a signature of the file to a list of signature criteria, executing a storage policy if there is a match; and
  
  if there is no match, saving the file to the system;
  
  wherein comparing the signature of the file to the list of signature criteria includes;
  
  performing a content scan of the file;
  
  wherein said performing includes;
  
  setting a named event;
  
  writing a file identifier of the file to a circular queue; and
  
  completing the intercepted operation to save the file to the system, the circular queue being read to memory by a system thread; and
  
  processing the file using a signature processing user mode service, wherein said processing includes;
  
  using the file identifier to open the file;
  
  scanning the file to create the file signature; and
  
  comparing the file signature to each entry on the list of signature criteria.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the writing of the file identifier to the circular queue and the reading of the circular queue is synchronized by the named event and a named mutex, the signature processing user mode service waiting on the named event and locking the named mutex for reading from the queue until the queue is empty.
  - 3. The method of claim 1, wherein the writing of the file identifier to the circular queue is done in an input/output completion routine that sets a bit indicating a write has occurred.
  - 4. The method of claim 1, wherein the storage policy is any policy a user has set that controls which files should be saved to the system, and which files should not be saved to the system.
  - 5. The method of claim 1, wherein the storage policy comprises at least one of the group consisting of:
    - deleting the file;
      
      quarantining the file;
      
      notifying a system administrator; and
      
      notifying a user that the file is not allowed to be saved.
  - 6. The method of claim 1, wherein network administrators have an ability to implement the storage policy based on file signatures.

7. A system to limit files that can be saved to a system, comprising:
- an input/output filter driver;
  
  a signature processing user mode service;
  
  a signature database;
  
  a policy database; and
  
  a circular queue for holding a list of file identifiers;
  
  wherein the input/output filter driver intercepts an attempt to save a file to the system;
  
  wherein the signature processing user mode service compares a signature of the file to a list of signature criteria from the signature database, executing a storage policy from the policy database if there is a match, and if there is no match, saving the file to the system;
  
  wherein comparing the signature of the file to the list of signature criteria includes;
  
  performing a content scan of the file, wherein said performing includes;
  
  writing a file identifier of the file to the circular queue;
  
  setting a named event; and
  
  completing the intercepted attempt to save the file to the system, the circular queue being mapped to memory by a system thread; and
  
  processing the file using the signature processing user mode service, wherein said processing includes;
  
  using the file identifier to open the file;
  
  scanning the file to create a file signature; and
  
  comparing the file signature to each entry on the list of signature criteria.
- View Dependent Claims (8)
- - 8. The system of claim 7, further comprising:
    - user applications for generating write file commands intercepted by the input/output filter driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Veritas Operating Corporation (Gen Digital Inc.)
Inventors
Kyler, Daniel B.
Primary Examiner(s)
Rones, Charles
Assistant Examiner(s)
Betit, Jacob F.

Application Number

US10/133,370
Publication Number

US 20020174102A1
Time in Patent Office

1,436 Days
Field of Search

707/104, 707/100, 707/101, 707/103, 707/10, 707/104.1, 709/224, 709/200
US Class Current

1/1
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/564   by virus signature recognition

G06F 21/6281   at program execution time, ...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 9/52   Program synchronisation; Mu...

H04L 63/123   received data contents, e.g...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99945   Object-oriented database st...

Filter driver for identifying disk files by analysis of content

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Filter driver for identifying disk files by analysis of content

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links