Antivirus scanning in a hard-linked environment

US 7,260,847 B2
Filed: 10/24/2002
Issued: 08/21/2007
Est. Priority Date: 10/24/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious computer code in a file associated with a computer, said method comprising the steps of:

determining whether there is more than one hard link to the file; and

when there is more than one hard link;

ascertaining the identities of all the hard links; and

performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links to detect malicious computer code.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methods, apparati, and computer-readable media for detecting malicious computer code in a file (2) associated with a computer (10). A method of the present invention comprises the steps of determining whether there is more than one hard link (1) to the file (2); and when there is more than one hard link (1), ascertaining the identities of all the hard links (1), and performing an antivirus scan on the file (2) based upon the hard link(s) (1) having the most restrictive scanning criteria of all the hard links (1), or upon the union of scanning criteria amongst all the hard links (1).

96 Citations

View as Search Results

36 Claims

1. A computer-implemented method for detecting malicious computer code in a file associated with a computer, said method comprising the steps of:
- determining whether there is more than one hard link to the file; and
  
  when there is more than one hard link;
  
  ascertaining the identities of all the hard links; and
  
  performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links to detect malicious computer code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein each hard link comprises a file name.
  - 3. The method of claim 1 wherein each hard link comprises a full path name including a file name.
  - 4. The method of claim 1 wherein the scanning criteria are based upon a file name in combination with other information.
  - 5. The method of claim 4 wherein said other information comprises information contained in a header of the file.
  - 6. The method of claim 1 wherein the ascertaining comprises accessing a backpointer table associated with the file.
  - 7. The method of claim 6 wherein the backpointer table comprises full path names for all hard links to the file.
  - 8. The method of claim 6 wherein the backpointer table is stored as an alternate data stream associated with the file.
  - 9. The method of claim 6 wherein the backpointer table has been constructed by a backpointer table construction module.
  - 10. The method of claim 6 wherein the backpointer table is updated every time a file is subjected to an operation from the group of operations comprising addition of a file, deletion of a file, and renaming of a file.
  - 11. The method of claim 6 wherein a search module associated with the computer is modified to access the backpointer table.
  - 12. The method of claim 6 wherein the backpointer table is created when the computer is initialized.
  - 13. The method of claim 6 wherein the backpointer table is re-initialized when there is reason to believe that the backpointer table may have become inconsistent.
  - 14. The method of claim 6 further comprising the step of:
    - performing an integrity check on the backpointer table.
  - 15. The method of claim 14 wherein the step of performing the integrity check comprises the substeps of:
    - for each file on the computer, determining whether a first value stored within the file representative of a number of hard links associated with the file is equal to a second value representative of the number of entries in the backpointer table associated with the file; and
      
      when the first value is unequal to the second value, updating the backpointer table.
  - 16. The method of claim 1 wherein the determining step is performed every time the file is opened.
  - 17. The method of claim 1 wherein the ascertaining is performed by a file system filter driver that is always running on the computer.

18. A computer-readable medium containing computer program instructions for detecting malicious computer code in a file associated with a computer, comprising:
- a backpointer table construction module coupled to the file, said module adapted to construct a backpointer table for the file when the file has more than one hard link;
  
  an antivirus scanner coupled to the file and adapted to scan the file for the presence of malicious computer code; and
  
  a file system filter driver coupled to the file and to the antivirus scanner, said driver instructing the antivirus scanner to examine the backpointer table when the file has more than one hard link.

19. A computer-readable medium containing computer program instructions for detecting malicious computer code in a file associated with a computer, said instructions performing the steps of:
- determining whether there is more than one hard link to the file; and
  
  when there is more than one hard link;
  
  ascertaining the identities of all the hard links; and
  
  performing an antivirus scan on the file based upon the hard link(s) having the most restrictive scanning criteria of all the hard links to detect malicious computer code.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 20. The computer-readable medium of claim 19 wherein each hard link comprises a file name.
  - 21. The computer-readable medium of claim 19 wherein each hard link comprises a fUll path name including a file name.
  - 22. The computer-readable medium of claim 19 wherein the scanning criteria are based upon a file name in combination with other information.
  - 23. The computer-readable medium of claim 22 wherein said other information comprises information contained in a header of the file.
  - 24. The computer-readable medium of claim 19 wherein the ascertaining comprises accessing a backpointer table associated with the file.
  - 25. The computer-readable medium of claim 24 wherein the backpointer table comprises full path names for all hard links to the file.
  - 26. The computer-readable medium of claim 24 wherein the backpointer table is stored as an alternate data stream associated with the file.
  - 27. The computer-readable medium of claim 24 wherein the backpointer table has been constructed by a backpointer table construction module.
  - 28. The computer-readable medium of claim 24 wherein the backpointer table is updated every time a file is subjected to an operation from the group of operations comprising addition of a file, deletion of a file, and renaming of a file.
  - 29. The computer-readable medium of claim 24 wherein a search module associated with the computer is modified to access the backpointer table.
  - 30. The computer-readable medium of claim 24 wherein the backpointer table is created when the computer is initialized.
  - 31. The computer-readable medium of claim 24 wherein said instructions further comprise the step of:
    - performing an integrity check on the backpointer table.
  - 32. The computer-readable medium of claim 31 wherein the step of performing the integrity check comprises the substeps of:
    - for each file on the computer, determining whether a first value stored within the file representative of a number of hard links associated with the file is equal to a second value representative of the number of entries in the backpointer table associated with the file; and
      
      when the first value is unequal to the second value, updating the backpointer table.
  - 33. The computer-readable medium of claim 19 wherein the determining step is performed every time the file is opened.
  - 34. The computer-readable medium of claim 19 wherein the ascertaining is performed by a file system filter driver that is always running on the computer.

35. A computer-implemented method for detecting malicious computer code in a computer, the method comprising:
- identifying a file on a storage device associated with the computer, the file having a plurality of hard links, each hard link associated with a file name;
  
  determining a plurality of file names associated with the plurality of hard links;
  
  ascertaining a set of scanning criteria responsive at least in part to the plurality of file names, where ascertaining the set of scanning criteria comprises;
  
  ascertaining scanning criteria for each of the plurality of file names, andforming the set of scanning criteria from the most restrictive scanning criteria of the scanning criteria for each of the plurality of file names; and
  
  scanning the file responsive to the set of scanning criteria to detect the presence of malicious computer code in the file.
- View Dependent Claims (36)
- - 36. The method of claim 35, wherein a file name of the plurality of file names comprises a file name extension, and wherein ascertaining scanning criteria for each of the plurality of file names ascertains the criteria responsive to the file name extension.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
McCorkendale, Bruce, Sobel, William
Primary Examiner(s)
Jung; David Y
Assistant Examiner(s)
Powers; William S.

Application Number

US10/280,663
Publication Number

US 20040083381A1
Time in Patent Office

1,762 Days
Field of Search

726/1, 726/24, 707200- 2, 713/188, 713165-167
US Class Current

726/24
CPC Class Codes

G06F 21/562 Static detection

Antivirus scanning in a hard-linked environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Antivirus scanning in a hard-linked environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links