Method and apparatus for minimizing file scanning by anti-virus programs

US 7,441,274 B1
Filed: 03/30/2005
Issued: 10/21/2008
Est. Priority Date: 09/18/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method, comprising:

determining whether an operating system includes a “

dirty cache buffer”

to raise or set a modification flag relative to a file being modified during a time it has been open, a computer code being indicative of said flag;

using said computer code for a raised or set modification flag, if available, for carrying out said modification determining by checking for the presence of said raised modification flag for said file;

detecting a request for closure of said opened computer file;

determining in response to and after the closure request, if said opened computer file has been modified since being opened;

indicating that said opened computer file is unmodified if said opened computer file has not been modified, based on the determination; and

scanning said opened computer file only if said opened computer file has been modified, based on the determination.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Scanning time for a computer anti-virus program is minimized by eliminating scanning of a file for viruses before closure, in response to the absence of a modification flag being raised in an associated operating system, the flag being indicative of the file having been modified between the time the file was opened to the time of a close request.

39 Citations

View as Search Results

14 Claims

1. A method, comprising:
- determining whether an operating system includes a “
  
  dirty cache buffer”
  
  to raise or set a modification flag relative to a file being modified during a time it has been open, a computer code being indicative of said flag;
  
  using said computer code for a raised or set modification flag, if available, for carrying out said modification determining by checking for the presence of said raised modification flag for said file;
  
  detecting a request for closure of said opened computer file;
  
  determining in response to and after the closure request, if said opened computer file has been modified since being opened;
  
  indicating that said opened computer file is unmodified if said opened computer file has not been modified, based on the determination; and
  
  scanning said opened computer file only if said opened computer file has been modified, based on the determination.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein if it is determined that said operating system does not provide said file modification flag, said method further including:
    - establishing said “
      
      dirty cache buffer”
      
      ; and
      
      raising said modification flag in said “
      
      dirty cache buffer”
      
      if said opened computer file associated with said flag has been modified by a write operation.
  - 3. The method of claim 1, wherein said operating system includes said “
    - dirty cache buffer”
      
      for providing said computer code for said modification flag indicative of the modification of said opened computer file, said method further including in said modification determining;
      
      detecting the presence of said modification flag to determine if said associated opened computer file has been modified.
  - 4. The method of claim 3, further including:
    - scanning said file for viruses in response to a request for opening said file;
      
      opening said file if virus free;
      
      establishing a cache buffer memory for storing upon opening of said file only a virus vulnerable portion of said file that a virus must use to enter and infect said file;
      
      said modification determining including;
      
      indicating said opened computer file is unmodified in the absence of an associated modification flag;
      
      responding to the presence of said modification flag by comparing a portion of said opened computer file to the associated unmodified virus vulnerable portion of said file in said cache buffer memory to determine if the portion of aid opened computer file has been modified since the opening of said file;
      
      indicating said opened computer file is unmodified if the virus vulnerable portion is unmodified; and
      
      indicating said opened computer file is modified if the virus vulnerable portion is modified.
  - 5. The method of claim 1, wherein said determining in response to a closing request if said opened computer file has been modified since being opened includes:
    - monitoring network protocols to determine if a write packet was initiated for a given open file.

6. A computer program product embodied on a computer readable storage medium for carrying out a method, the method comprising:
- determining whether an operating system includes a “
  
  dirty cache buffer”
  
  to raise or set a modification flag relative to a file being modified during a time it has been open, a computer code being indicative of said flag;
  
  using said computer code for a raised or set modification flag, if available, for carrying out said modification determining by checking for the presence of said raised modification flag for said file;
  
  detecting a request for closure of said opened computer file;
  
  determining in response to and after the closure request, if said opened computer file has been modified since being opened;
  
  indicating that said opened computer file is unmodified if said opened computer file has not been modified, based on the determination; and
  
  scanning said opened computer file only if said opened computer file has been modified, based on the determination.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product of claim 6, wherein if it is determined that said operating system does not provide said file modification flag, said method further including:
    - establishing said “
      
      dirty cache buffer”
      
      ; and
      
      raising said modification flag in said “
      
      dirty cache buffer”
      
      if said opened computer file associated with said flag has been modified by a write operation.
  - 8. The computer program product of claim 6, wherein said operating system includes said “
    - dirty cache buffer”
      
      for providing said computer code for said modification flag indicative of the modification of said opened computer file, said method further including in said modification determining;
      
      detecting the presence of said modification flag to determine if said associated opened computer file has been modified.
  - 9. The computer program product of claim 8, further including:
    - scanning said file for viruses in response to a request for opening said file;
      
      opening said file if virus free;
      
      establishing a cache buffer memory for storing upon opening of said file only a virus vulnerable portion of said file that a virus must use to enter and infect said file;
      
      said modification determining including;
      
      indicating said opened computer file is unmodified in the absence of an associated modification flag;
      
      responding to the presence of said modification flag by comparing a portion of said opened computer file to the associated unmodified virus vulnerable portion of said file in said cache buffer memory to determine if the portion of said opened computer file has been modified since the opening of said file;
      
      indicating said opened computer file is unmodified if the virus vulnerable portion is unmodified; and
      
      indicating said opened computer file is modified if the virus vulnerable portion is modified.
  - 10. The computer program product of claim 6, wherein said determining in response to a closing request if said opened computer file has been modified since being opened includes:
    - monitoring network protocols to determine if a write packet was initiated for a given open file.

11. A system, comprising:
- means for determining whether an operating system includes a “
  
  dirty cache buffer”
  
  to raise or set a modification flag relative to a file being modified during a time it has been open, a computer code being indicative of said flag;
  
  means for using said computer code for a raised or set modification flag, if available, for carrying out said modification determining by checking for the presence of said raised modification flag for said file;
  
  means for detecting a request for closure of said opened computer file;
  
  means for determining in response to and after the closure request, if said opened computer file has been modified since being opened;
  
  means for indicating that said opened computer file is unmodified if said opened computer file has not been modified, based on the determination; and
  
  means for scanning said opened computer file only if said opened computer file has been modified, based on the determination.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein said system further includes:
    - means for establishing said “
      
      dirty cache buffer”
      
      ; and
      
      means for raising said modification flag in said “
      
      dirty cache buffer”
      
      if said opened computer file associated with said flag has been modified by a write operation.
  - 13. The system of claim 11, wherein said operating system includes said “
    - dirty cache buffer”
      
      for providing said computer code for said modification flag indicative of the modification of said opened computer file, said system further including;
      
      means for detecting the presence of said modification flag to determine if said associated opened computer file has been modified.
  - 14. The system of claim 13, further including:
    - means for scanning said file for viruses in response to a request for opening said file;
      
      means for opening said file if virus free;
      
      means for establishing a cache buffer memory for storing upon opening of said file only a virus vulnerable portion of said file that a virus must use to enter and infect said file;
      
      means for indicating said opened computer file is unmodified in the absence of an associated modification flag;
      
      means for responding to the presence of said modification flag by comparing a portion of said opened computer file to the associated unmodified virus vulnerable portion of said file in said cache buffer memory to determine if the portion of said opened computer file has been modified since the opening of said file;
      
      means for indicating said opened computer file is unmodified if the virus vulnerable portion is unmodified; and
      
      means for indicating said opened computer file is modified if the virus vulnerable portion is modified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Drew, Jeffrey M.
Primary Examiner(s)
COLIN, CARL G

Application Number

US11/095,247
Time in Patent Office

1,301 Days
Field of Search

713/188, 713/187, 726/24, 726/22, 726/26
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 51/212 using filtering or selectiv...

Method and apparatus for minimizing file scanning by anti-virus programs

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for minimizing file scanning by anti-virus programs

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others