Scanning data in an access restricted file for malware

US 7,660,797 B2
Filed: 05/27/2005
Issued: 02/09/2010
Est. Priority Date: 05/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method for scanning a file stored on a computer that has been infected by malware and that has restrictive access attributes that were set by the malware to prevent the file from being scanned, the method comprising:

attempting to scan a file on a computer with a malware scanner that has administrator privileges to access files on the computer;

receiving an indication that the file cannot be scanned because of one or more restrictive access attributes of the file that were set by malware that has infected the file, the one or more restrictive access attributes preventing the malware scanner from scanning the file because of the malware scanner'"'"'s administrator privileges, wherein the one or more restrictive access attributes comprise at least one of the following;

the file being encrypted using a key that is associated with a particular user of the computer;

the file being associated with an access control list that does not allow a program with administrator privileges to access the file;

orthe file being locked for exclusive access by the malware;

bypassing the one or more restrictive access attributes to scan the file, wherein bypassing the one or more restrictive attributes comprises the following;

if the file is encrypted, impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned;

if the file is associated with an access control list that does not allow a program with administrator privileges to access the file, bypassing the access control list by obtaining a handle to the file from a backup/restore service and using the handle to scan the file;

orif the file is locked for exclusive access by the malware, determining whether the file is currently open such that if the file is currently open, the malware scanner obtains and uses a duplicate handle to scan the file, and such that if the file is not currently open, the malware scanner obtains the file directly from a hardware device where the file is stored without using file system services provided by an operating system by identifying physical locations on the hardware device where data clusters associated with the file are stored by parsing a database maintained by the operating system that tracks file attributes; and

scanning the file to identify the malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed toward a system, method, and computer-readable medium that scan a file for malware that maintains a restrictive access attribute that limits access to the file. In accordance with one aspect of the present invention, a method for performing a scan for malware is provided when antivirus software on a computer encounters a file with a restrictive access attribute that prevents the file from being scanned. More specifically, the method includes identifying the restrictive access attribute that limits access to the file; bypassing the restrictive access attribute to access data in the file; and using a scan engine to scan the data in the file for malware.

28 Citations

View as Search Results

15 Claims

1. A method for scanning a file stored on a computer that has been infected by malware and that has restrictive access attributes that were set by the malware to prevent the file from being scanned, the method comprising:
- attempting to scan a file on a computer with a malware scanner that has administrator privileges to access files on the computer;
  
  receiving an indication that the file cannot be scanned because of one or more restrictive access attributes of the file that were set by malware that has infected the file, the one or more restrictive access attributes preventing the malware scanner from scanning the file because of the malware scanner'"'"'s administrator privileges, wherein the one or more restrictive access attributes comprise at least one of the following;
  
  the file being encrypted using a key that is associated with a particular user of the computer;
  
  the file being associated with an access control list that does not allow a program with administrator privileges to access the file;
  
  orthe file being locked for exclusive access by the malware;
  
  bypassing the one or more restrictive access attributes to scan the file, wherein bypassing the one or more restrictive attributes comprises the following;
  
  if the file is encrypted, impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned;
  
  if the file is associated with an access control list that does not allow a program with administrator privileges to access the file, bypassing the access control list by obtaining a handle to the file from a backup/restore service and using the handle to scan the file;
  
  orif the file is locked for exclusive access by the malware, determining whether the file is currently open such that if the file is currently open, the malware scanner obtains and uses a duplicate handle to scan the file, and such that if the file is not currently open, the malware scanner obtains the file directly from a hardware device where the file is stored without using file system services provided by an operating system by identifying physical locations on the hardware device where data clusters associated with the file are stored by parsing a database maintained by the operating system that tracks file attributes; and
  
  scanning the file to identify the malware.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, wherein receiving an indication that the file cannot be scanned comprises receiving an error message.
  - 3. The method as recited in claim 1, wherein the key is included in an access token associated with the particular user and wherein impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned comprises:
    - obtaining the access token associated with the particular user; and
      
      issuing a function call to the operating system installed on the computer where the access token associated with the user is located.
  - 4. The method as recited in claim 1, wherein determining whether the file is currently open comprises searching a table that tracks all open files on the computer.
  - 5. The method as recited in claim 1, wherein obtaining the file from the hardware device where the file is stored includes identifying data clusters associated with the file using a defragmentation interface.
  - 6. The method as recited in claim 1, wherein obtaining the data in the file from the hardware device where the file is stored further includes:
    - (a) determining whether the data clusters are encrypted; and
      
      (b) if the data clusters are encrypted, obtaining the access rights of a user who can access the data clusters and using the access rights for accessing the data clusters.

7. A computer-readable storage medium storing computer executable instructions, which when executed by a processor, perform a method for scanning a file stored on a computer that has been infected by malware and that has restrictive access attributes that were set by the malware to prevent the file from being scanned, the method comprising:
- attempting to scan a file on a computer with a malware scanner that has administrator privileges to access files on the computer;
  
  receiving an indication that the file cannot be scanned because of one or more restrictive access attributes of the file that were set by malware that has infected the file, the one or more restrictive access attributes preventing the malware scanner from scanning the file because of the malware scanner'"'"'s administrator privileges, wherein the one or more restrictive access attributes comprise at least one of the following;
  
  the file being encrypted using a key that is associated with a particular user of the computer;
  
  the file being associated with an access control list that does not allow a program with administrator privileges to access the file;
  
  orthe file being locked for exclusive access by the malware;
  
  bypassing the one or more restrictive access attributes to scan the file, wherein bypassing the one or more restrictive attributes comprises the following;
  
  if the file is encrypted, impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned;
  
  if the file is associated with an access control list that does not allow a program with administrator privileges to access the file, bypassing the access control list by obtaining a handle to the file from a backup/restore service and using the handle to scan the file;
  
  orif the file is locked for exclusive access by the malware, determining whether the file is currently open such that if the file is currently open, the malware scanner obtains and uses a duplicate handle to scan the file, and such that if the file is not currently open, the malware scanner obtains the file directly from a hardware device where the file is stored without using file system services provided by an operating system by identifying physical locations on the hardware device where data clusters associated with the file are stored by parsing a database maintained by the operating system that tracks file attributes; and
  
  scanning the file to identify the malware.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable storage medium as recited in claim 7, wherein receiving an indication that the file cannot be scanned comprises receiving an error message.
  - 9. The computer-readable storage medium as recited in claim 7, wherein the key is included in an access token associated with the particular user and wherein impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned comprises:
    - obtaining the access token associated with the particular user; and
      
      issuing a function call to the operating system installed on the computer where the access token associated with the user is located.
  - 10. The computer-readable storage medium as recited in claim 7, wherein determining whether the file is currently open searching a table that tracks open files on the computer.
  - 11. The computer-readable storage medium as recited in claim 7, wherein obtaining the file from the hardware device where the file is stored includes identifying data clusters associated with the file using a defragmentation interface.
  - 12. The computer-readable storage medium as recited in claim 7, the data in the file from the hardware device where the file is stored further includes:
    - (a) determining whether the data clusters are encrypted; and
      
      (b) if the data clusters are encrypted, obtaining the access rights of a user who can access the data clusters and using the access rights for accessing the data clusters.

13. A computing device comprising a processor configured to execute instructions in memory to perform a method for scanning a file stored on the computing device that has been infected by malware and that has restrictive access attributes that were set by the malware to prevent the file from being scanned, the method comprising:
- attempting to scan a file on the computing device with a malware scanner that has administrator privileges to access files on the computing device;
  
  receiving an indication that the file cannot be scanned because of one or more restrictive access attributes of the file that were set by malware that has infected the file, the one or more restrictive access attributes preventing the malware scanner from scanning the file because of the malware scanner'"'"'s administrator privileges, wherein the one or more restrictive access attributes comprise at least one of the following;
  
  the file being encrypted using a key that is associated with a particular user of the computing device;
  
  the file being associated with an access control list that does not allow a program with administrator privileges to access the file;
  
  orthe file being locked for exclusive access by the malware;
  
  bypassing the one or more restrictive access attributes to scan the file, wherein bypassing the one or more restrictive attributes comprises the following;
  
  if the file is encrypted, impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned;
  
  if the file is associated with an access control list that does not allow a program with administrator privileges to access the file, bypassing the access control list by obtaining a handle to the file from a backup/restore service and using the handle to scan the file;
  
  orif the file is locked for exclusive access by the malware, determining whether the file is currently open such that if the file is currently open, the malware scanner obtains and uses a duplicate handle to scan the file, and such that if the file is not currently open, the malware scanner obtains the file directly from a hardware device where the file is stored without using file system services provided by an operating system by identifying physical locations on the hardware device where data clusters associated with the file are stored by parsing a database maintained by the operating system that tracks file attributes; and
  
  scanning the file to identify the malware.
- View Dependent Claims (14, 15)
- - 14. The computing device as recited in claim 13, wherein obtaining the file directly from the hardware device comprises accessing a low-level access system component that is communicatively connected to the hardware device to obtain the file.
  - 15. The computing device as recited in claim 14, wherein the low-level access system component maintains a defragmentation interface to identify locations on the hardware device component where data clusters comprising the file are stored;
    - andwherein the file is obtained by querying the defragmentation interface to bypass the one or more restrictive access attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Gheorghescu, Marius Gheorghe, Field, Scott A, Chicioreanu, George C, Marinescu, Adrian M
Primary Examiner(s)
Alam; Hosain T
Assistant Examiner(s)
LIN, SHEW FEN

Application Number

US11/139,409
Publication Number

US 20060272021A1
Time in Patent Office

1,719 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

Scanning data in an access restricted file for malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Scanning data in an access restricted file for malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others