Scanning data in an access restricted file for malware
First Claim
1. A method for scanning a file stored on a computer that has been infected by malware and that has restrictive access attributes that were set by the malware to prevent the file from being scanned, the method comprising:
- attempting to scan a file on a computer with a malware scanner that has administrator privileges to access files on the computer;
- receiving an indication that the file cannot be scanned because of one or more restrictive access attributes of the file that were set by malware that has infected the file, the one or more restrictive access attributes preventing the malware scanner from scanning the file because of the malware scanner's administrator privileges, wherein the one or more restrictive access attributes comprise at least one of the following:
  - the file being encrypted using a key that is associated with a particular user of the computer;
  - the file being associated with an access control list that does not allow a program with administrator privileges to access the file; or
  - the file being locked for exclusive access by the malware;
- bypassing the one or more restrictive access attributes to scan the file, wherein bypassing the one or more restrictive attributes comprises the following:
  - if the file is encrypted, impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned;
  - if the file is associated with an access control list that does not allow a program with administrator privileges to access the file, bypassing the access control list by obtaining a handle to the file from a backup/restore service and using the handle to scan the file; or
  - if the file is locked for exclusive access by the malware, determining whether the file is currently open, such that if the file is currently open, the malware scanner obtains and uses a duplicate handle to scan the file, and such that if the file is not currently open, the malware scanner obtains the file directly from a hardware device where the file is stored, without using file system services provided by an operating system, by identifying physical locations on the hardware device where data clusters associated with the file are stored by parsing a database maintained by the operating system that tracks file attributes; and
- scanning the file to identify the malware.
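The last bypass in the claim, locating a file's clusters by parsing the file system's own attribute database instead of asking the file system to open the file, is what forensic tools do on NTFS when they decode the run list of a non-resident $DATA attribute in the Master File Table (reading the claim's "database that tracks file attributes" as the MFT is my assumption; the patent page does not name it). The following Python is an added example, not code from the patent: it decodes a constructed run list into cluster extents and maps a file offset to the byte offset on the volume that a scanner would read from the raw device; the run-list bytes and the 4096-byte cluster size are constructed for the example.

```python
# Added example: decode an NTFS data-run list (from a non-resident $DATA
# attribute in an MFT record) into cluster extents and map a file offset to
# its byte offset on the volume. Sample bytes and cluster size are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Extent:
    vcn: int            # first virtual cluster of the run within the file
    length: int         # run length in clusters
    lcn: Optional[int]  # first logical cluster on the volume; None if sparse

def decode_data_runs(runlist: bytes) -> List[Extent]:
    """Each run: header byte (low nibble = size of the length field, high nibble
    = size of the signed LCN-delta field), then the two little-endian fields.
    A zero header terminates the list; a zero-size delta field marks a sparse run."""
    extents, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0:
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError("malformed run list at byte %d" % (pos - 1))
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append(Extent(vcn, length, None))   # sparse: no clusters on disk
        else:
            lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            if lcn < 0:
                raise ValueError("run list points before the start of the volume")
            extents.append(Extent(vcn, length, lcn))
        vcn += length
    return extents

def physical_offset(extents: List[Extent], file_offset: int, cluster_size: int) -> Optional[int]:
    """Volume byte offset that holds file_offset, or None if it lies in a sparse run."""
    vcn, within = divmod(file_offset, cluster_size)
    for e in extents:
        if e.vcn <= vcn < e.vcn + e.length:
            return None if e.lcn is None else (e.lcn + vcn - e.vcn) * cluster_size + within
    raise ValueError("file offset beyond the last run")

# Constructed run list: 24 clusters at LCN 0x5634, then 8 clusters starting 10
# clusters before that, a 16-cluster sparse run, then 5 clusters 0x10000 further on.
SAMPLE_RUNLIST = bytes.fromhex("21 18 34 56  11 08 F6  01 10  31 05 00 00 01  00")
CLUSTER_SIZE = 4096
```

A scanner that reads the returned offsets from the raw volume gets the file's data without the file system ever opening the file, which is why an exclusive lock does not stop it.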
Assignments: 2. Petitions: 0.
Abstract
The present invention is directed toward a system, method, and computer-readable medium that scan a file for malware that maintains a restrictive access attribute that limits access to the file. In accordance with one aspect of the present invention, a method for performing a scan for malware is provided when antivirus software on a computer encounters a file with a restrictive access attribute that prevents the file from being scanned. More specifically, the method includes identifying the restrictive access attribute that limits access to the file; bypassing the restrictive access attribute to access data in the file; and using a scan engine to scan the data in the file for malware.
Citations: 28
Claims (15 in total; the independent claims 1, 7 and 13 are shown)
1. As set out under First Claim above. Dependent claims 2, 3, 4, 5 and 6 are not shown.
7. A computer-readable storage medium storing computer executable instructions, which when executed by a processor, perform a method for scanning a file stored on a computer that has been infected by malware and that has restrictive access attributes that were set by the malware to prevent the file from being scanned, the method comprising:
- attempting to scan a file on a computer with a malware scanner that has administrator privileges to access files on the computer;
- receiving an indication that the file cannot be scanned because of one or more restrictive access attributes of the file that were set by malware that has infected the file, the one or more restrictive access attributes preventing the malware scanner from scanning the file because of the malware scanner's administrator privileges, wherein the one or more restrictive access attributes comprise at least one of the following:
  - the file being encrypted using a key that is associated with a particular user of the computer;
  - the file being associated with an access control list that does not allow a program with administrator privileges to access the file; or
  - the file being locked for exclusive access by the malware;
- bypassing the one or more restrictive access attributes to scan the file, wherein bypassing the one or more restrictive attributes comprises the following:
  - if the file is encrypted, impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned;
  - if the file is associated with an access control list that does not allow a program with administrator privileges to access the file, bypassing the access control list by obtaining a handle to the file from a backup/restore service and using the handle to scan the file; or
  - if the file is locked for exclusive access by the malware, determining whether the file is currently open, such that if the file is currently open, the malware scanner obtains and uses a duplicate handle to scan the file, and such that if the file is not currently open, the malware scanner obtains the file directly from a hardware device where the file is stored, without using file system services provided by an operating system, by identifying physical locations on the hardware device where data clusters associated with the file are stored by parsing a database maintained by the operating system that tracks file attributes; and
- scanning the file to identify the malware.
Dependent claims 8, 9, 10, 11 and 12 are not shown.
13. A computing device comprising a processor configured to execute instructions in memory to perform a method for scanning a file stored on the computing device that has been infected by malware and that has restrictive access attributes that were set by the malware to prevent the file from being scanned, the method comprising:
- attempting to scan a file on the computing device with a malware scanner that has administrator privileges to access files on the computing device;
- receiving an indication that the file cannot be scanned because of one or more restrictive access attributes of the file that were set by malware that has infected the file, the one or more restrictive access attributes preventing the malware scanner from scanning the file because of the malware scanner's administrator privileges, wherein the one or more restrictive access attributes comprise at least one of the following:
  - the file being encrypted using a key that is associated with a particular user of the computing device;
  - the file being associated with an access control list that does not allow a program with administrator privileges to access the file; or
  - the file being locked for exclusive access by the malware;
- bypassing the one or more restrictive access attributes to scan the file, wherein bypassing the one or more restrictive attributes comprises the following:
  - if the file is encrypted, impersonating the particular user to obtain the key to decrypt the file such that the file may be scanned;
  - if the file is associated with an access control list that does not allow a program with administrator privileges to access the file, bypassing the access control list by obtaining a handle to the file from a backup/restore service and using the handle to scan the file; or
  - if the file is locked for exclusive access by the malware, determining whether the file is currently open, such that if the file is currently open, the malware scanner obtains and uses a duplicate handle to scan the file, and such that if the file is not currently open, the malware scanner obtains the file directly from a hardware device where the file is stored, without using file system services provided by an operating system, by identifying physical locations on the hardware device where data clusters associated with the file are stored by parsing a database maintained by the operating system that tracks file attributes; and
- scanning the file to identify the malware.
Dependent claims 14 and 15 are not shown.