Aggregation of the knowledge base of antivirus software
Abstract
In accordance with this invention, a system, method, and computer-readable medium that aggregate the knowledge base of a plurality of antivirus software applications are provided. User mode applications, such as antivirus software applications, gain access to file system operations through a common information model, which obviates the need for antivirus software vendors to create kernel mode filters. When file system operations are available to antivirus software applications, the present invention may cause each antivirus software application installed on a computing device to perform a scan to determine if the data is malware.
Claims (21 claims; independent claims 1, 11 and 21 reproduced below)
1. A computer-implemented method for tracking a state of infection of a file in response to receiving notice that the state of infection of the file was identified, the method comprising:
employing a processor to execute computer-executable instructions, stored in a computer-readable storage medium, to perform at least the following acts:
determining if a file index value for the file is contained in a database, wherein the database contains file index values associated with deleted files;
if a file index value for the file is not contained in the database:
obtaining a file index value for the file;
inserting the file index value in the database; and
setting a value of a variable associated with the file index value to represent the state of infection of the file, wherein the variable represents a state of infection with malware, the state of infection includes one of an infected state, a free-from-infection state, or an unknown state; and
if the state of infection of the file is unknown, analyzing the file with a set of antivirus software applications to determine if the file contains malware, wherein each antivirus software application in the set of antivirus software applications is registered with a security service application.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A computer-readable medium having computer-executable instructions stored thereon that, when executed by at least one computer, cause the computer to carry out acts for providing a user mode application with access to data in a file, the acts comprising:
determining if a file index value for the file is contained in a database disparate from a data structure that tracks attributes of files stored on a volume;
if a file index value for the file is not contained in the database:
obtaining a file index value for the file;
inserting the file index value in the database, wherein inserting the file index value in the database includes copying entries in the database to a larger database that is allocated additional memory; and
setting a value of a variable associated with the file index value to represent the state of the file, wherein the variable is retained in the database and represents a state of infection with malware, the state of infection includes at least one of an infected state, a free-from-infection state, or an unknown state.
(Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20)
21. A computer system to track a malware condition of a file when a notice that the malware condition of the file has been identified is received, the computer system comprising:
a processor; and
a computer-readable storage medium having computer-executable instructions stored thereon that, when executed by the computer system, cause the computer system to carry out acts for providing a user mode application with access to data in a file, the acts comprising:
determining if a file index value for the file is contained in a database disparate from a data structure that tracks attributes of files stored on a volume;
if a file index value for the file is not contained in the database:
obtaining a file index value for the file;
inserting the file index value in the database, wherein inserting the file index value in the database includes copying entries in the database to a larger database that is allocated additional memory; and
setting a value of a variable associated with the file index value to represent a state of the file, wherein the variable is retained in the database and represents a state of infection with malware, the state of infection includes at least one of an infected state, a free-from-infection state, or an unknown state.
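The acts recited in claims 1, 11 and 21 amount to a small state-tracking algorithm: look a file's index value up in a database kept apart from the volume's own file metadata, insert it with a state of infected, free-from-infection or unknown if absent, and, when the state is unknown, have every antivirus application registered with the security service scan the file. The following Python is an added illustration of that procedure, not code from the patent or its assignee. It assumes that the file index value is an integer identifier supplied by the caller, that a registered antivirus application can be modelled as a callable returning True for malware, that one positive verdict from any registered scanner marks the file infected (the aggregation rule is an assumption; the claims only say the applications analyze the file), and that the database grows by copying its entries into a list of double the size, as claim 11's "copying entries ... to a larger database" suggests. The scanners and sample content are constructed for the demo and match no real malware signatures.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class InfectionState(Enum):
    INFECTED = "infected"
    CLEAN = "free-from-infection"
    UNKNOWN = "unknown"


# Hypothetical scanner interface (assumption, not an API from the patent): a
# registered antivirus application is a callable that inspects file content and
# returns True when it judges the content to be malware.
Scanner = Callable[[bytes], bool]


class StateDatabase:
    """Table of (file index, state) entries kept separate from the volume's own
    file attribute structure. Storage is a fixed-size list; when it fills up,
    entries are copied into a larger list, which is how claim 11 describes growth."""

    def __init__(self, capacity: int = 4) -> None:
        self._entries: List[Optional[Tuple[int, InfectionState]]] = [None] * capacity
        self._slot_of: Dict[int, int] = {}  # file index -> slot in _entries
        self._count = 0
        self.grow_events = 0  # how many times entries were copied to a larger table

    @property
    def capacity(self) -> int:
        return len(self._entries)

    def contains(self, file_index: int) -> bool:
        return file_index in self._slot_of

    def insert(self, file_index: int, state: InfectionState) -> None:
        if self.contains(file_index):
            raise KeyError(f"file index {file_index} is already tracked")
        if self._count == self.capacity:
            larger: List[Optional[Tuple[int, InfectionState]]] = [None] * (2 * self.capacity)
            larger[: self._count] = self._entries[: self._count]
            self._entries = larger
            self.grow_events += 1
        self._entries[self._count] = (file_index, state)
        self._slot_of[file_index] = self._count
        self._count += 1

    def get(self, file_index: int) -> InfectionState:
        entry = self._entries[self._slot_of[file_index]]
        assert entry is not None
        return entry[1]

    def set_state(self, file_index: int, state: InfectionState) -> None:
        self._entries[self._slot_of[file_index]] = (file_index, state)


class SecurityService:
    """Claim 1's security service application: antivirus applications register
    with it, and it resolves a file's infection state, scanning only when unknown."""

    def __init__(self) -> None:
        self._scanners: Dict[str, Scanner] = {}
        self.db = StateDatabase()
        self.scans_run = 0

    def register(self, name: str, scanner: Scanner) -> None:
        self._scanners[name] = scanner

    def track(self, file_index: int, reported: InfectionState, content: bytes) -> InfectionState:
        # Insert the index with the reported state only if it is not yet tracked;
        # a second notice for a known index keeps the stored state.
        if not self.db.contains(file_index):
            self.db.insert(file_index, reported)
        state = self.db.get(file_index)
        if state is InfectionState.UNKNOWN and self._scanners:
            self.scans_run += 1
            verdicts = {name: scan(content) for name, scan in self._scanners.items()}
            # Aggregation rule (assumed): any registered scanner flagging the file
            # marks it infected; all scanners negative marks it free from infection.
            state = InfectionState.INFECTED if any(verdicts.values()) else InfectionState.CLEAN
            self.db.set_state(file_index, state)
        # With no scanners registered an unknown state stays UNKNOWN rather than
        # silently becoming CLEAN.
        return state


# Constructed demo scanners: each looks for its own made-up marker string.
MARKER_A = b"CONSTRUCTED-MARKER-A"
MARKER_B = b"CONSTRUCTED-MARKER-B"


def build_demo_service() -> SecurityService:
    svc = SecurityService()
    svc.register("vendor-a", lambda content: MARKER_A in content)
    svc.register("vendor-b", lambda content: MARKER_B in content)
    return svc


def run_demo() -> Dict[int, InfectionState]:
    svc = build_demo_service()
    samples = {  # constructed (file index, reported state, content) notices
        1001: (InfectionState.UNKNOWN, b"plain document text"),
        1002: (InfectionState.UNKNOWN, b"header " + MARKER_B + b" trailer"),  # only vendor-b flags it
        1003: (InfectionState.INFECTED, b"already known bad; no scan needed"),
        1004: (InfectionState.UNKNOWN, b"another clean file"),
        1005: (InfectionState.UNKNOWN, MARKER_A),
    }
    results = {idx: svc.track(idx, st, data) for idx, (st, data) in samples.items()}
    # A later notice for an already tracked index does not overwrite the stored state.
    results[1001] = svc.track(1001, InfectionState.INFECTED, b"changed content")
    return results


if __name__ == "__main__":
    for idx, state in run_demo().items():
        print(idx, state.value)
```

Running the demo prints 1001 and 1004 as free-from-infection, 1002 and 1005 as infected by way of a scan, and 1003 as infected without any scan because the notice already carried a known state. A file flagged by only one of the two registered scanners still ends up infected, which is the point of pooling several vendors' knowledge; the fifth insert also triggers one copy into a larger table.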
Specification