Aggregation of the knowledge base of antivirus software

US 7,765,400 B2
Filed: 11/08/2004
Issued: 07/27/2010
Est. Priority Date: 11/08/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for tracking a state of infection of a file in response to receiving notice that the state of infection of the file was identified, the method comprising:

employing a processor to execute computer-executable instructions, stored in a computer-readable storage medium, to perform at least the following acts;

determining if a file index value for the file is contained in a database, wherein the database contains file index values associated with deleted files;

if a file index value for the file is not contained in the database;

obtaining a file index value for the file;

inserting the file index value in the database; and

setting a value of a variable associated with the file index value to represent the state of infection of the file, wherein the variable represents a state of infection with malware, the state of infection includes one of an infected state, a free-from-infection state, or an unknown state; and

if the state of infection of the file is unknown, analyzing the file with a set of antivirus software applications to determine if the file contains malware, wherein each antivirus software application in the set of antivirus software applications is registered with a security service application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with this invention, a system, method, and computer-readable medium that aggregates the knowledge base of a plurality of antivirus software applications are provided. User mode applications, such as antivirus software applications, gain access to file system operations through a common information model, which obviates the need for antivirus software vendors to create kernel mode filters. When file system operations are available to antivirus software applications, the present invention may cause each antivirus software application installed on a computing device to perform a scan to determine if the data is malware.

60 Citations

View as Search Results

21 Claims

1. A computer-implemented method for tracking a state of infection of a file in response to receiving notice that the state of infection of the file was identified, the method comprising:
- employing a processor to execute computer-executable instructions, stored in a computer-readable storage medium, to perform at least the following acts;
  
  determining if a file index value for the file is contained in a database, wherein the database contains file index values associated with deleted files;
  
  if a file index value for the file is not contained in the database;
  
  obtaining a file index value for the file;
  
  inserting the file index value in the database; and
  
  setting a value of a variable associated with the file index value to represent the state of infection of the file, wherein the variable represents a state of infection with malware, the state of infection includes one of an infected state, a free-from-infection state, or an unknown state; and
  
  if the state of infection of the file is unknown, analyzing the file with a set of antivirus software applications to determine if the file contains malware, wherein each antivirus software application in the set of antivirus software applications is registered with a security service application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising returning the variable associated with the file index value in response to a query.
  - 3. The method of claim 1, further comprising:
    - if the set of antivirus software applications determine that the file contains malware, setting the value of the variable associated with the file index value in the database to a value that represents an infected state; and
      
      if the set of antivirus software applications determine that the file does not contain malware, setting the value of the variable associated with the file index value in the database to a value that represents a free-from-infection state.
  - 4. The method of claim 1, wherein the contents of the database are accessible to a user mode program.
  - 5. The method of claim 1, wherein obtaining a file index value for the file includes querying a data structure that tracks a set of attributes of files stored on a volume.
  - 6. The method of claim 5, wherein the data structure that tracks the attributes of files stored on the volume is a master file table.
  - 7. The method of claim 1, wherein inserting the file index value in the database includes copying entries in the database to a larger database that is allocated additional memory.
  - 8. The method of claim 7, wherein the additional memory allocated to the larger database is a percentage of the memory allocated to the database.
  - 9. The method of claim 1, wherein the variable associated with the file index value consists of two bits of information.
  - 10. The method of claim 1, wherein a variable associated with file index values of deleted files is changed to a value that represents a free-from-infection state in response to intercepting a command that causes a new file to be created.

11. A computer-readable medium having computer-executable instructions stored thereon that, when executed by at least one computer, causes the computer to carry out acts for providing a user mode application with access to data in a file, the acts comprising:
- determining if a file index value for the file is contained in a database disparate from a data structure that tracks attributes of files stored on a volume;
  
  if a file index value for the file is not contained in the database;
  
  obtaining a file index value for the file;
  
  inserting the file index value in the database, wherein inserting the file index value in the database includes copying entries in the database to a larger database that is allocated additional memory;
  
  setting a value of a variable associated with the file index value to represent the state of the file, wherein the variable is retained in the database and represents a state of infection with malware, the state of infection includes at least one of an infected state, a free-from-infection state, or an unknown state.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer-readable medium as recited in claim 11, further comprising instructions that, when executed by at least one computer, cause the computer to carry out the act of returning the variable associated with the file index value in response to a query.
  - 13. The computer-readable medium as recited in claim 11, further comprising instructions that, when executed by at least one computer, cause the computer to carry out the act of causing a set of antivirus software applications to analyze the file and determine if the file contains malware when the state of the file is unknown.
  - 14. The computer-readable medium as recited in claim 13, further comprising instructions, that when executed by at least one computer, cause the computer to carry out the following act:
    - if the set of antivirus software applications determine that the file contains malware, setting the value of the variable associated with the file index value in the database to a value that represents an infected state; and
      
      if the set of antivirus software applications determine that the file does not contain malware, setting the value of the variable associated with the file index value in the database to a value a free-from-infection state.
  - 15. The computer-readable medium as recited in claim 11, wherein the contents of the database are accessible to a user mode program.
  - 16. The computer-readable medium as recited in claim 11, wherein obtaining a file index value for the file includes querying the data structure that tracks the attributes of files stored on the volume.
  - 17. The computer-readable medium as recited in claim 16, wherein the data structure that tracks the attributes of files stored on the volume is a master file table.
  - 18. The computer-readable medium as recited in claim 11, wherein the additional memory allocated to the larger database is a percentage of the memory allocated to the database.
  - 19. The computer-readable medium as recited in claim 11, wherein the variable associated with the file index value consists of two bits of information.
  - 20. The computer-readable medium as recited in claim 11, wherein the database includes file index values associated with deleted files and wherein a variable associated with a set of deleted files is changed to a value that represents a free-from-infection state in response to intercepting a command that causes a new file to be created.

21. A computer system to track a malware condition of a file when a notice that the malware condition of the file has been identified, the computer system comprising:
- a processor; and
  
  a computer-readable storage medium having stored computer-executable instructions stored thereon that, when executed by the computer system, causes the computer system to carry out acts for providing a user mode application with access to data in a file, the acts comprising;
  
  determining if a file index value for the file is contained in a database disparate from a data structure that tracks attributes of files stored on a volume;
  
  if a file index value for the file is not contained in the database;
  
  obtaining a file index value for the file;
  
  inserting the file index value in the database, wherein inserting the file index value in the database includes copying entries in the database to a larger database that is allocated additional memory; and
  
  setting a value of a variable associated with the file index value to represent a state of the file, wherein the variable is retained in the database and represents a state of infection with malware, the state of infection includes at least one of an infected state, a free-from-infection state, or an unknown state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Costea, Mihai, Thomas, Anil Francis, Marinescu, Adrian M, Goebel, David Allen
Primary Examiner(s)
Moorthy; Aravind K

Application Number

US10/984,615
Publication Number

US 20060101264A1
Time in Patent Office

2,087 Days
Field of Search

713/165
US Class Current

713/165
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

Y10S 707/99931   Database or file accessing

Aggregation of the knowledge base of antivirus software

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Aggregation of the knowledge base of antivirus software

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links