Optimization of distributed anti-virus scanning

US 7,865,965 B2
Filed: 06/15/2007
Issued: 01/04/2011
Est. Priority Date: 06/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a computer readable message in a multi-node network;

determining an acceptable policy threshold representative of a plurality of individual policy configurations of a plurality of scanning tools distributed throughout the multi-node network;

determining whether the message has previously been scanned to the acceptable policy threshold to reduce duplicative scanning;

if previously scanned, allowing the message to be communicated to at least one component of the multi-node network;

if not previously scanned, performing scanning of the message at the acceptable policy threshold, wherein the performing the scanning includes;

if the scanning is successful, stamping the message as having been scanned, and allowing the message to be communicated to at least one component of the multi-node network; and

if the scanning is unsuccessful, stamping the message as having been scanned, and enforcing the acceptable policy threshold before allowing dissemination of the message within the multi-node network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for optimizing distributed anti-virus (AV) scanning are described. In one implementation, a message is received into a multi-node network that includes a plurality of distributed scanning tools. An acceptable scanning policy threshold is determined that is representative of a plurality of individual scanning policy configurations of the plurality of scanning tools. A determination is made whether the message has previously been scanned to the acceptable scanning policy threshold based on a single valued element. If the message has been previously scanned, the message is allowed to be communicated. Otherwise, the message is scanned at the acceptable scanning policy threshold. If the scanning is successful, then the message is marked as having been scanned, and is allowed to be communicated. If the scanning is unsuccessful, the message is prevented from being communicated.

37 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving a computer readable message in a multi-node network;
  
  determining an acceptable policy threshold representative of a plurality of individual policy configurations of a plurality of scanning tools distributed throughout the multi-node network;
  
  determining whether the message has previously been scanned to the acceptable policy threshold to reduce duplicative scanning;
  
  if previously scanned, allowing the message to be communicated to at least one component of the multi-node network;
  
  if not previously scanned, performing scanning of the message at the acceptable policy threshold, wherein the performing the scanning includes;
  
  if the scanning is successful, stamping the message as having been scanned, and allowing the message to be communicated to at least one component of the multi-node network; and
  
  if the scanning is unsuccessful, stamping the message as having been scanned, and enforcing the acceptable policy threshold before allowing dissemination of the message within the multi-node network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the scanning is successful if the scanning determines that the message is in conformance with the acceptable policy threshold, and wherein the scanning is unsuccessful if the scanning determines that the message is in non-conformance with the acceptable policy threshold.
  - 3. The method of claim 1, wherein the plurality of scanning tools includes at least one of a content scanning tool or an attribute scanning tool, and wherein the acceptable policy threshold includes at least one of an anti-virus protection, a file filter, a keyword filter, a content filter, or an attribute filter.
  - 4. The method of claim 1, wherein the determining whether the message has previously been scanned includes checking a single parameter having a first value if the message has previously been scanned, and having a second value if the message has not previously been scanned.
  - 5. The method of claim 1, wherein the determining the acceptable policy threshold includes determining an acceptable threshold that is sufficiently probabilistic of the message being in a known state.
  - 6. The method of claim 1, wherein the determining the acceptable policy threshold includes arbitrating between a plurality of policy criteria.
  - 7. The method of claim 1, wherein the determining the acceptable policy threshold includes arbitrating between a plurality of scanning software products having a plurality of scanning criteria.

8. One or more computer storage devices containing computer-readable instructions that, when executed by a processor, perform a method comprising:
- receiving an object into a multi-node network;
  
  determining an acceptable threshold representative of a plurality of individual configurations of a plurality of scanning tools distributed throughout the multi-node network;
  
  determining whether the object has previously been scanned to the acceptable threshold to eliminate duplicative scanning;
  
  if previously scanned, allowing the object to be communicated to at least one component of the multi-node network;
  
  if not previously scanned, performing scanning of the object at the acceptable threshold, wherein the performing the scanning includes;
  
  if the scanning determines that the object is in conformance with the acceptable threshold, stamping the object as having been scanned and allowing the object to be communicated to at least one component of the multi-node network;
  
  orif the scanning determines that the object is in violation of the acceptable threshold, stamping the object as having been scanned, and subsequently enforcing the acceptable threshold before allowing further dissemination of the object within the multi-node network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The one or more computer storage devices of claim 8, wherein the plurality of scanning tools includes at least one of a content scanning tool or an attribute scanning tool, and wherein the acceptable threshold includes at least one of an anti-virus protection, a file filter, a keyword filter, a content filter, or an attribute filter.
  - 10. The one or more computer storage devices of claim 8, wherein the determining the acceptable threshold includes determining the acceptable threshold that is not an absolute guarantee of the object being in a known state.
  - 11. The one or more computer storage devices of claim 8, wherein the determining the acceptable threshold includes arbitrating between a plurality of scanning criteria.
  - 12. The one or more computer storage devices of claim 11, wherein the arbitrating includes assimilating one or more different scanning configurations, one or more priorities, and one or more weighting factors to arrive at an acceptable minimum scanning threshold for a particular combination of circumstances existing within the multi-node network.
  - 13. The one or more computer storage devices of claim 8, wherein the determining the acceptable scanning threshold includes arbitrating between a plurality of scanning software products having a plurality of scanning criteria.
  - 14. The one or more computer storage devices of claim 13, wherein the arbitrating between a plurality of scanning software products includes arbitrating between at least one multi-valued scanning software product and at least one single-valued scanning software product.

15. A device, comprising:
- a processor;
  
  a memory operatively coupled to the processor;
  
  a communication component stored in the memory and configured to be operatively executed by the processor to receive an incoming message; and
  
  at least one scanning component stored in the memory and configured to be operatively executed by the processor to;
  
  determine an acceptable policy threshold representative of a plurality of individual scanning policy configurations of a plurality of scanning tools distributed throughout a multi-node network;
  
  determine whether the message has previously been scanned to the acceptable policy threshold to prevent duplicative scanning;
  
  if previously scanned, allow the message to be communicated by the communication component;
  
  if not previously scanned, perform scanning of the message at the acceptable policy threshold, wherein the scanning includes;
  
  if the scanning is successful, stamp the message as having been scanned, and allow the message to be communicated by the communication component; and
  
  if the scanning is unsuccessful, stamp the message as having been scanned, and prevent communication of the message by the communication component.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The device of claim 15, wherein the at least one scanning component is further configured to determine whether the scanning is successful based on whether the object is in conformance with the acceptable policy threshold.
  - 17. The device of claim 15, wherein the at least one scanning component is further configured to be operatively executed by the processor to determine the acceptable policy threshold that is sufficiently probabilistic of the message being in a known state.
  - 18. The device of claim 15, wherein the at least one scanning component is further configured to be operatively executed by the processor to determine the acceptable policy threshold by arbitrating between a plurality of scanning criteria.
  - 19. The device of claim 15, wherein the at least one scanning component is further configured to be operatively executed by the processor to determine the acceptable policy threshold that includes at least one of an anti-virus protection, a file filter, a keyword filter, a content filter, or an attribute filter.
  - 20. The device of claim 15, wherein the scanning component is further configured to be operatively executed by the processor to determine the acceptable policy threshold by arbitrating between at least one multi-valued scanning software product and at least one single-valued scanning software product.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kramer, Michael, Tanzer, Brett A., Schaefer, Edward W., De Luca, Christopher
Primary Examiner(s)
Hoffman; Brandon S

Application Number

US11/763,795
Publication Number

US 20080313733A1
Time in Patent Office

1,299 Days
Field of Search

None
US Class Current

726/30
CPC Class Codes

H04L 63/145 the attack involving the pr...

Optimization of distributed anti-virus scanning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Optimization of distributed anti-virus scanning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links