Efficient file scanning using secure listing of file modification times

US 7,895,654 B1
Filed: 06/27/2005
Issued: 02/22/2011
Est. Priority Date: 06/27/2005
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for efficiently scanning files for malicious code, the method comprising the steps of:

maintaining a non-tamperable record of modifications to files on a volume, the record of modifications to files indicating modification statuses of the files, a modification status indicating when an associated file was last modified, wherein maintaining the non-tamperable record further comprises;

responsive to a first file being modified, monitoring the first file for a short period of time after the modification to determine whether the first file is deleted during the short period of time, andperforming a step from a group of steps comprising;

responsive to the first file not being deleted during the short period of time, recording the modification to the first file, andresponsive to the first file being deleted during the short period of time, not recording the modification to the first file;

receiving at least one malicious code signature;

establishing a defined time period measured as an amount of time prior to a current time at which scanning is to be performed;

establishing a high priority for files last modified within the defined time period;

establishing a low priority for files last modified prior to the defined time period; and

scanning files on the volume for the at least one malicious code signature responsive to the established priorities, the scanning comprising scanning files having established high priorities prior to scanning files having established low priorities.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scanning optimization manager efficiently scans files for malicious code. The scanning optimization manager maintains a non-tamperable record of modifications to files on a volume. The scanning optimization manager receives at least one malicious code signature. Responsive to the receipt of the at least one malicious code signature, the scanning optimization manager scans at least some files on the volume for the at least one malicious code signature at a priority corresponding to an associated modification status.

95 Citations

View as Search Results

21 Claims

1. A computer implemented method for efficiently scanning files for malicious code, the method comprising the steps of:
- maintaining a non-tamperable record of modifications to files on a volume, the record of modifications to files indicating modification statuses of the files, a modification status indicating when an associated file was last modified, wherein maintaining the non-tamperable record further comprises;
  
  responsive to a first file being modified, monitoring the first file for a short period of time after the modification to determine whether the first file is deleted during the short period of time, andperforming a step from a group of steps comprising;
  
  responsive to the first file not being deleted during the short period of time, recording the modification to the first file, andresponsive to the first file being deleted during the short period of time, not recording the modification to the first file;
  
  receiving at least one malicious code signature;
  
  establishing a defined time period measured as an amount of time prior to a current time at which scanning is to be performed;
  
  establishing a high priority for files last modified within the defined time period;
  
  establishing a low priority for files last modified prior to the defined time period; and
  
  scanning files on the volume for the at least one malicious code signature responsive to the established priorities, the scanning comprising scanning files having established high priorities prior to scanning files having established low priorities.
- View Dependent Claims (2, 3, 4, 5, 6, 19)
- - 2. The method of claim 1 wherein maintaining a non-tamperable record of modifications to files on a volume further comprises:
    - detecting modifications being made to files on the volume; and
      
      storing a secure record of times at which modifications to files are made.
  - 3. The method of claim 1 wherein maintaining a non-tamperable record of modifications to files on a volume further comprises:
    - detecting deletion of at least one file in the record of modifications on the volume; and
      
      storing a secure record of the deletion.
  - 4. The method of claim 1 wherein receiving at least one malicious code signature further comprises:
    - receiving at least one new malicious code signature.
  - 5. The method of claim 1 wherein at least one of the steps is performed by at least one software component executing on at least one computing device from a group of computing devices consisting of:
    - a server;
      
      a client;
      
      a firewall;
      
      an intrusion detection system;
      
      a proxy;
      
      a gateway; and
      
      a switch.
  - 6. The method of claim 1 wherein maintaining a non-tamperable record of modifications to files on a volume further comprises:
    - maintaining a non-tamperable record of modifications to at least some files.
  - 19. The method of claim 1, wherein establishing priorities for scanning the files further comprises grouping the files responsive to the files'"'"' associated modification statuses and wherein the scanning comprises scanning the files within each group in the order in which the files occur on the volume.

7. A non-transitory computer readable storage medium containing executable program code for efficiently scanning files for malicious code, the computer program code comprising:
- program code for maintaining a non-tamperable record of modifications to files on a volume, the record of modifications to files indicating modification statuses of the files, a modification status indicating when an associated file was last modified, wherein the program code for maintaining the non-tamperable record further comprises;
  
  program code for, responsive to a first file being modified, monitoring the first file for a short period of time after the modification to determine whether the first file is deleted during the short period of time, andprogram code for performing a step from a group of steps comprising;
  
  responsive to the first file not being deleted during the short period of time, recording the modification to the first file, andresponsive to the first file being deleted during the short period of time, not recording the modification to the first file;
  
  program code for receiving at least one malicious code signature;
  
  program code for establishing a defined time period measured as an amount of time prior to a current time at which scanning is to be performed;
  
  program code for establishing a high priority for files last modified within the defined time period;
  
  program code for establishing a low priority for files last modified prior to the defined time period; and
  
  program code for scanning files on the volume for the at least one malicious code signature responsive to the established priorities, the scanning comprising scanning files having established high priorities prior to scanning files having established low priorities.
- View Dependent Claims (8, 9, 10, 11, 12, 20)
- - 8. The computer readable storage medium of claim 7 wherein the program code for maintaining a non-tamperable record of modifications to files on a volume further comprises:
    - program code for detecting modifications being made to files on the volume; and
      
      program code for storing a secure record of times at which modifications to files are made.
  - 9. The computer readable storage medium of claim 7 wherein the program code for maintaining a non-tamperable record of modifications to files on a volume further comprises:
    - program code for detecting deletion of at least one file in the record of modifications on the volume; and
      
      program code for storing a secure record of the deletion.
  - 10. The computer readable storage medium of claim 7 wherein the program code for receiving at least one malicious code signature further comprises:
    - program code for receiving at least one new malicious code signature.
  - 11. The computer readable storage medium of claim 7 wherein at least some of the program code comprises program code for executing as part of a software component on at least one computing device from a group of computing devices consisting of:
    - a server;
      
      a client;
      
      a firewall;
      
      an intrusion detection system;
      
      a proxy;
      
      a gateway; and
      
      a switch.
  - 12. The computer readable storage medium of claim 7 wherein the program code for maintaining a non-tamperable record of modifications to files on a volume further comprises:
    - program code for maintaining a non-tamperable record of modifications to at least some files.
  - 20. The computer readable storage medium of claim 7, wherein the program code for establishing priorities for scanning the files further comprises program code for grouping the files responsive to the files'"'"' associated modification statuses and wherein the program code for scanning comprises program code for scanning the files within each group in the order in which the files occur on the volume.

13. A computer system for efficiently scanning files for malicious code, the computer system comprising:
- a volume for storing files;
  
  a processor for executing software portions; and
  
  a computer readable storage medium containing executable software portions, the software portions comprising;
  
  a software portion configured to maintain a non-tamperable record of modifications to files on the volume, the record of modifications to files indicating modification statuses of files, a modification status indicating when an associated file was last modified, wherein the software portion configured to maintain the non-tamperable record further comprises;
  
  a software portion configured to, responsive to a first file being modified, monitor the first file for a short period of time after the modification to determine whether the first file is deleted during the short period of time, anda software portion configured to perform a step from a group of steps comprising;
  
  responsive to the first file not being deleted during the short period of time, recording the modification to the first file, andresponsive to the first file being deleted during the short period of time, not recording the modification to the first file;
  
  a software portion configured to receive at least one malicious code signature;
  
  a software portion configured to establish a defined time period measured as an amount of time prior to a current time at which scanning is to be performed;
  
  a software portion configured to establish a high priority for files last modified within the defined time period;
  
  a software portion configured to establish a low priority for files last modified prior to the defined time period; and
  
  a software portion configured to scan files on the volume for the at least one malicious code signature responsive to the established priorities, the scanning comprising scanning files having established high priorities prior to scanning files having established low priorities.
- View Dependent Claims (14, 15, 16, 17, 18, 21)
- - 14. The computer system of claim 13 wherein the software portion configured to maintain a non-tamperable record of modifications to files on the volume further comprises:
    - a software portion configured to detect modifications being made to files on the volume; and
      
      a software portion configured to store a secure record of times at which modifications to files are made.
  - 15. The computer system of claim 13 wherein the software portion configured to maintain a non-tamperable record of modifications to files on the volume further comprises:
    - a software portion configured to detect deletion of at least one file in the record of modifications on the volume; and
      
      a software portion configured to store a secure record of the deletion.
  - 16. The computer system of claim 13 wherein the software portion configured to receive at least one malicious code signature further comprises:
    - a software portion configured to receive at least one new malicious code signature.
  - 17. The computer system of claim 13 wherein at least one of the software portions comprises a software portion configured to execute as part of a software component on at least one computing device from a group of computing devices consisting of:
    - a server;
      
      a client;
      
      a firewall;
      
      an intrusion detection system;
      
      a proxy;
      
      a gateway; and
      
      a switch.
  - 18. The computer system of claim 13 wherein the software portion configured to maintain a non-tamperable record of modifications to files on the volume further comprises:
    - a software portion configured to maintain a non-tamperable record of modifications to at least some files.
  - 21. The computer system of claim 13 wherein the software portion to scan the files further comprises a software portion configured to group the files responsive to the files'"'"' associated modification statuses and wherein the software portion to scan comprises software portion to scan the files within each group in the order in which the files occur on the volume.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Millard, John
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/167,521
Time in Patent Office

2,066 Days
Field of Search

726/22, 726/24, 713/187, 709/229, 707/9, 707/203
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Efficient file scanning using secure listing of file modification times

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient file scanning using secure listing of file modification times

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links