Filter driver for identifying disk files by analysis of content
Abstract
A system and method for excluding certain types of files from being saved to a system by examining file data. The file data is examined by: mapping the circular queue to memory; reading the file identifiers from the circular queue (a named mutex is locked until all file identifiers have been read from the queue); using the file identifier to open the file; scanning the opened file to create a file signature; comparing the file signature to each entry on a list of signature criteria; and performing a storage policy if there is a match.
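The abstract's user-mode steps, sketched as an added example that is not code from the patent. A `deque` and a `threading.Lock` stand in for the memory-mapped circular queue and the named mutex; the magic-byte signature list, the delete policy and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
import threading
from collections import deque

# Assumption: a signature is the file's leading magic bytes; the page only
# says signatures depend on the data stored within the file.
SIGNATURE_CRITERIA = [  # constructed sample criteria: (label, magic bytes)
    ("windows-executable", b"MZ"),
    ("zip-archive", b"PK\x03\x04"),
]
queue_lock = threading.Lock()  # stands in for the named mutex
file_queue = deque(maxlen=64)  # stands in for the memory-mapped circular queue

def drain_queue():
    """Read every queued file identifier while the lock is held."""
    with queue_lock:
        ids = list(file_queue)
        file_queue.clear()
    return ids

def match_signature(path, window=16):
    """Open the file, scan its leading bytes, compare to each criterion."""
    with open(path, "rb") as fh:
        head = fh.read(window)
    for label, magic in SIGNATURE_CRITERIA:
        if head.startswith(magic):
            return label
    return None

def process_queue(policy=os.remove):
    """Run the storage policy on matches; unmatched files stay saved."""
    verdicts = {}
    for path in drain_queue():
        label = match_signature(path)
        if label is not None:
            policy(path)  # hypothetical storage policy: delete the file
        verdicts[os.path.basename(path)] = label
    return verdicts

def demo():
    """Constructed input: an MZ file named .jpg and a plain text file."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"holiday.jpg": b"MZ\x90\x00" + bytes(60), "notes.txt": b"notes\n"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            file_queue.append(os.path.join(d, name))
        return process_queue(), sorted(os.listdir(d))
```

Because the verdict comes from the file's content, the `.jpg` name on the first sample does not keep it from matching the executable signature.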
15 Claims
1. A method, comprising:
- intercepting operations to save files to a system, wherein said intercepting is performed by a kernel mode input/output filter driver;
- scanning contents of said files to generate file signatures respectively corresponding to said files, wherein said file signatures are dependent upon data stored within respective files, and wherein said scanning is performed by a signature processing user mode service;
- for two or more of said files, determining whether individual ones of said file signatures respectively corresponding to said files match one or more signatures stored in a signature database;
- for at least one file, in response to determining that said file signature respectively corresponding to said at least one file matches one or more signatures stored in said signature database, executing a storage policy with respect to said at least one file; and
- for at least another file, in response to determining that said file signature respectively corresponding to said at least another file matches no signatures stored in said signature database, saving said at least another file to said system.
Dependent claims: 2, 3, 4

5. A method, comprising:
- intercepting operations to save files to a system, wherein said intercepting is performed by a kernel mode input/output filter driver;
- determining whether file identifiers respectively corresponding to said files satisfy specified file identifier criteria, wherein said file identifier criteria indicate disallowed types of files, and wherein said determining is performed by a signature processing user mode service;
- for at least a first file, in response to determining that said respectively corresponding file identifier satisfies said file identifier criteria, executing a storage policy with respect to said at least a first file;
- for at least a second and a third file, in response to determining that said respectively corresponding file identifier does not satisfy said file identifier criteria, determining whether a file signature generated dependent upon data stored within said at least a second file matches one or more signatures stored in a signature database, wherein determining whether said file signature matches is performed by a signature processing user mode service;
- for said at least a second file, in response to determining that said file signature matches one or more signatures stored in said signature database, executing said storage policy with respect to said at least a second file; and
- for said at least a third file, in response to determining that said respectively corresponding file signature matches no signatures stored in said signature database, saving said at least a third file to said system.
Dependent claims: 6, 7, 8, 9, 10, 11

12. A system, comprising:
- an input/output filter driver configured to operate in kernel mode;
- a signature processing user mode service;
- a signature database; and
- a policy database;
- wherein said input/output filter driver is configured to intercept attempts to save files to the system;
- wherein said signature processing user mode service is configured to scan contents of said file to generate file signatures respectively corresponding to said files, wherein said file signatures are dependent upon data stored within respective files, and to determine whether individual ones of said file signatures respectively corresponding to said files match one or more signatures stored in said signature database;
- wherein for at least one file, in response to determining that said file signature respectively corresponding to said at least one file matches one or more signatures stored in said signature database, said signature processing user mode service is further configured to execute a storage policy stored within said policy database with respect to said at least one file; and
- wherein for at least another file, in response to said signature processing user mode service determining that said file signature respectively corresponding to said at least another file matches no signatures stored in said signature database, said input/output filter driver is further configured to save said at least another file to said system.
Dependent claims: 13, 14, 15

Specification