Filter driver for identifying disk files by analysis of content

US 8,346,805 B2
Filed: 06/09/2005
Issued: 01/01/2013
Est. Priority Date: 04/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting operations to save files to a system, wherein said intercepting is performed by a kernel mode input/output filter driver;

scanning contents of said files to generate file signatures respectively corresponding to said files, wherein said file signatures are dependent upon data stored within respective files, and wherein said scanning is performed by a signature processing user mode service;

for two or more of said files, determining whether individual ones of said file signatures respectively corresponding to said files match one or more signatures stored in a signature database;

for at least one file, in response to determining that said file signature respectively corresponding to said at least one file matches one or more signatures stored in said signature database, executing a storage policy with respect to said at least one file; and

for at least another file, in response to determining that said file signature respectively corresponding to said at least another file matches no signatures stored in said signature database, saving said at least another file to said system.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for excluding certain types of files from being saved to a system by examining file data. The file data is examined by: mapping the circular queue to memory; reading the file identifiers from the circular queue (a named mutex is locked until all file identifiers have been read from the queue); using the file identifier to open the file; scanning the opened file to create a file signature; comparing the file signature to each entry on a list of signature criteria; and performing a storage policy if there is a match.

9 Citations

View as Search Results

15 Claims

1. A method, comprising:
- intercepting operations to save files to a system, wherein said intercepting is performed by a kernel mode input/output filter driver;
  
  scanning contents of said files to generate file signatures respectively corresponding to said files, wherein said file signatures are dependent upon data stored within respective files, and wherein said scanning is performed by a signature processing user mode service;
  
  for two or more of said files, determining whether individual ones of said file signatures respectively corresponding to said files match one or more signatures stored in a signature database;
  
  for at least one file, in response to determining that said file signature respectively corresponding to said at least one file matches one or more signatures stored in said signature database, executing a storage policy with respect to said at least one file; and
  
  for at least another file, in response to determining that said file signature respectively corresponding to said at least another file matches no signatures stored in said signature database, saving said at least another file to said system.
- View Dependent Claims (2, 3, 4)
- - 2. The method as recited in claim 1, wherein for a given one of said files, said file signature is indicative of a type of data stored within said given file.
  - 3. The method as recited in claim 2, wherein said file signature includes a pattern of information located within the first 1,024 bytes of said given file, and wherein said pattern of information is common to all files of the same type as said given file.
  - 4. The method as recited in claim 1, wherein executing said storage policy includes at least one of:
    - deleting said at least one file, quarantining said at least one file, notifying a system administrator of said operation to save said at least one file, or notifying a user who initiated said operation that said at least one file is not allowed to be saved.

5. A method, comprising:
- intercepting operations to save files to a system, wherein said intercepting is performed by a kernel mode input/output filter driver;
  
  determining whether file identifiers respectively corresponding to said files satisfy specified file identifier criteria, wherein said file identifier criteria indicate disallowed types of files, and wherein said determining is performed by a signature processing user mode service;
  
  for at least a first file, in response to determining that said respectively corresponding file identifier satisfies said file identifier criteria, executing a storage policy with respect to said at least a first file;
  
  for at least a second and a third file, in response to determining that said respectively corresponding file identifier does not satisfy said file identifier criteria, determining whether a file signature generated dependent upon data stored within said at least a second file matches one or more signatures stored in a signature database, wherein determining whether said file signature matches is performed by a signature processing user mode service;
  
  for said at least a second file, in response to determining that said file signature matches one or more signatures stored in said signature database, executing said storage policy with respect to said at least a second file; and
  
  for said at least a third file, in response to determining that said respectively corresponding file signature matches no signatures stored in said signature database, saving said at least a third file to said system.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The method as recited in claim 5, wherein a given one of said file identifiers includes a file name.
  - 7. The method as recited in claim 5, wherein a given one of said file identifiers includes a file extension.
  - 8. The method as recited in claim 5, wherein for a given one of said files, said file signature is indicative of a type of data stored within said given file.
  - 9. The method as recited in claim 8, wherein said file signature includes a pattern of information located within the first 1,024 bytes of said given file, and wherein said pattern of information is common to all files of the same type as said given file.
  - 10. The method as recited in claim 5, wherein executing said storage policy includes at least one of:
    - deleting said at least a first file, quarantining said at least a first file, notifying a system administrator of said operation to save said at least a first file, or notifying a user who initiated said operation that said at least a first file is not allowed to be saved.
  - 11. The method as recited in claim 5, wherein said determining whether said file identifiers respectively corresponding to said files satisfy said specified file identifier criteria is performed by the kernel-mode input/output filter driver.

12. A system, comprising:
- an input/output filter driver configured to operate in kernel mode;
  
  a signature processing user mode service;
  
  a signature database; and
  
  a policy database;
  
  wherein said input/output filter driver is configured to intercept attempts to save files to the system;
  
  wherein said signature processing user mode service is configured to scan contents of said file to generate file signatures respectively corresponding to said files, wherein said file signatures are dependent upon data stored within respective files, and to determine whether individual ones of said file signatures respectively corresponding to said files match one or more signatures stored in said signature database;
  
  wherein for at least one file, in response to determining that said file signature respectively corresponding to said at least one file matches one or more signatures stored in said signature database, said signature processing user mode service is further configured to execute a storage policy stored within said policy database with respect to said at least one file; and
  
  wherein for at least another file, in response to said signature processing user mode service determining that said file signature respectively corresponding to said at least another file matches no signatures stored in said signature database, said input/output filter driver is further configured to save said at least another file to said system.
- View Dependent Claims (13, 14, 15)
- - 13. The system as recited in claim 12, wherein for a given one of said files, said file signature is indicative of a type of data stored within said file.
  - 14. The system as recited in claim 13, wherein said file signature includes a pattern of information located within the first 1,024 bytes of said given file, and wherein said pattern of information is common to all files of the same type as said given file.
  - 15. The system as recited in claim 12, wherein executing said storage policy includes at least one of:
    - deleting said at least one file, quarantining said at least one file, notifying a system administrator of said operation to save said at least one file, or notifying a user who initiated said operation that said at least one file is not allowed to be saved.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kyler, Daniel B.
Primary Examiner(s)
Boccio, Vincent

Application Number

US11/148,690
Publication Number

US 20050234866A1
Time in Patent Office

2,763 Days
Field of Search

707/781, 713/164
US Class Current

707/781
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/564   by virus signature recognition

G06F 21/6281   at program execution time, ...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 9/52   Program synchronisation; Mu...

H04L 63/123   received data contents, e.g...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99945   Object-oriented database st...

Filter driver for identifying disk files by analysis of content

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Filter driver for identifying disk files by analysis of content

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links