Content filtering of remote file-system access protocols

US 8,353,042 B2
Filed: 09/01/2008
Issued: 01/08/2013
Est. Priority Date: 05/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting by a proxy associated with a network device, logically interposed between a client and a server, a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a request to make a partial file access to a file associated with a share of the server;

the proxy issuing the SMB/CIFS protocol request to the server on behalf of the client;

the proxy implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;

the proxy buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and

responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, the proxy determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the single shared holding buffer by performing content filtering on the single shared holding buffer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, holding buffers in which data collected from a remote file-system access protocol is stored, a holding buffer context table, a file map table and a usage table corresponding to each holding buffer are created within one or more computer-readable media. References to each of the holding buffers are tracked within the holding buffer context table. References to a common file are mapped to a common holding buffer of the holding buffers with the file map table. Modified and unmodified portions of the holding buffers are tracked using the usage table corresponding to each holding buffer. Responsive to a predetermined event in relation to a holding buffer or the holding buffers, the existence of malicious, dangerous or unauthorized content contained within the holding buffer is determined by performing content filtering on the holding buffer.

13 Citations

View as Search Results

59 Claims

1. A method comprising:
- intercepting by a proxy associated with a network device, logically interposed between a client and a server, a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a request to make a partial file access to a file associated with a share of the server;
  
  the proxy issuing the SMB/CIFS protocol request to the server on behalf of the client;
  
  the proxy implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  the proxy buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
  
  responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, the proxy determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the single shared holding buffer by performing content filtering on the single shared holding buffer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 41, 42, 43)
- - 2. The method of claim 1, wherein the network device comprises a gateway.
  - 3. The method of claim 1, wherein the proxy comprises a transparent proxy that implements handlers for only a subset of commands of the SMB/CIFS protocol.
  - 4. The method of claim 1, wherein the single shared holding buffer is stored in non-persistent storage of the network device.
  - 5. The method of claim 1, wherein the single shared holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 6. The method of claim 1, further comprising the proxy tracking references to the single shared holding buffer by maintaining a reference table containing file identifiers.
  - 7. The method of claim 6, further comprising the proxy tracking usage and modification of the single shared holding buffer with a usage table.
  - 8. The method of claim 7, wherein the usage table contains information indicative of free and filled sections of the single shared holding buffer.
  - 9. The method of claim 1, wherein the predetermined event comprises determining the single shared holding buffer is full.
  - 10. The method of claim 1, wherein the predetermined event comprises observing one or more behaviors commonly exhibited by file-infecting viruses.
  - 11. The method of claim 10, wherein the one or more behaviors include an attempt to append data to the file.
  - 41. The computer-readable storage medium of claim 1, wherein the method further comprises tracking references to the single shared holding buffer by maintaining a reference table containing file identifiers.
  - 42. The computer-readable storage medium of claim 41, wherein the method further comprises tracking usage and modification of the single shared holding buffer with a usage table.
  - 43. The computer-readable storage medium of claim 42, wherein the usage table contains information indicative of free and filled sections of the single shared holding buffer.

12. A network device comprising:
- a content processor implementing one or more filters configured to detect the presence of malicious code in data being scanned;
  
  a remote file-system access protocol proxy, coupled to the content processor, configured to be logically interposed between a client and a server and to cause content filtering to be performed by the content processor on data transferred between the client and server via a remote file-system access protocol responsive to a predetermined event, wherein the remote file-system access protocol proxy is further configured to handle remote file-system access protocol requests each representing a request to make a partial file access to one of a plurality of files associated with a share of the server; and
  
  a memory containing therein a plurality of file buffer data structures, the file buffer data structures configured to buffer data being read from or written to the plurality of files as a result of the remote file-system access protocol requests and map multiple references, by a plurality of processes running on the client, to individual files of the plurality of files during a remote file-system access protocol session to a single holding buffer corresponding to each of the individual files by mapping different file IDs referring to each of the individual files to the single shared holding buffer.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The network device of claim 12, wherein the remote file-system access protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) protocol.
  - 14. The network device of claim 12, wherein the network device comprises a network gateway.
  - 15. The network device of claim 12, wherein the remote file-system access protocol proxy comprises a transparent proxy.
  - 16. The network device of claim 12, wherein the memory is a shared memory that is accessible by a plurality of processes running within the network device.
  - 17. The network device of claim 12, wherein the file buffer data structures include a usage table corresponding to each single holding buffer to facilitate tracking of usage and modification of each single holding buffer.
  - 18. The network device of claim 17, wherein each usage table includes entries indicative of free and filled sections of each corresponding single holding buffer.
  - 19. The network device of claim 12, wherein the predetermined event comprises determining one or more of the single holding buffers is full.
  - 20. The network device of claim 12, wherein the predetermined event comprises the remote file-system access protocol proxy observing one or more behaviors commonly exhibited by file-infecting viruses.
  - 21. The network device of claim 20, wherein the one or more behaviors include an attempt to append data to a file of the plurality of files.

22. A method comprising:
- receiving a request to establish a network session at a network device, the request being characterized by a source network address, a destination network address and a remote file-system access protocol;
  
  collecting data associated with the network session by intercepting at a proxy associated with the network device, logically interposed between a client and server, a remote file-system access protocol request from the client, and a remote file-system access protocol response from the server, wherein the remote file-system access protocol request represents a request to make a partial file access to a file associated with a share of the server;
  
  the proxy issuing the remote file-system access protocol request to the server on behalf of the client, and forwarding the remote file-system access protocol response to the client on behalf of the server;
  
  the proxy implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  the proxy buffering the collected data into the single shared holding buffer data; and
  
  responsive to a predetermined event in relation to the remote file-system access protocol or the single shared holding buffer, performing content filtering on the collected data.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, wherein the network device comprises a gateway.
  - 24. The method of claim 22, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).
  - 25. The method of claim 22, wherein the proxy implements handlers for all or a subset of commands of the remote file-system access protocol.

26. A method comprising:
- intercepting by a proxy associated with a network device, logically interposed between a client and a server, a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a random or sequential access to a portion of data of a file associated with a share of the server;
  
  the proxy issuing the SMB/CIFS protocol request to the server on behalf of the client;
  
  the proxy implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  the proxy buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
  
  responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, the proxy determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file buffer by performing content filtering on the single shared holding buffer.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 27. The method of claim 26, wherein the network device comprises a gateway.
  - 28. The method of claim 26, wherein the proxy comprises a transparent proxy that implements handlers for only a subset of commands of the SMB/CIFS protocol.
  - 29. The method of claim 26, wherein the single shared holding buffer is stored in non-persistent storage of the network device.
  - 30. The method of claim 26, wherein the single shared holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 31. The method of claim 26, further comprising the proxy tracking references to the single shared holding buffer by maintaining a reference table containing file identifiers.
  - 32. The method of claim 31, further comprising the proxy tracking usage and modification of the single shared holding buffer with a usage table.
  - 33. The method of claim 32, wherein the usage table contains information indicative of free and filled sections of the single shared holding buffer.
  - 34. The method of claim 26, wherein the predetermined event comprises determining the single shared holding buffer is full.
  - 35. The method of claim 26, wherein the predetermined event comprises observing one or more behaviors commonly exhibited by file-infecting viruses.
  - 36. The method of claim 35, wherein the one or more behaviors include an attempt to append data to the file.

37. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network device logically interposed between a client and a server, cause the one or more processors to perform a method of proxying comprising:
- intercepting a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a request to make a partial file access to a file associated with a share of the server;
  
  issuing the SMB/CIFS protocol request to the server on behalf of the client;
  
  implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
  
  responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the single shared holding buffer by performing content filtering on the single shared holding buffer.
- View Dependent Claims (38, 39, 40, 44, 45, 46)
- - 38. The computer-readable storage medium of claim 37, wherein the network device comprises a gateway.
  - 39. The computer-readable storage medium of claim 37, wherein the single shared holding buffer is stored in non-persistent storage of the network device.
  - 40. The computer-readable storage medium of claim 37, wherein the single shared holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 44. The computer-readable storage medium of claim 37, wherein the predetermined event comprises determining the single shared holding buffer is full.
  - 45. The computer-readable storage medium of claim 37, wherein the predetermined event comprises observing one or more behaviors commonly exhibited by file-infecting viruses.
  - 46. The computer-readable storage medium of claim 45, wherein the one or more behaviors include an attempt to append data to the file.

47. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network device logically interposed between a client and a server, cause the one or more processors to perform a method of proxying comprising:
- receiving a request to establish a network session, the request being characterized by a source network address, a destination network address and a remote file-system access protocol;
  
  collecting data associated with the network session by intercepting a remote file-system access protocol request from the client, and a remote file-system access protocol response from the server, wherein the remote file-system access protocol request represents a request to make a partial file access to a file associated with a share of the server;
  
  issuing the remote file-system access protocol request to the server on behalf of the client and forwarding the remote file-system access protocol response to the client on behalf of the server;
  
  implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  buffering the collected data into the single shared holding buffer data; and
  
  responsive to a predetermined event in relation to the remote file-system access protocol or the single shared holding buffer, performing content filtering on the collected data.
- View Dependent Claims (48, 49)
- - 48. The computer-readable storage medium of claim 47, wherein the network device comprises a gateway.
  - 49. The computer-readable storage medium of claim 47, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).

50. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network device logically interposed between a client and a server, cause the one or more processors to perform a method of proxying comprising:
- intercepting a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a random or sequential access to a portion of data of a file associated with a share of the server;
  
  issuing the SMB/CIFS protocol request to the server on behalf of the client;
  
  implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
  
  responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file buffer by performing content filtering on the single shared holding buffer.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 51. The computer-readable storage medium of claim 50, wherein the network device comprises a gateway.
  - 52. The computer-readable storage medium of claim 50, wherein the single shared holding buffer is stored in non-persistent storage of the network device.
  - 53. The computer-readable storage medium of claim 50, wherein the single shared holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 54. The computer-readable storage medium of claim 50, wherein the method further comprises tracking references to the single shared holding buffer by maintaining a reference table containing file identifiers.
  - 55. The computer-readable storage medium of claim 54, wherein the method further comprises tracking usage and modification of the single shared holding buffer with a usage table.
  - 56. The computer-readable storage medium of claim 55, wherein the usage table contains information indicative of free and filled sections of the single shared holding buffer.
  - 57. The computer-readable storage medium of claim 50, wherein the predetermined event comprises determining the single shared holding buffer is full.
  - 58. The computer-readable storage medium of claim 50, wherein the predetermined event comprises observing one or more behaviors commonly exhibited by file-infecting viruses.
  - 59. The computer-readable storage medium of claim 58, wherein the one or more behaviors include an attempt to append data to the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William Jeffrey
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US12/202,427
Publication Number

US 20090006423A1
Time in Patent Office

1,590 Days
Field of Search

726/12, 726/24, 707/10
US Class Current

726/24
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 16/00   Information retrieval; Data...

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

H04L 49/90   Buffering arrangements

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/145   the attack involving the pr...

H04L 65/102   Gateways arrangements for c...

H04L 67/06   specially adapted for file ...

H04L 67/289   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

H04L 9/40   Network security protocols

Content filtering of remote file-system access protocols

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

Content filtering of remote file-system access protocols

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links