Content filtering of remote file-system access protocols
Abstract
Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, holding buffers in which data collected from a remote file-system access protocol is stored, a holding buffer context table, a file map table and a usage table corresponding to each holding buffer are created within one or more computer-readable media. References to each of the holding buffers are tracked within the holding buffer context table. References to a common file are mapped to a common holding buffer of the holding buffers with the file map table. Modified and unmodified portions of the holding buffers are tracked using the usage table corresponding to each holding buffer. Responsive to a predetermined event in relation to a holding buffer or the holding buffers, the existence of malicious, dangerous or unauthorized content contained within the holding buffer is determined by performing content filtering on the holding buffer.
59 Claims
1. A method comprising:
intercepting by a proxy associated with a network device, logically interposed between a client and a server, a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a request to make a partial file access to a file associated with a share of the server;
the proxy issuing the SMB/CIFS protocol request to the server on behalf of the client;
the proxy implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
the proxy buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, the proxy determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the single shared holding buffer by performing content filtering on the single shared holding buffer.
Dependent claims: 2-11, 41-43.

12. A network device comprising:
a content processor implementing one or more filters configured to detect the presence of malicious code in data being scanned;
a remote file-system access protocol proxy, coupled to the content processor, configured to be logically interposed between a client and a server and to cause content filtering to be performed by the content processor on data transferred between the client and server via a remote file-system access protocol responsive to a predetermined event, wherein the remote file-system access protocol proxy is further configured to handle remote file-system access protocol requests each representing a request to make a partial file access to one of a plurality of files associated with a share of the server; and
a memory containing therein a plurality of file buffer data structures, the file buffer data structures configured to buffer data being read from or written to the plurality of files as a result of the remote file-system access protocol requests and map multiple references, by a plurality of processes running on the client, to individual files of the plurality of files during a remote file-system access protocol session to a single holding buffer corresponding to each of the individual files by mapping different file IDs referring to each of the individual files to the single shared holding buffer.
Dependent claims: 13-21.

22. A method comprising:
receiving a request to establish a network session at a network device, the request being characterized by a source network address, a destination network address and a remote file-system access protocol;
collecting data associated with the network session by intercepting at a proxy associated with the network device, logically interposed between a client and server, a remote file-system access protocol request from the client, and a remote file-system access protocol response from the server, wherein the remote file-system access protocol request represents a request to make a partial file access to a file associated with a share of the server;
the proxy issuing the remote file-system access protocol request to the server on behalf of the client, and forwarding the remote file-system access protocol response to the client on behalf of the server;
the proxy implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
the proxy buffering the collected data into the single shared holding buffer data; and
responsive to a predetermined event in relation to the remote file-system access protocol or the single shared holding buffer, performing content filtering on the collected data.
Dependent claims: 23-25.

26. A method comprising:
intercepting by a proxy associated with a network device, logically interposed between a client and a server, a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a random or sequential access to a portion of data of a file associated with a share of the server;
the proxy issuing the SMB/CIFS protocol request to the server on behalf of the client;
the proxy implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
the proxy buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, the proxy determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file buffer by performing content filtering on the single shared holding buffer.
Dependent claims: 27-36.

37. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network device logically interposed between a client and a server, cause the one or more processors to perform a method of proxying comprising:
intercepting a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a request to make a partial file access to a file associated with a share of the server;
issuing the SMB/CIFS protocol request to the server on behalf of the client;
implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the single shared holding buffer by performing content filtering on the single shared holding buffer.
Dependent claims: 38-40, 44-46.

47. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network device logically interposed between a client and a server, cause the one or more processors to perform a method of proxying comprising:
receiving a request to establish a network session, the request being characterized by a source network address, a destination network address and a remote file-system access protocol;
collecting data associated with the network session by intercepting a remote file-system access protocol request from the client, and a remote file-system access protocol response from the server, wherein the remote file-system access protocol request represents a request to make a partial file access to a file associated with a share of the server;
issuing the remote file-system access protocol request to the server on behalf of the client and forwarding the remote file-system access protocol response to the client on behalf of the server;
implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
buffering the collected data into the single shared holding buffer data; and
responsive to a predetermined event in relation to the remote file-system access protocol or the single shared holding buffer, performing content filtering on the collected data.
Dependent claims: 48-49.

50. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network device logically interposed between a client and a server, cause the one or more processors to perform a method of proxying comprising:
intercepting a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client, the SMB/CIFS protocol request representing a random or sequential access to a portion of data of a file associated with a share of the server;
issuing the SMB/CIFS protocol request to the server on behalf of the client;
implementing a single shared holding buffer for the file during a particular SMB/CIFS protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
buffering into the single shared holding buffer data being read from or written to the file as a result of the SMB/CIFS protocol request; and
responsive to a predetermined event in relation to the SMB/CIFS protocol or the single shared holding buffer, determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file buffer by performing content filtering on the single shared holding buffer.
Dependent claims: 51-59.

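As an added worked example, not code from the patent or its assignee, the following Python model exercises the structures the abstract and the independent claims name: a proxy logically interposed between an SMB client and a share forwards every partial read or write to the server, mirrors the data into one holding buffer per file per session, maps every file ID (FID) that different client processes open on that file to the same buffer through a file map table, keeps the open FIDs in a holding-buffer context table, records modified and unmodified bytes in a per-buffer usage table, and runs the content filter when the chosen predetermined event (the last FID for the file closes) fires. FakeShare, HoldingBuffer, SmbProxy, content_filter and the session and path names are this example's own assumptions, the share contents are constructed, and the only signature is the EICAR anti-virus test string; what the proxy does with a positive verdict (resetting the session, withholding the final response) is outside the example.

```python
from dataclasses import dataclass, field

# Real EICAR anti-virus test string, used as the sole signature of a toy content filter.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}
UNUSED, UNMODIFIED, MODIFIED = 0, 1, 2        # usage-table states, one entry per byte offset

class FakeShare:
    """Constructed stand-in for the server side: case-insensitive paths, a fresh FID per open."""
    def __init__(self, files):
        self.files = {p.lower(): bytearray(d) for p, d in files.items()}
        self.fids, self.last_fid = {}, 0
    def open(self, path):
        self.last_fid += 1
        self.fids[self.last_fid] = self.files.setdefault(path.lower(), bytearray())
        return self.last_fid
    def read(self, fid, offset, length):
        return bytes(self.fids[fid][offset:offset + length])
    def write(self, fid, offset, data):
        f = self.fids[fid]
        f.extend(b"\0" * max(0, offset + len(data) - len(f)))
        f[offset:offset + len(data)] = data
        return len(data)
    def close(self, fid):
        del self.fids[fid]

@dataclass
class HoldingBuffer:
    data: bytearray = field(default_factory=bytearray)
    usage: bytearray = field(default_factory=bytearray)    # the per-buffer usage table
    def put(self, offset, chunk, state):
        end = offset + len(chunk)
        if end > len(self.data):                             # grow for a sparse partial access
            self.data.extend(b"\0" * (end - len(self.data)))
            self.usage.extend(bytes([UNUSED]) * (end - len(self.usage)))
        self.data[offset:end] = chunk
        self.usage[offset:end] = bytes([state]) * len(chunk)
    def ranges(self, state):
        """Contiguous [start, end) byte ranges whose usage-table entry equals `state`."""
        out, start = [], None
        for i, s in enumerate(self.usage + bytes([255])):    # sentinel closes a trailing run
            if s == state and start is None:
                start = i
            elif s != state and start is not None:
                out.append((start, i))
                start = None
        return out

def content_filter(data):
    """Toy content processor: names of every signature found anywhere in `data`."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

class SmbProxy:
    """Interposed between client and share; each request is passed through and mirrored."""
    def __init__(self, server):
        self.server = server
        self.buffers = {}     # (session, path) -> HoldingBuffer
        self.context = {}     # holding-buffer context table: (session, path) -> open FIDs
        self.file_map = {}    # file map table: (session, fid) -> (session, path)
    def open(self, session, path):
        fid = self.server.open(path)                   # issued on behalf of the client
        key = (session, path.lower())                  # one buffer per file per session
        self.buffers.setdefault(key, HoldingBuffer())
        self.context.setdefault(key, set()).add(fid)   # a second process gets a new FID
        self.file_map[(session, fid)] = key            # that maps to the same buffer
        return fid
    def read(self, session, fid, offset, length):
        data = self.server.read(fid, offset, length)
        self.buffers[self.file_map[(session, fid)]].put(offset, data, UNMODIFIED)
        return data                                    # response forwarded to the client
    def write(self, session, fid, offset, data):
        self.buffers[self.file_map[(session, fid)]].put(offset, data, MODIFIED)
        return self.server.write(fid, offset, data)
    def close(self, session, fid):
        key = self.file_map.pop((session, fid))
        self.server.close(fid)
        self.context[key].discard(fid)
        if self.context[key]:                          # other processes still hold the file
            return None
        del self.context[key]                          # predetermined event: last FID closed
        buf = self.buffers.pop(key)
        return {"path": key[1], "signatures": content_filter(bytes(buf.data)),
                "modified": buf.ranges(MODIFIED), "unmodified": buf.ranges(UNMODIFIED),
                "unused": buf.ranges(UNUSED)}

def demo():
    proxy = SmbProxy(FakeShare({"\\docs\\notes.txt": b"hello world"}))   # constructed share
    s = "session-1"
    a = proxy.open(s, "\\docs\\Payload.bin")           # process A
    b = proxy.open(s, "\\docs\\payload.bin")           # process B: same file, different FID
    proxy.write(s, a, 0, EICAR[:40])
    proxy.write(s, b, 40, EICAR[40:])
    fragments_clean = content_filter(EICAR[:40]) == [] == content_filter(EICAR[40:])
    first, second = proxy.close(s, a), proxy.close(s, b)   # only the last close scans
    n = proxy.open(s, "\\docs\\notes.txt")
    proxy.read(s, n, 0, 5)
    proxy.read(s, n, 6, 5)                             # sparse reads leave an unused hole
    return fragments_clean, first, second, proxy.close(s, n)
```

Running demo() shows why the buffer has to be shared across FIDs: split over two processes, neither the 40-byte nor the 28-byte write fragment contains the signature, so a filter that scanned each request on its own would pass both, while the assembled holding buffer is flagged when the second FID closes. For the sparse reads of notes.txt the usage table separately reports the unmodified ranges [(0, 5), (6, 11)] and the unused hole (5, 6), which is what a flush or write-back step needs in order to touch only bytes the client actually changed. A production proxy would also bound each buffer's size and treat a read reaching end of file as an event; this toy does neither.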