System and method for analyzing locked files

US 8,452,744 B2
Filed: 06/06/2005
Issued: 05/28/2013
Est. Priority Date: 06/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method for scanning files located on a storage device of a protected computer for pestware, the method comprising:

identifying, using an application, a file on the storage device that is inaccessible to the application via an operating system of the protected computer, wherein the file is made inaccessible to the application by the operating system before the identifying, the application being separate from the operating system;

locating, on the storage device while the file remains inaccessible to the application via the operating system, a listing of a plurality of pointers for the file, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations;

accessing, using the application while the file remains inaccessible to the application via the operating system, at least one of the plurality of portions of data;

analyzing, while the file remains inaccessible to the application via the operating system, information from the at least one of the plurality of portions of data so as to determine whether the file is a potential pestware file; and

altering the listing of a plurality of pointers in response to the file being identified as a pestware file and while the operating system continues to limit access to the file via the operating system;

wherein altering the listing of a plurality of pointers comprises at least one of;

(i) reading the file allocation table (FAT) into memory and zeroing out the FAT entries associated with the locked file; and

(ii) deleting the locked file name from a file entry and removing at least a portion of the listing of pointers to the data for the locked file.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for scanning files for pestware on a protected computer are described. In one variation, when a file on a storage device is inaccessible via an operating system of the protected computer, a listing of a plurality of pointers for the file is located on the storage device. Each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations. One or more of the plurality of portions for the data are accessed and analyzed, while the operating system continues to limit access to the file via the operating system, so as to determine whether the file is a pestware file.

95 Citations

View as Search Results

18 Claims

1. A method for scanning files located on a storage device of a protected computer for pestware, the method comprising:
- identifying, using an application, a file on the storage device that is inaccessible to the application via an operating system of the protected computer, wherein the file is made inaccessible to the application by the operating system before the identifying, the application being separate from the operating system;
  
  locating, on the storage device while the file remains inaccessible to the application via the operating system, a listing of a plurality of pointers for the file, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations;
  
  accessing, using the application while the file remains inaccessible to the application via the operating system, at least one of the plurality of portions of data;
  
  analyzing, while the file remains inaccessible to the application via the operating system, information from the at least one of the plurality of portions of data so as to determine whether the file is a potential pestware file; and
  
  altering the listing of a plurality of pointers in response to the file being identified as a pestware file and while the operating system continues to limit access to the file via the operating system;
  
  wherein altering the listing of a plurality of pointers comprises at least one of;
  
  (i) reading the file allocation table (FAT) into memory and zeroing out the FAT entries associated with the locked file; and
  
  (ii) deleting the locked file name from a file entry and removing at least a portion of the listing of pointers to the data for the locked file.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, including copying the at least one of the plurality of portions of data to a second file on the storage device, and wherein the analyzing information includes analyzing information from the second file.
  - 3. The method of claim 1, wherein the analyzing includes placing the information in volatile memory and analyzing the information from the volatile memory.
  - 4. The method of claim 1, wherein the listing of the plurality of pointers is located in a data bitmap, and wherein files on the storage device are organized in accordance with a New Technology File System (NTFS).
  - 5. The method of claim 1, wherein the listing of the plurality of pointers are entries in a file allocation table (FAT).
  - 6. The method of claim 1, wherein the locating includes locating a directory entry for the file.

7. A system for detecting pestware files on a file storage device of a protected computer, the protected computer including an operating system, the system comprising:
- a processor; and
  
  a memory containing a plurality of program instructions, the plurality of program instructions including;
  
  a pestware detection module configured to cause the processor to;
  
  identify, using the pestware detection module, a file on the storage device that is inaccessible to the pestware detection module via an operating system of the protected computer, wherein the file is made inaccessible to the pestware detection module before the file is identified, the application being separate from the operating system;
  
  locate, on the storage device while the file remains inaccessible to the pestware detection module via the operating system, a listing of a plurality of pointers for the file, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations;
  
  access, using the pestware detection module while the file remains inaccessible to the pestware detection module via the operating system, at least one of the plurality of portions for the data;
  
  analyze, while the file remains inaccessible to the pestware detection module via the operating system, information from the at least one of the plurality of portions of data so as to determine whether the file is a potential pestware file; and
  
  a pestware removal module configured to cause the processor to alter the listing of a plurality of pointers in response to the file being identified as a pestware file and while the operating system continues to limit access to the file via the operating system, wherein altering the listing of a plurality of pointers comprises at least one of;
  
  (i) reading the file allocation table (FAT) into memory and zeroing out the FAT entries associated with the locked file; and
  
  (ii) deleting the locked file name from a file entry and removing at least a portion of the listing of pointers to the data for the locked file.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the pestware detection module is configured to cause the processor to copy the at least one of the plurality of portions of data to a second file on the storage device, and wherein the analyzing information includes analyzing information from the second file.
  - 9. The system of claim 7, wherein the pestware detection module is configured to cause the processor to place the information in volatile memory and analyze the information from the volatile memory.
  - 10. The system of claim 7, wherein the listing of the plurality of pointers is located in a data bitmap, and wherein files on the storage device are organized in accordance with a New Technology File System (NTFS).
  - 11. The system of claim 7, wherein the listing of the plurality of pointers are entries in a file allocation table (FAT).
  - 12. The system of claim 7, wherein the pestware detection module is configured to cause the processor to locate a directory entry for the file.

13. A non-transitory computer-readable storage medium comprising a plurality of program instructions executable by a processor for scanning pestware files on a storage device of a protected computer, the plurality of program instructions including instructions for:
- identifying, using a portion of the plurality of program instructions a file on the storage device that is inaccessible to the plurality of program instructions via an operating system of the protected computer, wherein the file is made inaccessible to the plurality of program instructions by the operating system before the identifying, the application being separate from the operating system;
  
  locating, on the storage device while the file remains inaccessible via the operating system, a listing of a plurality of pointers for the file, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations;
  
  accessing, while the file remains inaccessible to the plurality of program instructions via the operating system, at least one of the plurality of portions for the data;
  
  analyzing, while the file remains inaccessible to the plurality of program instructions via the operating system, information from the at least one of the plurality of portions of data so as to determine whether the file is a potential pestware file; and
  
  altering the listing of a plurality of pointers in response to the file being identified as a pestware file and while the operating system continues to limit access to the file via the operating system;
  
  wherein altering the listing of a plurality of pointers comprises at least one of;
  
  (i) reading the file allocation table (FAT) into memory and zeroing out the FAT entries associated with the locked file; and
  
  (ii) deleting the locked file name from a file entry and removing at least a portion of the listing of pointers to the data for the locked file.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the plurality of program instructions include instructions for copying the at least one of the plurality of portions of data to a second file on the storage device, and wherein the analyzing information includes analyzing information from the second file.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the instructions for analyzing include instructions for placing the information in volatile memory and analyzing the information from the volatile memory.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the listing of the plurality of pointers is located in a data bitmap, and wherein files on the storage device are organized in accordance with a New Technology File System (NTFS).
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the listing of the plurality of pointers are entries in a file access table (FAT).
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the instructions for locating include instructions for locating a directory entry for the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Nichols, Tony, Burtscher, Michael
Primary Examiner(s)
Uddin, Mohammed R

Application Number

US11/145,592
Publication Number

US 20060277182A1
Time in Patent Office

2,913 Days
Field of Search

707/205, 707/8, 707/2, 707/101, 707/705, 707/999.001, 726/24, 713/187, 713/188
US Class Current

707/705
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

System and method for analyzing locked files

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for analyzing locked files

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links