System and method for analyzing locked files
Abstract
Systems and methods for scanning files for pestware on a protected computer are described. In one variation, when a file on a storage device is inaccessible via an operating system of the protected computer, a listing of a plurality of pointers for the file is located on the storage device. Each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations. One or more of the plurality of portions for the data are accessed and analyzed, while the operating system continues to limit access to the file via the operating system, so as to determine whether the file is a pestware file.
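The locate, access and analyze steps of the abstract, shown as an added example (not code from the patent or its assignee). It assumes a FAT16 volume, models the raw storage device as a constructed in-memory image, and uses hypothetical helper names and a made-up marker string.

```python
import struct

MARKER = b"PEST-TEST-MARKER"  # constructed signature, not a real detection pattern

def build_image():
    """Constructed FAT16-style image: LOCKED.BIN stored in clusters 5 -> 2 -> 7."""
    img = bytearray(512 * 12)
    # BPB: 512 B/sector, 1 sector/cluster, 1 reserved sector, 1 FAT, 16 root entries
    struct.pack_into("<HBHBH", img, 11, 512, 1, 1, 1, 16)
    struct.pack_into("<H", img, 22, 1)  # sectors per FAT
    data = b"A" * 505 + MARKER + b"B" * 600  # marker straddles a cluster boundary
    for cur, nxt in ((5, 2), (2, 7), (7, 0xFFFF)):  # the "listing of pointers"
        struct.pack_into("<H", img, 512 + 2 * cur, nxt)
    # 8.3 directory entry: name, attribute, first cluster (offset 26), size (offset 28)
    struct.pack_into("<11sB14xHI", img, 1024, b"LOCKED  BIN", 0x20, 5, len(data))
    for n, c in enumerate((5, 2, 7)):
        chunk = data[n * 512:(n + 1) * 512]
        off = 1536 + (c - 2) * 512
        img[off:off + len(chunk)] = chunk
    return img

def geometry(img):
    """Derive region offsets from the boot sector, without any file-level OS call."""
    bps, spc, reserved, nfats, root_ents = struct.unpack_from("<HBHBH", img, 11)
    fatsz, = struct.unpack_from("<H", img, 22)
    fat_off = reserved * bps
    root_off = fat_off + nfats * fatsz * bps
    data_off = root_off + -(-root_ents * 32 // bps) * bps
    return fat_off, root_off, root_ents, data_off, bps * spc

def cluster_chain(img, name83):
    fat_off, root_off, root_ents, _, _ = geometry(img)
    for i in range(root_ents):
        ent = root_off + 32 * i
        if bytes(img[ent:ent + 11]) == name83:
            cluster, size = struct.unpack_from("<HI", img, ent + 26)
            chain = []
            while 2 <= cluster < 0xFFF8 and cluster not in chain:  # stop on loops
                chain.append(cluster)
                cluster, = struct.unpack_from("<H", img, fat_off + 2 * cluster)
            return chain, size
    raise FileNotFoundError(name83)

def read_file(img, name83):
    _, _, _, data_off, csize = geometry(img)
    chain, size = cluster_chain(img, name83)
    raw = b"".join(bytes(img[data_off + (c - 2) * csize:][:csize]) for c in chain)
    return raw[:size]  # drop slack space in the last cluster

def is_flagged(img, name83):
    return MARKER in read_file(img, name83)
```

Because the file's clusters are stored out of order, a linear sweep of the raw image never sees the marker contiguously; only reassembly through the pointer chain exposes it.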
18 Claims
1. A method for scanning files located on a storage device of a protected computer for pestware, the method comprising:
identifying, using an application, a file on the storage device that is inaccessible to the application via an operating system of the protected computer, wherein the file is made inaccessible to the application by the operating system before the identifying, the application being separate from the operating system;
locating, on the storage device while the file remains inaccessible to the application via the operating system, a listing of a plurality of pointers for the file, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations;
accessing, using the application while the file remains inaccessible to the application via the operating system, at least one of the plurality of portions of data;
analyzing, while the file remains inaccessible to the application via the operating system, information from the at least one of the plurality of portions of data so as to determine whether the file is a potential pestware file; and
altering the listing of a plurality of pointers in response to the file being identified as a pestware file and while the operating system continues to limit access to the file via the operating system;
wherein altering the listing of a plurality of pointers comprises at least one of;
(i) reading the file allocation table (FAT) into memory and zeroing out the FAT entries associated with the locked file; and
(ii) deleting the locked file name from a file entry and removing at least a portion of the listing of pointers to the data for the locked file.
7. A system for detecting pestware files on a file storage device of a protected computer, the protected computer including an operating system, the system comprising:
a processor; and
a memory containing a plurality of program instructions, the plurality of program instructions including;
a pestware detection module configured to cause the processor to;
identify, using the pestware detection module, a file on the storage device that is inaccessible to the pestware detection module via an operating system of the protected computer, wherein the file is made inaccessible to the pestware detection module before the file is identified, the application being separate from the operating system;
locate, on the storage device while the file remains inaccessible to the pestware detection module via the operating system, a listing of a plurality of pointers for the file, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations;
access, using the pestware detection module while the file remains inaccessible to the pestware detection module via the operating system, at least one of the plurality of portions for the data;
analyze, while the file remains inaccessible to the pestware detection module via the operating system, information from the at least one of the plurality of portions of data so as to determine whether the file is a potential pestware file; and
a pestware removal module configured to cause the processor to alter the listing of a plurality of pointers in response to the file being identified as a pestware file and while the operating system continues to limit access to the file via the operating system, wherein altering the listing of a plurality of pointers comprises at least one of;
(i) reading the file allocation table (FAT) into memory and zeroing out the FAT entries associated with the locked file; and
(ii) deleting the locked file name from a file entry and removing at least a portion of the listing of pointers to the data for the locked file.
13. A non-transitory computer-readable storage medium comprising a plurality of program instructions executable by a processor for scanning pestware files on a storage device of a protected computer, the plurality of program instructions including instructions for:
identifying, using a portion of the plurality of program instructions a file on the storage device that is inaccessible to the plurality of program instructions via an operating system of the protected computer, wherein the file is made inaccessible to the plurality of program instructions by the operating system before the identifying, the application being separate from the operating system;
locating, on the storage device while the file remains inaccessible via the operating system, a listing of a plurality of pointers for the file, wherein each of the plurality of pointers in the listing points to a corresponding one of a plurality of locations on the storage device, and the storage device stores each of a plurality of portions of data for the file at a corresponding one of each of the plurality of locations;
accessing, while the file remains inaccessible to the plurality of program instructions via the operating system, at least one of the plurality of portions for the data;
analyzing, while the file remains inaccessible to the plurality of program instructions via the operating system, information from the at least one of the plurality of portions of data so as to determine whether the file is a potential pestware file; and
altering the listing of a plurality of pointers in response to the file being identified as a pestware file and while the operating system continues to limit access to the file via the operating system;
wherein altering the listing of a plurality of pointers comprises at least one of;
(i) reading the file allocation table (FAT) into memory and zeroing out the FAT entries associated with the locked file; and
(ii) deleting the locked file name from a file entry and removing at least a portion of the listing of pointers to the data for the locked file.
Specification