Device detection system for monitoring use of removable media in networked computers
Abstract
A device detection system for detecting use of removable media such as flash drives, portable storage, disks, and digital cameras in computers. From each monitored client, messages are sent by a client device detection application to a server application running on a central or administrator computer or node. The messages include relevant information for the client computer such as IP address, computer name, and user name along with the device. Generally, a message will be sent when the device is first detected such as when it is attached to the client computer or connected to a port and when the device is later changed such as when the device is removed, and detection is achieved by a function intercepting event messages in the operating system environment combined with a drive detector. The messages are stored in system memory so as to log the attachment or use of removable media.
22 Claims
1. A system for monitoring use of removable devices in client computers that are linked to a network, comprising:
- a device detection server application running on a first computer linked to a communications network;
- a second computer linked to the communications network, the second computer being configured for attachment and removal of removable media; and
- a device detection client application running on the second computer to detect presence of the removable media on the second computer and in response to the detection of the presence to transmit a message to the device detection server application, wherein the device detection client application detects the removable media using both a message interceptor intercepting messages in the second computer and a drive detector detecting existing drives in the second computer, wherein the intercepted messages are processed by the device detection client application, on an outgoing basis during operation of the second computer to detect the media based on events indicating a media change including addition or removal of the removable media from the second computer, wherein the drive detector operates periodically to detect the existing drives in the second computer without processing the intercepted messages, whereby the drive detector is configured to detect ones of the removable media undetectable by the message interceptor;
wherein the intercepted messages are generated by one or more messaging mechanisms in an operating system environment of the second computer and wherein the message interceptor comprises a sub-classed function of a program running in the operating system environment.
Dependent claims: 2, 3, 4, 5, 6, 7, 17
8. A method for monitoring use of removable data storage media comprising a physical device adapted to be attached and removed from an externally-accessible drive or port of a computer, comprising:
- opening communications over a network between a client application on a first computer and a server application on second computer;
- with the client application, transmitting a name of the first computer and login information for a user of the first computer to the server application;
- determining a set of drives on the first computer with the client application;
- generating a device list for the first computer that includes the determined set of drives;
- transmitting the device list to the server application;
- monitoring for changes in the removable data storage media in the first computer by intercepting with the client application messages generated by programs running on the first computer;
- when one of the messages relates to one of the changes in the removable data storage media, updating the device list for the first computer based on the messages relating to the changes;
- transmitting a message defining a change in the removable data storage media for the first computer based on the one of the messages to the server application; and
- with the server application, determining if the change in the removable data storage media is a permitted use of the first computer, wherein the permitted use includes removal or removal of removable media from the first computer;
wherein the server application detects the removable media using both a message interceptor intercepting messages in the second computer and a drive detector detecting existing drives in the second computer;
wherein the intercepted messages are generated by one or more messaging mechanisms in an operating system environment of the second computer and wherein the message interceptor comprises a sub-classed function of a program running in the operating system environment.
Dependent claims: 9, 10, 11, 12, 22
13. A device detection system, comprising:
- periodically determining a subset of existing drives on a computer, wherein the subset of existing drives comprises drives on the computer configured for use with removable media;
- detecting a status change for removable media in the computer;
- updating a list of devices for the computer to include a most recent one of the subset of the existing drives and each of the detected status changes;
- transferring the list of devices to an administrator computer linked to the computer by a network; and
- transferring a message to the administrator computer in response to each of the detected status changes, wherein the computer comprises a message pump generating messages in response to OS-detected events associated with the status changes in the removable media and wherein the detecting means comprises intercepting the generated messages from the message pump;
wherein the intercepted messages are generated by one or more messaging mechanisms in an operating system environment of the computer and wherein the message interceptor comprises a sub-classed function of a program running in the operating system environment.
Dependent claims: 14, 15, 16
18. A method for monitoring authorized use of media in a computer, comprising:
- opening communications over a network between a client application on a first computer and a server application on a second computer;
- with the client application, intercepting event messages generated by at least one message generator running on the first computer;
- with the client application, detecting addition or removal of a removable device in the first computer by processing the intercepted event messages;
- based on the detecting, transmitting a message defining a change in the removable media for the first computer to the server application on the second computer;
- with the server application, classifying the defined change as a permitted use of the first computer or an unauthorized use of the first computer; and
- when the defined change is determined to be an unauthorized use, generating an alert indicating the defined change on the first computer;
wherein the intercepted messages are generated by one or more messaging mechanisms in an operating system environment of the second computer and wherein the message interceptor comprises a sub-classed function of a program running in the operating system environment.
Dependent claims: 19, 20, 21
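The two detection paths recited in the abstract and claims, modeled as an added example (not code from the patent): intercepted events and a periodic drive scan feed one device list, and the server logs every message and alerts on unpermitted additions. The class names, the (computer, drive) allow-list policy and all sample values are assumptions; OS event delivery is represented by direct method calls.

```python
from collections import namedtuple

# Fields follow the abstract: client IP, computer name, user name, device, change.
ChangeMessage = namedtuple("ChangeMessage", "ip computer user drive change source")

class DetectionClient:
    def __init__(self, ip, computer, user):
        self.ident = (ip, computer, user)
        self.devices = set()              # device list kept by the client

    def on_event(self, drive, change):
        # Path 1: an intercepted OS media-change event ("added" or "removed").
        if change == "added" and drive not in self.devices:
            self.devices.add(drive)
        elif change == "removed" and drive in self.devices:
            self.devices.discard(drive)
        else:
            return []                     # duplicate or stale event
        return [ChangeMessage(*self.ident, drive, change, "interceptor")]

    def on_poll(self, existing_drives):
        # Path 2: periodic drive scan, independent of events; reports what path 1 missed.
        current = set(existing_drives)
        diff = [(d, "added") for d in sorted(current - self.devices)]
        diff += [(d, "removed") for d in sorted(self.devices - current)]
        self.devices = current
        return [ChangeMessage(*self.ident, d, c, "poll") for d, c in diff]

class DetectionServer:
    def __init__(self, permitted):
        self.permitted = set(permitted)   # assumed policy: allowed (computer, drive) pairs
        self.log, self.alerts = [], []

    def receive(self, msg):
        self.log.append(msg)              # every change is logged
        if msg.change == "added" and (msg.computer, msg.drive) not in self.permitted:
            self.alerts.append(msg)       # unauthorized use raises an alert

def demo():
    client = DetectionClient("192.0.2.10", "WS-014", "jdoe")   # constructed values
    server = DetectionServer(permitted={("WS-014", "E:")})
    batches = [client.on_event("E:", "added"),   # interceptor sees the event
               client.on_poll(["E:", "F:"]),     # F: raised no event; the scan finds it
               client.on_event("F:", "added"),   # late duplicate event is suppressed
               client.on_poll(["E:"])]           # F: vanished silently; the scan finds it
    for msg in (m for batch in batches for m in batch):
        server.receive(msg)
    return server
```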
Specification