Content filtering of remote file-system access protocols

US 8,671,450 B2
Filed: 12/22/2012
Issued: 03/11/2014
Est. Priority Date: 05/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprisingtransparently proxying, by a gateway device, (i) a first plurality of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests originated by a first process running on a client and relating to a file associated with a share of a server and (ii) a second plurality of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file;

anddetermining, by the gateway device, the existence or non-existence of malicious, dangerous or unauthorized content contained within the file byidentifying data being read from or written to the file as a result of the first plurality of SMB/CIFS protocol requests and the second plurality of SMB/CIFS protocol requests;

buffering the identified data into a single shared file buffer within a memory of the gateway device; and

when one or more of a plurality of scanning conditions are satisfied, then performing content filtering on the shared file buffer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a first set of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests originated by a first process running on a client and relating to a file associated with a share of a server and a second set of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file are transparently proxied by a gateway device. The existence or non-existence of malicious, dangerous or unauthorized content contained within the file is determined by the gateway device by (i) buffering data being read from or written to the file as a result of the first and second set of SMB/CIFS protocol requests into a shared file buffer; and (ii) performing content filtering on the shared file buffer when a scanning condition is satisfied.

14 Citations

View as Search Results

23 Claims

1. A method comprisingtransparently proxying, by a gateway device, (i) a first plurality of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests originated by a first process running on a client and relating to a file associated with a share of a server and (ii) a second plurality of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file;
- anddetermining, by the gateway device, the existence or non-existence of malicious, dangerous or unauthorized content contained within the file byidentifying data being read from or written to the file as a result of the first plurality of SMB/CIFS protocol requests and the second plurality of SMB/CIFS protocol requests;
  
  buffering the identified data into a single shared file buffer within a memory of the gateway device; and
  
  when one or more of a plurality of scanning conditions are satisfied, then performing content filtering on the shared file buffer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising tracking, by the gateway device, references to the single shared file buffer by maintaining a reference table containing file identifiers.
  - 3. The method of claim 1, further comprising tracking, by the gateway device, usage and modification of the single shared file buffer with a usage table.
  - 4. The method of claim 3, wherein the usage table contains information indicative of free and filled sections of the single shared file buffer.
  - 5. The method of claim 1, wherein a first scanning condition of the plurality of scanning conditions comprises the single shared file buffer having reached a predetermined level of fullness.
  - 6. The method of claim 5, wherein the predetermined level of fullness comprises completely filled.
  - 7. The method of claim 1, wherein a second scanning condition of the plurality of scanning conditions comprises observation, by the gateway, of one or more behaviors commonly exhibited by file-infecting viruses.
  - 8. The method of claim 7, wherein the one or more behaviors include an attempt to append data to the file.

9. A network gateway device comprising:
- a content processor implementing one or more filters configured to detect the presence of malicious code in data being scanned;
  
  a transparent Server Message Block/Common Internet File System (SMB/CIFS) protocol proxy, coupled to the content processor, configured to be logically interposed between a client and a server and to cause content filtering to be performed by the content processor on data transferred between the client and server as a result of one or more of a plurality of scanning conditions being triggered by (i) a first plurality of SMB/CIFS protocol requests originated by a first process running on the client and relating to a file associated with a share of the server and (ii) a second plurality of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file; and
  
  a memory containing therein a single shared file buffer into which data identified as being read from or written to the file as a result of the first plurality of SMB/CIFS protocol requests and the second plurality of SMB/CIFS protocol requests is buffered.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The network gateway device of claim 9, further comprising a usage table to facilitate tracking of usage and modification of the single shared file buffer.
  - 11. The network gateway device of claim 10, wherein the usage table includes entries indicative of free and filled sections of the single shared file buffer.
  - 12. The network gateway device of claim 9, wherein a first scanning condition of the plurality of scanning conditions comprises the single shared file buffer having reached a predetermined level of fullness.
  - 13. The network gateway device of claim 12, wherein the predetermined level of fullness comprises completely filled.
  - 14. The network gateway device of claim 9, wherein a second scanning condition of the plurality of scanning conditions comprises observation of one or more behaviors commonly exhibited by file-infecting viruses.
  - 15. The method of claim 14, wherein the one or more behaviors include an attempt to append data to the file.

16. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network gateway device logically interposed between a client and a server, cause the one or more processors to perform a method of content filtering comprising:
- transparently proxying (i) a first plurality of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests originated by a first process running on the client and relating to a file associated with a share of the server and (ii) a second plurality of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file; and
  
  determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file byidentifying data being read from or written to the file as a result of the first plurality of SMB/CIFS protocol requests and the second plurality of SMB/CIFS protocol requests;
  
  buffering the identified data into a single shared file buffer within a memory of the gateway device; and
  
  when one or more of a plurality of scanning conditions are satisfied, then performing content filtering on the single shared file buffer.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The computer-readable storage medium of claim 16, wherein the method further comprises tracking references to the single shared file buffer by maintaining a reference table containing file identifiers.
  - 18. The computer-readable storage medium of claim 16, wherein the method further comprises tracking usage and modification of the single shared file buffer with a usage table.
  - 19. The computer-readable storage medium of claim 18, wherein the usage table contains information indicative of free and filled sections of the single shared file buffer.
  - 20. The computer-readable storage medium of claim 16, wherein a first scanning condition of the plurality of scanning conditions comprises the single shared file buffer having reached a predetermined level of fullness.
  - 21. The computer-readable storage medium of claim 20, wherein the predetermined level of fullness comprises completely filled.
  - 22. The computer-readable storage medium of claim 16, wherein a second scanning condition of the plurality of scanning conditions comprises observation, by the gateway, of one or more behaviors commonly exhibited by file-infecting viruses.
  - 23. The computer-readable storage medium of claim 22, wherein the one or more behaviors include an attempt to append data to the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William Jeffrey
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US13/726,019
Publication Number

US 20130125238A1
Time in Patent Office

444 Days
Field of Search

726/22, 726/23, 726/24
US Class Current

726/24
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 16/00   Information retrieval; Data...

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

H04L 49/90   Buffering arrangements

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/145   the attack involving the pr...

H04L 65/102   Gateways arrangements for c...

H04L 67/06   specially adapted for file ...

H04L 67/289   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

H04L 9/40   Network security protocols

Content filtering of remote file-system access protocols

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Content filtering of remote file-system access protocols

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links