Virtual machine file system restriction system and method

US 9,450,960 B1
Filed: 11/05/2008
Issued: 09/20/2016
Est. Priority Date: 11/05/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

executing a host operating system on a host computing system;

creating a first virtual machine within the host operating system, the first virtual machine comprising;

a remote file system;

a file system service; and

a security application between said remote file system and said file system service;

creating a second virtual machine within the host operating system of the host computing system, the second virtual machine comprising a Uniform Naming Convention (UNC) file system driver of the second virtual machine configured to cause all input/output operations processed in a kernel mode from said second virtual machine to be redirected to said remote file system of the first virtual machine via the security application of the first virtual machine, wherein the input/output operations are processed in a user mode in said remote file system;

booting said second virtual machine, wherein said booting said second virtual machine comprises loading a boot block from said first virtual machine and redirecting booting of said second virtual machine to said remote file system;

determining, upon an outbreak of unknown malicious code, at least one unknown malicious code characteristic, wherein the unknown malicious code characteristic comprises at least one file attribute comprising at least one of an outbreak time period, a file type, a source, a file name, and a file size; and

restricting, by the security application of the first virtual machine, access of said second virtual machine to said remote file system, wherein the restricting is performed based on the determined unknown malicious code characteristic, wherein the restricting is further performed based on configured rules relating the at least one file attribute and the unknown malicious code characteristic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes creating a virtual machine including a remote file system, a file system service, and a security application. Access to the remote file system is restricted with the security application upon an unknown malicious code outbreak. The more that is known about the threat, the more precise are the restrictions placed upon the file system thus reducing the impact on users of the file system to an absolute minimum.

28 Citations

View as Search Results

6 Claims

1. A computer-implemented method comprising:
- executing a host operating system on a host computing system;
  
  creating a first virtual machine within the host operating system, the first virtual machine comprising;
  
  a remote file system;
  
  a file system service; and
  
  a security application between said remote file system and said file system service;
  
  creating a second virtual machine within the host operating system of the host computing system, the second virtual machine comprising a Uniform Naming Convention (UNC) file system driver of the second virtual machine configured to cause all input/output operations processed in a kernel mode from said second virtual machine to be redirected to said remote file system of the first virtual machine via the security application of the first virtual machine, wherein the input/output operations are processed in a user mode in said remote file system;
  
  booting said second virtual machine, wherein said booting said second virtual machine comprises loading a boot block from said first virtual machine and redirecting booting of said second virtual machine to said remote file system;
  
  determining, upon an outbreak of unknown malicious code, at least one unknown malicious code characteristic, wherein the unknown malicious code characteristic comprises at least one file attribute comprising at least one of an outbreak time period, a file type, a source, a file name, and a file size; and
  
  restricting, by the security application of the first virtual machine, access of said second virtual machine to said remote file system, wherein the restricting is performed based on the determined unknown malicious code characteristic, wherein the restricting is further performed based on configured rules relating the at least one file attribute and the unknown malicious code characteristic.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1 further comprising:
    - determining whether there has been a request to access a file of said remote file system from said second virtual machine, wherein upon a determination that there has been said request to access said file; and
      
      comparing file attributes of said file to unknown malicious code characteristics of said unknown malicious code, wherein upon a match between said file attributes and said unknown malicious code characteristics, said method further comprising taking protective action.
  - 3. The computer-implemented method of claim 1 further comprising:
    - determining whether there has been a request to access a file of said remote file system from said second virtual machine, wherein upon a determination that there has been said request to access said file; and
      
      comparing file attributes of said file to unknown malicious code characteristics of said unknown malicious code, wherein upon a mismatch between said file attributes and said unknown malicious code characteristics, said method further comprising allowing said access to said file.
  - 4. The computer-implemented method of claim 1 further comprising:
    - determining whether there has been a request to write a file to said remote file system from said second virtual machine, wherein upon a determination that there has been said request to write said file; and
      
      comparing file attributes of said file to unknown malicious code characteristics of said unknown malicious code, wherein upon a match between said file attributes and said unknown malicious code characteristics, said method further comprising taking protective action.
  - 5. The computer-implemented method of claim 1 further comprising:
    - determining whether there has been a request to write a file to said remote file system from said second virtual machine, wherein upon a determination that there has been said request to write said file; and
      
      comparing file attributes of said file to unknown malicious code characteristics of said unknown malicious code, wherein upon a mismatch between said file attributes and said unknown malicious code characteristics, said method further comprising allowing said writing of said file.

6. A computer-program product comprising a nontransitory computer readable storage medium containing computer program code which when executed by one or more computing processors performs a process comprising:
- executing a host operating system on a host computing system;
  
  creating a first virtual machine within the host operating system, the first virtual machine comprising;
  
  a remote file system;
  
  a file system service; and
  
  a security application between said remote file system and said file system service;
  
  creating a second virtual machine within the host operating system of the host computing system, the second virtual machine comprising a Uniform Naming Convention (UNC) file system driver of the second virtual machine configured to cause all input/output operations processed in a kernel mode from said second virtual machine to be redirected to said remote file system of the first virtual machine via the security application of the first virtual machine, wherein the input/output operations are processed in a user mode in said remote file system;
  
  booting said second virtual machine, wherein said booting said second virtual machine comprises loading a boot block from said first virtual machine and redirecting booting of said second virtual machine to said remote file system;
  
  determining, upon an outbreak of unknown malicious code, at least one unknown malicious code characteristic, wherein the unknown malicious code characteristic comprises at least one file attribute comprising at least one of an outbreak time period, a file type, a source, a file name, and a file size; and
  
  restricting, by the security application of the first virtual machine, access of said second virtual machine to said remote file system, wherein the restricting is performed based on the determined unknown malicious code characteristic, wherein the restricting is further performed based on configured rules relating the at least one file attribute and the unknown malicious code characteristic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
McCorkendale, Bruce, Sobel, William E.
Primary Examiner(s)
Goodchild, William

Application Number

US12/265,157
Time in Patent Office

2,876 Days
Field of Search

726/3
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/568   eliminating virus, restorin...

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

Virtual machine file system restriction system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual machine file system restriction system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links