System and method to secure a computer system by selective control of write access to a data storage medium
Abstract
The present invention relates to a method and system of controlling the writing of data to a computer storage medium such as a hard drive in a computer system in order to prevent viruses or similar program code from being saved on such medium. Upon the computer system initiating a request to write data to the medium, the application embodying the method and system checks the identity of the running application requesting to perform the write. The method and system then checks a rule database to determine if such requesting application has permission to write to the medium. The system can also check that the data file type that the application seeks to write is a permitted type for that application. In response to the output of the database check, the requested write is allowed to proceed or is blocked. In the absence of a rule, the system presents the request to the computer user. The user can either grant permission or block, and such response can be included in the rule database. User responses can be collected from many instances of the invention and the collective response of users presented to a user.
58 Claims

1. A method of controlling write access to a mass data storage device by:
- running a first process that operates in conjunction with an operating system that manages access to a data storage device, said process operating in kernel mode monitoring data storage device accesses;
- detecting by use of the process an attempt by an application distinct from the first process to write data to said data storage device;
- in response to such detection, interrogating a rules database wherein said rules database is comprised of a plurality of references to a corresponding plurality of applications, each reference further comprised of at least one access level associated with the corresponding application; and
- controlling write access to the data storage device by the application attempting the write in dependence on a result of said interrogation;
wherein said interrogation result is comprised of the value of the access level associated with said application.
(Dependent claims 2 to 15.)

16. In a computer comprising a mass data storage device and an application running on said computer in conjunction with an operating system that manages access to said data storage device, a method of controlling write access to said data storage device by said application comprising:
- detecting using a process operating in kernel mode monitoring file system access an attempt by the application to write data of a designated file type to said data storage device;
- in response to said attempt, retrieving a permission value from a database comprised of data elements encoding at least one permission value associated with the application; and
- controlling write access to the data storage device by the application in dependence on said permission value.
(Dependent claims 17 to 40.)

41. A system for controlling write access to a first mass data storage device by at least one application running on a first computer system operatively connected to said first data storage device comprising:
- a first rules database stored on the first computer system comprised of at least one application identifier and at least one corresponding permission value; and
- an interceptor module operating as a kernel mode process monitoring file system access on the first computer system that monitors the at least one application operating distinct from the interceptor process, where upon a write access attempt to the first mass data storage device by the at least one running application, the interceptor module controlling the write access in dependency on a permission value corresponding to the at least one application attempting the write access, where the permission value is independent of the destination directory of the attempted write.
(Dependent claims 42 to 55.)

56. A system for maintaining from a central server a plurality of remote rule databases running on a plurality of corresponding remote computers operatively connected by a data communication network to the central server, each remote rule database comprised of at least one permission value designating permission to write to a mass data storage device associated with at least one application comprising:
- a central rule database residing on the central server, said central rule database comprised of at least one data element, said element comprised of at least two entries, the first being an application identifier and the second at least one permission value associated with said application designating permission to write to a mass data storage device;
- a module that receives from the plurality of remote computers requests for permission values corresponding to application identifiers, said request being comprised of at least one application identifier, where the owners of at least two of the plurality of remote computers are different; and
- a module that transmits the requested permission values retrieved from the central rule database to the requesting remote computers in order to cause a process operating on the requesting remote computer in kernel mode that monitors file system access to permit or deny access based on the transmitted permission values.
(Dependent claims 57 and 58.)
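The decision flow that the abstract and claims 1, 16, 41 and 56 describe (identify the application attempting the write, consult a rules database keyed by application and designated file type, prompt the user when no rule exists, persist the answer, and pool user responses through a central server) as an added worked example. This is not the patent's own code: the kernel-mode interception is only simulated by a method call, and every hash, rule and scripted user response below is a constructed assumption.

```python
"""Application-keyed write-access control, modelled on the abstract and claims above.

Added example, not the patent's implementation. WriteInterceptor.on_write() stands
in for the kernel-mode hook that sees each write attempt and must allow or block it
before it reaches the storage device. All hashes and rules are constructed.
"""
import os
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

ALLOW, BLOCK, ASK = "allow", "block", "ask"


@dataclass(frozen=True)
class AppRef:
    """Reference to an application in the rules database (claim 1).

    Matching is on the executable's SHA-256, not its path or display name, so a
    renamed or relocated binary does not inherit another program's permission.
    That is this example's design choice; the claims only require an identifier.
    """
    sha256: str
    name: str  # informational only, never used for matching


@dataclass(frozen=True)
class Rule:
    """Permission for one application, optionally limited to designated file types (claim 16)."""
    app: AppRef
    permission: str                              # ALLOW or BLOCK
    file_types: Optional[FrozenSet[str]] = None  # None means any file type


class RulesDatabase:
    """Local rules database: (app hash, file type or None) -> permission value."""

    def __init__(self, rules: Tuple[Rule, ...] = ()):
        self._rules: Dict[Tuple[str, Optional[str]], str] = {}
        for rule in rules:
            self.add(rule)

    def add(self, rule: Rule) -> None:
        for ft in (rule.file_types or {None}):
            self._rules[(rule.app.sha256, ft)] = rule.permission

    def lookup(self, app: AppRef, file_type: str) -> str:
        """Most specific rule wins; with no rule at all the answer is ASK."""
        return (self._rules.get((app.sha256, file_type))
                or self._rules.get((app.sha256, None))
                or ASK)


class CentralServer:
    """Pools user decisions from many installations (claim 56) so the collective
    response can be shown to the next user asked about the same application."""

    def __init__(self):
        self._votes: Dict[str, Counter] = {}

    def report(self, sha256: str, decision: str) -> None:
        self._votes.setdefault(sha256, Counter())[decision] += 1

    def consensus(self, sha256: str) -> Dict[str, int]:
        return dict(self._votes.get(sha256, Counter()))


class WriteInterceptor:
    """Simulated kernel-mode interceptor (claims 1, 16 and 41)."""

    def __init__(self, db: RulesDatabase, server: Optional[CentralServer] = None,
                 prompt: Optional[Callable[[AppRef, str, Dict[str, int]], str]] = None):
        self.db, self.server, self.prompt = db, server, prompt
        self.audit: List[Tuple[str, str, str]] = []

    def on_write(self, app: AppRef, path: str) -> bool:
        """Return True to let the write proceed, False to block it."""
        file_type = os.path.splitext(path)[1].lower()
        # The lookup ignores the destination directory (claim 41): the permission
        # follows the application, not the target path.
        decision = self.db.lookup(app, file_type)
        if decision == ASK:
            decision = self._ask_user(app, file_type)
            # Persist the answer so the same question is not asked twice (abstract).
            self.db.add(Rule(app, decision, frozenset({file_type})))
            if self.server is not None:
                self.server.report(app.sha256, decision)
        self.audit.append((app.name, path, decision))
        return decision == ALLOW

    def _ask_user(self, app: AppRef, file_type: str) -> str:
        if self.prompt is None:
            return BLOCK  # fail closed on an unattended machine (this example's choice)
        votes = self.server.consensus(app.sha256) if self.server else {}
        answer = self.prompt(app, file_type, votes)
        return ALLOW if answer == ALLOW else BLOCK  # anything else is treated as block


def demo() -> Tuple[List[Tuple[str, str, str]], int, Dict[str, int]]:
    """Constructed scenario: returns (audit log, prompts shown, final votes for 'updater')."""
    writer = AppRef(sha256="a1" * 32, name="writer")    # constructed hashes
    dropper = AppRef(sha256="b2" * 32, name="dropper")
    updater = AppRef(sha256="c3" * 32, name="updater")
    db = RulesDatabase((
        Rule(writer, ALLOW, frozenset({".docx", ".txt"})),  # document types only
        Rule(dropper, BLOCK),                                # blocked for every type
    ))
    server = CentralServer()
    for _ in range(9):  # other installations already answered about 'updater'
        server.report(updater.sha256, ALLOW)
    server.report(updater.sha256, BLOCK)
    prompts: List[Tuple[str, str, Dict[str, int]]] = []

    def scripted_user(app: AppRef, file_type: str, votes: Dict[str, int]) -> str:
        prompts.append((app.name, file_type, votes))
        # This user follows the collective response when there is one, else blocks.
        return ALLOW if votes.get(ALLOW, 0) > votes.get(BLOCK, 0) else BLOCK

    guard = WriteInterceptor(db, server, scripted_user)
    guard.on_write(writer, "/home/alice/report.docx")  # rule: allow
    guard.on_write(writer, "/usr/lib/plugin.dll")      # no .dll rule -> ask -> block
    guard.on_write(writer, "/tmp/other.dll")           # persisted rule -> block, no prompt
    guard.on_write(dropper, "/home/alice/notes.txt")   # blocked whatever the directory
    guard.on_write(updater, "/opt/app/app.exe")        # unknown -> ask; 9:1 allow -> allow
    return guard.audit, len(prompts), server.consensus(updater.sha256)
```

Two points the claims leave open are settled here by design choice and should be settled deliberately in any real implementation: the application identifier is the hash of the on-disk image rather than the process name, because a name is trivially chosen by whoever wrote the program; and with no user available to answer, the interceptor blocks rather than allows, so an unattended machine never grants a permission nobody reviewed.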
Specification