CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS

US 20090006423A1
Filed: 09/01/2008
Published: 01/01/2009
Est. Priority Date: 05/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprisingintercepting by a proxy associated with a network device, logically interposed between a client and a server, a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client;

the proxy issuing the remote file-system access protocol request to the server on behalf of the client;

the proxy buffering into a file buffer associated with the network device data being read from or written to a file associated with a share of the server; and

responsive to a predetermined event in relation to the SMB/CIFS protocol or the file buffer, the proxy determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file buffer by performing content filtering on the file buffer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, holding buffers in which data collected from a remote file-system access protocol is stored, a holding buffer context table, a file map table and a usage table corresponding to each holding buffer are created within one or more computer-readable media. References to each of the holding buffers are tracked within the holding buffer context table. References to a common file are mapped to a common holding buffer of the holding buffers with the file map table. Modified and unmodified portions of the holding buffers are tracked using the usage table corresponding to each holding buffer. Responsive to a predetermined event in relation to a holding buffer or the holding buffers, the existence of malicious, dangerous or unauthorized content contained within the holding buffer is determined by performing content filtering on the holding buffer.

Citations

28 Claims

1. A method comprisingintercepting by a proxy associated with a network device, logically interposed between a client and a server, a Server Message Block/Common Internet File System (SMB/CIFS) protocol request from the client;
- the proxy issuing the remote file-system access protocol request to the server on behalf of the client;
  
  the proxy buffering into a file buffer associated with the network device data being read from or written to a file associated with a share of the server; and
  
  responsive to a predetermined event in relation to the SMB/CIFS protocol or the file buffer, the proxy determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the file buffer by performing content filtering on the file buffer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the network device comprises a gateway
  - 3. The method of claim 1, wherein the proxy comprises a transparent proxy that implements handlers for only a subset of commands of the SMB/CIFS protocol.
  - 4. The method of claim 1, wherein the file buffer comprises a plurality of holding buffers for each open file in the share.
  - 5. The method of claim 1, wherein the file buffer comprises a single holding buffer for each open file in the share.
  - 6. The method of claim 1, wherein the file buffer is stored in non-persistent storage of the network device.
  - 7. The method of claim 5, wherein the single holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 8. The method of claim 5, further comprising the proxy tracking references to the single holding buffer by maintaining a reference table containing file identifiers.
  - 9. The method of claim 8, further comprising the proxy tracking usage and modification of the single holding buffer with a usage table.
  - 10. The method of claim 9, wherein the usage table contains information indicative of free and filled sections of the single holding buffer.
  - 11. The method of claim 1, wherein the predetermined event comprises determining the single holding buffer is full.
  - 12. The method of claim 1, wherein the predetermined event comprises observing one or more behaviors commonly exhibited by file-infecting viruses.
  - 13. The method of claim 12, wherein the one or more behaviors include an attempt to append data to the file.

14. A network device comprising:
- a content processor implementing one or more filters configured to detect the presence of malicious code in data being scanned;
  
  a remote file-system access protocol proxy, coupled to the content processor, configured to be logically interposed between a client and a server and to cause content filtering to be performed by the content processor on data transferred between the client and server via a remote file-system access protocol responsive to a predetermined event; and
  
  a memory containing therein a plurality of file buffer data structures, the file buffer data structures configured to buffer data being read from or written to a plurality of files associated with a share of the server and map multiple references to individual files of the plurality of files during a remote file-system access protocol session to a single holding buffer corresponding to each of the individual files.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The network device of claim 14, wherein the remote file-system access protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) protocol.
  - 16. The network device of claim 14, wherein the network device comprises a network gateway.
  - 17. The network device of claim 14, wherein the remote file-system access protocol proxy comprises a transparent proxy.
  - 18. The network device of claim 14, wherein the memory is a shared memory that is accessible by a plurality of processes running within the network device.
  - 19. The network device of claim 14, wherein the file buffer data structures include a usage table corresponding to each single holding buffer to facilitate tracking of usage and modification of each single holding buffer.
  - 20. The network device of claim 19, wherein each usage table includes entries indicative of free and filled sections of each corresponding single holding buffer.
  - 21. The network device of claim 14, wherein the predetermined event comprises determining one or more of the single holding buffers is full.
  - 22. The network device of claim 14, wherein the predetermined event comprises the remote file-system access protocol proxy observing one or more behaviors commonly exhibited by file-infecting viruses.
  - 23. The network device of claim 22, wherein the one or more behaviors include an attempt to append data to a file of the plurality of files.

24. A method comprising:
- receiving a request to establish a network session at a network device, the request being characterized by a source network address, a destination network address and a remote file-system access protocol;
  
  collecting data associated with the network session by intercepting at a proxy associated with the network device, logically interposed between a client and server, a remote file-system access protocol request from the client, or a remote file-system access protocol response from the server;
  
  the proxy issuing the remote file-system access protocol request to the server on behalf of the client, or forwarding the remote file-system access protocol response to the client on behalf of the server; and
  
  performing content filtering on the collected data.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24, wherein the network device comprises a gateway.
  - 26. The method of claim 24, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).
  - 27. The method of claim 24, wherein the proxy implements handlers for all or a subset of commands of the remote file-system access protocol.
  - 28. The method of claim 24, wherein a holding buffer is used to store the collected data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William Jeffrey

Granted Patent

US 8,353,042 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 16/00   Information retrieval; Data...

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

H04L 49/90   Buffering arrangements

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/145   the attack involving the pr...

H04L 65/102   Gateways arrangements for c...

H04L 67/06   specially adapted for file ...

H04L 67/289   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

H04L 9/40   Network security protocols

CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links