Content tracking in a network security system
Abstract
A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and unwanted or unknown software. The system can implement centralized policies that allow an administrator to approve, block, quarantine, or log file activities. The system maintains file meta-information in the hosts and in the server. A host detects file operations which can cause changes to file content or file name, and updates the host and/or server meta-information as a result. Changes in server meta-information are made available to hosts.
45 Claims
1. A method for use in a system with a server and one or more associated host computers (hosts), the method comprising:
- maintaining on a server, for a plurality of files, a set of server meta-information including, for each unique file content signature, a signature of the contents of the file, a date the file or the signature is first reported by one of the hosts to the server, and state data indicating whether and with what conditions certain file operations can be performed by hosts on the file;
- maintaining on the hosts, for a plurality of files, a set of meta-information in a host cache including, for each file the state data and the signature of the file contents;
- detecting on the host possible changes to file content or name, and updating host and/or server meta-information;
- the server providing to the hosts changes in the server meta-information;
- for each host, maintaining a separate name cache with a file name and state data; and
- wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
28. A method for use in a system with a server and associated host computers (hosts), the method comprising:
- maintaining on a server, for a plurality of files, a set of meta-information including, for each unique file content signature, a signature of the contents of the file, state data indicating whether and with what conditions certain file operations can be performed by hosts on the file, and a time when the file or the signature was first seen;
- maintaining on the hosts, for a plurality of files, a set of meta-information including, for each file the state data, the signature of the file contents and the file pathname;
- a host detecting possible changes to file content or name, and updating server meta-information; and
- the server providing to the hosts changes in the server meta-information;
- for each host, maintaining a separate name cache with a file name and state data; and
- in response to server providing to the hosts changes in the server meta-information, the host accesses name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
32. A method for use in a system with a server and associated host computers (hosts), the method comprising:
- maintaining on a server for a plurality of files a set of meta-information including, for each unique file content signature, state data indicating whether and with what conditions certain operations associated with the file are banned, allowed, or not yet fully determined;
- maintaining on the hosts for a plurality of files a set of meta-information including, for each file, the state data;
- detecting on the host possible changes to file content or name, and updating host and/or server meta-information;
- the server providing to the hosts changes in the server meta-information;
- in response to there being no entry for the file in the server or state not yet fully determined, the server performing analyses of the file; and
- for each host, maintaining a separate name cache with a file name and state data; and
- wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
36. A system comprising:
- a server;
- a plurality of host computers (hosts) associated with the server;
- the server having a server memory for maintaining a plurality of files a set of meta-information including, for each file, data regarding the name of the file, a signature of the contents of the file, and state data indicating whether and with what conditions certain operations associated with the file are banned, allowed, or not yet determined;
- each of the hosts having a local memory for maintaining for a plurality of files a set of meta-information including, for each file, the state data and the signature;
- detecting on the host possible changes to file content or name, and updating host and/or server meta-information;
- the server causing changes in the server meta-information to be provided to the hosts;
- for each host, maintaining a separate name cache with a file name and state data; and
- wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
45. A method for use in a system with a server and one or more associated host computers (hosts), the method comprising:
- maintaining on a server, for a plurality of files, a set of server meta-information including, for each unique file content signature, a signature of the contents of the file, a date the file or the signature is first identified, and state data indicating whether and with what conditions certain file operations can be performed on the file; and
- maintaining on the hosts, for a plurality of files, a set of meta-information in a host cache including, for each file the state data and the signature of the file contents;
- the server detecting possible changes to file content or name in the system, and updating server meta-information;
- the server providing to the hosts changes in the server meta-information;
- for each host, maintaining a separate name cache with a file name and state data; and
- wherein, in response to a request for a file operation of the file, the host accesses the name cache to determine whether the file operation is allowed, and if there is no indication in the name cache whether the file operation is allowed, causing the contents of the file to be hashed, and comparing the hash of the file to the meta-information in the host cache to determine whether the file operation is allowed.
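
The host-side lookup that the independent claims above share (name cache first, then a content hash compared against the host cache) is sketched below as an added example; it is not code from the patent or from any product. The class and method names, SHA-256 as the content signature, treating unknown content as pending, and keeping the signature beside each name entry so a server update can evict it are all assumptions.

```python
import hashlib, tempfile
from enum import Enum
from pathlib import Path

class State(Enum):
    ALLOWED = "allowed"
    BANNED = "banned"
    PENDING = "pending"  # "not yet fully determined" (claim 32)

class Host:  # hypothetical host agent
    def __init__(self):
        self.host_cache = {}  # content signature -> State, fed by server updates
        self.name_cache = {}  # path -> (signature, State); storing the signature is an assumption
        self.hash_count = 0   # number of times file contents had to be hashed

    def _signature(self, path):
        self.hash_count += 1
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()  # SHA-256 is an assumption

    def check(self, path):
        hit = self.name_cache.get(path)
        if hit is not None:           # name cache gives an answer: no hashing needed
            return hit[1]
        sig = self._signature(path)   # no indication by name: hash the contents
        state = self.host_cache.get(sig, State.PENDING)  # unknown content: assumed pending
        self.name_cache[path] = (sig, state)
        return state

    def on_file_changed(self, path):  # content or name may have changed: drop the name entry
        self.name_cache.pop(path, None)

    def apply_server_update(self, sig, state):  # server pushed changed meta-information
        self.host_cache[sig] = state
        self.name_cache = {p: v for p, v in self.name_cache.items() if v[0] != sig}

def demo():
    host = Host()
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "tool.bin"  # constructed sample file
        path.write_bytes(b"version 1")
        host.apply_server_update(hashlib.sha256(b"version 1").hexdigest(), State.ALLOWED)
        seen = [host.check(path), host.check(path)]  # miss (hashed), then name-cache hit
        path.write_bytes(b"version 2")
        host.on_file_changed(path)
        seen.append(host.check(path))  # new content is unknown to the host cache
        host.apply_server_update(hashlib.sha256(b"version 2").hexdigest(), State.BANNED)
        seen.append(host.check(path))  # server verdict replaces the cached PENDING
    return seen, host.hash_count
```

If a write is not detected, the name cache keeps answering with the state of the old content, so the change-detection step is what keeps the fast path from becoming a bypass.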
Specification