1. Field of the Invention
This invention pertains in general to protecting a computer from malicious software and in particular to techniques for anti-malware scanning in a virtualized file system environment.
2. Description of the Related Art
A modern computer can be used by multiple users. The operating system running on the computer provides a file system that stores files for the users. The file system stores files in both shared and per-user locations. Some of these files can contain malicious software (“malware”) such as viruses and worms that can harm the computer. An anti-malware scanning program, such as an antivirus scanner, can inspect the files to determine whether any of the files contain malware. If a file with malware is detected, a remedial action is taken such as removing the malware or alerting a user of the computer.
It is often desirable to scan only some of the files in the file system because a scan of the entire file system can require significant time and consume significant system resources. As a result, a scan can be limited to the portions of the file system that are likely to contain files that will be accessed or executed. These portions of the file system can include per-user locations, such as the home directories of each user, and various shared locations that are accessed by multiple users. Scanning only such portions is referred to as a “quick scan.”
The operating system can provide the multiple users with varying permissions or privileges. Applications running under the control of a user generally have the same permissions as the user. A user has full read and write access to files in that user's dedicated locations but has limited access to certain files in shared locations. An administrator is a type of privileged user that has full access to all files maintained by the file system.
The operating system may support file system virtualization, where files are multiplexed by the operating system. A user application attempting to access a file may be provided with a different version of the file based on the user, the rights of the user, or the type of application making the request. For example, if an application running under a user attempts to write to a shared file without having the necessary permissions to do so, the file system can make a copy of the file at another location and write to the copy, creating a different version. An application of the user that subsequently attempts to read or write to the shared file is redirected to the user's version of the file. Several such per-user versions of a single shared file can exist under file system virtualization. File system virtualization enables a user application to apparently modify shared files without affecting the shared files as seen by other users of the system.
The per-user versions of shared files are stored in a particular area of the file system defined by the operating system. This area of the file system is not normally scanned during a quick scan, and as a result a quick scan may miss the per-user versions of shared files and any malware contained therein. Therefore, there is a need in the art for a way to locate and scan per-user versions of shared files in a virtualized file system environment when doing a quick scan.
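The gap described above can be shown with a short sketch. This is an added example, not code from the patent: it extends a quick scan's target list with the per-user versions of files in the scanned shared locations. The directory layout (`<virtual_root>/<user>/<shared path relative to fs_root>`), the function names, and the sample tree are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

def files_under(directory):
    """All files below directory (os.walk does not follow directory symlinks)."""
    return [Path(d) / n for d, _, names in os.walk(directory) for n in names]

def per_user_versions(shared_dirs, virtual_root, fs_root):
    """Map each shared file to the per-user copies found for it.

    Assumed layout: <virtual_root>/<user>/<shared path relative to fs_root>.
    """
    found = {}
    virtual_root = Path(virtual_root)
    if not virtual_root.is_dir():
        return found
    for user_dir in sorted(p for p in virtual_root.iterdir() if p.is_dir()):
        for shared in shared_dirs:
            mirror = user_dir / Path(shared).relative_to(fs_root)
            for copy in files_under(mirror):
                original = Path(fs_root) / copy.relative_to(user_dir)
                found.setdefault(original, []).append(copy)
    return found

def quick_scan_targets(shared_dirs, virtual_root, fs_root):
    """Shared files plus every per-user version of a file in those locations."""
    targets = [f for d in shared_dirs for f in files_under(d)]
    for copies in per_user_versions(shared_dirs, virtual_root, fs_root).values():
        targets.extend(copies)
    return sorted(targets)

def build_demo(root):
    """Constructed sample tree: one shared file, per-user versions for two users."""
    root = Path(root)
    shared = root / "shared" / "app"
    shared.mkdir(parents=True)
    (shared / "settings.ini").write_text("original")
    for user in ("alice", "bob"):
        copy_dir = root / "virtual" / user / "shared" / "app"
        copy_dir.mkdir(parents=True)
        (copy_dir / "settings.ini").write_text("modified by " + user)
    return [shared], root / "virtual"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dirs, vroot = build_demo(tmp)
        for target in quick_scan_targets(dirs, vroot, tmp):
            print(target.relative_to(tmp))
```

A scan that walks only the shared directories would report one file here; the extended target list contains three, because each user's redirected copy is a separate file that may differ from the shared original.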