1. Field of the Invention
This invention relates to the field of data processing. More particularly, this invention relates to the field of scanning computer files for unwanted properties, such as, for example, the presence of computer viruses or characteristics indicative of spam e-mail.
2. Description of the Prior Art
It is known to provide computer systems that computer files for computer viruses or properties indicative of spam e-mail. These known systems have settings which control which files are scanned (e.g. for virus protection, all files or possibly just executable files) and which tests are applied.
As the volume of computer data files requiring scanning for unwanted properties increases, this task requires more processing resources. This is further compounded by the fact that the number of computer viruses for which it is desired to scan or the number of characteristics of spam e-mail for which it is desired to test are also ever increasing. In this context, measures which can make the scanning of computer files for unwanted properties more efficient are strongly advantageous.
Viewed from one aspect the present invention provides a method of detecting computer files having one or more unwanted properties, said method comprising the steps of:
receiving requests to scan respective computer files together with data indicative of a computer user associated with respective requests to scan;
storing within a store of pending scan requests data identifying said requests to scan together with data indicative of respective scan request priority levels for respective requests to scan, scan request priority level being dependent upon a computer user associated with a request to scan;
selecting from said store of pending scan requests in dependence upon said data indicative of scan request priority level a next pending request to scan to be serviced; and
scanning said next pending request to scan to be serviced to detect said one or more unwanted properties.
The invention recognises that as well as simply increasing the performance of the computer hardware for conducting such scanning for unwanted properties, advantages in overall effciency can be gained by a more active approach to prioritising the scans to be conducted. In particular, there is a useful correlation between the computer user associated with a particular request to scan and a priority level that may be associated with that request to scan. As an example, a computer user such as the administrator of a computer network may be given higher priority to their scan jobs in order that their tasks may be completed more quickly and the overall efficiency of the computer network thereby improved. A further example might be a worker who depended upon having the most up to date information to perform their work and accordingly scanning their inbound e-mails should be given a high priority in order that they can receive any information these contain as rapidly as possible.
It will be appreciated that the store of pending scan requests could merely store data indicative of the computer user associated with a scan request and each time calculate the highest priority scan that should be selected from those pending in dependence upon the different computer users specified. However, this could result in a need to determine the priority levels on each occasion, which would be inefficient. Accordingly, in preferred embodiments of the invention a priority level associated with each request to scan is stored together with that request to scan within the store of pending scan requests.
One major field of application of the present invention is the scanning of file access requests to check the files concerned for computer viruses. Checking file access requests for computer viruses can consume large amounts of processing resource and delays in file access requests due to backlogs of pending scan requests can significantly degrade the performance of a computer system. Accordingly, the manner in which scan requests are prioritised can be highly significant.
A computer user who performs relatively processing non-intensive tasks, such as word processing, may be given a relatively low scan request priority as they access relatively few files and accordingly an extra delay upon each file access request they make has relatively little impact upon their efficiency. Conversely, a network administrator who may access many hundreds or thousands of computer files during their normal work may have their overall efficiency significantly degraded if each of those accesses is subjected to a significant delay to allow for scanning. Accordingly, preferred embodiments of the invention may prioritise the scanning to be performed subsequent to file access requests upon the basis of the computer user who originated that file access request.
Another type of request for scan can originate as a result of an on-demand scan. An on-demands scan may typically be ran on a periodic basis to check all of the computer files stored on a system for unwanted properties, such as the presence of computer viruses, damage or corruption, or other characteristics indicative of undesirable material. In this context, the originator of the on-demand task will typically be the system administrator, but the files being examined will relate to all the different users. In practice, gains in effectiveness may be made by prionitising the on-demand scan requests in dependence upon who is the creator or owner of the files being scanned. In this way, files owned or created by users in highly critical roles may be given higher priority, as may users in roles with a high priority of suffering from files with unwanted properties, such as being infected by computer viruses.
As previously mentioned, the technique of the present invention may be applied to the detection of e-mails having unwanted characteristics, such as characteristics indicative of spam e-mails or e-mails containing words or content indicative of activity that is prohibited on the computer systems concerned, e.g. accessing pornographic or illegal material.
In this context of scanning e-mails, the invention may be equally utilised on both inbound and outbound e-mail messages to a system. It is possible that in different circumstances either inbound e-mail messages or outbound e-mail messages may be given generally higher priority in the allocation of the processing resources available for scanning.
In the context of scanning for spam e-mail, receipt within a predetermined period of more than a threshold level of e-mail messages having one or more common characteristics, such as a common sender, a common recipient, a common message title, a common message size, a common attachment, a common attachment type or a common message content, may be used as a trigger to identify spam e-mail and then place an appropriate filter in place to block further receipt of such spam e-mail.
In order to allocate priority to the servicing of scan requests that would otherwise be given equal priority by the associated computer users, the store of pending scan requests may also include time stamp data indicative of the time at which a particular request to scan was issued. In this way, the oldest high priority pending scan request can be selected for service at each stage.
It is also possible that mechanisms may be used to promote in priority pending scan requests that have been unserviced for too long in order that a maximum level of latency is not exceeded.
Viewed from another aspect the present invention provides an apparatus for detecting computer files having one or more unwanted properties, said apparatus comprising:
a receiver operable to receive requests to scan respective computer files together with data indicative of a computer user associated with respective requests to scan;
a store of pending scan requests operable to store data identifying said requests to scan together with data indicative of respective scan request priority levels for respective requests to scan, scan request priority level being dependent upon a computer user associated with a request to scan;
selecting logic operable to select from said store of pending scan requests in dependence upon said data indicative of scan request priority level a next pending request to scan to be serviced; and
scanning logic operable to scan said next pending request to scan to be serviced to detect said one or more unwanted properties.
Viewed from a further aspect the present invention provides a computer program product carrying a computer program for controlling a computer to detect computer files having one or more unwanted properties, said computer program comprising:
receiver code operable to receive requests to scan respective computer files together with data indicative of a computer user associated with respective requests to scan;
storage code operable to store in a store of pending scan requests data identifying said requests to scan together with data indicative of respective scan request priority levels for respective requests to scan, scan request priority level being dependent upon a computer user associated with a request to scan;
selecting code operable to select from said store of pending scan requests in dependence upon said data indicative of scan request priority level a next pending request to scan to be serviced; and
scanning code operable to scan said next pending request to scan to be serviced to detect said one or more unwanted properties.
The above, and other objects, features and advantages of this invention will be apparent from the following detailed description of illustrative embodiments which is to be read in connection with the accompanying drawings.