This invention relates generally to computer virus detection, and more particularly to virus scanning.
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings hereto: Copyright © 1999, Network Associates, Inc., All Rights Reserved.
Anti-virus (AV) programs are, by design, fairly intrusive applications. They must sit between a user (or the user's applications) and the computer's file system, to ensure that infected files are not written to the file system. If infected files already reside on the file system, the AV program must ensure that they are not executed or copied to other computers.
AV programs scan computer files for known viruses by comparing each file to a list of "virus signatures" that are stored in "virus signature files." The scanning can be done at a user's request, when the file is accessed on a mass storage device (for example, by an application), or on a scheduled basis. Virus scanning is, therefore, a resource-intensive (CPU and disk I/O) and time-consuming task, especially in the case of on-access scanning. Oftentimes, a user's file-open request must be delayed until the file can be scanned and possibly cleaned. This resource consumption can lead to a degradation of a computer's overall performance and slower response times for users.
Various techniques are currently used to reduce the amount of time and computer resources required by AV scanning. The techniques share the concept of saving a set of parameters, an AV "state," for the file as of the last scan, so that once a file has been scanned and found free of infection, it should not need to be scanned again unless the file is modified. The parameters chosen for the AV state are ones whose change is indicative of virus infection, such as the file's length, checksum, and date of last file write operation.
One common technique is to create an in-memory or on-disk cache containing the AV state for files that have been scanned during recent executions of the AV program. The cache is checked whenever a file is accessed or when a scheduled scan is due. If the file's AV state is in the cache, the AV state parameters for the file in the scan information cache are checked against the current parameters of the file. If the parameters match, a virus scan is not necessary. If the parameters do not match, or if the AV state for the file is not cached, then the file is scanned and the cache information updated. The drawback to this approach is that such caches are limited to a reasonable memory size and cannot efficiently track all the files (potentially millions) that may reside on a file server, or even the smaller number that reside on individual stand-alone personal computers. Because the cache is volatile, the AV state for only the most recently used files will be present in the cache.
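As an added illustration of the cache technique just described (example code, not the patent's), the following Python sketch keeps a bounded cache of AV state keyed by path, storing the file's length, checksum and last-write time, and decides whether a rescan is needed by comparing those parameters against the file's current values. The fixed 20-byte packed record, the choice of CRC-32 as the checksum, and the file names used in the constructed scenario are assumptions.

```python
import os
import struct
import tempfile
import zlib
from collections import OrderedDict

# 20-byte record: length (u64), CRC-32 (u32), last-write time in ns (u64); packed so the
# same bytes could also sit in a reserved directory-entry field (widths are an assumption).
AV_STATE_FMT = "<QIQ"
def file_checksum(path):  # CRC-32 over the contents, read in chunks
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc
def compute_av_state(path):  # the parameters that change if the file is modified
    st = os.stat(path)
    return struct.pack(AV_STATE_FMT, st.st_size, file_checksum(path), st.st_mtime_ns)

class AVStateCache:
    """Bounded, volatile cache of AV state for recently scanned clean files."""
    def __init__(self, capacity=1024):
        self.capacity = capacity
        self._entries = OrderedDict()  # path -> packed AV state, insertion order
    def needs_scan(self, path):  # True if uncached or any stored parameter changed
        cached = self._entries.get(path)
        if cached is None:
            return True
        size, crc, mtime_ns = struct.unpack(AV_STATE_FMT, cached)
        st = os.stat(path)
        if st.st_size != size or st.st_mtime_ns != mtime_ns:
            return True  # stat-only mismatch, no need to read the file
        return file_checksum(path) != crc
    def record_clean(self, path):  # store current AV state after a clean scan
        self._entries.pop(path, None)
        self._entries[path] = compute_av_state(path)
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # evict the oldest entry

def demo():  # constructed scenario: returns the needs_scan decisions in order
    p = os.path.join(tempfile.mkdtemp(), "a.bin")
    with open(p, "wb") as f: f.write(b"clean v1")
    cache = AVStateCache()
    out = [cache.needs_scan(p)]  # uncached -> True
    cache.record_clean(p)
    out.append(cache.needs_scan(p))  # unchanged -> False
    with open(p, "wb") as f: f.write(b"clean v2")  # same length, new content
    out.append(cache.needs_scan(p))  # mtime or checksum differs -> True
    return out
```

A size-and-mtime mismatch short-circuits without reading the file; only when both agree is the checksum recomputed, which is still far cheaper than a full signature scan.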
Another approach stores the AV state (often just a checksum) in an external database that is then compared against the current values of the AV state parameters when the file is accessed. This technique is only effective if the AV state information is thoroughly secure against unauthorized changes. The user or administrator also faces the challenges inherent in maintaining the external database. Additionally, the database technique requires that the AV state is accessed separately from the file itself, thus incurring system overhead. The total processing cost of generating the AV state, storing it in the external database and retrieving it when needed can exceed the cost of scanning the file.
An alternate technique that is similar to the external database approach addresses the cost of accessing the AV state separately from the file itself by appending the AV state (again frequently just a checksum) to the end of the file. However, this scheme is less secure than the others in that a sophisticated virus can overwrite the checksum with the value for the infected file. Additionally, since the AV program modifies the file, errors in the program may cause loss of user data. Moreover, the addition of information to a file can cause various system utilities to assume the file is bad, causing the original version of the file to be reloaded, or it may be viewed as virus-like behavior, triggering a false alarm. This technique is also disfavored by users and systems administrators who are reluctant to give a third party the right to modify their files.
Therefore, the current techniques used by AV programs provide only limited savings of user time and system resources when scanning files, while often introducing other risks and complications as a result.
The above-mentioned shortcomings, disadvantages and problems are addressed by the present invention, which will be understood by reading and studying the following specification.
Anti-virus (AV) state information for a file on a computer is stored within an associated file data structure managed by the file system of the computer. The AV state information is obtained from the data structure when the data structure has been retrieved by the file system as a result of the file being accessed. Because the data structure is automatically retrieved into memory by the file system, the invention incurs minimal resource overhead and provides fast retrieval of the AV state information. For file systems that have at least one reserved field in the directory entry for a file, the AV state information is stored in that field or fields. An alternate aspect of the invention operates with file systems that maintain the data and resource information for a file as separate entities ("forks") by storing the AV state information in the resource fork or in a special AV state fork.
The present invention describes systems, clients, servers, methods, and computer-readable media of varying scope. In addition to the aspects and advantages of the present invention described in this summary, further aspects and advantages of the invention will become apparent by reference to the drawings and by reading the detailed description that follows.