The present invention relates to techniques for handling malware scanning of files stored within a file storage device of a computer network. As will be appreciated by those skilled in the art, “malware” may include, amongst other things, viruses, worms, Trojans, and/or computer files, words, content, etc. that have been banned for the computer network, etc.
In a computer network, it is common to provide a file server arranged to provide certain centralised services to the users of client devices connected to that network. For example, the file server will often be used to store user files for subsequent access by authorised users over the network.
It is often desirable to perform malware scanning of the files stored within such a file server, and accordingly appropriate scanning software has been written for installation on the file server so as to enable files to be scanned at appropriate times, for example when they are written to the file server, read from the file server, etc. FIG. 1 is a block diagram illustrating a typical prior art arrangement of a computer network, where the computer network comprises a number of client devices 10 coupled to a file server 30 via an appropriate communication infrastructure 20, for example a wired network. In the FIG. 1 example, a malware scanner in the form of an anti-virus (AV) scanner 40 is installed on the file server 30 to perform scanning of the files stored on the file server 30. Typically, the anti-virus scanner 40 can be configured to determine when scanning is performed (i.e. when files are read, when files are written, both, etc.), what type of files are scanned (all files, only executable files, files of a type in which a macro program may be embedded, compressed files, etc.), and what type of scanning is performed (anti-virus algorithms that compare a suspect file to a dictionary of known virus characteristics, heuristic algorithms that seek to detect virus-like activity associated with a file being scanned, etc.).
One of the problems with the approach illustrated in FIG. 1 is that the anti-virus scanner 40 may significantly impact the performance of the file server, particularly when the anti-virus scanner is configured to perform rigorous scanning of files (e.g. by scanning many file types, by employing multiple scanning algorithms, by scanning when files are both read and written, etc.). Furthermore, it is necessary to write a separate version of the anti-virus scanner for each operating system that may be used on the file server 30, for example Windows NT, Windows 2000, Novell Netware, etc.
FIG. 2 illustrates an alternative known arrangement which aims to reduce the performance impact of the FIG. 1 approach. In accordance with the FIG. 2 approach, the AV scanner 60 is placed on a separate device to the file server 30, for example a desktop PC, with a redirector program 50 being installed on the file server 30 to intercept file access requests issued by the client devices 10 and to redirect those file accesses via the link 70 to the AV scanner 60, where any appropriate AV scanning is performed prior to the file access request being processed by the file server 30. Since the heart of the AV scanner is now separated from the file server 30, this approach clearly reduces the performance impact of the scanning process on the other activities being performed by the file server 30. However, the performance of file access processes can still be adversely affected by the scanning process, for example in cases where significant numbers of the files to be accessed have to undergo anti-virus scanning before being accessed. Further, it is still necessary to write redirector software 50 for each operating system that may be used by the file server 30.
The problem of having to write different software versions for each operating system has recently been compounded by the introduction of dedicated file storage devices that can be connected to the computer network, and which are intended solely to provide for central storage of files. Since these file storage devices do not need to perform all of the other functions that are typically associated with the more traditional file storage devices such as the file server 30 illustrated in FIGS. 1 and 2, they do not require the complex operating systems that are typically installed on file servers 30. Instead, most of these recent dedicated file storage devices, such as those available from Network Appliances, EMC, IBM, etc., have a “trimmed down”, proprietary operating system installed thereon to enable those storage devices solely to manage file storage and retrieval activities. These proprietary operating systems are typically not “open” operating systems, and so it is not possible to write software to run on them without obtaining the necessary approval and assistance of the device vendor.
Clearly, it would be desirable to enable any file storage device of a computer network to be scanned for malware, whether that file storage device be the more traditional file server type device, or a dedicated file storage device, and to facilitate such scanning without having to redesign and re-code the scanning software for each device/vendor. In addition, it would be desirable to farther reduce the performance impact that the malware scanning process may have on the file accessing process.
Accordingly, it is an object of the present invention to provide an improved technique for performing malware scanning of files stored within a file storage device of a computer network.