Efficient file scanning using secure listing of file modification times

Description

TECHNICAL FIELD

This invention pertains generally to computer security, and more specifically to using a secure listing of file modification times to efficiently scan files for malicious code.

BACKGROUND

The time required to scan files on a volume for malicious code is a significant performance issue for anti-malicious code software. As volumes become increasingly large, scan times become slower. Decreasing the amount of time required for such scanning would be highly desirable.

The only time that a volume actually needs to be scanned is upon the receipt of new or updated malicious code signatures. Thus scheduled scans (e.g., weekly scans) are not optimal, as they can be executed unnecessarily, when no new malicious code signatures have arrived, and/or fail to be executed when new signatures are received. This shortcoming can be addressed by scanning the volume whenever a new malicious code signature is received. However, scanning the entire volume every time signatures are received is slow. The only files which are likely to be malicious are recently modified or arrived files, since infection of a file by malicious code necessitates modifying the file, or if a worm arrives, then it must be created on the volume. Therefore, only the more recently modified files need to be scanned when new malicious code signatures arrive.

Using the file system modification date to determine which files to scan or the order in which to scan files is not reliable, because this data is not secure. Malicious code can and often does set this date back, so as to attempt to hide the infection or arrival of the file. Thus, scanning only files that appear to be recently modified according to the file system could result in overlooking infected files. The volume change log (where one exists) is also insecure, and thus cannot be relied on for the same reasons.

What is needed are computer implemented methods, computer readable media and computer systems for scanning files on a volume at a priority corresponding to the actual most recent modification time, upon receipt of new malicious code signatures.

DISCLOSURE OF INVENTION

Computer-implemented methods, computer systems and computer-readable media efficiently scan files for malicious code. More specifically, a scanning optimization manager maintains a non-tamperable record of modifications to files on a volume. The scanning optimization manager receives at least one malicious code signature. Responsive to the receipt of the at least one malicious code signature, the scanning optimization manager scans at least M some files on the volume for the at least one malicious code signature at a priority corresponding to an associated modification status.

The features and advantages described in this disclosure and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a high level overview of a system for efficiently scanning files for malicious code according to some embodiments of the present invention.

FIG. 2 is a flowchart, illustrating steps for efficiently scanning files for malicious code, according to some embodiments of the present invention.

The Figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.

DETAILED DESCRIPTION

FIG. 1 illustrates a high level overview of a system 100 for practicing some embodiments of the present invention. A scanning optimization manager 101 optimizes the scanning of files 103 on a volume 105 for malicious code by referring to a secure listing of file modification times 107. It is to be understood that although the scanning optimization manager 101 is illustrated as a single entity, as the term is used herein a scanning optimization manager 101 refers to a collection of functionalities which can be implemented as software, hardware, firmware or any combination of these. Where a scanning optimization manager 101 is implemented as software, it can be implemented as a standalone program, but can also be implemented in other ways, for example as part of a larger program, as a plurality of separate programs, as one or more device drivers or as one or more statically or dynamically linked libraries.

It is to be further understood that a scanning optimization manager 101 can be instantiated as part of an anti-malicious code software package 108 (as illustrated in FIG. 1) or as a component separate from the anti-malicious code software 108 that works in conjunction therewith. A scanning optimization manager 101 can be instantiated on and/or as part of a server, client, firewall, intrusion detection system, proxy, gateway, switch and/or any combination of these and/or other computing devices and/or platforms.

As illustrated in FIG. 1, the scanning optimization manager 101 maintains a non-tamperable record 107 of modifications to files 103 on a volume 105. In one embodiment, the scanning optimization manager 101 detects modifications being made to files 103 on the volume 105, for example file writes made by processes 109. Methodologies for detecting modifications being made to files 103 are known to those of ordinary skill in the relevant art, and the implementation mechanics of their use within the context of the present invention will be readily apparent to those so skilled in light of this specification. For example, system calls for modifying files 103 can be intercepted, or a file system filter driver can be used, or regular notifications from the operating system on file change can be used.

In many (but not all) embodiments of the present invention, modifications of temporary files 103 are not recorded. Additionally, many files 103 that are modified are deleted very shortly thereafter. In some embodiments, modified files 103 are watched for a short period of time (e.g., 30 seconds, 60 seconds, etc.) to determine whether they are subsequently deleted. Only if a file 103 is not deleted shortly after being modified is the modification logged. This cuts down on the number of files 103 that are logged for subsequent priority scanning. The exact interval can be adjusted by the end user for optimal performance on their machine.

As noted above, the scanning optimization manager 101 stores a secure record 107 of times at which modifications to files 103 are made. This record 107 is typically kept locked for exclusive access by the scanning optimization manager 101, and protected from access by other paths. How far back to maintain file 103 modification data is a variable design choice. Typically, files 103 that have not been modified within about two weeks are unlikely to be contain malicious code on a properly managed computer. Thus, in one embodiment, the scanning optimization manager 101 maintains the modification record 107 such that it contains a listing of modifications executed within the past two weeks. Of course, the record 107 can go back further (or less far) as desired, as space and efficiency permit.

Over time, anti-malicious code software 108 (e.g., anti-virus software) receives new or updated malicious code signatures 111 (e.g., from a server computer as part of an anti-malicious code software 108 signature 111 update process), as updated signatures 111 are identified and made available. Responsive to the receipt of a malicious code signature 111, the scanning optimization manager 101 scans at least some files 103 on the volume 105 for the malicious code signature 111 at a priority corresponding to the associated modification status (e.g., when the file 103 was last modified). The usual priority would be to scan the most recently modified files first, as these are files most at risk for being malicious.

The priority can be established by a combination of factors, (e.g., the modification date, position on the volume). In one embodiment the files 103 are grouped by access date, and then scanned within each group in the order in which they occur on the volume.

As illustrated in FIG. 2, in various embodiments of the present invention, many variations can be employed in order to scan files 103 at a priority corresponding to an associated modification status. For example, in some embodiments, the scanning optimization manager 101 scans 201 files 103 last modified within a defined time period at a high priority (e.g., as soon as possible) and scans 203 files 103 last modified prior to the defined time period (or not modified at all) at a low priority (e.g., in the background, or only when the CPU is otherwise idle). It is to be understood that the value of the defined time period is a variable design parameter (for example, two weeks, ten days, three weeks).

In some embodiments, the scanning optimization manager 101 scans 201 files 103 last modified within the defined time period at a high priority, scans 205 files 103 last modified prior to the defined time period at a low priority, and does not scan 207 unmodified files 103 at all.

In yet other embodiments, the scanning optimization in manager 101 scans 201 files 103 last modified within the defined time period, but does not scan 209 files last modified prior to the defined time period or unmodified files.

Over time, anti-malicious code software 108 (e.g., anti-virus software) receives new or updated malicious code signatures 111 (e.g., from a server computer as part of an anti-malicious code software 108 signature 111 update process), as updated signatures 111 are identified and made available. Responsive to the receipt of a malicious code methodologies and other aspects of the invention can be implemented as software, hardware, firmware or any combination of the three. Of course, wherever a component of the present invention is implemented as software, the component can be implemented as a script, as a standalone program, as part of a larger program, as a plurality of separate scripts and/or programs, as a statically or dynamically linked library, as a kernel loadable module, as a device driver, as executable program code stored on a computer-readable medium such as a hard drive, and/or in every and any other way known to those of skill in the art of computer programming. Additionally, the present invention is in no way limited to implementation in any specific programming language, or for any specific operating system or environment. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.