CN100557546C - Anti-virus method for an item store - Google Patents



Publication number
CN100557546C
Authority
CN
China
Prior art keywords
storer
item
scanning
virus
content
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CNB2005100823527A
Other languages
Chinese (zh)
Other versions
CN1713107A (en)
Inventor
B·S·拉曼
J·科雷恩
M·科斯蒂
N·R·埃利斯
R·库玛
S·H·阿加瓦尔
S·阿南德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corp
Publication of CN1713107A
Application granted
Publication of CN100557546C
Legal status: Active
Anticipated expiration

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A system and method for integrating anti-virus plug-ins as part of an item store. The semantics for the operation of anti-virus plug-ins in a relational item store are provided by a metadata component and a scan component associated with the item store. The metadata component can provide a signature value associated with the store, which can represent the time at which data was scanned and the result of each scan. The scan component can queue rows of the data store in synchronous and/or asynchronous mode for scanning and cleaning by anti-virus plug-ins supplied by vendors.

Description

Anti-virus method for an item store
This application claims priority to the following two provisional applications: application number US 60/581,569, filed June 21, 2004, titled "ANTI VIRUS FOR AN ITEM STORE"; and application number US 60/581,896, filed June 22, 2004, titled "ANTIVIRUS FOR AN ITEM STORE". This application also claims priority to application number US 10/959,383, filed October 6, 2004, titled "ANTIVIRUS FOR AN ITEM STORE". These applications are incorporated herein by reference in their entirety.
Technical field
The present invention relates generally to anti-virus protection, and more particularly to systems and methods that facilitate the integration of one or more anti-virus plug-ins in a store environment in which items can be described in terms of links and attributes.
Background
Advances in computing (microprocessor speed, memory capacity, data transfer bandwidth, software functionality and so on) have generally driven progress in computer applications across many industries. Ever more powerful server systems, often configured as server arrays, are commonly provided to service requests originating from external sources such as the World Wide Web. As local intranets have improved and must sustain larger network loads and associated applications, internal system demands have increased accordingly. As a result, large amounts of business data are kept in data stores under management systems.
In addition, the volume of available electronic data continues to grow, and keeping that data in a data store in a manageable way becomes ever more important, since it enables user-friendly and fast data search and retrieval. A typical data store can be thought of as an organized collection of structured information, so that a computer program, for example, can quickly search for and select a desired piece of data.
Data in a data store can be organized in one or more tables, where each table contains a set of records and a record contains a set of fields. Records are generally indexed as rows of a table and record fields as columns, so that an indexed row/column pair refers to a particular datum in the table. Such a data store can thus be regarded as an organized collection of related information saved as "records" containing "fields" of information. For example, a financial data store can have records for financial transactions such as receivables, payables and customer information. Between the physical data store itself (the data actually kept on the storage device) and the system user, a management or operating system usually provides a software cushion or layer, so that the data store shields the user from low-level hardware details. In general, all user requests to access data are handled by the system manager. For example, information can be appended to or removed from a data file, and information in such a file can be retrieved or updated, without the user needing to know how the underlying system is implemented.
Meanwhile, traditional data stores and operating systems tend to rely on a number of incompatible stores, including the registry, event log messages, contact information and e-mail, or on multiple flat data files for simple things such as images and audio. In traditional data stores, saved content is often treated as separate entities even though those entities are related to some extent. When a large number of items exists, a flexible and effective mechanism for finding particular items based on their attributes and content therefore becomes important. For example, a practitioner may need to search content independently of its format, regardless of the file type and of the application that created it.
At the same time, new file systems that work on related objects can raise new problems. For example, a virus may store itself in such a file system in new ways. Conventional virus checking is generally limited to files kept on the same computer that runs the anti-virus program. So although a particular entity, including end users and web sites, can to some extent check files kept locally on its own computer, such entities usually cannot determine the viral risk associated with files under the control of other entities, where malicious code can use an encoded string left in the store that is decoded in the client space and propagated by e-mail. Thus, with traditional file systems, a virus can reside in one or more file streams even though it is only one file.
In a relational item store, on the other hand, content can be persisted in items, where an item can comprise multiple attributes and each attribute and each item can be associated with others. Thus, what is saved into and read back from the store can comprise results spread over many attributes that can accumulate in numerous items. This creates different cases, such as create, update or read paths that touch many attributes. A virus can use such a layout to hide itself "piecemeal": for example, it can keep an encrypted body "X" in an item's attributes, such as the metadata of an image that appears harmless to an anti-virus program, and propagate by querying the store and decoding the encrypted attributes on a client computer.
By spreading the virus body over multiple attributes and multiple items, the item store becomes a store of the virus. In other words, the virus can be saved in fragments written into the attributes of several items, together with a simple query that assembles those fragments and causes the virus itself to execute. The conventional filter model that intercepts the update or read path is therefore generally no longer suitable for such relational item store arrangements.
There is therefore a need to overcome the shortcomings described above that are associated with legacy item store systems, operations and methods.
Summary of the invention
The following presents a simplified summary of the invention in order to provide a basic understanding of one or more aspects of the invention. This summary is not an extensive overview of the invention. It is intended neither to identify key or critical elements of the invention nor to delineate its scope. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that follows.
The invention provides a system and method that supplies the expectations and semantics of one or more anti-virus (AV) plug-ins in a relational item store by using a metadata component and a scan component associated with the store. The metadata component can provide rule sets and/or logic in the store that guide the anti-virus plug-in, for example when to scan content, how to scan, when a scan is invalid, and so on. The metadata component can also provide a signature value assigned to the store, which can represent the time at which the data was scanned; it has a designated place in the relational item store (such as a designated column) to identify the result of that scan (clean, suspect, infected, scan not required, and so on). Application programming interfaces (APIs) can be provided to invoke the plug-in when needed, update the signature and set a new signature value. In addition, various scanning behaviours can be introduced that trade the speed and accuracy of query results against the risk that those results have not been fully scanned. For example, a user may be willing to sacrifice accuracy (accepting incomplete results in response to a query) for the advantage of having every piece of content that contributes to the result fully scanned.
In addition, further rule sets in the store can establish links between items; these rule sets can also allow links to be defined and can provide the information needed to analyze data structures in order to determine the links of text to elements. A schema can be used to supply the necessary rule sets and the necessary information. For example, a component can provide Document Object Model in-memory representations of related entities in the store. In addition, the scan component can queue rows of the data store in synchronous and/or asynchronous mode for scanning and cleaning by the AV plug-in.
According to one aspect of the invention, to provide backward compatibility of the store (and its AV plug-ins) with traditional files (such as data stream files and applications), a filter driver arrangement can be provided that stacks on top of the Multiple UNC Provider (MUP). (The Uniform Naming Convention (UNC) is a file naming convention that offers a machine-independent means of locating files.) Layering the filter components directly on the MUP in this way provides a file system component that services I/O requests for the UNC namespace, so that the AV plug-in can be given the same visibility into content that is available to the item store.
In a related aspect of the invention, a set of interfaces can be provided as part of the interaction between the AV plug-in and the relational item store engine. Such interfaces can, for example, take the form of a series of stub routines and/or placeholders that a vendor can develop to link its AV plug-in with the relational item store.
To the accomplishment of the foregoing and related ends, the invention comprises the features hereinafter fully described. The following description and the annexed drawings set forth in detail certain illustrative aspects of the invention. These aspects are indicative, however, of but a few of the various ways in which the principles of the invention may be employed. Other aspects, advantages and novel features of the invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.
Brief description of the drawings
Fig. 1 is a block diagram of a relational item store that uses an anti-virus (AV) plug-in according to one aspect of the invention.
Fig. 2 is a block diagram of a scan component according to one aspect of the invention.
Fig. 3 illustrates a method for background scanning according to one aspect of the invention.
Figs. 4a-4e depict the stages of creating and scanning a row according to illustrative aspects of the invention.
Fig. 5 illustrates a layered arrangement of filters for a particular system architecture according to one aspect of the invention.
Fig. 6 is a brief exemplary illustration of a system for converting a document into an in-memory data structure residing in an item store according to one aspect of the invention.
Fig. 7 illustrates the cycle of the background scanning queue for data in an item store according to one aspect of the invention.
Fig. 8 illustrates the background cleaning queue for data in an item store according to one aspect of the invention.
Fig. 9 is a schematic block diagram of a suitable computing environment in which aspects of the invention can be employed.
Fig. 10 illustrates a client-server system that can employ the anti-virus scanning method according to one aspect of the invention.
Detailed description
The invention is now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. It may be evident, however, that the invention can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the invention.
As used in this application, the terms "component", "handler", "model", "system" and the like refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a server and the server itself can be components. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers. These components can also execute from various computer-readable media having various data structures stored on them. Components can communicate by way of local and/or remote processes, such as in accordance with a signal having one or more data packets (for example data from one component interacting with another component in a local system or distributed system, and/or across a network such as the Internet with other systems by way of the signal).
Referring initially to Fig. 1, a block diagram shows a relational item store 100 interacting with an anti-virus (AV) plug-in 130 according to one aspect of the invention. In general, the data item store 100 can be a relational database that employs three features, namely items, links and attributes. An item represents a "thing" that a user, such as a client, wishes to represent as an item, and can be uniquely identified by an item ID. A link provides a directed, named relationship between two items. An attribute associates a labelled value with an item. Items are described in terms of links and attributes: links represent associations between items, and attributes represent other information about an item.
In such a relational data store environment, data can be saved as rows in one or more tables. The data store can be accessed by one or more queries in the form of transactions T1 to TN (N an integer). Such transactions can include, for example, row-level operations on the data in the data item store 100. Transactions 112, 114, 116 can access the data store according to differentiated access levels (read-only, read/write and so on) authorized by the data store for which the data are relevant.
The item store 100 of the invention can comprise a metadata component 110 and a scan component 120. The metadata component 110 can provide rule sets and/or logic in the data store to guide the operation of the AV plug-in 130, that is, semantics for the AV plug-in 130 such as when to scan, how to scan, when a scan is invalid, and so on.
In addition, the metadata component 110 can specify an acceptable bar level of currently known virus state when a virus scan is performed on the data store 100. For example, the acceptable bar level can be specified by a time stamp: the store can be assigned a global AV signature time stamp whose value is assigned to "VIRUSSIGNATURETS".
Example data definition language (DDL) for the application programming interfaces (APIs) used to invoke the plug-in, update the signature and set a new signature value can include:
GetNewVirusSignature()
GetCurrentVirusSignature()
According to one aspect of the invention, a row associated with a table of the data store 100 can comprise two columns that define two attributes, namely "Last Virus Signature Scan" and "Scan State", which are described in more detail below. Briefly, "Last Virus Signature Scan" holds, for each row, the time stamp of the last virus (AV) scan completed on that row, and "Scan State" indicates whether the row content is "clean", "suspect" or "infected". When a row is created, the system automatically sets "Last Virus Signature Scan" to zero and the state of the row content to "suspect". Application programming interfaces (APIs) can be provided to invoke the anti-virus plug-in 130, which scans the data store 100 as required, and to update the signature and set a new signature value. The metadata component can thus provide a signature value associated with the store 100 that represents the time at which the data was scanned, together with a designated place in the relational store that identifies the result of that scan (clean, suspect or infected). It will be appreciated that although anti-virus checking may be the system default, a "no check required" metadata value can also be specified when a user chooses not to scan particular items.
The item store 100 can also comprise a scan component 120 that uses the plug-in 130 in a reliable manner. The scan component can queue items in the store (such as recent updates, changes and so on) in synchronous and/or asynchronous mode for scanning and cleaning by AV plug-in programs provided by third-party vendors.
Referring now to Fig. 2, a block diagram shows the scan component 120, which further comprises an asynchronous queuing component 210 (background scanning) and a synchronous queuing component 220 (on-access scanning). In general, an AV plug-in cannot detect a new virus piecemeal as it enters the store. The AV plug-in can therefore be allowed to analyze the full content of the item store 200, so that it is not constrained to the particular domain of the store 200 to which a user happens to be connected. The item store 200 can further use a scheduling component 230 that queues item store content for scanning by the AV plug-in program. It will be appreciated that the scheduling component 230 can also be part of the scan component 120, even though Fig. 2 depicts it as a separate component. Such a component can enqueue or dequeue items, invoke the AV plug-in and update the metadata component based on the result for that content.
Typically, the item store 200 can automatically enqueue new or updated items for virus scanning or virus cleaning, using the asynchronous queuing component 210 for the "background scanning" queue. Items in the queue can be dequeued by the item store 200, for example through the scheduling component 230, and the appropriate AV interface can be called synchronously.
The schedule for unscanned items to be handled by the AV plug-in can be provided through an "ItemHasVirus" API. Such a call can return synchronously, and the item store 200 can update the associated AV metadata component in the store based on the boolean result of the call. For example, if the interface returns a "TRUE" value, the object can be marked as containing a virus, and the AV state of the row is updated to:
lastVirusSignatureScanTS=@@VIRUSSIGNATURETS AND scanState="infected".
Likewise, if the interface returns a "FALSE" value, the object has been found to be free of viruses, and the AV state of the row can be updated to lastVirusSignatureScanTS=@@VIRUSSIGNATURETS AND scanState="clean".
Referring now to the synchronous queuing component 220 (on-access scanning) in the store, such a component can be used so that, whenever a read is performed on the item store, the result is generally guaranteed to contain only items whose scanState is "clean". Synchronous AV on the read path can thus generally guarantee that a client receives an up-to-date result set, unless an actual virus is detected while the queue is processed. There can, however, be situations in which such a guarantee comes at a high price. For example, a first user deposits several new photos in a domain in which a second user is searching for a Word document. When the scan of the first user's photos is triggered as a side effect of the query, the second user can be made to wait.
At the same time, if the set of items touched by a query has not been completely AV scanned each time the query runs, the result may be incomplete. The invention therefore introduces a "forced" scan as part of the synchronous queuing component, based on setting a "session variable" that determines how an application should behave. An application can rely on a best-effort approach and accept a transaction result that is incomplete because the AV plug-in has not yet been invoked on all components of the item store 200. Alternatively, if the store 200 finds content that could potentially contribute to the query result but has not yet been scanned, that content can be scanned as a side effect so that it can be included in the transaction result.
Accordingly, a new session-level option @@VIRUSCHECKONREAD can be introduced to control whether items are checked inline. When this field is assigned the value "0", all read queries consider only rows whose scanState="clean". When it is assigned the value "1", rows whose scanState is not "clean" are force-scanned during query execution.
The predicate can then be rewritten as follows:
WHERE (lastVirusSignatureScanTS=@@VIRUSSIGNATURETS AND
       scanState="clean")
   OR (@@VIRUSCHECKONREAD=1 AND
       lastVirusSignatureScanTS!=@@VIRUSSIGNATURETS AND
       ItemHasVirus(ItemId)=0)
Similar predicates can be evaluated on other persisted data kept in the store, such as Extensions and Links. In that case the functions ExtensionHasVirus() or LinkHasVirus() are called.
In another aspect of the invention, the scheduling component 230 can schedule infected items for handling by the AV plug-in's CleanItem API. This call can return synchronously, and the AV metadata in the item store 200 can be updated based on the boolean result of the call. For example, if the interface returns a "TRUE" value, the object has been cleaned, and the AV state of the row can be updated to lastVirusSignatureScanTS=@@VIRUSSIGNATURETS and scanState="clean". On the other hand, if the interface returns FALSE, the object has typically not been cleaned, and the AV state of the row is updated to lastVirusSignatureScanTS=@@VIRUSSIGNATURETS and scanState="infected".
Fig. 3 illustrates a method 300 of background scanning according to one aspect of the invention. Initially, at 310, the item store completes the update of the metadata component based on the AV plug-in's results for the item store content. Next, at 315, the store range of the stored signature is updated to reflect the most recent AV plug-in scan. Next, at 320, the item store can put expired items back into the queue for subsequent AV scanning; recent updates can also wait in such a priority queue. As explained above, items in the queue can be dequeued by the item store and the appropriate AV interface called synchronously at 325. The method then loops back to step 310, where the item store again completes the update of the metadata component based on the AV plug-in's results. While the exemplary method is illustrated and described as a series of blocks representing various events and/or actions, the invention is not limited by the illustrated ordering of those blocks. For instance, some actions or events may occur in a different order and/or concurrently with other actions or events, apart from the ordering illustrated here. Moreover, not all illustrated blocks, events or actions may be required to implement a method in accordance with the invention. In addition, it will be appreciated that the exemplary method and other methods according to the invention may be implemented in association with the method illustrated and described herein, as well as with other systems and apparatus not illustrated or described.
Referring now to Figs. 4a-4e, a row associated with a table of an item store is shown; it comprises two columns that define two attributes, namely "Last Virus Signature Scan" and "Scan State". In general, a core operational feature of a relational data store is the ability to perform associative queries on tables. A set of entities kept in a table can be accessed using a set-processing language such as SQL (Structured Query Language). This language designates one or more tables as the data source and outputs only the rows (if any) that satisfy the specified criteria. As noted above, the item store can be a relational database, an object database and/or an object-relational database. In a relational database, a group of entities with the same structure is called a table and each entity is called a row; the components of that structure are called columns, and a relational database can comprise one or more tables. The example table signatures shown in Figs. 4a-4e are updated and can undergo virus scanning according to one aspect of the invention. It will be appreciated that the data store of the invention contemplates the existence of data both in traditional data stream form and in relational object form. For example, when query results depend on such tables, the content of the tables needs to be protected from a virus attack. In particular, malicious code can exploit an encoded string left in the store that is decoded in the client space and propagated by e-mail. For example, a virus can keep an encrypted body "X" in an attribute so that it can query the store and decrypt the encrypted attribute, thereby propagating itself on the client. When a query is executed, the data store of the invention can use a queuing mechanism to queue the items of the table in synchronous and/or asynchronous mode for scanning and cleaning by the anti-virus plug-in provided by the vendor. The relational item store engine can then provide a response to the query based on the query and, in particular, on user context information.
Fig. 4a depicts the creation of a row, where the system automatically sets lastVirusSignatureScanTS=0 and scanState="suspect". The row retains these values until the AV plug-in has scanned it, after which it holds the time stamp of the scan together with the scan result, as shown by the "clean" state in Fig. 4b. Fig. 4c shows an update of the row, for which the item store automatically sets scanState="suspect" without changing the value of lastVirusSignatureScanTS. The anti-virus plug-in is responsible for scanning the item, link or extension row and indicating either that the item has no virus or that it is infected. Fig. 4d illustrates the clean state, where the item store sets lastVirusSignatureScanTS to the current value and the scanState attribute to "clean". Similarly, Fig. 4e illustrates the alternative, infected case: the item store sets lastVirusSignatureScanTS to @@VIRUSSIGNATURETS and the scanState attribute to "infected", which can cause the item to be "quarantined". Such an item must then be cleaned by the plug-in before its content becomes available to future queries again.
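To make the row states of Figs. 4a-4e, the @@VIRUSCHECKONREAD read predicate and the background scan and clean queues (Figs. 3, 7 and 8) concrete, the following Python model is an added example written for this page, not Microsoft's or the patent's implementation. The ItemStore and Row classes, the "EVIL" marker used as a stand-in detection, and the item_has_virus/clean_item callbacks that stand in for a vendor plug-in's ItemHasVirus and CleanItem are all assumptions.

```python
from collections import deque
from dataclasses import dataclass

CLEAN, SUSPECT, INFECTED = "clean", "suspect", "infected"


@dataclass
class Row:
    item_id: int
    content: str
    lastVirusSignatureScanTS: int = 0  # Fig. 4a: zero when the row is created
    scanState: str = SUSPECT           # Fig. 4a: suspect until a plug-in scans it


class ItemStore:
    # Constructed model of the item store; not Microsoft's implementation.
    def __init__(self, item_has_virus, clean_item, signature_ts=1):
        self.rows = {}
        self.VIRUSSIGNATURETS = signature_ts  # global AV signature time mark
        self.VIRUSCHECKONREAD = 0             # session option; 0 = clean rows only
        self.scan_queue = deque()             # background scanning queue (Fig. 7)
        self.clean_queue = deque()            # background cleaning queue (Fig. 8)
        self.item_has_virus = item_has_virus  # stand-in for the plug-in's ItemHasVirus
        self.clean_item = clean_item          # stand-in for the plug-in's CleanItem

    def create(self, item_id, content):
        self.rows[item_id] = Row(item_id, content)
        self.scan_queue.append(item_id)       # new rows are queued automatically

    def update(self, item_id, content):
        # Fig. 4c: an update marks the row suspect but keeps the old scan time stamp.
        row = self.rows[item_id]
        row.content, row.scanState = content, SUSPECT
        self.scan_queue.append(item_id)

    def _scan(self, row):
        # Synchronous ItemHasVirus call; AV metadata is set from its boolean result.
        infected = self.item_has_virus(row.content)
        row.lastVirusSignatureScanTS = self.VIRUSSIGNATURETS
        row.scanState = INFECTED if infected else CLEAN  # Fig. 4d / Fig. 4e
        if infected:
            self.clean_queue.append(row.item_id)        # quarantined until cleaned
        return infected

    def new_virus_signature(self, ts):
        # A new signature expires every earlier scan; requeue those rows (step 320).
        self.VIRUSSIGNATURETS = ts
        self.scan_queue.extend(r.item_id for r in self.rows.values() if r.lastVirusSignatureScanTS != ts)

    def run_background_scan(self):
        # Fig. 3: dequeue queued items and call the plug-in synchronously for each.
        scanned = 0
        while self.scan_queue:
            row = self.rows[self.scan_queue.popleft()]
            if row.lastVirusSignatureScanTS != self.VIRUSSIGNATURETS or row.scanState == SUSPECT:
                self._scan(row)
                scanned += 1
        return scanned

    def run_background_clean(self):
        # Fig. 8: CleanItem TRUE makes the row clean, FALSE leaves it infected.
        cleaned = 0
        while self.clean_queue:
            row = self.rows[self.clean_queue.popleft()]
            new_content = self.clean_item(row.content)
            row.lastVirusSignatureScanTS = self.VIRUSSIGNATURETS
            if new_content is None:
                row.scanState = INFECTED
            else:
                row.content, row.scanState = new_content, CLEAN
                cleaned += 1
        return cleaned

    def query(self, match):
        # The WHERE predicate from the text: rows clean under the current signature, or,
        # with @@VIRUSCHECKONREAD=1, stale rows scanned on the spot and found clean.
        results = []
        for row in self.rows.values():
            if not match(row.content):
                continue
            current_clean = (row.lastVirusSignatureScanTS == self.VIRUSSIGNATURETS
                             and row.scanState == CLEAN)
            forced = (self.VIRUSCHECKONREAD == 1
                      and row.lastVirusSignatureScanTS != self.VIRUSSIGNATURETS
                      and not self._scan(row))
            if current_clean or forced:
                results.append(row.item_id)
        return results


def demo():
    # Constructed walk-through; the marker "EVIL" stands in for a real detection.
    store = ItemStore(item_has_virus=lambda c: "EVIL" in c,
                      clean_item=lambda c: c.replace("EVIL", "").strip() or None)
    store.create(1, "holiday photo")
    store.create(2, "report EVIL")
    store.VIRUSCHECKONREAD = 1
    out = {"forced": store.query(lambda c: True)}      # on-access scan -> [1]
    out["cleaned"] = store.run_background_clean()      # row 2 cleaned -> 1
    store.VIRUSCHECKONREAD = 0
    store.update(1, "holiday photo v2")                # Fig. 4c: row 1 suspect again
    out["after_update"] = store.query(lambda c: True)  # -> [2]
    store.new_virus_signature(2)                       # every earlier scan expired
    out["rescanned"] = store.run_background_scan()     # -> 2
    out["final"] = store.query(lambda c: True)         # -> [1, 2]
    return out
```

Running demo() shows the cost the text describes: with the session option set to 1 the read itself pays for scanning the two unscanned rows, while with it set to 0 an updated row silently drops out of results until the background queue reaches it.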
Fig. 5 shows the block diagram that particular hierarchical is arranged according to one aspect of the present invention.Usually, of the present invention existence that storer is conceived the data of traditional data stream and relationship type object form.Therefore, for the back compatible of a storer and AV plug-in unit thereof and traditional file (as data stream file and application program) is provided, the present invention uses a kind of new architecture that is used for filter file, wherein, many Uniform Naming Conventions provide device (MUP) assembly 515 to be registered as file system, and UNC provides device not to be registered as file system usually.Generally speaking, can guarantee that all UNC I/O can pass through MUP usually.Therefore, as shown in Figure 5, such as the storehouse (510,520,530) of the file filter device of AV filtrator etc. himself can be appended to MUP go up (as, layer itself is added on the MUP) and filter all UNC I/O, this comprises a document flow I/O of storer discipline.The file that Uniform Naming Convention (UNC) can be the irrelevant device of machine that is provided for locating file provides a kind of naming convention.MUP assembly 515 usefulness act on the file system of UNC name space visit, wherein to the same namespace of visible catalogue of item storer and filename also to the AV plug-in unit as seen.
As described, kernel mode 550 can be regarded as the kernel, or core program, of the computer operating system. Such an operating system is generally responsible for processing data and managing input and output. Kernel mode 550, as part of the operating system, is loaded first and remains in main memory. Besides process management, file management and memory management, kernel component 550 typically provides the essential services or processes required by applications and drivers, for example scheduling for I/O, buffering, spooling, error handling and the like. In addition, note that the term kernel mode 550 as used herein is intended to cover any service, step, driver, application or other component that can reside in kernel address space.
In a related aspect of the present invention, a set of interfaces can be provided as part of the interaction between the vendor-supplied plug-in and the relational item store engine. Such interfaces can, for example, take the form of a series of stubs and/or placeholders developed by the vendor that can be linked with the AV plug-in to be provided and with the relational item store. Such interfaces can be implemented by the vendor for scanning and cleaning items, extensions and links. For example:
BOOL ScanItem(ItemId itemId)
BOOL ScanExtension(ItemId itemId, ExtensionId extId)
BOOL ScanLink(ItemId itemId, LinkId linkId)
Each interface can return a Boolean status value. If the item is found to contain a virus (or to take part in a piecemeal attack), this value can be set to "true"; if the item is virus-free, it is set to "false". A similar example for the cleaning process can include:
BOOL CleanItem(ItemId itemId)
BOOL CleanExtension(ItemId itemId, ExtensionId extId)
BOOL CleanLink(ItemId itemId, LinkId linkId)
Each interface can return a Boolean status value: "true" if the store object was cleaned successfully, "false" if the AV plug-in could not clean it. Such functions can be called by the item store whenever a store object requires an AV scan operation, or whenever an infected object requires an AV clean operation. In both cases it is normally the responsibility of the AV vendor to retrieve the item data from the store as needed, using the store mechanisms described above. It will further be appreciated that the scanning and cleaning aspects can be combined or carried out in separate stages. The interfaces can be called by the item store for synchronous or asynchronous scanning and cleaning as required. Furthermore, all item store content is normally accessed by the AV plug-in using the standard query mechanism over a privileged connection. In addition, installation of a fake AV plug-in can be prevented, for example, by using signed components. Each interface can also support a "*void" plug-in context that is passed through each API.
Fig. 6 illustrates a brief exemplary description of a system 610 according to one aspect of the present invention, used to convert an XML document 612 into a data structure 620 residing in an item store that conforms to a Document Object Model 618. XML document 612 is parsed by parser 614 to provide transformation component 616 with a list of semantic elements and attributes. This list of semantic elements and attributes can then be converted, or mapped, into the data structure 620 of the item store conforming to the Document Object Model 618. As shown in XML document 612, the document comprises a plurality of elements with parent-child links. The data elements represented in XML DOM can comprise a hierarchy with "People" as the top-level node, a first leaf node or branch element "John" having child nodes "Loves" and "Mary", and a second leaf node or branch having the node "Mary". A parser selected to retrieve or match information from the second branch will retrieve the element "Mary" without knowing about the link "John Loves Mary". However, the item store of the present invention can model the structure according to the links between elements or items, so that the link "John Loves Mary" can readily be distinguished with this model. As can be seen in data structure 620, the parser can retrieve information about "Mary" by following the link between the "People" node and the "Mary" node to determine that Mary is a person, and by following the link between the "Mary" node and the "John" node to determine that Mary is loved by John. Thus, this model presents the data structure in terms of links, in addition to elements (or items) and attributes as in XML DOM.
Fig. 7 shows the cycle of background scan queue operations according to one aspect of the present invention. The cycle begins when the item store completes the update of the metadata component based on the AV plug-in's results on the item store content. Next, moving clockwise along arrow 720, the signature of the item store is updated to reflect the most recent AV plug-in scan. Then, along arrow 740, the item store can place expired items back into the queue for subsequent AV scanning. In addition, following arrow 760, recent updates can also wait in this priority queue. The item store can dequeue entries from the queue and call the appropriate AV interface synchronously, as shown by arrow 780. The scan cycle can then loop back, as shown by arrow 790, at which point the item store completes the update of the metadata component based on the AV plug-in's results. As explained earlier, the metadata component can also provide a signature value assigned to the item store, which can represent the data scan time, and a designated space in the relational item store (e.g. a designated column) to identify the result of the scan (such as a clean result, a suspect result, an infected result, scan not needed, and the like). This is represented by chart 795. In this way, a pending scan can be provided as part of the item life cycle.
The anti-virus plug-in is responsible for scanning item, link or extension rows and for indicating either that the item is virus-free or that it is infected. To clean an infected item, as shown in Fig. 8, the infected item can be scheduled for processing by the AV plug-in's CleanItem API. The call can return synchronously, and the AV metadata can be updated in item store 800. If the call succeeds (for example, if the interface returns a "true" value), the object can be regarded as clean, and this is indicated in the associated row.
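The row life cycle of Fig. 4a to 4e, the Scan*/Clean* interfaces above, the queue cycle of Fig. 7 and the cleaning step of Fig. 8 can be put together in one small model. The following C++ is an added illustration, not code from the patent or from any Microsoft product; ItemStore, IAvPlugin, AvMetadata, MarkerPlugin and the numeric signature stamps are assumptions made for this example, and the marker string is a constructed stand-in for a real detection engine.

```cpp
// Added example (not code from the patent): a small model of the item-store AV
// metadata (Fig. 4), the vendor plug-in interface (Scan*/Clean*), the background
// scan cycle (Fig. 7) and cleaning (Fig. 8). All names are assumptions.
#include <cstdint>
#include <deque>
#include <map>
#include <set>
#include <string>

typedef std::uint64_t ItemId;
typedef std::uint64_t SignatureTs;  // version stamp of the AV signature set

enum class ScanState { Suspect, Clean, Infected, NoScanNeeded };

// Per-row metadata: signature set the row was last scanned with, and the result.
struct AvMetadata {
    SignatureTs lastVirusSignatureScanTS = 0;
    ScanState   scanState = ScanState::Suspect;
};

// Vendor plug-in modelled on BOOL ScanItem (true = infected) / BOOL CleanItem (true = cleaned).
class IAvPlugin {
public:
    virtual ~IAvPlugin() = default;
    virtual bool ScanItem(ItemId id, const std::string& content) = 0;
    virtual bool CleanItem(ItemId id, std::string& content) = 0;
};

class ItemStore {
public:
    explicit ItemStore(SignatureTs currentSig) : currentSig_(currentSig) {}
    // Fig. 4a: a new row starts as suspect with TS = 0 and is queued.
    void createItem(ItemId id, const std::string& content) {
        items_[id] = content;
        meta_[id] = AvMetadata{};
        enqueue(id);
    }
    // Fig. 4c: an update resets the state to suspect but keeps the old TS.
    void updateItem(ItemId id, const std::string& content) {
        items_[id] = content;
        meta_[id].scanState = ScanState::Suspect;
        enqueue(id);
    }
    // Fig. 7, arrows 720/740: rows scanned with an older signature set are stale and re-queued.
    void updateSignature(SignatureTs sig) {
        currentSig_ = sig;
        for (auto& kv : meta_)
            if (kv.second.lastVirusSignatureScanTS < sig) enqueue(kv.first);
    }
    // Fig. 7, arrow 780: dequeue, call the plug-in synchronously, record Fig. 4d/4e result.
    int runScanCycle(IAvPlugin& av) {
        int scanned = 0;
        while (!queue_.empty()) {
            ItemId id = queue_.front(); queue_.pop_front(); queued_.erase(id);
            AvMetadata& m = meta_[id];
            bool infected = av.ScanItem(id, items_[id]);
            m.lastVirusSignatureScanTS = currentSig_;
            m.scanState = infected ? ScanState::Infected : ScanState::Clean;
            ++scanned;
        }
        return scanned;
    }
    // Fig. 8: run CleanItem on every isolated row; on success it becomes clean again.
    int cleanInfected(IAvPlugin& av) {
        int cleaned = 0;
        for (auto& kv : meta_) {
            if (kv.second.scanState != ScanState::Infected) continue;
            if (!av.CleanItem(kv.first, items_[kv.first])) continue;
            kv.second.scanState = ScanState::Clean;
            ++cleaned;
        }
        return cleaned;
    }
    // "Isolation": only rows in the clean state are returned to queries.
    bool queryVisible(ItemId id) const {
        return meta_.count(id) && meta_.at(id).scanState == ScanState::Clean;
    }
    const AvMetadata& metadata(ItemId id) const { return meta_.at(id); }
    std::size_t pending() const { return queue_.size(); }

private:
    void enqueue(ItemId id) {
        if (queued_.insert(id).second) queue_.push_back(id);  // no duplicates
    }
    SignatureTs currentSig_;
    std::map<ItemId, std::string> items_;
    std::map<ItemId, AvMetadata> meta_;
    std::deque<ItemId> queue_;
    std::set<ItemId> queued_;
};

// Constructed stand-in for a vendor scanner: flags a marker string and "cleans" by removing it.
const std::string kMarker = "X-TEST-MARKER";
class MarkerPlugin : public IAvPlugin {
public:
    bool ScanItem(ItemId, const std::string& content) override {
        return content.find(kMarker) != std::string::npos;
    }
    bool CleanItem(ItemId, std::string& content) override {
        std::size_t pos = content.find(kMarker);
        if (pos == std::string::npos) return false;
        content.erase(pos, kMarker.size());
        return true;
    }
};
```

The plug-in only ever sees item content and returns a verdict; the store owns the metadata transitions, the queue and the isolation rule, which is what the patent means by the store providing the semantics for the plug-in's operation. A signature update re-queues every row whose lastVirusSignatureScanTS is older than the new stamp, which is how expired items re-enter the queue along arrow 740, and an update to a row keeps its old stamp while dropping it back to "suspect" exactly as in Fig. 4c.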
Referring now to Fig. 9, a brief, general description of a suitable computing environment on the client and server side is shown, in which various aspects of the present invention can be implemented. Although the present invention has been described above in the general context of computer-executable instructions, such as computer programs, running on one and/or more computers, those skilled in the art will understand that the present invention can also be implemented in combination with other program modules. Generally, program modules include routines, programs, components, data structures and the like that perform particular tasks and/or implement particular abstract data types. Moreover, those skilled in the art will recognize that the methods of the present invention can be practised with other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics and the like. As explained earlier, the illustrated aspects of the present invention can also be practised in distributed computing environments where tasks are performed by remote processing devices linked through a communications network. However, some aspects of the invention, if not all, can be practised on stand-alone computers. In a distributed computing environment, program modules can be located in both local and remote memory storage devices. An example includes a computer 920 comprising a processing unit 921, a system memory 922, and a system bus 923 that couples various system components, including the system memory, to the processing unit 921. The processing unit 921 can be any of various commercially available processors. Dual microprocessors and other multiprocessor architectures can also be employed as the processing unit 921.
The system bus can be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. The system memory can include read-only memory (ROM) 924 and random-access memory (RAM) 925. A basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the computer 920, such as during start-up, is stored in ROM 924.
The computer 920 further includes a hard disk drive 927, a magnetic disk drive 928 to, for example, read from or write to a removable disk 929, and an optical disk drive 930 for reading a CD-ROM disk 931 or reading from or writing to other optical media. The hard disk drive 927, magnetic disk drive 928 and optical disk drive 930 are connected to the system bus 923 by a hard disk drive interface 932, a magnetic disk drive interface 933 and an optical drive interface 934, respectively. The drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions and the like for the computer 920. Although the description of computer-readable media above refers to a hard disk, a removable magnetic disk and a CD, those skilled in the art will appreciate that other types of media readable by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges and the like, can also be used in the exemplary operating environment, and that any such media can contain computer-executable instructions for performing the methods of the invention.
A number of program modules can be stored in the drives and RAM 925, including an operating system 935, one or more application programs 936, other program modules 939 and program data 939. The operating system 935 in the illustrated computer can be substantially any commercially available operating system.
A user can enter commands and information into the computer 920 through a keyboard 940 and a pointing device such as a mouse 942. Other input devices (not shown) can include a microphone, joystick, game pad, satellite dish, scanner or the like. These and other input devices are often connected to the processing unit 921 through a serial port interface 946 that is coupled to the system bus, but can also be connected by other interfaces, such as a parallel port, a game port or a universal serial bus (USB). A monitor 949 or other type of display device is also connected to the system bus 923 via an interface such as a video adapter 949. In addition to the monitor, computers typically include other peripheral output devices (not shown), such as speakers and printers.
The computer 920 can operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 949. The remote computer 949 can be a workstation, server computer, router, peer device or other common network node, and typically includes many or all of the elements described relative to the computer 920, although only a memory storage device 950 is illustrated in Fig. 9. The logical connections depicted in Fig. 9 can include a local area network (LAN) 951 and a wide area network (WAN) 952. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
When used in a LAN networking environment, the computer 920 can be connected to the local network 951 through a network interface or adapter 953. When used in a WAN networking environment, the computer 920 typically can include a modem 954, and/or is connected to a communications server on the LAN, and/or has other means for establishing communications over the wide area network 952, such as the Internet. The modem 954, which can be internal or external, can be connected to the system bus 923 via the serial port interface 946. In a networked environment, program modules depicted relative to the computer 920, or portions thereof, can be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and that other means of establishing a communications link between the computers can be used.
In accordance with the practice of persons skilled in the art of computer programming, the present invention has been described with reference to acts and symbolic representations of operations that are performed by a computer, such as the computer 920, unless indicated otherwise. Such acts and operations are sometimes referred to as being computer-executed. It will be appreciated that the acts and symbolically represented operations include the manipulation by the processing unit 921 of electrical signals representing data bits, which causes a resulting transformation or reduction of the electrical signal representation, and the maintenance of data bits at memory locations in the memory system (including the system memory 922, hard drive 927, floppy disks 928 and CD-ROM 931) to thereby reconfigure or otherwise alter the computer system's operation, as well as other processing of signals. The memory locations where such data bits are maintained are physical locations that have particular electrical, magnetic or optical properties corresponding to the data bits.
Referring now to Fig. 10, a client-server system 1000 that employs the AV plug-in method according to one aspect of the present invention is illustrated. The one or more clients 1020 can be hardware and/or software (e.g. threads, processes, computing devices). The system 1000 can also include one or more servers 1040. The one or more servers 1040 can likewise be hardware and/or software (e.g. threads, processes, computing devices). For example, such servers 1040 can house threads that perform transformations by employing the present invention. The clients 1020 and the servers 1040 can communicate in the form of data packets transmitted between two or more computer processes in accordance with the present invention. The client and server can also share the same process. As illustrated, the system 1000 includes a communication framework 1080 that can facilitate communication between the one or more clients 1020 and the one or more servers 1040. The one or more clients 1020 can optionally be connected to one or more client data stores 1010 that store information local to the clients 1020. In addition, the clients 1020 can access and update databases 1060 located on a server computer 1040 running a server process. In one aspect of the present invention, the communication framework 1080 can be the Internet, with the client process being a web browser and the server process being a web server. As such, a typical client 1020 can be a general-purpose computer, such as a conventional personal computer having a central processing unit (CPU), system memory, a modem or network card for connecting the personal computer to the Internet, a display, and other components such as a keyboard, mouse and the like. Likewise, a typical server 1040 can be a university or corporate mainframe computer, or a dedicated workstation or the like.
It will be appreciated that although the present invention has been described in the context of a primary AV plug-in within one item store, the workflow can be implemented across multiple stores. In general, a deployment of multiple stores on multiple machines can lead to inconsistent levels of anti-virus assurance across the stores. To mitigate such inconsistency, a particular exemplary method allows the plug-in of the client store to scan content read from a share on another store. This typically requires including the anti-virus feature of the originating store, in serialized form, with the item consumed by the client application. Based on this information and local policy, the plug-in available to the client store can scan the content read from the source store. In particular, such an anti-virus plug-in is confined to its store. Therefore, if an application running on a different machine reads content from a share on the item store, that application is protected only by the anti-virus plug-in hosted on the sharing store. In a deployment of multiple stores on different machines, this results in inconsistent levels of anti-virus assurance across the stores. The solution is to allow the plug-in of the client store to scan the content read from the share on the other store. This may involve including the anti-virus feature of the originating store with the serialized form of the item consumed by the client application. Based on this information and local policy, the plug-in available to the client store can scan the content read from the source store.
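As an added example of the cross-store case just described (not code from the patent): the originating store's AV feature travels with the serialized item, and the client store applies local policy to decide whether its own plug-in must scan the content before the application consumes it. SerializedItem, LocalPolicy, ReadOutcome, readShared and the marker-based stand-in scan are assumptions made for this illustration.

```cpp
// Added example (not from the patent): a client store deciding whether content
// read from a share on another ("originating") store must be scanned by the
// client's own plug-in. All names and the marker-based scan are assumptions.
#include <cstdint>
#include <string>

enum class OriginState { Suspect, Clean, Infected };

// Serialized item as received by the client store: content plus the AV feature
// of the originating store (the signature stamp it scanned with and its verdict).
struct SerializedItem {
    std::string   content;
    std::uint64_t originSignatureTs;
    OriginState   originState;
};

// Local policy of the client store.
enum class LocalPolicy { TrustOrigin, RescanIfStale, AlwaysRescan };

enum class ReadOutcome { DeliveredTrusted, DeliveredAfterScan, Blocked };

// Decide whether the origin's verdict may be relied upon. A non-clean verdict is
// never trusted; a clean verdict is trusted according to policy, where "stale"
// means the origin scanned with an older signature set than the client has.
bool needsLocalScan(const SerializedItem& item, std::uint64_t localSignatureTs,
                    LocalPolicy policy) {
    if (item.originState != OriginState::Clean) return true;
    switch (policy) {
        case LocalPolicy::TrustOrigin:   return false;
        case LocalPolicy::RescanIfStale: return item.originSignatureTs < localSignatureTs;
        case LocalPolicy::AlwaysRescan:  return true;
    }
    return true;
}

// Constructed stand-in for the client plug-in's ScanItem: true when infected.
bool clientScanItem(const std::string& content) {
    return content.find("X-TEST-MARKER") != std::string::npos;
}

// Read path of the client store for content that came from another store.
ReadOutcome readShared(const SerializedItem& item, std::uint64_t localSignatureTs,
                       LocalPolicy policy) {
    if (!needsLocalScan(item, localSignatureTs, policy)) return ReadOutcome::DeliveredTrusted;
    return clientScanItem(item.content) ? ReadOutcome::Blocked
                                        : ReadOutcome::DeliveredAfterScan;
}
```

With TrustOrigin the client inherits whatever assurance level the sharing store had, which is the inconsistency the patent describes; RescanIfStale closes the gap only for items whose origin verdict predates the client's current signature set, and AlwaysRescan makes the client store's plug-in the sole authority for everything it consumes.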
Although the present invention has been described with respect to certain illustrated aspects, it will be appreciated that equivalent alterations and modifications will occur to others skilled in the art upon reading and understanding this specification and the annexed drawings. In particular regard to the various functions performed by the above-described components (assemblies, devices, circuits, systems and the like), the terms (including a reference to a "means") used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (that is, which is functionally equivalent), even though not structurally equivalent to the disclosed structure that performs the function in the exemplary aspects of the invention illustrated herein. In this regard, it will also be recognized that the invention includes a system as well as a computer-readable medium having computer-executable instructions for performing the acts and/or events of the various methods of the invention. Furthermore, to the extent that the terms "includes" and "having" and variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term "comprising".

Claims (26)

1. An item store comprising:
a metadata component that provides semantics for the operation of an anti-virus plug-in interacting with the item store;
a scan component that queues the content of the item store to the anti-virus plug-in for virus scanning of the item store content; and
a parser for parsing the data structure of the item store to determine links of text to elements, wherein links between rule sets in the item store are established, the rule sets further allowing relationships to be defined and providing the information necessary to parse the data structure to determine the links of text to elements.
2. The item store of claim 1, wherein the metadata component provides a signature value representing the time at which the content was scanned.
3. The item store of claim 1, wherein the metadata component provides a scan state of the content.
4. The item store of claim 3, wherein the scan state is set to one of suspect, clean and infected.
5. The item store of claim 3, wherein the scan state is set to scan not needed.
6. The item store of claim 1, wherein the scan component queues the content in at least one of a synchronous and an asynchronous manner.
7. The item store of claim 1, wherein the metadata component provides a signature value to the item store.
8. The item store of claim 7, wherein the signature value represents the time at which the content of the item store was scanned.
9. The item store of claim 1, wherein the scan component comprises at least one of an asynchronous queuing component and a synchronous queuing component.
10. The item store of claim 1, further comprising a scheduling component that schedules the scan process of the anti-virus plug-in.
11. The item store of claim 1, further comprising means for cleaning infected items.
12. The item store of claim 1, further comprising means for providing the anti-virus plug-in with the same visibility of content as the file system has of the item store.
13. A method for virus scanning an item store, comprising:
defining a relational schema among a plurality of items in the item store;
providing, by the item store, semantics for the operation of an anti-virus plug-in;
scanning the content of the item store for viruses; and
parsing the data structure of the item store to determine links of text to elements,
wherein links between rule sets in the item store are established, the rule sets further allowing relationships to be defined and providing the information necessary to parse the data structure to determine the links of text to elements.
14. The method of claim 13, further comprising providing a signature value to the item store, the signature value representing the scan time.
15. The method of claim 13, further comprising providing a scan state for the scanned content.
16. The method of claim 13, further comprising queuing content for scanning.
17. The method of claim 13, further comprising dequeuing content from the scan.
18. The method of claim 13, wherein the scanning act comprises scanning in a synchronous manner.
19. The method of claim 13, wherein the scanning act comprises scanning in an asynchronous manner.
20. The method of claim 13, further comprising automatically enqueuing modified content of the item store for scanning.
21. The method of claim 13, further comprising automatically enqueuing new content of the item store for scanning.
22. The method of claim 18, further comprising performing a forced scan.
23. The method of claim 13, further comprising cleaning infected content.
24. An item store comprising:
a plurality of filters disposed on a Multiple UNC Provider so as to provide a file system component, the file system component serving I/O requests and Uniform Naming Convention names;
a Multiple UNC Provider that uses remote access to the file system;
an anti-virus plug-in that scans the file system, the same namespace of directories and filenames being visible to the anti-virus plug-in as is visible to the file system; and
a parser for parsing the data structure of the item store to determine links of text to elements,
wherein links between rule sets in the item store are established, the rule sets further allowing relationships to be defined and providing the information necessary to parse the data structure to determine the links of text to elements.
25. The item store of claim 24, wherein the filters are kernel-mode filters.
26. A method for using an anti-virus plug-in as part of a plurality of item stores, the plurality of item stores comprising an originating item store and a client item store, the method comprising:
including the anti-virus feature of the originating item store, in serialized form, with an item consumed by a client application;
scanning, by an anti-virus plug-in available to the client, content of the originating item store that is shared with the client item store; and
parsing the data structure of the originating item store to determine links of text to elements,
wherein links between rule sets in the plurality of item stores are established, the rule sets further allowing relationships to be defined and providing the information necessary to parse the data structure to determine the links of text to elements.
CNB2005100823527A 2004-06-21 2005-06-21 Anti-viral method about the item storer Active CN100557546C (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US58156904P 2004-06-21 2004-06-21
US60/581,569 2004-06-21
US60/581,896 2004-06-22
US10/959,383 2004-10-06

Publications (2)

Publication Number Publication Date
CN1713107A CN1713107A (en) 2005-12-28
CN100557546C true CN100557546C (en) 2009-11-04

Family

ID=35718749

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100823527A Active CN100557546C (en) 2004-06-21 2005-06-21 Anti-viral method about the item storer

Country Status (1)

Country Link
CN (1) CN100557546C (en)

Also Published As

Publication number Publication date
CN1713107A (en) 2005-12-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: MICROSOFT TECHNOLOGY LICENSING LLC

Free format text: FORMER OWNER: MICROSOFT CORP.

Effective date: 20150508

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150508

Address after: Washington State

Patentee after: Micro soft technique license Co., Ltd

Address before: Washington State

Patentee before: Microsoft Corp.