CN100557546C - Anti virus for an item store - Google Patents

Anti virus for an item store

Info

Publication number
CN100557546C
Authority
CN
China
Application number
CNB2005100823527A
Other versions
CN1713107A (en)
Inventor
B·S·拉曼
J·科雷恩
M·科斯蒂
N·R·埃利斯
R·库玛
S·H·阿加瓦尔
S·阿南德
Original Assignee
Microsoft Corporation
Priority to US 60/581,569
Priority to US 60/581,896
Priority to US 10/959,383
Application filed by Microsoft Corporation
Publication of CN1713107A
Application granted
Publication of CN100557546C


Abstract

A system and method for integrating anti-virus plug-ins as part of an item store. Semantics for the operation of the anti-virus plug-ins are provided by the relational item store through a metadata component and a scanning component associated with the item store. The metadata component can supply a signature value associated with the item store that can represent the time data was scanned and the result for each scanned item. The scanning component can queue items in the data store, in synchronous and/or asynchronous modes, for scanning and cleaning by vendor-supplied anti-virus plug-ins.

Description

Anti virus for an item store

This application claims priority to the following two provisional applications: Application No. US 60/581,569, filed June 21, 2004, entitled "ANTI VIRUS FOR AN ITEM STORE"; and Application No. US 60/581,896, filed June 22, 2004, entitled "ANTI VIRUS FOR AN ITEM STORE". This application also claims priority to Application No. US 10/959,383, filed October 6, 2004, entitled "ANTI VIRUS FOR AN ITEM STORE". These applications are incorporated herein by reference in their entirety.

Technical Field

The present invention relates generally to anti-virus protection, and more particularly to systems and methods that facilitate integration of one or more anti-virus plug-ins in an item store environment, in which items can be described in terms of links and attributes.

Background

Advances in computer technology (e.g., microprocessor speed, memory capacity, data transfer bandwidth, software functionality, and the like) have generally driven progress in computer applications across various industries. Ever more powerful server systems, often configured as an array of servers, are commonly provided to service requests originating from external sources such as the World Wide Web. As local intranets have become more sophisticated, requiring the servicing of larger network loads and related applications, internal system demands have grown accordingly. As a result, a large amount of business data is kept in data stores under a management system.

Moreover, the amount of available electronic data continues to grow, and it has become increasingly important to keep such data in data stores in a manageable manner that facilitates user-friendly and quick data searches and retrieval. In general, a typical data store can be regarded as an organized collection of information with data structured so that, for example, a computer program can quickly search for and select desired pieces of data.

Data within a data store can be organized via one or more tables, wherein each table contains a set of records and a record can contain a set of fields. Records are commonly indexed as rows within a table and the record fields are commonly indexed as columns, such that a row/column pair of indices can reference particular data within a table. Typically, such data stores can be viewed as organized collections of related information stored as "records" having "fields" of information therein. For example, a financial data store can have records of financial transactions such as accounts receivable, accounts payable, customer information, and so on. Between the actual physical data store itself (e.g., the data actually stored on a storage device) and the users of the system, a management or operating system can typically provide a software cushion or layer. As such, the data store can shield users from concerns about the underlying hardware-level details. Generally, all requests from users for access to the data are processed by the system manager. For example, information can be added to or removed from data files, information can be retrieved from or updated in such files, and the like, all without the user needing to know the underlying system implementation.

At the same time, conventional data stores and operating systems have typically relied on multiple incompatible stores for data, including the registry, event log messages, contact information and e-mail, or have simply used multiple flat files for data such as images and audio. For example, in conventional data stores, stored contents are generally treated as separate entities, even though they are interrelated at some level. Accordingly, when a large number of items exist, it becomes important to have a flexible and efficient mechanism to search for particular items based on their attributes and content. For example, it can be desirable for skilled workers to be able to search for content independent of format, regardless of what type of file a particular piece of content is and what application created it.

Given a new file system that operates on related objects, new challenges can also arise. For example, viruses can find new ways to store themselves in such a file system. Typically, conventional virus checking is limited to checking files that are stored on the same computer on which the anti-virus program executes. Thus, while particular entities, including end users and web sites, can to some extent perform virus checks on files stored locally on their computers, those entities often cannot determine the virus risk associated with files under the control of other entities, where malicious code can use an encoded string deposited in the store that is decoded in the client space and propagated through e-mail. Likewise, for a conventional file system, a virus can reside in one or more streams of a file, although it is still just one file.

On the other hand, in a relational item store, content can be persisted in items, wherein an item can include a plurality of attributes, each of which can be associated with other items. As such, saving to the item store and reading back from it can involve results aggregated over many attributes of many items. This can create different paradigms, such as update paths or read paths that span many attributes. Viruses can employ such an arrangement to hide themselves "piecemeal"; for example, a virus can store an encrypted body "X" in an object's attributes and propagate by querying the store and decoding the encrypted attributes on the client, e.g., as metadata of an image that can appear harmless to an anti-virus program.

By distributing the virus body over multiple attributes and multiple items, the item store can turn into a virus store. In other words, a virus can be stored in fragments, writing itself into the attributes of multiple items, with a simple query that gathers those fragments and results in execution of the virus. Accordingly, the conventional filter model of intervening in the update or read path is generally no longer adequate for such relational item store arrangements.

Therefore, there is a need to overcome the aforementioned deficiencies associated with conventional systems and methods related to item store operations.

Summary

The following presents a simplified summary of the invention in order to provide a basic understanding of one or more aspects of the invention. This summary is not an extensive overview of the invention. It is intended neither to identify key or critical elements of the invention nor to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.

The present invention provides systems and methods that build the expectations and semantics of one or more anti-virus (AV) plug-ins into a relational item store by employing a metadata component and a scanning component associated with the item store. The metadata component can supply a rule set and/or logic in the item store for directing the anti-virus plug-ins, e.g., when to scan content, how to scan, when to invalidate, and the like. The metadata component can also supply a signature value assigned to the item store that can represent the time data was scanned, with a designated space (e.g., designated columns) in the relational item store to identify the outcome of such a scan (e.g., clean, suspect, infected, no scan required, and the like). An application program interface (API) can be provided to call the plug-ins when needed, to update the signature and set a new signature value. In addition, various scanning behaviors can be introduced to balance the speed/accuracy of supplying items to a user as a query result against the risk that those results have not been fully scanned. For example, a user may be willing to sacrifice accuracy (accept incomplete results in response to a query) in order to gain the advantage of results in which all contributing content has been fully scanned.

Moreover, other rule sets in the item store can establish links between items, wherein the rule sets can further allow links to be defined and supply the information necessary to analyze data structures to determine links from text to elements. A schema can be employed to supply the necessary rule sets and the necessary information. For example, a document object model can be provided to represent components of related entities for in-memory representations. In addition, the scanning component can queue items in the data store, in synchronous and/or asynchronous modes, for scanning and cleaning by AV plug-ins.

In accordance with an aspect of the invention, to provide backward compatibility of the store (and its AV plug-ins) with traditional files (e.g., data stream files and applications), a filter driver arrangement stacked on top of a Multiple Universal Naming Convention Provider (MUP) can be provided. (The Universal Naming Convention (UNC) supplies a naming convention for files that provides a machine-independent means of locating a file.) Such direct layering of a filter component on the MUP provides a file system component that services I/O requests to the UNC namespace. As such, the AV plug-ins can be given the same visibility into content that is available to the item store.

In a related aspect of the invention, a set of interfaces can be provided as part of the interaction of the AV plug-ins with the relational item store engine. Such interfaces can, for example, take the form of a series of stubs and/or placeholders for routines that vendors can develop to link the AV plug-ins they supply with the relational item store.

To the accomplishment of the foregoing and related ends, the invention comprises the features hereinafter fully described. The following description and the annexed drawings set forth in detail certain illustrative aspects of the invention. These aspects are indicative, however, of but a few of the various ways in which the principles of the invention can be employed. Other aspects, advantages and novel features of the invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.

Brief Description of the Drawings

FIG. 1 illustrates a block diagram of a relational item store that employs anti-virus (AV) plug-ins, in accordance with an aspect of the invention.

FIG. 2 illustrates a block diagram of a scanning component, in accordance with an aspect of the invention.

FIG. 3 illustrates a method for background scanning, in accordance with an aspect of the invention.

FIGS. 4a-4e depict various stages of creating and scanning a row, in accordance with an exemplary aspect of the invention.

FIG. 5 illustrates a layered arrangement of filters for a particular system architecture, in accordance with an aspect of the invention.

FIG. 6 illustrates a brief, exemplary depiction of a system for converting a document into data structures that reside in memory of the item store, in accordance with an aspect of the invention.

FIG. 7 illustrates a cycle of a background scan queue for data in the item store, in accordance with an aspect of the invention.

FIG. 8 illustrates a background clean queue for data in the item store, in accordance with an aspect of the invention.

FIG. 9 is a schematic block diagram of a suitable computing environment in which aspects of the invention can be employed.

FIG. 10 illustrates a client-server system that can employ the anti-virus scanning methods, in accordance with an aspect of the invention.

Detailed Description

The invention is now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. It may be evident, however, that the invention can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the invention.

As used in this application, the terms "component," "handler," "model," "system," and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers. Also, these components can execute from various computer-readable media having various data structures stored thereon. The components can communicate via local and/or remote processes, such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system or distributed system, and/or interacting with other systems by way of the signal across a network such as the Internet).

Referring initially to FIG. 1, a block diagram of a relational item store 100 that interacts with anti-virus (AV) plug-ins 130 is illustrated, in accordance with an aspect of the invention. Typically, the data item store 100 can be a relational database that employs three features, namely items, links and attributes. An item can represent any "thing" that a user, such as a client, wishes to represent as an item, and can be uniquely identified by an item ID. A link provides a named, directed relationship between two items. An attribute associates a labeled value with an item. Items are described in terms of links and attributes. Links represent associations between items, and attributes represent other information about items.

Furthermore, in such a relational data store environment, data can be stored as rows in one or more tables. The data store can be accessed by one or more queries in the form of transactions T1 through TN (N being an integer). Such transactions can include, for example, row-level operations on the data in the data item store 100. The transactions 112, 114, 116 can access the data store based on differentiated access levels granted by the data store (e.g., read-only access, read/write access, and the like), and for that data store the data is of great importance.

The item store 100 of the invention can include a metadata component 110 and a scanning component 120. The metadata component 110 can supply a rule set and/or logic in the data store 110 to direct operation of the AV plug-ins 130. The metadata component 110 can supply semantics for the AV plug-ins 130, such as when to scan, how to scan, when to invalidate, and the like.

In addition, the metadata component 110 can supply a designation of the acceptable bar level of the currently known virus state when a virus scan is performed on the data store 100. For example, the acceptable bar level can be designated by a timestamp, wherein the store can be assigned a global AV signature timestamp whose value is assigned to "VIRUSSIGNATURETS".

An exemplary data definition language (DDL) for initiating an application program interface (API) that calls the plug-ins to update the signature and set a new signature value can include:

GetNewVirusSignature()
GetCurrentVirusSignature()

In accordance with an aspect of the invention, a row associated with a table of the data store 100 can include two columns that define two attributes, namely "Last Virus Signature Scan" and "Scan State", as explained in more detail below. Briefly, "Last Virus Signature Scan" represents a timestamp, stored for each row, of the last time a virus (AV) scan was completed on the row, and "Scan State" represents whether the row content is "clean", "suspect" or "infected". When a row is created, the system automatically sets the value of "Last Virus Signature Scan" to zero and the state of the row content to "suspect". An application program interface (API) can be provided to call the anti-virus plug-ins 130, which are used to scan the data store 100 as required, and to update the signature and set a new signature value. Accordingly, the metadata component can supply a signature value associated with the item store 100 that can represent the time data was scanned, and designate space in the relational store to identify the outcome of such a scan (e.g., clean, suspect, infected). It is to be appreciated that although anti-virus checking can be the system default, a "no check needed" metadata component can also be designated when a user chooses not to scan designated items.

The item store 100 can further include a scanning component 120 that can employ the plug-ins 130 in a reliable manner. The scanning component can queue items in the item store (e.g., recent updates, changes, and the like), in synchronous and/or asynchronous modes, for scanning and cleaning by AV plug-ins supplied by third-party vendors.

Referring now to FIG. 2, a block diagram illustrates the scanning component 120 as further including an asynchronous queuing component 210 (background scan) and a synchronous queuing component 220 (on-access scan). In general, an AV plug-in cannot detect a new piecemeal virus as it enters the item store. As such, the AV plug-in can be allowed to analyze the entire contents of the item store 200. Accordingly, the AV plug-in is not confined to a particular domain of the item store 200, even though a user may be connected to that particular domain. In addition, the item store 200 can further employ a scheduling component 230 that queues item store contents for scanning by the AV plug-ins. It is to be appreciated that the scheduling component 230 can also be part of the scanning component 120, even though FIG. 2 shows it as a separate component. Such a component can enqueue or dequeue content, call the AV plug-ins, and update the metadata component based on the results.

Typically, the item store 200 can employ the asynchronous queuing component 210 for a "background scan" queue by automatically enqueuing new or updated items for virus scanning or virus cleaning. Items in the queue can be dequeued by the item store 200, for example via the scheduling component 230, and the appropriate AV interface can be called synchronously.

Scheduling of unscanned items for processing by the AV plug-ins can be supplied in the "ItemHasVirus" API. Such a call can return synchronously, and the item store 200 can update the associated AV metadata component in the item store based on the Boolean result of the call. For example, if the interface returns a "TRUE" value, the object can be designated as containing a virus, and the AV state of the row is updated to: lastVirusSignatureScanTS = @@VIRUSSIGNATURETS AND scanState = "infected".

Likewise, if the interface returns a "FALSE" value, the object has been found to be free of viruses. Accordingly, the AV state of the row can be updated to lastVirusSignatureScanTS = @@VIRUSSIGNATURETS AND scanState = "clean".

Referring now to the synchronous queuing component 220 (on-access scan) in the store, such a component can be employed so that whenever a read is performed on the item store, it is generally ensured that the results typically include only items having a "clean" scanState. As such, synchronous AV on the read path can typically guarantee that a client receives an up-to-date result set, unless an actual virus is detected while the queue is processed. Nonetheless, there can be circumstances in which a high price is paid for such an assurance. For example, a first user deposits a number of new photographs in an item domain in which a second user is searching for Word documents. The second user can then be required to wait while the query, as a side effect, triggers scanning of the first user's photo deposit.

At the same time, each time a query is executed, if the scope of items over which the query executes has not been completely AV scanned, the result may be incomplete. Accordingly, the invention introduces a "forced" scan as part of the synchronous queuing component, in which the manner in which an application should operate is determined by setting a "session variable". An application can rely on the most advantageous approach and accept the transaction result even though it is incomplete because the AV plug-ins have not yet been called on all components of the item store 200. Alternatively, if the item store 200 finds that certain items that could potentially contribute to the query result have not yet been scanned, the scan is triggered as a side effect so that such content is included in the transaction result.

As such, to control whether items should be checked inline, a new session-level set option, @@VIRUSCHECKONREAD, is introduced. When this field is assigned the value "0", all read queries typically consider only rows whose scanState = "clean". Likewise, when it is assigned the value "1", rows with scanState != "clean" are forced to be scanned during query execution.

The predicate can then be changed to state:

WHERE (lastVirusSignatureScanTS = @@VIRUSSIGNATURETS AND scanState = 'clean') OR (@@VIRUSCHECKONREAD = 1 AND lastSignatureScan != @@VIRUSSIGNATURETS AND ItemHasVirus(ItemId) = 0);

Similar predicates can be evaluated on other persisted data in the store, such as Extensions and Links. In that case, the function ExtensionHasVirus() or LinkHasVirus() would be called.
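The read predicate above, modelled on SQLite as an added example (not code from the patent or from any vendor). ItemHasVirus is a hypothetical plug-in stub registered as a SQL function, the marker string and sample items are constructed, the two session settings are passed as query parameters, and both clauses test the lastVirusSignatureScanTS column.

```python
import sqlite3

# Constructed stand-in for content a vendor engine would flag; not a real signature.
MARKER = "X-CONSTRUCTED-TEST-MARKER"


class ItemStore:
    """Toy item table carrying the two AV metadata columns from the description."""

    def __init__(self, signature_ts):
        self.signature_ts = signature_ts  # plays the role of @@VIRUSSIGNATURETS
        self.bodies = {}                  # item content as the plug-in stub sees it
        self.verdicts = {}                # ItemId -> infected?, filled during a read
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE Item ("
            " ItemId INTEGER PRIMARY KEY,"
            " lastVirusSignatureScanTS INTEGER NOT NULL DEFAULT 0,"
            " scanState TEXT NOT NULL DEFAULT 'suspect')"
        )
        # Make the plug-in entry point callable from SQL, as the predicate expects.
        self.db.create_function("ItemHasVirus", 1, self._item_has_virus)

    def _item_has_virus(self, item_id):
        """Hypothetical vendor plug-in stub: returns 1 for infected, 0 otherwise."""
        infected = MARKER in self.bodies[item_id]
        self.verdicts[item_id] = infected
        return int(infected)

    def add(self, item_id, body):
        """Insert an item; the defaults give it timestamp 0 and state 'suspect'."""
        self.bodies[item_id] = body
        self.db.execute("INSERT INTO Item (ItemId) VALUES (?)", (item_id,))

    def read(self, check_on_read):
        """Return visible ItemIds; check_on_read plays @@VIRUSCHECKONREAD (0 or 1)."""
        self.verdicts.clear()
        rows = self.db.execute(
            "SELECT ItemId FROM Item WHERE"
            " (lastVirusSignatureScanTS = :sig AND scanState = 'clean')"
            " OR (:force = 1 AND lastVirusSignatureScanTS != :sig"
            "     AND ItemHasVirus(ItemId) = 0)"
            " ORDER BY ItemId",
            {"sig": self.signature_ts, "force": check_on_read},
        ).fetchall()
        # Persist the forced-scan verdicts so later reads do not rescan these rows.
        for item_id, infected in self.verdicts.items():
            self.db.execute(
                "UPDATE Item SET lastVirusSignatureScanTS = ?, scanState = ?"
                " WHERE ItemId = ?",
                (self.signature_ts, "infected" if infected else "clean", item_id),
            )
        return [row[0] for row in rows]

    def state(self, item_id):
        """Return (lastVirusSignatureScanTS, scanState) for one row."""
        return self.db.execute(
            "SELECT lastVirusSignatureScanTS, scanState FROM Item WHERE ItemId = ?",
            (item_id,),
        ).fetchone()


def demo():
    store = ItemStore(signature_ts=100)
    store.add(1, "quarterly report")
    store.add(2, "notes " + MARKER)
    store.add(3, "holiday photo")
    fast = store.read(check_on_read=0)    # nothing scanned yet: incomplete result
    forced = store.read(check_on_read=1)  # unscanned rows are scanned inline
    store.signature_ts = 101              # a new signature makes every row stale
    after_update = store.read(check_on_read=0)
    return fast, forced, after_update


if __name__ == "__main__":
    print(demo())
```

With the option at 0 a signature update hides every row until a scan catches up, which is the speed versus completeness trade-off the description attributes to the session setting.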

In another aspect of the invention, the scheduling component 230 can schedule infected items for processing by the CleanItem API of the AV plug-ins. The call can return synchronously, and the AV metadata can be updated in the item store 200 based on the Boolean result of the call. For example, if the interface returns a "TRUE" value, the object has been cleaned. The AV state of the row can then be updated to lastVirusSignatureScanTS = @@VIRUSSIGNATURETS with scanState = "clean". On the other hand, if the interface returns FALSE, the object has generally not been cleaned, and the AV state of the row is updated to lastVirusSignatureScanTS = @@VIRUSSIGNATURETS with scanState = "infected".

FIG. 3 illustrates a methodology 300 of background scanning in accordance with an aspect of the invention. Initially, at 310, the item store completes an update of the metadata component based on the results of the AV plug-ins on the item store contents. Next, at 315, the store-wide signature of the store is updated to reflect the most recent AV plug-in scan. Then, at 320, the item store can put stale items back in the queue for subsequent AV scanning. In addition, recent updates can also wait on such a priority queue. As explained in detail above, items in the queue can be dequeued by the item store, and the appropriate AV interface can be called synchronously at 325. The methodology then loops back to act 310, where the item store completes the update of the metadata component based on the results of the AV plug-ins. While the exemplary method is illustrated and described herein as a series of blocks representative of various events and/or acts, the invention is not limited by the illustrated ordering of such blocks. For instance, some acts or events can occur in different orders and/or concurrently with other acts or events, apart from the ordering illustrated herein, in accordance with the invention. In addition, not all illustrated blocks, events or acts may be required to implement a methodology in accordance with the invention.

Moreover, it will be appreciated that the exemplary method and other methods according to the invention can be implemented in association with the method illustrated and described herein, as well as in association with other systems and apparatus not illustrated or described.

Referring now to FIGS. 4a-4e, a row associated with a table of the item store is illustrated. It includes two columns that define two attributes, namely "last virus signature scan" and "scan state". In general, the core operating characteristic of a relational data store is the ability to perform associative queries over tables. Sets of entities stored in tables can be accessed using a set processing language such as SQL (Structured Query Language). The language specifies one or more tables as the source of the data and outputs only those rows, if any, that satisfy a given condition. For example, as described above, the item store can be a relational database, an object database and/or an object-relational database. For a relational database, a set of entities with the same structure is called a table, and each entity is called a row. The components of the structure are called columns. A relational database can include one or more tables. The exemplary table provided in FIGS. 4a-4e, including its signature updates, can be subjected to virus scanning in accordance with an aspect of the invention. It should be appreciated that the data store of the invention contemplates the presence of data both as traditional data streams and as relational objects. For example, when query results can be affected by a virus attack, the contents of such a table need protection from virus attacks.
In particular, malicious code can exploit an encoded string held in the store, which can be decoded in client space and propagated by e-mail. For example, a virus can save an encrypted body "X" in an item attribute so that it can propagate itself by querying the store and decrypting the encrypted attribute on the client. When a query is executed, the data store of the invention can use a queuing mechanism to queue the items in the table, in synchronous and/or asynchronous mode, for scanning and cleaning by the anti-virus plug-in supplied by a vendor. The relational item store engine can then provide a response to the query based on the query and, in particular, on user context information.

FIG. 4a depicts the creation of a row, where the system automatically sets lastVirusSignatureScanTS = 0 and scanState = "suspect". The row keeps these values until the AV plug-in has scanned it, after which it contains the timestamp of the scan plus the scan result, as shown by the "clean" state in FIG. 4b. FIG. 4c illustrates an update of the row, where the item store automatically sets scanState = "suspect" but does not change the value of lastVirusSignatureScanTS. The anti-virus plug-in is responsible for scanning the item, link or extension row and for indicating either that the item is free of viruses or that the item is infected. FIG. 4d illustrates the clean state, where the item store sets lastVirusSignatureScanTS to the current value of @@VIRUSSIGNATURETS and sets the scanState attribute to "clean". Likewise, FIG. 4e illustrates the alternative case in which the item is infected. Here the item store sets lastVirusSignatureScanTS to @@VIRUSSIGNATURETS and the scanState attribute to "infected", which can result in "quarantine" of the item. Such items therefore need to be cleaned by the plug-in before their content becomes available again to future queries.

FIG. 5 illustrates a block diagram of a particular layering arrangement in accordance with an aspect of the invention. In general, the item store of the invention contemplates the presence of data both as traditional data streams and as relational objects. Accordingly, to provide backward compatibility of the item store and its AV plug-ins with traditional files (e.g., data stream files and applications), the invention uses a new architecture for file filters, in which the Multiple Universal Naming Convention Provider (MUP) component 515 is registered as a file system and UNC providers are typically not registered as file systems. In general, this ensures that all UNC I/O typically passes through the MUP. Thus, as shown in FIG. 5, a stack of file filters (510, 520, 530), such as AV filters, can attach itself to the MUP (e.g., layer itself on top of the MUP) and filter all UNC I/O, which includes the file stream I/O of items in the item store. The Universal Naming Convention (UNC) can provide a naming convention for files that offers a machine-independent means of locating a file. The MUP component 515 serves as the file system for UNC namespace access, where the same namespace of directory and file names that is visible to the item store is also visible to the AV plug-in.

As illustrated, the kernel mode 550 can act as the core program, or kernel, of the computer operating system. Such an operating system is generally responsible for processing data and managing input and output. As part of the operating system, the kernel mode 550 is loaded first and remains in main memory. Besides being responsible for process management, file management, memory management and the like, the kernel component 550 typically provides the essential services or procedures required by applications and drivers. For example, procedures can correspond to I/O scheduling, buffering, spooling, error handling and the like. Furthermore, it should be noted that the term kernel mode 550 service as used herein is intended to cover any service, procedure, driver, application or other component that can be located in the kernel address space.

In a related aspect of the invention, a set of interfaces can be provided as part of the interaction between the vendor-supplied plug-in and the relational item store engine. Such interfaces can, for example, take the form of a series of stubs and/or placeholders that vendors can develop to link the supplied AV plug-in with the relational item store. Such interfaces can be implemented by vendors for scanning and cleaning items, extensions and links. For example:

BOOL ScanItem (ItemId itemId)
BOOL ScanExtension (ItemId itemId, ExtensionId extId)
BOOL ScanLink (ItemId itemId, LinkId linkId)

Each interface can return a Boolean status value. The value can be set to "true" if the item is found to contain a virus (or to participate in a piecemeal attack), and to "false" if the item is free of viruses. Similar examples for the cleaning process can include:

BOOL CleanItem (ItemId itemId)
BOOL CleanExtension (ItemId itemId, ExtensionId extId)
BOOL CleanLink (ItemId itemId, LinkId linkId)

Each interface can return a Boolean status value, which can be set to "true" if the store object was cleaned successfully and to "false" if the AV plug-in could not clean the store object. Such functions can be called by the item store when a store object requires an AV scan operation, or when an infected object requires an AV clean operation.
In both cases, it is typically the AV vendor's responsibility to fetch the item data from the store as needed, using the store mechanisms described above. It is further to be appreciated that the scanning and cleaning aspects can be combined or performed in separate stages. The interfaces can be called by the item store on demand, for synchronous or asynchronous scanning and cleaning. In addition, all item store content is typically accessible to the AV plug-in through standard query mechanisms that use a privileged connection. Installation of bogus AV plug-ins can be avoided, for example, by using signed assemblies. Each interface can also support a "*void" plug-in context that is passed through each API.

FIG. 6 illustrates, in accordance with an aspect of the invention, a brief exemplary depiction of a system 610 for converting an XML document 612 into a data structure 620 that resides in memory in an item store conforming to a document object model 618. The XML document 612 is parsed by a parser 614 to provide a list of semantic elements and attributes to a transformation component 616. The list of semantic elements and attributes can then be transformed or mapped to the data structure 620 of the item store conforming to the document object model 618. As shown in the XML document 612, the document includes a number of elements with parent-child links. The data elements represented by the XML DOM can include a hierarchical structure with "People" as the top-level node, a first leaf node or branch with the element "John" having child nodes "Loves" and "Mary", and a second leaf node or branch having the node "Mary". A parser selected to retrieve or match information from the second branch would retrieve the element "Mary" without knowing of the link "John Loves Mary". The item store of the invention, however, can model the represented structure in terms of links between elements or items, so the link "John Loves Mary" can readily be discerned with the present model.
As can be seen in the data structure 620, a parser can retrieve information about "Mary" by following the link between the "People" node and the "Mary" node to determine that Mary is a person, and by following the link between the "Mary" node and the "John" node to determine that Mary is loved by John. The present model therefore presents the data structure in terms of links, in addition to elements (or items) and attributes as is the case in the XML DOM.

FIG. 7 illustrates a cycle of background scan queue operations in accordance with an aspect of the invention. The cycle initially begins when the item store completes updating the metadata component based on the results of the AV plug-in on the item store's content. Next, moving clockwise along arrow 720, the store-wide signature is updated to reflect the most recent AV plug-in scan. Then, moving along arrow 740, the item store can place stale items back in the queue for a subsequent AV scan. In addition, following arrow 760, recent updates can also wait on such a priority queue. Items in the queue can be dequeued by the item store, and the appropriate AV interface can be called synchronously, as indicated by arrow 780. The scan cycle can then loop back as indicated by arrow 790, at which point the item store completes updating the metadata component based on the results of the AV plug-in. As explained earlier, the metadata component can also provide a signature value assigned to the item store, which can represent the time of the data scan, and can designate space in the relational item store (e.g., designated columns) to identify the result of that scan (e.g., clean result, suspect result, infected result, scan unnecessary, and the like). This is represented by table 795. In this way, a pending scan can be provided as part of the item life cycle.

The anti-virus plug-in is responsible for scanning the item, link or extension row and for indicating either that the item is free of viruses or that the item is infected. To clean infected items, as illustrated in FIG. 8, the infected items can be scheduled for processing by the AV plug-in's CleanItem API. The call can return synchronously, and the AV metadata can be updated in the item store 800. If the call succeeds (e.g., if the interface returns a "true" value), the object can be considered clean, and this is indicated in the associated row.
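The row states of FIGS. 4a-4e, the background scan cycle of FIGS. 3 and 7 and the clean step of FIG. 8 can be traced in code. The following is an added example, not code from the patent: the SQLite table, the ToyPlugin substring matcher and all method names are assumptions, and only the two AV columns, their values and the ScanItem/CleanItem return conventions come from the description.

```python
import sqlite3

SUSPECT, CLEAN, INFECTED = "suspect", "clean", "infected"

class ToyPlugin:
    """Hypothetical vendor plug-in; substring signatures stand in for detection."""
    def __init__(self, signatures, cleanable):
        self.signatures = set(signatures)
        self.cleanable = set(cleanable)  # signatures this plug-in can remove

    def _hits(self, store, item_id):
        # Fetching the item data by id is the plug-in's job, per the description.
        body = store.db.execute(
            "SELECT body FROM items WHERE id=?", (item_id,)).fetchone()[0]
        return body, {s for s in self.signatures if s in body}

    def scan_item(self, store, item_id):
        """Mirrors ScanItem: True means a virus was found."""
        return bool(self._hits(store, item_id)[1])

    def clean_item(self, store, item_id):
        """Mirrors CleanItem: True means the object was cleaned."""
        body, hits = self._hits(store, item_id)
        if not hits <= self.cleanable:
            return False
        for sig in hits:
            body = body.replace(sig, "")
        store.db.execute("UPDATE items SET body=? WHERE id=?", (body, item_id))
        return True

class ItemStore:
    """Constructed model: one table carrying the two AV columns of Figs. 4a-4e."""
    def __init__(self, plugin):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE items (id INTEGER PRIMARY KEY, body TEXT,"
            " lastVirusSignatureScanTS INTEGER, scanState TEXT)")
        self.plugin = plugin
        self.signature_ts = 1  # stands in for @@VIRUSSIGNATURETS

    def state(self, item_id):
        return self.db.execute(
            "SELECT lastVirusSignatureScanTS, scanState FROM items WHERE id=?",
            (item_id,)).fetchone()

    def create(self, body):  # Fig. 4a: timestamp 0, state suspect
        return self.db.execute(
            "INSERT INTO items (body, lastVirusSignatureScanTS, scanState)"
            " VALUES (?, 0, ?)", (body, SUSPECT)).lastrowid

    def update(self, item_id, body):  # Fig. 4c: suspect again, timestamp kept
        self.db.execute("UPDATE items SET body=?, scanState=? WHERE id=?",
                        (body, SUSPECT, item_id))

    def new_signatures(self, signatures):
        """A signature update makes every earlier scan result stale."""
        self.plugin.signatures |= set(signatures)
        self.signature_ts += 1

    def _record(self, item_id, state):  # Figs. 4d/4e: stamp with current TS
        self.db.execute(
            "UPDATE items SET lastVirusSignatureScanTS=?, scanState=? WHERE id=?",
            (self.signature_ts, state, item_id))

    def _scan(self, item_id):
        found = self.plugin.scan_item(self, item_id)
        self._record(item_id, INFECTED if found else CLEAN)

    def pending(self):
        """Scan queue: recently written (suspect) rows first, then stale rows."""
        rows = self.db.execute(
            "SELECT id FROM items WHERE scanState=? OR lastVirusSignatureScanTS<?"
            " ORDER BY (scanState=?) DESC, id",
            (SUSPECT, self.signature_ts, SUSPECT)).fetchall()
        return [r[0] for r in rows]

    def background_scan(self):
        queue = self.pending()
        for item_id in queue:
            self._scan(item_id)
        return queue

    def clean_infected(self):
        """Hand infected rows to CleanItem: TRUE -> clean, FALSE -> infected."""
        ids = [r[0] for r in self.db.execute(
            "SELECT id FROM items WHERE scanState=?", (INFECTED,))]
        for item_id in ids:
            cleaned = self.plugin.clean_item(self, item_id)
            self._record(item_id, CLEAN if cleaned else INFECTED)
        return ids

    def read(self, item_id):
        """Synchronous path: scan on demand, withhold quarantined content."""
        ts, state = self.state(item_id)
        if state == SUSPECT or ts < self.signature_ts:
            self._scan(item_id)
        body, state = self.db.execute(
            "SELECT body, scanState FROM items WHERE id=?", (item_id,)).fetchone()
        return body if state == CLEAN else None
```

A row that scanned clean under an older signature set is rescanned after new_signatures(), which is why the timestamp column is compared against the store-wide value rather than trusted on its own.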

Referring now to FIG. 9, a brief, general description of a suitable computing environment on the client as well as the server side is illustrated, in which the various aspects of the invention can be implemented. While the invention has been described above in the general context of computer-executable instructions of a computer program that runs on a computer and/or computers, those skilled in the art will recognize that the invention can also be implemented in combination with other program modules. Generally, program modules include routines, programs, components, data structures and the like that perform particular tasks and/or implement particular abstract data types. Moreover, those skilled in the art will recognize that the methods of the invention can be practiced with other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like. As explained earlier, the illustrated aspects of the invention can also be practiced in distributed computing environments in which tasks are performed by remote processing devices that are linked through a communications network. However, some, if not all, aspects of the invention can be practiced on stand-alone computers. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.
The example includes a computer 920, including a processing unit 921, a system memory 922, and a system bus 923 that couples various system components, including the system memory, to the processing unit 921. The processing unit 921 can be any of various commercially available processors. Dual microprocessors and other multiprocessor architectures can also be used as the processing unit 921.

The system bus can be any of several types of bus structure, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. The system memory can include read only memory (ROM) 924 and random access memory (RAM) 925. A basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the computer 920, such as during start-up, is stored in ROM 924.

The computer 920 further includes a hard disk drive 927, a magnetic disk drive 928, e.g., to read from or write to a removable disk 929, and an optical disk drive 930, e.g., for reading from or writing to a CD-ROM disk 931 or other optical media. The hard disk drive 927, magnetic disk drive 928 and optical disk drive 930 are connected to the system bus 923 by a hard disk drive interface 932, a magnetic disk drive interface 933 and an optical drive interface 934, respectively. The drives and their associated computer-readable media provide nonvolatile storage of data, data structures, computer-executable instructions and the like for the computer 920. Although the description of computer-readable media above refers to a hard disk, a removable magnetic disk and a CD, those skilled in the art will appreciate that other types of media that are readable by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges and the like, can also be used in the exemplary operating environment, and that any such media can contain computer-executable instructions for performing the methods of the invention.

A number of program modules can be stored in the drives and RAM 925, including an operating system 935, one or more application programs 936, other program modules 939, and program data 939. The operating system 935 in the illustrated computer can be virtually any commercially available operating system.

A user can enter commands and information into the computer 920 through a keyboard 940 and a pointing device such as a mouse 942. Other input devices (not shown) can include a microphone, a joystick, a game pad, a satellite dish, a scanner, or the like. These and other input devices are typically connected to the processing unit 921 through a serial port interface 946 that is coupled to the system bus, but can also be connected by other interfaces, such as a parallel port, a game port or a universal serial bus (USB). A monitor 949 or other type of display device is also connected to the system bus 923 via an interface such as a video adapter 949. In addition to the monitor, computers typically include other peripheral output devices (not shown), such as speakers and printers.

The computer 920 can operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 949. The remote computer 949 can be a workstation, a server computer, a router, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 920, although only a memory storage device 950 is illustrated in FIG. 9. The logical connections depicted in FIG. 9 can include a local area network (LAN) 951 and a wide area network (WAN) 952. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, the computer 920 can be connected to the local network 951 through a network interface or adapter 953. When used in a WAN networking environment, the computer 920 typically can include a modem 954, and/or be connected to a communications server on the LAN, and/or have other means for establishing communications over the wide area network 952, such as the Internet. The modem 954, which can be internal or external, can be connected to the system bus 923 via the serial port interface 946. In a networked environment, program modules described relative to the computer 920, or portions thereof, can be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and that other means of establishing a communications link between the computers can be used.

In accordance with the practices of persons skilled in the art of computer programming, the invention has been described with reference to acts and symbolic representations of operations that are performed by a computer, such as the computer 920, unless otherwise indicated. Such acts and operations are sometimes referred to as being computer-executed. It will be appreciated that the acts and symbolically represented operations include the manipulation by the processing unit 921 of electrical signals representing data bits, which causes a resulting transformation or reduction of the electrical signal representation, and the maintenance of data bits at memory locations in the memory system (including the system memory 922, hard disk drive 927, floppy disk drive 928, and CD-ROM 931), thereby reconfiguring or otherwise altering the operation of the computer system, as well as other processing of signals. The memory locations where such data bits are maintained are physical locations that have particular electrical, magnetic or optical properties corresponding to the data bits.

Referring now to FIG. 10, a client-server system 1000 that uses an AV plug-in method is illustrated in accordance with an aspect of the invention. The client(s) 1020 can be hardware and/or software (e.g., threads, processes, computing devices). The system 1000 can also include one or more servers 1040. The server(s) 1040 can also be hardware and/or software (e.g., threads, processes, computing devices). For example, such servers 1040 can house threads to perform transformations by employing the invention. The client 1020 and the server 1040 can communicate between two or more computer processes in the form of data packets transmitted according to the invention. The client and server can also share the same process. As illustrated, the system 1000 includes a communication framework 1080 that can facilitate communications between the client(s) 1020 and the server(s) 1040. The client(s) 1020 can optionally be connected to one or more client data stores 1010 that can store information local to the client(s) 1020. In addition, the client 1020 can access and update databases 1060 located on a server computer 1040 that runs a server process. In one aspect of the invention, the communication framework 1080 can be the Internet, with the client process being a web browser and the server process being a web server. As such, a typical client 1020 can be a general purpose computer, such as a conventional personal computer having a central processing unit (CPU), system memory, a modem or a network card for connecting the personal computer to the Internet, a display, and other components such as a keyboard, a mouse, and the like. Likewise, a typical server 1040 can be a university or corporate mainframe computer, a dedicated workstation, and the like.

It should be appreciated that even though the invention has been described primarily in the context of an AV plug-in within a single store, the workflow can be implemented across multiple stores. In general, a deployment with multiple stores on multiple machines can result in inconsistent levels of anti-virus assurance across the stores. To mitigate such inconsistency, a particular exemplary approach is to allow the plug-in of the client store to scan content read from a share on another store. This typically requires including the anti-virus signature of the originating store in the serialized form of the item consumed by the client application. Based on this information and local policy, the plug-in available to the client store can scan the content read from the source store. More specifically, such anti-virus plug-ins are confined to a single store. Therefore, if an application running on a different machine reads content from the item store through a share, the application is protected by the anti-virus plug-in in the store that hosts the share. In a deployment with multiple stores on different machines, this leads to inconsistent levels of anti-virus assurance between the stores. One solution is to allow the plug-in of the client store to scan content read from a share on another store. This may require including the anti-virus signature of the originating store in the serialized form of the item consumed by the client application.
Based on this information and local policy, the plug-in available to the client store can scan the content read from the source store.

Although the invention has been described with respect to certain illustrated aspects, it will be appreciated that equivalent alterations and modifications will occur to others skilled in the art upon reading and understanding this specification and the annexed drawings. In particular regard to the various functions performed by the above-described components (assemblies, devices, circuits, systems, etc.), the terms (including a reference to a "means") used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., that is functionally equivalent), even though not structurally equivalent to the disclosed structure, which performs the function in the exemplary aspects of the invention illustrated herein. In this regard, it will also be recognized that the invention includes a system as well as a computer-readable medium having computer-executable instructions for performing the acts and/or events of the various methods of the invention. Furthermore, to the extent that the terms "includes", "having" and variants thereof are used in either the detailed description or the claims, these terms are intended to be inclusive in a manner similar to the term "comprising".

Claims (25)

1. An item store, comprising: a metadata component that provides semantics for the operation of an anti-virus plug-in that interacts with the item store; a scanning component that queues content of the item store to the anti-virus plug-in for virus scanning of the content of the item store; and an analyzer for analyzing data structures of the item store to determine links of text to elements, wherein a rule set in the item store establishes links between items, the rule set further allowing relationships to be defined and providing the information necessary to analyze the data structures to determine the links of text to elements.
2. The item store of claim 1, wherein the metadata component provides a signature value that represents a scan time of the content.
3. The item store of claim 1, wherein the metadata component provides a scan state of the content.
4. The item store of claim 3, wherein the scan state is set to one of suspect, clean and infected.
5. The item store of claim 3, wherein the scan state is set to no scan needed.
6. The item store of claim 1, wherein the scanning component queues the content in at least one of a synchronous and an asynchronous manner.
7. The item store of claim 1, wherein the metadata component provides a signature value to the item store.
8. The item store of claim 7, wherein the signature value represents the time at which the content of the item store was scanned.
9. The item store of claim 1, wherein the scanning component comprises at least one of an asynchronous queuing component and a synchronous queuing component.
10. The item store of claim 1, further comprising a scheduling component that schedules scan processes of the anti-virus plug-in.
11. The item store of claim 1, further comprising means for cleaning infected items.
12. The item store of claim 1, further comprising means for providing the anti-virus plug-in with the same visibility of content as the file system of the item store.
13. A method for virus scanning an item store, comprising: defining a relational schema between a plurality of items in the item store; providing, through the item store, semantics for the operation of an anti-virus plug-in; scanning content of the item store for viruses; and analyzing data structures of the item store to determine links of text to elements, wherein a rule set in the item store establishes links between items, the rule set further allowing relationships to be defined and providing the information necessary to analyze the data structures to determine the links of text to elements.
14. The method of claim 13, further comprising providing a signature value to the item store, the signature value specifying a scan time.
15. The method of claim 13, further comprising providing a scan state to the scanned content.
16. The method of claim 13, further comprising queuing content for scanning.
17. The method of claim 13, further comprising dequeuing content from the scan.
18. The method of claim 13, wherein the act of scanning comprises scanning in a synchronous manner.
19. The method of claim 13, wherein the act of scanning comprises scanning in an asynchronous manner.
20. The method of claim 13, further comprising automatically enqueuing modified content of the item store for scanning.
21. The method of claim 13, further comprising automatically enqueuing new content of the item store for scanning.
22. The method of claim 18, further comprising performing a forced scan.
23. The method of claim 13, further comprising cleaning infected content.
24. An item store, comprising: a plurality of filters arranged on a multiple uniform naming convention provider to provide a file system component, the file system component servicing I/O requests and uniform naming convention names; the multiple uniform naming convention provider, which serves as remote access to the file system; an anti-virus plug-in that scans the file system, wherein the same namespace of directories and file names that is visible to the file system is also visible to the anti-virus plug-in; and an analyzer for analyzing data structures of the item store to determine links of text to elements, wherein a rule set in the item store establishes links between items, the rule set further allowing relationships to be defined and providing the information necessary to analyze the data structures to determine the links of text to elements.
25. The item store of claim 24, wherein the filters are kernel-mode filters.
26. A method for incorporating an anti-virus plug-in as part of a plurality of item stores, the plurality of item stores including an originating item store and an item store of a client, the method comprising: including anti-virus features of the originating item store in a serialized form of an item consumed by a client application; scanning, by an anti-virus plug-in available to the client, content of the originating item store that is shared with the item store of the client; and analyzing data structures of the originating item store to determine links of text to elements, wherein a rule set in the plurality of item stores establishes links between items, the rule set further allowing relationships to be defined and providing the information necessary to analyze the data structures to determine the links of text to elements.
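
The following is an added example, not code from the patent: a minimal Python model of the behaviour recited in claims 2-5 and 14-23 (scan states, a signature value recording scan time, automatic enqueueing of new and modified content, asynchronous and synchronous scanning, forced scan, cleaning). The class and method names, the plug-in interface, the constructed marker pattern, and the reading of "forced scan" as a rescan that ignores a stored verdict are all assumptions.

```python
import time
from collections import deque
from enum import Enum

class ScanState(Enum):              # the states named in claims 4 and 5
    SUSPECT = "suspect"
    CLEAN = "clean"
    INFECTED = "infected"
    NO_SCAN_NEEDED = "no scan needed"

class MarkerPlugin:                 # constructed stand-in for a vendor plug-in
    MARKER = b"TEST-MARKER"         # constructed pattern, not a real signature
    def scan(self, content): return self.MARKER in content
    def clean(self, content): return content.replace(self.MARKER, b"")

class ItemStore:                    # hypothetical model, not the patent's code
    def __init__(self, plugin, clock=time.time):
        self.plugin, self.clock = plugin, clock
        self.items = {}             # item id -> content
        self.meta = {}              # item id -> (ScanState, signature value = scan time)
        self.queue = deque()        # pending asynchronous scans

    def put(self, item_id, content):
        # New or modified content loses any earlier verdict and is enqueued.
        self.items[item_id] = content
        self.meta[item_id] = (ScanState.SUSPECT, None)
        if item_id not in self.queue:
            self.queue.append(item_id)

    def _scan(self, item_id):
        hit = self.plugin.scan(self.items[item_id])
        self.meta[item_id] = (ScanState.INFECTED if hit else ScanState.CLEAN, self.clock())
        return self.meta[item_id][0]

    def drain(self):                # asynchronous mode: a worker dequeues and scans
        while self.queue:
            self._scan(self.queue.popleft())

    def scan_sync(self, item_id, force=False):
        # Synchronous mode: scan on demand; force=True rescans despite a stored verdict.
        if not force and self.meta[item_id][0] is not ScanState.SUSPECT:
            return self.meta[item_id][0]
        if item_id in self.queue:
            self.queue.remove(item_id)
        return self._scan(item_id)

    def clean(self, item_id):
        # Cleaned content is a modification: it re-enters as suspect and is rescanned.
        self.put(item_id, self.plugin.clean(self.items[item_id]))
        return self.scan_sync(item_id)
```

Resetting the state to suspect on every write is what keeps a stale "clean" verdict from outliving a modification; the recorded scan time lets an operator see which verdicts predate a plug-in update.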
CNB2005100823527A 2004-06-21 2005-06-21 Anti virus for an item store CN100557546C (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US58156904P true 2004-06-21 2004-06-21
US60/581,569 2004-06-21
US60/581,896 2004-06-22
US10/959,383 2004-10-06

Publications (2)

Publication Number Publication Date
CN1713107A CN1713107A (en) 2005-12-28
CN100557546C true CN100557546C (en) 2009-11-04

Family

ID=35718749

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100823527A CN100557546C (en) 2004-06-21 2005-06-21 Anti virus for an item store

Country Status (1)

Country Link
CN (1) CN100557546C (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001073523A2 (en) * 2000-03-24 2001-10-04 Mcafee.Com Corporation Method and system for detecting viruses on handheld computers
US6721721B1 (en) * 2000-06-15 2004-04-13 International Business Machines Corporation Virus checking and reporting for computer database search results
GB2396227A (en) * 2002-12-12 2004-06-16 Messagelabs Ltd Method of detecting viruses in executable code

Also Published As

Publication number Publication date
CN1713107A (en) 2005-12-28

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
ASS Succession or assignment of patent right

Owner name: MICROSOFT TECHNOLOGY LICENSING LLC

Free format text: FORMER OWNER: MICROSOFT CORP.

Effective date: 20150508

C41 Transfer of patent application or patent right or utility model