Persistent storage access system and method for a wireless malware scan engine

FIELD OF THE INVENTION

[0002] The present invention relates to wireless device security, and more particularly to scanning wireless devices for malware.

BACKGROUND OF THE INVENTION

[0003] The last decade has seen a rapid growth in the number and use of mobile cellular telephones. More recently, wireless devices have been introduced which combine the functionality of mobile telephones and Personal Digital Assistants (PDAs). It is expected that this area will undergo massive growth in the near future as new cellular telecommunication standards (e.g. GPRS, UMTS, and WAP) make possible the high speed transfer of data across the wireless interface.

[0004] It can be expected that such platforms will be susceptible to attack from so-called “malware” such as viruses, Trojan horses, and worms (referred to collectively hereinafter as “viruses”) in much the same way as present day personal computers and workstations are susceptible to malware attack. A number of mobile telephone viruses have already been identified.

[0005] In order to resist virus attacks, anti-virus software must be deployed into mobile platforms in much the same way as it has been deployed in the desktop environment. A number of different desktop anti-virus applications are currently available. The majority of these applications rely upon a basic scanning engine which searches suspect files for the presence of predetermined virus signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified viruses.

[0006] Typically, users download replacement databases every so often, either over the Internet, from a received e-mail, or from a CDROM or floppy disk. Users are also expected to update there software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a new strain of virus is detected).

[0007] Mobile wireless platforms present a series of problems for software developers (including developers of anti-virus software). Chief among these are the limited memory and processing power of mobile platforms, and the limited input/output capabilities which they possess (i.e. no CDROM or floppy drive, and no high bandwidth fixed line network or Internet connectivity).

[0008] Moreover, mobile wireless platforms are traditionally not standardized like conventional desktops. For example, instead of running Microsoft™ Windows™, such mobile wireless platforms may have installed thereon a variety of types of operating systems. This complicates the act of designing an anti-virus scanner that is capable of operating on any one of a plurality of mobile wireless platforms.

DISCLOSURE OF THE INVENTION

[0009] A system, method and computer program product are provided for scanning a mobile wireless device for malware. Initially, data stored in persistent memory of a mobile wireless device is accessed. Next, the data is scanned utilizing an anti-malware scanner of the mobile wireless device. Such data is accessed utilizing an abstract file system interface.

[0010] To this end, any type of data native to any particular platform may be accessed without platform-dependencies. A versatile technique is thus provided which is tailored for mobile wireless environments.

[0011] In one embodiment, the abstract file system interface may be implemented for each class of the data stored in the persistent memory. In various embodiments, the abstract file system interface may include an abstract directory interface, an abstract directory entry interface, and/or an abstract file interface.

[0012] In another embodiment, the abstract file system interface may include data structures with call back functions. Such call back functions may enumerate the data. Moreover, the call back functions may manipulate the data.

BRIEF DESCRIPTION OF THE DRAWINGS

[0013]
FIG. 1 illustrates an exemplary architecture for scanning a mobile wireless device for malware, in accordance with one embodiment.

[0014]
FIG. 2 illustrates an overview of the component architecture associated with the anti-malware scanner running on the mobile wireless devices.

[0015]
FIG. 3 illustrates a method for scanning a mobile wireless device for malware utilizing a user interface, in accordance with one embodiment.

[0016]
FIG. 4 illustrates a sample user interface screen that shows the features exposed by the anti-malware scanner.

[0017]
FIG. 5 illustrates a block diagram showing the interaction between a component manager and other subsystems such as the user interface.

[0018]
FIG. 6 illustrates a method for scanning a mobile wireless device for malware utilizing a component manager, in accordance with one embodiment.

[0019]
FIG. 7 illustrates a system including an on-access scanner, in accordance with one embodiment.

[0020]
FIG. 8 illustrates a framework with an on-access scanner interfacing with a file system, and filtering all file I/O related events.

[0021]
FIG. 9 illustrates the manner in which the on-access scanner is enabled and disabled during use based on on-demand scanning.

[0022]
FIG. 10 illustrates a Java scanning module interfacing with Java, and filtering all Java applet and Java script executions.

[0023]
FIG. 11 illustrates an on-demand scanner system including an on-demand scanner interacting with a component manager and a scan engine.

[0024]
FIG. 12 illustrates a method for performing on-demand scanning, in accordance with one embodiment.

[0025]
FIG. 13 illustrates a scan engine system including a scan engine module, a file parser, and an interpreter.

[0026]
FIG. 14 illustrates a service agent (SA) architecture, in accordance with one embodiment.

[0027]
FIG. 15 illustrates a method for scanning a mobile wireless device for malware, involving service agents.

[0028]
FIG. 16 illustrates a sample service agent activation method, in accordance with one embodiment.

[0029]
FIG. 17 provides a method for client and server package handling.

[0030]
FIG. 18 illustrates the various steps of a package installation process, in accordance with one embodiment.

[0031]
FIG. 19 illustrates the components of the platform abstraction layer and the manner in which they interface with a mobile wireless device and operating system thereof.

[0032]
FIG. 20 illustrates a transaction server command process flow, in accordance with one embodiment.

[0033]
FIG. 21 illustrates a plurality of personal device database table relationships, in accordance with one embodiment.

[0034]
FIG. 22 shows an exemplary client information flow, in accordance with one embodiment.

DETAILED DESCRIPTION

[0035]
FIG. 1 illustrates an exemplary architecture 100 for scanning a mobile wireless device for malware, in accordance with one embodiment. As shown, the architecture 100 includes a mobile wireless device 102. Such mobile wireless device 102 may include, but is not limited to a cellular phone, personal digital assistant (PDA), a palm computer, or any combination thereof Further, such mobile wireless device 102 may rely on any desired operating system. It should be noted that the vast variety of mobile wireless devices 102 operate different operating systems, unlike traditional desktop and laptop environments which typically run Microsoft™ Windows™ operating systems.

[0036] As may soon become apparent, the mobile wireless device 102 is associated with an application service provider and is equipped with an anti-malware scanner for providing active content security service. In the context of the present description, such anti-malware scanner may include any program adapted to scan or detect malware (i.e. virus, Trojan horse, worm and other forms of data or program that may result in an unexpected and/or unwanted outcome).

[0037] In use, the application service provider is initiated utilizing the mobile wireless device 102. Next, the anti-malware scanner installed on the mobile wireless device 102 is updated over a wireless network utilizing the application service provider. The mobile wireless device 102 is then scanned utilizing the updated anti-malware scanner.

[0038] In communication with the mobile wireless device 102 are server-side systems, or a back-end architecture 104. Such back-end architecture 104 is located at a service-provider site and provides centrally managed provisioning, component updates and usage reporting for serviced mobile wireless devices 102.

[0039] As shown in FIG. 1, the back-end architecture 104 may, in one embodiment, include a carrier gateway 106 for communicating with the mobile wireless device 102. A load distributor 108 may be coupled between the carrier gateway 106 and a plurality of hypertext transfer protocol (HTTP) servers 110 which, in turn, are coupled to a plurality of transaction servers 112. Further included is a database 114 coupled between the transaction servers 112 and a configuration/reporting server 116.

[0040] In use, the back-end architecture 104 receives device requests, and sends and receives client-specific data to and from the mobile wireless devices 102. The transaction servers 112 make database queries to store and retrieve information to/from the database 114. Client configuration information, usage information and component update packages are stored in the database 114. Configuration and reporting may be accomplished via Web interfaces 118. More information regarding such back-end architecture 104 will be set forth hereinafter in greater detail.

[0041] More information will now be set forth regarding an exemplary design of the mobile wireless devices 102. As wireless devices have limited resources, the anti-malware scanner on the mobile wireless devices 102 may be specifically designed with the following objects set forth in Table 1A in mind.

1TABLE 1AMaintain a low memory footprint.Consume as little CPU resources as possible, yet maintainactive monitoring for malicious software on the device.Minimize bandwidth requirements to the back-end server.Use the back-end server to minimize the work the device isrequired to perform.Maximize the flexibility of the scanner to address newthreats.

[0042] The anti-malware scanner may evolve over time as new computer viruses and other malicious code are discovered.

[0043] The anti-malware scanner is designed to protect wireless devices 102 from malicious code. The scope of this protection includes, but is not limited to the following set forth in Table 1B.

2TABLE 1BIdentify malicious code in persistent data stored on thedevice. This includes native executables as well asscripting languages embedded in documents.Prevent malicious code from being executed by activelyintervening when the data is accessed.Potentially monitor network activity to detect and interveneagainst external threats on the device.Provide a means for cleaning programs and documents that havebeen infected by malicious software.Report the necessary information to track active threats onthe network of wireless devices.

[0044] A glossary of terms that will be used in the present description is set forth in Table 1C.

3TABLE 1CTermDescriptionVirusA piece of executable binary or script that replicates by modifying and attachingto programs or executable/automation scripts. Viruses may damage data, causethe computer to crash, display messages, or lie dormant.Trojan HorseA program that either pretends to have, or is described as having, a set of usefulor desirable features, but actually contains a damaging payload. Most frequentlythe usage is shortened to “Trojan”. Trojan Horses are not technically viruses,since they do not replicate.WormA malware that replicates itself using computer networks, such as via email orIRC (Internet Relay Chat).MalwareVirus, Trojan horse, worm and other forms of data or program that result inunexpected and/or unwanted outcome.StorageDisk, flash-memory or other forms of non-volatile memory device.FileSingle storage object entity such as a program or a data file.DirectoryA storage index that contains a list of files or sub-directories.Archive FileSingle file containing multiple files organized by a directory structure. Example:ZIP, CAB, JRE, SISFile ScanningThe process used for detecting, identifying and removing malware on a storage.Process ScanningThe process used for detecting, identifying and removing malware in execution.Application-Malware scanning process for a particular application.specific ScanningExample: hostile SMS/MMS scanning, Email attachment scanning, hostile JavaApplet scanningOn-demandMalware scanning process initiated by the user or another application. UsuallyScanninginvolves a complete system-wide scanning, and the process is terminated whenscanning is completed.On-accessScanning process triggered by an OS or an application event. The on-accessScanningscanner stays resident in the system.

[0045] Anti-Malware Scanner Architecture

[0046] The anti-malware scanner architecture is based on a collection of components. These components are further analysed to expose properties and interfaces. This design helps isolate defects to specific components as well as providing a framework for porting the design to other devices with different hardware requirements.

[0047]
FIG. 2 illustrates an overview of the component architecture 200 associated with the anti-malware scanner running on the mobile wireless devices. As shown, a user interface 202 is provided which communicates with a component manager 204. Such component manager 204 is responsible for controlling and managing an on-access scanner module 206, on-demand scanner module 208, Java-scanner module 210, service manager module 212, and activity logging module 214. As shown, the on-access scanner module 206, on-demand scanner module 208, and the Java-scanner module 210 utilize a common scan engine 216.

[0048] For reasons that will soon become apparent, the anti-malware scanner component architecture 200 further includes a platform abstraction layer 218 that provides an interface between an operating system 220 of the mobile wireless device and the component manager 204 and the components associated therewith. Each of the foregoing components will be discussed subsequently in greater detail.

[0049] User Interface Design (202 of FIG. 2)

[0050]
FIG. 3 illustrates a method 300 for scanning a mobile wireless device for malware utilizing a user interface, in accordance with one embodiment. Initially, in decision 302, it is determined whether an update command is received from a user utilizing a graphical user interface of a mobile wireless device. As an option, the update command may be received upon the selection of an update icon displayed on the graphical user interface of the mobile wireless device. In operation 304, an anti-malware scanner installed on the mobile wireless device is then updated over a wireless network in response to the update command.

[0051] Next, it is determined in decision 306 as to whether a scan command has been received via the selection of a scan icon displayed on the graphical user interface of the mobile wireless device. More information regarding an exemplary interface with such icons will be set forth hereinafter during reference to FIG. 4. The mobile wireless device is then scanned utilizing the updated anti-malware scanner, as indicated in operation 308. Such anti-malware scanner may be conditionally updated based on the update command so as to regulate usage of the wireless network with the mobile wireless device.

[0052] As an option, a version number of a last update may be displayed utilizing the graphical user interface of the mobile wireless device. Further, a time of a last update may be displayed utilizing the graphical user interface of the mobile wireless device.

[0053] The anti-malware scanner user interface is very effective in design. Configuration settings and updates are handled by the back-end system, relieving the user from any responsibilities. Some basic feedback such as the product name, logo, and version information is provided. The user may check for product updates, and initiate a scan for malicious programs on removable media. The details for these capabilities are provided below.

[0054] Manual Virus Scanning

[0055] Manually virus scanning of the entire device is performed according to the configuration settings set by the IT administrator. That is, either all files may be scanned or only certain types of files. Also, the IT Administrator specifies how the anti-malware scanner responds to any infected file that is found. Upon scan completion, a report is created that reflects what was scanned and whether any computer viruses were found.

[0056] Check for Product Updates

[0057] Checking for product updates is made available from the main user interface. When update checking is requested, the anti-malware scanner attempts to update itself using a service agent in a manner that will soon be set forth.

[0058] About the Anti-Malware Scanner

[0059] An ‘About the anti-malware scanner’ dialog box is displayed upon user request. The contents of this dialog box contain the information of Table 1C-1.

4TABLE 1C-1All the necessary anti-malware scanner copyright messages.Scan engine and virus definition file version numbers.Last time the product was updated.

[0060]
FIG. 4 illustrates a sample user interface screen 400 that shows the features exposed by the anti-malware scanner. The user interface screen 400 may be displayed upon the selection of an anti-malware scanner tab 401 always shown on the user interface screen 400. Of course, other tabs such as a contacts tab 401-A, a mail tab 401-B, a browser tab 401-C, an address book tab 401-D, and a notes tab 401-E may also be provided. As shown in FIG. 4, a scan icon 402, an update icon 404, and an about icon 406 are illustrated upon the selection of the anti-malware scanner tab 401 for allowing a user to carry out the functionality of the anti-malware scanner.

[0061] Component Manager Design Specification (204 of FIG. 2)

[0062] The component manager inside the anti-malware scanner is the logic layer that instantiates the following subsystems of Table 1D.

5TABLE 1DOn-access scanning subsystem.On-demand scanning subsystem.Activity logging subsystem.Service agent subsystem.

[0063] The component manager contains logic on how to instantiate the different subsystems, how to configure them, and manages when to activate and deactivate subsystems. It drives the entire application and can provide the user interface with feedback on subsystem progress.

[0064] The user interface relies on the component manager to initiate actions such as manually scanning for computer viruses and to check for product updates.

[0065]
FIG. 5 illustrates a block diagram 500 showing the interaction between the component manager 502 and the other subsystems 504 such as the user interface 506. As shown, any number of subsystems 508 may be employed per the desires of the user.

[0066] How the Component Manager Works

[0067]
FIG. 6 illustrates a method 600 for scanning a mobile wireless device for malware utilizing a component manager, in accordance with one embodiment. The component manager is initially instantiated, in operation 602, just like any other core technology component of the present embodiment. As an option, the operation 602 may be executed in response to a scan command received from a user utilizing the user interface of the mobile wireless device.

[0068] Next, in operation 604, memory is allocated to store private data information for the component manager. The configuration manager is then used to load in anti-malware scanner scan settings in the private memory just allocated. See operation 606.

[0069] Based on the scan settings, the specialized subsystems are initiated. See operation 608. These subsystems may include the on-access scanning, activity logging and/or a service agent function. The on-demand scanning subsystem is only instantiated on a per need basis in order to save system resources. On-demand scanning is only needed when manual device scanning is requested. Based on these initialisation steps, a completion return code is returned to the owner of this subsystem.

[0070] The on-access scanning subsystem is initiated so real-time monitoring for viruses begins. When a computer virus is detected, a component manager callback function is called by the on-access scanning subsystem. Within this callback function the component manager determines based on the scan settings how it wishes the on-access scanning subsystem to deal with infected items. The completion status of this event is then passed to the activity logging subsystem for recording purposes.

[0071] When manual scanning is requested, it is performed according to the established configuration provided by an IT administrator. Manual scanning involves accessing several files or databases on the device and this same action is what the on-access scanner also monitors. In order to not cause system resources to be spent unnecessarily, the on-access scanning subsystem is disabled for the brief time period that the on-demand scanning is active.

[0072] Component Manager API

[0073] The component manager exposes all its functionality through an API layer. No platform dependencies are necessarily assumed. All interfaces follow a sandwiched approach where there is an initialisation to obtain an instance handle. Based on this instance handle, the component manager worker functions are available and when the object is not needed anymore the object is destroyed. The number of features that a user interface can request to be performed by the component manager may be limited. All knowledge on how scanning is performed may be contained within the component manager. A user interface can request from the component manager to do the following steps of Table 1E.

6TABLE 1EStart an on-demand scan.Start the service agent to check for updates.Find out the version of the scan engine and DAT files.Find out when was updating done the last time.

[0074] As the component manager handles different specialized subsystems, all events that are generated may be communicated back to the owner of the component manager handle using a callback function. To some of these events the callback function may return a TRUE Boolean value to indicate an affirmative answer that the core technology in question should proceed with the action that is about to happen, or return a FALSE to indicate that the action should not be performed.

[0075] As an example, when the service agent indicates that it is about to check for updates, if the callback function returns FALSE, this action may not happen.

[0076] See Table 2A for an exemplary component manager API.

7TABLE 2ACMgrCreate( )DescriptionThe CMgrCreate( ) function creates an instance of the component manager. A user interface layerthat wraps the core technology should make this call. The handle that is returned by this functioncall should be passed to all subsequent calls to the component manager.PrototypeHCMGR CMgrCreate( // Creates a component manager instance PFNCMGRNOTIFY pfnNotify, // [in] Function to notify. PVOID pUserParam // [in] Any user defined value. );ParameterspfnNotify[in] Pointer to a notification function that is called to notify the owner of this object about eventsthat are happening. See the description of CMgrNotify( ) function for more information.pUserParam[in] optionally the owner of this object can specify a user specific pointer size value that shouldbe passed to the callback function. This can be handy to eliminate the need of static variables onplatforms where static variables are not allowed.Return ValuesA handle to a component manager object. If NULL value is returned then this function callfailed. To find out the reason why this call failed call the ErrGet( ) function. This function isthoroughly documented in the platform abstraction layer. If the function succeeds it may be avalid handle that should be freed up using the CMgrDestroy( ) function when it is not neededanymore.See AlsoCMgrDestroy( ), CMgrActivate( ), CMgrNotify( )CMgrDestroy( )DescriptionThe CMgrDestroy( ) function destroys a component manager object that was created usingCmgrCreate( ). When this call is made all specialized subsystems are terminated and all resourcesassociated with these subsystems are freed up.Prototypeint CMgrDestroy( // Destroys component manager instance. HCMGR hCmgr // [in] handle to component manager. );ParametershCmgr[in] handle to a component manager to destroy. It must have been created using CMgrCreate( ).Return ValuesZero is returned to indicate success. −1 is returned to indicate error To find out the reason whythis call failed called the ErrGet( ) function. This function is thoroughly documented in theplatform abstraction layer.See AlsoCMgrCreate( ), CMgrActivate( ), CMgrNotify( )CMgrActivate( )DescriptionThe CMgrActivate( ) function starts the specified core technology component. It should be calledby the user interface to start certain actions such as a manual scan of the device or to startchecking for an update.Prototypeint CMgrActivate( // Activates a component. HCMGR hCmgr, // [in] handle to component manager. COMPID CompID // [in] subsystem to activate);ParametershCmgr[in] handle to a component manager that was created using CMgrCreate( ).CompID Core component identifier that should be activated. This value can be any of thefollowing values. If some other core component value is given an error is returned.COMPID_ONDEMAND, starts a manual scan of the device.COMPID_SERVAGENT, start to check for a product update.Return ValuesZero is returned to indicate success. −1 is returned to indicate error To find out the reason whythis call failed called the ErrGet( ) function. This function is thoroughly documented in theplatform abstraction layer.See AlsoCMgrCreate( ), CMgrDestroy( ), CMgrActivate( ), CMgrNotify( )CMgrNotify( )DescriptionThe CMgrNotify( ) function must be implemented by the calling application and a pointer to itmust be passed during initialisation to CMgrCreate( ). This component manager may notify thecaller about different events as they are about to occur so the application can record these eventsif it has to. The application can also indicate using the return code whether the event that it isbeing notified about should be allowed or disallowed from happening.PrototypeBOOL CMgrNotify( // Notification callback function. PCOMPMGRNOTIFYINFO pNotify // Notification structure. );ParameterspNotify[in] pointer to a notification structure. This structure hold everything needed to properly notifythe owner of this object about the events that are happening within the anti-malware scanner coretechnology. This structure is defined as:typedef struct tagCOMPMGRNOTIFYINFO{ PVOID pUserParam;// User defined value used inCompMgrCreate( ) COMPID CompID;// Component that generates thisevent. VSCNEVENT hEvent;// Why the notification functionwas called. COMPMGRVALID Valid;// Fields that are valid to check. HVSCNITEM hItem;// Item that scanner is notifyingabout. SCNDONEACTION DoneActionz;// Status of completion status} COMPMGRNOTIFYINFO, * PCOMPMGRNOTIFYINFO;The structure members should be interpreted by the caller as:pUserParam: The same user defined pointer size value that was given to the core componentmanager during creation is returned in this field. This is a convenient way for applications to nothave to resort to global static data usage since this is not supported on many platforms.CompID: This field indicates the component identification number that is notifying about anevent that is about to happen, or about an event that just happened. The possible componentidentification numbers are as follows:COMPID_ONACCESS, On-access scanning subsystem.COMPID_ONDEMAND, On-demand scanning subsystem.COMPID_ACTILOG, Activity logging subsystem.COMPID_SERVAGENT, Service agent subsystem.hEvent: This is the event that the CompID subsystem is notifying about. The possible eventidentifiers for this field are as follows:VSE_CANCELLEDThe previous request that the component manager notified about was cancelled as requested bythe object owner. This is nothing more than a confirmation message indicating that the requestwas understood. At this point the return code from this function has no meaning and it is ignored.VSE_INFECTEDThe component manager is indicating that a computer virus or some malicious code was found.The subsystem that found this malicious code is known from the CompID componentidentification number. If the component that found this malicious code is the on-demand scanner,a return code of TRUE indicates that scanning should continue. A return code of FALSEindicates that scanning should be stopped. If FALSE is returned a confirmation notificationmessage VSE_CANCELLED may be sent to the owner of this object. On the on-access and theon-demand scanning subsystems can generate this event.VSE_COMPLSTATUSThis event indicates the completion status of the action that was taken on an infected file. Thisevent can only be generated by the on-access and by the on-demand subsystems. For possiblecompletion status codes please see the DoneAction structure member. If the component thatfound this malicious code is the on-demand scanner, a return code of TRUE indicates thatscanning should continue. A return code of FALSE indicates that scanning should be stopped. IfFALSE is returned a confirmation notification message VSE_CANCELLED may be sent to theowner of this object. On the on-access and the on-demand scanning subsystems can generate thisevent.VSE_SCANNINGITEMThis is a notification event that tells the owner of this object that a file is about to be scanned forviruses. The file that is about to be scanned has already been pre-filtered based on the ITAdministrator specified scan setting so at this way the user interface has no say about what filesare being scanned. The only core components that can generate this event are the on-access andthe on-demand scanners. Because the user can choose to cancel a user initiated on-demand scan,the return code may only be respected if this event was generated by the on-demand scannersubsystem. A return code of TRUE indicates that scanning should continue. A return code ofFALSE indicates that scanning should be stopped. If FALSE is returned a confirmationnotification message VSE_CANCELLED may be sent to the owner of this object.VSE_STARTThis event indicates to the caller that the core technology component identified in the CompIDstructure member just finished initialising. This is only a notification message so any return codethat is returned to the component manager from this event notification may be ignored.VSE_ENDThis event indicates to the caller that the core technology component identified in the CompIDstructure member just terminated. This is only a notification message so any return code that isreturned to the component manager from this event notification may be ignored.Valid: This structure member indicates what other fields below this structure member containsvalid values. This structure field should be interpreted as a bit field and the individual bits shouldbe access the standard documented ‘C’ coding guideline way. The named bit fields are asfollows:bit_hItem, indicates that the hItem structure member is valid.bit_DoneAction, indicates that the DoneAction structure member is valid.hItem: This is a handle to a anti-malware scanner scan item. Information that is associated withthis handle can be accessed using the ScnItem family of functions.DoneAction: This structure member indicates the completion status of an action that wasperformed on an infected item. The completion status can be one of the following values:SCNDONE_NOACTION, Nothing was done about the infected item.SCNDONE_DENIEDACCESS, Infected item was denied access to.SCNDONE_CLEANED, Infected item was cleaned.SCNDONE_CLEANFAILED, Infected item could not be cleaned.SCNDONE_DELETED, Infected item was deleted.SCNDONE_DELETEFAILED, Infected item could not be deleted.Return ValuesThe Boolean return value depends on the type of event that the owner of this object is beingnotified with. Please see the description of each event for description on what the appropriatereturn code should be.See AlsoCMgrCreate( ), CMgrDestroy( ), CMgrActivate( )

[0077] On-Access Scanner Module (206 of FIG. 2)

[0078]
FIG. 7 illustrates a system 700 including an on-access scanner 702, in accordance with one embodiment. In general, the on-access scanner 702 is governed by operating system hooks 704 which provide document access notification. Further, the on-access scanner 702 interfaces with a scan engine 706 to scan documents. Still yet, the on-access scanner 702 reports scan activity to a component manager 708. More information relating to such operation will now be set forth.

[0079] The on-access scanner 702 identifies malware as documents are being access on the device. The on-access scanner 702 may be entirely transparent to the user until malicious code is discovered. Scanning can be performed on all executables and documents. This includes word processor documents or files being downloaded by a web browser. The on-access scanner can be configured to only scan certain types of documents.

[0080] The on-access scanner 702 is notified of various events related to accessing documents. It then determines whether the document needs to be scanned. The scan engine 706 is used to detect malicious code. When malicious code is discovered, the on-access scanner 702 notifies the component manager 708. It is then the component manager's responsibility to determine which of the following actions in Table 2B to perform.

8TABLE 2BNotify the user that malicious code was discovered.Clean the infected file. Once successfully cleaned, the usermay access the file.Delete the infected file. This results in an error messagedisplayed to the user that the file could not be accessed.Optionally ask the user whether the infected items should becleaned, deleted, or just denying access to it.

[0081] On-access file scanning is accomplished by hooking into a file access notification mechanism that resides inside the operating system. For a comprehensive protection it is crucial to be able to hook into all file access events prior to them happening and after they have occurred.

[0082] The purpose of hooking into all file access events prior to them happening is so they can be intercepted. The purpose of hooking into all file access events after they have occured is so the file in question can be analyzed prior to control being returned to the operating system. An important part of this notification interception is that an application that is part of this notification chain must have the capability to allow or disallow an event from continuing through the file system notification. Of course nothing can be allowed or disallowed once the event has already happened, such as a close event, but in case an infected file is opened, the hooking application must indicate to the operating system that this event should not traverse further in the file system.

[0083] The file system related events that are filtered are as follows.

[0084] File Create Event

[0085] When a file create event is received it may be because the user has decided to download, beam or install some sort of application. When a create event occurs, the anti-malware scanner keeps track of a reference information that is associated with this event, and matches it up with the corresponding close event. This is done because when a new file is created it does not contain any information that can be analyzed for malicious code. It is important to know that if a “file create” event is the same as a file open event, these two are combined into one.

[0086] File Open, Execute Program Event

[0087] Prior to opening a file, the anti-malware scanner must make sure that the file is not infected. If the file is not infected, identification information is obtained from it. This way, when the file is closed this same information is compared to determine if any changes were made to the file. If changes were made, the anti-malware scanner resorts to a more resource intensive task to ensure that the file does not contain any malicious code. It is important to note that if application execution is a different event from a regular file open event, file execution should be monitored the same way.

[0088] File Close Event

[0089] The close event must be monitored for several reasons. As described above, when a file is created, it is scanned after the close operation occurred so the anti-malware scanner can analyze its content for computer viruses.

[0090] File Rename Event

[0091] This is yet another important part of the protection because a smarter computer virus could try to create a text file that contains malicious executable code and prior to launching it, rename it to an executable file type.

[0092] On-Access Scanner Subsystem Interaction

[0093] The on-access scanner subsystem is made usable with the help of other application subsystems. Each subsystem that on-access scanning interacts with are described below. A reason why this interaction is needed is also explained.

[0094] Component Manager

[0095] When the on-access scanning subsystem determined that there is something important to notify about such as an error condition or that an infected files was found, it informs the component manager.

[0096] Scan Engine

[0097] The scan engine is the component that takes a file and analyzes it to see if the file contains any malicious code. The scan engine is invoked prior to an open event happening and after a close event has happened.

[0098] Operating System

[0099] The on-access scanning subsystem must interact with the underlying operating system that informs of all file related events that take place. The operating system may always inform about the following information in Table 2C.

9TABLE 2CThe full path and filename of the file that is being handledby the operating system.The function that the operating system is about to perform onthe indicated file.Any time a drive is being connected and disconnected.

[0100] It is important to know that the file system should allow for re-entrancy so when a file system event is intercepted, the file system hooking function can open any file on any drive and perform I/O operations.

[0101] On some operating systems it is not possible for an application to use static or global data. Therefore, it would be required on those platforms that a mechanism is provided where the hooked function can access some previously allocated and initiated data.

[0102] An example way of accomplishing this would be to have a file system hook installation function that accepts a pointer to a callback function and a void pointer to application defined data. This application defined data would then be passed with every call to the hooking function. An example set of functions that are required to perform comprehensive file system hooking is described in Table 3.

10TABLE 3FsInstallHook( )DescriptionThe FsInstallHook( ) function installs a file system hook. All file I/O related events that occurwithin the operating system are piped through this function.Prototypeint FsInstallHook( PFNFSHOOK pAppCallback, void *pUser, PFNFSHOOK *ppPrevHook );ParameterspAppCallback[in] application defined callback function that should be called for all file system events. Seefunction definition for FsHookFunc( ) for a detailed description.pUser[in] is a user defined data that is passed to the callback function with every call so it can accessits own initialized data.pPrevHook[out] pointer to a pointer to the previous file system hooking function. This is required so filesystem events can be chained. See function definition for FsHookFunc( ) for a detaileddescription.Return ValuesA return value of zero should be returned for success or any other number to indicate an errorcondition.See AlsoFsUninstallHook( ), FsHookFunc( )FsUninstallHook( )DescriptionThe FsUninstallHook( ) function removes a previously installed file system hook.Prototypeint FsUninstallHook(PFNFSHOOK pAppCallback);ParameterspAppCallback[in] application defined file system callback function that was installed. See function definitionfor FsHookFunc( ) for a detailed description.Return ValuesA return value of zero should be returned for success or any other number to indicate an errorcondition.See AlsoFsInstallHook( ), FsHookFunc( )FsHookFunc( )DescriptionThe FsHookFunc( ) is an application defined function that the operating system calls before a fileevent occurs. This allows an application to be notified of all file I/O related events before theyoccur and the application has the capability of allowing or disallowing a file I/O event fromcontinuing. Because FsHookFunc( ) is called before the event occurs, the hooking function maymost likely chain this event to the next caller in the list using the pPrevHook value that wasreturned during hook installation. In case the hooking function determines that further chainingof this file I/O event should not continue, it may return an error indicating this intent. As notedpreviously, the file system should allow for reentrancy so within FsHookFunc( ) the applicationcan perform I/O operations on any other file that it chooses.Prototypeint FsHookFunc(POSFILESTRUCT pOsFileInfo, void * pUserParam);ParameterspOsFileInfo[in] this is an operating system dependent structure that contains all the necessary informationneeded by the operating system to perform a file I/O related function. As an example ofinformation that a hooking function could obtain from here are:Full path and filename to the file being accessed.File system function identifier that is currently being requested such as CREATE, OPEN,EXECUTE, CLOSE, READ, WRITE, Etc.Function specific attributes such as file open attributes for an open function and file handle for aclose function.Return ValuesA return value of zero indicates success and any other number to indicate an error condition.When an error is returned the operating system should not process this event.See AlsoFsInstallHook( ), FsUninstallHook( )

[0103] On-Access Scanner API

[0104] To protect against malicious code such as computer viruses, the anti-malware scanner requires access to all files being accessed through system provided APIs. The on-access scanning subsystem resides parallel to the other specialized subsystems and as such the component manager manages it.

[0105]
FIG. 8 illustrates a framework 800 with an on-access scanner 801 interfacing with the file system 802 and filtering all file I/O related events. Every file that is about to be accessed is passed to the scan engine 804 that determines whether it is safe to access it. If the scan engine 804 determines that it is not safe, the component manager 806 may be notified and, based on established scan settings, some action may be done on the infected file. See Table 4 for an exemplary API.

11TABLE 4OnAccCreate( )DescriptionThe OnAccCreate( ) function creates an instance of the on-access scanning subsystem. If thecreation returns success the subsystem is ready to monitor for viruses in real-time. The actualmonitoring may begin when the OnAccEnable( ) function is called to request the subsystem toenable itself.PrototypeHONACCESS OnAccCreate( // Creates on-access scan instance PFONACCNOTIFY pfnNotify, // [in] Function to notify. PVOID pUserParam // [in[ Any user defined value. );ParametersphOnAccess[out] pointer to an on-access scanner handle. This is the same handle that must be passed toOnAccDestroy( ) before the application terminates.pfnNotifyAddress to a notification function. If NULL is passed in, all notifications may be turned off.Please see OnAccNotify( ) function for a detailed description of this function.pUserParamA user defined value that may be passed to the call-back function.Return ValuesZero is returned to indicate success. −1 is returned to indicate error To find out the reason whythis call failed called the ErrGet( ) function. This function is thoroughly documented in theplatform abstraction layer.See AlsoOnAccDestroy( ), OnAccEnable( ), OnAccNotify( )OnAccDestroy( )DescriptionThe OnAccDestroy( ) function destroys an on-access scan instance that was created usingOnAccCreate( ). There is no need to call OnAccEnable( ) function to disable the on-accessscanning subsystem prior to destroying.Prototypeint OnAccDestroy( //Destroys on-access scan instance. HONACCESS hOnAccess // [in] handle to destroy );ParametershOnAccess[in] handle to an on-access scanner subsystem. This is the same handle that was created usingOnAccCreate( ).Return ValuesZero is returned to indicate success. −1 is returned to indicate error To find out the reason whythis call failed called the ErrGet( ) function. This function is thoroughly documented in theplatform abstraction layer.See AlsoOnAccCreate( ), OnAccEnable( ), OnAccNotify( )OnAccEnable( )DescriptionThe OnAccEnable( ) function allows the caller to enable and disable the on-access scanningsubsystem that was created using OnAccCreate( ). The on-access scanner is enabled and disabledinternally to the anti-malware scanner when an on-demand scan is started. This is done so the on-access scanner does not interfere with the on-demand scanners work. When on-demand scanningis completed, on-access scanning is re-enabled.Prototypeint OnAccEnable( //Enable on-access scan subsystem. HONACCESS hOnAccess, // [in] handle to on-access scanner. BOOL bEnable // [in] TRUE/FALSE to enable/disable. );ParametershOnAccess[in] handle to an on-access scanner subsystem. This is the same handle that was created usingOnAccCreate( ).bEnable[in] A Boolean TRUE to indicate that the on-access scanning subsystem should be enabled, thatis it should monitor for file activities and scan files as they are being accessed. A Boolean valueof FALSE disables the on-access scanning subsystem.Return ValuesZero is returned to indicate success. −1 is returned to indicate error To find out the reason whythis call failed called the ErrGet( ) function. This function is thoroughly documented in theplatform abstraction layer.See AlsoOnAccCreate( ), OnAccDestroy( ), OnAccNotify( )

[0106] Table 5 illustrates additional optional components of the on-access scanner API.

[0107]
FIG. 9 illustrates the manner 900 in which the on-access scanner is enabled and disabled during use based on on-demand scanning. Upon on-demand scanning being requested in operation 902, on-access scanning is disabled in operation 904. Thus, on-demand scanning may be performed in operation 906.

[0108] Once the on-demand scanning is complete, the on-access scanning may be enabled in operation 908. By this design, the on-access scanning is disabled when on-demand scanning to preserve resources on the mobile wireless device. In the context of the foregoing interface, the OnAccEnable( ) command may be used to effect the enabling and disabling of the on-access scanning. More information on the on-demand scanning will be set forth hereinafter in greater detail.

[0109] Java Scanner (210 of FIG. 2)

[0110] Java Applet and Script Scanning

[0111] To protect against malicious Java applets and Java scripts, the anti-malware scanner requires access to executable images and scripts through system provided APIs. The Java applet/script scanning subsystem resides parallel to on-access scanning and on-demand scanning subsystems and, as such, it is managed by the component manager.

[0112]
FIG. 10 illustrates the Java scanning module 1000 interfacing with the Java VM 1002 and filtering all Java applet and Java script executions. Every Java object that is about to be executed is passed to the scan engine 1004 that determines whether it is safe to execute the Java object. If the scan engine determines that it is not safe, the component manager 1006 may be notified and, based on established scan settings, some action may be done on it.

[0113] See Table 6 for an exemplary Java Scanner API.

12TABLE 6JavaInstallHook( )DescriptionThe JavaInstallHook( ) function installs a Java applet interpreter or a Java script interpreter hook.All I/O related events that occur within the Java interpreter are piped through this function.Prototypeint JavaInstallHook( PFNJAVAHOOK pAppCallback, void * pUser, PFNJAVAHOOK * ppPrevHook );ParameterspAppCallback[in] application defined callback function that should be called for all Java events. See functiondefinition for JavaHookFunc( ) for a detailed description.pUser[in] is a user defined data that is passed to the callback function so it can access its owninitialized data.pPrevHook[out] pointer to a pointer to the previous Java interpreter hooking function. This is required soJava events can be chained. See function definition for JavaHookFunc( ) for a detaileddescription.Return ValuesA return value of zero should be returned for success or any other number to indicate an errorcondition.See AlsoJavaUninstallHook( ), JavaHookFunc( )JavaUninstallHook( )DescriptionThe JavaUninstallHook( ) function removes a previously installed Java interpreter hook.Prototypeint JavaUninstallHook( PFNJAVAHOOK pAppCallback );ParameterspAppCallback[in] application defined Java interpreter callback function that was installed. See functiondefinition for JavaHookFunc( ) for a detailed description.Return ValuesA return value of zero should be returned for success or any other number to indicate an errorcondition.See AlsoJavaInstallHook( ), JavaHookFunc( )JavaHookFunc( )DescriptionThe JavaHookFunc( ) is an application defined function that the Java interpreter calls before aJava applet or a Java script is executed. This allows an application to analyze and allow ordisallow the execution of the Java script. Because JavaHookFunc( ) is called before the executionoccurs, the hooking function may most likely chain this event to the next caller in the list usingthe pPrevHook value that was returned during hook installation. In case the hooking functiondetermines that further chaining of this event should not continue, it may return an errorindicating this intent.Prototypeint JavaHookFunc( PJAVAINTINFO pInterpreterInfo, void * pUserParam);Parameters[in] pInterpreterInfoThis is a Java interpreter dependent structure that contains all the necessary information neededby the Java interpreter to perform I/O related function. As an example of information that ahooking function could obtain from here are:Name of the Java object about to be accessed.Java interpreter specific function identifier that is being performed such as EXECUTE, CLOSE,Etc.Any Java interpreter data that is required to complete the request. As an example for an executeevent there should be a buffer pointer to the Java applet or Java script that is about to beexecuted.[in] pUserParamThis is the user defined value that was passed to JavaInstallHook( ) function. It is provided to thisfunction with every call.Return ValuesA return value of zero indicates success and any other number to indicate an error condition.When an error is returned the Java interpreter should not process this event.See AlsoJavaInstallHook( ), JavaUninstallHook( )

[0114] On-Demand Scanner Module (208 of FIG. 2)

[0115]
FIG. 11 illustrates an on-demand scanner system 1100 including an on-demand scanner 1101 interacting with a component manager 1102 and a scan engine 1004. Further provided is plug-in support 1006 which interfaces a plurality of abstract file system plug-ins 1108.

[0116] The on-demand scanner 1101 is a component of the anti-malware scanner system responsible for scanning collections of data objects. The component manager 1102 initiates calls to the on-demand scanner 1101. The on-demand scanner 1101 makes use of the scan engine 1102 to detect and clean malware. It also makes use of plug-ins 1106, 1108 to determine if a given file can be interpreted as a directory. For example, a compress archive can be enumerated like a directory. The plug-ins 1108 may supply alternate translations to files for decompression, decryption, or other aspects of using the file.

[0117] The on-demand scanner 1101 recursively enumerates all data objects on the device from a given starting location. While scanning files, three callback functions are used: pScanFile, pScanDirectory, and pCleanFile. To use the on-demand scanner 1101, the caller must initialise an SE_SCANNER from the scan engine 1104 and the proper callback functions.

[0118]
FIG. 12 illustrates a method 1200 for performing on-demand scanning, in accordance with one embodiment. As shown, the scanner is started in operation 1202, after which a first entry is identified in operation 1204. It is then determined whether the entry is of a file type or a directory type in decision 1206.

[0119] If the entry is of a file type, a filter is obtained in operation 1208, after which a file callback is executed in operation 1210. Based on the callback function, the file is then conditionally scanned in operation 1212. If the file is deemed infected, a clean callback is executed. See operation 1214.

[0120] If, on the other hand, the entry is of a directory type (see decision 1206), a directory callback is executed in operation 1216. Next, a recursive scan is executed in operation 1218. The foregoing method 1200 is continued until all of the entries are identified (see operation 1220).

[0121] On-Demand Scanner API

[0122] An exemplary API for carrying out the foregoing functionality is set forth in Table 7.

[0123] Scan Engine (216 of FIG. 2)

[0124]
FIG. 13 illustrates a scan engine system 1300 including a scan engine module 1302, a file parser 1304, and an interpreter 1306. The scan engine system 1300 interfaces the on-access and on-demand scanner modules 1308 to carry out virus detection and clean files. See operation 1310.

[0125] The scan engine system 1300 is responsible for scanning individual data objects for malware and to repair infected documents. Potentially infected data is presented to the scan engine system 1300 from the on-access and on-demand scanner modules 1308. It is built to be system independent, and thus has an abstraction for data objects that can be scanned and cleaned.

[0126] Scan Engine API

[0127] The purpose of the scanner API is to enable the on-demand and on-access scanner modules 1308 to initiate detection and cleaning of malware in a given data object. This involves providing the necessary detection and cleaning files as well as providing data objects to scan.

[0128] An abstract file system is used to make the scan engine system 1300 portable to new devices and enable scanning of many different data objects. More information about ADIR, ADIRENT, and AFILE data objects of the abstract file system will be set forth hereinafter in greater detail.

[0129] Table 8 illustrates an exemplary scan engine API.

13TABLE 8SEOpenScannerDescriptionCreate an instance of the scanner. The scanner is initialized with files found in the providedpADir. As the scanner doesn't know how to parse file names (being ASCII and Unicodeagnostic), the ADIR must filter out any non-PD files.PrototypeSCANNER *SEOpenScanner(HDIR hDir);ParametershDir[in] The supplied HDIR must enumerate only the PD files that are to be used by the scanner.Return ValueThe function return is an initialized SCANNER data structure. The contents of the SCANNERdata structure are internal to the scan engine implementation.See AlsoSECloseScanner( )SECloseScannerDescriptionWhen done using the scanner, it must be closed. This releases any resources that were used bythe scanner.Prototypevoid SECloseScanner (SCANNER *pScan);ParameterspScan[in] pScan is the scanner to close.See AlsoSEOpenScanner( )SEScanFileDescriptionScan the given file for malware. The return value may usually be −1 for no malware detected.Otherwise, SEScanFile returns an identifier for the discovered malware.The returned ID is used with the SECleanFile( ), SEGetScanName( ), and SEGetScanVariant( )functions. The ID doesn't completely identify the malware as the scanner state holds informationabout what was discovered.Prototypescan_result_t SEScanFile ( SCANNER *pScan, FILEPATH *pFileName, HFILE hFile);ParameterspScan[in] pScan is the scanner to use.pFileName[in] The name of the file being scanned.hFile[in] The file opened for read access. The hFile may be a specialized interface for reading thistype of file.Return ValueThe returned scan_result_t is an identifier for the malware detected. If malware is not detected,then the return value is −1.See AlsoSECleanFile( ), SEGetScanName( ), SEGetScanVaraint( ).SECleanFileDescriptionAttempt to repair the given infected file. This can only be called after SEScanFile( ) to identifymalware. The clean function may include deleting the file.Prototypeint SECleanFile ( SCANNER *pScan, FILEPATH *pFileName, AFILE *pFile, scan_result_t id)ParameterspScan[in] pScan is the scanner to use.pFileName[in] The file name of the file being scanned.hFile[in] The file opened for read access.Return ValuesOn success, SECleanFile returns Otherwise, it returns −1.See AlsoSEScanFile( ).SEScanGetNameDescriptionReturns the base name of the malware detected. The returned name may change in subsequentcalls to SEScanFile( ).Prototypechar *SEScanGetName(SCANNER *pScan, scan_result_t id)ParameterspScan[in] The scan engine used with SEScanFile( ).id[in] The returned ID from SEScanFile( ).Return ValuesReturns a UTF-8 encoded, zero terminated string. The string is the base name of the malwaredetected. If no name is available, NULL is returned.See AlsoSEScanGetVariant( ), SEScanFile( ).SEScanGetVariantDescriptionReturns the variant of the malware detected. Normally this is concatenated with the base name toform the full name of the malware.Prototypechar *SEScanGetVariant(SCANNER *pScan, scan_result_t id)ParameterspScan[in] The scan engine used with SEScanFile( ).id[in] The returned ID from SEScanFile( ).Return ValuesReturns a UTF-8 encoded, zero terminated string. The string is the extended name of themalware detected. Concatenate this to the end of the base name to get the complete name. If noname is available, NULL is returned.See AlsoSEScanGetName( ), SEScanFile( ).

[0130] PD File Format

[0131] The purpose of this file is to provide the necessary information to detect and clean malware on handheld devices.

[0132] The PD file is composed of a header and a collection of records. The header provides general information about the use and management of the PD file. The records contain details about scanning and cleaning malware.

[0133] One of the design considerations is that 2-byte entries is desired to be 2-byte aligned, and 4-byte entries to be 4-byte aligned. This resolves some portability issues to processors that can't or have difficulty accessing non-aligned memory references. Note that aligned 4-byte values are not enforced with the instruction byte-code unless the target platform requires it.

[0134] Other than keeping the scan engine small, one may also want to support incremental updates for the PD file. One goal is to keep file transfers to the PD devices small.

[0135] The following capabilities of Table 9 may be required.

14TABLE 9After the file header, the rest of the file is a list ofrecordsNew records can be added to the end of the fileRecords can be marked as freeFree records can be re-used for new recordsNeighboring free records are merged to create a largerfree recordA record may be moved in memory when updating the contentsof that recordIt's possible that all records may be moved when de-fragmenting the fileAvoid re-encrypting the entire file because of a smallchangeAn updated checksum needs to be supplied with patches toverify the update

[0136] File Header

[0137] Table 10 illustrates an exemplary file header.

15TABLE 10BytesDescription48 Copyright notice, end with CTRL+Z2Header size2Target platform identifier2Scan class identifier2Reserved. (To be determined - used as 4-byte alignment padding)4File version number (major, minor, revision, build)4File format version number4Date of creation4Date of last incremental update4Checksum of contents4Encryption seed4First scan record offset4First check record offset4First clean record offset4First free record offset

[0138] Header Size

[0139] This is used for future expansion. One can add new information to the header without breaking compatibility with older scan engines. This may never actually be used. Byte order for this value is target platform dependant.

[0140] Target Platform Identifier

[0141] To simplify parsing the PD file on the target machine, the PD file is formatted for the target. The target platform identifier denotes which type of target the file is intended. From this, the following information of Table 11 can be deduced.

16TABLE 11Big-endian or little endian byte orderText encoding formatByte alignment

[0142] The only defined combination is the following set forth in Table 12.

17TABLE 12Little endian byte orderUTF-8 text encoding2-byte values are 2 byte aligned, 4 byte values are4-byte aligned

[0143] The definition of Table 12 is used for the target platforms of Table 13.

18TABLE 13Windows variants on IA-32 processorsLinux on IA-32 processorsSymbian EPOC on ARM processors

[0144] Scan Class Identifier

[0145] The scan class identifier is a value for identifying what class of data the PD file is designed to scan. The following classes of Table 14 are identified at this time.

19TABLE 14ValueDescription1File system2Process3Data stream

[0146] Record Header

[0147] The records have a common layout to make incremental update simple and aide in finding records without making the scan engine large. An update would send only those records that need to be deleted, replaced, or added. See Table 15.

20TABLE 15OffsetBytesDescription02Record length (N)22Record type (Scan, name, check, clean, or free)44Record identifier84Address of next record of this type (0 if end of list)12Record data0-3Pad record out to 4-byte align

[0148] Instead of referencing parts of the file by address, the PD file uses record ID's. This makes it possible to move a record without having to change every reference to the record.

[0149] The record header uses addresses to create a linked list of each type of record. This may help improve performance in finding the proper record. Eventually this could be used to sort records by record ID.

[0150] Record lengths are only 2-byte values. This is intentional to make porting between 16-bit processors simple. For example, a mobile wireless device such as a Palm® Pilot™ uses a database instead of a file system. Each record can be at most 64 KB. Nearly all scan functions may be very small. As they get larger, new instructions should be added to the language to move the functionality into the scan engine.

[0151] It may be interesting to apply a simple Huffman compression algorithm to the PD byte codes on a record-by-record basis.

[0152] Scan Records

[0153] This record contains a function for doing an initial scan of the selected file. The amount of code needed for this scan may exceed 64 KB (the maximum record size). Thus, the first scan record starts the process, but may reference other scan records. One goal is to keep the initial scan record small, yet able to eliminate 80% of the clean files. This keeps the scan engine's memory footprint small as well as making efficient use of the processor.

[0154] If malware is discovered, the scan function may return the record ID of the name record for this item. This table entry may provide the proper check function to verify the malware variant present. Though this does a double reference, it may not be important. Most of the time is spent eliminating files so that this step may be rare.

[0155] Check Records

[0156] Check records contain functions for identifying the specific malware variant once identified by the scan records.

[0157] The check record starts with the following header information in Table 16.

21TABLE 16OffsetBytesDescription04Record ID of the clean function to call (or 0 if none)42Number of bytes in name section (N)61Number of names provided71Length of malware name, (N0)8N0Text name of the malware1Length of variant name (N1)N1Text name of the variant. . . (Repeat for k variants)1Length of variant name (Nk)NkText name of the variant0-1Pad record out to 2-byte align lengthN + 4Instructions for the check function

[0158] If no variants are detected, then ˜0 is returned. Otherwise, the index for the variant is returned. A 0 is used if the generic malware detection suffices.

[0159] It should be noted that many different check functions can be merged into a single record to reduce the file size if they are sufficiently similar. However, this can cause trouble for incremental updates.

[0160] Clean Records

[0161] A clean record contains a function for removing the malware and repairing files if possible.

[0162] It should be noted that multiple detected malware may use the same clean function.

[0163] Free Records

[0164] When a record is deleted, it is merged with other free records or added to the free record list. This allows the system to re-use space when performing incremental updates. It solves the problem of re-writing the entire file just because a portion was modified.

[0165] Replacing a record is the same as deleting the original, and then adding a new record in its place.

[0166] Free records may be set to zero to make predicting the checksum easier.

[0167] Activity Logging Module (214 of FIG. 2)

[0168] The activity logging subsystem is responsible for recording significant events to be collected at the back-end for analysis. This aids in providing information from the field to track outbreaks, detect and diagnose issues, and help determine how to improve the product.

[0169] The following are logged events in Table 17.

22TABLE 17Error conditions and warningsDetection of malwareInfected file name and pathMalware name and variantResponse to malwareFile name and pathAction takenStarting and stopping of servicesOn-demand scanOn-access scannerVirus scanner applicationService agent upgrades

[0170] The detection of and response to malware is separated. Detection is logged immediately when the malware it detected. Once the action is taken and successfully completed, the response is logged. If anything were to go wrong with the response, one would at least see the detection entry.

[0171] Adding log file entries is supported at two levels. The most common are functions that handle specific logging needs. These require all the necessary information and add them to the log file with the minimum effort from the programmer. The lower layer manages the log file rotation and a generic mechanism for adding entries.

[0172] Configuration

[0173] The activity log requires the following configuration values in Table 18.

23TABLE 18Log file rotation sizeLog file maximum sizeLog trace messages (yes/no)

[0174] A single log file is used until is reaches the log file rotation size. At which point, it is renamed and a new log file is started. Once the total space used by all of the log files exceeds the maximum, the oldest log file is removed. As log files are uploaded from the device, they are deleted from the device.

[0175] The log file location and naming conventions are configured per platform when the program is compiled.

[0176] Requirements

[0177] See Table 19 for possible requirements.

24TABLE 19It must be reasonable to translate the log file to multiplelanguages.Limit the log file size to a reasonable (configurable) maximumScroll log file entries as the log file becomes too large (?)Track time and date of log entriesAvailable to the service agent for transmission to the back-endOnce transferred, the log file may be truncated.It must be resilient to system crashesOutput in a simplified, structured XML format with header forASCII or UNICODE encodingEnforce log file structure and completeness if informationpresentedAbility to detect when log files have been lost due to exceedingthe maximum log file size.

[0178] Table 20 illustrates an exemplary interface associated with the activity logging module.

25TABLE 20High level APILogOpenDescriptionOpen the log file for reading.PrototypeHLOG LogOpen(HVSOPTS opts);Parametersopts[in] A handle to the configuration options manager.Return ValueReturns a handle to the log file. It is needed for all of the log functions.If reading the log file, call LogTruncate( ) after the last log file that is successfully transferredfrom the device. Call LogClose( ) when the log file is no longer being used. If LogTruncate( ) isnot called, then the entries may be read the next time LogOpen( ) is called.LogCloseDescriptionCloses the log file. This de-allocates all resources related to using the log file.Prototypevoid LogClose(HLOG log)Parameterslog[in] The log file to close.LogMessageDescriptionAdds a message entry into the log file. The type of message is based onLOG_MESSAGE_TYPE.LOG_TRACE is used to help diagnose problems by logging certain milestones in the program.Normally, trace messages are not added into the log file unless configured.LOG_WARNING is provided when a problem is encountered, but does not prevent the properoperation of the program.LOG_ERROR should be used when a recoverable error is encountered. Some functionality ofthe program may be hindered.LOG_FATAL should only be used when the error is severe, non-recoverable, or prevents theprogram from running. This may be useful in a post-mortem analysis if the device is returned.Note that the messages are intended for diagnosing field errors by the anti-malware scannersoftware engineers, and not intended for administrators to understand. Thus, these messages canbe in English.Prototypetypedef enum { LOG_TRACE, LOG_WARNING, LOG_ERROR, LOG_FATAL} LOG_MESSAGE_TYPE;void LogMessage(HLOG log, LOG_MESSAGE_TYPE type, VSWSTATUS status, char *pMessage)Parameterslog[int] This is a handle for the log file.type[in] The type of message being logged.status[int] This is the status code associated with the message. For non-English speaking countries,this may be used to display the error message in the native language.pMessage[in] A UTF-8 encoded, zero terminated string. This is used for extra information our engineerscan use to diagnose problems.LogMalwareDetectDescriptionThis must be called as soon as malware is detected. The file path must be converted into UTC-8as a zero terminated string. The scan engine provides malware names and variant names inUTC-8.Prototypevoid LogMalwareDetect( HLOG log, FILEPATH *pFilePath, char *pMalwareName, char *pMalwareVariant)Parameterslog[in] A handle to the log file.pFilePath[in] This specifies a full description of the infected data object. In a file system, this is the filepath. In a database, it uniquely identifies the record. Etc.pMalwareName[in] This is the malware name as returned by SEGetScanName( ).pMalwareVariant[in] This is the malware variant as returned by SEGetScanVariant( ).LogMalwareActionDescriptionThis must be called once an action to the detected malware is completed. A log entry should alsobe provided even for ignoring the malware. If the action does not successfully complete, awarning or error message should be added instead.The path provided must be converted to UTC-8. Note that 7-bit clean ASCII text is a subset ofthe UTC-8 specification.Prototypetypedef enum { LOG_CLEAN, LOG_DELETE, LOG_QUARANTEEN, LOG_IGNORE,} LOG_ACTION;void LogMalwareAction(HLOG log, FILEPATH *pPath, LOG_ACTION action)Parameterslog[in] A handle to the log file.pPath[in] This is a UTF-8 encoded, zero terminated string. It provides the full path description of thedata object identified. This should be the same string as sent to LogMalwareDetect( ).action[in] The action that was successfully completed on the infected data object.LogServiceEventDescriptionThis is used to track when services are started and stopped. Tracking these events can helpdiagnose problems in the field. For example, log entries on starting the application without itbeing stopped may denote that it crashed and was restarted. Onecan also detect whether the on-access scanner is being disabled and whether the on-demand scanner is being used regularly.More specific milestones should be tracked with the LOG_TRACE messages through theLogMessage( ) function. Unlike the LOG_TRACE messages, the service events are alwaysavailable in the log file.Prototypetypedef enum { LOG_START_SERVICE, LOG_STOP_SERVICE,} LOG_EVENT;typedef enum { LOG_APPLICATION, LOG_ON_DEMAND, LOG_ON_ACCESS, LOG_AGENT, LOG_INSTALL} LOG_SERVICE;void LogServiceEvent(HLOG log, LOG_EVENT event, LOG_SERVICE service)Parameterslog[in] A handle to the log file.event[in] Specify whether the service is starting or was stopped.service[in] Specify which service.Low level APIThe low level API manages the log file rotation and adding generic entries to the log file. Thisinterface is agnostic to what data is added to the log file. The high level API is implementedbased on these functions.The first group is for adding entries to the log file.LogOpenEntryLogEntryFieldLogCloseEntryThe above functions are used to create new high-level API functions that are consistent with thesubset of XML that is supported. Be careful to define all English words that are used askeywords. This way they can be parsed and translated easily to different languages. Thisensures that the raw log file is human readable, though in English, but is easy to also view in anyother language.The next group of functions is for consuming log file entries:LogOpenLogReadLogTruncateLogCloseLogOpenEntryDescriptionOpen a new log entry. Each entry is automatically stamped with the time and date.PrototypeHLOGENTRY LogOpenEntry( HLOG log, char *pEntryName)ParameterspEntryName[in] The name that may be used for this entry. This is placed in the log file as follows: <entry-name> [ fields ] </entry-name>Where entry-name is replaced with pEntryName.Return ValueA handle to the log entry is supplied, or NULL on error.See AlsoLogEntryField( ), LogCloseEntry( )LogEntryFieldDescriptionAdd a field to the given log entry. The field name and value are provided to help structure thelog entry. This is useful for generating different tables of information in the log file.Prototypeint LogEntryField( HLOGENTRY hLogEntry, char *pFieldName, char *pFieldValue);ParameterspLogEntry[in] This is a handle to the log entry to add the field.pFieldName[in] This is a UTC-8 encoded string for the field-value. It is used as in<field-name>field-value</field-name>pFieldValue[in] This is a UTC-8 encoded string used as the field-value.Return ValueThe LogEntryField( ) function returns 1 on success, or 0 if it failed to add the entry.LogCloseEntryDescriptionClose the log entry. No more fields may be added to the entry.Prototypevoid LogCloseEntry(HLOGENTRY hEntry);ParametershEntry[in] The log entry to close.LogReadDescriptionRead an entry from the log file.Prototypechar *LogRead(HLOG log)Parameterslog[in] The log file being read.Return ValueThe returned value a UTF-8 encoded, zero terminated string for the XML entry. It isautonomous in the sense that the caller can stop reading at any time and have a valid XML filefrom what was read.The returned string is only valid until the next call to LogRead( ). At which point, it may beoverwritten with the next entry or de-allocated. A call to LogClose( ) also invalidates the string.NULL is returned if there are no more log entries.LogTruncateDescriptionRemove all entries that were read from the log. This should be used once the log entries areconfirmed transferred off of the device.Prototypevoid LogTruncate(HLOG log);Parameterslog[in] A handle to the log file.

[0179] File Format

[0180] The file format may be based on XML. There is a common form that is supported by the low-level API. This is described as follows. Then below, specifics for each type of logged event are provided as well.

[0181] Each log file is numbered sequentially. This enables sorting and merging log files, as well as detecting when log files are missing. See Table 21.

26TABLE 21For UNICODE<?xml version=“1.0” encoding=“ISO-10646”?>For ASCII<?xml version=“1.0” encoding=“ISO-8859-1”?>Then the rest:<log id=log_id><entry-name date=“time-date-stamp”><field-name> value </field-name>. . .</entry-name>. . .

[0182] The strings entry-name and field-name are replaced with the actual entry and field names. The time-date-stamp is the time at which the entry is added to the log file. This is encoded as YYYYMMDDhhmmss, where YYYY is the year, MM is the month, DD is the day of the month, hh is the hour, mm is the minutes, and ss is the seconds.

[0183] A sample LogMessage object is shown in Table 22.

27TABLE 22<event date=“YYYYMMDDhhmmss”><type>message-type</type><message>message-body</message></event>message_type is one of trace, warning, error, or fatal.message_body is the text string provided for the message.

[0184] A sample LogMalwareDetect object is shown in Table 23.

28TABLE 23LogMalwareDetect<detect date=“YYYYMMDDhhmmss”><path>file-path</path><name>malware-name</name><variant>malware-variant</variant></detect>file-path is a string identifying where the infected item was found.malware-name is the name of the detected infectionmalware-variant is the verified variant name of the infectionLogMalwareAction<action date=“YYYYMMDDhhmmss”><path>file-path</path><action>scanner-action</action></action>scanner-action is one of “clean”, “delete”, “quarantine”, “ingore”.

[0185] A LogServiceEvent is shown in Table 24.

29TABLE 24<service date=“YYYYMMDDhhmmss”><name>service-name</name><action>service-action</action></service>service-name is the name of the service: “on-demand”, “on-access”,“application”, “agent”, “installer”.service-action the word “start” or “stop”.

[0186] Service Agent

[0187]
FIG. 14 illustrates a service agent (SA) architecture 1400, in accordance with one embodiment. As shown, a service agent 1402 interfaces with an user interface 1403, an on-access scanner module 1404, and an on-demand scanner module 1406. Such on-access scanner module 1404 and on-demand scanner module 1406, in turn, interface a scan engine 1408.

[0188] In use, the service agent 1402 communicates with the back-end architecture 1410 which may be controlled and monitored via a web-interface 1412. The service agent 1402 is thus responsible for communicating with the back-end architecture 1410. It handles delivering device-specific information such as log data to a remote back-end architecture 1410. The second responsibility is in retrieving the anti-malware scanner component installation and package updates. The component manager initiates service agent updates. This may be due to scheduled updates or by user initiated updates.

[0189]
FIG. 15 illustrates a method 1500 for scanning a mobile wireless device for malware. Initially, in operation 1502, a service agent 1402 is initiated utilizing a mobile wireless device. In one embodiment, the service agent may be initiated by a user interface of the mobile wireless device. Further, the service agent may be initiated by the anti-malware scanner of the mobile wireless device. Still yet, the service agent may be initiated by a daemon of the mobile wireless device. As an option, the service agent may be initiated by a scheduler of the mobile wireless device or a trigger.

[0190] Next, in operation 1504, information describing the mobile wireless device is transmitted to a back-end server over a wireless network utilizing the service agent of the mobile wireless device. In one embodiment, the information describing the mobile wireless may include log data. Such log data may be specific to the mobile wireless device.

[0191] In operation 1506, an update is then received from the back-end server over the wireless network utilizing the service agent of the mobile wireless device. Optionally, the update may be wrapped. Further, the update may include a header and a plurality of parts. Such parts may include a part-header section and a part-data section.

[0192] Subsequently, in operation 1508, an anti-malware scanner installed on the mobile wireless device is updated so that the mobile wireless device may be scanned utilizing the updated anti-malware scanner. More information regarding the foregoing architecture 1400 and associated method 1500 will now be set forth.

[0193] Agent Activation Scenarios

[0194]
FIG. 16 illustrates a sample service agent activation method 1600, in accordance with one embodiment. Depending on the operating system running on the wireless device, the service agent 1602 can be launched by the user-interface 1604, on-demand and on-access scanners 1606, a background process (daemon) and/or system scheduler 1608, itself 1609, and external signal/trigger 1610 originated from the service provider. More information regarding such triggers will now be set forth.

[0195] Activation Through User-Interface (Manual Trigger)

[0196] The agent can be directly launched from the wireless user-interface by the user. When the user selects an update-now button (or menu entry), the user-interface activates the agent.

[0197] Activation by the Agent (Self Trigger)

[0198] Under multi-process operating environment, the service agent stays resident and awaits (or sleeps) for update-interval time specified in the anti-malware scanner configuration before contacting the update server.

[0199] Scanner Activation (Scanner Trigger)

[0200] The agent is launched for new updates when the on-demand and/or on-access scanner notices that the update-interval-time has elapsed since the agent was activated last.

[0201] Scheduled Activation (Scheduled Trigger)

[0202] Operating system provided scheduler like cron™ in Unix/Linux™ is utilized to schedule the agent activation. Also, if the operating system allows daemon (or background process), a simple daemon is used to activate the service agent.

[0203] Carrier/Service Provider Activation (External Trigger)

[0204] This is an ideal method for deploying urgent virus signature updates while providing load balance. The wireless device/phone may support launching an application via a signal from its service provider. When an update signal from an external source is received by the device, it launches a pre-configured application, in this case the service agent, for immediate update.

[0205] Configuration

[0206] Like other the anti-malware scanner components on the device, the agent configuration information is kept in a central location. Table 25 lists the service agent communication configuration and status variables read/updated.

30TABLE 25VariableExampleDescriptionserverhttp://update1.mcafeeasap.Lists one or more update server URL's.com/cgi-bin/update.fcg,http://update2.mcafeeasap.com/cgi-bin/update.fcgmethod 1Specifies server selection method.0: direct-method - always attempt to connectto the first server given, connect to nextserver if the first one fails.1: round-robin - attempt to connect to serverlisted after previous connected server.last_connect167.68.79.100IP address port number of the last updateserver successfully connected.last_check20020110051530Last time the agent made a successful serverconnection.Format: YYYYMMDDhhmmssconnect_timeout5000Server connection timeout in milliseconds.read_timeout3000Socket read timeout value in milliseconds.write_timeout3000Socket write timeout value in milliseconds.connect_retry 5Maximum connection open retry count.read_retry 3Maximum socket read retry count.write_retry 3Maximum socket read retry count.download_dirX$/vswsa/downloadWhere to store downloaded package.

[0207] Service Package

[0208] The term “package” refers to any data/information uploaded/downloaded to/from a remote update server. Each package is made up of a header and parts. Each part consists of part-header and part-data sections. Designed for simplicity, endian-ness independence, and extensibility, the anti-malware scanner package format is an HTTP-like transmission format that allows multiple inclusion of any types of data. The package format is composed by subsequent entries:

[0209] Table 26 illustrates an exemplary format.

31TABLE 26Format<PART0>...<PARTn>with each part is composed of:<PART-HEADER><PART-DATA>The end-of-file marks the end-of-package data.Package and part header section has the following format:<FIELDn> ‘:’ <SP> <VALUEn> <CRLF>...<CRLF>where:<FIELDn> :: $NAMETOKEN<SP> :: [\b] (space character)<VALUEn> :: $VARTOKEN<CRLF> :: “\r\n” (carriage return followed bylinefeed)and:$NAMETOKEN :: [a-z, A-Z, 0-9]$VARTOKEN :: [{circumflex over ( )}\r\n]Between the <FIELD> values, two are mandatory:ContentName: ENRTY-NAMEContentLength: LENGTH

[0210] where:

[0211] ENRTY-NAME is the object identification name, and

[0212] LENGTH is the length of the subsequent DATA section in bytes.

[0213] The part-data section is made up of a binary chuck of data whose length is LENGTH. The format described above simplifies package creation and information access thus keeping the device application footprint small.

[0214] The part-header section can contain other useful information, for example, content type, compression method, signatures, checksums, etc. Also, it's possible to contain information that does not carry any data by setting the ContentLength: to zero and by making the <FIELD> carry data. As given in the example of Table 27, the device identification number is uploaded to a server by setting the ContentName to $DEVUID, including a field names X-DEVUID, and setting the ContentLength to zero. See Table 27 for a package containing device ID number.

32TABLE 27ContentName: $DEV-UIDX-DevUID: 091200831080281ContentLength: 0

[0215] The content name part can easily contain pathname information that make the format suitable for multi-level packaging transfers. Table 28 shows an example package uploaded to a server. It contains three separate information: 1) device identification number, 2) device log information, and 3) product and component version information (catalogue).

[0216] Upload Package

[0217] Three types of part contents are uploaded to a server for back-end processing are: 1) device identification number, 2) device system/log information in XML format, and 3) component version information. The device identification number is used by the back-end to validate a device connection. Uploaded system and log information is processed and stored in a back-end database for reporting. Product/component version information, catalogue, is used by the back-end server in selecting an installation package to download.

33TABLE 28RequiredContent NameFieldDescription$DEV-UIDX-DevUIDContains 16-byte device identification numbergiven in the X-DevUID field. Content length isalways zero.$DEV-LOGnoneContains system activity and virus detection loginformation to be stored in the back-enddatabase.$DEV-noneVirus signature database version, scan engineCATALOGUEversion numbers, and other component andproduct version information is included in thecatalogue. The back-end update server uses theversion information uploaded in determiningwhether to download a new installation package.

[0218] The upload package is created from data provided by individual components that are registered with the service agent to upload/report its information to the back-end server. The service agent simply requests the registered components for upload data. Table 29 illustrates sample upload parts.

34TABLE 29ContentName: $DEV-UIDX-DevUID: 091200831080281ContentLength: 0ContentName: $DEV-LOGContentType: text/xmlContentLength: 1252<?xml version=“1.0” encoding=“ISO-8859-1”?><log> <event time=“20020110110323”> <severity>0</severity> <message>Device was updated successfully</message> </event> <scan time=“20020110121545”> <name>Nasty</name> <type>trojan</type> <action>2</action> <infected>Address.prc</infected> </detect> . . .</log>ContentName: $DEV-CATALOGUEContentType: text/xmlContentLength: 815<?xml version=“1.0” encoding=“ISO-8859-1”?><catalogue> <product> <id>7002</id> <version>1.0</version> <name> Wireless</name> </product> <component> <name>engine</name> <version>4.10.08</version> </component> <component> <name>PD</name> <version>4288</version> </component> . . .<catalogue>

[0219] Client Authentication/Verification

[0220] The server uses the device identification number specified by the X-Device-UID field to verify and retrieve client-specific information. This verification is done as soon as any part of the HTTP POST data containing the device identification is received.

[0221] Event Log

[0222] Also given in the client upload package is a wireless component/application log entries. Like the catalogue information, the log entries are formatted in XML form. There are two types of log entries: detection log and application event log. The detection log entry contains detected malware name, its type, infected filename, and the action taken by the scanner. Application (or component) event log entry lists severity of the event and a short message describing the event. Both the detection and the event log entries have a timestamp specified in UTC. Table 30 illustrates a pair of XML formats.

35TABLE 30 <event time=“YYYYMMDDhhmmss”> <severity>severity-value</severity> <message>event-description</message> </event>Format 1 Event Log Entry Format <detect time=“YYYYMMDDhhmmss”> <name>malware-name</name> <type>malware-type</name> <infected>infected-file</infected> <action>scanner-action</action> </detect>Format 2 Detection Log Entry Format

[0223] The log entry time stamp given in UTC has the following format in Table 31.

36TABLE 31YYYY::year (e.g. 2002)MM::month (01-12)DD::day of the month (01-31)hh::hour of the day in 24 hour format (00-23)mm::minute (00-59)ss::second (00-59)

[0224] Table 32 illustrates a sample log.

37TABLE 32ContentName: $DEV-LOGContentType: text/xmlContentLength: 659<?xml version=“1.0” encoding =“ISO-8859-1”?><log> <event date=“20020108110323”> <Severity>0</severity> <message>PD updated</message> </event> <detect date=“20020108110645”> <name>Nasty</name> <type>virus</type> <infected>paint.exe</infected> <action>cleaned</cleaned> </detect> <detect date=“20020108110815”> <name>Nimda</name> <type>trojan</type> <infected>hello.exe</infected> <action>deleted</cleaned> </detect> <event date=“20020108111010”> <Severity>2</severity> <message>failed to scan kernel32.exe</message> </event><log>

[0225] Component Catalogue

[0226] The device catalogue (version information) uploads lists on the anti-malware scanner components. This catalogue information along with the device identification number is used in constructing a download package for the specific-device/client. Each catalogue entry given in the client upload package follows the format in Table 33.

38TABLE 33<catalogue> <product> <id>product-id</id> <version>version-number</version> [<name>product-name</name>] </product> <component> <id>component-id</id> <version>version-number</version> [<name>component-name</name>] </component> . . .</catalogue>

[0227] Upload Information Gathering

[0228] Except for the device identification information, the service agent does not directly generate or format the data in the upload package—the service agent uploads data obtained from its clients. The service agent uses a set of callback functions supplied by its caller (or client) to request upload information. The service agent API SaSetParameter (and SaSetParameters) is used to by service agent client(s) to specify how to obtain upload data from each component.

[0229] Below steps describe the upload process

[0230] A. Initialization

[0231] 1. each client is notified by the SA to construct a package part to upload.

[0232] 2. the SA prepares package header that contains total package size information

[0233] 3. device-identification part is constructed

[0234] B. Login

[0235] 1. connect to a remote server

[0236] 2. send package header and device-identification part $DEV-ID

[0237] C. Transmit

[0238] 1. For each registered client, request a block of data from the client and then transmit.

[0239] D. Cleanup

[0240] E. Notify clients upload status

[0241] Package Download

[0242] After uploading a package, the service agent awaits for the server to download an installation package. The package header specifies the total package size, and the SA uses it to determine if the package contains installation part(s). The package size specified is greater zero, the SA downloads and saves the entire package data onto a download directory and calls the component installer. Each install part in an install package is identified by the content name that specifies the data format. The installer uses the format identifier in selecting an appropriate unpacker/decompressor for extracting and installing files contained in the part. Table 34 illustrates a sample installation package.

39TABLE 34ContentName: $INST-SISContentType: binaryContentLength: 200105[200,105 byes of SIS data]

[0243] Client-Server Communication

[0244]
FIG. 17 provides a method 1700 for client and server package handling. As shown in FIG. 17, during a client process 1701, a package is prepared by a mobile wireless device to be uploaded. See operation 1702. This client package is then posted for access by the server in operation 1704. This prompts the initiation of a server process 1705.

[0245] During the server process 1705, the client package is received in operation 1706, after which the client is verified in operation 1708. If an error is detected in decision 1712, an error message is posted in operation 1710. If not, however, the database is updated based on the client package in operation 1714. Next, a server package is generated in operation 1716, after which the server package is posted for access by the client in operation 1718.

[0246] The client process 1701 then proceeds by receiving the server package in operation 1720. If an error is identified in decision 1722, the process is terminated. If, however, no error is detected, the contents that are listed in operation 1724 are installed in operation 1726. Further, the catalogue is updated in operation 1728.

[0247] The client-server communication is thus initiated by the service agent by posting an upload package to a remote server. When this HTTP(S) POST is made to the server, the client connection is verified and the entire client package is received. After receiving the client package, the server updates database with the uploaded information, and then returns a package generated based on the information uploaded. The client installs components in the server package and updates its installed component catalogue.

[0248] Client-Server Protocol

[0249] The device update process may take place by preparing the package format (MPF) that may be basically composed by an UID entry, an XML file containing device catalogue information like dat/engine/applications versions and log entries and eventually quarantine files.

[0250] Once the package is prepared, the service agent (SA ) may lookup its configuration searching for the URL to which to post the request. The URL may have the form shown in Table 35

40TABLE 35http://CARRIERDOMAIN/cgi-bin/update.fcgorhttps://CARRIERDOMAIN/cgi-bin/update.fcg

[0251] for HTTP over SSL connections. The package may be sent to the remote back-end agent (RBA) with a standard HTTP POST request like given that in Table 36.

41TABLE 36POST <CARRIERDOMAIN>/cgi-bin/update.fcg HTTP/1.0Host: <CARRIERDOMAIN>Content-Type: binary/MPFX-Device-UID: <DEVICE-UID>Content-Length: <SIZEOF-PACKAGE>[<SIZEOF-PACKAGE> bytes of binary data]

[0252] After that, the RBA may be invoked and it may unpack the package looking for the catalogue information coming from the device (i.e. details of what happens inside the RBA are described in another document). Based on the device current catalogue, the RBA may prepare a custom package whose format may be device dependent to better utilize intrinsic device capabilities and hence reduce the code footprint of the SA application. The RBA may send the prepared package as data inside the HTTP POST response given in Table 37. Then, the connection to the RBA may be closed and the SA may be free to process the package.

42TABLE 37POST <CARRIERDOMAIN>/cgi-bin/update.fcg HTTP/1.0Host: <CARRIERDOMAIN>Content-Type: binary/MPFX-Device-UID: <DEVICE-UID>Content-Length: <SIZEOF-PACKAGE>[<SIZEOF-PACKAGE> bytes of binary data]HTTP/1.0 200 OKHost: <CARRIERDOMAIN>Content-Type: binary/MPFContent-Length: <PACKAGE-SIZE>[<PACKAGE-SIZE> bytes of binary data]

[0253] Secure Communication and Authentication

[0254] The service agent uses system-provided secure channel (e.g. SSL) for server communication and authentication APIs for downloaded package verification. Data uploaded from a device to a server is done through secure channel to protect private information. The download package containing virus detection files and component upgrades need to be cryptographically signed and authenticated. Without proper authentication, the device may be vulnerable to a third party attack.

[0255] Table 38 illustrates an exemplary service agent API.

43TABLE 38SaOpenDescriptionThe SaOpen( ) call creates a service agent(SA) instance and returns its handle. The returnedhandle must be released using the SaClose( ) call.PrototypeHSAgent SaOpen(SAMODEL model, HVSOPTS hOpts);Parametersmodel[in] specifies the created service agent's run-time process model. Below list describes the serviceagent run-time models.SAMODELDescriptionSARUN_SPSInstantiated service agent resides in the caller's processspace. The caller needs to make subsequent SA calls forupdate, installation and status queries.SARUN_FORKSaOpen spawns/forks a service agent process. The SAprocess stays resident until SaClose is called. This run-timemodel is supported only under multi-task/multi-process OSsuch as Unix/Linux and Windows NT/2K.SARUN_DEFSpecifies the system default run-time model. SaOpen selectseither SARUN_SPS or SARUN_FORK depending on thesystem implementationHVSOPTS[in] application configuration/option handle. Table below provides the service agent run-timeconfiguration options obtained from the configuration handle.ConfigurationName/ReferenceValue TypeDescriptionSAPAR_INTERVALUINT16Service interval in minutes. Supportedunder SAMODE_FORK model.SAPAR_SERVERSSASERVERSSpecifies servers to contact forupload/download.SASERVERS is defined astypedef struct{ int nServers; URL* pList;} SASERVERS;Where URL istypedef struct{ char* pszURL;} URL;This parameter overrides server listed inthe configuration settings.SAPAR_SELECTBYTEServer selection method0 for direct-mode (first-listed first)1 for round-robinThis parameter overridesCFG_SERVER_SELECT setting in thesystem configuration.SAPAR_TIMEOUTUINT32Server communication timeout inmilliseconds.This parameter overridesCFG_SERVER_SELECT setting in thesystem configuration.SAPAR_TEMPPATHSTRSystem temp directory path. Thisparameter overrides CFG_SERVER_SELECTsetting in the system configuration.SAPAR_DOWNDIRPATHSTRWhere to store downloaded package. Thisparameter overrides CFG_SERVER_SELECTsetting in the system configuration.Return ValueA handle to the instantiated service agent. NULL indicates failure.See AlsoSaCloseSaCloseDescriptionSaClose releases system resources used by a service agent handle. If the SA is running as aseparate process, SARUN_FORK model, the process is terminated.Prototypeint SaClose(HSAGENT hAgent);ParametershAgent[in] service agent handle returned by SaOpenReturn value0 on success. −1 indicates error.See alsoSaOpenSaSetDnCallbackDescriptionUsed to specify a callback function during a package download process.Prototypeint SaSetDnCallback(HSAGENT hAgent, FNSADNPARTCB* pfnCallback);typedef int (* UpPartCallback)( char* pszPartName, size_t partSize, size_t totalSize,) SADNPARTCB;ParametershAgent[in] service agent handle returned by SaOpenpfnCallback[in] If set, the service agent calls the function specified for each part downloaded from a server.If the callback function returns −1, the agent aborts the download process.pszPartNamedownloaded part namepartSizedownloaded part sizetotalSizedownload package sizeReturn value0 on success. −1 indicates error.See alsoSaOpen, SaSetUpHandlersSaRegClientsDescriptionThe SaRegClients is used by the caller to specify a list upload clients. The service agent obtainsupload data and related information via a set of callback functions that define an upload client.Prototypeint SaSetUpHandlers( HSAGENT hAgent, FNSAUPPARTCB* pfnCallback, SAUPPERTCLIENT* clients, int howMany );typedef int (* UpPartCallback)( char* pszPartName, size_t partSize, size_t totalSize, int nPartNum, int nParts) FNSAUPPARTCB;typedef struct{ char* pszPartName; int (* Initialize)(void); size_t (* PartSize)(void); int (* GetData)( void* buffer, size_t cbBuffer, size_t* pcbSize ); int (* Cleanup)(BOOL bSuccess); int (* Result)(BOOL bSuccess);} SAUPPARTCLEINT;ParametershAgent[in] Service agent handle returned by SaOpen.pfnCallback[in] if specified, the service agent periodically makes calls the ‘pfhCallback’ function during theupload process with the following parameters:pszPartNamename of the part uploaded (or being uploaded)partSizepart data uploaded (in bytes)totalSizetotal upload package size (in bytes)nPartNumpart handler number listed in the upload handler list ‘handlers’nPartstotal number part handlers listed (= ‘howMany’).If the callback function returns −1, the service agent aborts the update process.clients[in] a list components involved in uploading information to a server. When an upload package isprepared by the service agent through a scheduled event or by a request by anothercomponent/application, the service agents goes through the upload “clients” given as the‘clients’. A SAUPPARTCLIENT structure contains callback functions the agent makes to aclient when preparing and sending upload-data (or part). The Initialize call is made by the serviceagent to notify each upload client to prepare data to upload. The PartSize is used to queryupload-data size. The GetData is called by the service agent to request a block of upload-datafrom its owner (or client). The Cleanup call is made to notify the client after entire data has beenuploaded to a server. The parameter nError is set to zero if the upload process was successful. −1to indicate failure.pszPartNameupload component/part name passed to the ‘pfnCallback’Initializeinforms the upload handler to prepare data to sendPartSizerequest the upload part sizeGetDatarequest a chunk of upload data from the handlerCleanupinforms the handler its part/data has been successfully uploaded or failedResultinforms the handler whether the entire upload process was successfulThe service agent, when ready to send a given upload part, calls the Initalize function to let itsclient know that it needs to prepare a upload data, and then requests the size of the uploadpart/data. The GetData function is used by the service agent to request a chunk of upload dataclient. The data received is immediately uploaded to a server. The Cleanup is called when entireupload data for the client has been transmitted or an error occurred. When all the componentupload parts have been uploaded, the service agent informs listed clients using the Resultcallback function.howMany[in] specifies the number of upload clients listedReturn Values0 to indicate success. −1 to indicate failure.See alsoSaSetDnCallback, SaUpdateSaUpdateDescriptionThe SaUpdate call performs three tasks: 1) device to server package upload, 2) server to devicepackage download, and 3) package installation. The device's upload package is prepared usingthe upload part handlers specified using the SaRegClients and SaSetDnCallback calls. Afteruploading a device package, SaUpdate downloads and installs a package containing wirelesscomponents from a server.Prototypeint SaUpdate( HSAGENT hAgent, BOOL* pbPkgInstalled );ParametershAgent[in] Service agent handle returned by SaOpen.pbPkgThere[out] TRUE if a package has been downloaded and installed successfully.Return Values0 to indicate success. −1 to indicate failure.See alsoSaRegClients, SaSetDnCallbackSaStateDescriptionThe SaState call returns the service agent's state. This call provides the caller with currentoperation being performed by the service agent under the SARUN_FORK model.PrototypeSASTATE SaState(HSAGENT hAgent);ParametershAgent [in] service agent handle returned by SaOpenReturn valueReturns one of the states listed below.SASTATEMeaningSAST_NOTIMPLNot implemented —OS does not multitasking/process.SAST_ERRORFailed to obtain the service agent state.SAST_STANDBYWaiting for service interval or waiting for call toSaUpdate.SAST_UPDATEUploading/download package to/from a server.SAST_INSTALLInstalling downloaded package.SAST_ABORTINGProcessing SaAbort request.See alsoSaUpdate, SaAbortSaAbortDescriptionThe SaAbort call aborts package upload/download and installation. This call is not supportedunder single-task/process model SARUN_SPS.If SaAbort is called during a upload process, each registered upload part handler is notifiedPrototypeint SaAbort (HSAGENT hAgent);ParametershAgent [in] service agent handle returned by SaOpenReturn Values0 if successful. −1 indicates error.See alsoSaUpdate, SaState

[0256] Installer

[0257] The anti-malware scanner installer is tasked with extracting and installing components. This includes the update or install packages the service agent receives from a back-end server. The configuration manager coordinates between the service agent and the installer to retrieve updates, and shuts down the on-access scanner so as not to cause a conflict when installing components.

[0258] Installation Package

[0259] The installation package contains one or more wireless installation components encapsulated in parts. Each part contains binary image of the component, version information, and special pre/post scripts used to install the component. The installation package format and its part format is identical to the service package uploaded to a server by the service agent.

[0260] One exemplary format is shown in Table 39.

44TABLE 39The installation package is made up of multiple parts:<PART0>...<PARTn>Each installation part is made up of part-header and part-data:<PART-HEADER><PART-DATA>Installation part-header is made up of part-data and component description:ContentName: <content-identifier>ContentType: <content-type>ContentLength: <content-length>ComponentID: <component-ID>ComponentName: <component-name>ComponentVersion: <component-version>

[0261] The content-identifier uniquely identifies the content information, content-type describes the content format/type of the part-data, and content-length provides the length (in bytes) the part-data included. Component-id is the wireless component identification number used in referencing a particular component, component-name specifies the component name, and component-version provides the version information. The example of Table 40 is an installation package containing PD and engine updates. The first part contains the virus signature file scan.pd, and the second part contains scan engine update with pre and post installation scripts to execute when installing the engine.

[0262] Content Name

[0263] The installer uses the content names in identify the install algorithm. Table 40 lists the content names accepted by the installer.

45TABLE 40Content NameDescription$ENGINEscan engine$PDvirus signature database$PDnvirus signature database containinga limited set of detections;where 0 ≦ n$PDUvirus signature database update$APPWireless application$CONFIGWireless application configuration$APP-1contains an application to be executedand removed (e.g. special virus cleanupapp)$PRE-SCRIPTscript/application to be executedbefore a component is installed$INST-SCRIPTscript/application for installing thecomponent; default install algorithm is bypassed when this script/app is included$POST-SCRIPTscript/application to be executedafter installation

[0264] Content Type

[0265] The content type provides the stored part-data (component install image) format type, either binary or text, and the component classification names. Table 41 lists the component classification names used in an install package.

46TABLE 41Content TypeDescriptionpd-filevirus-signature datacontainerpart-data containing one or more partsscriptsystem-specific script filelibrun-time library (e.g. DLL)appapplication binary

[0266] Component Identification

[0267] The component identification specifies the wireless component number. It is used to reference a specific component in the wireless component catalogue on the device. See Table 42.

47TABLE 42Component IDDescription1000full virus signature database1001, . . . , 1099virus signature database subset2000scan engine3000main application5000, . . . , 5999special applicationsContentName: $PDContentType: binary/pd-fileContentLength: 156ComponentID: 2000ComponentName: PDComponentVersion: 2.0.1[156 bytes long scan.pd image]ContentName: $ENGINEContentType: binary/containerContentLength: 650ContentPriority: 0ComponentID: 1000ComponentName: scan engineComponentVersion: 4.3.21ContentName: $PRE-SCRIPTContentType: text/scriptContentLength: 35/etc/rc.d/init.d/vmax stopContentName: $BINARYContentType: binary/libContentLength: 256[256 bytes long scanengine image]ContentName: $POST-SCRIPTContentType: text/scriptContentLength: 34/etc/rc.d/init.d/vmax start

[0268] Installation Process

[0269]
FIG. 18 illustrates the various steps 1800 of the package installation process, in accordance with one embodiment. Once an installation/update package has been downloaded, the service agent notifies the installer to extract and install/update new components. See operation 1802.

[0270] 1. obtain package information

[0271] a. enumerate through enclosed contents/parts (1804)

[0272] b. order components by priority

[0273] 2. notify components

[0274] 3. for each component:

[0275] a. extract components to a temporary storage (1806)

[0276] b. execute pre-install script if included (1808)

[0277] c. copy/move extracted component

[0278] d. update catalogue

[0279] e. execute post-install script

[0280] 4. notify components

[0281] 5. cleanup (1812)

[0282] The installation notification is sent out to components running on the device before and after an installation. See operation 1810. The notification information includes the component identification number of the component being updated.

[0283] Installer API

[0284] An illustrative installer API is shown in Table 43A.

48TABLE 43AInsPackageInstallDescriptionThe InsPackageInstall call installs the anti-malware scanner installationpackage.Prototypeint InsPacakgeInstall(void);ParametersnoneReturn Values0 on success. −1 indicates error.

[0285] Platform Abstraction Layer (218 of FIG. 2)

[0286] The wireless platform abstraction layer (PAL) is a middle-ware API designed to provide components with a platform-independent system interfaces. The abstraction layer is divided into following seven categories.

[0287]
FIG. 19 illustrates the components 1900 of the platform abstraction layer 1902 and the manner in which they interface with the mobile wireless device 1904 and operating system 1906 thereof. See Table 43B for a list of such components.

49TABLE 43B1.Storage I/O APIs for accessing files (or stored objects) anddirectories, (1908)2.Dynamic memory allocation APIs, (1910)3.Process/task control calls (1912)4.Network I/O calls (1914)5.System event handler APIs (1916)6.System identification and resource information routines (1918)7.Miscellaneous APIs (1920)

[0288] More information will now be set forth regarding the various components of the platform abstract layer.

[0289] Storage I/O (1908 of FIG. 19).

[0290] Storage I/O API is used by wireless to access and modify data objects (or files) stored on a non-volatile storage device (e.g. flash memory, hard disk) and managed by a file system or file system like storage and retrieval system. The API is divided into three categories: 1) I/O routines for reading/writing data to/from single object or file, 2) calls used to copy, move and delete a stored object, 3) and routines that provide object enumeration from a storage. See Table 44.

50TABLE 44NameArgumentsReturnsDescriptionFsFileOpenconst FILEPATH*HFILEOpens the specified file using the specified.pFilePath,FILEPATH is a system-specific datafmode_t modes,structure used to define a specific-file path.FsFileCloseHFILE hFileIn.Closes specified file handle.FsFileReadHFILE hFile,size_tReturns the number of bytes read intovoid* buffer,‘buffer’ after attempting to read ‘cbLength’size_t cbLengthfrom file handle ‘hFile’. (size_t)−1 isreturned on error.FsFileWriteHFILE hFile,size_tReturns the number of bytes written fromvoid* buffer,‘buffer’ after attempting to writesize_t cbLength‘cbLength’ bytes to file handle ‘hFile’.(size_t)−1 is returned on error.FsFileSeekHFILE hFile,off_tReturns current file handle offset positionoff_t offset,after moving ‘offset’ bytes from thefpos_t whencelocation directive ‘whence’.(off_t)−1 is returned on error.FsFileSetSizeHANDLE hFile,off_tSets the files size to ‘cbNewLength’ bytesoff_tlong.cbNewLength−1 is returned on error.FsFileDeleteconst FILEPATH*intDeletes the specified file.pFilePath−1 is returned on error.FsFileRenameconst FILEPATH*intRenames a file, moving it to differentpOldPath,directory if required.const FILEPATH*If a file with same path exists, the callpNewPathreturns an error.−1 is returned on error.FsFileCopyconst FILEPATH*intCopies a file to a different location. IfpSrcPath,‘bOverwrite’ is not set (= FILE) and aconst FILEPATH*destination file exists, an error is returned.pDestPath,BOOL bOverwriteFsFileCopyToDirconst FILEPATH*intCopies a file to the specified directorypSrcPath,location. If ‘bOverwrite’ is not set (= FILE)const DirPATH*and a destination file exists, an error ispDestDir,returned.BOOL bOverwriteFsFileStatconst FILEPATH*intReturns information (including file size,pFilePath,permission) on specified file.FILESTATE*pFileStatFsSetModeconst FILEPATH*intSets the file access permission to the modepszPath,specifiedfaccess_taccessModeFsDirRootvoidHDIRReturns the root directory handle.FsDirOpenconst DIRPATH*HDIRReturns a directory handle for the specifiedpDirPathdirectory.FsDirCloseHDIR hDirintReleases resource taken up by a directoryhandle.FsDirFirstHDIR hDirconstReturns the first directory entry.DIRENTRY*FsDirNextconst DIRENTRY*constReturns the directory entry listed after thepDirEntryDIRENTRY*entry pointed by the ‘pDirEntry’ pointer.FsGetFilePathvoid* bufferFILEPATH*Converts system-specific file path into theFILEPATH structure and returns itsmemory pointer. The returned pointerneeds to be released using theFsFreeFilePath.FsFreeFilePathFILEPATH*intFrees system resource associated with thepFilePathstructure pointed by ‘pFilePath’ pointer.FsGetDirPathvoid* bufferDIRPATH *Converts system-specific directory pathinto the DIRPATH structure and returns itsmemory pointer. The returned pointerneeds to be released using theFsFreeDirPath.FsFreeDirPathDIRPATH*intFrees system resource associated with thepDirPathstructure pointed by ‘pDirPath’ pointer.

[0291] Network Socket I/O (1914 of FIG. 19)

[0292] See Table 45 for an exemplary network socket I/O API.

51TABLE 45NameArgumentsReturnsDescriptionSocketOpenint domain,HSOCKETCreates a network socket and returns itsint type,handle.int protocolSocketConnectHSOCKET hSocket,intInitializes connection on a socketmsec_t timeout,−1 returned if error.SockAddrsockAddr,NETPORT_T portSocketBindHSOCKET hSocket,intSets the socket to bind to port ‘port’.NETPORT_T portClient IP address is set toINADDR_ANY.−1 returned if error.SocketAcceptHSOCKET hSocket,intAccepts a connection on a socket andSOCKADDR* pAddrreturns connected client IP information in‘pAddr’.−1 returned if error.SocketReceiveHSOCKET hSocket,size_tReads from a connected socket.msec_t timeout,void* buffer,size_t sizeSocketSendHSOCKET hSocket,size_tWrites to a connected socket.msec_t timeout,void* buffer,size_t sizeSocketCloseHSOCKET hSocketintCloses connection and releases systemresource.SSLOpenHSOCKET hSocketHSSLTransforms a normal (non-secure) socketto a SSL socket, and the SSL API callsshould be used instead.If the call fails, the ‘hSocket’ property isretained and NULL is returned.SSLConnectHSSL hSocket,intInitializes connection on a SSL socket.msec_t timeout,−1 returned if error.SockAddrsockAddr,NETPORT_T portSSLAcceptHSSL hSocket,intAccepts a SSL connection on a SSLSOCKADDR* pAddrsocket and returns connected client IPinformation in ‘pAddr’.−1 returned if error.SSLReceiveHSSL hSocket,size_tReads from a connected SSL socket.msec_t timeout,void* buffer,size_t sizeSSLSendHSSL hSocket,size_tWrites to a connected SSL socket.msec_t timeout,void* buffer,size_t sizeSSLCloseHSSL hSocketintCloses SSL connection and releasessystem resource.

[0293] Process Control API (1912 of FIG. 19)

[0294] See Table 46 for an exemplary process control API.

52TABLE 46NameArgumentsReturnsDescriptionProGetListpid_t** ppPidintReturns the number of current systemprocesses and a list of process id'sProFreeListpid_t* pPidintFrees process listed obtained usingProGetListProKillpid_t pidintTerminates specified process.ProOpenpid_t pidHPROCESSReturns a process handle correspondingto the process id.ProCloseHPROCESSintFrees resource associated with thehProcessprocess handle.ProGetNameHPROCESSintReturns process name.hProcess,void* pName,size_t cbNameProGetFilePathHPROCESSintReturns storage path for the processhProcess,image.FILEPATH**ppFilePathProGetCodeMemHPROCESSsize_tRetrieves ‘cbRead’ bytes of processhProcess,instruction code/data from process codesize_t offset,offset ‘offset’. Returns the number ofvoid* buffer,bytes read into ‘buffer’.size_t cbReadReturn value (size_t)−1 indicates error.

[0295] Dynamic Memory (1910 of FIG. 19)

[0296] See Table 47 for an exemplary dynamic memory API.

53TABLE 47NameArgumentsReturnsDescriptionMemMallocsize_t sizevoid*Returns a pointer to atleast ‘size’ bytes longdynamic memory block.MemFreevoid* ptrvoidFrees dynamic memoryallocated using MemMalloc

[0297] Event Handler API (1916 of FIG. 19)

[0298] See Table 48 for an exemplary event handler API.

54TABLE 48NameArgumentsReturnsDescriptionEvntSetHandlerint event,intSets a callback/handler forFNEVENT_HANDLER*event ‘event’.pFuncEvntGetHandlerint eventFNEVENT_HANDLER*Returns event handler forevent ‘event’

[0299] System Information (1918 of FIG. 19)

[0300] See Table 49 for an exemplary system information API.

55TABLE 49NameArgumentsReturnsDescriptionSysGetIdunsigned charintObtains 16-byte deviceid[16]identification code.

[0301] See Table 50 for an exemplary error/status API.

56TABLE 50NameArgumentsReturnsDescriptionErrSetLastVSWSTATUS errintSets the last error to‘err’ErrGetLastvoidVSWSTATUSReturns the lasterror set using theErrSetLast function.

[0302] Misc. API (1920 of FIG. 19)

[0303] See Table 51 for an exemplary misc. API.

57TABLE 51NameArgumentsReturnsDescriptionSleepmsec_tintsuspends current execution andmsecsleeps for ‘msec’ millisecondsMemSetvoid* dest,void*Sets the first ‘n’ bytes of memoryint pattern,pointed by ‘ptr’ to ‘pattern’.size_t nPointer to ‘ptr’ is returned.MemCopyvoid* dest,void*Copies ‘n’ bytes from memoryvoid* src,area ‘src’ to memory area ‘dest’size_t nand then returns pointer to ‘dest’.ExecBuffervoid* buffer,intTreats the ‘buffer’ as executablesize_t lengthbinary image and requests thesystem to execute. The return codeof the executable is returned.ExecFileconstintRequest the system to execute theFILEPATH*executable file identified bypExePath‘pExePath’. The return codereturned by the executable ispassed on to the caller.

[0304] Abstract File System Specification

[0305] The abstract file system provides an interface for supporting features in the platform abstraction layer (PAL). When porting the anti-malware scanner to new platforms, this interface may need to be implemented for every class of scannable data object on the device. The most common may be a file system. This may also include databases or custom persistent data storage on the device.

[0306] Implementing the Interface

[0307] The scanner components use the HDIR and HFILE handles to interact with files and directories. These handles are discussed in greater detail in the PAL. The abstract file system is one way of implementing these handles.

[0308] Three different interfaces need to be supported, as shown in Table 52.

58TABLE 52Abstract Directory: ADIRAbstract Directory Entry: ADIRENTAbstract File: AFILE

[0309] The ADIR is used to support HDIR. The ADIRENT supports both FILEPATH and DIRPATH. The AFILE supports HFILE.

[0310] For example, an HDIR is type cast into an ADIR pointer.

[0311] Thus, FsFileRead( ) can be defined as follows in Table 53.

59TABLE 53#define FsFileRead(hFile, pBuffer, length) \ ((ADIR *)hFile )->pRead(hFile, pBuffer, length)

[0312] This saves on the overhead of having to implement a FsFileRead( ) function that does essentially the same thing as the macro.

[0313] ADIR, ADIRENT, and AFILE are implemented as data structures with callback functions. The callback functions provide basic capabilities to enumerate and manipulate files. The calling application must implement these interfaces.

[0314] Data Types

[0315] See Table 54 for various exemplary data types.

60TABLE 54ADIRENT_TYPEDescriptionDenotes the type of ADIRENT.Prototypeenum ADIRENT_TYPE{ ADIRENT_UNKNOWN = 0, ADIRENT_AFILE = 1, ADIRENT_ADIR = 2};AFILE_MODEDescriptionWhen opening a file, the read/write mode must be specified. It can be changed later with a callto AFILE.setmode( ). For scanning files, the mode should be read only. However, to clean thefile, the mode may be changed to read/write if possible.Prototypeenum AFILE_MODE{ AFILE_READ_ONLY = 1, AFILE_WRITE_ONLY = 2, AFILE_READ_WRITE = 3,};

[0316] ADIR Interface

[0317] See Table 55 for an exemplary ADIR API.

61TABLE 55ADIRDescriptionThis interface provides an abstract directory. This is anything that has entries that can beenumerated like a directory structure.Prototypestruct ADIR{ ADIRENT *(*pOpenFirst)(ADIR *pADir); ADIRENT *(*pOpenNext)(ADIR *pADir); void (*pClose)(ADIR *pADir);};ExampleInternally, it may be useful to create a structure for holding private data members for the ADIRstructure. For example,typedef struct{ /* public */ ADIR adir; /* private */ char *pPath; char *pFilter; glob_t glob; int index;} PDIR;A function is needed to initially create an ADIR of any given type. The following shows how thedata structure is allocated and initialized under UNIX systems.ADIR *open_std_dir(const char *path const char *filter){ PDIR *dir = malloc(sizeof(PDIR)); if(dir != NULL) { memset(dir, 0, sizeof(PDIR)); dir->pPath = strdup(path); if(filter != NULL) dir->pFilter = strdup(filter); dir->adir.pOpenFirst = dir_open_first; dir->adir.pOpenNext = dir_open_next; dir->adir.pClose = dir_close; } return (ADIR *) dir;}pOpenFirstDescriptionOpen the first entry in the directory. The directory entries might not be sorted. This functionmerely starts the enumeration of entries.ExampleIn the above example, adir->pOpenFirst points to the dir_open_first() function:static ADIRENT *dir_open_first(ADIR *adir){ PDIR *dir = (PDIR *) adir; char *pattern; pattern = malloc(strlen(dir->pPath) +strlen(dir->pFilter) + 1); if(pattern != NULL) { strcpy(pattern, dir->pPath); strcat(pattern, dir->pFilter); if(glob(pattern, GLOB_MARK|GLOB_NOSORT, NULL,&dir->glob) == 0) { dir->index = 0; free(pattern); return dir_open_next(adir); } free(pattern); } return NULL;}pOpenNextDescriptionGet the next entry in the directory. It may be necessary to close the prior entry before openinganother entry. Returns NULL when no more entries are available.Examplestatic ADIRENT *dir_open_next(ADIR *adir){ PDIR *dir = (PDIR *) adir; if(dir->index < dir->glob.gl_pathc) { ADIRENT *ent = open_std_dirent(dir->glob.gl_pathv[dir->index]); dir->index++; return ent; } return NULL;}pCloseDescriptionRelease resources for the directory.Examplestatic void dir_close(ADIR *adir){ PDIR *dir = (PDIR *) adir; free(dir->pPath); dir->pPath = NULL; if(dir->pFilter) { free(dir->pFilter); dir->pFilter = NULL; } globfree(&dir->glob); #ifdef_DEBUG memset(dir, 0, sizeof(PDIR)); #endif/* _DEBUG */ free(adir); }

[0318] ADIRENT Interface

[0319] See Table 56 for an exemplary ADIRENT API.

62TABLE 56ADIRENTDescriptionThis is the abstract directory entry interface. These are returned by ADIR interfaces whenenumerating entries in the directory.Prototypestruct ADIRENT{text_t *(*pGetFName)(ADIRENT *pEnt);ADIRENT_TYPE (*pGetType)(ADIRENT *pEnt);ADIR *(*pOpenADir)(ADIRENT *pEnt);AFILE *(*pOpenAFile)(ADIRENT *pEnt, AFILE_MODE mode);int (*pRemove)(ADIRENT *pEnt);int (*pRename)(ADIRENT *pEnt1, ADIRENT *pEnt2)int (*pCopy)(ADIRENT *pEnt1, ADIRENT *pEnt2)int (*pStat)(ADIRENT *pEnt, FILESTAT *pFileStat)int (*pSetMode)(ADIRENT *pEnt, faccess_t accessMode)void (*pClose)(ADIRENT *pEnt);};ExampleIn order to have private data for the ADIRENT, the following data structure is commonly createdinternally:typedef struct{ADIRENT adirent;/* private */text_t *fname;ADIRENT_TYPE type;} PDIRENT;Note that the ADIR implementation references the open_std_dirent( ) function. This allocatesmemory and initializes the ADIRENT structure.ADIRENT *open_std_dirent(const char *fname){PDIRENT *ent;ent = malloc(sizeof(PDIRENT));if(ent){ent->fname = (text_t *) strdup(fname);ent->type = ADIRENT_UNKNOWN;ent->adirent.pGetFname = dirent_get_fname;ent->adirent.pGetType = dirent_get_type;ent->adirent.pOpenADir = dirent_open_adir;ent->adirent.pOpenAFile = dirent_open_afile;ent->adirent.pRemove = dirent_remove;ent->adirent.pClose = dirent_close;}return (ADIRENT *)ent;}pGetFNameDescriptionReturns the name of the file. The actual text_t is system dependant. However, for a givenoperating system, all ADIRENT implementations must use the same text_t type.Examplestatic text_t *dirent_get_fname(ADIRENT *dirent){PDIRENT *ent = (PDIRENT *) dirent;return ent->fname;}pGetTypeDescriptionReturns the type of file. ADIRENT_UNKOWN is returned if an error has occurred. Otherwise,the entry is identified as ADIRENT_AFILE or ADIRENT_ADIR. Use the pOpenADir ( ) andpOpenAFile ( ) functions accordingly.Examplestatic ADIRENT_TYPE dirent_get_type(ADIRENT *dirent){PDIRENT *ent = (PDIRENT *) dirent;struct stat st;ent->type = ADIRENT_UNKNOWN;if(stat((char *)ent->fname, &st) == 0){if(S_ISDIR(st.st_mode))ent->type = ADIRENT_ADIR;else if(S_ISREG(st.st_mode))ent->type = ADIRENT_AFILE;}return ent->type;}pOpenADirDescriptionIf the entry type is ADIRENT_ADIR, this returns an ADIR for the entry.Examplestatic ADIR *dirent_open_adir(ADIRENT *dirent){PDIRENT *ent = (PDIRENT *) dirent;if(ent->type != ADIRENT_ADIR)return NULL;return open_std_dir((char *)ent->fname, NULL);}pOpenAFileDescriptionIf the entry type is ADIRENT_AFILE, this returns a generic AFILE for the entry. UseOpenADirFilter ( ) and OpenAFileFilter ( ) to access alternate plug-in filters for files.Examplestatic AFILE *dirent_open_afile(ADIRENT *dirent,AFILE_MODE mode){PDIRENT *ent = (PDIRENT *) dirent;if(ent->type != ADIRENT_AFILE)return NULL;return open_std_file((char *)ent->fname, mode);}pRemoveDescriptionRemove the current file entry from the directory. After a call to remove( ), only close( ) mayfunction properly.Examplestatic int dirent_remove(ADIRENT *dirent){PDIRENT *ent = (PDIRENT *) dirent;return unlink((char *)ent->fname);}pRenameDescriptionRenames the pEnt1 to pEnt2.Prototypeint (*pRename)(ADIRENT *pEnt1, ADIRENT *pEnt2)pCopyDescriptionCopies directory entry pEnt1 to pEnt2.Prototypeint (*pCopy)(ADIRENT *pEnt1, ADIRENT *pEnt2)pStatDescriptionStat's the given directory entry.Prototypeint (*pStat)(ADIRENT *pEnt, FILESTAT *pFileStat)pSetModeDescriptionChanges the read/write file permissions for the directory entry.Prototypeint (*pSetMode)(ADIRENT *pEnt, faccess_t accessMode)pCloseDescriptionRelease resources used by the file entry.Examplestatic void dirent_close(ADIRENT *dirent){PDIRENT *ent = (PDIRENT *) dirent;free(ent->fname);#ifdef_DEBUGmemset(ent, 0, sizeof(PDIRENT));#endiffree(ent);}

[0320] AFILE Interface

[0321] See Table 57A for an exemplary AFILE API.

63TABLE 57AAFILEDescriptionThis is the abstract file interface. These are created by an ADIRENT.Prototypestruct AFILE{size_t (*pRead)(AFILE *fp, void *ptr, size_t size);size_t (*pWrite)(AFILE *fp, const void *ptr, size_t size);long (*pTell)(AFILE *fp);long (*pSeek)(AFILE *fp, long offset, int whence);int (*pEof)(AFILE *fp);int (*pError)(AFILE *fp);int (*pSetSize)(AFILE *fp, long offset);int (*pSetMode)(AFILE *fp, AFILE_MODE mode);int (*pClose)(AFILE *fp);};ExampleInternally, the following data structure provides extra information for the implementation:typedef struct{/* public members: */AFILE afile;/* private members: */FILE *fp;char *fname;} PFILE;The open_std_file( ) function is used by ADIRENT to allocate and initialize the AFILE structure.AFILE *open_std_file(const char *fname, AFILE_MODE mode){PFILE *file = malloc(sizeof(PFILE));if(file != NULL){char *file_mode = get_file_mode(mode);file->fname = strdup(fname);file->fp = fopen(fname, file_mode);if(file->fname != NULL && file->fp != NULL){file->afile.pRead = file_read;file->afile.pWrite = file_write;file->afile.pSeek = file_seek;file->afile.pTell = file_tell;file->afile.pClose = file_close;file->afile.pEof = file_eof;file->afile.pError = file_error;file->afile.pSetSize = file_setsize;return (AFILE *) file;}if(file->fname)free(file->fname);if(file->fp)fclose(file->fp);elseperror(“file error”);free(file);file = NULL;}return (AFILE *) file;}static char *get_file_mode(AFILE_MODE mode){char *file_mode = NULL;switch(mode){case AFILE_READ_ONLY:file_mode = “rb”;break;case AFILE_WRITE_ONLY:file_mode = “wb”;break;case AFILE_READ_WRITE:file_mode = “r+b”;break;default:assert(0);break;}return file_mode;}pReadDescriptionRead bytes from the given file. Returns the number of bytes actually read. It may be less thansize due to reaching the end of file or an error. Use pEof( ) and pError( ) to detect if at end of thefile or whether an error occurred.Examplestatic size_t file_read(AFILE *afile, void *pfr, size_t size){PFILE *file = (PFILE *) afile;return fread(ptr, size, 1, file->fp);}pWriteDescriptionWrite bytes to the given file. Returns the number of bytes actually written. If the return value isless than the number of bytes requested, then an error has occurred.Examplestatic size_t file_write(AFILE *afile,const void *ptr,size_t size){PFILE *file = (PFILE *) afile;return fwrite(ptr, size, 1, file->fp);}pTellDescriptionReturn the current offset into the file. This value can be used with seek( ) to return to the fileoffset.Prototypelong AFILE.tell(AFILE *fp)Examplestatic long file_tell(AFILE *afile){PFILE *file = (PFILE *) afile;return ftell(file->fp);}pSeekDescriptionSeeks to a new location in the file. Set whence to SEEK_CUR, SEEK_POS, or SEEK_END.Synopsislong AFILE.seek(AFILE *fp, long offset, int whence)Examplestatic int file_seek(AFILE *afile, long offset, int whence){PFILE *file = (PFILE *) afile;return fseek(file->fp, offset, whence);}pEofDescriptionThis returns one if at the end of the file. Otherwise, returns zero.Prototypeint AFILE.pEof(AFILE *fp)Examplestatic int file_eof(AFILE *afile){PFILE *file = (PFILE *) afile;return feof(file->fp);}pErrorDescriptionThis returns zero if no errors have occurred. Otherwise, returns a non-zero value.Examplestatic int file_error(AFILE *afile){PFILE *file = (PFILE *) afile;return ferror(file->fp);}pSetSizeDescriptionSets the new size of the file. This is intended for truncating the file.pSetModeDescriptionChanges the read / write access mode to the file.pCloseDescriptionDe-allocates resources used for the file.Examplestatic int file_close(AFILE *afile){PFILE *file = (PFILE *) afile;int ret = fclose(file->fp);file->fp = NULL;if(file->fname){free(file->fname);file->fname = NULL;}return ret;}

[0322] Configuration Settings

[0323] A configurations settings object manages all configuration settings. This object is use to set and retrieve information in permanent storage. The inner logic of this object manages the way information is stored and accessed. The component manager instantiates this object and passes a configuration settings handle to all other subsystems so they can access their options. Note is that there are no structures involved and each configuration setting is referenced by a symbolic name. As long as the symbolic name is known it can be accessed. Each subsystem uses a prefix to clearly identify its configuration settings.

[0324] The following are advantages to this configuration management system, as indicated in Table 57B.

64TABLE 57BThe logic of how to access information is contained within oneobject. If the storage method would need to be changed for somereason, it is only one objects implementation that changes andnone of the other subsystems get affected.Information is stored in a way that does not allow for useraccess.If the persistent storage object is not found, defaultpreconfigured values are returned. This way system security isnot jeopardized.

[0325] Table 57C shows a summary of all configuration settings object interfaces are:

65TABLE 57CScnOptsCreate( )ScnOptsDestroy( )ScnOptsGetInt( )ScnOptsSetInt( )ScnOptsGetString( )ScnOptsSetString( )

[0326] Following in Table 57D is a detailed description of each API.

66TABLE 57DScnOptsCreate( )DescriptionThe ScnOptsCreate( ) function creates a configuration settings object instance. The handle that isreturned by this function call should be passed to all subsequent calls to configuration settingsfamily of functions.PrototypeHVSOPTS ScnOptsCreate( void ); // Creates configuration settingsParametersNo parameters are required.Return ValuesIf NULL value is returned then this function call failed. To find out the reason why this callfailed call the ErrGet( ) function. This function is thoroughly documented in the platformabstraction layer. If the function succeeds it may be a valid handle that should be freed up usingthe ScnOptsDestroy( ) function when it is not needed anymore.See AlsoScnOptsDestroy( )ScnOptsDestroy( )DescriptionThe ScnOptsDestroy( ) function destroys a configuration settings object instance. The handlepassed to it is what was returned from ScnOptsCreate( ) function.Prototypeint ScnOptsDestroy( HVSOPTS hOpts ); // Destroys configuration settingsParametershOptsHandle to a configuration settings object that was obtained from a call to ScnOptsCreate( ).Return ValuesZero is returned to indicate success. −1 is returned to indicate error To find out the reason whythis call failed called the ErrGet( ) function. This function is thoroughly documented in theplatform abstraction layer.See AlsoScnOptsCreate( )ScnOptsGetInt( )DescriptionThe ScnOptsGetInt( ) function retrieves an integer type of value from the configuration settingsobject.Prototypeint ScnOptsGetInt( HVSOPTS hOpts, // [in] handle to configuration settings text_t * pszSymName, // [in] symbolic name of int value int * pIntVal // [out] integer value. );ParametershOptsHandle to a configuration settings object that was obtained from a call to ScnOptsCreate( ).pszSymNameA null terminated symbolic name representing the value that should be retrieved.pIntValPointer to an integer value where the requested setting is placed.Return ValuesZero is returned to indicate success. Success is that the specified value was found and it wasreturned in pIntVal. −1 is returned to indicate error. An error is most likely because thevalue was not found, or the specified symbolic name corresponds to a string typeand not to an integer type.See AlsoScnOptsSetInt( ), ScnOptsSetString( ), ScnOptsGetString( )ScnOptsGetString( )DescriptionThe ScnOptsGetString( ) function retrieves an string type of value from theconfiguration settings object.Prototypeint ScnOptsGetString( HVSOPTS hOpts, // [in] handle to configuration settings text_t * pszSymName, // [in] symbolic name of int value text_t * pCharVal, // [out] string value size_t * pCharLen // [in][out] size of pCharVal on entry. );ParametershOptsHandle to a configuration settings object that was obtained from a call to ScnOptsCreate( ).pszSymNameA null terminated symbolic name representing the value that should be set.pCharValPointer to a string value where the requested configuration setting is placed.pCharLenUpon entry this parameter must contain the maximum number of characters that pCharVal canhold. Upon exit this variable may contain the number of characters placed in this buffer.Return ValuesZero is returned to indicate success. Success is that the specified value was found and it wasreturned in pIntVal. −1 is returned to indicate error. An erroris most likely because the value wasnot found, or the specified symbolic name corresponds to a string type and not to an integer type.See AlsoScnOptsSetInt( ), ScnOptsGetInt( ), ScnOptsSetString( )ScnOptsSetInt( )DescriptionThe ScnOptsSetInt( ) function associates an integer value with the specified symbolic name.Prototypeint ScnOptsSetInt( HVSOPTS hOpts, // [in] handle to configuration settings text_t * pszSymName, // [in] symbolic name of int value int iIntVal // [in] integer value. );ParametershOptsHandle to a configuration settings object that was obtained from a call to ScnOptsCreate( ).pszSymNameA null terminated symbolic name representing the value that should be set.iIntValAn integer value that is associated with the above symbolic value.Return ValuesZero is returned to indicate success. Success is that the specified value was associated with thementioned symbolic name. −1 is returned to indicate error.See AlsoScnOptsGetInt( ), ScnOptsSetString( ), ScnOptsGetString( )ScnOptsSetString( )DescriptionThe ScnOptsSetString( ) function sets an string type of value to the configuration settings object.Prototypeint ScnOptsSetString( HVSOPTS hOpts, // [in] handle to configuration settings text_t * pszSymName, // [in] symbolic name of int value text_t * pCharVal, // [in] string value size_t iCharLen // [in] size of pCharVal on entry. );ParametershOptsHandle to a configuration settings object that was obtained from a call to ScnOptsCreate( ).pszSymNameA null terminated symbolic name representing the value that should be retrieved.pCharValPointer to a string value that is associated with the above mentioned symbolic name.iCharLenThis parameter contains the number of characters in pCharVal to save.Return ValuesZero is returned to indicate success. Success is that the specified value was associated with thespecified symbolic name. −1 is returned to indicate error.See AlsoScnOptsSetInt( ), ScnOptsGetInt( ), ScnOptsGetString( )

[0327] Configuration Settings Storage Definition

[0328] Configuration settings are stored in a text file in XML format. A sample configuration settings file is described in Table 58.

67TABLE 58< Wireless Settings><ScanAllFiles=0><ScanExtensions=SIS,APP,EXE><LogMaxFileSize=5120></ Wireless Settings>

[0329] ScanAllFiles is the symbolic name for the scan settings that tells whether all files should be scanned or just the files with the specified file extension. Because the value is made up entirely of numbers it should be accessed as a variable type integer.

[0330] ScanExtensions is the symbolic name for the scan settings that tells one what file types should be checked for malware in case ScanAllFiles is set to zero. Because the value is made up of alphanumeric values it should be accessed as a string.

[0331] Return Codes

[0332] The anti-malware scanner core technology architecture returns a common return code. This return code architecture is designed so clear identification can be made between error return codes and simple casual notification return codes. When interfacing with the component manager several other subsystems are involved in protecting the computer systems. From the return code itself it is possible to determine what subsystem is reporting a certain return code and the reason that subsystem decided to report it. This makes problem identification very trivial and notification messages are detailed.

[0333] The anti-malware scanner return code is a 32-bit value where each bit position has a meaning. The high order bit, 0x80000000 is set for error return codes only. If this bit is not set then the return code in question corresponds to a notification return code. Each the anti-malware scanner core component has its unique bit position within the return code. Bits positions reserved for subsystem have a range from 0x00100000 to 0x7FF00000 and this allows for detailed debugging and reporting because it is possible to track what subsystems an event traversed through before it was reported. The scanner subsystems use the following bit positions within a return code shown in Table 59.

68TABLE 59VSWSTATUS_SS_CMGR 0x00100000 Component managerVSWSTATUS_SS_OA 0x00200000 On-access scannerVSWSTATUS_SS_OD 0x00400000 On-demand scannerVSWSTATUS_SS_ALOG 0x00800000 Activity log.VSWSTATUS_SS_AGT 0x01000000 Service agent.

[0334] This methodology allows for 0xFFFFF possible error codes when combined with the high order bit, and 0xFFFFF notifications when not combined with the high order bit per subsystem.

[0335] All return codes that the anti-malware scanner returns can be found in the McStatus.h include file. This include file also contains several helper macros that facilitates return code dissecting. Among these macros are ISSTATUSOK and ISSTATUSERROR that are used for quick determination whether a function call succeeded or not.

[0336] More information relating to an illustrative abstract library will be set forth in APPENDIX A.

[0337] Back-End Architecture

[0338] The back-end architecture provides the following functionality in Table 60.

69TABLE 60Provisioning - Wireless service configuration.Reporting - usage and statistical information fromuploaded device information.Communication - device-to-server data communication viaHTTP/HTTPS.Database Transaction - device information logging, statusupdate, package selection.Component Update - device-specific component updatepackage preparation and distribution.Server-side scanning (optional) - SMTP, SMS, phone-to-phone information content scanning

[0339] Architecture

[0340] The design goal of the anti-malware scanner back-end infrastructure is to provide a high level of reliability and scalability by distributing the workload to multiple servers. The back-end infrastructure consists of the following components set forth in Table 61

70TABLE 61HTTP server CGI program (kcgi) for client request handlingDatabase transaction server application (pdbserver) fordatabase access.Database for client information storage.Web-based provisioning and reporting system.

[0341] With reference again to FIG. 1, client/server communication is initiated by a HTTP POST request from a wireless device to a HTTP server running a CGI named kcgi, an executable invoked by a HTTP daemon to handle client-server communication. Once a HTTP server receives a device request, it connects to a transaction server and sends and receives client-specific data. The transaction server, PDB Server, makes database queries to store and retrieve information to/from a database system. The anti-malware client configuration information, usage information and component update packages are stored in the database. The service configuration and reporting may be accomplished via Web interfaces.

[0342] kcgi—HTTP/Web Server CGI

[0343] The core CGI engine is implemented through a HTTP/Web server module named kcgi. It has been designed to efficiently handle multiple HTTP requests from wireless devices. The CGI is invoked by a Web server daemon (e.g. Apache) when a wireless device connects and uploads data through an HTTP POST request. See Table 62.

71TABLE 62POST /cgi-bin/kcgi.fcg HTTP/1.0Host: <BACK-END-HOST>. . .

[0344] When the CGI receives client data in the payload section of the POST request, it selects a transaction server after a round-robin lookup of a transaction server listing stored in the database and then routes the data to the selected server. Description of the transaction server (pdbserver) and the communication protocol is given in the next section. As a result of the protocol handshaking between kcgi and the pdbserver, a package is either generated or read from a local cache and is sent to the wireless device as PART (data section) of the HTTP response. In case the transaction server returns an error (e.g. authentication failure), kcgi returns an HTTP error response to the HTTP POST request.

[0345] PDB Server—Transaction Server Application

[0346] The personal device database transaction server, pdbserver, is a server application designed to be situated in-between a HTTP/Web server running kcgi and a database server(s) containing device and vendor-specific status and information. The pdbserver is a single-threaded, single-process application designed to handle multiple connections.

[0347] Command Line Arguments

[0348] The pdbserver supports six command line arguments—IP number, process user id, log directory path, upload package directory path, server listener port number, and maximum client connection.

[0349] Table 63 illustrates an example.

72TABLE 63 ./pdbserver --ip 161.69.79.100 --user pdbd --pkg/pdbd/packages --port 6179 --max-clients 256

[0350] The example command line instructs pdbserver to register with a database as a server with IP “161.69.79.100”, execute as a user “pdb” process, find packages in the “/pdbd/package s” directory, listens to connections on port 6179 and allow up-to 256 simultaneous client connections at a give time.

[0351] By default pdbserver saves posted log files under the “./”+<ip>+“:”+<port> directory. For the above example, pdbserver saves posted log files into the “./161.69.79.100:6179” directory. See Table 64 for exemplary pdbserver command-line arguments.

73TABLE 64ArgumentReq'dDefaultExampleDescription--ip✓none161.69.79.100This is the IP address of thepdbserver saved to thedatabase. The pdbserverbinds to all interfaces of thesystem it is running on.--port61796188Server port number.--user✓nonepdbdpdbserver process user-id--log<IP>:<PORT>./161.69.79.100:6179Where to save posted logdata--pkg✓none/pdbd/packagesWhere to locate packages tobe downloaded to clients.--max- 64 256Maximum number clients.clients

[0352] Architecture

[0353] The pdbserver is a single-process, single-threaded server application designed to serve multiple client connections simultaneously. Communication with clients is done using custom protocol over TCP/IP. The application code consists of three parts: initialization, service loop and cleanup.

[0354] Initialization

[0355] The initialization code consists of three parts: database connection/login, registration, and network/socket initialization.

[0356] Database Login

[0357] The current pdbserver implementation uses an Oracle user id “mdb”, password “tigard”, and connection string “lara” to log onto a remote PDB server. The Oracle connection string “lara” is used to reference a remote Oracle database server and must be defined in Oracle client network configuration file tnsnames.ora. Table 65 illustrates an example tnsnames.ora for an Oracle server running on the computer at pdb00.dev.mcafeelabs.com listening to port 1521. See Table 65 for an exemplary sample tnsnames.ora configuration.

74TABLE 65LARA.DEV.MCAFEELABS.COM = (DESCRIPTION =(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCP) (HOST =pdb00.dev.mcafeelabs.com) (PORT = 1521)))(CONNECT_DATA =(SERVICE_NAME = pdb00.dev.mcafeelabs.com)))

[0358] Registration

[0359] Once a database connection is established, the pdbserver registers itself with the database. The back-end database keeps a list of pdbserver information for load-balancing purpose. The stored information can be obtained by a kcgi instance using the query-servers command.

[0360] Socket Initialization

[0361] The server's listener socket is initialized with no-delay mode, and the listener port is set to a user specified port number. The reason for setting the server socket in no-delay mode is to service clients without having to wait for read/write completion.

[0362] Service Loop

[0363] The pdbserver's main loop consists of accepting a connection to the listener socket, polling each client connection for I/O status updates, servicing each client's request, and removing clients who have timed out. The client network I/O status (read-ready, write-ready, error condition) is obtained using the poll API function. After each client's I/O status is updated, the server handles I/O requests for those clients whose I/O status is set for read/write and executes clients' commands when they are ready to execute.

[0364] Protocol

[0365] The kcgi/pdbserver communication protocol consists of a command and response sets. Each command/response is made up of a minimum of 8 bytes—the first 4 bytes for command/response code and the next 4 bytes for command/response data length. The command/response code and data length information are encoded in network-byte order. Command/response data is given if the length specified is not zero. See Table 66 for an exemplary command/response format.

75TABLE 66<command/response:4 bytes> <data-length:4 bytes>[data:data-length bytes]

[0366]
FIG. 20 illustrates a transaction server command process flow 2000, in accordance with one embodiment. As shown, a command is received in operation 2002, after which it is identified as a post data command 2004, a query server command 2006, or a quit command 2008. If the command received is a post data command 2004, device information is updated in operation 2010, an update package is retrieved in operation 2012, a log is saved in operation 2014, and the response is sent in operation 2020. Further, if the command received is a query server command 2006, a server list is retrieved in operation 2016, and the response is sent in operation 2020. Further, the quit command 2008 prompts a bye operation. See operation 2018. More information regarding such commands will now be set forth.

[0367] Commands

[0368] The pdbserver accepts three commands from kcgi: post-data, query-servers and quit. Each command consists of a 4-byte command code followed by a 4-byte command argument length and data. See Table 67 for an exemplary PDB Server Command List.

76TABLE 67CommandValueDescriptionpost-data0x0001Uploads device log file.query-0x0002retrieves the file version number of the latest device-serversspecific virus signature file stored in database.quit0x0004ends client connection to the pdbserver.

[0369] Post-Data

[0370] One of the main functionalities of the pdbserver is to verify and update individual device's status on the back-end database. The post-data command is used by kcgi to upload (or post) data sent by a wireless device using HTTP POST. Contained in the uploaded client data is a wireless component catalogue containing version information and event log. The catalogue information is used in selecting an update package to download to the device, and the log data is stored in the database for reporting. At the very beginning of the HTTP POST data is a device identification number used to authenticate the device. Both the catalogue and the log information received are in XML format. Refer to the service agent section of the anti-malware scanner Design Specification document for the catalogue and event log format.

[0371] Query-Servers

[0372] This command is used by kcgi in selecting a pdbserver, and returns a list of active PDB server IP's, port assignment, and number of clients connected to each server.

[0373] Return Code

[0374] For each command issued by a client, the pdbserver responds with a 4-byte response code followed by a 4-byte data length. Table 68A lists the current pdbserver response codes.

77TABLE 68AResponseValueDescriptionsuccess0x0000command executed successfully.cmd-failed0x8001failed to execute commandunknown-cmd0x8002unknown command issuedinvalid-arg0x8003invalid command argument giventimeout0x8004client failed to issue command on timenot-impl0x8005issued command not implementedinvalid-data0x8006same as invalid-arg; client data containsinvalid argument datano-record0x8007failed to locate requested (or required) datafrom databasedb-failure0x8008database transaction failuredb-unavail0x8009failed to connect to databaseinsuf-res0xCFFEinsufficient internal resource to executerequested commandinternal-err0xCFFFunknown internal error

[0375] Configuration and Reporting

[0376] The anti-malware scanner run-time configuration is setup through a web interface and maintained in the database. New configuration settings in XML format are downloaded to each device as a part of the HTTP POST return data. Each device entry in the unit information table has a group id used to reference the configuration for a given wireless device. Currently identified configuration settings are those set forth in Table 68B.

78TABLE 68BService-interval time - how often wireless devices contactthe back-end to upload/download data from the back-endScan action - virus scanner action (clean/repair, delete,ignore)

[0377] Usage and statistical reports are generated using a Web interface from database records gathered from device logs uploaded by the service agent on the device. Two types of reports are available, as indicated by Table 68C.

79TABLE 68CVirus detection reports - statistical information on thevirus names, types, actions taken.System activity reports - compilation of system errors andwarnings used to diagnose and troubleshoot.

[0378] Database Schema

[0379]
FIG. 21 illustrates the personal device database table relationships 2100, in accordance with one embodiment. The personal device database (PDB) is a relational database made up of six tables: unit_info (2102), device (2104), eng_pkg (2106), dat_pkg (2108), detection_log (2110), event_log (2112) and pdbserver (2114). The information contained in the relational database tables are used by a pdbserver to retrieve individual devices' engine and PD information, detection and event log records, and to list available pdbserver's for kcgi.

[0380] Device Information Table (2104 of FIG. 21)

[0381] Device-specific latest engine and DAT version information is kept in the device table. See Table 69 for an exemplary device information table.

80TABLE 69devicecolumntypekeyexampledescriptionidvarchar (16){square root}MOT10Adevice identificationnumberengvervarchar (10)EM10A.5.2.1latest AV engineversion number forthe device ‘id’datvervarchar (10)DM10A.5.2.1latest AV signaturedatabase versionfor the device ‘id’mfgvarchar (32)Motoroladevice manufacturenamerevvarchar (16)Adevice revisionnumbercmntvarchar (128)Motoroladevice comment/Model 10 Aremark textfor Verizon

[0382] Engine Package Table (2106 of FIG. 21)

[0383] Engine package filename for a specific device type and version is stored in the eng_pkg table. See Table 70 for exemplary device-specific engine package information.

81TABLE 70eng_pkgcolumntypekeyexampledescriptiondevicevarchar (16){square root}MOT10Adeviceidentificationnumberversionvarchar (10){square root}EM10A.5.2.0latest AV engineversion numberfor the devicepkgvarchar (64)eng.m10a.050200.pkgAV enginepackage name

[0384] DAT Package Table (2108 of FIG. 21)

[0385] The DAT package table (dat_pkg) contains device and version specific DAT package name information. See Table 71 for exemplary device-specific DAT package information.

82TABLE 71dat_pkgcolumntypekeyexampledescriptiondevicevarchar (16){square root}MOT10Adeviceidentificationnumberversionvarchar (10){square root}EM10A.5.2.0latest AVsignature databaseversion numberfor the devicepkgvarchar (64)dat.m10a.5.2.0.pkgsignature packagename

[0386] Unit Information Table (2102 of FIG. 21)

[0387] Every personal device has an entry in the unit_info table. Stored in this table are: 16-character fixed-length unit identification number, device identification number that specifies the device type, unit-group identification code that provides group association of a particular unit and virus scan data files and engine version numbers on the device. See Table 72 for an exemplary unit information table.

83TABLE 72unit_infocolumntypekeyexampledescriptionunitidchar (16){square root}C000A100008001234personal deviceunit identificationnumberdeviceidvarchar (16)MOT10Adeviceidentificationnumbergroupchar (8)VZ200unit groupidentificationnumberstatusint1unit activationstatusengvervarchar (10)EM10A.5.2.1AV engineversion on theunitdatvervarchar (10)DM10A.5.2.1AV signatureversion on theunitcontactchar (14)20011224161525last log uploadtimestamp (UTC);YYYY + MM +DD + hh +mm + ss

[0388] Detection Log (2110 of FIG. 21)

[0389] Virus/malware detection log entries posted by a device are kept in the detection log. Each log entry has unit identification number, timestamp, what was detected, and action taken by the scanner. See Table 73 for an exemplary malware detection log table.

84TABLE 73detection_logcolumntypekeyexampledescriptionunitidchar (16)C000A100008001234personal deviceunitidentificationnumberwhenchar (14)20011224161030reporteddetectiontimestamp(UTC)detectedvarchar (32)abc@mmmalware nametypevarchar (16)wormmalware typeinfectedvarchar (128)system.dllobject(e.g. file)infectedactionint1AV scanneraction

[0390] Event Log (2112 of FIG. 21)

[0391] System log information upload by devices are kept in the event log. Each log entry consists of unit id, log entry time, severity of the event, and event description. See Table 74A for an exemplary event log table.

85TABLE 74Aevent_logcolumntypekeyexampledescriptionunitidchar (16)C000A100008001234personaldevice unitidentificationnumberwhenchar (14)20011224161025reporteddetectiontimestamp(UTC)severityint1severity-levelof the reportedeventmessagevarchar (160)DAT updatedeventsuccessfullydescription

[0392] PDB Server Table (2114 of FIG. 21)

[0393] PDB server table lists active pdbserver instances and the number of clients each server is servicing. As a part of initialization process, each pdbserver registers its IP and port to the table, and maintains a client counter in the table. See Table 74B.

86TABLE 74Bpdbservercolumntypekeydescriptionipvarchar (15){square root}PDB Server IP numberportint{square root}PDB server port numberclientsintnumber of clients being served by IP:port

[0394] PDB Logger

[0395] The PDB Logger (pdblogger) is a separate application designed to process posted device log data as an off-line process. The system event and detection log information stored in a log directory is processed and recorded onto the event and detection tables by this application.

[0396]
FIG. 22 shows an exemplary client information flow 2200, in accordance with one embodiment.

[0397] Appendix A

[0398] Abstract Library

[0399] The design goal of the wireless abstraction library is to shield the application from platform-specific implementation details while providing consistent interfaces to the following subsystems in Table 75.

87TABLE 75dynamic memory allocationprocess enumeration and controlthreading and thread synchronizationstorage I/Onetwork socket I/Ostring conversionsystem event handling

[0400] An application using the API Library is required to make a call to the AlInitLibrary function before calling any other API functions. Also the user application is required to call the AlCleanupLibrary before terminating to release any system resources internal to the library. See Table 76.

88TABLE 76Initializing APINameArgumentsReturnsDescriptionAlInitLibraryvoidintinitialize libraryAlCleanupLibraryvoidintrelease system resource used

[0401] Error Functions

[0402] The abstraction library provides two functions to set and retrieve the last-error code for the calling thread. See Table 77.

89TABLE 78Error APINameArgumentsReturnsDescriptionAlErrGetLastvoidAlErrorCoderetrieves last-error codeAlErrSetLastAlErrorCodevoidsets the last-error code

[0403] System Information API See Table 79.

90TABLE 79Child Process APINameArgumentsReturnsDescriptionAlGetDeviceIDtext_t* pId,intretrieves the systemint iSizeidentification string

[0404] Process API

[0405] The abstraction library provided a set of functions for a child process execution, process list enumeration and process termination.

[0406] See Table 80.

91TABLE 80Process APINameArgumentsReturnsDescriptionAlExectext_t const*intloads and executes a new processpProg,text_t const*pCmdLineAlProGetListAlPID* pPIDs,intretrieves system process listint iMaxPIDsAlProFreeListAlPID* pPIDS,intreleases memory used to storeint iPIDsprocess listAlProOpenAlPID pidAL_PROCESS_HANDLEconverts process id to processhandleAlProCloseAL_PROCESS_HANDLEintrelease process handle returned byhProcessthe AlProOpen functionAlProKillAL_PROCESS_HANDLEintforce terminates a given processhProcess

[0407] Dynamic Memory API

[0408] The abstraction library provides two sets of dynamic memry allocation methods for multi-threaded applications. Under operating systems like Unix/Linix and Windows NT (Win32), a block of memory allocated from one thread using the malloc( ) function can be de-allocated in another thread, but under systems like Symbian 6.x. memry de-allocation must be preformed by the thread that created it. The AlMemSAlloc and AlMemSFree functions are provided to allocate/deallocate dynamic memry from the process thread, and the AlMemAlloc and the AlMemFree functions are provided for thread-specific memory allocation/deallocation. Under Unix/Linux and Win32, both AlMemSAlloc and AlMemAlloc are mapped to the POSIX malloc. See Table 81.

92TABLE 81Dynamic Memory APINameArgumentsReturnsDescriptionAlMemSAllocunsignedvoid*allocate memory from theint uSizeparent thread's heapAlMemSFreevoid* ptrvoidfree memory allocated usingthe AlMemSAlloc function.AlMemAllocunsignedvoid*allocate memory from theint uSizecalling thread's heapAlMemFreevoid* ptrvoidfree memory allocated usingthe AlMemAlloc function.

[0409] Thread API

[0410] The libary provides thread creation and termination functions. The AlCreateThread creates a new thread, the AlWaitThread provided thread termination waiting function, and AlCloseThread is used to release system resource associated with a thread. See Table 82.

93TABLE 83Thread APINameArgumentsReturnsDescriptionAlCreateThreadintAL_THREAD_HANDLEcreate a new thread(*pThreadProc) (void*),void *pData,int iStackSize =−1,int iMinHeap =−1,int iMaxHeap =−1AlWaitThreadAL_THREAD_HANDLEintwait for thread tohThread,terminateint iMsTimeoutAlCloseThreadAL_THREAD‘3HANDLEvoidclose and release threadhThreadresourceAlGetTlsvoidvoid*returns the pointerthread-local storageAlSetTlsvoidvoid*sets the pointer thread-local storageAlSleepintintsuspends the callingthread

[0411] Synchronization API

[0412] The abstraction library provides three types of thread synchronization objects: mutex, semaphore and critical section. Both unnamed and named mutex and semaphore objects are supported. See Table 84.

94TABLE 84uz,21/30 Synchronization APINameArgumentsReturnsDescriptionAlCreateMutextext_t const *pNameAL_MUTEX_HANDLEcreate anew mutexAlOpenMutextext_t const *pNameAL_MUTEX_HANDLEget handle to an existingmutexAlGetMutexAL_MUTEX_HANDLEintlock a given mutexhMutexAlReleaseMutexAL_MUTEX_HANDLEintunlock a given mutexhMutexAlCloseMutexAL_MUTEX_HANDLEvoidclose and release mutexhMutexresourceAlCreateSemaphoretext_t constAL_SEMAPHORE_HANDLEcreate a new semaphore*pName,int iCountAlapenSemaphoretext_t Const *pNameAL_SEMAPHORE HANDLEopen an existingsemaphoreAlGetSemaphoreAL_SEMAPHORE_HANDLEintwait on the specifiedhSemaphoresemaphoreAlReleaseSemaphoreAL_SEMAPHORE_HANDLEintincrease the count of thehSemaphore,specified semaphore by aint iCountgiven amountAlCloseSemaphoreAL_SEMAPHORE_HANDLEvoidclose and releasehSemaphore,semaphoreint iCountAlCreateCritsecvoidAL_CRITSEC_HANDLEcreate a critical sectionAlGetCritsecAL_CRITSEC_HANDLEintwait for ownership of ahCritsecspecified critical sectionAlReleaseCritsecAL_CRITSEC_HANDLEintrelease the ownership ofhCritseca critical sectionAlCloseCritsecAL_CRITSEC_HANDLEvoidclose and release thehCritsecspecified critical sectionand its resource

[0413] Storage I/O

[0414] The storage I/O API is used by the anti-malware scanner to access and modify data objects (or files) stored on a non-volatile storage device (e.g. flash memory, hard disk) and managed by a file system or file system like storage and retrievel system.The API is divided into three categories: 1) I/O routines for reading writing data to/from single object or file, 2) calls used to copy, move and delete a stored object, 3) and routines that provide directory object enumeration. See Table 85.

95TABLE 85Storage I/O APINameArgumentsReturnsDescriptionAlFsFileOpentext_t constAL_FILE_HANDLEopen a file for reading/writing and*pFName,returns file handleunsigned intuModeAlFsFileCloseAL_FILE_HANDLEintrelease and close file handlehFileAlFsFileReadAL_FIL_HANDLEintread file datahFile, unsignedchar* buffer,int nSizeAlFsFileWriteAL_FIL_HANDLEintwrite data to filehFile,unsigned charconst* buffer,int iSizeAlFsFileSeekAL_FIL_HANDLElongreposition read/write file offsethFile, longoffset, intiWhenceAlFsFileTellAL_FIL_HANDLElongobtain read/write file offsethFileAlFsFileSetSizeAL_FIL_HANDLElongchange file sizehFile, longlNewSizeAlFsFileDeletetext_t const*intdelete filepFNameAlFsFileRenametext_t const*intrename a file or directorypOFName, text_tconst*pNFName);AlFsFileCopytext_t const*intcopy a filepSFName, text_tconst* pSFNameAlFsFileStattext_t const*intobtain a file or directorypFName, structinformationAlFileStat*pFStatAlSetFileModetext_t const*intset a file or directory attributepFName,unsigned longulModeAlFsBuildPathtext_t const*text_t*construct a path from directory andpDName, text_tfile pathsconst* pFNameAlFsGetRootstext_tintobtain a lists of roots.**pRoots, intiMaxRootsAlFsDirOpentext_t ConstAL_DIR_HANDLEopen a directory*pDNameAlFsDirCloseAL_DIR_HANDLEintclose directory handlehDirAlFsDirNextAL_DIR_HANDLEintobtain a directory entryhDir, structAlDirEntry* pDEAlFsIsDirAlFAtt attribinttest for directoryAlFsGetTemptext_t* consttext_t*returns a full path for a temporarypDirectoryfile

[0415] Network Sockets API

[0416] Both standard and secure (SSL) sockets API's for developing client/server applications are provided in the abstraction library. See Table 86.

96TABLE 86Socket APINameArgumentsReturnsDescriptionAlSockCreateint iDomain,AL_SOCKET_HANDLEcreates and returns aint iType,handle to a socketint iProtocolobjectAlSockCloseAL_SOCKET_HANDLEintcloses a socket handlehSockAlSockBindAL_SOCKET_HANDLEintbinds a network addresshSock,to a socketAlSockAddr *pAddrAlSockAcceptAL_SOCKET_HANDLEintaccepts a connection tohSock,a socketint iMsTimeoutAlSockConnectAL_SOCKET_HANDLEintestablishes a connectionhSock,to a peerAlSockAddr *pAddr,int iMsTimeoutAlSockRecvAL_SOCKET_HANDLEintreceives data from ahSock,socket connectionunsigned char *Buffer,int iSize,int iMsTimeoutAlSockSendAL_SOCKET_HANDLEintsends data on ahSock,connected socketunsigned char const *Buffer,hit iSize,hit iMsTimeoutAlSockAddrBuildtext_t const *pHName,intconverts a hostname andint iPort,port into a socketAlSockAddr *pAddraddress

[0417] See Table 87 for a secure socket API.

97TABLE 87Secure Socket APIRe-NameArgumentsturnsDescriptionAlSSockOpenAL_SOCKET_HANDLEintconverts non-hSocksecure socketinto a securesocket objectfor SSLcommumcationAlSSockCloseAL_SSOCKET_HANDLEintcloses SSLhSSocksocketAlSSockBindAL_SSOCKET_HANDLEintSSL version ofhSSock,AlSockBindAlSockAddr *pAddrAlSSockAcceptAL_SSOCKET_HANDLEintSSL version ofhSSock,AlSockAcceptint iMsTimeoutAlSSockConnectAL_SSOCKET_HANDLEintSSL version ofhSSock,AlSockConnectAlSockAddr *pAddr,int iMsTimeoutAlSSockRecvAL_SSOCKET_HANDLEintSSL version ofhSSock,AlSockRecevunsigned char *Buffer,int iSize,int iMsTimeoutAlSSockSendAL_SSOCKET_HANDLEintSSL version ofhSSock,AlSockSendunsigned char const *Buffer,int iSize, int iMsTimeout

[0418] String Functions

[0419] The string functions in the platform Abstraction Library provide a platform-specific string type to/from an UTF8 string conversions and string type-specific allocation functions. See Table 88.

98TABLE 88String APINameArgumentsReturnsDescriptionAlStrCpyFromTStrchar* pDest,char*copy and converttext_t const* pSrcplatform-specificstring type tp anUTF8 stringAlTStrCpyFromStrtext_t* pDest,text_t*copy and convertchar const* pSrca UTF8 string toa platform-specific stringAlStrAllocunsigned int uSizechar*create a buffer fora single-bytezero-terminatedstringAlStrDupchar const* pStrchar*duplicate givensingle-bytezero-terminatedstringAlStrTranstext_t const* pTStrchar*convert aplatform-specificstring to an UTF8stringAlStrFreechar* pStrvoidrelease memoryallocated by theAlStrAlloc,AlStrDup andAlStrTransfunctionsAlStrIStrchar const* pString,char*locate ‘pPattern’char const* pPatternin ‘pString’ andreturn a pointerthe beginning ofthe found stringAlTStrAllocunsigned int uSizetext_t*allocate andreturn a pointer toa buffer largeenough to hold‘uSize’ longtext_t stringAlTStrDuptext_t const* pStringtext_t*duplicate aplatform-specificstring and return apointer to theduplicated stringAlTStrTranschar const* pStringtext_t*convert an UTF8string to aplatform-specificstringAlTStrFreetext_t* pStringvoidrelease memoryallocated to holda text_t stringby theAlTStrAlloc,AlStrDup andthe AllStrTransfunctionsAlTStrLentext_t* pStringintreturn length of aplatform-specificstring

[0420] System Event Functions

[0421] The system event functions provides an application with a method to install an event handler for a given system event. See Table 89.

99TABLE 89System Event APIRe-NameArgumentsturnsDescriptionAlEventGetHandlerint event,intobtain existingAL_EVENT_CBFUNC*event handlerfor specifiedeventAlEventSetHandlerint event,intset a callbackAL_EVENT_CBFUNChandler forcbFuncspecified event

[0422] API Reference

[0423] See Table 90 for an exemplary API reference.

[0424] Below table provides a list of possible system events and corresponding handlers. Actual implementation may be platform-specific.

100System EventsEventDescriptionSYS_EVENT_FILE_OPENFile open request event. Full file pathis passed to registered callbackfunction before the system/kernelopens the file. Access to the file isdenied if the event handler returns−1.SYS_EVENT_FILE_CLOSEFile close event notification. Full filepath is passed to registered callbackfunction after the system/kernelcloses the file.SYS_EVENT_FILE_RENAMEFile rename event. Both source anddestination file paths are passed toregistered callback function beforethe file is renamed. Event handlerreturns −1 if the file rename is notaccepted.SYS_EVENT_FILE_COPYFile copy event. Both source anddestination file paths are passed toregistered callback function beforethe file is renamed. Event handlerreturns −1 if the file copy is notaccepted.SYS_EVENT_FILE_DELETEFile delete event. Full file path ispassed on to event handler.−1 is returned if the callback functionrejects the operation.SYS_EVENT_MSG_RECVSMS/MMS message receive event.The message's storage path is passedon to registered callback function.−1 is returned if the message is notto be opened.SYS_EVENT_MSG_SENDSMS/MMS message ready to send.The message's storage path is passedon to registered callback function. −1is returned if the message is not to betransmitted.

[0425] (A1EventGetHandler continued)

101Return value0 if successful, −1 otherwise.See alsoAlEventSetHandlerAlEventSetHandlerDescriptionSpecifies an event handler for a given system event.Prototypeint AlEventSetHandler(int event, AL_EVENT_CBFUNC cbFunc);Parametersint event[in] System event number.AL_EVENT_CBFUNC[in] Application provided event handlerpCbFuncfor the specified event number.Return value0 if successful, −1 otherwise.See alsoAlEventGetHandler

[0426] While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

	Number	Date	Country
Parent	10121087	Apr 2002	US
Child	10122092	Apr 2002	US

	Number	Date	Country
Parent	10006413	Nov 2001	US
Child	10121087	Apr 2002	US
Parent	09920065	Aug 2001	US
Child	10006413	Nov 2001	US

Persistent storage access system and method for a wireless malware scan engine

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

US Classifications

International Classifications

Abstract

Description

Claims

RELATED APPLICATION(S)

Continuations (1)

Continuation in Parts (2)