US2009171957A1PendingUtilityA1

Method and system of applying policy on screened files

Assignee: MICROSOFT CORPPriority: Nov 30, 2004Filed: Oct 21, 2008Published: Jul 2, 2009
Est. expiryNov 30, 2024(expired)· nominal 20-yr term from priority
G06F 21/6281G06F 21/6218
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Described is a mechanism comprising a data screening filter and user mode service that applies (enforces) policies regarding allowing or blocking file content of a directory, based on matching the filename against patterns associated with that directory. An administrator configures a screening policy, such as the types of files to allow in a particular directory and the types of files to block. File groups of member patterns and non-member exclusion patterns are defined and selectively collected in directory screening objects (DSOs). A directory screening object (DSO) is associated with a directory. When an I/O create request specifying a filename and a target directory is received, the filename is evaluated against the member/non-member patterns in the file groups referenced by the DSO for that directory to make for an allow or block policy decision. If not matched, DSOs on parent directories are evaluated upwards seeking a policy decision.

Claims

exact text as granted — not AI-modified
1 . In a computing environment, a system comprising:
 a data screen mechanism that receives an I/O request directed towards a file in a target directory of a file system volume, the I/O request containing information corresponding to the filename and the target directory;   a set of one or more data screening objects, each data screening object associated with a directory of the file system volume and having information corresponding to pattern data that relates to filenames; and   the data screen mechanism determining based on the target directory whether a data screening object applies to the I/O request, and if so, evaluating the filename corresponding to the I/O request against the pattern data to determine policy application based on a relationship between the filename and the pattern data.   
   
   
       2 . The system of  claim 1  further comprising a set of at least one file group, each file group containing pattern data, and wherein the information corresponding to the pattern data in the data screening object comprises a reference to at least one file group in the set. 
   
   
       3 . The system of  claim 2  wherein each file group includes a first field for member patterns and a second field for non-member patterns. 
   
   
       4 . The system of  claim 3  wherein the filename is a member of a group when the filename does not fit a pattern in the second field and fits a pattern in the first field. 
   
   
       5 . The system of  claim 4  wherein the data screen mechanism determines policy application based on a relationship between the filename and the pattern data by determining whether the filename is a member of a group. 
   
   
       6 . The system of  claim 5  wherein the data screening object contains a first field for listing a first set of zero or more file groups and corresponding to a first policy, and a second field for listing a second set of zero or more file groups corresponding to a second policy, and wherein the data screen mechanism applies the first policy if the filename is a member of any file group in the first field and applies the second policy if the filename is a member of any file group in the second field. 
   
   
       7 . The system of  claim 6  wherein the first field corresponds to an allow policy and the second field corresponds to a block policy, and wherein the allow policy overrides the block policy. 
   
   
       8 . The system of  claim 6  wherein the filename is neither a member of any file group in the first field nor a member of any file group in the second field, and wherein the data screen mechanism determines whether a data screening object applies to the I/O request by looking for another data screening object associated with at least one parent directory of the target directory. 
   
   
       9 . The system of  claim 1  wherein the data screen mechanism comprises a filter driver. 
   
   
       10 . The system of  claim 9  further comprising a user mode service coupled for communication with the data screen mechanism, the data screen mechanism configured to provide a notification to the user mode service upon at least one type of policy application. 
   
   
       11 . In a computing environment, a method comprising:
 associating pattern data corresponding to a set of one or more namespaces with a directory;   receiving an I/O request, the request I/O including data corresponding to a filename and a target directory; and   determining whether the filename relates to the pattern data, and if so, determining a policy to apply based on the relationship of the filename to that pattern.   
   
   
       12 . The method of  claim 11  wherein the pattern data includes at least one pattern having a wildcard. 
   
   
       13 . The method of  claim 11  wherein associating the pattern data with the directory comprises associating a data screen object containing information corresponding to the pattern data with the directory. 
   
   
       14 . The method of  claim 13  wherein the data screen object includes a first and second data fields, with at least one field containing information corresponding to at least some of the pattern data. 
   
   
       15 . The method of  claim 14  wherein the information corresponding to at least some of the pattern data comprises at least one reference to the pattern data. 
   
   
       16 . The method of  claim 14  wherein the first field corresponds to a first policy and the second field corresponds to a second policy. 
   
   
       17 . The method of  claim 16  wherein the first field corresponds to an allow policy and the second field corresponds to a block policy, and wherein determining the policy to apply comprises evaluating the first field for pattern data to attempt to obtain a policy result before evaluating the second field for pattern data. 
   
   
       18 . The method of  claim 11  wherein determining whether the filename relates to the pattern data comprises determining whether the filename fits any pattern data for the target directory, and if so, applying a policy. 
   
   
       19 . The method of  claim 18  wherein determining whether the filename fits any pattern data for the target directory comprises determining whether a data screen object is associated with the target directory. 
   
   
       20 . The method of  claim 18  wherein a data screen object is associated with the target directory and contains a first field for one policy and a second field for another policy, each field arranged to contain information corresponding to file group data in which any file group contains at least some of the pattern data, and wherein determining whether the filename relates to the pattern data comprises determining whether the filename is a member of a file group. 
   
   
       21 . The method of  claim 20  wherein each file group contains a data field for member patterns and a data field for non-member patterns, and wherein determining whether the filename is a member of a file group comprises evaluating the filename against any non-member patterns before evaluating the filename against any member patterns, wherein when the filename is not a member of the group if it fits any non-member pattern or does not fit any member pattern. 
   
   
       23 - 39 . (canceled)

Join the waitlist — get patent alerts

Track US2009171957A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.