| CPC G06F 21/565 (2013.01) [G06F 21/552 (2013.01); G06F 21/568 (2013.01)] | 18 Claims |

|
1. A method for synthetic file scanning, the method comprising:
identifying, on a storage device, a plurality of files that are scanned periodically for malicious activity;
for each respective file in the plurality of files, determining a respective likelihood value of the respective file being targeted by the malicious activity;
including, in a subset of files, each respective file in the plurality of files with a respective likelihood value that is greater than a threshold likelihood value;
for each respective file in the subset of files, identifying at least one fragment of the respective file that is susceptible to the malicious activity, based on characteristics of the malicious activity;
extracting the at least one fragment from each respective file;
storing the extracted at least one fragment from each respective file in a synthetic file in encrypted form, wherein contents of the synthetic file are arranged in accordance with storage addresses of each respective file in the subset of files;
scanning the synthetic file periodically instead of the plurality of files, wherein the synthetic file is updated before each periodic scan;
determining, based on the scanning, that the synthetic file is uninfected, wherein determining that the synthetic file is uninfected is indicative that the subset of files in the plurality of files whose fragments make up the synthetic file are uninfected; and
marking each respective file in the subset of files whose fragment is included in the synthetic file as a clean file.
|
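The steps of claim 1, as an added example that is not code from the patent or its assignee: it selects files above a likelihood threshold, extracts one fragment per file, lays the fragments out in storage-address order, rescans the rebuilt synthetic file, and marks the subset clean only when nothing matches. Assumptions: the names `TrackedFile`, `build_synthetic` and `periodic_scan`, the threshold, the 16-byte header fragment, the precomputed likelihood values and the `TEST-SIG` marker are all hypothetical, and the encryption of the synthetic file at rest is left out.

```python
from dataclasses import dataclass

THRESHOLD = 0.5          # assumed threshold likelihood value
SIGNATURE = b"TEST-SIG"  # constructed marker standing in for a scanner signature
FRAGMENT_LEN = 16        # assumption: the activity of interest rewrites file headers

@dataclass
class TrackedFile:
    name: str
    address: int         # storage address of the file (constructed)
    data: bytes
    likelihood: float    # assumed to be computed elsewhere
    clean: bool = False

def build_synthetic(files):
    """Concatenate the susceptible fragment of each high-likelihood file, ordered by address."""
    subset = sorted((f for f in files if f.likelihood > THRESHOLD),
                    key=lambda f: f.address)
    synthetic, index = bytearray(), []
    for f in subset:
        fragment = f.data[:FRAGMENT_LEN]
        index.append((f, len(synthetic), len(fragment)))  # where each fragment lives
        synthetic += fragment
    return bytes(synthetic), index

def periodic_scan(files):
    """Rebuild the synthetic file, scan it, and mark the subset clean only if nothing matches."""
    synthetic, index = build_synthetic(files)  # updated before each scan
    # Match inside each fragment's own span so a hit cannot straddle two files.
    hits = [f.name for f, off, n in index if SIGNATURE in synthetic[off:off + n]]
    for f, _, _ in index:
        f.clean = not hits
    return hits, [f.name for f, _, _ in index]

def sample_files():
    """Constructed sample inventory."""
    return [
        TrackedFile("a.docx", 300, b"PK\x03\x04" + b"A" * 40, 0.9),
        TrackedFile("b.exe", 100, b"MZ" + b"B" * 40, 0.8),
        TrackedFile("c.log", 200, b"log line " * 5, 0.1),
    ]

if __name__ == "__main__":
    inventory = sample_files()
    print(periodic_scan(inventory))
    inventory[0].data = SIGNATURE + inventory[0].data  # simulate a changed header
    print(periodic_scan(inventory))
```

Files below the threshold are never marked clean by this path, so they still need their own scan schedule.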