Computer viruses and other malware are a continuing threat to computers. Although various techniques and products exist for preventing malware and for detecting its existence on a computer system, it is to be expected that a certain percentage of computer systems will be infected by malware and will need remedial action. Often termed “cleanup” or “disinfection,” various products exist that will remove malware and its effects from a computer system. Unfortunately, though, current cleanup techniques have drawbacks.
One technique is to create cleanup rules based upon common or conventional malware behavior. These cleanup rules are embodied in special computer software arranged to remove the malware and its effects from a computer system. These cleanup rules are readily available; however, their effectiveness depends upon how closely the type of malware infection fits these particular cleanup rules. If the malware performs system modifications not anticipated by the cleanup rules, or if the malware behavior is not common, then these cleanup rules will be ineffective. For example, various cleanup rules are present in many products of Trend Micro, Inc., such as PC-cillin and OfficeScan.
A second technique uses cleanup software specifically created to clean up after a particular malware infection. Creation of the software requires an engineer to perform analysis of the malware on a test machine in a laboratory, to record the changes in the computer system, and to manually formulate cleanup steps to remove the malware and its effects from the computer. For example, the cleanup steps clean system registries and system files that the malware has modified. This technique provides a near-perfect cleanup but has a lag from the time of the initial infection to the time the cleanup software is released to a customer. In addition, the engineer's task can be difficult, and the user is required to download and apply the new cleanup software to the infected computer system.
In fact, one of the most time-consuming tasks for a software engineer is to perform this analysis. One example in the prior art is the Damage Cleanup Engine/Damage Cleanup Template (DCE/DCT) and System Clean Package available from Trend Micro, Inc. of Cupertino, Calif. The engineer must set up the right environment for a given computing platform on a test machine, create snapshots for system monitoring tools, execute the malware files, test for changes in the system, clean the system, perform pattern modifications if necessary, and then retest the pattern. Each test needs to be performed repeatedly across numerous computing platforms for the pattern to be effective on these different computing platforms. Once the pattern is released by the engineer, a user must download the cleanup software, extract files, restart his or her computer, set various parameters, etc., all of which is time-consuming for the user.
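The "create snapshots, execute the sample, test for changes, formulate cleanup steps" cycle described above can be illustrated with a small snapshot-and-diff routine. The following Python is an added example written for this page; it is not code from the patent or from any Trend Micro product, and it only models the file-system part of the procedure (the registry and other system state would be snapshotted the same way). The directory layout and the "infection" changes are constructed in a temporary directory purely for illustration.

```python
"""Snapshot a directory tree before and after a run, then diff the two
snapshots into the list of changes an engineer would otherwise record by
hand.  Added example; not part of the original document."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List


def _file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    state: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = _file_digest(full)
    return state


@dataclass
class Delta:
    """Changes between two snapshots, each list sorted by path."""
    added: List[str] = field(default_factory=list)
    modified: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Delta:
    """Classify each path as added, removed, or modified (digest changed)."""
    d = Delta()
    for path in sorted(set(before) | set(after)):
        if path not in before:
            d.added.append(path)
        elif path not in after:
            d.removed.append(path)
        elif before[path] != after[path]:
            d.modified.append(path)
    return d


def cleanup_plan(delta: Delta) -> List[str]:
    """Derive cleanup steps from the delta: files the sample dropped are deleted,
    files it modified or removed are restored from the clean baseline.
    Returns human-readable steps only; nothing is executed."""
    steps = [f"delete {p}" for p in delta.added]
    steps += [f"restore {p} from clean snapshot" for p in delta.modified + delta.removed]
    return steps


def demo() -> Delta:
    """Constructed scenario: baseline tree, simulated changes, then the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system"))
        with open(os.path.join(root, "system", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "system", "config.ini"), "w") as f:
            f.write("autorun=0\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("ok\n")
        before = snapshot(root)

        # Simulated post-execution state (constructed, stands in for running the
        # sample): one file dropped, one setting changed, one file deleted.
        with open(os.path.join(root, "system", "dropped.bin"), "wb") as f:
            f.write(b"\x00" * 16)
        with open(os.path.join(root, "system", "config.ini"), "w") as f:
            f.write("autorun=1\n")
        os.remove(os.path.join(root, "readme.txt"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    delta = demo()
    for step in cleanup_plan(delta):
        print(step)
```

Running the module prints the three derived steps (delete the dropped file, restore the edited configuration, restore the deleted file). Hashing rather than comparing timestamps is deliberate: a modification that preserves size and mtime still changes the digest, and the same routine can be pointed at a registry export or any other serialized state once that state is written to files.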
In view of the above drawbacks of currently available prior art techniques for performing malware cleanup, improved techniques and products are desired.