The generation and spread of computer viruses is a major problem in modern day computing. Generally, a computer virus is a program that is capable of attaching to other programs or sets of computer instructions, replicating itself, and performing unsolicited or malicious actions on a computer system. Generally, computer viruses are designed to spread by attaching to floppy disks or data transmissions between computer users, and are designed to do damage while remaining undetected. The damage done by computer viruses may range from mild interference with a program, such as the display of an unwanted political message in a dialog box, to the complete destruction of data on a user's hard drive. It is estimated that new viruses are created at a rate of over 100 per month.
A variety of programs have been developed to detect and destroy computer viruses. As is known in the art, a common method of detecting viruses is to use a virus scanning engine to scan for known computer viruses in executable files, application macro files, disk boot sectors, etc. Generally, computer viruses are comprised of binary sequences called "virus signatures." Upon the detection of a virus signature by the virus scanning engine, a virus disinfection program may then be used to extract the harmful information from the infected code, thereby disinfecting that code. Common virus scanning software allows for boot-sector scanning upon system bootup, on-demand scanning at the explicit request of the user, and/or on-access scanning of a file when that file is accessed by the operating system or an application.
In order to detect computer viruses, a virus scanning engine is generally provided in conjunction with one or more files called "virus signature files". The virus scanning engine scans a user's computer files via a serial comparison of each file against the virus signature files. Importantly, if the signature of a certain virus is not contained in any of the virus signature files, that virus will not be detected by the virus scanning engine.
By way of example, and not by way of limitation, one leading antivirus program and its accompanying virus signature files is described. It is emphasized that this example is presented only for clarity of presentation, and does not limit the scope or context of the preferred embodiments to certain software packages, software types, or operating system types. Indeed, the preferred embodiments are advantageously applied to many different types of antivirus software programs on many different types of operating systems and computing configurations.
A leading antivirus application, produced by McAfee Associates, is called VirusScan.TM.. VirusScan.TM. is a software application offered for sale in a variety of outlets and forms. VirusScan.TM. is accompanied by documentation in printed form (see, e.g., "VirusScan Quick Start Guide", McAfee Associates 1997, accompanying the CD-ROM version of VirusScan for Windows 95, NT, 3.1x, DOS and OS/2), in computer-readable form (see, e.g., the directory .backslash.MANUALS on the CD-ROM version of VirusScan for Windows 95, NT, 3.1x, DOS and OS/2), and on the World Wide Web at http://www.mcafee.com. The contents of these documents are hereby incorporated by reference into the present application.
In one form, the VirusScan.TM. application is adapted for use on a user's client computer running on a Windows 95.TM. platform. A main routine used by this antivirus application is "SCAN.EXE", a program file that is typically placed in the directory C:.backslash.PROGRAM_FILES.backslash.MCAFEE.backslash.VIRUSSCAN on the user's hard drive. The program SCAN.EXE is adapted to be used for any of the following types of virus scanning: virus scanning of system boot-sectors at startup, on-demand virus scanning at the explicit request of the user, and on-access virus scanning of a file when that file is accessed by the operating system or an application. In the Windows 95.TM. environment, the Registry files are often modified such that SCAN.EXE is run at computer startup, and also remains resident for scanning all files upon file access.
In a typical configuration, VirusScan.TM. is used in conjunction with a set of virus signature files having the names CLEAN.DAT, MCALYZE.DAT, NAMES.DAT, and SCAN.DAT. As of McAfee's Oct. 15, 1997 release of version 3010 of its VirusScan.TM. signature file updates, these virus signature files collectively comprise over 1.6 MB of virus information.
In a typical configuration, the files CLEAN.DAT, MCALYZE.DAT, NAMES.DAT, and SCAN.DAT are also placed in the directory C:.backslash.PROGRAM_FILES.backslash.MCAFEE.backslash.VIRUSSCAN on the user's hard drive.
For purposes of clarity and simplicity in describing the background and preferred embodiments, this disclosure will refer to a generic antivirus program "Antivirus_Application.exe" and a generic antivirus signature file VIRUS_SIGNATURES.DAT.
Generally speaking, a recent trend is for manufacturers of antivirus applications to update their virus signature files VIRUS_SIGNATURES.DAT as new viruses are discovered and as cures for these viruses are developed, and to make these updated signature files available to users on a periodic basis (e.g. monthly, quarterly, etc.). For example, an antivirus program manufacturer may post the update file VIRUS_SIGNATURES.DAT on a bulletin board system, on an FTP (File Transfer Protocol) site, or on a World Wide Web site for downloading by users.
FIG. 1 illustrates one serious problem that arises from the constant onslaught of new v ruses. FIG. 1 shows a flowchart of steps 100 which can occur when a typical user purchases and loads an antivirus program equipped with virus signature files, but neglects to keep its virus signature files current. At step 102, on a first date such as Apr. 1, Year 0 (4/1/00), the user acquires and loads the antivirus application Antivirus_Application.EXE and the signature files VIRUS_SIGNATURES.DAT, the file VIRUS_SIGNATURES.DAT having a last-revised date, for example, of Feb. 1, 2000. At step 104, the Antivirus_Application.exe routine and the VIRUS_SIGNATURES.DAT file are successfully run on the user's computer. The user, being satisfied that he or she has adequately protected the computer, does not update the VIRUS_SIGNATURES.DAT file.
However, in the meantime, as shown in FIG. 1 at step 106, on May 15, 2000 a third-party "hacker" develops and begins the distribution and spreading of BAD_APPLE.V, a new virus which replicates itself and destroys user data. At step 108, on Jul. 15, 2000, the antivirus manufacturer who makes Antivirus_Application.exe discovers BAD_APPLE.V. At step 110, that day the manufacturer develops a fix for BAD_APPLE.V and writes its virus signature (along with data to implement the fix) into the next release of VIRUS_SIGNATURES.DAT. At step 112, the antivirus manufacturer releases an updated VIRUS_SIGNATURES.DAT dated Sep. 1, 2000. In addition to containing other virus signatures and fixes, the new VIRUS_SIGNATURES.DAT file contains the virus signature and fix for BAD_APPLE.V.
At step 114, on Jan. 13, 2001, the user from step 104 finally becomes infected by the BAD_APPLE.DAT virus. For example, the user may have borrowed a floppy disk infected with BAD_APPLE.V from a friend, or may have downloaded an application infected with BAD_APPLE.V from the Internet. At that very time, at step 116, the program Antivirus_Application.exe scans the infected program. However, at step 116 the BAD_APPLE.V virus goes undetected by Antivirus_Application.exe because the VIRUS_SIGNATURE.DAT file being used is an old one dated Feb. 1, 2000 and therefore it does not contain the virus signature for BAD_APPLE.V. Because it has remained undetected, at step 118 on Jan. 19, 2001, the BAD_APPLE.V virus destroys data on the user's computer.
The scenario of FIG. 1 is a common manner in which desktop systems that are purportedly "protected" from infection nevertheless become infected by new viruses, and represents a problem unique to computer antivirus applications. Upgrades to antivirus files generally have no effect on the user's usage of the desktop system. As represented by the scenario of FIG. 1, the need for antivirus upgrades is often not realized by a user until it is too late. In another common scenario, the virus scanning Antivirus_Application.exe may itself be outdated, having been superseded by a newer and superior engine. These outdated engines are often unable to detect the new species of viruses, which are constantly evolving, such as "stealth" viruses and "polymorphic" viruses.
Unfortunately, even if the user is comparatively sophisticated in his or her ability to maintain the most recent virus scanning engines and virus signature files, preventable virus infection may still occur. With the proliferation of users on the Internet and World Wide Web, new viruses may be spread almost instantaneously upon their introduction. Unless the user affirmatively checks up on the manufacturer's new releases daily, his or her system may not be protected with the most recent virus signature files and scanning routines available.
FIG. 2 illustrates another practical problem that may arise regarding antivirus software distribution, this time in the context of a typical corporate local area network (LAN). FIG. 2 shows a typical local area network 200 comprising a network server 202, a communications network 204 such as an ETHERNET network, a plurality of user nodes 206A-206N, and an Internet gateway 208. As known in the art, Internet gateway 208 is generally coupled via an appropriate protocol connection to the Internet 210, either through an ISP (Internet Service Provider) or a dedicated connection to the Internet 210.
In a common scenario associated with the environment of FIG. 2, one or more dedicated system administrators 212 have the task of ensuring that the antivirus software on the local desktop machines 206A-206N stays updated. Thus, in the environment of FIG. 2, there are additional layers of complexity associated with the updating of desktop antivirus software in comparison to the single user scenario. In particular, the system administrator 212 must (a) maintain an awareness of all antivirus software needs of the various user nodes 206A-206N, (b) maintain an awareness of all update information relating to the antivirus software, and (c) retrieve and install the latest versions and updates for each user node as soon as those updates become available. While modern antivirus updating systems may allow the system administrator 212 to manually request and receive updates from an antivirus manufacturer FTP or World Wide Web Site 214 across the Internet 210, as shown in FIG. 2, it is nevertheless a labor-intensive task to distribute and install the antivirus updates effectively and rapidly. The antivirus update collection and distribution tasks can readily become difficult to keep up with, especially where a typical corporate network may have a variety of hardware platforms (e.g., IBM, MacIntosh, Sun, Silicon Graphics), and a variety of software platforms (e.g., Windows 95, Windows 3.1, DOS, LINUX, UNIX, MacIntosh), each combination of which will have its own unique set of virus scanning engines and virus signature files. It is well known in the art, for example, that viruses are operating system specific, and so the local client computers 206A-206N of FIG. 2 will likely require several different virus scanning engines and virus signature files. Each of these product lines will likely have distinct and disparate updating schedules, further frustrating the efforts of the system administrator 212.
Accordingly, it would be desirable to provide a method and system for providing the most up-to-date virus scanning, disinfection, and signature files on a user's computer for protecting against the newest viruses.
It would be further desirable to provide a method and system for the antivirus software updating to be simple and automatic, such that unsophisticated users are consistently provided with the most recent antivirus protection available.
It would be even further desirable to provide a method of antivirus software update distribution which allows a higher frequency of update releases from antivirus software manufacturers for the most up-to-date, or even up-to-the-hour, antivirus protection available.
It would be even further desirable to provide a method of automated antivirus software update distribution to the different types of user nodes of a local corporate network, with minimized intervention required by the system administrator.