1. Field of the Invention
The present invention relates to a method and system for verifying whether system configuration data changes that occur on a computer system are undesirable or related to possible malware attack before the changes become effective or are saved on the system.
2. Description of the Related Art
Computer software, such as operating systems and applications, typically uses configuration data to control the start-up and operational behavior of the software. For example, in the MICROSOFT WINDOWS® operating system, such configuration data is stored in a data structure known as the WINDOWS® registry. The registry is a data structure that contains information and settings for all the hardware and operating system software, as well as information and settings for most non-operating system software, users, preferences of the PC, etc.
In addition to reading information from a registry, software can modify the registry. Such actions may include creating new keys and/or values, modifying existing keys and/or values, and deleting keys and/or values. Legitimate software programs may modify the registry, but malware programs may also modify the registry. A typical computer malware is a program or piece of code that is loaded onto a computer and/or performs some undesired actions on a computer without the knowledge or consent of the computer operator.
In order to combat such computer malware, anti-malware software, such as anti-virus software, may be used. One important function of such anti-malware software is to prevent unauthorized changes to the registry, so as to prevent malware from modifying the registry. As there are typically thousands of registry entries and thousands of malware programs, verifying changes to the registry is a large task, requiring significant storage and computing resources. A need arises for a technique by which unauthorized changes to the registry may be detected, but which uses system resources efficiently.