With the increasing popularity of the Internet, there continues to be significant growth in services offered online: web banking allows customers to manage funds in their bank and brokerage accounts from a personal computer, and various Internet payment systems, such as Yandex.money, Webmoney or PayPal, allow consumers to conveniently pay merchants, auction-site sellers and others for goods and services. In addition, users run an ever increasing array of application software and save their important work product both locally on their personal computers and on remote servers. It is therefore not surprising that the number of malicious applications intended to steal, extort or spy on important data is also growing.
To combat malicious programs, antivirus applications have existed for quite a long time, such as Kaspersky Internet Security as well as products from Microsoft Corporation, Symantec, McAfee, Trend Micro, F-Secure and many others. These security applications use a wide variety of detection and treatment technologies, including signature and heuristic checks, virtual machines and emulators. Together these technologies provide effective detection and removal of many malicious applications and of the consequences of their operation.
However, the development of malicious applications is itself continually evolving, and their creators use cutting-edge methods to avoid or counter antivirus applications. One such area is the method of spreading: a malicious application may actively infect files (a virus) or propagate over the network and by email (a worm). Malicious applications may also spread by exploiting vulnerabilities in operating system software and user applications, or through social networks, in particular targeting lay persons without much expertise in computer security. Many malicious applications are quite difficult to detect and remove, even for experts.
Malicious applications can also be installed whose sole function is to provide remote control of the infected computer (a backdoor), to conceal certain objects or activities in the operating system (a rootkit), or to refrain from any action that is obviously malicious (for example, fake antivirus applications); each of these makes detection more difficult. Code obfuscation further complicates detection, and many malicious applications consist not of a single executable file but of multiple related components, each executing its own part of the malicious functionality.
For example, U.S. Pat. No. 7,540,030 proposes a system for removing malicious applications from a computer. A special CHECK scenario is run on the infected computer, which searches for malicious applications and for the consequences of their operation. If the CHECK scenario finds a malicious application, a FIX scenario is run afterwards, which disinfects the user's computer.
Removing a malicious application once does not guarantee that it stays removed. A number of composite malicious applications can restore a deleted component by means of their remaining components. For instance, U.S. Pat. No. 7,533,131 proposes a method for removing malicious applications that try to restore copies of themselves. The solutions described in U.S. Pubs. No. 2007/143843 and 2006/0130141 assess the effectiveness of the treatment by verifying that the malicious applications were in fact removed. Moreover, even when every component of a malicious application has been removed, it is often impossible to completely reverse all consequences of its operation, i.e. files it created or modified and registry keys it created or modified.
A further problem is the side effects of the removal process itself. For example, treating a computer system may require removing an operating system file that is infected but still necessary for the operating system to work properly; removing such a file leaves the operating system unable to work correctly, or even to load in the first place. A solution is therefore needed that can effectively treat infected computer systems while avoiding the problems outlined above.
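To make the two failure modes above concrete (a composite malicious application restoring a deleted component, and an infected file the operating system still needs), here is an added simulation of a CHECK, FIX and verification cycle over an in-memory filesystem. It is example code written for this page, not code from any of the patents cited; the paths, the signature string `EVILSIG_X`, the family name `Trojan.X` and the protected-file list are all constructed for the demonstration.

```python
"""Simulated CHECK -> FIX -> verify cycle over an in-memory filesystem.

Added example, not code from the patents cited above. Paths, the signature
string and the protected-file list are constructed for the demonstration.
"""
from dataclasses import dataclass, field

SIGNATURE = {"Trojan.X": "EVILSIG_X"}            # family -> pattern (constructed)
PROTECTED_SYSTEM_FILES = {"/system/kernel.bin"}  # files the OS needs to boot (assumed)


@dataclass
class File:
    content: str
    # Composite-malware behaviour: while this component is present, it recreates
    # any sibling listed here (path -> content) that has gone missing.
    restores: dict = field(default_factory=dict)


def make_infected_fs() -> dict:
    """Constructed sample: an infected OS file plus a two-component trojan
    whose components watch over each other."""
    return {
        "/system/kernel.bin": File("KERNELCODE EVILSIG_X"),  # file infector patched it
        "/tmp/a.exe": File("EVILSIG_X dropper", restores={"/tmp/b.dll": "EVILSIG_X watchdog"}),
        "/tmp/b.dll": File("EVILSIG_X watchdog", restores={"/tmp/a.exe": "EVILSIG_X dropper"}),
        "/home/user/report.txt": File("quarterly numbers"),
    }


def check(fs: dict) -> dict:
    """CHECK scenario: family -> sorted list of paths carrying its signature."""
    found = {}
    for path, f in fs.items():
        for family, sig in SIGNATURE.items():
            if sig in f.content:
                found.setdefault(family, []).append(path)
    return {fam: sorted(paths) for fam, paths in found.items()}


def run_watchdogs(fs: dict) -> None:
    """Give every surviving component a chance to restore deleted siblings."""
    for f in list(fs.values()):
        for sibling, content in f.restores.items():
            if sibling not in fs:
                fs[sibling] = File(content)  # fresh drop, no watchdog of its own


def plan_fix(found: dict, protect_system_files: bool = True) -> list:
    """Turn CHECK results into (path, action) pairs. An infected file the OS
    needs is disinfected in place instead of being deleted."""
    actions = []
    for paths in found.values():
        for p in paths:
            if protect_system_files and p in PROTECTED_SYSTEM_FILES:
                actions.append((p, "disinfect"))
            else:
                actions.append((p, "delete"))
    return actions


def apply_fix(fs: dict, actions: list, malware_can_run: bool) -> None:
    """FIX scenario. With malware_can_run=True the surviving components execute
    between individual actions (removal on a live system); with False they only
    run once all actions are done (e.g. removal before the components load)."""
    for path, action in actions:
        if action == "delete":
            fs.pop(path, None)
        elif action == "disinfect":
            for sig in SIGNATURE.values():
                fs[path].content = fs[path].content.replace(sig, "")
        if malware_can_run:
            run_watchdogs(fs)
    run_watchdogs(fs)


def os_bootable(fs: dict) -> bool:
    """Side-effect check: every file the OS needs is still present."""
    return all(p in fs for p in PROTECTED_SYSTEM_FILES)


def treat(fs: dict, protect_system_files: bool, malware_can_run: bool) -> dict:
    """Full cycle; returns the verification CHECK (an empty dict means clean)."""
    found = check(fs)
    apply_fix(fs, plan_fix(found, protect_system_files), malware_can_run)
    return check(fs)


if __name__ == "__main__":
    for label, protect, live in [("live removal", True, True),
                                 ("naive removal", False, False),
                                 ("removal before components load", True, False)]:
        fs = make_infected_fs()
        left = treat(fs, protect, live)
        print(f"{label}: left over {left}, OS bootable: {os_bootable(fs)}")
```

Running the three scenarios shows the point of each cited problem: on a live system the watchdog in `b.dll` recreates `a.exe` before the FIX scenario reaches it, so the verification CHECK still reports `Trojan.X`; deleting the infected kernel file removes the infection but leaves the system unbootable; only removing all components before they can run, while disinfecting rather than deleting the protected file, passes verification with a bootable system.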