Typically, the operation of a computer or processing system (hereafter, “computer”) may be divided into two stages, pre-boot and runtime. The pre-boot process or phase often comprises starting or resetting a computer. When first turned on (cold boot) or reset/rebooted (warm boot), a computer executes the software that loads and starts the computer's operating system and prepares it for use. Thus, the computer can be said to pull itself up by its own bootstraps. The runtime process or phase often occurs after the pre-boot phase and includes the execution of an operating system and other user applications. The runtime phase is typically the phase that users interact with the computer. Thus, the computer can be said to being running application programs. It is contemplated that a computer or processing system includes devices, such as, for example, mobile or stationary computers, personal digital assistants, telecommunication devices and/or similar devices that each include a processor, a storage medium readable or accessible by the processor (including volatile and non-volatile memory and/or storage elements).
In this context, the term “virus” may refer to an intrusive program that infects computer files by inserting in those files copies of itself or a “virus” may refer to a mutation of a binary data image (i.e. a file that has been altered by an intrusive program). The copies may be executed when the file is loaded into memory, allowing them to infect still other files, and so on. Viruses often, but not always, have damaging side effects—sometimes intentionally, sometimes not. For example, some viruses may destroy a computer's hard disk or take up memory space that could otherwise be used by programs. In this context, a virus may also include programs, such as, for example, a destructive program that is disguised as a benign program (i.e. a Trojan Horse), a program that covertly performs an operation without the user's consent or knowledge (e.g. spyware), or other unfriendly programs. During the pre-boot phase virus infected files may be particularly troubling. Normally, in the pre-boot phase all of the software executes in the most privileged processor mode and there is no protection of the memory space. In addition, pre-boot software may be loaded from adapter cards or from across a network.
Typically, computer systems scan, or search files, for viruses during the runtime phase of operation. Common commercial virus scanning techniques include scanning a file system for viruses after the operating system is running. However, by only scanning for viruses during the runtime phase, any viruses which may load or execute during the pre-boot phase or that portion of the runtime phase prior to the running of the virus scanner are unchecked. Furthermore, because current techniques for detecting virus infections run after the operating system is running, the techniques depend and/or are tailored to the specific host operating system. A need, therefore, exists for an improved system or technique for implementing a virus scanning device.