Currently, it is common for malicious software such as computer viruses, worms, spyware, etc., to affect a computer such that it will not behave as expected. Malicious software can delete files, slow computer performance, clog e-mail accounts, steal confidential information, cause computer crashes, allow unauthorized access and generally perform other actions that are undesirable or not expected by the user of the computer.
Current technology allows computer users to create backups of their computer systems and of their files and to restore their computer systems and files in the event of a catastrophic failure such as a loss of power, a hard drive crash or a system operation failure. But, in these situations the computer user generally knows when the failure has occurred. Assuming that the user had performed a backup prior to the failure, it can be straightforward to restore their computer system and files to a state prior to the computer failure. Of course, those users who perform a backup more frequently will generally be able to restore their computer system to a point closer to the time of the failure. Unfortunately, these prior art techniques are not effective when dealing with infection of a computer by malicious software.
FIG. 1 illustrates a prior art technique for taking scheduled “snapshots” and manual “snapshots” of a computer system. Traditional backup/restore software applications allow an operating system or a user to take a snapshot of the state of a computer and its files at a particular point in time. A snapshot typically records changes to the computer system and its files from a previous point in time and allows a user to restore their computer system to a time when the snapshot was taken. Timeline 10 shows a series of hourly scheduled snapshots taken automatically by the computer system and timeline 20 shows a number of manual snapshots initiated by the user. Scheduled snapshots are only taken when scheduled (e.g., hourly, daily or weekly) and are not triggered by a particular event. Manual snapshots are typically initiated by a computer user at important milestones such as at an important software installation, a project completion, a server upgrade or a system integration. These snapshot methods might be suitable for a hardware crash or a system error, but if the computer has been infected by malicious software the backup/restore application has no idea when the infection occurred and thus does not know from which point to restore the computer.
For example, in timeline 10, if the computer user does not become aware of the infection until after 1800, the user might waste a lot of time restoring the computer to points 1800, 1700 and 1600, only to find that the computer is still infected. Only when the user restores the computer from the snapshot taken at 1400 is the computer finally returned to a state free of malicious software. Even if the user has taken manual snapshots as in timeline 20, the user is still unaware of when the computer was first infected and does not know from which snapshot point to restore the computer. If the malicious software is detected days or weeks after the initial infection, it can be nearly impossible to determine when the infection first occurred. A user might err on the side of caution and decide to restore the computer from a point days or weeks before the infection occurred, but then valuable system and user data might be lost.
Another problem arises because the computer user is unaware of when the malicious software first infected the computer system. Certain backup/restore applications store restore points and their data in protected system files. Because these system files might not be scanned by virus scanning software, it is possible that a given snapshot and its associated restore point contain malicious software. Because the user does not know at which point in time the computer became infected, he or she may inadvertently restore the computer using a snapshot that contains malicious software. Further, certain malicious software uses protected kernel mode drivers that cannot be scanned by many types of virus scanning software. In both of these situations, running virus scanning software might be ineffective and provide a false sense of security, because a scanner cannot remove malicious software that it cannot inspect.
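The two failure modes described above, the blind backward search through scheduled snapshots and the snapshot whose infection the scanner cannot see, can be made concrete with a small simulation. The following code is an added illustration, not part of the patent text and not any vendor's backup/restore product; the hourly timeline, the infection time of 1430, the detection time of 1800, the file names and the `scanner_misses_from` switch are all constructed assumptions chosen to match the timeline 10 discussion.

```python
"""Constructed simulation of the prior-art restore problem.

Snapshots are taken on a fixed hourly schedule. The infection time is
unknown to the user, who discovers the infection later and walks backward
through snapshots until a restored image scans clean. All times, snapshots
and file names are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Snapshot:
    taken_at: int              # minutes since midnight
    files: List[str]           # user files present when the snapshot was taken
    infected: bool             # ground truth, which the user cannot see
    scan_detects: bool = True  # False models malware the scanner cannot inspect


def hhmm(minutes: int) -> str:
    """Render minutes-since-midnight as the 24-hour labels used in timeline 10."""
    return f"{minutes // 60:02d}{minutes % 60:02d}"


def build_hourly_timeline(infection_at: int, detected_at: int,
                          scanner_misses_from: Optional[int] = None) -> List[Snapshot]:
    """Timeline 10 style: hourly scheduled snapshots from 0900 up to the
    detection hour. Each hour the user creates one new file (constructed),
    so every snapshot carries a little more user data than the previous one.
    If scanner_misses_from is set, snapshots taken at or after that time are
    infected in a way the scanner reports as clean (e.g. a protected driver)."""
    snapshots: List[Snapshot] = []
    files: List[str] = []
    for t in range(9 * 60, detected_at + 1, 60):
        files = files + [f"report_{hhmm(t)}.docx"]
        infected = t >= infection_at
        unscannable = scanner_misses_from is not None and t >= scanner_misses_from
        snapshots.append(Snapshot(t, list(files), infected, scan_detects=not unscannable))
    return snapshots


def scan_reports_infection(snap: Snapshot) -> bool:
    """What the user's virus scanner says after restoring `snap`.
    An infection living where the scanner cannot look is reported as clean."""
    return snap.infected and snap.scan_detects


def prior_art_restore(snapshots: List[Snapshot]) -> dict:
    """The backward search a user performs without knowing the infection time:
    restore the newest snapshot, scan, and step back one snapshot per failure.
    Returns every point tried, the point finally kept, and whether the machine
    is actually clean; the last value is the ground truth the user never sees."""
    attempts: List[str] = []
    for snap in reversed(snapshots):
        attempts.append(hhmm(snap.taken_at))
        if not scan_reports_infection(snap):
            return {"attempts": attempts,
                    "restored_to": hhmm(snap.taken_at),
                    "actually_clean": not snap.infected}
    return {"attempts": attempts, "restored_to": None, "actually_clean": False}


def data_lost(snapshots: List[Snapshot], restored_to: str) -> List[str]:
    """User files that existed at detection time but are absent from the
    snapshot the user restored; this is the cost of restoring too far back."""
    newest = snapshots[-1]
    chosen = next(s for s in snapshots if hhmm(s.taken_at) == restored_to)
    return [f for f in newest.files if f not in chosen.files]


if __name__ == "__main__":
    # Scenario 1: infection at 1430, noticed at 1800, scanner works normally.
    timeline = build_hourly_timeline(infection_at=14 * 60 + 30, detected_at=18 * 60)
    outcome = prior_art_restore(timeline)
    print("attempts:", outcome["attempts"], "restored to:", outcome["restored_to"])
    print("files lost by restoring to 1400:", data_lost(timeline, outcome["restored_to"]))
    print("files lost by a cautious restore to 0900:", data_lost(timeline, "0900"))

    # Scenario 2: same infection, but it hides where the scanner cannot look.
    hidden = build_hourly_timeline(14 * 60 + 30, 18 * 60, scanner_misses_from=14 * 60 + 30)
    outcome2 = prior_art_restore(hidden)
    print("with an unscannable infection the user keeps", outcome2["restored_to"],
          "and is actually clean:", outcome2["actually_clean"])
```

In the first scenario the search touches five restore points (1800 down to 1400) before the scanner reports clean, and even the correct choice discards the four files created after 1400; a cautious restore to 0900 discards nine. In the second scenario the first restore at 1800 already scans clean, so the user stops immediately and keeps an infected image, which is exactly the false sense of security described above.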
For the above reasons, it is desirable to have a system and technique that would address the above deficiencies in the prior art and would allow a computer system to recover properly and with minimal effort after being infected by malicious software.