1. Field
The present invention relates generally to information processing systems and, more specifically, to management of files infected by a computer virus.
2. Description
In the past few years, computer viruses have caused damage to processing systems throughout the world. A computer virus is a program capable of operation on a system (such as a personal computer) that is self-replicating and that can "infect" other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved, and in most cases, functionally similar version of the virus. Detection, identification, and handling of computer viruses is the focus of commercial software products called "anti-virus" programs.
Anti-virus programs typically scan files on a processing system word by word or byte by byte to detect a virus by identifying a "signature string" of digital values in a file. The detection of a particular signature string indicates that identifiable virus code is present in the file. Once the virus is detected and identified, the anti-virus program responds in one of several ways. The anti-virus program may simply delete the file from the computer system, thereby removing the virus, but this action also destroys the file's original contents. This result may entail considerable and possibly irreparable damage to a user's data, programs or file systems. Alternatively, the anti-virus program may attempt to "clean" the infected file by removing virus code from the file, thereby restoring the file to its original functional state. A method often used to clean the file is to simply overwrite suspected virus code with a string of zeroes. This destroys the virus. However, if a virus is detected in error (e.g., a false positive is indicated by the anti-virus program) or the wrong bytes in the file are overwritten, then the attempt to clean the infected file results in the partial destruction of the original file. This may result in the file being unusable. If the attempt to clean the infected file fails, the infected file is usually deleted. In other cases, the anti-virus program (which may be frequently updated to handle newly discovered viruses) may not yet have the logic to clean the specific virus found in the infected file. Some anti-virus products may rename the infected file or move it to another storage location to reduce the probability of the file being accidentally used or transferred, so the virus will not be spread. However, both of these options leave the virus on the processing system in files accessible to the user and the virus may still be inadvertently spread if the file is executed or transferred to another processing system.
Thus, existing anti-virus techniques are deficient in how they manage files containing computer viruses.
An embodiment of the present invention is a method of managing a file infected by at least one computer virus. The method includes creating a first file in a directory, copying the virus infected file to the first file, scrambling the contents of the first file, and deleting the virus infected file.
Another embodiment of the present invention is a system for managing computer virus infected files. The system includes scrambler logic to scramble the contents of a virus infected file to produce a scrambled virus infected file, a virus bin to safely store the scrambled virus infected file, and unscrambler logic to unscramble the scrambled virus infected file to reproduce the virus infected file.
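The create, copy, scramble and delete sequence and the matching unscrambler described in the two embodiments above can be sketched as follows; this is an added illustration, not code from the patent. The byte-wise XOR transform, the key value, the `.vbin` naming and the `virus_bin` directory are all assumptions, since the text does not specify them, and the copy and scramble steps are combined into one pass so that no unscrambled copy is written into the bin.

```python
import os
import tempfile
from pathlib import Path

XOR_KEY = 0xA5  # assumption: the page does not say how contents are scrambled


def scramble(data: bytes) -> bytes:
    """Reversible byte-wise XOR; applying it twice returns the input."""
    return bytes(b ^ XOR_KEY for b in data)


def quarantine(infected: Path, virus_bin: Path) -> Path:
    """Create a first file in the bin, store scrambled contents, delete the original."""
    virus_bin.mkdir(mode=0o700, parents=True, exist_ok=True)
    n = 0
    while True:  # O_EXCL: never overwrite an earlier bin entry of the same name
        dest = virus_bin / f"{infected.name}.{n}.vbin"
        try:
            fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            break
        except FileExistsError:
            n += 1
    with os.fdopen(fd, "wb") as out:
        out.write(scramble(infected.read_bytes()))
        out.flush()
        os.fsync(out.fileno())  # bin copy is on disk before the original goes
    infected.unlink()
    return dest


def restore(entry: Path, target: Path) -> None:
    """Unscrambler logic: reproduce the original file from a bin entry."""
    target.write_bytes(scramble(entry.read_bytes()))


def demo() -> tuple:
    sample = b"MZ\x90\x00 CONSTRUCTED-SIGNATURE-STRING payload"  # constructed, harmless
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "report.exe"
        src.write_bytes(sample)
        entry = quarantine(src, Path(tmp) / "virus_bin")
        hidden = b"CONSTRUCTED-SIGNATURE-STRING" not in entry.read_bytes()
        restore(entry, Path(tmp) / "restored.bin")
        same = (Path(tmp) / "restored.bin").read_bytes() == sample
        return (not src.exists(), hidden, same)


if __name__ == "__main__":
    print(demo())
```

A fixed-key XOR only keeps the stored bytes from matching a signature string or being executed by accident; it is not a confidentiality control.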