1. Field of the Invention
This invention pertains in general to computer security and in particular to repairing a computer infected with a computer virus or other malicious software.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, and adware. The malware attacks a computer by making one or more alterations on the computer that enable the malware to function. Simple malware, such as a virus, can infect a computer by altering a file so that it infects other files when executed. More complex malware, such as spyware, can infect multiple aspects of the computer, such as registry keys, executing processes, and executable files.
Existing security software can detect malware infections and, in many instances, repair them. The security software contains basic knowledge about the infection methods used by different types of malware, and also contains knowledge of how to repair the computer by disabling and/or removing the malware. Since instances of the security software are typically executing on thousands or millions of computers, the repair knowledge contained therein generally represents the lowest common denominator approach to repairing the infection. For example, if the malware infects the computer by changing a file handler in the registry to point to the malware instead of to legitimate software, the security software can disable the malware by restoring the handler to its default value. This approach is likely to work across all of the computers on which the security software is executing, because all of those computers are likely to support the default file handler.
The tradeoff of using the lowest common denominator approach is that the repairs performed by the security software are often suboptimal. For example, the computer might not have used the default file handler before the malware infection, meaning that the repair did not actually restore the computer to its original state. In some situations, context information that would enable the security software to make an optimal repair, such as information describing the location of a backup for an infected file, may be present on the computer.
Nevertheless, existing security software cannot take advantage of the context because there is no capability for making context information available to the security software, and the software correspondingly lacks the capability to analyze the context in order to make better repair decisions. As a result, there is a need for a way to leverage context information available on the computer to improve the repairs performed by security software.
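The file-handler scenario above can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the patent or from any security product: the registry is a plain dictionary, the default handler, the user's own handler, the malware path and the backup record are all constructed values, and the "detection" is a simple path match. It contrasts the lowest-common-denominator repair (always restore the default) with a context-aware repair that prefers a recorded pre-infection value, and it also covers the failure mode where the recorded value is itself already hijacked, in which case the repair must fall back to the default.

```python
# Added example (not from the patent): toy model of repairing a hijacked file handler,
# comparing a "restore the default" repair with a context-aware repair that uses a
# recorded prior value when one exists and is clean.  Every path, key and value below
# is constructed for illustration; none refers to a real system.

from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed default handler that every computer is expected to support (constructed).
DEFAULT_HANDLERS: Dict[str, str] = {
    ".txt": r"C:\Windows\System32\notepad.exe %1",
}

# Constructed sample values for the scenario.
USER_HANDLER = r"C:\Tools\editor.exe %1"                   # user's own pre-infection choice
MALWARE_HANDLER = r"C:\Users\Public\svchost_update.exe %1"  # value written by the malware
KNOWN_MALWARE: Set[str] = {r"C:\Users\Public\svchost_update.exe"}  # placeholder indicator


@dataclass
class Registry:
    """Minimal stand-in for the file-handler portion of a registry."""
    handlers: Dict[str, str] = field(default_factory=dict)


@dataclass
class RepairContext:
    """Context information that may be present on the computer: handler values
    recorded before the infection (for example from a backup or snapshot)."""
    recorded_handlers: Dict[str, str] = field(default_factory=dict)


def is_malicious(value: str, known_malware: Set[str]) -> bool:
    """Detection stand-in: the handler is hijacked if it launches a known malware path."""
    return any(path.lower() in value.lower() for path in known_malware)


def lcd_repair(registry: Registry, ext: str) -> str:
    """Lowest-common-denominator repair: disable the malware by restoring the default.
    Works everywhere, but discards whatever the user had configured before."""
    restored = DEFAULT_HANDLERS[ext]
    registry.handlers[ext] = restored
    return restored


def context_aware_repair(registry: Registry, ext: str,
                         context: Optional[RepairContext],
                         known_malware: Set[str]) -> str:
    """Prefer the recorded pre-infection value when it exists and is itself clean.
    If there is no context, or the recorded value is already hijacked (e.g. the
    backup was taken after infection), fall back to the default repair."""
    if context is not None:
        prior = context.recorded_handlers.get(ext)
        if prior is not None and not is_malicious(prior, known_malware):
            registry.handlers[ext] = prior
            return prior
    return lcd_repair(registry, ext)


def infected_registry() -> Registry:
    """A fresh registry whose .txt handler has been hijacked (constructed state)."""
    return Registry(handlers={".txt": MALWARE_HANDLER})


def compare_repairs(context: Optional[RepairContext]) -> Dict[str, str]:
    """Run both strategies on separate copies of the infected registry and
    return the resulting handler value for each."""
    lcd_reg = infected_registry()
    ctx_reg = infected_registry()
    return {
        "lcd": lcd_repair(lcd_reg, ".txt"),
        "context_aware": context_aware_repair(ctx_reg, ".txt", context, KNOWN_MALWARE),
    }


if __name__ == "__main__":
    good_backup = RepairContext(recorded_handlers={".txt": USER_HANDLER})
    stale_backup = RepairContext(recorded_handlers={".txt": MALWARE_HANDLER})
    print("with clean backup:   ", compare_repairs(good_backup))
    print("with no context:     ", compare_repairs(None))
    print("with infected backup:", compare_repairs(stale_backup))
```

Both strategies disable the malware; the difference is only in how close the repaired handler is to the pre-infection state. The stale-backup case is the reason a context-aware repair must still validate the context it is given rather than trusting it blindly.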