Currently, computer viruses and other types of malware continue to plague computers and computer networks. While continual efforts are made to prevent, detect and eliminate malware from computers, the malware itself also continues to evolve and evade detection.
As known in the art, scanning provides users with the capability to detect and clean computers infected by known malware. When new malware is first reported, an antivirus software company typically analyzes the sample, produces (or updates) a pattern file that identifies it, and releases that pattern to the public for use in detecting the malware. Typically, an individual pattern file may be downloaded by a user as soon as it is available (perhaps in a pre-release version), and a compilation of pattern files is made available periodically in an official release. The pattern file and the virus scan engine work hand in hand to enable a variety of software products to detect the latest malware, whether it is embodied in a file, in application software, or elsewhere.
One previous technique used to combat malware involves an antivirus software product that uses the application programming interface (API) of an operating system in order to manually scan a file suspected of containing malware. An enhanced API may also be used to provide more powerful file enumeration.
Unfortunately, a manual scan (or scheduled scan) of software files on disk using the API of the computer operating system has drawbacks. First, scanning a file through the API is not effective if the malware has locked the file so that it cannot be opened for scanning. For example, malware may use the locking facilities of the operating system itself to hold any of its component files, or other files, open in a way that prevents them from being scanned for viruses. Secondly, prior art techniques may not be able to identify all types of rootkit malware; this type of malware is sophisticated enough to hide itself from both detection and cleaning, and because rootkit techniques also change rapidly in order to avoid detection, many infected files may escape detection during scanning. Thirdly, such prior art techniques may be ineffective if the disk being scanned is modified during the scan, which creates a file consistency problem: the state the scanner examines is no longer the state actually on disk.
Finally, a prior art scan cannot deal effectively with recursively dropped files caused by a “watchdog.” A watchdog is a component of the malware that monitors the malware's other components (malicious files, registry keys, etc.), detects when any of those components has been scanned or removed by virus cleaning software, and then recursively drops the components back into place in order to recover from the cleaning action. Normal scanning and cleaning cannot deal effectively with this type of malware because the malware recovers and replaces itself even after it has been cleaned. In particular, if the cleaning software fails to find and remove the watchdog component first, the watchdog will keep re-dropping files as the other components are removed, so the order in which components are removed determines whether cleaning succeeds at all.
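The following is an added illustration, not code from the patent or from any antivirus product, of the watchdog behavior described above. It models an infected host as a set of artifacts, a hypothetical watchdog binary that restores any watched component the moment a cleaner removes it, and two cleaning strategies: the prior art scan-and-clean loop that removes detections in whatever order the scan produced, and the same loop with the watchdog forced to the front. All paths, registry values and the watchdog name are constructed for the example.

```python
"""Simulation of a malware watchdog that re-drops components removed by a cleaner.

Everything here is constructed sample data; no real malware is modeled.
"""
from dataclasses import dataclass, field

# Hypothetical watchdog binary and the three components it guards.
WATCHDOG = "C:\\Windows\\svchost_w.exe"
WATCHED = (
    "C:\\ProgramData\\loader.dll",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\loader",
    "C:\\Windows\\System32\\drivers\\evil.sys",
)

# Two constructed scan results: one where the scanner found the watchdog
# (listed last, as a file enumeration might happen to order it), and one
# where the watchdog hid from the scan entirely.
DETECTIONS_ALL = list(WATCHED) + [WATCHDOG]
DETECTIONS_HIDDEN_WATCHDOG = list(WATCHED)


@dataclass
class InfectedHost:
    """Constructed model of an infected machine: the artifacts present and
    which of them the resident watchdog restores when they disappear."""
    artifacts: set = field(default_factory=set)
    watched: set = field(default_factory=set)
    watchdog: str = WATCHDOG
    redrops: int = 0

    def remove(self, name: str) -> bool:
        """Emulate a cleaner deleting one artifact. Returns True only if the
        artifact stays gone. If the watchdog is still resident and monitors
        this artifact, it drops the artifact back immediately."""
        if name not in self.artifacts:
            return False
        self.artifacts.discard(name)
        if self.watchdog in self.artifacts and name in self.watched:
            self.artifacts.add(name)
            self.redrops += 1
            return False
        return True


def build_host() -> InfectedHost:
    """Fresh copy of the sample infection: three watched components plus the watchdog."""
    return InfectedHost(artifacts=set(WATCHED) | {WATCHDOG}, watched=set(WATCHED))


def naive_clean(host: InfectedHost, detections, max_passes: int = 3):
    """Prior art scan-and-clean loop: remove detections in scan order and
    rescan until a pass removes nothing or max_passes is reached.
    Returns (remaining artifacts, passes executed, number of re-drops)."""
    passes = 0
    for _ in range(max_passes):
        passes += 1
        removed_any = False
        for name in detections:
            if host.remove(name):
                removed_any = True
        if not removed_any:
            break
    return frozenset(host.artifacts), passes, host.redrops


def watchdog_first_clean(host: InfectedHost, detections, max_passes: int = 3):
    """Same loop, but any detected watchdog is removed before everything else.
    If the watchdog was not detected this degrades to naive_clean, which is
    exactly the failure the text describes."""
    ordered = [n for n in detections if n == host.watchdog]
    ordered += [n for n in detections if n != host.watchdog]
    return naive_clean(host, ordered, max_passes)


if __name__ == "__main__":
    for label, fn, dets in (
        ("naive, watchdog detected last", naive_clean, DETECTIONS_ALL),
        ("naive, watchdog hidden", naive_clean, DETECTIONS_HIDDEN_WATCHDOG),
        ("watchdog first, detected", watchdog_first_clean, DETECTIONS_ALL),
        ("watchdog first, hidden", watchdog_first_clean, DETECTIONS_HIDDEN_WATCHDOG),
    ):
        remaining, passes, redrops = fn(build_host(), dets)
        print(f"{label}: {len(remaining)} left, {passes} passes, {redrops} re-drops")
```

Running it shows the three outcomes the text predicts: with the watchdog detected but cleaned last, the naive loop only converges on a later pass after every other component has been re-dropped once; with the watchdog removed first, one pass cleans everything with no re-drops; and when the watchdog hides from the scan, neither strategy converges, which is why locating the watchdog component is the prerequisite for cleaning rather than an optimization.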
For all these reasons, it would be desirable to improve upon current malware scanning techniques in order to provide better detection and cleaning of malware.