The present invention relates generally to recovering a computer system, and more particularly, to a system and method for defining a safe quarantine area on a disk for use in storing information about changes made to the disk during a virus cleaning operation. The information is used to recover data if the computer system is corrupted during cleaning of the system for viruses.
A huge surge in computer viruses has occurred in the last decade. Computer viruses have gone from an academic curiosity to a persistent, worldwide problem. Today, viruses affect vast numbers of computers in locations throughout the world. A computer virus is generally a manmade destructive computer program or code that is loaded onto a computer system without the knowledge of the user. The computer virus is often a self-replicating program containing code that explicitly copies itself and can infect other programs by modifying them or their environment. Even a simple virus can be dangerous as the virus can quickly use a large portion of the available memory and possibly bring down the computer system.
Viruses can be written for, and spread on, virtually any computing platform. A virus can infect, or become resident in almost any software component, including an application, operating system, system boot code, or device driver. Computer viruses spread by attaching themselves to other programs (e.g., word processing or spreadsheet applications) or to a boot sector of a disk. When an infected file is activated or executed, or when the computer is started from an infected disk, the virus is also executed and attempts to infect other files. Since a virus is software code, it can be transmitted along with any legitimate software that enters the computer environment.
The term virus generally refers to any destructible or harmful program or code that attempts to hide its possibly malicious function or tries to spread onto as many computers as possible. One common type of virus is a macro virus which is encoded as a macro embedded in a document. Many applications support macro languages which allow the user to embed a macro in a document and have the macro execute each time the document is opened. Once a computer system is infected with a macro virus, the virus can embed itself in all future documents created with the associated application.
Another common virus is a boot sector virus which replaces the computer system's master boot record with its own code. The boot sector virus is a small program executed each time a computer boots. The virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot process. Since the master boot record executes every time the computer is started, the boot sector virus can be very dangerous to the integrity of the computer system. The boot sector virus typically enters the computer system through a floppy disk installed in the floppy drive when the computer system is started. Other types of viruses include polymorphic virus, Trojan horse, and computer worm.
Many anti-virus programs have become commercially available for protection against viruses. There are three main types of anti-virus software: activity monitors, integrity checkers, and scanners. Activity monitoring programs attempt to prevent infection before it happens by looking for virus type activity, such as attempts to reformat a disk. Integrity checkers compute a small checksum or hash value for files which are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. These programs catch unknown viruses as well as known ones. Integrity checkers may be called to check entire disks or they may be resident, checking each program that is about to be executed.
Scanners are the most widely used type of anti-virus program. Virus scanners generally operate in batch mode, scanning all files on a system, hard disk, or floppy disk, when requested by the user, or at set intervals. They look for known viruses by searching disks and files for scan strings or patterns. A scanner may be designed to examine specified disks or files on demand, or it may be resident, examining each program that is about to be executed. Most scanning programs include an update feature that allows the anti-virus program to download profiles of new viruses from the Internet so that the program can check for new viruses soon after they are discovered. Most scanners also include virus removers which are operable to clean infected files. One example of an anti-virus scanner is McAfee's VSHIELD.
A virus scan may be performed, for example, on a volume boot sector, such as an NTFS (NT File System) boot sector. The volume boot sector is created when a high-level format of a hard disk partition is performed. The volume boot sector includes a disk parameter block which contains information that is used by the operating system to determine where other internal structures of the partition are located. The boot sector's code is executed directly when the disk is booted, thus making it a favorite target for virus writers. The virus scan is typically performed on the hard drive with the system booted using a backup operating system. If infected files are found during the virus scan, a cleaning operation is performed. However, since the disk is being accessed without the use of the primary operating system, there is a risk of corrupting the data. For example, the infected disk may have been operable prior to cleaning but is no longer able to boot the computer system. If the data is corrupted during the cleaning process it may be necessary to return the computer system to the state it was in before cleaning of the disk was attempted, so that data on the disk is accessible. This requires that changes made during the cleaning operation be recorded so that the changes can be reversed, if required. Since these changes may be extensive, it is unlikely that they would fit onto a floppy disk or other removable storage device.
There are also other changes that may be made to the computer system, such as system upgrades or patches, which may require modification to data on a computer hard drive while the system is booted using a backup operating system.
There is, therefore, a need for a method and system for defining a safe area on the disk being modified to store changes made to the disk to return the computer system to the state it was in before the changes were made.