As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features—all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs will be generally referred to hereinafter as computer malware, or more simply, malware.
When a computer system is attacked or “infected” by a computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computers.
A traditional defense against computer malware, and particularly computer viruses and worms, is antivirus software. Generally described, antivirus software scans data, looking for identifiable patterns associated with known computer malware. Frequently, this is done by matching patterns within the data to what is referred to as a “signature” of the malware. One of the core deficiencies in this malware detection model is that an unknown computer malware may propagate unchecked in a network until a computer's antivirus software is updated to identify and respond to the new computer malware.
When a malware infection occurs, the infection may be handled in one of many different ways. Preferably, the infected computing device is capable of being “cleaned” so that the malware is no longer resident. However, in some instances, the malware may be configured to employ self-preservation techniques to resist being cleaned. In this instance, cleaning the computing device may not be feasible or may only be possible with a software update. Alternatively, files associated with the malware may be deleted from the computing device. However, as known to those skilled in the art and others, some malware attach to innocuous “hosts” which contain user data that will be lost if an infected file is deleted.
In yet another alternative, the malware may be “quarantined.” Typically, a quarantine occurs when data associated with the malware is altered to prevent execution of the malware. Quarantining malware is especially useful when a file may have been incorrectly identified as malware, the user wants to delay cleaning a file until a later time, or an infected file contains user data that needs to be saved. In some existing systems, a quarantined file is both prevented from executing program code and concealed from antivirus software that scans a computing device for malware. For example, one method of implementing a quarantine includes moving a file to a quarantine folder along with associated metadata that describes the location of the file. Among other things, the quarantine folder has established settings that prevent files from “executing” program code. To conceal the quarantined file from antivirus software, the data in the file is typically encoded. As a result, the file is not capable of causing harm to a computing device and will not be identified as malware if scanned by antivirus software.
In instances when one or more files are moved, attributes of the files may change in ways that are unexpected by users. For example, to prevent some users from accessing unauthorized data, heightened file system security features are implemented on some files/directories and not others. In this instance, a file may be encrypted and therefore inaccessible to unauthorized users who do not possess a “key.” However, if the file is moved, the new directory that stores the file may not maintain the same heightened security features as the directory that originally stored the file. Thus, in instances when a file infected with malware is moved to a quarantine folder, user data may become accessible to unauthorized users even though the file was originally encrypted in a directory that implemented security features designed to prevent unauthorized access. More generally, attributes associated with a file in one directory may change in ways that are unexpected to users when the file is moved to a different directory.
In light of the above-identified problems, it would be beneficial to have a system and method of quarantining a file while allowing the file to retain its original attributes.