A computer virus is software that is executed by a computer without the knowledge or authorization of the computer's user and that causes unauthorized and unwanted changes to components of the computer or to information stored on the computer. For example, some viruses alter or destroy data stored on disk, scramble characters on video display screens, display misleading messages to users, and consume computer or network resources thereby preventing users from performing desired tasks. A virus usually attempts to propagate itself to other computers by making copies of itself on any accessible diskettes or hard disks (collectively "disks") or other non-volatile memory such as "flash" read-only memory (ROM). A virus "attack" herein means any change made to a computer component by a virus, such as a change to stored information or the making of a propagation copy of the virus.
Viruses typically propagate by opportunistically copying themselves to ("infecting") any disks that happen to be accessible when a computer executes the virus. If a user transports an infected disk to a second computer and the second computer executes the virus, the virus then attempts to infect disks on the second computer, and so on. Viruses generally employ one of two techniques to cause a subsequent execution of themselves. Some viruses attach themselves to application programs that are stored on a disk. When a user runs the infected program, the virus also executes. Most viruses, however, are "bootstrap-time viruses" that replace the startup (bootstrap) program located on the infected disk with a program that causes the computer to execute the virus if the disk is subsequently used as a startup disk on this or another computer. Once the virus executes, it arranges for itself to remain in the memory of the computer after bootstrap, but causes the computer to execute the normal bootstrap program so as to mask its presence. Following completion of bootstrap, the virus remains stored on the computer and capable of causing further mischief.
Bootstrap programs execute as part of a bootstrap sequence initiated by the application of power or a reset signal to a computer. During this sequence, the computer performs a power-on self-test ("POST"), then locates a bootstrap program on a disk and then executes the bootstrap program. The bootstrap program is always stored at a characteristic, fixed location (the "boot block") on the disk. Generally, the bootstrap program readies the computer for normal functioning by causing it to load and execute an operating system, such as MS-DOS, OS/2, NetWare, UNIX, or Windows-NT, although the bootstrap program can also cause the computer to execute one or more other programs prior to executing the operating system. Accordingly, as used herein, the term "bootstrap" includes the time and steps taken between the application of power or reset signal and the execution of the last program prior to the operating system; and "operating system" is software that manages a computer's resources (e.g., disks and memory) and provides low-level services (e.g., I/O, timer, memory management, interprogram communication) to application programs. An "application program" is not part of an operating system and can only execute under the control of an operating system.
To overcome the problems created by viruses, practitioners have developed a variety of "anti-virus" programs that both detect and remove known viruses. Anti-virus software searches for "signatures", including characteristic behaviors, of viruses and removes any found viruses. Examples of commercially available anti-virus programs include Command Software Systems F-PROT, IBM AntiVirus, and Sophos Sweep. However, and quite problematically, bootstrap-time viruses can interfere with the operation of prior art anti-virus software. In addition, the presence of an operating system can obscure the presence of a virus in the memory of a computer.
As noted previously, a bootstrap program is stored at a characteristic disk location or address. For "addressing" purposes, disks are divided into surfaces, tracks, and sectors. The "formatted capacity", in bytes, of a disk (also known as the "advertised capacity") equals the product of the number of: surfaces, tracks per surface, sectors per track, and bytes per sector of the disk. A hard disk can be further o divided into one or more logical "partitions", each partition being treated as a separate disk. Generally, the first sector of a diskette and the first sector of each partition of a hard disk contains a disk descriptor block which contains size and geometry information about the disk, such as the number of sectors per track. "BIOS Parameter Block" herein refers to the area on the disk where this information is characteristically stored. The following Table 1 lists the relevant fields of the BIOS Parameter Block. "Conventional storage capacity" of a disk herein means the formatted capacity of the disk as reflected by information in the BIOS Parameter Block of the disk.
TABLE 1 ______________________________________ Selected Fields of the BIOS Parameter Block Size (bytes) Field ______________________________________ 2 Number of bytes per sector 2 Total number of sectors in volume (logical partition) 2 Number of sectors per track 2 Number of surfaces (heads) 2 Number of entries in root directory ______________________________________
It is therefore an objective of the invention to provide a startup disk (diskette or hard disk) that causes the computer to automatically execute anti-virus software each time the computer starts from the disk, i.e., during bootstrap, so as to detect bootstrap-time viruses before or after they have executed and implanted themselves in the system.
It is a further objective to provide a disk that stores the anti-virus software without reducing the amount of conventional storage capacity on the disk.
It is a further objective to provide a disk that stores the anti-virus software so as to make it inaccessible to many viruses.
It is a further objective to provide a mechanism to detect and repair virus-inflicted damage to the anti-virus software.
It is a yet further objective to provide a virus-tolerant disk (startup and other disk) that can withstand an attack by a virus without incurring damage to information stored on the disk.
Other objectives will, in part, be obvious and will, in part, appear hereinafter. The invention accordingly comprises an article of manufacture possessing the features and properties exemplified in the constructions described herein and the several steps and the relation of one or more of such steps with respect to the others and the apparatus embodying the features of construction, combination of elements and the arrangement of parts which are adapted to effect such steps, all as exemplified in the following detailed description, and the scope of the invention will be indicated in the claims.