In one conventional system, a host central processing unit (CPU) executes an anti-malware software program that is (ideally) intended to detect the presence of malicious program code residing in the host and/or arriving at the host from a network, and to prevent and counteract the deleterious effects of such malicious program code on the host. In actual implementation, however, such anti-malware software suffers from significant disadvantages and drawbacks that may prevent it from achieving these intended results.
For example, when, in the course of performing the above duties, such software interacts with a device in the host, there can be little to no confidence that the software actually is interacting with that device rather than with a malicious program executing in the host that is attempting to spoof the anti-malware software (e.g., by means of a “man in the middle” attack strategy, in which the malicious program interposes itself between the software and the device and answers on the device's behalf). This may result in the malicious program being able to carry out its activities without being detected or counteracted by the anti-malware software. Additionally, for these and/or other reasons, the anti-malware software may be incapable of detecting and preventing unauthorized access by the malicious program to that device.
Also, anti-malware software typically saves critical malware detection and recovery information in a password-protected storage partition. Unfortunately, a malicious program may be able to snoop the password as it is provided to the storage device by the anti-malware software. This may permit the malicious program to access the partition and to modify the information stored in the partition. This may permit the malicious program to change (and/or to prevent the effective updating of) the information in such a way as to prevent the anti-malware software from being able to detect and/or remedy the malicious program. Additionally, such anti-malware software typically is incapable of detecting and/or remedying the presence of such a malicious program in a host protected area (HPA, e.g., compatible and/or in compliance with American National Standards Institute (ANSI), Information Technology—AT Attachment 8—ATA/ATAPI Command Set (ATA8-ACS), INCITS 452-2009 and/or other versions of this ANSI standard) in storage. An HPA is a range of sectors at the end of the drive that the drive reports as lying beyond its user-addressable capacity, so ordinary reads issued by the operating system (and hence by the anti-malware software) never reach it.
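The check a practitioner would want at this point is whether a given drive actually has an HPA. The following Python is an added example and is not code from the patent or from any product it describes; it applies the ATA8-ACS definition of an HPA (user-addressable sector count from IDENTIFY DEVICE words 60-61 or 100-103, versus the native maximum LBA returned by READ NATIVE MAX ADDRESS (EXT)). Because issuing those two ATA commands requires a raw device handle and is platform specific, the example takes the 512-byte IDENTIFY DEVICE block and the native maximum LBA as inputs, and builds a constructed IDENTIFY block for demonstration; the `build_identify` helper and its sample values are assumptions for the example, not data from a real drive.

```python
"""Detect a Host Protected Area (HPA) from ATA IDENTIFY DEVICE data.

Added example (not from the patent). Word and bit positions follow ATA8-ACS
(INCITS 452-2009):
  word 60-61   : user-addressable sectors, 28-bit addressing
  word 100-103 : user-addressable sectors, 48-bit addressing
  word 82 bit10: HPA feature set supported    (valid if word 83 bits 15:14 == 01b)
  word 85 bit10: HPA feature set enabled      (valid if word 87 bits 15:14 == 01b)
  word 83/86 bit10: 48-bit addressing supported / enabled
An HPA exists when (native max LBA + 1) exceeds the user-addressable count.
"""
import struct


def identify_words(buf):
    """Split a 512-byte IDENTIFY DEVICE response into 256 little-endian words."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return list(struct.unpack("<256H", buf))


def _words_82_87_valid(w):
    # Both validity markers must read 01b, otherwise words 82-87 are undefined.
    return (w[83] & 0xC000) == 0x4000 and (w[87] & 0xC000) == 0x4000


def hpa_supported(w):
    return _words_82_87_valid(w) and bool(w[82] & (1 << 10))


def hpa_enabled(w):
    return hpa_supported(w) and bool(w[85] & (1 << 10))


def lba48_enabled(w):
    return _words_82_87_valid(w) and bool(w[83] & (1 << 10)) and bool(w[86] & (1 << 10))


def user_addressable_sectors(w):
    """Sector count the drive exposes to the host (48-bit words preferred)."""
    if lba48_enabled(w):
        return w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    return w[60] | (w[61] << 16)


def hpa_report(identify_buf, native_max_lba):
    """Compare reported capacity with the native maximum LBA.

    native_max_lba is the LBA returned by READ NATIVE MAX ADDRESS (EXT);
    the native sector count is therefore native_max_lba + 1.
    """
    w = identify_words(identify_buf)
    user = user_addressable_sectors(w)
    native = native_max_lba + 1
    hidden = native - user if native > user else 0
    return {
        "hpa_supported": hpa_supported(w),
        "hpa_enabled": hpa_enabled(w),
        "user_sectors": user,
        "native_sectors": native,
        "hidden_sectors": hidden,
        "hpa_present": hidden > 0,
    }


def build_identify(user_sectors, hpa_on=True):
    """Constructed IDENTIFY DEVICE block for the example (assumed values)."""
    w = [0] * 256
    w[49] = 1 << 9                      # LBA supported
    w[82] = 1 << 10                     # HPA feature set supported
    w[83] = 0x4000 | (1 << 10)          # words 82-83 valid; 48-bit supported
    w[85] = (1 << 10) if hpa_on else 0  # HPA feature set enabled
    w[86] = 1 << 10                     # 48-bit addressing enabled
    w[87] = 0x4000                      # words 85-87 valid
    cap28 = min(user_sectors, 0x0FFFFFFF)
    w[60], w[61] = cap28 & 0xFFFF, cap28 >> 16
    for i in range(4):
        w[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *w)


if __name__ == "__main__":
    # Constructed case: drive reports 1,000,000 sectors, native max LBA 1,199,999.
    buf = build_identify(1_000_000)
    print(hpa_report(buf, 1_199_999))   # hidden_sectors == 200000, hpa_present True
    print(hpa_report(buf, 999_999))     # no HPA
```

On Linux the same two numbers are what `hdparm -N /dev/sdX` prints ("max sectors = user/native"). One caveat: a Device Configuration Overlay (DCO), also defined in ATA8-ACS, can lower the native maximum itself, so a drive that passes this check may still hide sectors; DEVICE CONFIGURATION IDENTIFY is needed to rule that out.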
Additionally, some malicious programs are so tenacious and destructive that only certain specialized techniques are able to remove them while still permitting recovery of the user data without substantial risk of continued infection. For example, one common technique for removing such malicious programs involves performing a complete wipe of host storage and reinstalling the host operating system from a known uninfected recovery disk. Unfortunately, as a direct consequence of this technique, user data in the host storage is erased. Also unfortunately, depending upon the particular malicious program involved, it is possible that the malicious program may remain in the storage (e.g., in an area that the wipe does not reach) and may be reactivated at a future time. Further unfortunately, depending upon the number of operating system updates that have occurred since the time when the recovery disk was produced, the recovery disk may not contain program code that is capable of detecting or remedying the particular malicious program present in the host.
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art. Accordingly, it is intended that the claimed subject matter be viewed broadly.