1. Field of the Invention
The present invention relates to computer system security. More particularly, the present invention relates to a system and method of detecting malicious code in a computing device.
2. Description of Related Art
Anti-virus applications typically protect a computing device from viruses, also referred to herein as malevolent applications, malicious code, or virus code, by examining the computing device's memory and file system for signs of virus infestation. This examination process is called scanning.
In order to fully scan a given computing device's memory and file system, all files associated with a suspect, or unknown, application, also referred to herein as simply an application, must be accessed by the anti-virus application scanner to check for any malicious code, i.e., virus code. Knowing this, the creators of virus code, also called Authors, are constantly seeking ways to prevent an anti-virus application from accessing, and scanning, virus files.
One current method used by virus Authors to prevent an anti-virus application from accessing, and scanning, virus files is the use of exclusively locked files. Exclusively locked files have been known since 2002. Most recently, Authors of spyware, a form of malicious code, have begun using exclusively locked files to lock their executable virus files from scanning and thereby prevent detection, and removal, of these files by anti-virus applications.
Using exclusively locked files to prevent an anti-virus application from accessing and scanning, and therefore detecting and removing, virus code is an effective method. This is because, currently, once a file has been exclusively locked, it is “owned” by the locking application, i.e., the application the file is marked for exclusive use by, and any other program, application or process, such as an anti-virus application, cannot open the exclusively locked file for reading or scanning. Consequently, the anti-virus application can potentially fail to detect the virus code and fail to identify the file, and the parent application, as malevolent, i.e., the anti-virus application scan can return a “false negative” result in the presence of exclusively locked virus files.
It would be advantageous to provide an anti-virus application with the capability to access, and scan, exclusively locked files so that exclusively locked virus files can be detected and removed from a computing device.