1. Field of the Invention
The present invention relates generally to computer software, and more particularly, to a method for protecting executable software programs against infection by computer software virus programs.
2. Description of Related Art
Computer software virus programs are malicious programs adapted to corrupt other executable computer software programs, such as by replicating themselves over an existing program or by adding code to the beginning or end of the program. Since their appearance, the number, performance, and intelligence of virus programs has greatly increased. The persons who write computer viruses continue to find means for making their viruses increasingly transparent and difficult to detect by a computer user.
However, the methods used by various virus programs for infecting computer programs are substantially similar. Most computer viruses replicate themselves by infecting executable programs. Executable programs typically comprise a series of instructions that are executed by a central processing unit (CPU) of a computer containing the program, when the program is invoked. The program contains a series of instructions referred to as "first instructions" . These instructions are located within the program, in a location that is either fixed by a disk operating system (DOS) that the executable program is designed for, or in a location referred to as the "program entry point". The program entry point is indicated by an "entry point indicator" inside the program and may be different for each program.
The objective of computer viruses is to obtain control of a desired executable program, before normal processing of the program begins. Therefore, the virus program must have its instructions executed by the CPU, before the CPU begins processing the instructions of the executable program. For the virus to be executed before the executable program, the virus must either modify the first instructions or entry point of the program, so that the virus instructions will be processed at execution time, before the computer program is processed. Infection of the program typically comprises the virus adding its executable instructions or code to the program. The virus then causes the program to be invoked with the first instructions of the virus, instead of the program's first instructions, corrupting and possibly destroying the program.
Most viruses cannot be detected by computer users without using programs specifically designed for virus detection referred to as "anti-virus" programs. The anti-virus programs are written for detection, and possibly destruction, of viruses. The most important goal of anti-virus programs is to detect the presence of a virus in a computer system as early as possible. Once a virus is detected, the anti-virus program typically signals the user, for informing the user that a virus was detected. Since the virus often writes its code into the program at several different locations, restoring the program is a time consuming process. Further, as the virus code is in the program at different locations, it is substantially difficult to be absolutely sure that the virus code is completely removed from the program when the program is restored, without damaging the program itself.
There are systems in the prior art for protecting executable programs from infections by virus programs. One such system denies performing any writing operation on any executable program, without taking account of modified bytes of the program. This system is used by some anti-virus programs. A disadvantage to this system is that writing to an executable program is a completely legal operation, and protection systems that deny writing to an executable program typically produce false positives (wrongly identifying a legal operation or program as a virus program), rather than stopping real virus operations and programs. However, modifying an executable program's entry point or first instructions is rarely performed by normal executable programs and is often performed by virus programs.
Avoiding false positives is one of the more important functions of an anti-virus program, in order to provide a reliable program and achieve the users trust. A preferred method for detecting virus programs without making false positives, is to provide a method that generates an alarm signal only when it is confirmed that an operation is executed by a virus. However, when an operation executed by a virus is detected, the virus could have made changes and modifications to the program.
One method for recovery of a computer program infected by a computer virus is disclosed in U.S. Pat. No. 5,408,642, to Mann. The disclosed method takes a unique fingerprint of a program to be recovered, along with data relating to the beginning portion of the program, and stores the fingerprint and data at a separate location. A fingerprinted program thought to be infected by a virus is processed for generating a fingerprint of a string of data of the program. The generated fingerprint is compared to the stored fingerprint, to determine if they match. If the fingerprints do not match, a value utilized to select the string can be incremented and the comparison process repeated.
U.S. Pat. No. 5,349,655, to Mann, discloses a method for recovery of a computer program infected by a computer virus, similar to the method disclosed in U.S. Pat. No. 5,408,642, to Mann. The disclosed method includes generating strings of data prior to infection by a virus and storing the strings. Second strings of data are then generated and compared to the prior strings of data, to determine if the data has been corrupted by a virus and for recovering the data.
U.S. Pat. No. 5,359,659, to Rosenthal, is directed to a method for securing software against corruption by computer virus programs. The disclosed method includes coupling security routines capable of detecting the presence of any virus infection, or other corruption, to a program. The loading information of an executable program is modified so that upon any attempt to execute the program, the security routines will execute first and scan for viruses or other corruption. If any viruses or corruption are detected, execution of the program is aborted and a warning is displayed. If no viruses or corruption are detected, the security routines are removed from the computer's memory and the program continues normally.
U.S. Pat. No. 5,319,776, to Hile et al., discloses a method for in transit detection of computer virus with a safeguard. The disclosed method tests data in transit between a source medium and a destination medium. Each character of an incoming data stream is tested against multiple search strings representing the signatures of multiple known computer viruses. When a virus is detected, the incoming data is prevented from remaining on the destination storage medium.
U.S. Pat. No. 5,121,345, to Lentz, discloses a system and method for protecting the integrity of computer data and software from a computer virus. U.S. Pat. No. 5,367,682, to Chang, discloses data processing virus protection circuitry including a permanent memory for storing a redundant partition table.
Although the methods and systems disclosed in the above enumerated prior art references have improved features, they fail to disclose all of the advantageous features achieved by the method of the present invention.