1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting file modifications performed by malicious codes.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Malicious codes have become so prevalent that experienced computer users have some form of antivirus in their computers. Antivirus products for scanning data for malicious codes are commercially available from several vendors, including Trend Micro, Inc.
Conventional antivirus products typically employ some form of signature matching and behavior blocking mechanism to detect files infected by malicious codes. These aforementioned techniques rely on having correct signatures and rules to detect infected files. Unfortunately, signatures for detecting malicious codes may not be available for hours or even days after detection of new malicious codes. Unlike signature matching, behavior blocking does not rely on malicious code signatures. However, behavior blocking has relatively high false alarm rate and may adversely interfere with or even prevent operation of legitimate software.
Once a file is identified as infected, access to and execution of the infected file is blocked by the antivirus. A clean pattern may be created to disinfect the file (i.e., to remove the malicious codes or effects of malicious codes from the file). The clean pattern is typically created manually, and may take some time to create. In the meantime, while the clean pattern is being created by antivirus researchers, the malicious codes that infected the file continue to propagate and infect other files. Worse, the clean pattern may be “buggy” and inadvertently corrupt the infected file or other files, cause a system crash, or force the host computer to keep rebooting.