This disclosure relates generally to computer systems and, more particularly, to a method and system for detecting, and recovering from, computer viruses during the boot process.
A problem encountered by many users of computer systems is the inadvertent introduction of computer viruses into the computer system. These computer viruses can cause unrecoverable errors and can have a large detrimental economic impact on the owner of the computer system. Computer viruses are computer programs or pieces of computer code that are loaded onto the computer system without the user's knowledge and that operate against the user's wishes. Technically, a computer virus is capable of replicating itself. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.
A similar type of destructive computer program is known as a Trojan horse. A Trojan horse masquerades as a benign application, such as a utility application. Unlike a virus, a Trojan horse does not replicate itself; however, Trojan horse programs can be just as destructive as computer viruses. For example, a particularly insidious type of Trojan horse masquerades as a program to rid a computer system of viruses, but instead introduces viruses onto the computer system. As used herein, the term "computer virus" is used to collectively refer to any type of inadvertently-introduced destructive computer code on a computer system, including viruses, worms, and Trojan horses.
In order to detect these harmful programs and code, virus detection programs have become increasingly available. These virus detection programs generally search the memory of a computer system to detect known computer viruses. The programs notify the user of a computer system when a potential virus is located, and many such programs remove any viruses that are found. In addition, most virus detection programs include an auto-update feature that enables the program to download profiles of new viruses so that the program can check for new viruses as soon as they are discovered.
A virus detection program usually contains two parts: a scanner and a file containing virus "signatures". The virus signatures are unique characteristics that identify specific viruses. A further description of antivirus scanners and signatures is set forth in U.S. Pat. No. 6,016,546, issued to Kephart et al., and entitled "Efficient Detection of Computer Viruses and Other Data Traits", which is herein incorporated by reference in its entirety. Generally, each time a new virus is discovered, the author of the virus-detection program must create a new virus signature that tells the scanner how to recognize the new virus. Because new viruses appear at a relatively rapid pace, anti-virus scanners are potentially ineffective against new viruses whose "signatures" have not been loaded into the signature file.
Many virus authors design computer viruses to acquire control of the computer system before the computer system's operating system has a chance to run any virus detection programs. This is accomplished by designing the virus to infect the boot record of the system's bootable media. For the purposes of this document a boot record shall refer to either the Master Boot Record ("MBR") associated with fixed media devices or the boot sector associated with removable media devices. Additionally, the terms hard disk and floppy disk shall be interpreted to mean any fixed or removable media, respectively. A boot record virus is a common type of virus that replaces the boot record with its own code. Because the boot record executes every time a computer system is booted from a hard disk, a boot record virus is extremely dangerous to the integrity of a computer system.
Typical approaches to dealing with boot record viruses include write protection and virus detection programs. In the write protection approach, the contents of the boot record may only be read but may not be modified, thus inhibiting infection by a boot record virus. A drawback to the write protection approach, however, is that it can be easily circumvented. That is, the write protection approach usually works by having code in the basic input/output system ("BIOS") enforce the prohibition on writing to the boot record. This works to prevent contamination when the virus attempts to use BIOS routines for accessing the boot record, but is circumvented when the infecting program writes directly to the hardware. Another pitfall of the write protection approach is that it potentially inhibits useful processing within the computer system. Some software applications, such as boot loaders, boot managers, and media formatters, legitimately need to write to the boot record. In order for such applications to operate properly, the "write protection" for the boot record must be disabled, leaving the boot record vulnerable to infection.
Virus detection programs that are designed to detect boot record virus infection typically provide notification but do not generally provide for recovery from the virus. One such virus detection scheme is presented in U.S. Pat. No. 5,509,120, issued to Merkin et al., and entitled "Method and System for Detecting Computer Viruses During Power On", which is herein incorporated by reference in its entirety. Merkin '120 discloses a scheme that computes an "uncontaminated" cyclic redundancy check ("CRC") of the MBR and of the operating system boot record when both are known to be free of viruses. During each boot, the computer system performs a validity check by computing the CRC of the operating system and master boot records and then comparing these CRCs with the uncontaminated CRCs. If the actual and uncontaminated CRCs do not match, an error message is displayed to alert the user of possible virus contamination.
What is needed is a more robust virus detection scheme that not only detects all boot record viruses that may infect a boot record, even new ones, but that also allows the boot record to recover from a virus infection. Ideally, the virus detection scheme would allow the boot record to be modified when legitimately required.
A method, computer system, and apparatus perform boot record recovery. In at least one embodiment, a method of operating a computer system comprises determining whether a boot record is virus-free. The boot record is identified as "clean" if it is determined to be virus-free. A snapshot of the clean boot record is stored in non-volatile memory. During the boot process, the contents of the current boot record are compared with the contents of the snapshot to determine whether a mismatch exists; in at least one embodiment, this processing occurs after POST. If a mismatch does not exist, the contents of the current boot record are executed as part of the IPL process. In at least one embodiment, determining whether a boot record is virus-free includes obtaining a user input from the user of the computer system. In at least one embodiment, the current boot record resides in volatile memory.
At least one embodiment of the method further comprises reporting a message to the user if a mismatch exists between the current boot record and the snapshot. A mismatch occurs when relevant information has been altered in the current boot record. In at least one other embodiment, the contents of the snapshot are executed if the mismatch exists.
Alternatively, the user provides an input that is received as a proceed indicator. If the user-provided value in the proceed indicator is a first value, then the contents of the snapshot are executed during the IPL, thereby effecting a recovery of the boot record with the clean snapshot. On the other hand, if the user-provided value in the proceed indicator is a second value, then the contents of the current boot sector are executed during the IPL. This situation will occur when the user is aware of, and comfortable with, the change to the current boot record.
In at least one embodiment, the current boot record is restored by copying the contents of the snapshot to the current boot record if the mismatch exists. Alternatively, at least one other embodiment provides that the contents of the snapshot are overwritten with the contents of the current boot record if the mismatch exists. In at least one other embodiment, a user input is used to determine which of the prior two approaches to adopt. That is, if the contents of a proceed indicator are a first value, then the contents of the snapshot are overwritten with the contents of the current boot sector.
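The snapshot-and-compare flow described above, as an added C simulation that is not code from this disclosure: the proceed-indicator encoding, the in-memory non-volatile store, and the sample boot record are all constructed for the example, and a boot with no snapshot yet taken is assumed to proceed normally.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BOOT_RECORD_SIZE 512

/* Proceed-indicator encoding is constructed here; the text only names a "first" and "second" value. */
enum proceed { PROCEED_RESTORE_SNAPSHOT = 1, PROCEED_ACCEPT_CURRENT = 2 };
enum outcome { EXEC_CURRENT = 0, EXEC_SNAPSHOT = 1 }; /* which record gets control at IPL */

typedef struct {
    uint8_t snapshot[BOOT_RECORD_SIZE]; /* clean copy kept in non-volatile memory */
    bool valid;
} nv_store_t;

/* Snapshot only when the user input says the record is virus-free. */
bool take_snapshot(nv_store_t *nv, const uint8_t *record, bool user_says_clean) {
    if (!user_says_clean) return false;
    memcpy(nv->snapshot, record, BOOT_RECORD_SIZE);
    return nv->valid = true;
}

/* Mismatch: any byte of the current record differs from the snapshot. */
bool boot_record_mismatch(const nv_store_t *nv, const uint8_t *current) {
    return memcmp(nv->snapshot, current, BOOT_RECORD_SIZE) != 0;
}

/* Post-POST check on the in-RAM boot record. On a mismatch the proceed indicator decides:
 * restore current from the snapshot, or accept the change and refresh the snapshot (assumption: no snapshot means nothing to compare). */
enum outcome check_boot_record(nv_store_t *nv, uint8_t *current, enum proceed p) {
    if (!nv->valid || !boot_record_mismatch(nv, current)) return EXEC_CURRENT;
    if (p == PROCEED_ACCEPT_CURRENT) {
        memcpy(nv->snapshot, current, BOOT_RECORD_SIZE);
        return EXEC_CURRENT;
    }
    memcpy(current, nv->snapshot, BOOT_RECORD_SIZE); /* recovery from the clean copy */
    return EXEC_SNAPSHOT;
}

/* Constructed scenario: clean snapshot, tampered record restored, legitimate change accepted. Returns 0 when every step behaves as described, otherwise the failing step. */
int demo(void) {
    static nv_store_t nv;
    uint8_t rec[BOOT_RECORD_SIZE] = {0xEB, 0x3C, 0x90, [510] = 0x55, [511] = 0xAA}; /* constructed stub with boot signature */
    if (!take_snapshot(&nv, rec, true) || boot_record_mismatch(&nv, rec)) return 1;
    rec[0x10] ^= 0xFF;                                     /* tamper with the code area */
    if (check_boot_record(&nv, rec, PROCEED_RESTORE_SNAPSHOT) != EXEC_SNAPSHOT) return 2;
    if (boot_record_mismatch(&nv, rec)) return 3;          /* record restored */
    rec[0x10] ^= 0xFF;                                     /* e.g. a boot manager install */
    if (check_boot_record(&nv, rec, PROCEED_ACCEPT_CURRENT) != EXEC_CURRENT) return 4;
    return boot_record_mismatch(&nv, rec) ? 5 : 0;         /* snapshot refreshed */
}
```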
In at least one embodiment, a computer system that performs virus detection and recovery comprises a processor and a basic input/output system (BIOS) memory coupled to the processor. The BIOS memory includes a module that determines whether a boot record is virus-free and a module that, if the boot record is virus-free, identifies the boot record as a clean boot record. The BIOS memory also includes a module that stores a copy of the clean boot record in a non-volatile memory to create a snapshot. The BIOS memory also includes a module that compares the contents of a current boot record with the snapshot to determine if relevant discrepancies exist, resulting in a mismatch. If a mismatch exists, another module in the BIOS executes the contents of the current boot record. At least one embodiment of the module that determines whether the boot record is virus-free receives a user input. In at least one embodiment, the user input is an indication of whether the user believes the boot record to be virus-free.
In at least one embodiment, an apparatus that performs virus detection and recovery comprises a computer-readable medium having a computer program accessible therefrom. The computer program includes a module that determines whether a boot record is virus-free. The computer program also includes a module that identifies the boot record as a clean boot record if it is determined to be virus-free. Another module stores a copy of the clean boot record in a non-volatile memory to create a snapshot of the clean boot record. Another module compares the contents of a current boot record with the snapshot to determine whether a mismatch exists. Another module executes the current boot record if the mismatch exists. One skilled in the art will recognize that the modules on the computer-readable medium may be separate software programs or may simply be logically distinct portions of the same software program.
In at least one embodiment, the computer-readable medium is a BIOS memory. In another embodiment, the computer-readable medium is any floppy disk, hard disk, or any other non-volatile storage medium.