Field of the Invention
The present invention relates to a method for detecting the presence of malicious code infections on a computer system. More particularly, the present invention is in the technical field of computer security, which includes computer forensics, and addresses the limitations of existing malicious code scanning technology.
Description of the Related Art
When a computer device is infected by malicious code, the user will often notice degradation of system performance, as the infection can create unwanted and time-consuming system activity, excessive memory usage, and bandwidth-consuming network traffic. These factors can also cause instability problems leading to application or system-wide crashes. The user of an infected device may incorrectly assume that poor performance is the result of software flaws or hardware problems and take inappropriate remedial action, when the actual cause is a malicious code infection of which they are unaware.
Existing prior art from commercial computer security vendors uses many different forms of software to detect and attempt to remove instances of malicious code. This software can make use of various methods to detect malicious code infections, including scanning files on the computer as well as allowing suspicious files to execute in a “sand-box” environment to determine their scope and purpose. Integrity checking and heuristic analysis are other proven scanning techniques. Malicious code scanning generally involves examining files for a fingerprint, or “signature”, that is characteristic of an executable program known to contain malicious code.
Detecting the presence of malicious code infections is challenging, as the authors of malicious code design their software to be difficult to detect, often employing obfuscation techniques that deliberately hide the presence of malicious code infections on a computer system. For example, the application or program containing the malicious code may not be displayed in reports designed to inform the user or administrator of the processes currently running on the compromised computer.
When files on a computer system are scanned for malicious code infections, several operations are performed in a specific sequence. Preliminary actions are simple and quick verifications that can be used to rule out the possibility that the file contains malicious code. Examples of operations performed early in the scanning process include comparing checksums, file header information, the number of file sections, and other file properties that typically differ between clean and infected files. By performing these functions in a prescribed sequence in which each step takes longer than the previous one, the entire scanning process becomes quicker, as the easier aspects of malicious code identification are tested first. In all cases, the last step in all commercial and open source scanning solutions is an attempt to remove the malicious code infection without causing additional harm to the compromised computer or its data. The present invention does not support this last step, as the forensic image being analyzed for malicious code is a “read-only” file.
While existing commercial and open source malware vendors all serve the same purpose, the identification and removal of malicious code, their success rates vary significantly. The digital signatures used to identify instances of malicious code infections are closely guarded intellectual property. As a result, the effectiveness of any malware detection product is directly linked to the number of malicious code signatures it is aware of, which is typically a function of the vendor's independent research. Digital signatures are not shared among competitors. As a result, it is possible to scan a computer for malicious code using vendor X's product and find nothing indicating an infection, whereas vendor Y's product would find the infection due to its more advanced knowledge of emerging instances of malicious code and their digital signatures. Recent research has established that most commercial malware products only identify, on average, 90% of known malicious code infections.
To be effective, commercial malware products need to take control of the file system of the computer on which they are installed. This control enables them to prevent an infected file from infecting other files, spreading the malware to other files on the same computer or, in the worst case, infecting other computer systems. But this need to be in control of the file system comes at a cost. Using prior art arrangements, only one commercial malware product can be installed on a computer system at a time. Trying to install multiple malware detection products on a single computer system typically results in a deadly embrace, where both products fight for absolute control of the file system. This deadly embrace results in a malfunctioning computer, as each malware detection product sees the other as an adversary launching a malicious attack designed to take control of the file system. This “one only” installation limitation puts the user at a further disadvantage, in that the malware detection product currently installed may have limited knowledge of new emerging viruses and, as a result, is likely to report that a computer system is “clean” when in fact it is infected with malicious code.
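As an added illustration of the cost-ordered scanning sequence described above (checksum, then header, then section count, then signature match) and of the vendor-signature gap described in the last two paragraphs, the following Python example, which is not code from the patent or from any vendor's engine, runs a read-only scan over sample files with two hypothetical, non-shared signature sets. All file contents, hashes, vendor labels and byte patterns are constructed for the example.

```python
import hashlib
import struct

# Constructed sample "files" carved from a read-only forensic image (synthetic, not real malware).
def make_pe(sections, payload):
    # Minimal DOS stub: "MZ", e_lfanew at offset 0x3C pointing at the PE signature,
    # then a COFF header whose NumberOfSections field sits at PE offset + 6.
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)
    coff = b"PE\x00\x00" + struct.pack("<HH", 0x14C, sections)
    return dos + coff + b"\x00" * 14 + payload

CLEAN_PE = make_pe(3, b"ordinary program bytes")
INFECTED_PE = make_pe(3, b"padding" + b"FAKE_SIG_ALPHA" + b"padding")
INFECTED_PE_2 = make_pe(9, b"padding" + b"FAKE_SIG_BETA")
TEXT_FILE = b"just a text document\n"

# Stage 1 data: checksums of files already known to be clean (constructed).
KNOWN_GOOD_SHA256 = {hashlib.sha256(CLEAN_PE).hexdigest()}
# Hypothetical signature sets of two vendors; note they only partly overlap.
VENDOR_X = {"X.Trojan.1": b"FAKE_SIG_ALPHA"}
VENDOR_Y = {"Y.Trojan.7": b"FAKE_SIG_BETA", "Y.Trojan.9": b"FAKE_SIG_ALPHA"}

def section_count(data):
    """Read NumberOfSections from the COFF header; None if the PE signature is absent."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 6)[0]

def scan_file(data, signature_sets):
    """Cheapest check first; a stage that settles the verdict stops the later, slower ones."""
    if hashlib.sha256(data).hexdigest() in KNOWN_GOOD_SHA256:
        return {"stage": "checksum", "verdict": "clean", "matches": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"stage": "header", "verdict": "not-executable", "matches": []}
    sections = section_count(data)
    if sections is None:
        return {"stage": "sections", "verdict": "malformed", "matches": []}
    # Slowest stage: byte-pattern search against every vendor's signature set.
    matches = [(vendor, name) for vendor, sigs in signature_sets.items()
               for name, pattern in sigs.items() if pattern in data]
    verdict = "infected" if matches else "clean"
    return {"stage": "signature", "verdict": verdict, "sections": sections, "matches": matches}

def scan_image(files, signature_sets):
    """files maps path -> bytes read from the image; nothing is ever written back."""
    return {path: scan_file(data, signature_sets) for path, data in files.items()}
```

Running the same image through vendor X's set alone and then through both sets shows the second infected file appearing only when vendor Y's signatures are included.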