As electronic connectivity, networking and automation expand in businesses and organizations, as data (information) and file transfers become faster, and as the number of unauthorized programs, viruses, malicious mobile code, spyware, etc., grows to new levels on a daily basis, there is an increasing need for a new technology that organizations can use to address these threats in a manner that is not limited by traditional file-signature methods of protecting the internal file contents of 32/64-bit Microsoft computer hard drive(s) and of the devices that connect to 32/64-bit Microsoft computers.
As an example, a 32-bit or 64-bit Microsoft computer may be connected to a network, which is connected to the Internet, which is in turn connected to several other networks via gateways that are referred to in this document as “connection points”; these may allow data to be transferred automatically between any “connection point” and that particular computer. As the internal threat of corporate espionage grows on a daily basis, so does the installation of unauthorized software by the very individuals who have the authority to manage and control networks. The terms Microsoft PC, Microsoft Server, Microsoft computer, Microsoft 32-bit computer, and any other similar variations and combinations using Microsoft to describe a specific computer, device and/or server may be used interchangeably to mean a computer, device and/or server on which a Microsoft operating system (O/S) is implemented.
The overall problem that exists in most of the technology utilized in today's modern computing environment is that the number of viruses, malicious mobile code, spyware and unauthorized programs has grown so large that it requires, at a minimum, daily electronic updates to maintain a file-signature database of known viruses, etc., and receiving a daily update and scanning an individual computer for possible new viruses can take hours. Furthermore, the computer must be scanned not only for new viruses, but also for previously known viruses that are still being transmitted across the Internet. Receiving an update and scanning an individual computer requires so much network and computer resource that it significantly affects a user's ability to use a networked computer during a normal daily scan for possible viruses, etc.
Because of the problems described above, a new technology (i.e., a utility) is needed that can take advantage of an existing operating system (O/S) file management system to perform an analysis of any internal hard drive(s) in a computer (e.g., as used herein, a “Microsoft computer” is defined to include any computer running a computer and/or server O/S from Microsoft Corporation of Redmond, Wash.). The utility may determine all executable program files, regardless of the file naming convention used to name the files, and use an algorithm to establish a unique ID for each executable program file located on the hard disk. When the analysis is complete, the utility may continue to cycle (i.e., scan) all of the hard drive(s) to ensure (i.e., maintain) the integrity of each specific program file, detect any unauthorized change to any specific program file, and detect any new unauthorized program file that might be installed anywhere within the computer's internal hard drive(s).
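The baseline-and-rescan cycle described above (and the change/new-file detection the following paragraph calls for) can be illustrated with a small Python script. This is an added example, not code from the application or from any product it describes; it assumes that "regardless of the file naming convention" means recognising program files by their header bytes rather than their extension, and it uses SHA-256 as the unique-ID algorithm. It generalises slightly beyond the text by recognising ELF headers alongside the Windows "MZ" header. All sample files are constructed inside a temporary directory so the script runs offline.

```python
"""Baseline-and-rescan integrity check for executable files.

Added illustration (not from the application text): identifies program
files by their header bytes instead of their file name, records a SHA-256
digest per file as its unique ID, then rescans and reports anything new,
changed or removed.
"""
import hashlib
import os
import tempfile

# Header magic for Windows PE images ("MZ") and, as a generalisation beyond
# the Microsoft-only scope of the text, ELF binaries.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def is_executable(path):
    """True if the file starts with a known executable header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return any(head.startswith(m) for m in EXECUTABLE_MAGIC)


def file_id(path):
    """Unique ID for a program file: SHA-256 over its full contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root):
    """Walk root and map every executable file (relative path) to its ID."""
    ids = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_executable(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                ids[rel] = file_id(full)
    return ids


def compare(baseline, current):
    """Report files that appeared, changed or vanished since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: take a baseline, tamper, rescan, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Constructed sample files: a PE stub named .exe, a PE stub whose
        # name says .txt, and a genuine text file that must be ignored.
        write("bin/app.exe", b"MZ" + b"\x90" * 64)
        write("docs/notes.txt", b"MZ" + b"\x00" * 64)   # executable despite the name
        write("docs/readme.txt", b"just text\n")
        baseline = scan(root)

        # Simulate an unauthorized change to an existing program file and
        # the appearance of a new program file under an innocuous name.
        write("bin/app.exe", b"MZ" + b"\xcc" * 64)
        write("tmp/unknown.dat", b"MZ" + b"\x41" * 64)
        return baseline, compare(baseline, scan(root))


if __name__ == "__main__":
    base, diff = demo()
    print("baseline:", sorted(base))
    print("diff:", diff)
```

In practice the baseline would be persisted (and itself integrity-protected) between cycles, and the rescan loop would run at a fixed interval or on file-system change notifications rather than once, but the detection logic is exactly the diff shown here.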
Information system industry experts, who understand the latest features and capabilities of operating system (O/S) design and development and who are familiar with kernel operations, are aware that the ability to intercept kernel events is a major key to providing adequate security for an O/S. While the 32/64-bit Microsoft O/S kernel provides a mechanism to intercept many events, there is currently no known mechanism that would allow a security solution to receive a kernel event or notification that a file transfer (i.e., a file download/upload) is about to start for 100% of the programs that have the ability to transfer files in and out of a networked computer. Because no such kernel mechanism is currently available, and there are no known development plans at this time in future O/S releases (e.g., Vista) to intercept and control 100% of all program file transfer activity, a solution is needed that can detect physical changes in existing program files and detect the installation of new program files. Preferably, the solution may co-exist as an O/S utility with the O/S file management system and have the ability to independently perform an analysis (i.e., scan) and maintain the authorized integrity of every program file that exists within the Microsoft computer.