The use of a personal computer has now become an integral part of the life of users in home and business environments. Computer users expect and, indeed, demand reliable performance of their computers and associated computer programs. In view of these expectations, developers of computer hardware and software strive to design and offer reliable computer systems that operate in a well-defined fashion. For example, if a user of a word processing program enters the appropriate keystroke to open a document, the user expects the program to open the document for operation. If the word processing program fails to operate in the expected manner, then the user can quickly grow frustrated with the program and either seek a remedy from the program provider or abandon future use of the program. Clearly, computer developers and users alike have a vested interest in the reliable performance of a computer system.
Unfortunately, a minority of computer users enjoy modifying computer systems to perform in an unintended or unexpected manner. Computer hackers with a mischievous sense of humor, as well as those with a more sinister personality, have developed computer viruses that "infect" computer files, resulting in modification of file content or alteration of operation by the underlying executable program. Typically, a virus can be executed when the infected file is loaded into memory of a computer, which allows the virus to infect other files residing on the computer.
Because viruses can often cause damage to computer files residing on a computer, the computer industry has addressed this problem by offering programs for protecting computer files from known viruses. These virus protection programs are typically implemented as utility programs separate from the executable programs that they are intended to protect from virus infection. These utility programs typically scan files residing on a local computer to determine whether a file is infected with a recognizable virus. In response to detecting an infected file, the virus protection program can alert the user about the infected file. In addition, the virus protection program can attempt to "cure" the infected file by removing the virus from the file and the local machine.
A utility program typically scans local files in response to booting the computer or during a predetermined time period of computer operation. Alternatively, if a user accesses a file on a local machine, the utility program can scan the file at that time. Because utility programs typically offer virus protection by scanning files residing on a local machine, these utility programs can fail to address certain file events that may arise in a computer network environment, such as accessing a file on a remote server. For example, a utility program cannot scan a file that resides outside of the local user's machine, such as a file accessed via a remote server.
In mid-1995, Microsoft Corporation, the developer of the popular "WORD" word processing program, faced the problem of contamination of word processing documents by a virus readily distributed over computer networks. The virus, which Microsoft called the "WORD Prank Macro" virus or the "Concept" virus, could infect all documents that a user saved in the "WORD" program after the program loaded an infected file on the user's machine. This macro virus could attack a document by inserting a copy of itself into the data file. To quickly address this problem, Microsoft offered users a "patch" solution which was implemented as a set of routines separate from the "WORD" program. A user could obtain the patch program, known as "scanprot.dot," from Microsoft Corporation by downloading the routines from a remote server on the Internet. Once installed, the patch could trap certain known open file events and, in response, examine a file to be opened for possible virus infection. In the event that a file containing a component associated with a virus was detected, the patch program would advise the user of the potential risk of opening the suspicious file.
Although the patch solved the virus problem for many users of the "WORD" program, this patch solution suffered from the inherent disadvantage of being separate from the word processing program. In contrast to built-in protection, the patch represents a set of routines that a user must install and operate to obtain virus protection. In a large corporate computing environment, the installation and administration of a separate virus protection program for a large group of users represents a significant project for an MIS department. Indeed, if by inadvertent error the patch is not installed for a single user in this corporate computing environment, this user's machine could become infected with the virus, resulting in the spread of the virus to data files on the machine. The virus can then spread to other non-protected machines connected to the user's machine. Consequently, there is a need for a virus protection mechanism that is implemented as an integral component of an executable program, such as a word processing program.
Although the patch can offer protection of a file for selected open file events, the separate implementation of the patch prevents this solution from handling all open file events. For a word processing program, such as the "WORD" program, one will appreciate that there exists a wide variety of ways to open a document or file. External open events, such as selecting the "Open" command from a pull-down menu or double-clicking on a file displayed on the desktop, can be trapped by an event handler of the patch to initiate virus protection. The patch, however, cannot successfully detect all external open file events. In addition, internal open file events cannot be trapped by an external event handler because they are hidden within the internal code layer of the executable program. These internal open file events do not generate an action that is readily recognizable by a separate program, such as the patch solution. If all external and internal open file events cannot be addressed by a separate protection program, then it is possible for a hacker to circumvent the patch protection by exploiting this hole in the protection perimeter. To address external and internal open file events, it is necessary to incorporate virus protection within the executable program itself. Thus, there is a further need for a system for protecting a file or document from virus infection by including protection within the executable program compatible with these files.
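The coverage gap described above can be illustrated with a short model, added here as an example that is not code from the "WORD" program or from the patch. The document store, the `includes` field standing in for an internal open file event, and all function names are assumptions made for the illustration.

```python
# Added illustration; the document model and every name below are hypothetical.
STORE = {  # constructed sample documents
    "memo.doc": {"text": "hello", "macros": ["SampleMacro"]},
    "report.doc": {"text": "Q3 summary", "includes": ["appendix.doc"]},
    "appendix.doc": {"text": "tables", "macros": ["SampleMacro"]},
}

def has_macro(doc):
    """Constructed heuristic: any macro component makes a file suspicious."""
    return bool(doc.get("macros"))

class Editor:
    def __init__(self, store, integrated_check=False):
        self.store = store
        self.integrated_check = integrated_check
        self.warnings = []  # files the user was warned about
    def _load(self, name, seen=None):
        # Internal load routine: every open path, external or internal, ends here.
        seen = set() if seen is None else seen
        if name in seen:  # guard against include cycles
            return None
        seen.add(name)
        doc = self.store[name]
        if self.integrated_check and has_macro(doc):
            self.warnings.append(name)
        for child in doc.get("includes", []):  # internal open file event
            self._load(child, seen)
        return doc
    def menu_open(self, name):  # external open event ("Open" command)
        return self._load(name)
    def shell_open(self, name):  # external open event (double-click)
        return self._load(name)

def install_external_patch(editor):
    """Separate add-on: it can only wrap the events visible from outside."""
    for event in ("menu_open", "shell_open"):
        original = getattr(editor, event)
        def trapped(name, original=original):
            if has_macro(editor.store[name]):
                editor.warnings.append(name)
            return original(name)
        setattr(editor, event, trapped)

def warnings_for(name, integrated):
    editor = Editor(STORE, integrated_check=integrated)
    if not integrated:
        install_external_patch(editor)
    editor.menu_open(name)
    return editor.warnings
```

With the external patch, opening `report.doc` produces no warning even though it pulls in a macro-bearing file; with the check inside the load routine, the same open is flagged.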