1. Field of the Invention
The present invention relates generally to the detection of viruses in computer files and more particularly to the detection and removal of viruses in macros.
2. Description of the Related Art
The increasing use of computers and the increasing communication between vast numbers of computers has greatly facilitated and promoted the spread of computer viruses. Computer viruses are found in portions of code which are buried within computer programs. When programs that are infected with the virus are executed, the code portions are activated to provide unintended and sometimes damaging operations in the computer system.
Viruses are commonly detected using signature scanning techniques. Known viruses have extended strings, or signatures, which act like a fingerprint that can be used to detect the virus. In signature scanning, an executable file sequence is scanned to see if it includes an extended string that matches a string that is known to be a virus. When the signature or string is found within the executable file, a positive virus determination is made. Since matching to known patterns is involved, the signature scan is virtually useless against viruses whose patterns have not been previously identified. Particularly, signature scanning completely fails to detect new, unknown virus strains, and does not adequately protect against mutating viruses, which intentionally assume various shapes and forms upon replication. Additionally, since executable files (e.g., those with extensions .exe or .com) are typically scanned, viruses which do not reside in such files are not examined and therefore are not detected with signature scanning.
Many application programs support the use of macros, which are used to automatically perform long or repetitive sequences of actions. Macros are a series of instructions, including menu selections, keystrokes and/or commands, that are recorded and assigned a name or a key. Macros can be triggered by the application program, such as by pressing the key or calling the macro name. Some macros are embedded within application data files, and thus may remain hidden from the user. Additionally, macros can be arranged to execute automatically, without user input. Thus, a macro which the user does not know about and which does not need manual triggering by the user may reside in files such as application data files. Certain viruses reside in macros and use macro instructions to perform unintended and sometimes damaging actions. These viruses are referred to as macro viruses. One problem with macro viruses is that they avoid executable file scanners, since they typically do not reside in executable files. Additionally, macro viruses avoid detection since they can be hidden or embedded within files such as application data files. Furthermore, there are a tremendous number of computer users who know how to use macro programming languages, so the number and variation of macro viruses is extremely high. Accordingly, even if signature scanning techniques were used to detect viruses in macros, they would be ineffective since there are numerous unknown macro viruses. Additionally, even if a comprehensive signature scanner were available, it would quickly become obsolete because of the ongoing generation and production of new, unknown macro viruses.
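The blind spots described in the two paragraphs above, shown as an added example that is not part of the original text: a minimal signature scanner in Python run over constructed, harmless byte strings. The signature name, marker strings and file names are assumptions made for illustration.

```python
import os

# Hypothetical signature database: one known pattern (constructed, harmless).
SIGNATURES = {"Demo.A": b"COPYSELF-TO-ALL-FILES"}

# Conventional scanners of this kind only open executable files.
SCANNED_EXTENSIONS = {".exe", ".com"}


def scan_file(name, data):
    """Return the list of matching signature names, or None if the file
    type is never examined by the scanner."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in SCANNED_EXTENSIONS:
        return None  # data files are skipped, so embedded macros go unseen
    # Exact byte-string match: any change to the pattern defeats it.
    return [sig_name for sig_name, sig in SIGNATURES.items() if sig in data]


# Constructed sample "files" (placeholder bytes, not real file formats).
SAMPLES = {
    # Known strain inside an executable: detected.
    "known.exe": b"\x4d\x5a\x00" + b"COPYSELF-TO-ALL-FILES" + b"\x00",
    # Same behaviour, slightly altered bytes (a mutated strain): missed.
    "mutated.exe": b"\x4d\x5a\x00" + b"COPYSELF-to-ALL-FILES" + b"\x00",
    # Known pattern carried in a macro embedded in a data file: never scanned.
    "report.doc": b"Quarterly report text " + b"COPYSELF-TO-ALL-FILES",
    # Clean executable: no match.
    "clean.exe": b"\x4d\x5a\x00" + b"ordinary program bytes",
}


def run_scan(samples):
    """Scan every sample and return {file name: scan result}."""
    return {name: scan_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in run_scan(SAMPLES).items():
        if result is None:
            verdict = "not scanned (non-executable)"
        elif result:
            verdict = "infected: " + ", ".join(result)
        else:
            verdict = "no known signature"
        print(f"{name:12} {verdict}")
```

Only `known.exe` is flagged; the mutated strain and the data file carrying the same pattern both pass, which is the gap the text attributes to signature scanning.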
Conventional virus treatment techniques are also inadequate for treating macros with viruses. These techniques look for particular, known viruses and apply a specific correction technique dependent upon the particular virus detected. Because of the vast array of unknown macro viruses, such techniques are not very effective in the treatment of macros which are infected by viruses. Even if unknown macros were detected, merely deleting the file with the infected macro is not an attractive solution, since infected macros often include legitimate operations that the user may want to retain. Thus, there is a need to selectively remove viruses, particularly unknown viruses, from macros to provide a clean, corrected file which can be subsequently used.
Another problem is that viruses, and therefore the information that is needed to detect them, are in a constant state of change. Thus, a virus detection method and apparatus which facilitates easy updates of virus detection information is needed. In particular, detection information for unknown macro viruses that can be easily modified is required.
Thus, there is a need for the detection of viruses which reside in macros. Moreover, there is a need for detecting unknown macro viruses, for cleaning macro viruses selectively, and for conveniently updating macro virus detection information.