The present invention relates generally to a virus detection system and method, and more particularly, to a system and method for bi-directional updating of a virus database.
A huge surge in computer viruses has occurred in the last decade. Computer viruses have gone from an academic curiosity to a persistent, worldwide problem. Today, viruses affect vast numbers of computers in locations throughout the world. A computer virus is generally a manmade destructive computer program or code that is loaded onto a computer system without the knowledge of the user. The computer virus is often a self-replicating program containing code that explicitly copies itself and can infect other programs by modifying them or their environment. Even a simple virus can be dangerous as the virus can quickly use a large portion of the available memory and possibly bring down the computer system.
Viruses can be written for, and spread on, virtually any computing platform. A virus can infect, or become resident in almost any software component, including an application, operating system, system boot code, or device driver. Computer viruses spread by attaching themselves to other programs (e.g., word processing or spreadsheet applications) or to a boot sector of a disk. When an infected file is activated or executed, or when the computer is started from an infected disk, the virus is also executed and attempts to infect other files. Since a virus is software code, it can be transmitted along with any legitimate software that enters the computer environment. Some viruses are capable of transmitting themselves across networks and bypassing security systems. For example, a virus can spread to files on a local area network (LAN) based file server, and from there to other client systems attached to the server. Similarly, systems that run programs from wide area network (WAN) file servers can become infected if the programs on the server are susceptible to infection. In the networked world of the Internet, viruses can rapidly spread.
The term virus generally refers to any destructible or harmful program or code that attempts to hide its possibly malicious function or tries to spread onto as many computers as possible. One common type of virus is a macro virus which is encoded as a macro embedded in a document. Many applications support macro languages which allow the user to embed a macro in a document and have the macro execute each time the document is opened. Once a computer system is infected with a macro virus, the virus can embed itself in all future documents created with the associated application.
Another common virus is a boot sector virus which replaces the computer system's master boot record with its own code. The boot sector virus is a small program executed each time a computer boots. The virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot process. Since the master boot record executes every time the computer is started, the boot sector virus can be very dangerous to the integrity of the computer system. The boot sector virus typically enters the computer system through a floppy disk installed in the floppy drive when the computer system is started.
Another type of virus, which is often difficult to detect, is a polymorphic virus. This virus produces varied but operational copies of itself. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes.
A Trojan horse is another type of virus which masquerades as a legitimate software program. The Trojan horse generally does not replicate. It waits until its trigger event occurs and then displays a message or destroys files or disks.
A computer worm is another type of virus that can replicate itself and use memory but cannot attach itself to other programs. The computer worm is a self-contained program, or set of programs, that is able to spread functional copies of itself or its segments to other computer systems, usually via network connections. Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. Network worms consist of multiple parts (called “segments”), each running on different machines and using the network for several communication purposes.
Many antivirus programs have become commercially available for protection against viruses. There are three main types of antivirus software: activity monitors, integrity checkers, and scanners. Activity monitoring programs attempt to prevent infection before it happens by looking for virus type activity, such as attempts to reformat a disk. Integrity checkers compute a small checksum or hash value for files which are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. These programs catch unknown viruses as well as known ones. Integrity checkers may be called to check entire disks or they may be resident, checking each program that is about to be executed.
Scanners are the most widely used type of antivirus program. Virus scanners generally operate in batch mode, scanning all files on a system, hard disk, or floppy disk, when requested by the user, or at set intervals. They look for known viruses by searching disks and files for scan strings or patterns. A scanner may be designed to examine specified disks or files on demand, or it may be resident, examining each program that is about to be executed. Most scanning programs include an update feature that allows the antivirus program to download profiles of new viruses from the Internet or network resources so that the program can check for new viruses soon after they are discovered. Most scanners also include virus removers which are operable to clean infected files. One example of an antivirus scanner is McAfee's VSHIELD brand antivirus scanner.
In order to identify computer viruses, a virus-scanning engine is generally provided in combination with one or more files called antivirus data files. The virus-scanning engine scans a user's computer files by means of an evaluation of each file against the antivirus data files. The virus-scanning engine detects the viruses, and then cleans or disinfects the files and systems with an antivirus data file that has been created to counteract the damage created by the detected virus. Viruses are continuously being created that are harmful to files and systems, thus, the systems must be continuously updated with the latest antivirus data file so that the systems can be scanned and cleaned with the latest antivirus data file through virus detection programs.
Importantly, if the signature of a certain virus is not contained in any of the antivirus data files, that virus will not be detected by the virus-scanning engine. Generally, such antivirus data files are updated as new viruses are being discovered.
When a conventional system performs an update to a virus database, the application downloads the latest virus database (e.g., *.DAT or dat) files from the Internet or a network resource. For example, a computer virus scanning product such as McAfee's VIRUSSCAN or GROUPSHIELD EXCHANGE brand computer virus scanning product may be used to download the latest dat files from the Internet or from a network resource. These types of updates are referred to as ‘unidirectional’ updates since the update is received from a remote source and downloaded to the local computer where the update takes place. Updates to the local computer's virus database are typically scheduled to occur periodically. However, a user may also manually download updated dat files from a virus protection web site, for example, if the user suspects that his computer is infected with a new virus. A drawback to unidirectional updating is that a user may manually download a new virus file update, find a virus on his computer, and not notify a system administrator that the virus has been detected. In this case, the virus may spread throughout the network for hours or days before it is identified by the system administrator or the update is installed on the network resource and the virus is detected on other computers within the network.
There is, therefore, a need for a system and method for local computers within a network to notify the network resource of a new virus so that other local computers can be checked for the virus before it has a chance to spread throughout the network.