The Internet is a global, publicly accessible network of interconnected computer networks, which has long been employed by users for communicating and for sharing information. As the Internet continues to evolve, the risk of a user's computer system and/or a computer network being infiltrated by malware (e.g., malicious code) also increases. Once the malware has infiltrated a user's computer system and/or computer network, extensive damage may occur. For example, the malware may be designed to delete files, rewrite the operating system's (OS) registry, install and/or modify components, and/or corrupt hard drives, etc. Therefore, detecting and/or removing malware more efficiently and intelligently is a critical task for individuals and organizations alike.
Some types of malware, such as rootkits, are particularly difficult to detect since they may be capable of hiding their presence from other applications, such as malware scanning engines or anti-virus engines. To facilitate discussion, these types of malware are herein referred to as stealth malware. Typically, stealth malware may infiltrate a user's computer system and/or computer network by, for example, modifying the boot-up sequence, installing configuration files, installing system programs, and/or installing registry keys, etc., within a computer system.
Consider the situation wherein, for example, a stealth malware has infiltrated a user's computer system and installed registry keys within the user's computer system's OS registry. Once the user powers on the computer system, the Basic Input/Output System (BIOS) initiates and accesses a program boot sector, invoking the program boot sector to call an OS loader. The OS loader may be configured to load the computer's OS registry into memory. As part of the boot-up sequence, the computer system then verifies the registry keys and loads the application programs and drivers required to run at start-up.
Since the stealth malware has modified the registry keys of the user's computer system, the stealth malware programs are configured to be launched during start-up (e.g., during the OS boot-up sequence). Therefore, the stealth malware may already be running and masking its presence before an anti-virus engine has the opportunity to discover the malicious code. Thus, extensive damage to the user's computer system and/or computer network may occur before the user becomes aware of the presence of the stealth malware.
Detection and removal of stealth malware with an anti-virus engine or even by manual inspection can be difficult. For example, stealth malware may actively block other applications from detecting and/or removing the malicious code by hiding the registry keys the stealth malware has installed within the OS registry. Since the stealth malware is unable to actively hide its presence when the OS is dormant, one technique for detecting stealth malware has been to put the OS into a dormant state.
Once the OS is in a dormant state, a dormant OS scan may be performed. As the term is employed herein, dormant OS scan refers to the technique of shutting down the supposedly infected OS and scanning the entire hard disk while the infected OS is in a dormant state. By scanning the entire hard disk while the infected OS is in a dormant state, the stealth malware is prevented from actively hiding its presence (such as, for example, preventing the detection and removal of the malicious registry keys).
Traditionally, in order to execute a dormant OS scan, scanning is performed on the dormant OS using a second OS, which has not been infected. For example, once the first OS, which is suspected to be infected, has been shut down, the hard drive containing the first OS may be removed and installed in another computer system that has a second, uninfected OS. Generally speaking, removing a hard drive is not a task that an ordinary computer user is capable of or inclined to perform, since most ordinary computer users lack the skill and/or know-how to perform it. In addition, since the dormant OS scan requires a second computer system, the user may somehow be required to locate a second computer. Thus, for a company, the task may have to be performed by information technology (IT) personnel.
Since the stealth malware may have created many files, the clean computer system may employ an anti-virus engine to scan all of the files within the infected hard drive in order to remove most and/or all malware, including stealth malware, which may be present on the infected hard drive. Once the infected hard drive has been scanned and cleaned, the now clean hard drive may then be re-installed back into the original computer system.
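The dormant OS scan described above, reduced to its core mechanics, as an added example that is not part of the original text: the suspect disk is mounted read-only on the clean system, every regular file under the mount point is hashed, and each hash is compared against a signature set. The mount point, the directory layout and the "known-bad" hashes are all constructed for the example (the signatures are hashes of placeholder byte strings, not real malware hashes), and the function also returns how many files and bytes were read, which is the quantity that makes a whole-disk scan slow.

```python
"""Offline ("dormant OS") scan of a mounted disk tree.

Constructed example: the scanned tree is built in a temporary directory and
the signature set is derived from placeholder contents, not real malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed signature set: SHA-256 of placeholder payloads that the sample
# disk below contains. Real scanners load these from a signature database.
KNOWN_BAD_CONTENT = {
    b"constructed stealth-malware driver payload\n": "rootkit-driver-sample",
    b"constructed autostart loader stub\n": "autostart-loader-sample",
}
KNOWN_BAD_HASHES = {
    hashlib.sha256(content).hexdigest(): name
    for content, name in KNOWN_BAD_CONTENT.items()
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large images do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def dormant_scan(mount_root, signatures):
    """Walk the dormant OS's disk, mounted read-only under mount_root on the
    clean OS, and hash every regular file.

    Because the suspect OS is not running, nothing on that disk can filter
    what the walk sees, which is the point of the dormant scan.
    Returns (findings, files_scanned, bytes_scanned); findings is a sorted
    list of (relative_path, signature_name).
    """
    mount_root = Path(mount_root)
    findings = []
    files_scanned = 0
    bytes_scanned = 0
    # followlinks=False: a symlink on the suspect disk must not redirect the
    # scan outside the mount point or into a loop.
    for dirpath, _dirnames, filenames in os.walk(mount_root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            file_hash = sha256_file(path)
            files_scanned += 1
            bytes_scanned += path.stat().st_size
            if file_hash in signatures:
                findings.append((str(path.relative_to(mount_root)), signatures[file_hash]))
    return sorted(findings), files_scanned, bytes_scanned


def build_sample_disk():
    """Create a constructed stand-in for the mounted suspect disk.

    Two benign files and two files carrying the placeholder payloads above.
    """
    root = Path(tempfile.mkdtemp(prefix="dormant_disk_"))
    (root / "Windows/System32/drivers").mkdir(parents=True)
    (root / "Users/alice/Documents").mkdir(parents=True)
    (root / "Users/alice/AppData").mkdir()
    (root / "Windows/System32/drivers/ntfs.sys").write_bytes(b"benign driver image\n")
    (root / "Windows/System32/drivers/hidden.sys").write_bytes(
        b"constructed stealth-malware driver payload\n")
    (root / "Users/alice/Documents/notes.txt").write_bytes(b"meeting notes\n")
    (root / "Users/alice/AppData/loader.exe").write_bytes(
        b"constructed autostart loader stub\n")
    return root


if __name__ == "__main__":
    disk = build_sample_disk()
    hits, n_files, n_bytes = dormant_scan(disk, KNOWN_BAD_HASHES)
    print(f"scanned {n_files} files / {n_bytes} bytes under {disk}")
    for rel_path, sig in hits:
        print(f"  MATCH {sig}: {rel_path}")
```

On a real second system the mount point would be the suspect drive attached read-only (so that the scan cannot alter evidence or execute anything from it), and the walk covers the whole volume, which is why the byte count, not the number of findings, dominates the runtime the text complains about.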
Although the above-discussed dormant OS scan approach may identify and eliminate the stealth malware, the resources (people cost, time, and/or processing power) that may be consumed during the cleaning process may make the dormant OS scan method an expensive solution, especially given the large hard disk size that is typical of modern computer systems. For example, it is not uncommon for a typical modern computer system, even a consumer computer system, to have 300 GB (or more) of hard disk space. Since the dormant OS scan approach generally requires the scanning of the entire hard drive, such scanning may take many hours to complete. In addition, while the dormant OS scan is taking place, the user of the infected computer system and also the user of the clean computer system may both be deprived of the use of their computers. As a result, productivity may be negatively impacted.