Security software encompasses a variety of applications, including system restoration after, for example, a catastrophic system failure or compromise. System restoration applications repair or restore a damaged system state by rolling back the system to a previous secure and safe state. A damaged system can result from vulnerability exploitation, system compromise, or catastrophic failure of system resources (e.g., disk failure, compromise of operating system, etc.). A damaged system may also result from unforeseen software incompatibilities, user error, etc. Images can be used to provide a restore point or safe state for rolling back a system. In some cases, images may be used to configure new equipment in a desired way, or to provide multiple environments on a single computer. Images, such as those generated by the Ghost utility application available from Symantec Corporation, may comprise “snapshots” of a system or operating environment taken at a given point in time. As used herein, the term image may comprise a disk image, such as one generated by Norton Ghost, or any other type of file or repository of data representing the state of a physical or virtual system, such as may be used to restore or configure the system, including without limitation a disk image, a virtual machine file, or backup tape or other backup medium. Images, which include files and configuration settings, may embody a virtual “system” or machine that represents a collection of files and data that can be run as a system. In the case of a Microsoft Windows-based computing environment, registries containing configuration settings may be included in the images. Other databases or files containing configuration settings for operating environments other than Windows may also be included in images.
Although a system associated with an image can be scanned for known vulnerabilities at or before the time of image creation, new vulnerabilities could occur or be discovered or exploited after the image is created, but before the image is used, e.g., in a system restoration. The use of these vulnerable images may unknowingly create an unsafe state.
While in some cases it may be possible to access all or some of the files associated with an image for purposes of performing a search of the files for the presence of suspect code, vulnerable files, or other indicia of a newly-discovered vulnerability, such a search may not be sufficient to detect and repair certain vulnerabilities, such as those that might require that the NT Windows registry (or similar configuration database) be updated, for example.
Thus, there is a need for a solution to detect and repair vulnerabilities in images prior to system restoration or other use of the image.