Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
2000-05-31
2004-09-14
Baderman, Scott (Department: 2114)
C714S036000
active
06792556
ABSTRACT:
BACKGROUND
This disclosure relates generally to computer systems and, more particularly, to a method and system for detecting, and recovering from, computer viruses during the boot process.
A problem encountered by many users of computer systems is the inadvertent introduction of computer viruses into the computer system. These computer viruses can cause unrecoverable errors and can have a large detrimental economic impact on the owner of the computer system. Computer viruses are computer programs or pieces of computer code that are loaded onto the computer system without the user's knowledge and that operate against the user's wishes. Technically, a computer virus is capable of replicating itself. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.
A similar type of destructive computer program is known as a Trojan horse. A Trojan horse masquerades as a benign application, such as a utility application. Unlike a virus, a Trojan horse does not replicate itself; however, Trojan horse programs can be just as destructive as computer viruses. For example, a particularly insidious type of Trojan horse masquerades as a program to rid a computer system of viruses, but instead introduces viruses onto the computer system. As used herein, the term “computer virus” is used to collectively refer to any type of inadvertently-introduced destructive computer code on a computer system, including viruses, worms, and Trojan horses.
In order to detect these harmful programs and code, virus detection programs have become increasingly available. These virus detection programs generally search the memory of a computer system to detect known computer viruses. The programs notify the user of a computer system when a potential virus is located, and many such programs remove any viruses that are found. In addition, most virus detection programs include an auto-update feature that enables the program to download profiles of new viruses so that the program can check for new viruses as soon as they are discovered.
A virus detection program usually contains two parts: a scanner and a file containing virus “signatures”. The virus signatures are unique characteristics that identify specific viruses. A further description of antivirus scanners and signatures is set forth in U.S. Pat. No. 6,016,546, issued to Kephart et al., and entitled “Efficient Detection of Computer Viruses and Other Data Traits”, which is herein incorporated by reference in its entirety. Generally, each time a new virus is discovered, the author of the virus-detection program must create a new virus signature that tells the scanner how to recognize the new virus. Because new viruses appear at a relatively rapid pace, anti-virus scanners are potentially ineffective against new viruses whose “signatures” have not been loaded into the signature file.
Many virus authors design computer viruses to acquire control of the computer system before the computer system's operating system has a chance to run any virus detection programs. This is accomplished by designing the virus to infect the boot record of the system's bootable media. For the purposes of this document a boot record shall refer to either the Master Boot Record (“MBR”) associated with fixed media devices or the boot sector associated with removable media devices. Additionally, the terms hard disk and floppy disk shall be interpreted to mean any fixed or removable media respectively. A boot record virus is a common type of virus that replaces the boot record with its own code. Because the boot record executes every time a computer system is booted from a hard disk, a boot record virus is extremely dangerous to the integrity of a computer system.
Typical approaches to dealing with boot record viruses include write protection and virus detection programs. In the write protection approach, the contents of the boot record may only be read but may not be modified, thus inhibiting infection by a boot record virus. A drawback to the write protection approach, however, is that it can be easily circumvented. That is, the write protection approach usually works by having code in the basic input/output system (“BIOS”) enforce the prohibition on writing to the boot record. This works to prevent contamination when the virus attempts to use BIOS routines for accessing the boot record, but is circumvented when the infecting program writes directly to the hardware. Another pitfall of the write protection approach is that it potentially inhibits useful processing within the computer system. Some software applications, such as boot loaders and managers and media formatters, legitimately need to write to the boot record. In order for such applications to operate properly, the “write protection” for the boot record must be disabled, leaving the boot record vulnerable to infection.
Virus detection programs that are designed to detect boot record virus infection typically provide notification but do not generally provide for recovery from the virus. One such virus detection scheme is presented in U.S. Pat. No. 5,509,120, issued to Merkin et al., and entitled “Method and System for Detecting Computer Viruses During Power On”, which is herein incorporated by reference in its entirety. Merkin '120 discloses a scheme that computes an “uncontaminated” cyclic redundancy check (“CRC”) of the MBR and of the operating system boot record when both are known to be free of viruses. During each boot, the computer system performs a validity check by computing the CRC of the operating system and master boot records and then comparing these CRC's with the uncontaminated CRC's. If actual and uncontaminated CRC's do not match, an error message is displayed to alert the user of possible virus contamination.
What is needed is a more robust virus detection scheme that not only detects all boot record viruses, even new ones, that may infect a boot record, but that also allows the boot record to recover from a virus infection. Ideally, the virus detection scheme would allow the boot record to be modified when legitimately required.
SUMMARY
A method, computer system, and apparatus perform boot record recovery. In at least one embodiment, a method of operating a computer system comprises determining whether a boot record is virus-free. The boot record is identified as “clean” if it is determined to be virus-free. A snapshot of the clean boot record is stored in non-volatile memory. During the boot process, the contents of the current boot record are compared with the contents of the snapshot to determine whether a mismatch exists. In at least one embodiment, this processing occurs after POST. If a mismatch does not exist, the contents of the current boot record are executed as part of the IPL process. In at least one embodiment, determining whether a boot record is virus-free includes obtaining a user input from the user of the computer system. In at least one embodiment, the current boot record resides in volatile memory.
At least one embodiment of the method further comprises reporting a message to the user if a mismatch exists between the current boot record and the snapshot. A mismatch occurs when relevant information has been altered in the current boot record. In at least one other embodiment, the contents of the snapshot are executed if the mismatch exists.
Alternatively, the user provides an input that is received as a proceed indicator. If the user-provided value in the proceed indicator is a first value, then the contents of the snapshot are executed during the IPL, thereby effecting a recovery of the boot record with the clean snapshot. On the other hand, if the user-provided value in the proceed indicator is a second value, then the contents of the current boot sector are executed during the IPL. This situation will occur when the user is aware of, and comfortable with, the change to the current boot record.
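The snapshot, compare, and proceed-indicator flow summarized above can be modeled in a few functions. This is an added example, not code from the patent or from Dell: every identifier is hypothetical, non-volatile memory is simulated by a struct, and it assumes the whole 512-byte sector counts as “relevant information” and that a system with no stored snapshot boots the current record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512

/* All names are hypothetical; the disclosure defines no API. */
enum proceed { USE_SNAPSHOT = 0, USE_CURRENT = 1 };   /* "first" / "second" value */
enum ipl_source { IPL_CURRENT, IPL_SNAPSHOT };

struct nvram {                       /* stands in for non-volatile memory */
    uint8_t snapshot[SECTOR_SIZE];
    int valid;                       /* set once a clean snapshot is stored */
};

/* Store a snapshot only when the record was confirmed virus-free. */
int store_snapshot(struct nvram *nv, const uint8_t *rec, int confirmed_clean) {
    if (!confirmed_clean) return -1;
    memcpy(nv->snapshot, rec, SECTOR_SIZE);
    nv->valid = 1;
    return 0;
}

/* Offset of the first differing byte, or -1 when the records match. */
int first_mismatch(const struct nvram *nv, const uint8_t *current) {
    for (int i = 0; i < SECTOR_SIZE; i++)
        if (nv->snapshot[i] != current[i]) return i;
    return -1;
}

/* Pick the record that IPL executes; *out points at the chosen sector. */
enum ipl_source select_ipl(const struct nvram *nv, const uint8_t *current,
                           enum proceed answer, const uint8_t **out) {
    int off = nv->valid ? first_mismatch(nv, current) : -1;  /* assumption: no snapshot, no check */
    if (off < 0) { *out = current; return IPL_CURRENT; }
    fprintf(stderr, "boot record differs from snapshot at offset %d\n", off);
    if (answer == USE_CURRENT) { *out = current; return IPL_CURRENT; }
    *out = nv->snapshot;             /* recovery: run the clean copy instead */
    return IPL_SNAPSHOT;
}

int main(void) {
    struct nvram nv = {0}; uint8_t rec[SECTOR_SIZE] = {0}; const uint8_t *run;
    rec[510] = 0x55; rec[511] = 0xAA;        /* constructed sample boot record */
    store_snapshot(&nv, rec, 1);
    rec[0] ^= 0xFF;                          /* simulate a modified record */
    puts(select_ipl(&nv, rec, USE_SNAPSHOT, &run) == IPL_SNAPSHOT ? "snapshot" : "current");
    return 0;
}
```

Unlike the CRC comparison attributed to Merkin '120 in the background, keeping the full clean copy is what makes recovery possible: a checksum can flag the change but holds nothing to execute in its place.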
In at least one embodiment, the current b
Baderman Scott
Dell Products L.P.
Haynes and Boone LLP
Lohn Joshua