Abstract

An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is given to the overlay module (262). The overlay module (262) calls repair routines in the foundation module (240), the overlay module (262), and the virus itself (224), as necessary, to restore over-written host bytes (228) from the infected host file (220) to their proper locations in the infected host file (220). Repairs made to the image (220") of the host file (220) in the virtual machine (216) are reflected to a back-up file (220') in the computer system (202).

Other References

• "Automated Program Analysis for Computer Virus Detection", IBM Technical Disclosure Bulletin, vol. 34, No. 2, Jul. 1991, pp. 415-416
• "Artificial Immunity for Personal Computers", IBM Technical Disclosure Bulletin, vol. 34, No. 2, Jul. 1991, pp. 150-154
• Marshall, G., "Pest Control", LAN Magazine, Jun. 1995, pp. 54-67
• Digitext, "Dr. Solomon's Anti-Virus Toolkit for Windows and DOS", S&S International PLC, Jan. 1995, pp. 1-15, 47-65, 75-77, 91-95, 113-115, and 123-142, United Kingdom
• Veldman, Frans, "Virus Writing Is High-Tech Infosecurity Warfare", Security on the I-Way '95, 1995, pp. L-1-L-16, U.S.A
• Symantec Corporation, "Norton AntiVirus for Windows 95 & Special Subscription Offer", 1995, U.S.A
• "ThunderBYTE Anti-Virus Utilities User Manual", ThunderBYTE B.V., 1995, pp. i-191, Wijchen, The Netherlands
• "Virus Infection Techniques: Part 3", Virus Bulletin, Jan. 1995, pp. 006-007, Oxfordshire, England
• "UK--Sophos Intros Unix Virus Detection Software Jan. 26, 1995", Newsbytes News Network, Jan. 26, 1995, U.S.A
• Cohen, Frederick B., "A Short Course on Computer Viruses", John Wiley & Sons, Inc., Second Edition, pp. 54-55, 199-209, 1994, U.S.A
• Veldman, Frans, "Heuristic Anti-Virus Technology", Proceedings of the International Virus Protection and Information Security Council, Apr. 1, 1994
• Karney, James, "Changing the Rules on Viruses; Trend Micro Devices Inc.'s PC Rx 4.0 virus Detection Software", PC Magazine, Aug., 1994, vol. 13, No. 14; p. NE36, U.S.A
• Wells, Joseph, "Viruses in the Wild", Proceedings of the International Virus Protection and Information Security Council, Apr. 1, 1994
• Gordon, Scott, "Viruses & Netware", Proceedings of the International Virus Protection and Information Security Council, Mar. 31, 1994
• Solomon, Alan, "Viruses & Polymorphism", Proceedings of the International Virus Protection and Information Security Council, Mar. 31, 1994
• Case, Tori, "Viruses: An Executive Brief", Proceedings of the International Virus Protection and Information Security Council, Mar. 31, 1994
• Gotlieb, Leo, "End users and responsible computing: Information Management", CMA--the Management Accounting Magazine, Sep., 1993, vol. 67, No. 7, p. 13, U.S.A
• "Network Management; LAN Buyers Guide: Network Management; Buyers Guide", LAN Magazine, Aug., 1992, vol. 7; No. 8, p. 188, U.S.A
• "Anti-virus Company Claims Polymorphic Breakthrough Jul. 10, 1992", Newsbytes News Network, Jul. 10, 1992, U.S.A
• Schnaidt, Patricia, "Security; data security issues; Lesson 44; Tutorial", LAN Magazine, Mar., 1992, U.S.A
• Skulason, Fridrik, "For Programmers", Virus Bulletin, Jul. 1990, pp. 10-11, Oxon, Englan