Method and System to Recover From Virus Damage by Transactionalizing Program Operations

IP.com Disclosure Number: IPCOM000031851D
Original Publication Date: 2004-Oct-14
Included in the Prior Art Database: 2004-Oct-14
Document File: 2 page(s) / 40K

Publishing Venue

IBM

Abstract

This article addresses the shortcomings of current antivirus software in recovering from malware damage. It outlines a recovery mechanism that applies transaction principles to file-system and other operating-system operations.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Antivirus software scans existing files and disk input/output streams to identify known malware. Malware includes viruses and worms that either exploit flaws in running processes, such as an Apache or FTP daemon, or run on their own as separate processes.

Once a virus or worm is identified, antivirus software tries to clean the infection from the system, either by deleting or by quarantining files. Depending on the complexity of the damage done by the virus, the antivirus software may or may not be able to undo the effects of the infection. Available systems can usually undo simple, well-characterized changes: if a Registry key was changed, for example, that change is reverted. Correcting the damage becomes much harder when a multi-step process is involved, or when the changes are not simple to describe, for example random corruption of a file on a disk drive.

This article provides a mechanism to identify and undo the changes that malware causes on an infected system. The core idea is to model the changes a program makes to a computer system as a transaction, with the transaction's start and end (commit or abandonment) driven by an assessment of the program's operation sequence.

By applying the principles of journaling file systems (JFS) and log-structured file systems (LFS), and by expanding the scope of a transaction to span a process's lifetime, it is possible to identify and roll back the system modifications made by malware processes.
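The following is an added illustration of that idea and is not code from the IBM disclosure. It implements a process-scoped undo journal in Python: every mutating file operation is logged with its pre-image before it is applied (write-ahead, as a journaling file system does), and at the end of the process's lifetime a verdict over the logged operation sequence either commits (discards the journal) or rolls back (replays the journal in reverse). The operation names, the verdict heuristic in `assess`, the constructed "process" in `simulate` and all file names are assumptions made for the example.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

# Added example of a process-lifetime undo journal. Not the disclosure's code;
# the operation set, the verdict heuristic and the sample process are assumed.


@dataclass
class JournalEntry:
    op: str                     # "write", "unlink" or "rename"
    path: str                   # file the op changed (the destination for rename)
    pre_image: Optional[bytes]  # bytes on disk before the op; None = did not exist
    src: Optional[str] = None   # rename only: where the data came from


class ProcessTransaction:
    """Undo log whose scope is one process's lifetime.

    Each operation is journaled *before* it is applied, so the journal is
    complete even if the process is killed mid-operation. commit() drops the
    journal; rollback() replays it most-recent-first, restoring pre-images.
    """

    def __init__(self) -> None:
        self.log: list[JournalEntry] = []
        self.active = True

    @staticmethod
    def _snapshot(path: str) -> Optional[bytes]:
        if not os.path.exists(path):
            return None
        with open(path, "rb") as f:
            return f.read()

    def _check(self) -> None:
        if not self.active:
            raise RuntimeError("transaction already ended")

    def write(self, path: str, data: bytes) -> None:
        self._check()
        self.log.append(JournalEntry("write", path, self._snapshot(path)))
        with open(path, "wb") as f:
            f.write(data)

    def unlink(self, path: str) -> None:
        self._check()
        self.log.append(JournalEntry("unlink", path, self._snapshot(path)))
        os.unlink(path)

    def rename(self, src: str, dst: str) -> None:
        self._check()
        # The destination may be overwritten, so its pre-image is what gets restored.
        self.log.append(JournalEntry("rename", dst, self._snapshot(dst), src=src))
        os.replace(src, dst)

    def commit(self) -> int:
        """Accept the process's changes; return how many entries were discarded."""
        self._check()
        self.active = False
        n = len(self.log)
        self.log.clear()
        return n

    def rollback(self) -> int:
        """Undo every logged operation in reverse order; return how many were undone."""
        self._check()
        self.active = False
        for e in reversed(self.log):
            if e.op == "rename":
                os.replace(e.path, e.src)      # move the renamed data back to its source
            if e.pre_image is not None:
                with open(e.path, "wb") as f:  # restore the bytes that were there before
                    f.write(e.pre_image)
            elif os.path.exists(e.path):
                os.unlink(e.path)              # the op created the file; remove it
        n = len(self.log)
        self.log.clear()
        return n


def assess(log: list[JournalEntry], own_dir: str) -> str:
    """Toy verdict over the operation sequence (an assumption for this example):
    a process that overwrites or deletes files that already existed outside its
    own working directory is judged malicious, otherwise benign."""
    for e in log:
        if e.pre_image is not None and not e.path.startswith(own_dir):
            return "malicious"
    return "benign"


def simulate(malicious: bool) -> dict:
    """Run a constructed process inside a transaction and report the outcome."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "home", "report.txt")   # constructed user file
        own = os.path.join(root, "tmp", "work")              # the process's own directory
        os.makedirs(os.path.dirname(victim))
        os.makedirs(own)
        with open(victim, "wb") as f:
            f.write(b"quarterly numbers")

        tx = ProcessTransaction()
        scratch = os.path.join(own, "scratch.dat")
        payload = os.path.join(own, "payload.bin")
        result = os.path.join(own, "result.dat")
        tx.write(scratch, b"intermediate")
        if malicious:
            tx.write(victim, b"\x00" * 17)   # random-looking corruption of a user file
            tx.rename(scratch, payload)
        else:
            tx.rename(scratch, result)

        verdict = assess(tx.log, own)
        undone = tx.rollback() if verdict == "malicious" else 0
        if verdict == "benign":
            tx.commit()
        snap = ProcessTransaction._snapshot
        return {"verdict": verdict, "undone": undone, "victim": snap(victim),
                "scratch": snap(scratch), "payload": snap(payload), "result": snap(result)}
```

Rolling back in reverse order matters: by the time the `rename` entry is undone, every later change to the destination has already been reverted, so the data sitting at the destination is exactly what the rename moved there. The pre-image approach also covers the "random corruption of a file" case the text singles out, since recovery needs no knowledge of what the malware wrote, only of what was there before.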

Available antivirus solutions are effective at undoing simple and well-known damage. Other tools, such as the ptrace system call and strace, provide mechanisms to identify a program's low-level operations. Several systems also provide point-in-time file-system snapshots and the ability to roll back to a predetermined state. This article suggests tagging operations in a tra...