This is the abbreviated version, containing approximately 76% of the total text.
NONDESTRUCTIVE VIRUS ISOLATION AND REMEDIATION
Computer virus detection today either physically scans files or scans for viruses as programs are loaded into memory. Once a virus is detected, existing tools quarantine, delete, or fix the contaminated file, which may result in loss of some data.
Computer viruses often infect existing files and, when caught, result in loss of data or functionality. Our solution would heuristically catch computer viruses before they actually attach themselves to existing files. Current AV software scans most processes as they are loaded into memory. Many, however, are loaded without being scanned, such as ActiveX controls, device drivers, services, and other system-related processes.
Use a disk I/O filter driver or a virtualized environment to temporarily isolate disk I/O (e.g. SMC virtual disk or RnR filter driver).
Assess whether any protected areas of the disk or direct disk accesses have occurred.
Examples include system registry, system kernel, device drivers, cache regions, boot areas, swap file, or other blacklisted files.
When AV updates are applied, synchronize the boundaries of the protected regions.
The process would be suspended or delayed so that the I/O can be further analyzed.
Put the requested I/O into the virtual area or isolation/sandbox area (e.g. ZFS or copy-on-write technology).
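The steps above can be modelled in user space. The following Python sketch is an added example, not code from the original disclosure: an in-memory dict stands in for the disk behind the filter driver, and the protected path prefixes, the class and method names, and the choice to isolate every later write from a flagged process are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample prefixes; the page names categories, not paths.
PROTECTED = ("/boot/", "/drivers/", "/registry/", "/swapfile")

@dataclass
class IsolatingFilter:
    disk: dict                                   # path -> bytes, stands in for the volume
    protected: tuple = PROTECTED
    overlay: dict = field(default_factory=dict)  # pid -> {path: bytes}, the sandbox area
    suspended: set = field(default_factory=set)  # pids held for analysis

    def sync_protected(self, prefixes):
        """Refresh protected-region boundaries when an AV update is applied."""
        self.protected = tuple(prefixes)

    def write(self, pid, path, data):
        hit = path.startswith(self.protected)
        if hit:
            self.suspended.add(pid)
        if pid in self.suspended:
            # Assumption: once flagged, all of the process's writes are
            # isolated, so nothing it does reaches the real disk.
            self.overlay.setdefault(pid, {})[path] = data
            return "isolated"
        self.disk[path] = data
        return "passed"

    def read(self, pid, path):
        # A held process sees its own isolated writes; everyone else sees the disk.
        return self.overlay.get(pid, {}).get(path, self.disk.get(path))

    def resolve(self, pid, malicious):
        """End analysis: discard the overlay if malicious, else commit it."""
        pending = self.overlay.pop(pid, {})
        self.suspended.discard(pid)
        if not malicious:
            self.disk.update(pending)
        return sorted(pending)

def demo():
    disk = {"/boot/mbr": b"clean", "/home/a.txt": b"doc"}   # constructed sample data
    f = IsolatingFilter(disk)
    results = [f.write(7, "/home/a.txt", b"edit"),      # ordinary write
               f.write(9, "/boot/mbr", b"evil"),        # touches a protected area
               f.write(9, "/home/a.txt", b"infected")]  # same process, now held
    seen = f.read(9, "/boot/mbr")
    dropped = f.resolve(9, malicious=True)
    return results, seen, dropped, disk
```

Because the flagged process's writes only ever land in the overlay, remediation is a matter of dropping that overlay; the original files are never modified and nothing has to be repaired or quarantined.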