Method for recovery of a computer program infected by a computer virus
First Claim
1. A method of restoring a computer program infected by a computer virus comprising:
- (a) generating a unique fingerprint for a computer program prior to said computer program being infected;
(b) generating a first string which is a transitive function of a first plurality of substrings of said computer program said function having an inverse function for calculating an unknown input given all other inputs and a value of the function;
(c) storing said unique fingerprint and said first string prior to said computer program being infected at a separate location;
(d) generating a substring of said computer program from said first string and said computer program by utilizing said inverse function;
(e) generating a fingerprint of a second string formed of a second plurality of substrings of said computer program and a trial substring generated from said computer program and said first string;
(f) comparing the fingerprint generated in step e) with the fingerprint saved at step c) and determining that said computer program can be restored if said fingerprints match;
(g) restoring said computer program as said second plurality of substrings and said trial substring if said comparison in step f) determines that restoration is possible.
3 Assignments
0 Petitions
Accused Products
Abstract
A recovery technique allows a computer program to be recovered from a program which has been infected with a computer virus. Prior to the program being infected, a unique fingerprint of the program is taken and stored along with data relating to the beginning portion of the program at a location separate from the program. A program thought to be infected is processed by generating a fingerprint of a string in the program utilizing the stored data. The fingerprint that is generated is compared with the stored fingerprint to determine whether or not the two fingerprints match. If the fingerprints match, the program is restored from the stored information and the string. If the fingerprints do not match, the value utilized to select the string can be incremented and the process repeated.
151 Citations
7 Claims
-
1. A method of restoring a computer program infected by a computer virus comprising:
-
(a) generating a unique fingerprint for a computer program prior to said computer program being infected; (b) generating a first string which is a transitive function of a first plurality of substrings of said computer program said function having an inverse function for calculating an unknown input given all other inputs and a value of the function; (c) storing said unique fingerprint and said first string prior to said computer program being infected at a separate location; (d) generating a substring of said computer program from said first string and said computer program by utilizing said inverse function; (e) generating a fingerprint of a second string formed of a second plurality of substrings of said computer program and a trial substring generated from said computer program and said first string; (f) comparing the fingerprint generated in step e) with the fingerprint saved at step c) and determining that said computer program can be restored if said fingerprints match; (g) restoring said computer program as said second plurality of substrings and said trial substring if said comparison in step f) determines that restoration is possible. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
Specification
-
- Resources
-
Current AssigneeSymantec Corporation (NortonLifeLock Inc.)
-
Original AssigneeSymantec Corporation (NortonLifeLock Inc.)
-
InventorsMann, Omri
-
Primary Examiner(s)Beausoliel, Jr., Robert W.
-
Assistant Examiner(s)LE, DIEU MINH T
-
Application NumberUS07/881,859Time in Patent Office861 DaysField of Search395/575, 380/4, 380/24, 380/25, 371/14, 371/19, 371/67.1US Class Current714/6.31CPC Class CodesG06F 11/1402 Saving, restoring, recoveri...G06F 21/565 by checking file integrityG06F 21/568 eliminating virus, restorin...
