Method and apparatus for protecting a computer system from computer viruses

US 5,511,184 A
Filed: 10/22/1993
Issued: 04/23/1996
Est. Priority Date: 04/22/1991
Status: Expired due to Term

First Claim

Patent Images

1. A computing system which is protected against a virus, the system having a boot loading means for loading a boot program into the system from a storage means, wherein the storage means contains a first plurality of interrupt vectors which are sent to the system prior to loading the boot program, the system comprising:

a read-only memory for storing a first program;

first program executing means for executing the first program when the system is turned on and prior to loading said boot program, said first program comprising;

vector generating means for generating a second plurality of interrupt vectors;

vector comparing means for comparing said first plurality of interrupt vectors to said second plurality of interrupt vectors; and

signaling means for generating a first signal if said first plurality of interrupt vectors is equivalent to said second plurality of interrupt vectors, and for generating a second signal if said first plurality of interrupt vectors is not equivalent to said second plurality of interrupt vectors;

boot program executing means for executing the boot program after the first program executing means executes the first program and only upon receipt of said first signal;

vector generating means for generating a third plurality of interrupt vectors;

vector comparing means for comparing said first plurality of interrupt vectors to said third plurality of interrupt vectors;

signalling means for generating a third signal if said first plurality of interrupt vectors is equivalent to said third plurality of interrupt vectors, and for generating a fourth signal if said first plurality of interrupt vectors is not equivalent to said third plurality of interrupt vectors; and

write control means for controlling writes into the storage means, the write control means including write preventing means for preventing writes to the storage means until said third signal is received.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for protection against attack by computer virus. Detection and prevention of a virus attack at boot time is achieved by write-protecting the storage devices of the system before the booting process and by detecting the presence of virus by checking integrity of the interrupt vectors of the system. Similar checks may be run on the system modules, device drivers, and application programs, using, for example, a checksum to insure that no further viruses are present in those programs.

133 Citations

10 Claims

1. A computing system which is protected against a virus, the system having a boot loading means for loading a boot program into the system from a storage means, wherein the storage means contains a first plurality of interrupt vectors which are sent to the system prior to loading the boot program, the system comprising:
- a read-only memory for storing a first program;
  
  first program executing means for executing the first program when the system is turned on and prior to loading said boot program, said first program comprising;
  
  vector generating means for generating a second plurality of interrupt vectors;
  
  vector comparing means for comparing said first plurality of interrupt vectors to said second plurality of interrupt vectors; and
  
  signaling means for generating a first signal if said first plurality of interrupt vectors is equivalent to said second plurality of interrupt vectors, and for generating a second signal if said first plurality of interrupt vectors is not equivalent to said second plurality of interrupt vectors;
  
  boot program executing means for executing the boot program after the first program executing means executes the first program and only upon receipt of said first signal;
  
  vector generating means for generating a third plurality of interrupt vectors;
  
  vector comparing means for comparing said first plurality of interrupt vectors to said third plurality of interrupt vectors;
  
  signalling means for generating a third signal if said first plurality of interrupt vectors is equivalent to said third plurality of interrupt vectors, and for generating a fourth signal if said first plurality of interrupt vectors is not equivalent to said third plurality of interrupt vectors; and
  
  write control means for controlling writes into the storage means, the write control means including write preventing means for preventing writes to the storage means until said third signal is received.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer system according to claim 1 further comprising:
    - driver loading means for loading an I/O driver program into the system only after receipt of said third signal;
      
      driver program executing means for executing the I/O driver program after the boot program executing means executes the boot program;
      
      vector generating means for generating a fourth plurality of interrupt vectors;
      
      vector comparing means for comparing said first plurality of interrupt vectors to said fourth plurality of interrupt vectors;
      
      signalling means for generating a fifth signal if said first plurality of interrupt vectors is equivalent to said fourth plurality of interrupt vectors, and for generating a sixth signal if said first plurality of interrupt vectors is not equivalent to said fourth plurality of interrupt vectors; and
      
      wherein the write preventing means includes means for preventing writes into the storage means while the I/O driver program is executing and until said fifth signal is received.
  - 3. The computer system according to claim 1, wherein said information includes a normal system driver checksum for a system driver program, said computer system further comprising:
    - system driver loading means for loading the system driver program into the system only after receipt of said third signal;
      
      system driver program executing means for executing the system driver program after the boot program executing means executes the boot program;
      
      checksum calculating means for calculating a calculated system driver checksum from the system driver program;
      
      checksum comparing means for comparing the normal system driver checksum to the calculated system driver checksum;
      
      signalling means for generating a fifth signal if said normal system driver checksum is the same as the calculated system driver checksum, and for generating a sixth signal if said normal system driver checksum is different from the calculated system driver checksum; and
      
      wherein the system driver loading means prevents the loading of the system driver into the system until said fifth signal is received.
  - 4. The computer system according to claim 3, wherein said information includes a normal installable device driver checksum for an installable device driver program, said computer system further comprising:
    - installable device driver loading means for loading the installable device driver program into the system only after receipt of said fifth signal;
      
      checksum calculating means for calculating a calculated installable device driver checksum from the installable device driver program;
      
      checksum comparing means for comparing the normal installable device driver checksum to the calculated installable device driver checksum;
      
      signalling means for generating a seventh signal if said normal installable device driver checksum is the same as the calculated installable device driver checksum, and for generating a eighth signal if said normal installable device driver checksum is different from the calculated installable device driver checksum; and
      
      wherein the installable device driver loading means prevents the loading of the installable device driver into the system until said seventh signal is received.
  - 5. The computer system according to claim 1, wherein said information includes a user-defined check value for a second program, said second program separate from said first program and separate from said boot program, the computer system further comprising:
    - program loading means for loading the second program into the system;
      
      check value calculating means for calculating a program check value from the second program;
      
      check value comparing means for comparing the user-defined check value to the calculated check value;
      
      signalling means for generating a fifth signal if said user-defined check value is equivalent to the calculated check value, and for generating a sixth signal if said user-defined check value is not equivalent to the calculated check value; and
      
      wherein the program loading means prevents the loading of the second program into the system until said fifth signal is received.

6. A method for protecting a computing system against a virus, the system having a means for inputting a booting program into the system from a storage means, wherein the storage means contains a first plurality of interrupt vectors which are sent to the system prior to loading the botting program, the method comprising the steps of:
- storing a first program in a read-only memory;
  
  executing the first program when the system is turned on, said executing step comprising the steps of;
  
  generating a second plurality of interrupt vectors;
  
  comparing said first plurality of interrupt vectors to said second plurality of interrupt vectors prior to loading said boot program into the system;
  
  generating a first signal if said first plurality of interrupt vectors is equivalent to said second plurality of interrupt vectors, and generating a second signal if said first plurality of interrupt vectors is not equivalent to said second plurality of interrupt vectors;
  
  loading said boot program into the system, the boot program being stored in the storage means;
  
  executing the boot program after the first program is executed and upon receipt of the first signal;
  
  generating a third plurality of interrupt vectors;
  
  comparing said first plurality of interrupt vectors to said third plurality of interrupt vectors;
  
  generating a third signal if said first plurality of interrupt vectors is equivalent to said third plurality of interrupt vectors, and generating a fourth signal if said first plurality of interrupt vectors is not equivalent to said third plurality of interrupt vectors; and
  
  preventing writes to the storage means until said third signal is received.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method according to claim 6 further comprising the steps of:
    - loading an I/O driver program into the system only after receipt of said third signal;
      
      executing the I/O driver program after executing the boot program;
      
      generating a fourth plurality of interrupt vectors;
      
      comparing said first plurality of interrupt vectors to said fourth plurality of interrupt vectors;
      
      generating a fifth signal if said first plurality of interrupt vectors is equivalent to said fourth plurality of interrupt vectors, and generating a sixth signal if said first plurality of interrupt vectors is not equivalent to said fourth plurality of interrupt vectors; and
      
      wherein the write preventing step comprises the step of preventing writes into the storage means while the I/O driver program is executing and until said fifth signal is received.
  - 8. The method according to claim 6, wherein said storage means includes a normal system driver checksum for a system driver program, said method further comprising the steps of:
    - calculating a calculated system driver checksum from the system driver program;
      
      comparing said normal system driver checksum to the calculated system driver checksum;
      
      generating a fifth signal if said normal system driver checksum is the same as the calculated system driver checksum, and generating a sixth signal if said normal system driver checksum is different from the calculated system driver checksum; and
      
      preventing the loading of the system driver program into the system if a sixth signal is received.
  - 9. The method according to claim 8, wherein said storage means includes a normal installable device driver checksum for an installable device driver program, said method further comprising the steps of:
    - calculating a calculated installable device driver checksum from the installable device driver program;
      
      comparing said normal installable device driver checksum to the calculated installable device driver checksum;
      
      generating a seventh signal if said normal installable device driver checksum is the same as the calculated installable device driver checksum, and generating a eighth signal if said normal installable device driver checksum is different from the calculated installable device driver checksum; and
      
      preventing the loading of the installable device driver program into the system if an eighth signal is received.
  - 10. The method according to claim 6 further comprising the steps of:
    - storing a user-defined check value for a second program into said storage means, said second program separate from said first program and separate from said boot program;
      
      checking said second program, said checking comprising the steps of;
      
      calculating a program check value for the second program;
      
      comparing the user-defined check value to the calculated check value;
      
      generating a fifth signal if said user-defined check value is equivalent to said calculated check value, and generating a sixth signal if said user-defined check value is not equivalent to said calculated check value; and
      
      preventing the loading of the second program into the system if a sixth signal is received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wistron Corporation
Original Assignee
Acer, Inc.
Inventors
Lin, Pei-Hu
Primary Examiner(s)
Black, Thomas G.
Assistant Examiner(s)
Alam, Hosain T.

Application Number

US08/141,436
Time in Patent Office

914 Days
Field of Search

395/700, 395/600, 395/575, 380/4, 380/25, 371/21.1
US Class Current

710/261
CPC Class Codes

G06F 21/567   using dedicated hardware

G06F 21/575   Secure boot

G06F 21/78   to assure secure storage of...

Method and apparatus for protecting a computer system from computer viruses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

133 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting a computer system from computer viruses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links