Method and apparatus for protecting data files on a computer from virus infection

US 5,956,481 A
Filed: 02/06/1997
Issued: 09/21/1999
Est. Priority Date: 02/06/1997
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method for protecting files on a computer from infection by a virus, the files compatible with a program module running on the computer, comprising the steps of:

detecting one of an external and internal open file event for a selected one of the files;

prior to responding to the detected open file event, determining whether the selected file is likely to contain the virus;

in the event that the selected file is likely to contain the virus, then providing a notice advising that the selected file may contain the virus;

otherwise, responding to the open file event by opening the file for operation with the program module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protection of data files on a computer system from infection or damage by a computer virus. A virus protection system can detect either an external or internal open file event for a file maintained on a local or remote computer. Typically, the protection system is implemented as an internal component of the program module that processes the files protected by the protection system. Prior to responding to a detected open file event, an inquiry is conducted to determine whether the file is likely to contain a virus. If so, a notice is generated to indicate that the file may contain a virus, thereby advising of the possible danger of spreading the virus to other files if the file opening is completed. If the file is not likely to contain the virus, the response to the detected open file event is completed by opening the file for processing by the program module.

Citations

34 Claims

1. A computer-implemented method for protecting files on a computer from infection by a virus, the files compatible with a program module running on the computer, comprising the steps of:
- detecting one of an external and internal open file event for a selected one of the files;
  
  prior to responding to the detected open file event, determining whether the selected file is likely to contain the virus;
  
  in the event that the selected file is likely to contain the virus, then providing a notice advising that the selected file may contain the virus;
  
  otherwise, responding to the open file event by opening the file for operation with the program module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1 further comprising the step of opening the selected file for operation with the program module in response to selecting an open file option presented by the notice.
  - 3. The computer-implemented method of claim 2 further comprising the step of terminating a response to the open file event in response to selecting a close file option presented by the notice, thereby preventing an opening of the selected file.
  - 4. The computer-implemented method of claim 3 further comprising the step of opening the selected file in a safe mode in response to selecting a virus protection option presented by the notice, wherein the selected file is opened in the safe mode as a protected file that does not include any components associated with the virus.
  - 5. The computer-implemented method of claim 4 wherein the virus is a macro virus and the protected file is loaded for operation with the program module without loading any macro of the selected file.
  - 6. The computer-implemented method of claim 5 wherein the protected file is marked as read-only to make it difficult for the selected file to be saved as a replacement for the selected file.
  - 7. The computer-implemented method of claim 1 wherein the determining step comprises determining whether the selected file comprises a component associated with the virus and, if so, identifying the selected file as likely to contain the virus.
  - 8. The computer-implemented method of claim 1 wherein the determining step comprises determining whether the selected file has been previously examined for virus infection and, if so, identifying the selected file as a clean file that does not contain the virus.
  - 9. The computer-implemented method of claim 1 wherein the determining step comprises:
    - determining whether the selected file comprises a component associated with the virus;
      
      if the selected file comprises a component associated with the virus, then determining whether the file is a predetermined type that is unlikely to contain the virus;
      
      if so, identifying the selected file as available for operation with the program module;
      
      otherwise, identifying the selected file as likely to contain the virus.
  - 10. The computer-implemented method of claim 9 wherein the virus is a macro virus and the component of the selected file is a macro.
  - 11. The computer-implemented method of claim 9, wherein the step of determining whether the file is a predetermined type comprises checking whether the selected file resides in a predetermined directory.
  - 12. The computer-implemented method of claim 9, wherein a digital signature is assigned to the selected file when the selected file is examined for virus protection, and wherein the step of determining whether the file is a predetermined type comprises checking the digital signature of the selected file to determine whether the file was previously opened by a trusted entity.

13. A computer-readable medium having computer executable instructions for a virus protection routine incorporated within a program module, for causing a computer to perform the steps of:
- detecting a request to access a data file in response to one of an external and internal open file event;
  
  in response to the request to access the data file, determining whether the data file contains a known virus component;
  
  if the data file contains a known virus component, then(i) providing an advisory notice that the data file is susceptible to infection by a virus; and
  
  (ii) providing an option to access the data file using a safe mode; and
  
  if the option to access the data file in the safe mode is selected, then accessing the data file with the known virus component disabled.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The computer-readable medium of claim 13, having further computer executable instructions for causing the computer to perform the steps of:
    - providing an option to access the data file in an unrestricted mode; and
      
      if the option to access the data file in an unrestricted mode is selected, then accessing the data file with the known virus component enabled.
  - 15. The computer-readable medium of claim 13, having further computer executable instructions for causing the computer to perform the steps of:
    - providing an option to cancel the access to the data file; and
      
      if the option to cancel the access to the data file is selected, then canceling the request to access the data file.
  - 16. The computer-readable medium of claim 13, wherein the step of determining whether the data file contains a known virus component comprises:
    - if the known virus component is a macro, then determining whether the data file contains a macro.
  - 17. The computer-readable medium of claim 13, wherein the step of determining whether the data file contains the known virus component comprises the step of:
    - if the known virus component is a customization, then determining whether the data file contains a customization.
  - 18. The computer-readable medium of claim 13, wherein the step of detecting a request to access a data file comprises detecting an external file open event or detecting an internal file open event.
  - 19. The computer-readable medium of claim 13, wherein the step of accessing the data file with the known virus component disabled comprises accessing the data file in a read-only mode.
  - 20. The computer-readable medium of claim 13, having further computer executable instructions for causing the computer to perform the steps of:
    - if the data file contains a known virus component, then determining whether the data file resides in a predetermined directory; and
      
      if the data file resides in a predetermined directory, then accessing the data file with the known virus component enabled.
  - 21. The computer-readable medium of claim 13, wherein a digital signature is assigned to the data file to indicate that the data file has been examined for infection by a virus and to indicate whether the data file has been accessed in the safe mode, and wherein the computer-readable medium has further computer executable instructions for causing the computer to perform the steps of:
    - if the data file contains a known virus component, then checking the digital signature for the data file to determine whether the data file has been previously examined for infection by a virus; and
      
      if the data file has been previously examined for infection by a virus, and if the digital signature indicates that the data file has been accessed in the safe mode, then accessing the data file with the known virus component disabled.

22. A computer-implemented method for protecting a plurality of files on a computer from infection by a known virus component using a virus check routine incorporated within a program module, the program module operative to access the files and the virus check routine operative to store a digital signature with a selected data file once the selected data file is accessed by the program module, comprising the steps of:
- detecting a request to access the selected data file in response to one of an external and internal open file event;
  
  determining whether the selected data file contains the known virus component;
  
  if the selected data file contains the known virus component, then determining whether the selected data file was previously accessed by the program module by(i) obtaining the digital signature for the selected data file;
  
  (ii) obtaining a digital session key for the present session of the program module; and
  
  (iii) comparing the digital signature with the digital session key;
  
  if the digital signature matches the digital session key, then determining that the selected data file was previously accessed by the program module;
  
  determining whether the selected data file was previously accessed using a safe access mode; and
  
  if the selected data file was previously accessed using the safe access mode, then accessing the selected data file using the safe access mode.
- View Dependent Claims (23, 24, 25)
- - 23. The computer-implemented method of claim 22, wherein the step of accessing the selected data file using the safe access mode comprises accessing the selected data file without the known virus component.
  - 24. The computer-implemented method of claim 22, wherein the step of accessing the selected data file using the safe access mode further comprises accessing the selected data file in a read-only mode.
  - 25. The computer-implemented method of claim 22, further comprising the steps of:
    - if the digital signature does not match the digital session key, then(i) displaying an advisory message warning that the selected data file is susceptible to infection by a virus; and
      
      (ii) providing an option to process the selected data file using the safe access mode; and
      
      if the option to process the selected data file using the safe access mode is selected, then accessing the selected data file without the known virus component;
      
      otherwise, accessing the selected data file with the known virus component.

26. A computer-implemented method for detecting a known virus component using a virus check routine incorporated within a program module operative to process a file that is susceptible to a virus, comprising:
- detecting a request to process a selected file in response to one of an external and internal open file event;
  
  determining whether the selected file contains a known virus component;
  
  if the selected file contains a known virus component, then(i) providing an advisory notice indicating that the selected file contains a known virus component; and
  
  (ii) providing file processing options to process the selected file;
  
  receiving one of the file processing options as a selected file processing option;
  
  processing the selected file in accordance with the selected file processing option;
  
  detecting a second request to process the selected file; and
  
  if the advisory notice indicating that the selected file contains a known virus component was previously provided, then processing the selected file in accordance with the selected file processing option without providing a second advisory notice.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The computer-implemented method of claim 26, wherein the file processing options comprise:
    - a safe mode file processing option to process the selected file without the known virus component;
      
      an unrestricted mode file processing option to process the selected file with the known virus component; and
      
      an abort mode file processing option to abort processing the selected file.
  - 28. The computer-implemented method of claim 26, wherein the step of processing the selected file in accordance with the selected file processing option comprises assigning a digital signature to the selected file.
  - 29. The computer-implemented method of claim 28, wherein the step of detecting a second request to process the selected file comprises:
    - obtaining the digital signature for the selected file;
      
      obtaining a digital session key for the present session of the program module; and
      
      comparing the digital signature for the selected file with the digital session key for the present session of the program module;
      
      if the digital session key and the digital signature match, then detecting a second request to process the selected file.
  - 30. The computer-implemented method of claim 26, wherein the step of detecting a request process a selected file comprises detecting an internal or external open file command.
  - 31. The computer-implemented method of claim 26, wherein the step of determining whether the selected file contains a known virus component comprises determining whether the selected file contains a macro.
  - 32. The computer-implemented method of claim 26, wherein the step of determining whether the selected file contains a known virus component comprises determining whether the selected file contains a customization.
  - 33. The computer-implemented method of claim 26, further comprising the step of determining whether the selected file is a template.
  - 34. The computer-implemented method of claim 26, further comprising the step of determining whether the selected file is located in a predetermined directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Altberg, Ebbe H. A., Walsh, James E.
Primary Examiner(s)
Hua, Ly

Application Number

US08/797,485
Time in Patent Office

957 Days
Field of Search

395/183.14, 395/183.15, 395/183.12, 395/186, 395/682, 395/680, 364/580, 380/4
US Class Current

726/23
CPC Class Codes

G06F 11/004   Error avoidance G06F11/07 a...

G06F 11/32   with visual or acoustical i...

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

Method and apparatus for protecting data files on a computer from virus infection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting data files on a computer from virus infection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links