DE4225345A1 - Computer virus and sabotage program detecting method - using sequence of tests to identify if request for operation is valid and provides blocking and warning indication if not - Google Patents

Abstract

The protection and detection method involves checking on attempted accesses to computer memory to ensure that the information does not contain a 'virus' or sabotage programme. This protects the MS-DOS operating system against damage. The process involves a sequence of operations beginning with a request for sector oriented functions that are checked for a response from the operating system. A positive result of the check allows the operation to proceed. If the result is negative a check is made to determine if the operation is from an authorised service programme. If the request is valid the operation is allowed to proceed. If not the operation is blocked and a warning generated. USE/ADVANTAGE - Allows unknown viruses and sabotage programs to be detected.

Description

In view of the massive spread of virus and Sabotage programs of all kinds are gaining the fact Meaning that the system areas of data carriers, especially hard disks and floppy disks, in the operating system MS-DOS are not protected against deliberate destruction. The known anti-virus methods are limited to Detection of so-called virus signatures in the form of certain Strings in files and in memory. The great The disadvantage of such methods is that they are naturally have to be limited to the already known viruses. In particular, they cannot do damage prevent if an unknown virus becomes active. The Recognizing the virus signatures is another way of doing this become more difficult that now polymorphic viruses viruses that change their signature themselves can.

To clarify the dangers that the unprotected MS-DOS System threat, it should be explained that already short Program fragments with a total length of, for example 8 bytes and an execution time of just a few Milliseconds each access to a computer hard drive and even prevent the operating system from pulling up (booting) can. A restoration of the destroyed in this way Hard drive, if any, is only made by experts in laborious and time-consuming manual work possible.  

The invention is accordingly based on the object Procedures to specify the MS-DOS operating system protect that attempts at sabotage even with unknown Virus signatures can not be prevented, but at Do no harm to activation, especially none overwrite vital system areas of the data carrier and can destroy it. The solution to the problem is in Claim 1 specified.

The invention is based on the principle, before execution of potentially dangerous access to system areas of Disks previously used by the MS-DOS operating system without any Security check have been carried out to the user warn if not obviously system-related There is a need for such access. To the closer Explanation of the method according to the invention should first the MS-DOS operating system in the one of interest here Context will be briefly explained.

MS-DOS basically offers two groups of Programming functions that manipulate data carriers, so hard drives or floppy disks can serve, namely file-oriented and sector-oriented functions. There a Application program normally only may perform file-oriented operations and a Disks only from individual sectors, cylinders and heads exists, the MS-DOS core takes care of every file-oriented Operation for the transparent implementation of the logical Term "file" in the physical values "sector", "Cylinder" etc. In addition, the core must be in everyone file-oriented operation is also transparent Manage system area.  

To put it simply, a data carrier consists of System area and the data area. The system area of a typical hard disk contains, again schematically, one Partition sector, a boot sector and two copies of one File allocation table FAT (from File Allocation Table). To the System area can also be the root Directory and the three files necessary for booting Add IO.SYS, MSDOS.SYS and COMMAND.COM. Under the The security aspect is the following about the system area important: The system area is essential for the right one Function of the system, it is relatively small compared to Data area, and it should only be managed and managed by the MS-DOS core be modified. The last condition is from MS-DOS hurt themselves because some system functions, e.g. B. that Formatting disks, creating a partition etc. have been moved from the core to external utilities. These utilities are formally part of MS DOS, but not from the core, so its activities are not can monitor and control. The MS-DOS core offers therefore some sectoral functions to this Utilities access to the system area too enable. Essentially, this is the "Absolute Disk Read" and "Absolute Disk Write" functions, d. H. Interrupts 25 and 26 (in hexadecimal Spelling).

If only file-oriented functions are used damage can hardly be caused. Has a sabotage program in this way no access to the system area and could at most overwrite or delete files. Because of that Sabotage program the names of files and directories in are generally unknown, the sabotage program would have to work blindly through the files. That would time consuming and eye-catching. In addition, the victim could  User to restore deleted files immediately, e.g. B. through the "UNDELETE" utility.

Real and irreparable damage can be a Sabotage program solely through the sector-oriented Arrange functions. Therefore, the test takes place according to characteristic a) held in claim 1 for these functions.

Any attempt to call a sectoral function is suspected of sabotage, unless the call is from MS-DOS itself, i.e. from the core or from certain, approved Utilities comes from one Application program. Hence the tests according to Process steps a) and c) in claim 1.

Overall, there is only one sector-oriented function six possible targets for sabotage programs, namely

• a) by calling the "ABSOLUTE DISK WRITE" function (Interrupt 26),
• b) by calling up hard disk or floppy disk Device drivers,
• c) by calling the function "EXECUTE DEVICE DRIVER REQUEST" (Interrupt 2f, function 0802),
• d) by calling the "GENERIC BLOCK DEVICE REQUEST" function (Interrupt 21, function 440d),
• e) by calling the "ROM-BIOS Fixed Disk" function (Interrupt 13)  
• f) by jumping directly to the original ROM address of the "ROM-BIOS Fixed Disk" function, which can be determined by the "SET DISK INTERRUPT HANDLER" function (interrupt 2f, Function 13).

These possible points of attack that a complete Representation are also the subject of Developments of the invention.

To carry out process step c), the Name of the calling program determined, for example for approved programs "FORMAT" or "FDISK". Here but a sabotage program fairly easily also the program name in the program environment could modify to an allowed Pretending the program is advantageous when calling the "LOAD AND EXECUTE A PROGRAM" function, also EXEC function called, the name of the program to be executed saved and compared with the name of the calling program. The both names must match, otherwise the warning spent.

When calling the functions "ABSOLUTE DISK WRITE", "GENERIC BLOCK DEVICE REQUEST "and" ROM-BIOS FIXED-DISK "will each the associated interrupt, for example interrupt 26 for "ABSOLUTE DISK WRITE" during the initialization phase redirected, the name of the calling program checked and then returned to the original interrupt.

When calling up a disk driver, it is first determined whether it is write access to the system area acts. Then to check if the access comes from the core, it is determined whether there is currently an MS-DOS function is executed and whether the transfer address, i.e. the Address from which the data is written to the disk  should refer to a core data buffer. To carry out the disk driver call is redirected to that by a new disk driver was created during initialization who carries out the tests and if the outcome is positive the previous disk driver for access calls.

The output of a warning expediently includes the output of a optically striking warning window on the screen of the Calculator. The warning window gives the cause for the warning and, if necessary, further details for Diagnostic purposes, for example the full path name of the Causer, the physical address of the complaint Call, the register contents, the system and the user Stack, etc. In addition, the warning window can be a menu included, which gives the user several options for the Response to the warning including a blockage of the function performed there. The block can be once for the function currently being carried out or for the duration of the currently running program. On the other hand, the user can despite the warning Allow the function to be executed once or permanently.

The for the execution of the test according to procedural step c) approved utilities are conveniently on a list approved programs as follows:

CHKDSK, DEBUG, DISKCOPY, FDISK, FORMAT, MIRROR, RECOVER, REPLACE, SYS, UNDELETE, UNFORMAT.

In addition, the user has the option of more Programs that he believes to be reliable are included in the list to enter, namely programs that also have a  need sector-oriented access to system areas, for example the well-known program "PC TOOLS".

Claims (9)

1. Process for protecting MS-DOS computers against sabotage programs or "viruses", characterized by the process steps:

• a) when calling sector-oriented functions, it is checked whether the call originates from the core of the operating system,
• b) if the result of the test in step a) is positive, the call is permitted,
• c) if the result of the test according to step a) is negative, it is checked whether the call comes from an approved utility,
• d) if the result of the test in step c) is positive, the call is permitted,
• e) if the result of the test in step c) is negative, execution is blocked and a warning is issued to the computer user.

2. The method according to claim 1, characterized, that the name of the calling program determined and with a list approved programs is compared. 3. The method according to claim 2, characterized, that when the EXEC function is called, the name of the program to be executed and saved with the name of the calling program is compared. 4. The method according to claim 2 or 3, characterized,  that when one of the functions "ABSOLUT DISK WRITE" is called or "GENERIC BLOCK DEVICE REQUEST" or "ROM-BIOS FIXED- DISK "the associated INTERRUPT during the Initialization phase redirected to the name of the calling program checked and then to the original INTERRUPT is returned. 5. The method according to claim 1, characterized, that when calling the disk driver or the function "EXECUTE DEVICE DRIVER REQUEST" determines whether a There is write access to the system area, and that then to check whether the access comes from the core, it is determined whether there is currently an MS-DOS function is executed and whether the transfer address is on a Core data buffer relates. 6. The method according to claim 5, characterized, that to carry out the tests of Disk driver call is redirected in that the Initialization a new disk driver is created who carries out the tests and, if the result is positive, the previous disk driver for executing the access calls. 7. The method according to any one of claims 1 to 6, characterized, that the warning is the output of a visually striking Warning window on the computer screen includes and that the warning window indicates the cause of the warning. 8. The method according to claim 7, characterized,  that the warning window contains a menu that the user several ways to respond to the warning including blocking the listed Function indicates and provides a fault diagnosis. 9. The method according to any one of claims 1 to 8, characterized, that for the execution of step c) the approved utilities in a list be the user through additional programs can supplement.