RU2538287C2 - Method of checking computer with antivirus in uefi at early stage of booting computer - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to protecting a computer from malware. The method of checking a computer with an antivirus in UEFI at an early stage of booting the computer comprises steps of: turning on the computer; the computer loading Unified Extensible Firmware (UEFI) from the memory module of the computer motherboard; at the UEFI execution step, switching to a driver execution environment for launching the antivirus module from a separate partition of the motherboard memory module, wherein the antivirus module checks the computer hard drives for signs of viral activity and if viruses are detected, performs procedures for elimination thereof, and after operation of the antivirus module, protecting the memory module from reading and writing with the aim of changing or blocking the memory module, and the transferring UEFI control for further booting of the computer.

EFFECT: improved computer safety.

3 cl, 1 dwg

Description

The present invention relates to a computer that is protected from malware at an early stage of loading.

Currently, Unified Extensible Firmware (UEFI) is being developed for modern computers, or rather their motherboards. This interface is designed to replace the computer BIOS and is intended to correctly initialize the equipment when the system is turned on and transfer control to the bootloader of the operating system. UEFI has two phases: the preliminary EFI phase, at which the computer elements are initialized and the driver execution phase of the Driver Execution Environment (DXE), after which the computer’s operating system is already loaded, see, for example, US 2009319763 A1 dated 12.24.2009. Thanks to the use of UEFI, the loading of the computer operating system is accelerated.

The closest technical solution is RU 119910 U1, dated 08.27.2012, which describes a method of protection against unauthorized access to a computer. In this method, it is proposed to configure the BIOS so that immediately after completing the Power On Self-Test (POST) procedure, it launches the embedded security module. In this case, the security module contains a means for blocking access to the BIOS settings to everyone except authorized administrators of the security module, means for authenticating the user / administrator of the security module, and authentication of the user / administrator is carried out using an identification device (IU) connected to the PC system bus, the means to transfer BIOS control to further boot the computer after user / administrator authentication .. However, these remedies are not sufficient precisely protect your computer from malware.

The proposed technical solution is aimed at creating a computer protected by antivirus in UEFI at an early stage of computer boot.

The task that the present invention allows to solve is the possibility of a guaranteed anti-virus scan until any software environments potentially capable of carrying out malicious actions (containing viruses) are launched on the device and affect the process of further information processing.

The technical result of the proposed technical solution is to increase the security of the computer.

The technical result is achieved by the fact that the method of checking the computer with antivirus in UEFI at an early stage of computer boot contains the steps:

- turn on the computer,

- computer boot Unified Extensible Firmware (UEFI), from the memory module of the motherboard of the computer,

- at the UEFI stage - making the transition to the driver execution environment, launching the antivirus module from a separate section of the memory module of the computer motherboard, while the antivirus module checks the computer’s hard drives for signs of virus activity and, in the presence of viruses, takes steps to eliminate them,

- and after the end of the operation of the antivirus module, establishing the protection of the memory module from reading and writing with the aim of the impossibility of changing or blocking the memory module, and then transferring the UEFI control to further boot the computer.

In this case, the antivirus module can be an updatable program including: antivirus and antispyware and / or authorization program, and / or other well-known program that protects the computer from unauthorized access.

In addition, the memory module of the computer in which the UEFI is stored must be a FLASH chip.

Figure 1 shows a diagram that implements an antivirus scan method of a computer in UEFI at an early stage of computer boot.

Consider the work of the proposed method for checking a computer with antivirus in UEFI at an early stage of computer loading, using an example of a computer with anti-virus protection against unauthorized access. To operate the proposed computer, the motherboard of the computer is used, which has a memory module in the form of a FLASH chip, where instead of BIOS (BIOS) UEFI is recorded. In addition, the FLASH chip contains a section for storing data of the antivirus module. The remaining elements of the computer represent standard computer elements: a processor with a cooling system, RAM, a video card, hard disks (SSD or HDD), a monitor, a case with a power supply, a keyboard and mouse.

A method for checking an anti-virus computer in UEFI at an early stage of computer boot is as follows. The user turns on the computer, after which the UEFI download starts, and various graphic or textual design of the UEFI download can be formed on the monitor. After performing the UEFI transition to the driver execution environment - DXE, the antivirus module is launched. The antivirus module is an automatically launched at least one program that checks the computer’s hard drives for the presence of potentially dangerous programs for the computer. The antivirus program is stored previously in the section for storing data of the FLASH microcircuit. This antivirus program can be updated only in the conditions of production of the motherboard or in the service center. At the same time, the progress of at least one antivirus program on the monitor screen is accompanied by various graphic and / or textual design that allows you to track and perform the necessary actions to delete potentially dangerous files found by the antivirus for your computer.

For example, after running the antivirus program, a list of suspicious files found and information that allows the user to be displayed on the monitor screen:

- completely delete the found (s) suspicious files,

- quarantine the found suspicious files,

- remove from the suspicious file the part that is a threat to the computer,

- or other actions related to the processing of found suspicious files,

- Continue loading the computer.

After completion of the indicated antivirus operations, regional (the section where the antivirus scan module is stored) is set to protect the FLASH chip from reading and writing with the aim of not being able to change or block the module. In the case of a successful anti-virus check, the system automatically switches to UEFI actions that preload or load the main computer operating system.

A specific embodiment of the proposed technical solution has been disclosed above, but it is obvious to any person skilled in the art that based on the disclosed data, it is possible to create variations of computer protection methods with antivirus in UEFI, for example, using a sequential combination of protection combinations of several different antiviruses. Thus, the scope of the invention should not be limited to the specific embodiment disclosed in the proposed claims.

Claims (3)

1. A method for checking an anti-virus computer in UEFI at an early stage of a computer boot, comprising the steps of:
- turn on the computer,
- loading the computer Unified Extensible Firmware (UEFI) from the memory module of the motherboard of the computer,
- at the stage of UEFI transition to the execution environment of the drivers for launching the antivirus module from a separate section of the memory module of the computer motherboard, the antivirus module checks the computer’s hard drives for signs of virus activity and, in the presence of viruses, takes steps to eliminate them,
- and after the end of the operation of the antivirus module, establishing the protection of the memory module from reading and writing with the aim of the impossibility of changing or blocking the memory module, and then transferring the UEFI control to further boot the computer. 2. A method for checking a computer with antivirus in UEFI at an early stage of loading a computer, the antivirus module according to claim 1, characterized in that it is an updatable program including: antivirus and antispyware and / or authorization program, and / or other known program that protects the computer from unauthorized access. 3. A method for checking a computer in UEFI by an antivirus at an early stage of loading a computer is the antivirus module according to claim 1, characterized in that the memory module of the computer in which the UEFI is stored is a FLASH chip.