RU2638735C2 - System and method of optimizing anti-virus testing of inactive operating systems - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: system contains an operating system enumeration (OS) for searching the installed inactive OSes, determining the logical drive identifiers for each installed inactive OS; a file searching tool designed to identify an inactive OS that needs to be checked for harmful files, and anti-virus scanning of files in the inactive OS. If several inactive OS are installed, the inactive OS is selected for anti-virus scanning, and the logical drive identifiers associated with the inactive OS are compared with the logical drive identifiers associated with the active OS, where the active OS is the OS that was started at the time of the scanning; the files that belong to the inactive OS in the active OS are determined according to the full path of storing the specified files in the inactive OS via the associated logical drive identifiers.

EFFECT: speeding up the anti-virus scanning of an inactive operating system and performing the anti-virus scanning of only one inactive operating system with several installed operating systems.

17 cl, 5 dwg, 1 tbl

Description

Technical field

This invention relates to systems and methods for anti-virus scanning of operating systems for malicious files and, more specifically, to systems and methods for anti-virus scanning of inactive operating systems installed on a user's computer from an active operating system.

State of the art

Computer security is an integral part of information technology. Computer security breaches can occur if computers are infected with various malicious programs (hereinafter referred to as malicious files), such as viruses, trojans, exploits (rootkit), rootkits (stealth virus), and etc. Computers can be infected in various ways, for example, through information networks, both local and global, or through external portable storage devices (“flash drives”). Examples of infection through information networks are methods such as receiving and reading an e-mail by e-mail of a user containing a malicious file in the attachment, or infection when a user visits the website on which the malicious file was posted. Also, a malicious file (for example, a "network worm") may try to get to the user's computer, i.e. without the knowledge of the user. The variety of malicious files and methods of infection prompted the emergence of many different tools to protect computers from the effects of malicious files. Such tools are anti-virus applications, various systems ("scanners") that search for malicious files, firewalls (Eng. Firewall), and so on, up to complex systems for protecting against malicious files and distributing them. However, users' computers are still infected with malicious files anyway.

One of the reasons for the continued infection of computers is the ability of some malicious files, such as stealth files, to hide from protection tools. Another reason may be the increasing appearance of malicious files in order to obtain commercial benefits both by the developers of malicious software (software) and their distributors (customers), which led to the creation of more complex malicious files and, as a consequence, complicating the process of their detection. For example, such malicious programs (files) may be so-called rootkits or malicious files that resist treatment (i.e., they can recover on their own, Cure-resistant malware). A rootkit is a set of software tools that allow you to hide your presence on a computer, namely, hide processes launched from malicious files. In addition, rootkits can be implemented at the zero level of protection (the kernel level in the information security architecture and functional fault tolerance), according to which rootkits receive maximum privileges of access to computer resources. This allows rootkits to intercept system services that the operating system and applications use while working on the computer and go unnoticed on the computer. For example, if an anti-virus application located on a computer scans data / files stored on a hard (physical) disk, then as part of the scan process, the operating system makes at least one call to the “open file” function when accessing the file being scanned. However, the rootkit will intercept the called function and return the response to the requested process, for example, in the form of an “file missing” error or redirect the function call to another “clean” file. Thus, the antivirus application will not be able to scan the required file and, accordingly, detect the malicious file.

One of the solutions to detect such malicious files as rootkits is solutions related to the anti-virus scan before or directly during the boot of the operating system. Another solution allows you to download a third-party operating system from an external device (for example, an optical disk or a "flash drive") to conduct an anti-virus scan of a computer device (system), which includes a full scan of data (files) on a data storage device.

So, in the patent US 8230511 B2 describes the technology of anti-virus scanning of a computer device using a secure trusted operating system that contains an anti-virus application, while the operating system and anti-virus application were launched from an external device. When malicious files are detected, they are deleted from the computer device. After an anti-virus scan and removal of the found malicious files, the computer device is rebooted, during which the already cleaned "internal" operating system of the computer device is loaded, where the internal OS is understood as the OS that is the installed OS of the computer device.

However, with this solution, a complete anti-virus scan of the computer system (i.e., all data (files) contained on it) is performed, which takes quite a long time. In addition, the following circumstance should also be taken into account: when a virus is deleted, which, for example, is contained in a critical file (i.e. a file that, when deleted, the OS will not start or work correctly), it may fail to load or the internal operating system . Another circumstance is the need for proper cleaning of the OS, for example, the Windows registry, otherwise the OS may stop working. Another drawback of existing approaches is the lack of the ability to conduct anti-virus scanning of one of the inactive operating systems if there are several installed operating systems on the computer device, since these solutions will not be able to determine which files belong to which operating system. Inactive operating system refers to an operating system that is installed on a computer device, but is not currently running. Also, the approaches presented do not solve the problem of combating malicious files that have the ability to recover on their own, for example, using a copy of this file after deleting it. In addition, new approaches aimed at identifying malicious files that prevent the launch of antivirus solutions and / or loading the operating system are always relevant.

Therefore, although the solution described above allows you to detect malicious files, new approaches are required to conduct an anti-virus scan of the operating system, in particular, an inactive operating system, and / or to eliminate the consequences of deleting malicious files from an inactive operating system (i.e., correctly deleting a file with a search dependent files and / or data). Accordingly, there is a need for a system and method for optimizing (speeding up) the anti-virus scan of inactive operating systems.

SUMMARY OF THE INVENTION

The present invention is intended for anti-virus scanning of an inactive operating system.

One technical result of the invention is to accelerate the anti-virus scan of files of an inactive operating system with respect to known anti-virus checks by determining whether the files belong to the inactive OS to be checked by determining the location (full storage path) of files in the checked (inactive) OS by matching logical drive identifiers, related to the active OS and inactive OS, and conducting a point or partial anti-virus scan of inactive OS files.

Another technical result of the claimed invention is to conduct anti-virus scan of files of only one necessary inactive operating system if there are several installed operating systems on a computer device.

As one of the variants of implementation, a system of anti-virus scanning of files of the operating system is proposed, which is installed on the computer and is not running at the time of the specified scan, i.e. an inactive operating system, while the claimed system contains a database associated with a means of listing operating systems (OS) and a means of searching for malicious files in an inactive OS, designed to store at least a set of drivers for various file systems and information designed to perform anti-virus scanning inactive OS; OS listing tool designed to search for at least one inactive OS installed on the computer, determining logical drive identifiers for each installed inactive OS and transmitting information about each inactive OS and the corresponding name of each inactive OS to the malware search tool, while the OS listing tool determines all hard drives installed on the computer; analyzes the structure of each hard drive installed on the computer using a set of drivers for various file systems; defines a list of logical drives; identifies files that perform OS boot (downloader files) on specific logical drives; analyzes the structure of each identified bootloader file, during which the type of OS to which the bootloader belongs is determined, and the location of the OS on logical disks; forms a list of inactive OSs that contains at least one inactive OS; and defines logical drive identifiers for each inactive OS; file search tool intended for anti-virus scanning of files of at least one inactive OS, while during the anti-virus scan of each inactive OS, said search tool matches logical drive identifiers related to the inactive OS with logical drive identifiers related to the active OS, where active OS means the OS that was launched at the time of the specified verification; defines files that are related to an inactive OS, according to the full path of storage of the specified files; performs anti-virus scan of files at specific storage addresses; Detects and deletes at least one malicious file.

In another embodiment of the system, the OS listing facility additionally, when analyzing the structure of the identified bootloader file, determines the full address of the location of the files.

In yet another embodiment of the system, the OS listing tool during the analysis of the structure of each identified bootloader file further includes an analysis of indirect features, according to which it determines the identifier of the operating system.

In another embodiment of the system, the identifiers of logical disks for the Microsoft Windows operating system are understood to mean at least the names of the logical disks.

In yet another embodiment of the system, information about inactive OSs means at least one or more of the following information: OS type, OS family name, OS version, OS capacity, and the location of the OS boot files.

In another embodiment of the system, the file search tool only detects files for anti-virus scanning related to autorun files of the OS, critical files of the OS, and executable files stored in the autorun folders of computer users.

In yet another embodiment of the system, a file search tool, upon receipt of information about more than one inactive OS, determines the sequence and time of the anti-virus scan of certain inactive OS.

As another embodiment, a computer-implemented method of anti-virus scanning of operating system files (inactive OS) is installed, which is installed on the computer and is not running at the time of the specified scan, the method comprising the steps of searching at least the OS listing tool one inactive OS installed on the computer, during which all the hard drives installed on the computer are detected, the structure of each hard drive installed is analyzed On the computer, using a set of drivers for various file systems, they determine the list of logical drives, identify the files that load the OS (bootloaders) on specific logical drives, analyze the structure of each detected bootloader, during which determine the type of OS, to which the file loader belongs, and the location of the OS on logical drives, form a list of inactive OS, which contains at least one inactive OS; determine the identifiers of logical drives for each installed inactive OS; using the means of searching for malicious files in an inactive operating system, anti-virus scanning of files of at least one inactive operating system is performed, while during an anti-virus scan of each inactive operating system, logical drive identifiers related to the inactive operating system are compared with logical drive identifiers related to the active operating system, where an active OS is understood as an OS that was launched at the time of the specified check, files that are related to an inactive OS are determined, according to the full path of storage data files, perform anti-virus scan of files according to specific storage addresses, identify and delete at least one malicious file.

In another embodiment of the method, the hard drive is any storage device designed to store data, including the hard drive itself, a solid state drive, and a network drive.

In another embodiment of the method, the analysis of the structure of the file downloader further includes the analysis of indirect features, according to which it determines the name of the operating system.

In another embodiment of the method, when determining more than one inactive operating system, the sequence and time of the anti-virus scan of certain inactive operating systems are determined.

In yet another embodiment of the method, when determining more than one inactive operating system, the need for anti-virus scanning of each inactive operating system is determined.

In another embodiment of the method, the need for an anti-virus scan is determined using a request to the user or automatically.

Brief description of the attached drawings

The accompanying drawings, which are included to provide an additional understanding of the invention and form part of this description, show embodiments of the invention and together with the description serve to explain the principles of the invention.

The claimed invention is illustrated by the following drawings.

FIG. 1 shows an example of a general purpose computer system on which the claimed invention can be implemented.

FIG. Figure 2 illustrates the runtime of the anti-virus scan system for inactive operating systems.

FIG. 3 illustrates the architecture of the anti-virus scan system for inactive operating systems with the subsequent elimination of the consequences of deleting a malicious file during the anti-virus scan of files of an inactive operating system.

FIG. 4 illustrates an example implementation of a method for listing operating systems during an anti-virus scan of inactive operating systems using the claimed invention.

FIG. 5 illustrates a frequent case of implementing the method of searching for a malicious file, checking a malicious file, and clearing an inactive operating system of the consequences of deleting a malicious file.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than the specific details provided to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined only in the scope of the attached claims.

In FIG. 1 shows a computer system on which the described invention may be implemented.

FIG. 1 represents an example of a general-purpose computer system (it can be either a personal computer or a server) 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any bus structure known in the art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus th architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26, contains basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating ROM systems 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 1. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

FIG. Figure 2 illustrates the runtime of the anti-virus scan system for inactive operating systems.

In FIG. 2, one of the embodiments of the claimed anti-virus scan system for inactive operating systems is considered, namely, anti-virus scanning of files of an inactive operating system using an anti-virus tool 130 if there are 20 or more installed operating systems on a computer device (computer). It is worth noting that an inactive operating system (OS) refers to an OS that is installed on the user's computer 20, but is not used (not running) at the current time and is stored on a storage device, for example, on a hard disk 27. In turn An active operating system refers to an OS that is loaded and executed on a computer. An example of such an OS is operating system 35, i.e. loaded OS in the RAM 25 of the computer 20 and is currently used by the user.

It should be noted that a storage device is a device that can store various data (files) or information that the OS can use, including data from the OS itself. Also, the storage device can be an array of storage devices, for example, in the form of RAID (English redundant array of independent disks - redundant array of independent hard drives), i.e. an array of several disks. Examples of storage devices are both the 27 hard drive and devices such as HHD (half-height drive), SSD (Solid-State Disk), flash drives, and others. An array of storage devices can consist of devices physically connected to each other, for example, several hard drives, and spaced in space and connected through a network, for example, using the Internet 190. The network can be either local or global. An array of storage devices can contain both the same types of devices, and different from each other.

Currently, operating systems, in particular operating systems of the Microsoft Windows family, when interacting with a storage device, use the ability to divide storage devices (hard drives) into partitions (English partition). A partition can be either primary (English primary partition) or extended (optional, English extended partition). In addition, the disk contains a partition table (English partition table), which is part of the master boot record (English master boot record, MBR). In addition, there may be several primary partitions, with each partition having its own file system. An extended partition can be only one and does not have its own file system, but it can contain other logical partitions (disks), while the number of logical disks and their size is limited only by the size of the storage device. In addition, logical drives as well as primary partitions can have either one type of file system or a different one. Partitioning a disk is necessary, for example, to install several operating systems that are installed on separate logical partitions (disks) to separate files of one OS from files of another, or to separate operating system files from user files, as well as for the convenience of storing and interacting with files (data) stored on a storage device.

It is worth noting that the logical drive is perceived by the OS as a separate device that has its own name, directory (s) and other data corresponding to the hard drive. Therefore, each logical drive is assigned its own identifier, for example, a letter name, such as "C:", "D:", "Z:" and so on. Partitioning into logical drives is usually done during formatting of the storage device (hereinafter this term will be used as a hard drive). Formatting a hard disk is the partitioning of the hard disk in the computer into addressable elements in order to prepare the hard disk for receiving information. In addition, when installing several operating systems on the computer 20, each operating system, as a rule, will store (place) its data (files) on a separate logical disk. For example, the Windows XP OS will be located on the local C: drive, and the Windows 7 OS on the local D: drive. At the same time, for each installed operating system, the numbering of logical drives will be individual (an example is presented in the Table below).

So, consider a particular embodiment of the claimed invention, while the hard disk 160 contains at least two operating systems that are installed on the computer. One OS is running, i.e. is an active OS, the other OS is not running, i.e. are inactive OS. It is worth noting that the more inactive OSs are installed on the computer and stored on the hard drive, the more preferred it is to use the claimed invention, because when the OS is increased, anti-virus scanning of each inactive OS separately is difficult. So, to conduct an anti-virus scan of inactive operating systems, the operating system 35, for example, “Linux”, is loaded into the RAM 35 of the computer 20, and the antivirus tool 130, which can be either application 37 or a hardware-software device, is launched in the loaded OS can be executed on the processor of the computer 20. The hard disk (storage device) 160 may consist of either a single hard disk 160a (not shown in Fig. 2) or a plurality of hard disks 160a ... 160n (not shown in Fig. 2).

As described above, the hard disk 160 for each operating system is a set of logical drives, and for each operating system, the identifier (for example, name) of each logical drive is different. So, the same hard disk partition (i.e., local disk) will have different names for different OS. An example for a computer on which the hard disk is divided into four local disks and two operating systems are installed (OS “Windows XP” and OS “Windows 7”) is presented in the table below.

Thus, when loading an OS, the identifiers (names) of logical drives will be individual for each OS installed on the computer (both inactive and active). Therefore, to check any file (data, information) stored on the hard disk 160, any operating system, it is necessary to access the specified file in accordance with the full path to the file in a particular OS. The full path is a string expression specifying the location of the file. An example of the full path (route) to the executable file of the Kaspersky Endpoint Security 10 application is the following string expression: “C: \ Program Files (x86) \ Kaspersky LabYKaspersky Endpoint Security 10 for Windows SP1 \ kesdr.exe”.

It is worth noting that for the implementation options, when the Linux operating system is installed on computer 20 except the Windows operating system, then the term “mount point” is used in “Linux”, which corresponds to the identifier (name) of logical disks so that the mount point indicates the name of the folder (file) inside the Linux OS file system into which the logical drive is displayed having the corresponding (defined) identifier of the logical drive.

In turn, the anti-virus tool 130, running on the computer 20 in the active operating system 35, contains a list of tools 140 that are intended for anti-virus scanning of inactive operating systems, and a database 150. The composition of the tools from the list of tools 140 and their purpose are presented in the description of FIG. . 3. Database 150 stores data (information) intended for anti-virus scanning of inactive OS by anti-virus tool 130 and / or its tools from the list of tools 140. Examples of such data may be a description of malicious files (for example, file signatures in the form of hash sums ), as well as various policies (rules) of security, control or detection of malicious files. The database can also store various supporting information, for example, lists of various types of files. Database 150 is replenished and changeable, while replenishment and change are made in accordance with the needs (necessary information to be fulfilled by the means of its intended use) of both the antivirus tool 130 itself and the needs of the funds from the list of tools 140. Depending on the implementation, the changes may can be entered either directly from the user's computer or remotely, for example, using the anti-virus server 180 via the Internet 190. In addition, in one embodiment, the database is 150 can be located separately (remotely) from the anti-virus tool 130, for example, on the anti-virus server 180. It is also worth noting that in addition to the database 150, any information storage element can be used. So, for example, a file, registry or sector on the hard drive.

A feature of antivirus scanning of inactive OSs is the ability to determine whether files belong to the inactive OS by detecting the location of files in the OS being scanned and to perform point and / or partial scanning (antivirus scan) of files of the inactive OS, rather than checking all data (files) on the hard drive presented in the known inventions. For this, the claimed invention enumerates (numbering) logical drives for each inactive OS.

During the anti-virus scan of inactive OS, the anti-virus tool 130 has the ability to perform the following actions:

- search for all inactive OSs, such as 170a ... 170n, on the hard disk 160, during which identifiers (names) of logical disks for each OS are determined, and the relationship between the names of logical disks of different OSs,

- determination of the need for anti-virus scanning of each detected inactive OS,

- queuing anti-virus scans for inactive OS,

- search for malicious files for each inactive OS,

- upon detection of a malicious file, the criticality of the detected malicious file is checked both for the inactive OS being checked and for other operating systems contained on the user's computer,

- removal or treatment of a malicious file,

- cleaning of an inactive OS (hard disk) from traces of a malicious file, i.e. from traces of malicious activity of malicious files.

It is worth noting that the traces of the operation of a malicious file are understood as various connections of the malicious file with other OS files, for example, the presence of a link to a malicious file in another file; a file link (for example, a symlink, from the English. Symbolic link) to another (second, third, ...) part of the malicious file located in another folder or even on another local drive; links from the OS registry to the identified malicious file or shortcut (English shortcut) in the “Desktop” folder. The search for malicious files is carried out according to the identifiers of the disks that correspond to the inactive OS being checked and in certain places (local disks, directories, folders). In addition, in the preferred embodiment, when conducting an anti-virus scan, it checks mainly autorun files, OS system files, critical OS files and files located in autorun folders.

In FIG. Figure 3 shows the architecture of the anti-virus scan system for inactive operating systems with the subsequent elimination of the consequences of deleting a malicious file during the anti-virus scan of files of an inactive operating system. In one embodiment, the anti-virus scan system for inactive OS (hereinafter referred to as the claimed system) contains at least OS 210 enumerator, malware search tool for inactive OS (hereinafter referred to as file search tool) 220, and an inactive OS cleaner (hereinafter referred to as a means of cleansing) ) 230 and a critical file control tool (hereinafter referred to as a control tool) 240. In addition, the claimed system or its tools interact with a database 150 and an array of hard disks (hereinafter referred to as a hard disk) 160. It should be noted that the claimed system does not granichivaetsya said composition means, and may also have a connection to a remote server, for example, the central server 180 (shown in FIG. 2). Communication with the server 180 will be via the Internet 190.

Anti-virus server 180 can have various purposes, including, in one embodiment, contain databases 150 or at least one of the tools 210, 220, 230, and 240, i.e. have the functionality and purpose of these funds. In this case, the OS 210 listing tool, the file search tool 220, the comparison tool 230, and the control tool 240 can partially or fully redirect tasks assigned to them to the anti-virus server 180. Then, the tools 210, 220, 230, and 240 will be the tools that transmit and receive the necessary information for the operation of the anti-virus scan system of inactive OS. Thus, said system in one embodiment may be a distributed system.

In another embodiment, the OS enumerator 210 and the file search tool 220 can be combined in an anti-virus file scan system of inactive operating systems, and in turn, the cleaning tool 230 and the control tool 240 can form a system for eliminating the consequences of deleting a malicious file during the anti-virus file scan inactive operating system.

So, the OS 210 enumerator is designed to search on the hard disk 160 for all stored OS 170a ... 170n and determine the list of logical drives and the corresponding identifiers (for example, names) of logical drives for each OS found. For this, the OS 210 enumerator determines all the hard (physical) disks installed on the computer 20 and parses (analyzes) the structure of the physical disk 160 (in the case when several physical disks are parsed each) in order to determine the partitions of the physical disk and the number of logical disks into which the hard disks 160 installed on the computer 20 are divided. In one embodiment, the structure of the hard disk 160 is parsed using a set of drivers for various file systems. Depending on the implementation of the invention, a set of drivers may be included in the OS 210 enumerator, or be requested from the database 150. The OS 210 enumerator using the driver determines the list of partitions of the physical disk, i.e. a list of logical disks into which the physical disk 160 is partitioned. Next, the tool 210 searches and analyzes the installed OS on the computer 20. During the search for the installed OS, the tool 210 detects all downloader files (that is, files that are necessary to start the OS boot process ) operating systems contained on logical drives. In addition, in one embodiment, when a loader file is detected, the enumerator 210 checks its integrity. The integrity of the file downloader is checked, for example, by determining the presence of all the necessary information in the file. After that, the listing tool 210 analyzes the structure of each identified bootloader file to determine at least the type of OS to which the bootloader belongs, the full path (address) of loading the OS, and the storage location of files belonging to the identified OS. In addition, Listing Tool 210 additionally determines the OS family name, OS version, OS bit depth, a service for working with OS files, a list of users, a service for working with the system registry (only for Microsoft Windows). For example, the boot path for the Microsoft Windows XP family of OS is determined using the boot.ini bootloader configurator. According to a specific OS boot path, the OS is checked for the specified address and the system registry of the corresponding OS is detected. After that, the tool 210 analyzes the system registry of each detected OS, during which it determines on which logical disks the files of the analyzed OS are located and which names of logical disks correspond to the analyzed OS. Thus, the enumerator 210 detects all installed inactive operating systems on the computer 20, the list of logical drives and the names of the logical drives corresponding to each installed inactive OS. In addition, the tool 210 will match the logical drive names of one inactive OS with the logical drive names of another inactive / active OS. The result of matching the names of logical drives of different OSs can be a formed table containing information about the names of logical drives of different OSs. Further, the listing tool 210 transmits information about the installed inactive OS and the corresponding identifiers (names) of logical disks to the file search tool 220. Information about inactive OS means at least the type of OS, OS version, and location of the OS boot files, but is not limited to them.

In a particular embodiment of the claimed invention, the enumerator 210 can determine the number of logical drives using an active (loaded) OS. To do this, tool 210 will find the registry of the active OS and analyze it (in the case of the Windows operating system).

File search tool 220 is designed to determine (select) at least one inactive OS that needs to be checked for malicious files, and to perform anti-virus scanning of files of the selected inactive OS. Determining the need for anti-virus scanning of files of an inactive OS is based on at least one of the following criteria:

- the user's response to the request for anti-virus scanning of inactive OS (the request may be for all inactive OS, or for some of them), while in the response the user indicates which inactive OS should be checked;

- a flag is set that indicates the anti-virus scan of each inactive OS after identifying the corresponding inactive OS, and in case of identifying inactive OS more than one, a scan schedule and a sequence of checks for detected inactive OSs can be generated;

- the date of the last anti-virus scan of an inactive OS is outdated, for example, the user sets it or by default the time threshold between anti-virus checks of an inactive OS, exceeding which requires an anti-virus scan of an inactive OS;

- etc.

After determining the need for an anti-virus scan of at least one inactive OS, the file search tool 220 performs an anti-virus scan. During the anti-virus scan, the file search tool 220 determines the location (full storage path) of each file of the inactive OS to be checked according to the names (letters) of logical disks corresponding to the inactive OS to be checked. For this, the file search tool 220 matches the identifiers (names) of the logical disks related to the inactive OS being checked with the identifiers of the logical disks related to the active OS. It is worth noting that anti-virus scanning can be performed both on all files of the inactive OS being scanned, and only on a part of the files. In a preferred embodiment, anti-virus scanning of files related to autorun files used to run the inactive OS to be scanned, critical files and executable files stored in the autorun folders of computer users is performed. In order to determine the location of these files, the file search tool 220 uses the obtained identifiers (for example, names) of logical disks for an inactive OS and their correspondence to the identifiers (names) of logical disks of the active OS. For operating systems of the Microsoft Windows family, the registry of the inactive OS will also be checked. Directly anti-virus scanning of files is performed using modern technical solutions and technologies contained, for example, in the software products of Kaspersky Lab JSC.

When a malicious file is detected, file search tool 220 decides to delete or disinfect the detected file. In one implementation, before deciding on the detected malicious file, the specified file will be in quarantine mode (for example, in the quarantine folder, which will be isolated from other files). In one embodiment, the file search tool 220 may independently decide to delete the file. In another embodiment, the tool 220 transmits information about the found malicious file to the cleanup tool 230. The transmitted information contains various information about the file itself, such as the file name, file type, file location, file hash, etc.

It is worth noting that when deleting a malicious file in an inactive operating system, there is a possibility of an error in the inactive OS when the specified OS will be loaded or executed on the computer, i.e. will become an active OS. In order to eliminate the consequences of deleting malicious files, a number of measures are required to identify and delete data or files associated with the said malicious file. In the framework of the claimed invention, such measures are carried out using a means of cleaning inactive OS 230 and means of control 240.

In turn, the inactive OS 230 cleaner is designed to perform additional analysis related to the detected malicious file and / or its subsequent removal. An additional analysis is to search for various data (traces of malicious activity) associated with the malicious file in order to eliminate the possibility of recovering the malicious file or eliminate the error in the inactive OS when it becomes the active OS. It is worth noting that the data associated with the remote malicious file is data that contains the full path to the location of the remote malicious file. For example, when analyzing the program code of a file or analyzing a link in the system registry.

So, for example, the need for additional analysis (cleaning an inactive OS) is connected with the fact that a malicious file can consist of several parts or have independent parts that can both recover a malicious file if it is deleted, contain and execute malicious load or unauthorized with the user actions (for example, to make calculations using computer resources for third parties) that will be executed on the OS regardless of the removal of the malicious file. There may also be various links from other files or the registry (for Windows) to the identified malicious file, which can also restore the malicious file or, if the file is deleted, can cause the inactive OS to fail when it is loaded, in the flesh until it “freezes” »OS (the inability to continue operating the OS associated, for example, with a looping command). So, in one example, a file link, in addition to a text pointer to the file to which the link was originally attached, may contain additional information related to the malicious file and which will allow you to restore the specified malicious file. In another example, a malicious program that has files distributed on the hard disk, among which one of the files may be a symbolic link (English Symbolic). A symbolic link can contain the path to any object (file, another link, directory, nonexistent file) that must be opened when accessing a symbolic link, and the object can be placed on a logical drive with another file system or on the network. In another example, when deleting a malicious file, the file responsible for the operation of some OS service was deleted, which will lead to disruption of the service. Therefore, it is necessary to perform additional verification (cleaning) of an inactive OS in order to detect traces of malicious activity of a malicious file.

In a preferred embodiment, the cleaning tool 230 performs an additional check of at least the registry of the inactive OS, objects (files, links), startup and shortcuts from the “desktop” folder, while they also use corresponding logical drive names for the inactive OS being tested when determining the full path to the location of objects. To do this, the cleaner 230, before additional verification, will match the logical drive names of all operating systems found on the computer. During the scan, an analysis of the objects is performed, which, for example, consists in identifying the full path to the remote malicious file in the program code of the file. When analyzing the registry, links to a remote malicious file are also detected.

Consider this example: a symbolic link was found on the logical drive “C:”, while the name of the logical drive corresponds to an inactive OS. But the search is performed in the active OS, which has its own enumeration of logical drives. When analyzing a symbolic link, a pointer to a file located on the logical drive “D:” was found (this name corresponds to an inactive OS). At the same time, for the active OS, the specified logical drive will be, for example, the logical drive "E:". At the same time, the logical drive “D:” of the active OS for an inactive OS can be, for example, like the logical drive “F:”. Therefore, if you do not perform the name matching for the active OS and the inactive OS being tested, then the tool 230 will go over and search in another data storage location and will not reveal anything. Therefore, the cleaning tool 230, for the correct passage through the link pointing to another part of the malicious file, will reconcile the names of logical drives of all operating systems found on the computer. After which additional analysis will be carried out.

Based on the results of an additional scan, the cleaning tool 230 deletes the found links or files, if they are also malicious, and / or the malicious file itself, which was detected by the file search tool 220 if the malicious file was not previously deleted.

In addition, the claimed invention (cleaning tool 230) can check for a possible error in the further operation of the inactive OS being checked after deleting the malicious file or before deleting it. To do this, the cleaning tool 230 also performs an analysis of the effect (for example, what function does the malicious file or files associated with it) of the malicious file on other files of the inactive OS and / or makes a request to the critical file control tool 240 to check for malicious criticality file for the tested inactive OS.

So, in one embodiment, in addition to the specified request, the cleaning tool 230 also transmits to the control tool 240 information about the malicious file received from the file search tool 220. In another embodiment, the information about the detected malicious file, the file search tool 220 itself transfers the critical control tool 240 files, in the case of the initial need to check the criticality of a detected malicious file. The need depends on the initial settings of the claimed invention. Control tool 240 is designed to check the detected malicious file for compliance with the list of critical OS files stored in the database 150. One of the verification options is to check using file hashes. So, the hash amount of a malicious file is generated or obtained as information from other means, after which a search is made for the presence of information about the mentioned file in the list of critical OS files. A critical file is a file, if deleted, the OS will crash. An OS crash can be either significant for the OS or not significant. A significant malfunction, for example, is a failure to boot the OS when the OS starts. An example of a minor malfunction is a malfunction in a service or in a failure to launch a driver to work with external devices (microphone, music speakers) or a user's application. When determining that a malicious file is a critical file for an inactive OS, the malicious file is replaced with a safe file with functionality responsible for the correct operation of the inactive OS. In other words, a safe file is an analogue of a malicious file only until it is infected with malicious activity. In the event that the malicious file has been deleted, the control tool 240 will install the appropriate safe version of such a file according to the location of the deleted malicious file for the inactive OS. In one embodiment, the database 150 contains backup copies of all critical files, information about which is in the list of critical OS files.

In one embodiment, the list of critical files initially contains critical files for all existing operating systems, while the specified list can be adapted for each computer when determining installed OS on the computer. Adaptation refers to the formation of a list of critical files of only those operating systems that are installed on the computer. To add to the list of critical files, the anti-virus tool 130 interacts with the anti-virus server 180.

In yet another embodiment, the monitoring tool 240 may check the file against the critical file of the inactive OS being verified by creating a virtual environment where the virtual environment corresponds to an inactive OS. Accordingly, in the generated virtual environment, the operation of the checked inactive OS with and without the corresponding file will be checked. After that, the criticality of the checked file will be determined. In addition, a virtual environment can be formed both within the framework of the active OS and remotely on a server (“cloud”) with which communication is carried out through a network, for example, the Internet.

In FIG. 4 shows an example of a method for listing operating systems during an anti-virus scan of inactive operating systems using the claimed invention. At 310, the number of hard drives installed on the computer is determined using the enumerator 210. It is worth noting that hereinafter at least one storage device can be used as a hard disk. As a result, the structure (analysis) of the structure of each physical disk is analyzed to determine the partitions of the physical disk and the number of logical disks into which the hard disk is divided. The analysis of the structure of each hard disk is performed using a set of drivers for various file systems, and the set of drivers, depending on the implementation of the invention, is either in the enumerator 210 itself or requested from the database 150. At 320, the enumeration list is determined using the enumerator 210 at least one physical disk, i.e. A list of logical drives into which at least one physical drive is partitioned. To this end, enumerator 210 uses the specified set of drivers for various types of file systems. When the list of logical drives is determined, then at step 330, all operating system boot loaders that are contained on the identified logical drives using the enumerator 210 are identified (searched). In addition, when the loader files are detected, the enumerator 210 can perform an analysis step file loader for integrity, i.e. the actual presence (presence) of the operating system on the computer of the corresponding file-loader, for example, by checking the availability of all the required data to load the corresponding OS (a list of such data is known in advance). Then, at step 340, the structure of each identified bootloader file is analyzed to determine the installed OS on the user's computer. When analyzing the structure of the file-loader, at least the type (name) of the OS and the storage location of the files of a particular OS (on which logical drive the OS is located) will be determined. In addition, for each operating system of the Microsoft Windows family (for example, Windows Vista, Windows XP, Windows 7), a registry is also searched. After determining all installed operating systems (in other words, forming the OS list), at step 350, for each inactive OS, the corresponding logical drive names from the list of logical drives are determined. So, for example, for Windows, the system registry will be analyzed, during which the names of logical drives for the specified Windows are determined. After determining for each inactive OS the corresponding names of logical drives, enumerator 210 at step 360 compares the names of the logical drives of various OSs, both inactive and active. As a rule, the active OS is one OS that is loaded at the time of the claimed invention. After that, a table of connection of the names of logical drives of all installed operating systems can be formed. At step 370, enumerator 210 transmits information about inactive operating systems to file search engine 220. In this case, the information includes both information about the inactive operating systems themselves and the names of logical drives corresponding to each inactive operating systems (for example, in the form of a table of communication between logical drive names for all operating systems )

In FIG. 5 presents a frequent case of implementing the method of searching for a malicious file and cleaning an inactive operating system of the consequences of deleting a malicious file during anti-virus scanning of inactive operating systems using the claimed invention.

At step 410, the need for anti-virus scanning of files for each identified inactive OS is determined, and the determination of the mentioned need is made based on at least one of the criteria listed above (in the description of Fig. 3). For example, such as a user’s request or by the date of the last anti-virus scan for the corresponding inactive OS. It should be noted that anti-virus scanning of files of an inactive OS or the most inactive OS itself generally means scanning of files related to autorun files and critical files of an inactive OS. After determining the inactive OS using the file search tool 220, the sequence of anti-virus scanning of inactive OS is determined at step 420. In the event that an anti-virus scan is required for only one inactive OS, step 420 may be skipped or the sequence will contain only one inactive OS. In another case, if there are at least two inactive OSs, the sequence will be built according to the criteria that determined the need for anti-virus scanning of inactive OS files. So, for example, if there is a user request, then the sequence will be determined in this request. If by the date of the last scan, then by the principle: the longer the inactive OS was not scanned, the higher the priority of the scan among the OS. Next, at step 430, files for which an anti-virus scan will be performed are detected for each inactive OS. To do this, determine the location of these files according to the names of logical disks of the inactive OS and their comparison with the names of logical disks of the active OS. Then, according to the location (full storage path) of each file, at step 440, an anti-virus scan of each file checked by the inactive OS is performed. In a preferred embodiment, anti-virus scanning of files that relate to autorun files that are necessary to run the inactive OS to be scanned, critical files and executable files that are stored in the autorun folders of computer user accounts is performed. At step 450, anti-virus scanning of files is performed using modern technical solutions and technologies contained, for example, in the software products of Kaspersky Lab JSC. If there is no malicious file in the inactive OS, the anti-virus scan ends. Otherwise, if at least one malicious file was found, then it is transferred to step 460. At step 460, the found malicious file is checked for its criticality with respect to the inactive OS being checked. Also, in the particular case of the implementation, the malicious file is checked for its compliance with the critical files of all OSs installed on the computer. In one embodiment, the criticality check of the file consists in comparing the detected malicious file with the list of critical files stored in the database 150 for all operating systems installed on the user's computer. In the event that the malicious file is not a critical file, this malicious file is deleted at step 470. Otherwise, the specified malicious file is quarantined and disinfected at step 480. The treatment consists in analyzing the file code and then identifying the malicious functionality and then deleting the found malicious functionality from the file. In the event that it is impossible to cure the specified file, the file is deleted by replacing the safe files, which also fulfills the purpose, but does not contain malicious functionality. In this case, the safe file is located at the location of the found malicious file. It is worth noting that the identification of critical files and their treatment or deletion will further avoid errors in the inactive OS when it is loaded.

At step 490, the checked inactive OS is cleaned up using the cleanup tool 230. The cleanup consists in searching for various data associated with the malicious file in order to eliminate traces of the malicious file, i.e. eliminate the possibility of recovering a malicious file or eliminate the error in the inactive OS when it is loaded into the processor. At step 490, cleaning is carried out according to the embodiments presented in the description of the cleaning agent 230 in FIG. 3. After that, the anti-virus scan in accordance with steps 440-490 is performed for the subsequent inactive OS, if it is determined that an anti-virus scan is necessary for two or more inactive OS.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims.

Claims (44)

1. The system of anti-virus scanning of files of the operating system that is installed on the computer and is not running at the time of the specified scan, i.e. inactive operating system, while the claimed system contains: a) a database associated with a tool for listing operating systems (OS) and a file search tool designed to store at least a set of drivers for various file systems and information designed to perform anti-virus scanning of inactive OS; b) an OS listing tool designed to search for at least one inactive OS installed on a computer, determine logical drive identifiers for each installed inactive OS, and transfer information about each inactive OS and specific logical drive identifiers corresponding to each inactive OS to a file search tool, while the OS listing facility: - Detects all hard drives installed on the computer; - parses the structure of each hard drive installed on the computer using a set of drivers for various file systems; - Defines a list of logical drives; - identifies files that perform OS boot (downloader files) on specific logical drives; - analyzes the structure of each identified file downloader, during which it determines the type of OS to which the file downloader belongs, and the location of the OS on logical disks; - generates a list of inactive OS, which contains at least one inactive OS; and - Defines the identifiers of logical drives for each inactive OS; c) a file search tool designed to identify at least one inactive OS that needs to be checked for malicious files and to perform anti-virus scanning of files of at least one inactive OS, and if there are several installed inactive OSs, an inactive OS for anti-virus scanning is selected At the same time, during the anti-virus scan of an inactive OS, the file search tool: - compares the identifiers of logical disks related to an inactive OS with the identifiers of logical disks related to an active OS, where the active OS is understood as the OS that was launched at the time of the specified check; - defines files that are related to an inactive OS in the active OS according to the full path of storing the specified files in the inactive OS through the associated identifiers of logical drives; - performs anti-virus scanning of certain files at specific storage addresses; - Detects and deletes at least one malicious file. 2. The system according to claim 1, in which the OS listing facility additionally, when analyzing the structure of the identified bootloader file, determines the full address of the file location. 3. The system according to claim 1, wherein the OS listing tool during the analysis of the structure of each identified bootloader file further includes an analysis of indirect features, according to which it determines the identifier of the operating system. 4. The system of claim 1, wherein logical disk identifiers for the Microsoft Windows operating system are understood to mean at least the logical disk names. 5. The system according to claim 1, in which information about inactive OS is understood as at least one or more of the following information: OS type, OS family name, OS version, OS capacity, and the location of the OS boot files. 6. The system of claim 1, wherein said file search tool only detects files for anti-virus scanning related to autorun files of the OS, system files of the OS, critical files of the OS and executable files stored in the autorun folders of computer users. 7. The system of claim 1, wherein the file search tool, upon receipt of information about more than one inactive OS, determines the sequence and time of anti-virus scanning of certain inactive OS. 8. The system of claim 1, wherein the file search tool, when determining more than one inactive operating system, determines the need for anti-virus scanning of each inactive operating system. 9. The system of claim 8, wherein the file search tool determines the need for an anti-virus scan using a request to a user or automatically. 10. The system of claim 9, wherein the file search tool, when automatically detecting an anti-virus scan, is guided by at least one of the following criteria: the date of the last anti-virus scan or the schedule of anti-virus scanning of inactive operating systems. 11. The method of anti-virus scanning of files of the operating system that is installed on the computer and is not running at the time of the specified scan, i.e. an inactive operating system, the method comprising the steps of: a) using the OS listing tool, search for at least one inactive OS installed on the computer, during which: - determine all the hard drives installed on the computer, - analyze the structure of each hard drive installed on the computer using a set of drivers for various file systems, - define a list of logical drives, - identify files that perform OS boot (downloader files) on certain logical drives, - analyze the structure of each identified file loader, during which determine the type of OS to which the file loader belongs, and the location of the OS on logical disks, - form a list of inactive OS, which contains at least one inactive OS, - determine the identifiers of logical drives for each installed inactive OS; b) using the file search tool, determine at least one inactive OS, which must be checked for malicious files, and scan files of at least one inactive operating system, and if there are several installed inactive OSs, an inactive OS is selected for anti-virus scanning , during the anti-virus scan of an inactive OS: - match the identifiers of logical disks related to an inactive OS with the identifiers of logical disks related to an active OS, where an active OS refers to the OS that was launched at the time of the specified check, - determine the files that are related to the inactive OS in the active OS according to the full path of storing the specified files in the inactive OS through the associated identifiers of logical drives, - they perform anti-virus scanning of certain files according to specific storage addresses, - identify and delete at least one malicious file. 12. The method according to p. 11, in which the hard drive is any storage device designed to store data, including the hard drive itself, a solid state drive and a network drive. 13. The method according to p. 11, in which the analysis of the structure of the file downloader further includes an analysis of indirect features, according to which determine the name of the operating system. 14. The method according to p. 11, in which when determining more than one inactive operating system, determine the sequence and time of the anti-virus scan of certain inactive operating systems. 15. The method according to p. 11, in which when determining more than one inactive operating system, determine the need for anti-virus scanning of each inactive operating system. 16. The method according to p. 15, in which the need for an anti-virus scan is determined using a request to the user or automatically. 17. The method according to p. 11, in which only files for anti-virus scanning are detected, related to autorun files of the OS, system files of the OS, critical files of the OS and executable files stored in the “startup” folders of computer users.

Images