Patent Grant
RE44131
1. Field of the Invention
The present invention relates to a storage device having a function for coping with a computer virus that has the ability to prevent infection with a computer virus and to properly deal with infection with a computer virus.
In recent years, computer systems using computer programs have prevailed in enterprises, households, and the like. Accordingly, the number of occurrences of computer viruses that destroy or damage the computer systems and that have an auto-proliferation ability has tended to increase markedly.
In particular, recently-procurable personal computers are interconnected over a network such as a local area network (LAN) and adopt the configuration enabling information exchange through data communications. The fear that a computer virus (hereinafter abbreviated to a virus) residing in one personal computer spreads into the other personal computers connected over the network is becoming more and more serious.
This makes it necessary to construct a storage device having the ability to freely use files while preventing the breeding of a virus and to delete a file infected with a virus or restore the infected file into an uninfected state.
2. Description of the Related Art
For a clear understanding of problems concerning viruses destroying computer systems, infection with a virus in a typical storage device will be described with reference to
A storage device 100 basically comprises, as shown in
The storage device 100 having the foregoing components is designed to be directly accessed by a driver under the control of an operating system in the personal computer 110 comprising a CPU 112 for processing various kinds of data, a RAM 114 for storing various kinds of data and programs, a ROM 116, and the like. In other words, the storage device yields such an environment in which; a file expanded in the personal computer 110, one running can readily destroy other files stored in the storage device.
On the other hand, a virus that intrudes from an external unit into a file via a LAN adapter 130, keyboard 140, display 150, or the like rewrites another file using a physical address of the file which is indicated by low-order address bits, or rewrites a system startup area such as a bootstrap using a physical address of the system startup area which is indicated by low-order address bits, and thus destroys an original program.
This poses a problem that files stored in a storage device are readily infected with a virus.
In an effort to cope with the above problem, a prior art system design is adopted such that if a virus checker (not shown) expanded in the personal computer 110 finds a file infected with a virus from among files expanded on the disk 105 in the storage device 100, all the files expanded on the disk are cleared and then originals of the files are installed again.
However, in the prior art, it is detected whether any of the files expanded on a disk in a storage device is infected with a virus. If any of the files is infected, the file is treated properly. The prior art does not adopt a method of actively preventing infection with a virus. There is therefore a problem that files expanded on the disk in the storage device are readily infected with a virus.
Moreover, in the prior art, when it is detected that any of files expanded on a disk in a storage device is infected with a virus, all the files expanded on the disk are cleared and then originals of the files are installed again. This poses a problem that a user is obliged to incur an enormous work load.
In the prior art, a file judged to be infected with a virus is cleared in its entirety. It cannot be analyzed as to what kind of virus destroyed the file. This poses a problem in that an anti-virus measure cannot be examined.
In view of the above-described problems, an object of the present invention is to provide a storage device having a function, for coping with a computer virus which has the ability to prevent infection with a virus and to properly deal with an infection of a virus.
To solve the above problems, a storage device having a function for coping with a computer virus in accordance with the present invention comprises: an infection management table means used to manage files stored on a disk and to see if the files are infected with a virus; a table registering means for receiving a result of detection from a virus checker for detecting if a file stored on the disk is infected with a virus, and for registering the result in the infection management table means; a judging means that when a use request is made externally for a file stored on the disk, references the infection management table means so as to judge if the file is infected with a virus; and a prohibiting means that when the judging means has judged that a file is infected with a virus, prohibits the use of the file.
In the storage device having the function of coping with a computer virus in accordance with the present invention, preferably, the virus checker is designed to be run by the storage device having a function for coping with a computer virus.
Furthermore, in the storage device having the function of coping with a computer virus in accordance with the present invention, the virus checker is designed to be activated at intervals of a specific cycle.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, the virus checker is designed to be activated in response to a command instruction.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, when a writing request is issued for a system startup area stored on a disk, the table registering means judges that a file which is stored on the disk and is a source of the writing request is infected with a virus and that registers the fact in the infection management table means.
More preferably, the storage device having the function of coping with a computer virus in accordance with the present invention includes an invalidating means that when a writing request is issued for the system startup area stored on the disk, invalidates the writing request.
More preferably, the storage device having the function of coping with a computer virus in accordance with the present invention includes a dedicated writing means for executing writing for the system startup area stored on the disk. When a writing request is issued for the system startup area stored on the disk, if the writing request specifies the use of the writing means, the invalidating means does not invalidate the writing request.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, when a writing request is issued for an executable file stored on a disk, the table registering means judges that a file which is stored on the disk and is a source of the writing request is infected with a virus and registers the fact in the infection management table means.
More preferably, the storage device having the function of coping with a computer virus in accordance with the present invention includes a permitting means for determining whether a writing request made for a file that is registered as a virus-infected file by the table registering means and that is running should be permitted.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, when a writing request is permitted by the permitting means, if a file that is a destination of the writing request is rewritten, the table registering means judges that the file which is the destination of the writing request is also infected with a virus and registers the fact in the infection management table means.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, when the size of a file is varied by running the file, the table registering means judges that the file stored on the disk is infected with a virus and registers the fact in the infection management table means.
More particularly, in the storage device having the function of coping with a computer virus in accordance with the present invention, although a file stored on the disk is judged to be an executable file in terms of the file name, if the file is declared to be a data file, the table registering means judges that the file stored on the disk is infected with a virus and registers the fact in the infection management table means.
More preferably, the storage device having the function of coping with a computer virus in accordance with the present invention includes a determining means for determining through interactive processing whether the use of a virus-infected file that is registered in the infection management table means should be permitted. The prohibiting means does not prohibit the use of a file which is permitted by the determining means.
More preferably, the storage device having the function of coping with a computer virus in accordance with the present invention includes: a first managing means for managing original information of files stored on a disk; a second managing means for managing differential information brought about due to modification concerning the files stored on a disk, and history information concerning the differential information brought about due to modification; and a file registering means for merging the original information of a file which is managed by the first managing means and the differential information brought about due to modification which is managed by the second managing means so as to produce a file, and then registering the produced file on the disk.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, the first managing means manages original information that is confirmed not to be infected with a virus by the virus checker, and the second managing means manages differential information brought about due to modification which is confirmed not to be infected with a virus by the virus checker.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, as for a file which is stored on the disk, of which original information is not registered in the first managing means, and of which differential information brought about due to modification is not registered in the second managing means, the table registering means judges that the file stored on the disk is infected with a virus, and then registers the fact in the infection management table means.
More preferably, the storage device having the function of coping with a computer virus in accordance with the present invention includes a restoring means for deleting a virus-infected file that is registered in the infection management table means from the disk, activating the file registering means, thus restoring the file, and then registering the file on the disk.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, the first managing means manages original information of the virus checker, and the second managing means manages differential information brought about due to modification concerning the virus checker and history information concerning the differential information brought about due to modification. The storage device includes a generating means for merging the original information of a virus checker which is managed by the first managing means with the differential information brought about due to modification concerning a virus checker which is managed by the second managing means so as to reproduce the virus checker.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, the generating means generates a virus checker at the time of running a virus checker.
More preferably, in the storage device having the function of coping with a computer virus in accordance with the present invention, the first managing means encodes and manages original information, and the second managing means encodes and manages differential information brought about due to modification. The storage device includes a decoding means for decoding encoded data managed by the first and second managing means, and an encoding means for executing inverse conversion that is inverse to conversion performed by the decoding means.
More preferably, the storage device having the function of coping with a computer virus in accordance with the present invention includes a saving means for saving a virus-infected file that is registered in the infection management table means and virus information concerning the file in an inexecutable area, and a reading means for reading the information saved in the inexecutable area under the condition that permission information for permitting access to the inexecutable area is given.
In the storage device having the function of coping with a computer virus in accordance with the present invention, the table registering means registers a virus-infected file detected by the virus checker in the infection management table means.
Furthermore, when a writing request is issued for a system startup area stored on a disk, since a normal file will not issue such a writing request, the table registering means judges that a file which is a source of the writing request is infected with a virus, and registers the fact in the infection management table means. This is intended to treat new, malign, or unusual kinds of viruses that cannot be detected by the virus checker. At this time, when a writing request is issued, the invalidating means invalidates the writing request. When the writing means is included, if the writing request specifies the use of the writing means, the invalidating means does not invalidate the writing request.
Moreover, when a writing request is issued for an executable file stored on a disk, since a normal file will not issue such a writing request, the table registering means judges that a file which is a source of the writing request is infected with a virus and registers the fact in the infection management table means. The permitting means determines through interactive processing whether the writing request should be permitted. When the permitting means permits the writing request, since the file is rewritten, the table registering means judges that the file which is stored on the disk and is a destination of the writing request is also infected with the virus and registers the fact in the infection management table means.
When the size of a file is varied by running the file, the table registering means judges that the file stored on the disk is infected with a virus and registers the fact in the infection management table means.
Although a file stored on a disk is judged to be an executable file in terms of the file name, if the file is declared to be a data file, the table registering means judges that the file stored on the disk is infected with a virus and registers the fact in the infection management table means.
As for a file which is stored on a disk, of which original information is not registered in the first managing means, and of which differential information brought about due to modification is not registered in the second managing means, the table registering means judges that the file stored on the disk is infected with a virus and registers the fact in the infection management table means.
As mentioned above, when a virus-infected file is registered in the infection management table means, if a data processing unit makes a use request for the file stored on the disk, the judging means references the infection management table means so as to judge if the file for which the use request is made is infected with a virus. On receipt of a result of the judgment, the prohibiting means prohibits the use of the file that is judged to be infected with a virus. At this time, the prohibiting means does not prohibit the use of a file which is permitted by the determining means.
The saving means saves, that is, stores temporarily a virus-infected file whose use is prohibited and virus information concerning the file in the inexecutable area. The reading means reads the saved information from the inexecutable area and outputs it as information used for virus analysis under the condition that permission information for permitting access to the inexecutable area is given.
On the other hand, the restoring means deletes a virus-infected file, which is registered in the infection management table means, from the disk, activates the file registering means, thus restores the file, and then registers the restored file on a disk.
As mentioned above, the storage device having the function of coping with a computer virus in accordance with the present invention is designed to actively prevent infection with a virus, prohibits the use of a virus-infected file and restores the virus-infected file automatically, and preserves information concerning infection with viruses so that the information cannot be accessed readily. Consequently, a storage device capable of properly dealing with infection with a virus can be constructed.
The above objects and features of the present invention will be more apparent from the following description of some preferred embodiments with reference to the accompanying drawings, wherein:
Hereinafter, the description of some preferred embodiments according to the present invention will be given with reference to the accompanying drawings.
In the drawing, reference numeral 1 denotes a storage device having the function of coping with a computer virus in accordance with the present invention. Reference numeral 2 denotes a data processing unit for executing data processing using a file stored in the storage device 1 having the function of coping with a computer virus.
The storage device 1 having the function of coping with a computer virus comprises a disk 10, first managing means 11, second managing means 12, file registering means 13, generating means 14, virus checker 15, infection management table means 16, table registering means 17, judging means 18, prohibiting means 19, determining means 20, restoring means 21, invalidating means 22, writing means 23, permitting means 24, inexecutable area 25, saving means 26, and reading means 27. Herein, the virus checker 15 may be expanded in the data processing unit 2.
The disk 10 stores files. The first managing means 11 manages original information of the files stored on the disk 10 or manages original information of the virus checker 15. The second managing means 12 manages differential information brought about due to modification; that is, information concerning upgraded versions of the files stored on the disk, and history information concerning the differential information brought about due to modification, or manages differential information brought about due to modification concerning the virus checker 15; that is, information concerning an upgraded version of the virus checker 15, and history information concerning the differential information brought about due to modification.
The first managing means 11 may encode and manage the original information of the files and virus checker 15 so as to prevent the original information from being rewritten. The second managing means 12 may encode and manage the differential information brought about due to modification concerning the files and virus checker 15 so as to prevent the information from being rewritten. At this time, a decoding means for decoding the encoded data and an encoding means for executing inverse conversion that is inverse to conversion performed by the decoding means are included in the second managing means 12.
The file registering means 13 merges the original information of a file which is managed by the first managing means 11 with the differential information brought about due to modification concerning the file which is managed by the second managing means 12 so as to reproduce the file, and then stores the file on the disk 10. The generating means 14 merges the original information of the virus checker 15 which is managed by the first managing means 11 with the differential information brought about due to modification concerning the virus checker 15 which is managed by the second managing means 12 so as to reproduce the virus checker 15.
The virus checker 15 is activated at intervals of a specific period or activated in response to a command instruction, and detects whether a file stored on the disk 10 is infected with a virus. The infection management table means 16 is used to manage files stored on the disk and to see if the files are infected with viruses. The table registering means 17 registers data in the infection management table means 16. The judging means 18 references the infection management table means 16 in response to a use request made for a file stored on the disk 10 by the data processing unit 2, and judges if the file is infected with a virus. When the judging means 18 judges that a file is infected with a virus, the prohibiting means 19 prohibits the use of the file.
The determining means 20 determines through interactive processing whether the use of a file registered in the infection management table means 16 should be permitted. The restoring means 21 deletes a virus-infected file, which is registered in the infection management table means 16, from the disk 10, activates the file registering means 13, thus restores the file, and then registers the restored file on the disk 10. When a writing request is issued for a system startup area stored on the disk 10, the invalidating means 22 invalidates the writing request. The writing means 23 is prepared as a dedicated writing facility and executes writing for the system startup area stored on the disk 10.
The permitting means 24 determines through interactive processing whether a writing request made for an executable file stored on the disk should be permitted. The inexecutable area 25 is prepared as an area inaccessible with a normal access request. The saving means 26 saves a virus-infected file registered in the infection management table means 16 and virus information concerning the file in the inexecutable area 25. The reading means 27 reads information saved in the inexecutable area 25 under the condition that permission information for permitting access to the inexecutable area 25 is given.
In the embodiment of the present invention shown in
Furthermore, when a writing request is issued for a system startup area stored on the disk 10, since a normal file will not issue such a writing request, the table registering means 17 judges that a file which is stored on the disk 10 and is a source of the writing request is infected with a virus, and registers the fact in the infection management table means 16. This is intended to treat new, malign, or unusual kinds of viruses that cannot be detected by the virus checker 15. When the writing request is issued, the invalidating means 22 invalidates the writing request. However, when the writing means 23 is included, if the writing request specifies the use of the writing means 23, the invalidating means 23 does not invalidate the writing request.
When a writing request is issued for an executable file stored on the disk 10, since a normal file will not issue such a writing request, the table registering means 17 judges that a file which is stored on the disk 10 and is a source of the writing request is infected with a virus, and registers the fact in the infection management table means 16. At this time, the permitting means 24 determines through interactive processing whether the writing request should be permitted. When the permitting means 24 permits the writing request, since the file is rewritten, the table registering means 17 judges that a file which is stored on the disk 10 and is a destination of the writing request is also infected with the virus, and registers the fact in the infection management table means 16.
Moreover, when the size of a file is varied by running the file, the table registering means 17 judges that the file stored on the disk 10 is infected with a virus, and registers the fact in the infection management table means 16.
Moreover, although a file stored on the disk is judged as an executable file in terms of the file name, if the file is declared to be a data file, the table registering means 17 judges that the file stored on the disk 10 is infected with a virus, and registers the fact in the infection management table means 16.
Moreover, as for a file which is stored on the disk 10, of which original information is not registered in the first managing means 11, and of which differential information brought about due to modification is not registered in the second managing means 12, the table registering means 17 judges that the file stored on the disk 10 is infected with a virus, and registers the fact in the infection management table means 16.
As mentioned above, when a virus-infected file is registered in the infection management table means 16, if the data processing unit 2 makes a use request for the file stored on the disk 10, the judging means 18 references the infection management table means 16 so as to judge if the file for which the use request is made is infected with a virus. On receipt of a result of the judgment, the prohibiting means 19 prohibits the use of the file that is judged to be infected with a virus by the judging means 18. At this time, the prohibiting means 19 does not prohibit the use of a file which is permitted by the determining means 20.
The saving means 26 saves the virus-infected file whose use is prohibited and virus information concerning the file in the inexecutable area 25 that cannot be accessed readily. The reading means 27 reads the saved information from the inexecutable area 25 under the condition that permission information for permitting access to the inexecutable area 25 is given, and outputs the read information as information used for virus analysis.
On the other hand, the restoring means 21 deletes a virus-infected file registered in the infection management table means 16 from the disk 10, activates the file registering means 13, thus restores the file, and registers the file on the disk 10.
As mentioned above, the storage device 1 having the function of coping with a computer virus shown in
A storage device having the function of coping with a computer virus in accordance with the present invention will be described below in detail in conjunction with several preferred embodiments that are more practical than the basic embodiment shown in
The storage device 1 having the function of coping with a computer virus in this embodiment is connected to a personal computer 2a. The storage device 1 includes a disk 30 for storing files that are objects of access obtained by the personal computer 2a as well as a ROM 31 for storing firmware or the like that executes access processing or anti-virus processing, a CPU 32 for running firmware stored in the ROM 31 and executing data transfer to or from the personal computer 2a, and a RAM 33 prepared as a work area used by firmware that is run by the CPU 32, and thus has the capability of a CPU.
The storage device 1 further includes an original information management file 34 used to manage original information of files stored on the disk 30 and original information of a virus checker prepared for inspection of the files stored on the disk. A version update information management file 35 is used to manage differential information brought about due to modification concerning a file stored on the disk 30 and history information concerning the differential information brought about due to modification, and to manage differential information brought about due to modification concerning the virus checker and history information concerning the differential information brought about due to modification. A file information management file 36 is used to manage the information indicating if the files are stored on the disk, and is used to determine if the original information stored in the original information management file 34, and the differential information (brought about due to modification and which is stored in the version upgrade information management file 35) are infected with viruses. The information indicates if the files to be managed are executable files or data files, and if the files to be managed belong to a bootstrap or an initial program loader (IPL). An inexecutable area 37 which is prepared as an area that becomes accessible only when a password and ID number agree with internal data, and in which a file infected with a virus and virus information concerning the file are saved, has a data structure shown in
The inexecutable area 37 shown in
Further included is a controller 38 for accessing a file stored on the disk, accessing original information managed in the original information management file 34, accessing the differential information brought about due to modification and history information which are managed in the version upgrade information management file 35, or accessing information saved in the inexecutable area 37.
Herein, the original information management file 34 and version upgrade information management file 35 are not designed to enable management of original information and differential information brought about due to modification from the viewpoint of a mere difference but may be designed to enable management of original information and differential information brought about due to modification on the basis of a relationship of succession including a parent-child relationship.
In the first preferred embodiment shown in
The storage device 1 having the function of coping with a computer virus in accordance with the present invention has, as mentioned above, the configuration including the original information management file 34 and version upgrade information management file 35.
The foregoing configuration is adopted for the following reasons: original information of a file stored on the disk 30 is stored in the original information management file 34; when the file is upgraded into a new version, differential information brought about due to modification concerning the upgraded version and history information concerning the differential information brought about due to modification are stored in the version upgrade information management file 35; and in case a file stored on the disk 30 is infected with a virus, the file can be restored by merging the original information of the file with differential information brought about due to modification. Moreover, since original information of a file and differential information brought about due to modification concerning the file are not expanded on the disk 30, it can be prevented that these kinds of information are infected with a virus.
A virus checker prepared for inspection of a file stored on a disk also has the possibility of being upgraded into a new version. The original information of the virus checker is stored in the original information management file 34. Differential information brought about due to modification concerning the upgraded version and history information concerning the differential information brought about due to modification are stored in the version upgrade information management file 35. Thus, the virus checker is managed.
Incidentally, when the original information management file 34 and version upgrade information management file 35 are constructed on the same medium, original information of files and a virus checker, differential information brought about due to modification concerning the files and virus checker, and history information concerning the differential information brought about due to modification can be managed totally. This is convenient in practice. In addition, the disk 30 and inexecutable area 37 may be constructed on the medium.
Original information of files and a virus checker which is stored in the original information management file 34, and differential information brought about due to modification concerning the files and virus checker and history information concerning the differential information brought about due to modification which are stored in the version upgrade information management file 35 must not be rewritten by the personal computer 2a.
The storage device 1 having the function of coping with a computer virus has the configuration in which original information 34a of files and a virus checker which is stored in the original information management file 34, and differential information brought about due to modification concerning the files and virus checker and history information concerning the differential information brought about due to modification which are stored in the version upgrade information management file 35 are encoded, and in which a decoding mechanism for decoding encoded data is made ready. As shown in
More particularly, the encoding mechanism and decoding mechanism are realized by firmware stored in an area 312, which is reserved in order to store firmware, in the ROM 31 in the storage device 1 having the function of coping with a computer virus. For realizing the mechanisms, as shown in
Furthermore, the storage device 1 having the function of coping with a computer virus in accordance with the present invention includes the file information management file 36 as mentioned above.
The file information management file 36 manages the information indicating if files stored on the disk 30, original information stored in the original information management file 34, and differential information brought about due to modification which is stored in the version upgrade information management file 35 are infected with viruses, the information indicating if these files to be managed are executable files or data files, and the information indicating that the files to be managed belong to a bootstrap or an IPL.
Specifically, the file information management file 36 manages, as shown in
Herein, in the storage area of an execution/date type flag, “1” is set relative to an executable file and “0” is set relative to a data file. In the storage area of a starting portion flag, “1” is set in case a file belongs to a bootstrap or IPL, and “0” is set in any other case. In the storage area of infection flag <1> or <2>, “1” is set when infection with a virus is detected, and “0” is set when infection with a virus it not detected. In the storage area of infection flag <3>, “1” is set when infection with a virus is suspected, and “0” is set when infection with a virus is not suspected. In the storage area of infection flag <4> or <5>, “1” is set when infection with a virus is suspected, and “0” is set when infection with a virus is neither detected nor suspected.
When activated, the storage device 1 having the function of coping with a computer virus initializes the infected-file storage area and virus information storage area (storage areas shown in
On the other hand, for registering original information of a purchased file in the original information management file 34 or registering differential information brought about due to modification concerning the file in the version upgrade information management file 35, the storage device 1 having the function of coping with a computer virus merges original information of a virus checker which is stored in the original information management file 34 with the latest differential information brought about due to modification concerning the virus checker which is stored in the version upgrade information management file 35. Thus, the virus checker is reproduced and expanded in the RAM 33.
As shown in the second example of a processing flow in
By contrast, when it is judged that a file is not infected with a virus, the file is stored in the original information management file 34 and version upgrade information management file 35 which are destinations of registration. History information is created and stored in the version upgrade information management file 35 (step S154). The file (when a registered file contains differential information brought about due to modification, the file is a file created by merging the information with original information) is then expanded on the disk 30. At the same time, data is registered in the file information management file 36 (step S155).
As mentioned above, original information of a file which is not infected with a virus is registered in the original information management file 34. Differential information brought about due to modification concerning the file which is not infected with a virus is registered in the version upgrade information management file 35. A file that contains the original information merged with the differential information brought about due to modification and that is not infected with a virus is then expanded on the disk 30. Herein, the reason why the system is designed so that a virus checker is not stored on the disk 30 in advance but produced prior to checking on infection with a virus is to prevent the virus checker itself from being infected with a virus.
In the second example of a processing flow in
As mentioned above, in this embodiment of the present invention, it is judged that a file being stored on the disk 30 and attempting to write a bootstrap or an IPL is infected with a virus. This is attributable to the fact that a normal file will not perform such writing.
As described later, since the present invention adopts the system design of prohibiting a file infected with a virus from running, a file attempting to write a bootstrap or IPL is prohibited from running. This means that the bootstrap or IPL cannot be registered. In the present invention, therefore, when a specific command instructing registration of the bootstrap or IPL is issued, the registration is permitted.
As shown in the third example of a processing flow in
Next, virus-infected file detection to be executed by the storage device 1 having the function of coping with a computer virus will be described. The detection falls into two procedures; a procedure to be executed using a virus checker, and a procedure to be executed by judging the attribute of a writing-destination file.
For detecting a virus-infected file using a virus checker, the storage device 1 having the function of coping with a computer virus first waits, as described in the fourth example of a processing flow shown in
Thereafter, one of the unprocessed files on the disk 30 is extracted at step S173. At step S174, the produced virus checker is used to check if the extracted file is infected with a virus. When it is judged by the checking that a file is infected with a virus, control is passed to step S175. “1” is recorded as infection flag <1> associated with the file in the file information management file 36, whereby it is registered that the file is infected with a virus. By contrast, when it is judged that the file is not infected with a virus, control is passed to step S176. “0” is recorded as infection flag <1>, whereby it is registered that the file is not infected with a virus.
At step S177, it is judged that all the files stored on the disk 30 have been processed. If it is judged that an unprocessed file is left, control is returned to step S173. If it is judged that no unprocessed file is left, control is passed to step S178. It is judged if a mode, in which original information stored in the original information management file 34 and differential information brought about due to modification which is stored in the version upgrade information management file 35 are also subjected to virus check, is designated. If the mode in which both the original information and differential information brought about due to modification are subjected to virus check is not designated, control is returned to step S171.
By contrast, if it is judged that the mode, in which both the original information stored in the original information management file 34 and the differential information brought about due to modification which is stored in the version upgrade information management file 35 are also subjected to virus check, is designated, control is passed to step S181 described in
If it is judged by the virus check that the file is not infected with a virus, control is passed to step S183. “0” is recorded as infection flags <4> and <5> associated with the file in the file information management file 36. It is thus registered that the file is not infected with a virus. By contrast, when it is judged that the file is infected with a virus, control is passed to step S184. “1” is recorded as infection flags <4> and <5> associated with the file in the file information management file 36. It is thus registered that the original information is infected with a virus.
At step S185, it is judged if all original information and differential information brought about due to modification have been processed. If it is judged that an unprocessed file is left, control is returned to step S181. If it is judged that no unprocessed file is left, control is returned to step S171 in
As mentioned above, the storage device 1 having the function of coping with a computer virus uses a virus checker to periodically check if files stored on the disk 30, original information stored in the original information management file 34, and differential information brought about due to modification which is stored in the version upgrade information management file 35 are infected with viruses. The results of the check are registered in the form of infection flags <1>, <4>, and <5> in the file information management file 36.
In the fourth example of a processing flow shown in
On the other hand, for detecting a virus-infected file by judging the attribute of a writing-destination file, when a writing request for a file stored on the disk 30 is issued from the personal computer 2a (the writing request is issued by a file loaded from the disk 30 to the personal computer 2a), as described in the fifth example of a processing flow in
If it is judged by the judgment at step S191 that the writing-destination file belongs to the bootstrap or IPL, control is passed to step S192. It is then judged that the file having issued the writing request is infected with a virus. “1” is recorded as infection flag <2> associated with the file in the file information management file 36, whereby it is registered that the file is infected with a virus. At step S193, it is reported to the personal computer 2a that the file which made the writing request is a file infected with a virus. The processing is then terminated without writing.
By contrast, if it is judged at step S191 that the writing-destination file does not belong to the bootstrap or IPL, control is passed to step S194. The value of an execution/data type flag in the file information management file 36 is referenced in order to judge if the writing-destination file is an executable file or data file. If it is judged that the writing-destination file is a data file, writing is executed for the file at step S195. The processing is then terminated.
By contrast, if it is judged at step S194 that the writing-destination file is an executable file, it is judged that it is highly probable that the file having issued the writing request is infected with a virus. Control is then passed to step S196. While the fact is being reported, a message asking if writing should be executed is output to the personal computer 2a. A response to the inquiry is duly received.
If it is judged at step S196 that the response from the personal computer 2a instructs that writing should not be executed, control is passed to step S197. “1” is recorded as infection flag <3> associated with the file, which has issued the writing request, in the file information management file 36, whereby it is registered that the file is infected with a virus. The processing is then terminated.
Herein, even when a file that is a source of a writing request writes itself, “1” is recorded as infection flag <3> associated with the file in the file information management file 36. This is attributable not only to the fact that it is highly probable that a file attempting to write an executable file is infected with a virus, but also to the system design of the present invention that upgrading a file into a new version is realized by registering differential information brought about due to modification in the version upgrade information management file 35 and that upgrading a file into a new version without following this procedure is illegal.
By the way, if it is judged at step S196 that a response from the personal computer 2a instructs that writing should be executed, although it is highly probable that the file that is a source of the writing request is infected with a virus, it is instructed to ignore the probability. Control is therefore passed to step S198. Writing is executed for the writing-destination file. At step S199, “1” is recorded as infection flags <3> associated with the writing-source and writing-destination files in the file information management file 36, whereby it is registered that the files are infected with a virus. The processing is then terminated.
As mentioned above, when a writing request is issued for a file stored on the disk 30, if the writing-destination file belongs to a bootstrap or IPL, or if the writing-destination file is an executable file, the storage device 1 having the function of coping with a computer virus judges that a file which is a source of the writing request is infected with a virus. The fact is registered in the form of infection flags <2> and <3> in the file information management file 36. If the writing-destination file belongs to the bootstrap or IPL, executing writing is disabled. If the writing-destination file is an executable file, it is determined through interactive processing if writing should be executed for the file. When writing is executed, it is judged that the writing-destination file will also be infected with a virus. The fact is registered in the form of infection flag <3> in the file information management file 36.
Next, processing to be executed for a virus-infected file by the storage device 1 having the function of coping with a computer virus will be described.
When receiving a loading request made for a file (executable file) stored on the disk 30 from the personal computer 2a, as described in the sixth example of a processing flow in
As mentioned above, the storage device 1 having the function of coping with a computer virus gives control so that a virus-infected file registered in the file information management file 36 will not be run. Consequently, a file that is detected to be infected with a virus by a virus checker will never be run. A file that has evaded checking by the virus checker and that is detected to be infected with a virus in terms of the attribute of a writing-destination file will not be rerun. Thus, proliferation of the virus can be reliably prevented.
In the sixth example of a processing flow in
On the other hand, when a command instructing restoration of a virus-infected file stored on the disk 30 is issued from the personal computer 2a, as described in the seventh example of a processing flow in
At step S213, infection flag <4> in the file information management file 36 is referenced, and original information of the deleted file, which is not infected with a virus, is read from the original information management file 34. Infection flag <5> in the file information management file 36 is referenced, and the latest differential information brought about due to modification concerning the deleted file, which is not infected with a virus, is read from the original information management file 34. The original information is then merged with the differential information brought about due to modification in order to restore the deleted file. The restored file is then expanded on the disk 30. At step S214, data of the restored file is registered in the file information management file 36. At step S215, it is judged if an unprocessed virus-infected file is left. If no unprocessed file is left, the processing is terminated. If an unprocessed file is left, control is returned to step S211.
As mentioned above, the storage device 1 having the function of coping with a computer virus deletes a file infected with a virus from the disk 30. Original information of the file and differential information brought about due to modification are used to restore the infected file into an uninfected one. The file not infected with a virus is then expanded on the disk 30.
In the seventh example of a processing flow in
When the seventh example of a processing flow in
Specifically, according to the eighth example of a processing flow in
At step S225, data of the deleted file is deleted from the file information management file 36. At step S226, infection flag <4> in the file information management file 36 is referenced, and original information of the deleted file which is not infected with a virus is read from the original information management file 34. Infection flag <5> in the file information management file 36 is referenced, and the latest differential information brought about due to modification concerning the deleted file which is not infected with a virus is read from the original information management file 34. The original information is then merged with the differential information brought about due to modification in order to restore the deleted file. The restored file is then expanded on the disk 30. At step S227, data of the restored file is registered in the file information management file 36. At step S228, it is judged if an unprocessed virus-infected file is left. If no unprocessed file is left, the processing is terminated. If an unprocessed file is left, control is returned to step S221.
As mentioned above, the storage device 1 having the function of coping with a computer virus deletes a file infected with a virus from the disk 30, restores the file into an uninfected one that is not infected with a virus using original information and differential information brought about due to modification concerning the file, and expands the restored file on the disk 30. At this time, the file infected with a virus and virus information concerning the file are saved in the inexecutable area 37.
The virus-infected file and virus information concerning the file, which are saved in the inexecutable area 37, become very useful information for analysis of an intruding virus. However, if anybody is allowed to access this kind of useful information, there arises a fear that the information may be rewritten by mistake.
When a command instructing reading of saved information from the inexecutable area 37 is issued from the personal computer 2a, as describe in the ninth example of a processing flow in
As mentioned above, the storage device 1 having the function of coping with a computer virus reads a virus-infected file and virus information, which are saved in the inexecutable area 37, under the condition that an ID number and password agree with internal data.
In the ninth example of a processing flow in
In the storage device 1 having the function of coping with a computer virus in accordance with the present invention shown in
In
The storage device 1 having the function of coping with a computer virus in accordance with the present invention, which has the configuration shown in
Moreover, the storage device 1 having the function of coping with a computer virus in accordance with the present invention, which has the configuration shown in
The storage device 1 having the function of coping with a computer virus in accordance with the present invention, which has the configuration shown in
Moreover, the storage device 1 having the function of coping with a computer virus in accordance with the present invention, which has the configuration shown in
In the aforesaid examples shown in
Checking if the size of a file is varied by running the file is achieved by, for example, merging original information managed in the original information management file 34 with differential information brought about due to modification which is managed in the version upgrade information management file 35 in order to produce a file, and by comparing the size of the produced file with the size of the file stored on the disk 30.
As described so far, in several preferred embodiments of a storage device 1 having the function of coping with a computer virus in accordance with the present invention, infection with a virus is prevented actively. The use of a file infected with a virus is prohibited, and the file is restored automatically. Furthermore, information concerning infection with viruses is preserved so that it cannot be accessed readily. Consequently, a storage device capable of properly dealing with infection with a virus can be constructed.
| Number | Date | Country | Kind |
|---|---|---|---|
| 7-136331 | Jun 1995 | JP | national |
| Number | Name | Date | Kind |
|---|---|---|---|
| 4926476 | Covey | May 1990 | A |
| 4962533 | Krueger et al. | Oct 1990 | A |
| 4975950 | Lentz | Dec 1990 | A |
| 4984272 | McIlroy et al. | Jan 1991 | A |
| 5050212 | Dyson | Sep 1991 | A |
| 5121345 | Lentz | Jun 1992 | A |
| 5144660 | Rose | Sep 1992 | A |
| 5208858 | Vollert et al. | May 1993 | A |
| 5265163 | Golding et al. | Nov 1993 | A |
| 5276735 | Boebert et al. | Jan 1994 | A |
| 5278901 | Shieh et al. | Jan 1994 | A |
| 5311591 | Fischer | May 1994 | A |
| 5313639 | Chao | May 1994 | A |
| 5319776 | Hile et al. | Jun 1994 | A |
| 5337360 | Fischer | Aug 1994 | A |
| 5343524 | Mu et al. | Aug 1994 | A |
| 5343527 | Moore | Aug 1994 | A |
| 5347578 | Duxbury | Sep 1994 | A |
| 5349655 | Mann | Sep 1994 | A |
| 5355414 | Hale et al. | Oct 1994 | A |
| 5359659 | Rosenthal | Oct 1994 | A |
| 5361359 | Tajalli et al. | Nov 1994 | A |
| 5379342 | Arnold et al. | Jan 1995 | A |
| 5379414 | Adams | Jan 1995 | A |
| 5390247 | Fischer | Feb 1995 | A |
| 5396609 | Schmidt et al. | Mar 1995 | A |
| 5402492 | Goodman et al. | Mar 1995 | A |
| 5406624 | Tulpan | Apr 1995 | A |
| 5408642 | Mann | Apr 1995 | A |
| 5412717 | Fischer | May 1995 | A |
| 5414833 | Hershey et al. | May 1995 | A |
| 5428795 | Johnson et al. | Jun 1995 | A |
| 5440723 | Arnold et al. | Aug 1995 | A |
| 5442706 | Kung | Aug 1995 | A |
| 5444850 | Chang | Aug 1995 | A |
| 5448668 | Perelson et al. | Sep 1995 | A |
| 5452442 | Kephart | Sep 1995 | A |
| 5473687 | Lipscomb et al. | Dec 1995 | A |
| 5473769 | Cozza | Dec 1995 | A |
| 5502815 | Cozza | Mar 1996 | A |
| 5511184 | Lin | Apr 1996 | A |
| 5530757 | Krawczyk | Jun 1996 | A |
| 5539828 | Davis | Jul 1996 | A |
| 5572590 | Chess | Nov 1996 | A |
| 5606609 | Houser et al. | Feb 1997 | A |
| 5606615 | Lapointe et al. | Feb 1997 | A |
| 5613002 | Kephart et al. | Mar 1997 | A |
| 5625692 | Herzberg et al. | Apr 1997 | A |
| 5651069 | Rogaway | Jul 1997 | A |
| 5659614 | Bailey, III | Aug 1997 | A |
| 5666411 | McCarty | Sep 1997 | A |
| 5675645 | Schwartz et al. | Oct 1997 | A |
| 5689247 | Welner | Nov 1997 | A |
| 5721877 | Heflinger et al. | Feb 1998 | A |
| 5724425 | Chang et al. | Mar 1998 | A |
| 5802275 | Blonder | Sep 1998 | A |
| 5809138 | Netiv | Sep 1998 | A |
| 5881151 | Yamamoto | Mar 1999 | A |
| 5930357 | Fukui | Jul 1999 | A |
| 6381694 | Yen | Apr 2002 | B1 |
| 20100235916 | Radatti | Sep 2010 | A1 |
| Number | Date | Country |
|---|---|---|
| 62-224843 | Oct 1987 | JP |
| 6-110718 | Apr 1994 | JP |
| 6-168114 | Jun 1994 | JP |
| 6-230959 | Aug 1994 | JP |
| 6-242957 | Sep 1994 | JP |
| 6-250861 | Sep 1994 | JP |
| 6-259012 | Sep 1994 | JP |
| 6-274419 | Sep 1994 | JP |
| 6-348486 | Dec 1994 | JP |
| 6-350784 | Dec 1994 | JP |
| 7-64786 | Mar 1995 | JP |
| 7-146788 | Jun 1995 | JP |
| 8-016386 | Jan 1996 | JP |
| 63-55631 | Mar 1998 | JP |
| 0 132 998 | Dec 1997 | KR |
| Entry |
|---|
| Secure Data Network Offers Automatic Back-Up service, Virus screening, In US, p. 1, Dated Nov. 28, 1989. |
| Kyodo News Service, Virusbuster Book 1, Aug. 25, 1993 (10 pages—cover page, pp. 5, 50-56 and 60) (Partial English Translation as identified of pp. 52, 53, and 60—5 pages). |
| Richard Ford, et al., “Virus Bulletin—The International Publication on Computer Virus Prevention, Recognition and Removal,” ISSN 0956-9979, Dec. 1994 (pp. 1-24). |
| Richard Ford, et al., “Virus Bulletin—The Authoritative International Publication on Computer Virus Prevention, Recognition and Removal,” ISSN 0956-9979, Jul. 1993 (pp. 1-24). |
| Paul Ferrill, et al., “Product Comparison: Network Virus Protection, An Ounce of Prevention,” Infoworld, Feb. 13, 1995, vol. 17, Issue 7, pp. 84- 99 (18 pages). |
| “MS-DOX/V FM V Sidebook 88SP-3060-1,” Fujitsu Ltd., 1994, 1st edition, pp. 19-36. |
| Ghannam M. Al-Dossary, “Computer Virus Prevention and Containment on Mainframes,” Proceeding of 1989 International Carnahan Conference on Security Technology (ICCST in Zurich), 1989, pp. 23-31. |
| Masaru Tanaka, “Special Security Method for PCLAN! Topical Security for PC LAN (2) Anit-Virus Software Challenging Network Viruses,” Computer and Network LAN, Ohmsha Ltd. Feb. 1, 1994. vol. 13, No. 2, pp. 52-56. |
| Mims, Bob; Deseret News; Data Vault Backs Up Data For Small Businesses, [online], Jun. 5, 1991 [retrieved on Jan. 20, 2010]. Retrieved from the Internet:<URL: www.deseretnews.com/article/165762/DATA-VAULT-BACKS-UP-DATA-FOR-SMALL-BUSINESSES.html>. (2 pages). |
| Newman, Richard; Disaster Recovery Journal; PC Backup Technology Arrives [online], circa 1988-1992 [retrieved on Jan. 20, 2011]. Retrieved from the Internet:<URL: http://www.drj.com/article-archives/data-processing-recovery/pc-backup-technology-arrives.html>. (3 pages). |
| Magid, Lawrence J.; Los Angeles Times; ‘Future’ Products Already Here [online], Feb. 22, 1990 [retrieved Jan. 20, 2011]. Retrieved from the Internet:<URL: http://articles.latimes.com/1990-02-22/business/fi-1323—1—secure-data-network>. (2 pages). |
| Coursey, David; Networking; ISDN Technology Boosts Remote LAN, PC Backup, Sep. 9, 1991, p. 33 (2 pages). |
| CBR Staff Writer; Computer Business Review; Secure Data Network Offers Automatic Back-Up Service, Virus Screening, In US, [online], Nov. 27, 1989 [retrieved Apr. 12, 2011]. Retrieved from the Internet:<URL: http://www.cbronline.com/news>. (2 pages). |
| Reed, Frank; Warren, Eric; Business Wire, New York; Secure Data Network Inc. Introduces Nation's First Online PC Data Backup And Retrieval Service, Oct. 31, 1989 (2 pages). |
| Joe Rizzo, “Antivirus Software Operating on Netware: Comparably Priced—Choice Depends on Reliability and Usability”, Nikkei Open Systems, Nikkei BP, Dec. 10, 1993, vol. 9, pp. 163-168. |
| Akira Watanabe, “Computer Virus Dictionary”, Ohmsha Ltd., Nov. 25, 1993, pp. 82-117. |
| Notice of Reasons for Rejection (Office Action) for corresponding Japanese Application No. 7-136331 dated Jul. 26, 2005. |
| Notice of Reasons for Rejection (Office Action) for corresponding Japanese Application No. 7-136331 dated Oct. 25, 2005. |
| Decision of Final Rejection (Office Action) for corresponding Japanese Application No. 7-136331 dated Feb. 7, 2006. |
| Office Action mailed Sep. 18, 1997 in corresponding U.S. Appl. No. 08/656,908. |
| Office Action mailed May 1, 1998 in corresponding U.S. Appl. No. 08/656,908. |
| Notice of Allowance mailed Dec. 21, 1998 in corresponding U.S. Appl. No. 08/656,908. |
| Peter Norton Symantec Corp., Norton Antivirus, 1992, Chapter 2, 3, 4, 6, B-4-B-7. |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 08656908 | Jun 1996 | US |
| Child | 09893445 | US |
