WO1993013477A1 - Computer protection device - Google Patents

Info

Publication number
WO1993013477A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
disk
executable file
command
access
Prior art date
Application number
PCT/US1992/011374
Other languages
French (fr)
Inventor
Shmuel Y. Kedmi
Eliahu Dror Lenger
Original Assignee
Onyx Technologies (Usa) Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Onyx Technologies (Usa) Inc.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567: Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware

Definitions

  • the present invention relates generally to hardware software for protecting data stored on a computer.
  • Computer viruses are computer programs which, without the knowledge of a user, enter a computer and execute.
  • the programs often wreak havoc with the proper operation of the computer and can also alter stored data.
  • a computer virus program enters a computer as an unknown add-on to an executable program.
  • the virus program is also executed, without the knowledge of the user.
  • the virus program typically ensures that it will be executed again, whether or not the user again executes the desired executable program. It does this, for example, by copying itself into a new executable file and/or becoming a Terminate and Stay Resident (TSR) program, a program which is always available.
  • TSR Terminate and Stay Resident
  • the interrupt vector is a coded list of addresses to be referenced whenever an interrupt code is received. Some typical interrupt codes relate to the pressing of a key on the keyboard and the movement of a mouse.
  • the addresses in the interrupt vector are the first addresses in memory where operations to be executed upon receipt of the appropriate code are stored.
  • a virus might alter or "redefine" the addresses of the interrupt vector such that the new addresses stored point to addresses in memory where the virus has stored its own operations to be executed when an interrupt code is received.
  • the virus operations include the operation the user expects to see as well as other, undesired operations. Thus, for example, if the user causes a keypress interrupt, the typed key will be displayed, as normally occurs, and, in addition, the operations of the virus will be performed.
  • Anti-virus programs are well known in the art. They are developed by analyzing the operation of a particular virus program or family of virus programs, much as an anti-viral drug is produced once the operating mode of a human virus or group of viruses is understood. Thus, for each known virus program or group of programs, there is an anti-virus program.
  • Some anti-virus programs just identify that a virus exists on a user's machine. Others remove the virus upon discovering it.
  • One method of identifying a virus is to check for any strange operational behavior, such as unexplained changes in the size of files, in the format of data, or in the interrupt vector.
  • Another method is by identifying that there is a known string of bytes known to be a virus.
  • Anti-Virus Program manufactured by Iris Software and Computers of Givatayim, Israel.
  • the Anti-Virus Program appears not to allow virus programs to install themselves on a hard disk of a computer and it does this by continuously checking the memory of the computer during operation.
  • the present invention operates without any knowledge of the characteristics of any virus programs.
  • apparatus for protecting access to at least one selected area of a disk includes apparatus for defining the selected area of the disk, apparatus for determining that a disk access command has issued for at least a portion of the selected area and apparatus for disabling the disk access command.
  • apparatus for protecting data stored on a disk of a computer.
  • the apparatus includes apparatus for determining when the computer issues one of a predetermined set of commands and apparatus, responsive to the issued command, for selectively interfering with the normal operation of the computer.
  • apparatus for protecting the operation of a computer having active memory includes apparatus for defining that at least one executable file is clean, apparatus for determining when the computer is commanded to load a first executable file into the active memory, apparatus for storing an interrupt vector from a previously loaded executable file if the first executable file is not clean and for enabling the first executable file to load and to execute and apparatus for restoring the stored interrupt vector once the first executable file finishes executing.
  • the disk access command is a selected one of write, read or format command.
  • the predetermined set of commands includes write, read, format and load commands.
  • the apparatus includes apparatus for identifying a user and a classification level of the user.
  • the apparatus also includes apparatus for classifying access levels for data stored in the at least one selected area.
  • the apparatus for disabling includes apparatus for authorizing performance of the disk access command if the apparatus for identifying a user indicates that the user has a classification level equivalent to or larger than the access level for data to be accessed.
  • the apparatus includes apparatus for defining accompanying files to be opened when the first executable file is loaded and apparatus for closing the accompanying files if another executable file is commanded to be loaded.
  • the disk forms part of a computer and the apparatus for disabling or the apparatus for selectively interfering include a stop and hold command to the computer.
  • the apparatus for disabling or the apparatus for selectively interfering include a non-maskable interrupt to the computer.
  • a further alternative for the apparatus for disabling or the apparatus for selectively interfering is an analog switch.
  • apparatus for protecting at least one selected area of a disk of a computer from undesired access operations including a disk controller and a bus.
  • the apparatus includes apparatus connected in parallel to the bus for determining that an undesired access command to a portion of the selected area of the disk has issued and apparatus for disabling the undesired access command.
  • a computer network including a multiplicity of computer workstations each usable by one user at one time and each having a workstation storage medium, a file server for storing files accessible by each of the computer workstations, the file server having a server storage medium, workstation protection apparatus for protecting access to at least one selected area of the workstation storage medium and server protection apparatus for protecting access to at least one selected area of the server storage medium.
  • the server protection apparatus communicates with each of the workstation protection apparatus to provide information regarding the selected area of the server storage medium.
  • the server protection apparatus and the workstation protection apparatus include apparatus for defining the at least one selected areas of the storage media, apparatus for determining that a disk access command has issued for at least a portion of the selected areas and apparatus for disabling the disk access command.
  • the server protection apparatus and the workstation protection apparatus include apparatus for determining when the computer issues one of a predetermined set of commands and apparatus, responsive to the issued command, for selectively interfering with the normal operation of the computer.
  • the workstations and the file server have active memories.
  • the server protection apparatus and the workstation protection apparatus include apparatus for defining that at least one executable file is clean, apparatus for determining when the computer is commanded to load a first executable file into the active memory of one of the workstations, apparatus for storing an interrupt vector from a previously loaded executable file if the first executable file is not clean and for enabling the first executable file to load and to execute and apparatus for restoring the stored interrupt vector once the first executable file finishes executing.
  • FIG. 1 is a general block diagram illustration of interaction of apparatus for data protection constructed and operative in accordance with the present invention with a computer;
  • Fig. 2 is a block diagram illustration of the elements of the apparatus for protection of Fig. 1;
  • FIG. 3 is a more detailed block diagram illustration of the interaction shown in Fig. 1;
  • Fig. 4 is a flow chart illustration of the overall operations of the apparatus of the present invention.
  • Fig. 5 is a flow chart illustration of the operation of identifying a load command, useful in the operations of Fig. 4;
  • Fig. 6 is a flow chart illustration of the operation of identifying the file name, useful in the operations of Fig. 4;
  • Fig. 7 is a flow chart illustration of the operation of saving an interrupt vector, useful in the operations of Fig. 4;
  • Fig. 8 is a flow chart illustration of the operation of restoring an interrupt vector, useful in the operations of Fig. 4;
  • Fig. 9 is a flow chart illustration of changing parameters of operation of the apparatus of Fig. 1, useful in the operations of Fig. 4;
  • Fig. 10 is a flow chart illustration of the operations of disabling the operation of the computer, useful in the operations of Fig. 4;
  • Fig. 11 is a flow chart illustration of installation operations, useful in the operations of Fig. 4.
  • Fig. 12 is a block diagram illustration of a plurality of the apparatus of Fig. 2 connected together in a network.
  • Fig. 1 illustrates, in block diagram format, the operation of a protection device 10 of the present invention when operating to protect a computer 12 against the operation of a virus.
  • the computer 12 is typically a personal computer and comprises a Central Processing Unit (CPU) 14 having a low frequency clock 15, such as an 80286 CPU manufactured by Intel of the U.S.A. with a 6 MHz clock, a Random Access Memory (RAM) 16, a disk 18 and a disk controller 20, such as the 82064 controller also manufactured by Intel.
  • the disk 18 can be a hard disk or a floppy disk.
  • the elements of the personal computer come in a housing which is large enough to hold other elements, such as a modem.
  • Computer 12 typically operates under an operating system, such as the Disk Operating System (DOS) 22 of Microsoft Inc. of the USA.
  • DOS stores information regarding each file on the disk 18 in a File Allocation Table (FAT) 24.
  • the FAT 24 typically includes a list, per file, of the portions of the disk 18, known as sectors, which are allocated to each file.
  • the protection device 10 is typically located within the housing of the computer 12 and typically communicates with the computer 12 via a bus 26 of computer 12.
  • Bus 26 can be any suitable bus, such as the Industrial Standard Architecture (ISA) AT bus.
  • Protection device 10 is operative to protect the computer 12 from unauthorized memory access, such as accessing the disk 18, and from the effects of redefinition of the interrupt vector.
  • the user defines, through protection device 10, a protected area 30 on disk 18.
  • the protection device 10 stores within itself a listing of the locations, or sectors, of the disk 18 which are within protected area 30. This listing is known as the protected area FAT 32.
  • the user will store within the protected area 30 those files most important to him, such as those relating to his operating system, his most commonly used executable files and any data which he desires not to be damaged.
  • the user will place in the protected area 30 only those files which he knows are clean, or have no viruses attached to them.
  • protection device 10 detects a disk access command, either a write, read or format disk command, which addresses a section of the protected area 30, protection device 10 will only enable the disk access if an authorized user authorizes it.
  • the protection device 10 monitors the commands of the CPU 14 for a load command in which an executable file, such as a program or a virus, is loaded into RAM 16.
  • the interrupt vector of the previously loaded file, assuming it was a file known to be clean, is saved before loading the new executable file.
  • the protection device 10 retrieves the saved interrupt vector. In this manner, the changed interrupt vector will be active only as long as the present executable file is executing.
  • data files which are typically opened when a given executable file is executing can be indicated as such.
  • These "accompanying data files" are then opened upon loading of the executable file and are closed when the executable file ceases operating. Specifically, if an executable file is commanded to be loaded while the accompanying data files of a previously loaded executable file are still open, the protection unit 10 closes the accompanying data files before allowing the newly commanded executable file to load.
  • Protection device 10 typically comprises a manager 40 for managing the operations of protection device 10, a protected area definition unit 42 for defining protected area 30 and for identifying the files which are to be placed in protected area 30, and a command recognition unit 44 for recognizing when one of a predetermined set of commands is produced by the computer 12.
  • the manager 40 provides installation operations, and classification and identification of system users.
  • users can be classified by the level of access to the protected files in the protected area 30 permitted them. For instance, it may be desired to define two access levels, one of "system operator" and one of a "regular operator".
  • the system operator is allowed to access system files, such as files pertaining to the operating system, and application files.
  • the regular operator is allowed to access only application files.
  • users are provided with user names and external means for identification 46, such as passwords, special codes or magnetic cards, such as credit cards.
  • the means for identification 46 are provided to an identification unit 48, such as a keyboard of computer 12 for receiving passwords and such as a magnetic card reader, such as those produced by Neuron Corporation of Tokyo, Japan, for receiving magnetic cards.
  • the identification unit 48 compares the identification received to that expected for the specific user and notifies the manager 40 whether or not there is a match. Without a match, the user cannot access the files in the protected area 30. With a match, the user can access the files permitted for his access level.
  • protected area definition unit 42 enables the selected files to be defined as protected.
  • the definition operation is performed as follows:
  • the protected area definition unit 42 requires that CPU 14 provide it with a copy of FAT 24. Unit 42 then searches FAT 24 for the sector or sectors on disk 18 in which the selected files are stored. These addresses are then stored in protected FAT 32 which, in turn, is stored in an Electronically Erasable Programmable Read Only Memory (EEPROM) 68, shown in Fig. 3 and described in more detail hereinbelow.
  • EEPROM Electronically Erasable Programmable Read Only Memory
  • the protected area definition unit 42 enables the user to define which files are to be protected and to provide classification levels for them. For the example hereinabove, the system files will have a level of "system operator only" and the application files will have a level of "everyone allowed".
  • Unit 42 also enables the user to indicate which executable files are known to be clean, or free of viruses.
  • the protected FAT 32 also contains classification level information and cleanliness status information for each file protected.
  • the command recognition unit 44 monitors bus 26 for commands, comparing every received command with the predetermined set of commands.
  • the predetermined set typically comprises any read, write or loading commands. These also include formatting commands which effectively rewrite the entire disk 18.
  • the command recognition unit 44 determines if it is a load command. If so, unit 44 provides control to an interrupt vector protection unit 50. If not, indicating that a disk access operation is about to take place, unit 44 provides control to an address recognition unit 52.
  • Address recognition unit 52 compares the address associated with the command to the sector addresses stored in the protected FAT 32 and checks the classification level for the addressed sector. If there is a match, indicating that the computer 12 is attempting to access protected area 30, unit 52 issues a stop command to a disk access protection unit 54 to disable the access attempt. Unit 52 then requests that the user provide authorization for the access of area 30. The user then has to provide its identification means 46 to identification unit 48.
  • The user is thus notified as soon as a virus program attempts to write to the disk or an unauthorized user tries to access the area 30. If the user wishes to reenable disk access, he typically has to restart, or "reboot" the computer 12.
  • the command recognition unit 44 identifies a load command by identifying that a command to write to a predetermined address in RAM 16 has been issued.
  • the predetermined address is the address into which the first address of the executable file to be loaded is stored.
  • the interrupt vector protection unit 50 first disables access to any accompanying data files of the previously loaded executable file, herein called the "first" executable file. Unit 50 then identifies the executable file about to be loaded, henceforth called the "second" executable file, by comparing the addresses of the second executable file with those stored in the protected FAT 32.
  • unit 50 stops the operation of CPU 14, reads the current interrupt vector which belongs to the previous executable file and stores the interrupt vector in EEPROM 68 (Fig. 3).
  • the CPU 14 is then released and control of the protection unit 10 is returned to the command recognition unit 44 and the second executable file is allowed to execute.
  • When a new executable file, herein called the "third" executable file, is loaded after a second executable file which was not clean, the interrupt vector protection unit 50 replaces the interrupt vector of the second executable file, which may have been defined to address undesirable operations, with the interrupt vector of the first executable file.
  • the replacement operation includes the steps of stopping CPU 14, writing the stored interrupt vector into the interrupt vector storage addresses in RAM 16, and releasing CPU 14.
  • After replacing the interrupt vector, unit 50 checks that the third executable file is clean. If not, then unit 50 saves the interrupt vector, which is now that of the first executable file. Unit 50 then proceeds as described hereinabove.
  • FIG. 3 illustrates, in block diagram format, the hardware elements of the present invention.
  • Protection device 10 typically comprises a microprocessor 60 with a high frequency clock 62, such as the 80386DX microprocessor manufactured by Intel of the USA with a 33 MHz clock, working in conjunction with a RAM 64.
  • Microprocessor 60 typically is associated with at least one input/output port 66 which is connected to bus 26.
  • Microprocessor 60 is further associated with Electronically Erasable Programmable Read Only Memory (EEPROM) 68 for storing the predetermined set of commands, protected FAT 32, interrupt vectors, passwords and user names.
  • EEPROM Electronically Erasable Programmable Read Only Memory
  • Microprocessor 60, in conjunction with RAM 64, typically implements the manager 40, the protected area definition unit 42, the command recognition unit 44, the interrupt vector protection unit 50 and the address recognition unit 52.
  • the disk access protection unit 54 can be embodied in a number of ways.
  • Unit 54 can be embodied as a hold and a stop command.
  • the hold command is transmitted, via bus 26, to the CPU 14 which causes the CPU 14 to stop its operation.
  • the stop command is sent, also via bus 26, to disk controller 20 to stop its operation.
  • This embodiment is operative for those disk controllers, such as the 82064 mentioned hereinabove, which can respond to a stop command.
  • unit 54 can be embodied as an analog switch, such as the SN74ALS1244 manufactured by Texas Instruments of U.S.A., or as a mechanical relay. The switch or relay is connected to the power cable (not shown) of disk 18 and, when activated, disconnects the power to disk 18.
  • unit 54 can be embodied as a non-maskable interrupt which is sent directly to CPU 14.
  • the interrupt causes the CPU 14 to execute a routine stored therein which cancels the access command and/or reboots the system.
  • microprocessor 60 can provide a notice to CPU 14 that will indicate, upon rebooting, that the cause of the stopping of the computer 12 was a virus or unauthorized access and not something else.
  • unit 54 can include a combination of the above-described disabling methods and mechanisms.
  • command recognition unit 44, address recognition unit 52 and disk access protection unit 54 are fast enough to finish performing in one clock cycle of computer 12.
  • the protection device 10 of the present invention ensures that a virus which tries to access protected area 30 generally will have no effect.
  • the protection device 10 discovers the virus as soon as it attempts to access the data in the protected area 30, thereby indicating to the user which file or program is affected by the virus. Additionally, any changes to the interrupt vector created by the virus are effective only during the operating time of the virus.
  • the device 10 is a hardware device that operates in parallel to computer 12 and is not operated by computer 12, thus making it difficult for a virus to overcome the operation of the device. Furthermore, the device 10 operates generally without any knowledge of the characteristics of virus programs.
  • protection device 10 does not add a significant amount of time to the operation of computer 12 since the microprocessor 60 operates in parallel to bus 26.
  • the method of identifying unauthorized access described hereinabove, can be applied to any suitable computer.
  • Figs. 4 - 11 illustrate the operations of the protection device 10.
  • the operations of Figs. 4 - 11 are typically performed in software stored in the EEPROM 68 of protection device 10.
  • the figures are believed to be self-explanatory and therefore, in the interest of conciseness, they will not be described in great detail.
  • Fig. 4 describes the overall operations of the protection device 10
  • Fig. 5 describes the operation of identifying a load command
  • Fig. 6 describes the operation of identifying the name of a loaded executable file
  • Fig. 7 describes the operation of saving an interrupt vector
  • Fig. 8 describes the operation of restoring an interrupt vector
  • Fig. 9 describes an update program for changing parameters of operation of the protection device 10, where typical parameters are the files which are in the protected area 30, the access levels of users, the classification levels of the protected files, and the clean status of each file;
  • Fig. 10 describes the operations of disabling the operation of the computer
  • Fig. 11 describes installation operations. It will be noted that the update program illustrated in Fig. 9 is typically performed by software stored in the protected area 30 and loaded into RAM 16. The interface between the user and the software is through computer 12.
  • the program of Fig. 9 enables and disables access to accompanying files. Enabling is performed by modifying the protected FAT 32 to include the accompanying files. Disabling is performed by modifying the protected FAT 32 to no longer include the accompanying files.
  • the installation program whose operations are illustrated in Fig. 11 serves to identify the type of CPU 14, the peripheral apparatus attached to computer 12 and the version of the operating system under which everything operates. Furthermore, the program calls the software uses the update program of Fig. 9 in order to define the parameters of operation.
  • FIG. 12 illustrates a plurality of computers connected together via a network 100
  • a multiplicity of workstations 102 which save their files onto a file server 104.
  • protection devices are installed in each of workstations 102 and the file server 104.
  • the protection devices on workstation 102 are labeled 106 and the protection device on the file server is labeled 108.
  • the protection devices 106 and 108 operate generally as described hereinabove with the following exceptions:
  • the protection device 108 maintains a network-wide protected FAT 32 describing the status of the files stored on the file server 104.
  • its protection device 106 checks the date of the protected FAT 32 of protection device 108. If the date is later than the date on the protected FAT 32 of the protection device 106 of the workstation 102, the protection device 106 receives from protection device 108 a copy of its protected FAT 32.
  • the protection devices 106 and 108 additionally comprise time clocks (not shown) which operate independently of the time clocks of the workstations.
  • the protection devices 106 monitor the time clock of the workstations 102 to ensure that the workstation time matches the protection device time and to update the workstation time if it does not match the protection device time.
  • the protection device 108 monitors the time of the file server 104.
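
The command handling described above (command recognition unit 44 passing disk accesses to address recognition unit 52 and load commands to interrupt vector protection unit 50) can be modelled in software. The following C model is an added example, not code from the patent or its applicant; the type and function names, the sample sector numbers and the 256-entry vector table are assumptions, and the stop-then-request-authorization sequence is collapsed into a single check.

```c
/* Added example: software model of units 44, 52 and 50. All names are
 * hypothetical; this is not the patent's firmware. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 256 /* assumption: PC real-mode table of 256 vectors */

enum cmd { CMD_READ, CMD_WRITE, CMD_FORMAT, CMD_LOAD };
enum level { REGULAR_OPERATOR = 0, SYSTEM_OPERATOR = 1 };
enum verdict { ALLOW = 0, DISABLE = 1 };

/* One protected-FAT record: sector range, classification level, clean flag. */
struct pfat_entry {
    uint32_t first, last;
    enum level required;
    int clean;
};

/* Constructed sample table; the sector numbers are made up. */
static const struct pfat_entry PFAT[] = {
    { 100, 149, SYSTEM_OPERATOR,  1 }, /* operating system files */
    { 200, 219, REGULAR_OPERATOR, 1 }, /* a trusted application */
};
#define PFAT_LEN (sizeof PFAT / sizeof PFAT[0])

struct device {
    uint32_t saved_ivt[IVT_ENTRIES]; /* kept in EEPROM 68 on the device */
    int have_saved;                  /* set while an unclean file may run */
};

static const struct pfat_entry *pfat_lookup(uint32_t sector)
{
    for (size_t i = 0; i < PFAT_LEN; i++)
        if (sector >= PFAT[i].first && sector <= PFAT[i].last)
            return &PFAT[i];
    return NULL;
}

/* Address recognition (unit 52): a read, write or format that touches the
 * protected area goes through only for an identified user whose level is at
 * least the level of the data. identified == 0 models code running with no
 * authenticated user behind it. */
enum verdict check_disk_access(uint32_t sector, int identified, enum level user)
{
    const struct pfat_entry *e = pfat_lookup(sector);
    if (e == NULL)
        return ALLOW;                 /* outside protected area 30 */
    if (identified && user >= e->required)
        return ALLOW;
    return DISABLE;                   /* handed to disk access protection unit 54 */
}

/* Interrupt vector protection (unit 50), run on every load command: restore
 * the vectors saved before an unclean file ran, then save them again if the
 * file about to load is not marked clean. */
void on_load(struct device *d, uint32_t ivt[IVT_ENTRIES], uint32_t first_sector)
{
    const struct pfat_entry *e = pfat_lookup(first_sector);
    if (d->have_saved) {
        memcpy(ivt, d->saved_ivt, sizeof d->saved_ivt);
        d->have_saved = 0;
    }
    if (e == NULL || !e->clean) {     /* unlisted files are not known clean */
        memcpy(d->saved_ivt, ivt, sizeof d->saved_ivt);
        d->have_saved = 1;
    }
}

/* Command recognition (unit 44): loads go to unit 50, the rest to unit 52. */
enum verdict on_command(struct device *d, uint32_t ivt[IVT_ENTRIES], enum cmd c,
                        uint32_t sector, int identified, enum level user)
{
    if (c == CMD_LOAD) {
        on_load(d, ivt, sector);
        return ALLOW;
    }
    return check_disk_access(sector, identified, user);
}

/* Scenario: an unlisted program loads and redefines the keyboard vector, then
 * a clean program loads. Returns the vector the clean program starts with. */
uint32_t keyboard_vector_after_unclean_run(void)
{
    static struct device d;
    static uint32_t ivt[IVT_ENTRIES];
    memset(&d, 0, sizeof d);
    ivt[9] = 0xF000E987u;             /* constructed "original" handler */
    on_command(&d, ivt, CMD_LOAD, 5000, 0, REGULAR_OPERATOR); /* unlisted */
    ivt[9] = 0x12340100u;             /* the program redefines the vector */
    on_command(&d, ivt, CMD_LOAD, 200, 0, REGULAR_OPERATOR);  /* clean */
    return ivt[9];
}

int main(void)
{
    printf("unidentified write to sector 120 -> %d\n",
           check_disk_access(120, 0, REGULAR_OPERATOR));
    printf("keyboard vector after restore -> %08lX\n",
           (unsigned long)keyboard_vector_after_unclean_run());
    return 0;
}
```

The model makes one property of the scheme visible: a redefined vector is rolled back only when the next load command arrives, so it stays active for as long as the unclean file runs.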

Abstract

An apparatus (10) for protecting access to at least one area of a disk includes an identification unit (48), a manager (40), a protection area definition unit (42), a command recognition unit (44), an interrupt vector protection unit (50), an address recognition unit (52), a protected FAT (32) and a disk access protection unit (54). These components function together to define a protected FAT (32) implemented on an EEPROM (Electrically Erasable Read-Only Memory). The protected FAT (32) stores the interrupt vectors of executable files, operating system files, and other files commonly attacked by viruses. Before a command is executed, its associated interrupt vectors are compared with the interrupt vectors stored in the protected FAT (32). If the interrupt vectors are the same, the command is executed. Otherwise, there could be an alteration of the executable file, and the command is not executed.

Description

COMPUTER PROTECTION DEVICE
FIELD OF THE INVENTION
The present invention relates generally to hardware software for protecting data stored on a computer.
BACKGROUND OF THE INVENTION
Computer viruses are computer programs which, witho the knowledge of a user, enter a computer and execute. The programs often wreak havoc with the proper operation of t computer and can also alter stored data.
A computer virus program enters a computer as an unknown add-on to an executable program. When the user executes the desired executable program, the virus program is also executed, without the knowledge of the user. During execution of the desired executable program, the virus program typically ensures that it will be executed again, whether or not the user again executes the desired executable program. It does this, for example, by copying itself into a new executable file and/or becoming a Terminate and Stay Resident (TSR) program, a program which is always available.
Another method in which the virus ensures it will be executed again is by redefining the interrupt vector of the computer. The interrupt vector is a coded list of addresses to be referenced whenever an interrupt code is received. Some typical interrupt codes relate to the pressing of a key on the keyboard and the movement of a mouse. The addresses in the interrupt vector are the first addresses in memory where operations to be executed upon receipt of the appropriate code are stored.
A virus might alter or "redefine" the addresses of the interrupt vector such that the new addresses stored point to addresses in memory where the virus has stored its own operations to be executed when an interrupt code is received. Typically, the virus operations include the operation the user expects to see as well as other, undesired operations. Thus, for example, if the user causes a keypress interrupt, the typed key will be displayed, as normally occurs, and, in addition, the operations of the virus will be performed.
Anti-virus programs are well known in the art. They are developed by analyzing the operation of a particular virus program or family of virus programs, much as an anti-viral drug is produced once the operating mode of a human virus or group of viruses is understood. Thus, for each known virus program or group of programs, there is an anti-virus program.
Some anti-virus programs just identify that a virus exists on a user's machine. Others remove the virus upon discovering it.
One method of identifying a virus is to check for any strange operational behavior, such as unexplained changes in the size of files, in the format of data, or in the interrupt vector. Another method is by identifying that there is a known string of bytes known to be a virus.
Most anti-virus programs do not work against new and unknown virus programs or groups of programs. One anti-virus program which appears to protect against unknown virus programs is the Anti-Virus Program manufactured by Iris Software and Computers of Givatayim, Israel. The Anti-Virus Program appears not to allow virus programs to install themselves on a hard disk of a computer and it does this by continuously checking the memory of the computer during operation.
In addition to protection against undesired virus programs, computer users often need to protect their files from undesired access by other users of the computer. For example, some files, such as system-wide files, should never be altered, except by certain authorized personnel. These files need protection against reading, writing or copying.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a system and method for discovering the execution of a computer virus program and for protecting data stored in a computer from attack or damage. The present invention operates without any knowledge of the characteristics of any virus programs.
It is a further object of the present invention not to expose protected data to an unauthorized user.
There is therefore provided, in accordance with an embodiment of the present invention, apparatus for protecting access to at least one selected area of a disk. The apparatus includes apparatus for defining the selected area of the disk, apparatus for determining that a disk access command has issued for at least a portion of the selected area and apparatus for disabling the disk access command.
There is further provided, in accordance with an embodiment of the present invention, apparatus for protecting data stored on a disk of a computer. The apparatus includes apparatus for determining when the computer issues one of a predetermined set of commands and apparatus, responsive to the issued command, for selectively interfering with the normal operation of the computer.
There is still further provided, in accordance with an embodiment of the present invention, apparatus for protecting the operation of a computer having active memory. The apparatus includes apparatus for defining that at least one executable file is clean, apparatus for determining when the computer is commanded to load a first executable file into the active memory, apparatus for storing an interrupt vector from a previously loaded executable file if the first executable file is not clean and for enabling the first executable file to load and to execute and apparatus for restoring the stored interrupt vector once the first executable file finishes executing.
Additionally, in accordance with an embodiment of the present invention, the disk access command is a selected one of a write, read or format command. The predetermined set of commands includes write, read, format and load commands.
Furthermore, in accordance with an embodiment of the present invention, the apparatus includes apparatus for identifying a user and a classification level of the user. The apparatus also includes apparatus for classifying access levels for data stored in the at least one selected area.
Still further, in accordance with an embodiment of the present invention, the apparatus for disabling includes apparatus for authorizing performance of the disk access command if the apparatus for identifying a user indicates that the user has a classification level equivalent to or larger than the access level for data to be accessed.
Moreover, in accordance with an embodiment of the present invention, the apparatus includes apparatus for defining accompanying files to be opened when the first executable file is loaded and apparatus for closing the accompanying files if another executable file is commanded to be loaded.
Additionally, in accordance with an embodiment of the present invention, the disk forms part of a computer and the apparatus for disabling or the apparatus for selectively interfering include a stop and hold command to the computer. Alternatively, the apparatus for disabling or the apparatus for selectively interfering include a non-maskable interrupt to the computer. A further alternative for the apparatus for disabling or the apparatus for selectively interfering is an analog switch.
There is further provided, in accordance with an embodiment of the present invention, apparatus for protecting at least one selected area of a disk of a computer from undesired access operations, the computer including a disk controller and a bus. The apparatus includes apparatus connected in parallel to the bus for determining that an undesired access command to a portion of the selected area of the disk has issued and apparatus for disabling the undesired access command.
There is still further provided, in accordance with an embodiment of the present invention, a computer network including a multiplicity of computer workstations each usable by one user at one time and each having a workstation storage medium, a file server for storing files accessible by each of the computer workstations, the file server having a server storage medium, workstation protection apparatus for protecting access to at least one selected area of the workstation storage medium and server protection apparatus for protecting access to at least one selected area of the server storage medium. The server protection apparatus communicates with each of the workstation protection apparatus to provide information regarding the selected area of the server storage medium.
Additionally, in accordance with the network embodiment of the present invention, the server protection apparatus and the workstation protection apparatus include apparatus for defining the at least one selected areas of the storage media, apparatus for determining that a disk access command has issued for at least a portion of the selected areas and apparatus for disabling the disk access command.
Furthermore, in accordance with the network embodiment of the present invention, the server protection apparatus and the workstation protection apparatus include apparatus for determining when the computer issues one of a predetermined set of commands and apparatus, responsive to the issued command, for selectively interfering with the normal operation of the computer.
Finally, in accordance with the network embodiment of the present invention, the workstations and the file server have active memories. The server protection apparatus and the workstation protection apparatus include apparatus for defining that at least one executable file is clean, apparatus for determining when the computer is commanded to load a first executable file into the active memory of one of the workstations, apparatus for storing an interrupt vector from a previously loaded executable file if the first executable file is not clean and for enabling the first executable file to load and to execute and apparatus for restoring the stored interrupt vector once the first executable file finishes executing.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:
Fig. 1 is a general block diagram illustration of interaction of apparatus for data protection constructed and operative in accordance with the present invention with a computer;
Fig. 2 is a block diagram illustration of the elements of the apparatus for protection of Fig. 1;
Fig. 3 is a more detailed block diagram illustration of the interaction shown in Fig. 1;
Fig. 4 is a flow chart illustration of the overall operations of the apparatus of the present invention;
Fig. 5 is a flow chart illustration of the operation of identifying a load command, useful in the operations of Fig. 4;
Fig. 6 is a flow chart illustration of the operation of identifying the file name, useful in the operations of Fig. 4;
Fig. 7 is a flow chart illustration of the operation of saving an interrupt vector, useful in the operations of Fig. 4;
Fig. 8 is a flow chart illustration of the operation of restoring an interrupt vector, useful in the operations of Fig. 4;
Fig. 9 is a flow chart illustration of changing parameters of operation of the apparatus of Fig. 1, useful in the operations of Fig. 4;
Fig. 10 is a flow chart illustration of the operations of disabling the operation of the computer, useful in the operations of Fig. 4;
Fig. 11 is a flow chart illustration of installation operations, useful in the operations of Fig. 4; and
Fig. 12 is a block diagram illustration of a plurality of the apparatus of Fig. 2 connected together in a network.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Reference is now made to Fig. 1 which illustrates, in block diagram format, the operation of a protection device 10 of the present invention when operating to protect a computer 12 against the operation of a virus. The computer 12 is typically a personal computer and comprises a Central Processing Unit (CPU) 14 having a low frequency clock 15, such as an 80286 CPU manufactured by Intel of the U.S.A. with a 6 MHz clock, a Random Access Memory (RAM) 16, a disk 18 and a disk controller 20, such as the 82064 controller also manufactured by Intel. The disk 18 can be a hard disk or a floppy disk.
Typically, the elements of the personal computer come in a housing which is large enough to hold other elements, such as a modem.
Computer 12 typically operates under an operating system, such as the Disk Operating System (DOS) 22 of Microsoft Inc. of the USA. DOS stores information regarding each file on the disk 18 in a File Allocation Table (FAT) 24. The FAT 24 typically includes a list, per file, of the portions of the disk 18, known as sectors, which are allocated to each file.
The protection device 10 is typically located within the housing of the computer 12 and typically communicates with the computer 12 via a bus 26 of computer 12. Bus 26 can be any suitable bus, such as the Industrial Standard Architecture (ISA) AT bus.
Protection device 10 is operative to protect the computer 12 from unauthorized memory access, such as accessing the disk 18, and from the effects of redefinition of the interrupt vector.
To protect unauthorized memory access, the user defines, through protection device 10, a protected area 30 on disk 18. The protection device 10 stores within itself a listing of the locations, or sectors, of the disk 18 which are within protected area 30. This listing is known as the protected area FAT 32. Typically, the user will store within the protected area 30 those files most important to him, such as those relating to his operating system, his most commonly used executable files and any data which he desires not to be damaged. Furthermore, the user will place in the protected area 30 only those files which he knows are clean, or have no viruses attached to them.
If the protection device 10 detects a disk access command, either a write, read or format disk command, which addresses a section of the protected area 30, protection device 10 will only enable the disk access if an authorized user authorizes it.
Furthermore, the protection device 10 monitors the commands of the CPU 14 for a load command in which an executable file, such as a program or a virus, is loaded into RAM 16.
If the loaded file is not known to be clean from viruses, there is a possibility that the viruses, if any, will redefine the interrupt vector. Therefore, the interrupt vector of the previously loaded file, assuming it was a file known to be clean, is saved before loading the new executable file. When the present executable file finishes executing, the protection device 10 retrieves the saved interrupt vector. In this manner, the changed interrupt vector will be active only as long as the present executable file is executing.
If desired, data files which are typically opened when a given executable file is executing, can be indicated as such. These "accompanying data files" are then opened upon loading of the executable file and are closed when the executable file ceases operating. Specifically, if an executable file is commanded to be loaded while the accompanying data files of a previously loaded executable file are still open, the protection unit 10 closes the accompanying data files before allowing the newly commanded executable file to load.
Reference is now made to Fig. 2 which illustrates, in block diagram format, the elements of the protection device 10. Protection device 10 typically comprises a manager 40 for managing the operations of protection device 10, a protected area definition unit 42 for defining protected area 30 and for identifying the files which are to be placed in protected area 30, and a command recognition unit 44 for recognizing when one of a predetermined set of commands is produced by the computer 12.
The manager 40 provides installation operations, and classification and identification of system users.
If desired, users can be classified by the level of access to the protected files in the protected area 30 permitted them. For instance, it may be desired to define two access levels, one of "system operator" and one of a "regular operator". The system operator is allowed to access system files, such as files pertaining to the operating system, and application files. The regular operator is allowed to access only application files. For this purpose, users are provided with user names and external means for identification 46, such as passwords, special codes or magnetic cards, such as credit cards.
The means for identification 46 are provided to an identification unit 48, such as a keyboard of computer 12 for receiving passwords and such as a magnetic card reader, such as those produced by Neuron Corporation of Tokyo, Japan, for receiving magnetic cards. The identification unit 48 compares the identification received to that expected for the specific user and notifies the manager 40 whether or not there is a match. Without a match, the user cannot access the files in the protected area 30. With a match, the user can access the files permitted for his access level.
If the identification unit 48 indicates that the user is authorized, then protected area definition unit 42 enables the selected files to be defined as protected. The definition operation is performed as follows:
The protected area definition unit 42 requires that CPU 14 provide it with a copy of FAT 24. Unit 42 then searches FAT 24 for the sector or sectors on disk 18 in which the selected files are stored. These addresses are then stored in protected FAT 32 which, in turn, is stored in an Electronically Erasable Programmable Read Only Memory (EEPROM) 68, shown in Fig. 3 and described in more detail hereinbelow.
The protected area definition unit 42 enables the user to define which files are to be protected and to provide classification levels for them. For the example hereinabove, the system files will have a level of "system operator only" and the application files will have a level of "everyone allowed".
Unit 42 also enables the user to indicate which executable files are known to be clean, or free of viruses.
Thus, the protected FAT 32 also contains classification level information and cleanliness status information for each file protected.
Since viruses typically attack executable files and operating system files, the user will typically select protection for the entirety of his executable files as well as his operating system files, partition table and boot sector. Protection can also be placed on data which the user does not want to be altered or read.
The command recognition unit 44 monitors bus 26 for commands, comparing every received command with the predetermined set of commands. The predetermined set typically comprises any read, write or loading commands. These also include formatting commands which effectively rewrite the entire disk 18.
If a received command is one of the set, the command recognition unit 44 determines if it is a load command. If so, unit 44 provides control to an interrupt vector protection unit 50. If not, indicating that a disk access operation is about to take place, unit 44 provides control to an address recognition unit 52.
Address recognition unit 52 compares the address associated with the command to the sector addresses stored in the protected FAT 32 and checks the classification level for the addressed sector. If there is a match, indicating that the computer 12 is attempting to access protected area 30, unit 52 issues a stop command to a disk access protection unit 54 to disable the access attempt. Unit 52 then requests that the user provide authorization for the access of area 30. The user then has to provide its identification means 46 to identification unit 48.
If the user is authorized to access the file, then the disk access is enabled and control is returned to command recognition unit 44.
If the user cannot provide authorization or if a virus tried accessing the protected area 30, no action is taken. The user is thus notified as soon as a virus program attempts to write to the disk or an unauthorized user tries to access the area 30. If the user wishes to reenable disk access, he typically has to restart, or "reboot" the computer 12.
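The screening flow just described, from command recognition unit 44 through address recognition unit 52, can be modelled in C as follows. This is an added example, not code from the patent: the sector ranges, the type names and the functions `required_level` and `screen_command` are assumptions chosen for illustration, and the stop-then-authorize exchange is collapsed into a single final verdict.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed model of the screening flow; not the patent's firmware. */
enum cmd     { CMD_READ, CMD_WRITE, CMD_FORMAT, CMD_LOAD, CMD_OTHER };
enum level   { LEVEL_NONE, LEVEL_REGULAR, LEVEL_SYSTEM }; /* NONE: no valid identification */
enum verdict { PASS_THROUGH, TO_VECTOR_UNIT, ACCESS_ENABLED, ACCESS_DISABLED };

/* One protected FAT entry: a run of sectors plus its classification level. */
struct pfat_entry {
    unsigned first, last;   /* inclusive sector range */
    enum level required;    /* minimum user level allowed to touch it */
};

/* Constructed sample layout; the sector numbers are illustrative only. */
static const struct pfat_entry protected_fat[] = {
    {   0,   0, LEVEL_SYSTEM  },   /* boot sector and partition table */
    {   1,  62, LEVEL_SYSTEM  },   /* operating system files */
    { 200, 399, LEVEL_REGULAR },   /* application files */
};
#define PFAT_LEN (sizeof protected_fat / sizeof protected_fat[0])

/* Highest level required by any protected run overlapping [first, last].
 * LEVEL_NONE means the range touches no protected sector. */
static enum level required_level(unsigned first, unsigned last)
{
    enum level need = LEVEL_NONE;
    for (size_t i = 0; i < PFAT_LEN; i++) {
        const struct pfat_entry *e = &protected_fat[i];
        if (first <= e->last && last >= e->first && e->required > need)
            need = e->required;
    }
    return need;
}

/* Decide what happens to one command seen on the bus. `user` is the level of
 * the identified user, or LEVEL_NONE when nobody can authorize the access
 * (for example, a program acting on its own). */
static enum verdict screen_command(enum cmd c, unsigned sector,
                                   unsigned count, enum level user)
{
    unsigned first = sector, last;

    if (c == CMD_OTHER)
        return PASS_THROUGH;        /* not in the predetermined set */
    if (c == CMD_LOAD)
        return TO_VECTOR_UNIT;      /* handled by the interrupt vector unit */

    if (c == CMD_FORMAT) {          /* a format rewrites the entire disk */
        first = 0;
        last = UINT_MAX;
    } else if (count == 0) {
        return PASS_THROUGH;        /* touches no sector */
    } else {
        last = sector + (count - 1);
        if (last < sector)          /* arithmetic wrapped: clamp to disk end */
            last = UINT_MAX;
    }

    enum level need = required_level(first, last);
    if (need == LEVEL_NONE)
        return PASS_THROUGH;        /* outside the protected area */
    /* Authorized when the user's level is equal to or larger than required. */
    return user >= need ? ACCESS_ENABLED : ACCESS_DISABLED;
}

int main(void)
{
    /* A write that starts outside the protected area but runs into it. */
    printf("write 195..204, no user: %d\n",
           screen_command(CMD_WRITE, 195, 10, LEVEL_NONE));
    printf("format, regular operator: %d\n",
           screen_command(CMD_FORMAT, 0, 0, LEVEL_REGULAR));
    return 0;
}
```

Matching on range overlap rather than on the starting sector is what catches a multi-sector transfer that begins in unprotected space and runs into the protected area.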
The command recognition unit 44 identifies a load command by identifying that a command to write to a predetermined address in RAM 16 has been issued. The predetermined address is the address into which the first address of the executable file to be loaded is stored.
The interrupt vector protection unit 50 first disables access to any accompanying data files of the previously loaded executable file, herein called the "first" executable file. Unit 50 then identifies the executable file about to be loaded, henceforth called the "second" executable file, by comparing the addresses of the second executable file with those stored in the protected FAT 32.
If the second executable file is clean according to the protected FAT 32, access to its accompanying files is enabled, by placing the accompanying files into the protected FAT 32, and control is returned to the command recognition unit 44.
If the second executable file is not clean, indicating that it contains either a virus or a program which the user is not protecting, then unit 50 stops the operation of CPU 14, reads the current interrupt vector which belongs to the previous executable file and stores the interrupt vector in EEPROM 68 (Fig. 3). The CPU 14 is then released and control of the protection unit 10 is returned to the command recognition unit 44 and the second executable file is allowed to execute.
When a new executable file, herein called the "third" executable file, is loaded after a second executable file which was not clean, the interrupt vector protection unit 50 replaces the interrupt vector of the second executable file, which may have been defined to address undesirable operations, with the interrupt vector of the first executable file.
The replacement operation includes the steps of stopping CPU 14, writing the stored interrupt vector into the interrupt vector storage addresses in RAM 16, and releasing CPU 14.
After replacing the interrupt vector, unit 50 checks that the third executable file is clean. If not, then unit 50 saves the interrupt vector, which is now that of the first executable file. Unit 50 then proceeds as described hereinabove.
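The save and restore sequence for the first, second and third executable files can be traced with a small C model. This is an added example, not code from the patent: the eight-entry table, the handler addresses and the names `vector_guard`, `guard_on_load` and `program_hooks` are assumptions for illustration, and the handling of accompanying files is left out.

```c
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 8   /* constructed size; a small table keeps the trace readable */

/* Constructed model of interrupt vector protection unit 50. */
struct vector_guard {
    unsigned long live[IVT_ENTRIES];   /* interrupt vector in the computer's RAM */
    unsigned long saved[IVT_ENTRIES];  /* snapshot held in the device's EEPROM */
    int saved_valid;                   /* 1 while a file that is not clean may run */
    int restores;                      /* number of restore operations performed */
};

/* Constructed sample: the vector left by a file known to be clean. */
static const unsigned long clean_boot_ivt[IVT_ENTRIES] = {
    0x100, 0x101, 0x102, 0x103, 0x104, 0x105, 0x106, 0x107
};

static void guard_init(struct vector_guard *g, const unsigned long *ivt)
{
    memcpy(g->live, ivt, sizeof g->live);
    memset(g->saved, 0, sizeof g->saved);
    g->saved_valid = 0;
    g->restores = 0;
}

/* Called when a load command is recognised, before the new file runs.
 * file_is_clean is the clean status recorded in the protected FAT. */
static void guard_on_load(struct vector_guard *g, int file_is_clean)
{
    if (g->saved_valid) {
        /* The previous file was not clean: write the stored vector back,
         * discarding any redefinition it made. */
        memcpy(g->live, g->saved, sizeof g->live);
        g->saved_valid = 0;
        g->restores++;
    }
    if (!file_is_clean) {
        /* Store the known-good vector before the untrusted file executes.
         * After a restore this is again the vector of the last clean file. */
        memcpy(g->saved, g->live, sizeof g->saved);
        g->saved_valid = 1;
    }
}

/* Stand-in for a running program redefining one interrupt vector entry. */
static void program_hooks(struct vector_guard *g, int entry, unsigned long handler)
{
    g->live[entry] = handler;
}

int main(void)
{
    struct vector_guard g;

    guard_init(&g, clean_boot_ivt);    /* first file: clean */
    guard_on_load(&g, 0);              /* second file: not clean */
    program_hooks(&g, 1, 0xBAD0UL);    /* it redefines entry 1 */
    printf("while second file runs: entry 1 = %#lx\n", g.live[1]);

    guard_on_load(&g, 1);              /* third file: clean */
    printf("after third file loads: entry 1 = %#lx\n", g.live[1]);
    return 0;
}
```

The trace makes the window visible: a redefined entry stays live from the moment the unclean file installs it until the next load command is recognised, and a change made by a clean file is never rolled back.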
Reference is now made to Fig. 3 which illustrates, in block diagram format, the hardware elements of the present invention.
Protection device 10 typically comprises a microprocessor 60 with a high frequency clock 62, such as the 80386DX microprocessor manufactured by Intel of the USA with a 33 MHz clock, working in conjunction with a RAM 64. Microprocessor 60 typically is associated with at least one input/output port 66 which is connected to bus 26.
Microprocessor 60 is further associated with Electronically Erasable Programmable Read Only Memory (EEPROM) 68 for storing the predetermined set of commands, protected FAT 32, interrupt vectors, passwords and user names.
Microprocessor 60, in conjunction with RAM 64, typically implements the manager 40, the protected area definition unit 42, the command recognition unit 44, the interrupt vector protection unit 50 and the address recognition unit 52.
The disk access protection unit 54 can be embodied in a number of ways. Unit 54 can be embodied as a hold and a stop command. The hold command is transmitted, via bus 26, to the CPU 14 which causes the CPU 14 to stop its operation. At the same time, the stop command is sent, also via bus 26, to disk controller 20 to stop its operation. This embodiment is operative for those disk controllers, such as the 82064 mentioned hereinabove, which can respond to a stop command.
Alternatively, unit 54 can be embodied as an analog switch, such as the SN74ALS1244 manufactured by Texas Instruments of U.S.A., or as a mechanical relay. The switch or relay is connected to the power cable (not shown) of disk 18 and, when activated, disconnects the power to disk 18.
For a bus 26 which has a non-maskable interrupt, such as a microchannel bus or an Enhanced ISA (EISA) bus, unit 54 can be embodied as a non-maskable interrupt which is sent directly to CPU 14. The interrupt causes the CPU 14 to execute a routine stored therein which cancels the access command and/or reboots the system.
Optionally, microprocessor 60 can provide a notice to CPU 14 that will indicate, upon rebooting, that the cause of the stopping of the computer 12 was a virus or unauthorized access and not something else.
It will be appreciated that unit 54 can include a combination of the above-described disabling methods and mechanisms.
It will be appreciated that the combined operations of command recognition unit 44, address recognition unit 52 and disk access protection unit 54 are fast enough to finish performing in one clock cycle of computer 12.
It will further be appreciated that the protection device 10 of the present invention ensures that a virus which tries to access protected area 30 generally will have no effect. The protection device 10 discovers the virus as soon as it attempts to access the data in the protected area 30, thereby indicating to the user which file or program is affected by the virus. Additionally, any changes to the interrupt vector created by the virus are effective only during the operating time of the virus.
The present invention is advantageous in that the device 10 is a hardware device that operates in parallel to computer 12 and is not operated by computer 12, thus making it difficult for a virus to overcome the operation of the device. Furthermore, the device 10 operates generally without any knowledge of the characteristics of virus programs.
It will also be appreciated that the protection device 10 does not add a significant amount of time to the operation of computer 12 since the microprocessor 60 operates in parallel to bus 26. The method of identifying unauthorized access, described hereinabove, can be applied to any suitable computer.
Reference is now made to Figs. 4 - 11 which together illustrate the operations of the protection device 10. The operations of Figs. 4 - 11 are typically performed in software stored in the EEPROM 68 of protection device 10. The figures are believed to be self-explanatory and therefore, in the interest of conciseness, they will not be described in great detail.
In general terms, the figures describe the following:
Fig. 4 describes the overall operations of the protection device 10;
Fig. 5 describes the operation of identifying a load command;
Fig. 6 describes the operation of identifying the name of a loaded executable file;
Fig. 7 describes the operation of saving an interrupt vector;
Fig. 8 describes the operation of restoring an interrupt vector;
Fig. 9 describes an update program for changing parameters of operation of the protection device 10, where typical parameters are the files which are in the protected area 30, the access levels of users, the classification levels of the protected files, and the clean status of each file;
Fig. 10 describes the operations of disabling the operation of the computer; and
Fig. 11 describes installation operations.
It will be noted that the update program illustrated in Fig. 9 is typically performed by software stored in the protected area 30 and loaded into RAM 16. The interface between the user and the software is through computer 12.
Furthermore, the program of Fig. 9 enables and disables access to accompanying files. Enabling is performed by modifying the protected FAT 32 to include the accompanying files. Disabling is performed by modifying the protected FAT 32 to no longer include the accompanying files.
The installation program whose operations are illustrated in Fig. 11 serves to identify the type of CPU 14, the peripheral apparatus attached to computer 12 and the version of the operating system under which everything operates. Furthermore, the program calls the software uses the update program of Fig. 9 in order to define the parameters of operation.
It is desired to execute the installation program, from an external disk, after a low level format and after installing the operating system.
Reference is now made to Fig. 12 which illustrates a plurality of computers connected together via a network 100. Typically, in network operations, there are a multiplicity of workstations 102 which save their files onto a file server 104.
In accordance with the present invention, protection devices are installed in each of workstations 102 and the file server 104. In Fig. 12, the protection devices on workstations 102 are labeled 106 and the protection device on the file server is labeled 108.
The protection devices 106 and 108 operate generally as described hereinabove with the following exceptions:
The protection device 108 maintains a network-wide protected FAT 32 describing the status of the files stored on the file server 104. Whenever one of the workstations 102 is started or "booted", its protection device 106 checks the date of the protected FAT 32 of protection device 108. If the date is later than the date on the protected FAT 32 of the protection device 106 of the workstation 102, the protection device 106 receives from protection device 108 a copy of its protected FAT 32.
Furthermore, whenever a user of one of the workstations 102 desires to change its protected FAT 32, and thus, the network-wide FAT 32, the new, updated version of FAT 32 is broadcast to the remaining workstations 102.
It will be appreciated that the protection devices 106 and 108 additionally comprise time clocks (not shown) which operate independently of the time clocks of the workstations. The protection devices 106 monitor the time clocks of the workstations 102 to ensure that the workstation time matches the protection device time and to update the workstation time if it does not match the protection device time. Similarly, the protection device 108 monitors the time of the file server 104.
It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention is defined only by the claims that follow:

Claims

1. Apparatus for protecting access to at least one selec ed area of a disk, the apparatus comprising: means for defining said at least one selected area o said disk; means for determining that a disk access command ha issued for at least a portion of said at least one selected area and means for disabling said disk access command.
2. Apparatus for protecting data stored on a disk of computer, the apparatus comprising: means for determining when said computer issues one o a predetermined set of commands; and means, responsive to said issued command, for selec tively interfering with the normal operation of said computer.
3. Apparatus for protecting the operation of a compute having active memory, the apparatus comprising: means for defining that at least one executable file i clean; means for determining when said computer is commande to load a first executable file into said active memory; means for storing an interrupt vector from a previousl loaded executable file if said first executable file is not clea and for enabling said first executable file to load and to exe cute; and means for restoring said stored interrupt vector onc said first executable file finishes executing.
4. Apparatus according to claim 1 and wherein said dis access command is a selected one of a write, read or forma command.
5. Apparatus according to claim 2 and wherein said prede termined set of commands includes write, read, format and loa commands.
6. Apparatus according to claim 1 and including means fo identifying a user and a classi ication level of said user.
7. Apparatus according to claim 1 and including means fo classifying access levels for data stored in said at least on selected area.
8. Apparatus according to ' claim 6 : an wherein said means for disabling include means for authorizin performance of said disk access command if said means for identi¬ fying a user indicate that said user has a classification level equivalent to or larger than said access level for data to be accessed.
9- Apparatus according to claim 2 and including means for identifying a user and a classification level of said user.
10. Apparatus according to claim 3 including means for defining accompanying files to be opened when said first executa¬ ble file is loaded and means for closing said accompanying files if another executable file is commanded to be loaded.
11. Apparatus according to .claim 1 wherein said disk forms part of a computer and wherein said means for disabling include a stop and hold command to said computer.
12. Apparatus according to claim 1 wherein said disk forms part of a computer and wherein said means for disabling include a non-maskable interrupt to said computer.
13- Apparatus according to claim 1 and wherein said means or disabling include an analog switch.
14. Apparatus according to claim 2 and wherein said means fo selectively interfering include a stop and hold command to sai computer.
15. Apparatus according to claim 2 and wherein said means for selectively interfering include a non-maskable interrupt to said computer.
16. Apparatus according to claim 2 and wherein said means for selectively interfering include an analog switch for disabling operation of said disk.
17. Apparatus for protecting at least one selected area of a disk of a computer from undesired access operations, the computer comprising a disk controller and a bus, the apparatus comprising: means connected in parallel to said bus for determining that an undesired access command to a portion of said at least one selected area of said disk has issued; and means for disabling said undesired access command.
18. A computer network comprising: a multiplicity of computer workstations each usable by one user at one time and each having a workstation storage medium; a file server for storing files accessible by each of said computer workstations, the file server having a server storage medium; workstation protection means for protecting access to at least one selected area of said workstation storage medium; and server protection means for protecting access to at least one selected area of said server storage medium, wherein said server protection means communicates with each of said workstation protection means to provide information regarding said at least one selected area of said server storage medium.
19. A computer network according to claim 18 and wherein said server protection means and said workstation protection means comprise: means for defining said at least one selected areas of said storage media; means for determining that a disk access command has issued for at least a portion of said at least one selected areas; and means for disabling said disk access command.
20. A computer network according to claim 18 and wherein said server protection means and said workstation protection means comprise: means for determining when said computer issues one of a predetermined set of commands; and means, responsive to said issued command, for selectively interfering with the normal operation of said computer.
21. A computer network according to claim 18 wherein said workstations and said file server have active memories and wherein said server protection means and said workstation protection means comprise: means for defining that at least one executable file is clean; means for determining when said computer is commanded to load a first executable file into said active memory of one of said workstation; means for storing an interrupt vector from a previously loaded executable file if said first executable file is not clean and for enabling said first executable file to load and to execute; and means for restoring said stored interrupt vector once said first executable file finishes executing.
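The store-and-restore handling of interrupt vectors recited in claim 21 can be followed in a small simulation. The C code below is an added example, not code from the patent: the 256-entry table, the handler addresses, the file names and the function names (`guarded_exec`, `is_clean`, `reset_ivt`) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVEC 256                          /* x86 real mode exposes 256 interrupt vectors */
typedef uint32_t vec_t;                   /* stand-in for a segment:offset handler address */
typedef void (*program_fn)(vec_t *table); /* a "program" that may rewrite vectors while running */

static vec_t ivt[NVEC];                   /* simulated interrupt vector table */

/* Constructed clean list; the claim only requires that a file be "defined" as clean. */
static const char *clean_list[] = { "COMMAND.COM", "CACHE.EXE" };

static int is_clean(const char *name) {
    for (size_t i = 0; i < sizeof clean_list / sizeof clean_list[0]; i++)
        if (strcmp(name, clean_list[i]) == 0) return 1;
    return 0;
}

/* Fill the table with constructed default handler addresses. */
static void reset_ivt(void) {
    for (int i = 0; i < NVEC; i++) ivt[i] = 0xF0000000u + (vec_t)i;
}

/* Load-and-run wrapper. Returns how many vectors had to be put back. */
static int guarded_exec(const char *name, program_fn run) {
    vec_t saved[NVEC];
    int restored = 0;
    if (is_clean(name)) { run(ivt); return 0; }  /* clean file: its hooks stay resident */
    memcpy(saved, ivt, sizeof ivt);   /* store vectors set by previously loaded programs */
    run(ivt);                         /* the non-clean file is still allowed to execute */
    for (int i = 0; i < NVEC; i++)    /* on exit, undo every vector it changed */
        if (ivt[i] != saved[i]) { ivt[i] = saved[i]; restored++; }
    return restored;
}

/* Constructed sample programs: a clean resident utility and an unknown file. */
static void resident_cache(vec_t *t) { t[0x13] = 0xC0001000u; }
static void unknown_file(vec_t *t)   { t[0x13] = 0xDEAD0000u; t[0x21] = 0xDEAD0010u; }

int main(void) {
    reset_ivt();
    guarded_exec("CACHE.EXE", resident_cache);
    int n = guarded_exec("UNKNOWN.EXE", unknown_file);
    printf("restored %d vectors, INT 13h -> %08lX\n", n, (unsigned long)ivt[0x13]);
    return 0;
}
```

The clean program's INT 13h hook survives because it was already in the table when the snapshot was taken; only changes made by the non-clean file are rolled back.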
PCT/US1992/011374 1991-12-23 1992-12-23 Computer protection device WO1993013477A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US81273391A 1991-12-23 1991-12-23
US07/812,733 1991-12-23

Publications (1)

Publication Number Publication Date
WO1993013477A1 (en) 1993-07-08

Family

ID=25210463

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1992/011374 WO1993013477A1 (en) 1991-12-23 1992-12-23 Computer protection device

Country Status (1)

Country Link
WO (1) WO1993013477A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19635204A1 (en) * 1995-09-01 1997-05-15 Nat Semiconductor Corp Exception security device for processor
US6092161A (en) * 1996-03-13 2000-07-18 Arendee Limited Method and apparatus for controlling access to and corruption of information in a computer
WO2000065415A2 (en) * 1999-04-22 2000-11-02 The Dow Chemical Company Process control system with integrated safety control system
WO2002027445A2 (en) * 2000-09-29 2002-04-04 Steven Bress Write protection for computer long-term memory devices
CN1107263C (en) * 1995-01-24 2003-04-30 西南石油学院 Technology and hardware for prevention and treatment of computer virus
CN1108565C (en) * 1995-02-17 2003-05-14 罗建平 Method for solidifying hard-disc document of computer
CN1109300C (en) * 1997-07-31 2003-05-21 周恽 Method and appts. of transparent protection for computer rigid disk storage contents
WO2006059335A1 (en) * 2004-12-03 2006-06-08 Tedea Technological Dev And Au Method and system for securing data stored in a storage device
WO2007078648A1 (en) * 2005-12-19 2007-07-12 Intel Corporation Mechanism to control access to a storage device
US8090904B2 (en) 2008-02-01 2012-01-03 Cru Acquisition Group, Llc Reduced hard-drive-capacity detection device
US8984636B2 (en) 2005-07-29 2015-03-17 Bit9, Inc. Content extractor and analysis system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4757533A (en) * 1985-09-11 1988-07-12 Computer Security Corporation Security system for microcomputers
US5012514A (en) * 1990-06-26 1991-04-30 Paul Renton Hard drive security system

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1107263C (en) * 1995-01-24 2003-04-30 西南石油学院 Technology and hardware for prevention and treatment of computer virus
CN1108565C (en) * 1995-02-17 2003-05-14 罗建平 Method for solidifying hard-disc document of computer
DE19635204A1 (en) * 1995-09-01 1997-05-15 Nat Semiconductor Corp Exception security device for processor
US6092161A (en) * 1996-03-13 2000-07-18 Arendee Limited Method and apparatus for controlling access to and corruption of information in a computer
US6526488B1 (en) 1996-03-13 2003-02-25 Arendee Limited Computer systems
US6684309B2 (en) 1996-03-13 2004-01-27 Arendee Limited Method for controlling access to data by redirecting modifications of the data
CN1109300C (en) * 1997-07-31 2003-05-21 周恽 Method and appts. of transparent protection for computer rigid disk storage contents
US6647301B1 (en) 1999-04-22 2003-11-11 Dow Global Technologies Inc. Process control system with integrated safety control system
WO2000065415A2 (en) * 1999-04-22 2000-11-02 The Dow Chemical Company Process control system with integrated safety control system
WO2000065415A3 (en) * 1999-04-22 2001-11-15 Dow Chemical Co Process control system with integrated safety control system
WO2002027445A2 (en) * 2000-09-29 2002-04-04 Steven Bress Write protection for computer long-term memory devices
WO2002027445A3 (en) * 2000-09-29 2003-06-19 Steven Bress Write protection for computer long-term memory devices
US6813682B2 (en) 2000-09-29 2004-11-02 Steven Bress Write protection for computer long-term memory devices
WO2006059335A1 (en) * 2004-12-03 2006-06-08 Tedea Technological Dev And Au Method and system for securing data stored in a storage device
US8984636B2 (en) 2005-07-29 2015-03-17 Bit9, Inc. Content extractor and analysis system
WO2007078648A1 (en) * 2005-12-19 2007-07-12 Intel Corporation Mechanism to control access to a storage device
US7634629B2 (en) 2005-12-19 2009-12-15 Intel Corporation Mechanism to control access to a storage device
CN101416195B (en) * 2005-12-19 2010-10-27 英特尔公司 Computer system to control access to a storage device
US8090904B2 (en) 2008-02-01 2012-01-03 Cru Acquisition Group, Llc Reduced hard-drive-capacity detection device

Similar Documents

Publication Publication Date Title
US5657473A (en) Method and apparatus for controlling access to and corruption of information in computer systems
US6052781A (en) Multiple user computer including anti-concurrent user-class based disjunctive separation of plural hard drive operation
US5265163A (en) Computer system security device
JP2727520B2 (en) Memory card and operating method thereof
US3931504A (en) Electronic data processing security system and method
EP0197552B1 (en) Method of processing interrupts in a digital computer system
US7890726B1 (en) Flash memory protection scheme for secured shared BIOS implementation in personal computers with an embedded controller
EP0268138B1 (en) Implementing privilege on microprocessor systems for use in software asset protection
US5396609A (en) Method of protecting programs and data in a computer against unauthorized access and modification by monitoring address regions
US5657445A (en) Apparatus and method for limiting access to mass storage devices in a computer system
US5022077A (en) Apparatus and method for preventing unauthorized access to BIOS in a personal computer system
US5483649A (en) Personal computer security system
EP0842468B1 (en) Virus protection in computer systems
CN100389408C (en) Fixed disk data enciphering back-up and restoring method
US5432939A (en) Trusted personal computer system with management control over initial program loading
EP0422184A4 (en) Computer file protection system
NZ282954A (en) Data system; card reader provides secure access to a data storage system; non standard system calls detected during initialisation of system
EP1078311A1 (en) Protected storage device for computer system
WO1993013477A1 (en) Computer protection device
US6920566B2 (en) Secure system firmware by disabling read access to firmware ROM
US5881282A (en) Controlling ill-behaved computer add-on device through a virtual execution mode
EP0695986B1 (en) System and method for providing access protection on media storage devices
WO1993009498A1 (en) Method and system protecting data in storage device against computer viruses
JP3585510B2 (en) Program execution management device and program execution management method
KR19990079740A (en) How to secure your PC using boot sequence

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): CA JP KR

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA