« PrécédentContinuer »
METHODS AND APPARATUS FOR PROTECTING AGAINST VIRUSES ON PARTITIONABLE MEDIA
 The present invention relates generally to computer systems and methods, and more particularly, to apparatus and methods for protecting against boot sector viruses on partitionable media. The present invention also relates to loading an operating system from a mass storage device, and specifically to protecting against viruses that install themselves into a boot sector of a mass storage device. The present invention also relates to electronic systems that load their operating system from mass storage devices, which a virus may infect.
 Before a computer can properly function, it loads an operating system into its working memory. The operating system (OS), such as Windows, Linux, Unix, VMS or any other operating system, provides the capability by which the user and applications interact with the computer hardware. This process is ordinarily carried out by a process called "bootstrapping," or "booting." Booting occurs automatically when a computer is powered on or can be specifically invoked by a user on a running computer.
 Typically, the booting process of a computer searches a storage medium (floppy disk, hard drive, or CD-ROM) for an operating system to be loaded, and this function is usually controlled by firmware stored in one or more flash memory components or chips in the computer that include the basic input/output system (BIOS). After locating a disk with a valid boot record, the BIOS program reads the data stored on the first sector of the disk and copies that data into specific locations in the computer's random access memory (RAM). In a typical, personal computer, this data constitutes a DOS Boot Record (DBR). Execution of code contained in the DOS Boot Record causes the computer to load the remaining files and code that comprise the operating system.
 The booting process for personal computers is initiated when the system software (BIOS) loads and executes a small program (boot sector code) from the first (boot) sector of a mass storage device, such as a hard drive, a floppy drive or a CD-ROM. The purpose of the boot sector program is to locate the operating system on the mass storage device, load it into memory and execute it. Once the operating system has been executed, the boot sector program is finished, and will not regain control.
 Computer viruses are sequences of computer instructions that are installed on computers without the consent of the computer user. Computer viruses can be harmless, destructive, or anywhere in between. A common location within a computer, especially a personal computer, to install a virus is the boot sector of a hard or floppy disk. The boot sector is a common target because it is easy to locate, usually located on sector 0 of the disk. In addition, several predetermined system files can be found by referencing pointers stored within sector 0 of the hard or floppy disk. Since these critical system files are also easily located the are also common targets for viruses.
 Viruses are typically undesired programs or segments of code, which are present in the computer system without a user's knowledge or consent. A common method
of virus infection is to replace the boot sector code with virus code so that the virus will be activated whenever the infected media is booted from. Typically, at the time of infection, the virus will move the original boot sector program to a hidden location on the drive, and will write a copy of itself into the boot sector. At boot time, if the boot disk is infected, the BIOS will unknowingly load and execute the virus from the boot sector. Once the virus has completed it's task, it typically will load and execute the original boot sector program from the hidden location on the disk. This will cause the operating system to be loaded, and will most likely not alert the user that a virus is present.
 The basic input/output system (BIOS) developed by the assignee of the present invention, known as the PhoenixBIOS, has a feature for protecting the boot sector from virus infection. The current virus protection involves runtime monitoring of interrupt 13h write requests. If a write request to the boot sector is made, the BIOS will warn the user about it, or reject the write operation. This method of virus protection may be thwarted by bypassing the interrupt 13h interface, and performing a controller level disk write operation.
 However, by bypassing the interrupt 13 interface and performing a controller level disk write, one can thwart this method of virus protection. In other words, in order to detect a virus being written to the boot sector, the Phoenix BIOS typically has to monitor interrupt 13h write requests. If the BIOS detects a write request to the boot sector, then the user will be warned that a disk write is about to occur at the boot sector.
 Since there is usually no valid reason to write to the boot sector, a write operation to the boot sector is likely a virus in the process of installing itself to the boot sector. Performing a direct controller level disk write and bypassing the interrupt 13h write request can thwart this method of virus protection. By not utilizing the interrupt 13h to perform a write request to the boot sector and writing the virus into the boot sector directly through the controller without the use of the BIOS code, the installation of the boot virus can avoid detection.
 There are several methods in the industry that attempt to prevent virus infections. One approach is that used by the Windows NT operating system. Windows NT stores part of the boot loader in a file on the disk and validates the boot sector contents from the boot loader. This is different from the present invention. The Windows NT operating system performs a checksum type calculation on the boot sector and compares the result to a stored value before executing the code in the boot sector. If the numbers do not match, then it is likely that the boot sector code has been replaced by an alternate code and the user is then warned.
 A computer search was performed on the present invention that resulted in several patents that somewhat relate to the present invention. These patents include U.S. Pat. No. 5,559,960 and U.S. Pat. No. 5,826,012. U.S. Pat. No. 5,559,960 entitled "Software anti-virus facility" discloses that a "virus-resistant disk has a "hidden partition" in which anti-virus software is stored; the hidden partition not only shields the software from many viruses, but provides storage space that does not reduce the disk's formatted or advertised capacity. The disk includes software to cause the
computer to execute the anti-virus software. The invention provides a hidden partition by utilizing storage space on the disk that is not reflected in the size and geometry information stored on the disk, e.g., in the BIOS Parameter Block." However, U.S. Pat. No. 5,559,960 does not disclose the use of BIOS that includes Master Boot Record code or that the computer system is booted to load an operating system from the mass storage device without executing the boot sector code so that viruses are not activated.
 U.S. Pat. No. 5,826,012 entitled "Boot-time antivirus and maintenance facility" discloses that a "computer storage medium has software executed at startup of the computer, before the computer executes an ultimate operating system. The software provides anti-virus, maintenance and/or repair functions. In one embodiment, the software is stored on a "hidden partition" of the storage medium; the hidden partition not only shields the software from many viruses, but provides storage space that does not reduce formatted or advertised capacity."
 It is also stated in U.S. Pat. No. 5,826,012 that the "invention provides a storage medium on which is stored anti-virus software and/or software designed to detect and repair damage to stored information, as well as instructions to cause a computer to execute the software whenever the disk is used to start the computer. The invention may be broadly applied to a variety of storage media amenable to selective actuation by a user—that is, designation by the user as a temporary or permanent "system" device from which the computer can boot." However, U.S. Pat. No. 5,826,012 does not disclose the use of BIOS that includes Master Boot Record code or that the computer system is booted to load an operating system from the mass storage device without executing the boot sector code so that viruses are not activated.
 It would be desirable to have virus protection apparatus and methods that improve upon the prior art solutions discussed above. It is an therefore an objective of the present invention to provide for apparatus and methods for protecting against boot sector viruses on partitionable media. It is a further objective of the present invention to provide for apparatus and methods for protecting against boot sector viruses by incorporating code to parse the partition table into the basic input/output system (BIOS).
SUMMARY OF THE INVENTION
 To accomplish the above and other objectives, the present invention provides for apparatus and methods that protect against boot sector viruses on partitioned media of a computer system by incorporating code to parse the partition table into system firmware (basic input/output system or BIOS). The present boot sector virus protection apparatus and methods provide for virus protection implemented by system firmware (BIOS).
 Exemplary boot sector virus protection apparatus and methods comprise a computer system having a nonvolatile memory and a mass storage device with a master boot record containing a partition table. The apparatus and methods store code in the nonvolatile memory that is capable of reading the partition table in the master boot record stored in the mass storage device or in a secure area of the mass storage device. The stored code is used to read the master boot record, locate the partition table in the
master boot table, locate a bootable partition within the partition table, and begin a boot process using the bootable partition. A checksum of the master boot record or its partition table, or a cyclic redundancy check of the master boot record or its partition table is preferably used.
 The present invention adds a new level of virus protection to the system firmware (BIOS) by eliminating the need to execute boot sector code when booting from a mass storage device, such as a hard drive, for example. This is accomplished by moving the functionality of the hard drive boot sector program, known as the Master Boot Record (MBR) into the system firmware (BIOS).
 The Master Boot Record is a 512 byte binary image that contains a 446 byte Master Boot Record code section, a 4 entry (64 byte) partition table, and a 2 byte validation signature. The purpose of the Master Boot Record code section is to locate and active partition table entry. If an active partition is found, the Master Boot Record code loads the first sector of the partition, and executes it.
 When a virus infects a hard drive boot sector, it typically replaces the Master Boot Record code with virus code, but leaves the partition table intact. The virus in most cases will copy the Master Boot Record code in an unused sector in the boot track, and use it to boot the operating system, after it has installed a runtime piece of virus code, such as an interrupt service routine (ISR).
 The present invention places the entire functionality of the Master Boot Record code into the system firmware (BIOS). Therefore, it is not necessary to execute the Master Boot Record code. This prevents and infected drive from spreading a virus.
 To augment the present invention, a checksum of the boot sector may be calculated and stored so that a warning may be given to a user in the event that the stored checksum does not match a checksum computed when booting the computer system.
 Various advantages of the boot sector virus protection method are as follows. The boot sector virus protection method stops virus infection because infected boot sectors are not executed. The boot sector virus protection method is nonexclusive of existing virus protection, so it may be used to augment existing Phoenix BIOS boot sector protection.
 The boot sector virus protection method is passive, in that it does not require a runtime component. The boot sector virus protection method is operating system independent, wherein the boot process up to the point of loading the operating system boot record is standard for all personal computer operating systems.
 The present invention is updateable. Since there is no runtime component, a setup feature may be used to copy the 446 byte code section of a Master Boot Record to an Extended System Configuration Data (ESCD) memory area, which is a storage area of memory for storing information about plug-and-play (PnP) devices, for example, in the BIOS, and which would become the boot loader for the BIOS. Windows and the BIOS have access to the Extended System Configuration Data memory area each time the computer re-booted.
 The present boot sector virus protection method does not involve active virus detection, and does not prohibit