Title of invention Method for detecting infection of software programs by memory resident software viruses
Abstract A method for detecting the infection of executable computer software programs by memory resident computer software virus programs is provided. The invented method comprises comparing an initial state of an executable program to a final state of the program. If the final state of the program is different than the initial state, then the method generates an alarm signal to inform a user that the program has been modified by a virus and is infected. Particularly, as a program is called into memory, that state of the program is marked as the initial state. When execution of the program is completed, that state of the program is marked as the final state. Alternatively, at the moment when processing of the program commences, that state of the program is marked as the final state of the program. The method compares the final and initial states to determine if the two states match. If the two states are the same, then it is confirmed that the program was not modified and is not infected. If it is determined that the two states are different, then the method generates an alarm signal to inform the user that the program is infected. Additionally, if the final state does not match the initial state, a known backup and restore technique can be invoked by the method for restoring the infected program to its initial state.
Publication number US5822517(A) Publication date 1998.10.13
Application number US19960631917 Filing date 1996.04.15
Applicant DOTAN, EYAL Inventor DOTAN, EYAL
Classification G06F1/00;G06F21/00;(IPC1-7):H04L9/00;H04K1/00 Main classification G06F1/00
Agency Agent
Main claim
Address
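
The comparison of initial and final states described in the abstract, as an added example that is not taken from the patent. It assumes the "state" of a program is the SHA-256 digest of its on-disk file and that the backup is an in-memory copy taken at load time. The names `snapshot`, `run_checked` and `demo`, and the sample file, are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Return (sha256 hex digest, raw bytes) of the program file: its 'state'."""
    with open(path, "rb") as f:
        data = f.read()
    return hashlib.sha256(data).hexdigest(), data

def run_checked(path, execute, restore=True):
    """Mark the initial state, run execute(path), mark the final state, compare."""
    initial, backup = snapshot(path)        # initial state, taken as the program loads
    execute(path)                           # the program runs to completion
    try:
        final, _ = snapshot(path)           # final state, taken when execution ends
    except FileNotFoundError:
        final = None                        # a deleted file also counts as a changed state
    result = {"initial": initial, "final": final,
              "infected": final != initial, "restored": False}
    if result["infected"]:
        print(f"ALARM: {path} was modified during execution")
        if restore:                         # backup-and-restore step from the abstract
            tmp = path + ".restore"
            with open(tmp, "wb") as f:
                f.write(backup)
            os.replace(tmp, path)           # swap the clean copy back in one step
            result["restored"] = snapshot(path)[0] == initial
    return result

def demo():
    """Constructed demo: one clean run, one run where the file changes."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "prog.bin")
        with open(prog, "wb") as f:
            f.write(b"constructed sample program image")
        clean = run_checked(prog, lambda p: None)
        def tamper(p):                      # stands in for any write made while the program runs
            with open(p, "ab") as f:
                f.write(b"APPENDED")
        dirty = run_checked(prog, tamper)
        with open(prog, "rb") as f:
            after = f.read()
    return clean, dirty, after

if __name__ == "__main__":
    print(demo())
```

A digest of the file only covers changes written to disk. A check like this says nothing about modifications that exist only in memory.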