CN106446681B - Virus detection and removal method and apparatus - Google Patents
- Publication number: CN106446681B (application CN201510484452.6A)
- Authority: CN (China)
- Prior art keywords
- application program
- virus
- behavior sequence
- track
- behavior
- Prior art date
- Legal status: Active (status as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The present invention relates to a virus detection and removal method and apparatus. The method comprises the following steps: recording the behavior sequence track of an application program; matching the behavior sequence track of the application program against the pre-stored behavior sequence track of a virus; if the match succeeds, determining that the application program is a virus; and removing the application program determined to be a virus. Because the method matches the behavior sequence tree of the application program against the pre-stored behavior sequence tree of a virus and, on a successful match, determines the application to be a virus and removes it, no information from the terminal needs to be uploaded to the cloud, so user information is not leaked and security is improved. It also does not require every virus file to be stored in advance so that the file under test can be compared against it; instead the behavior sequence tree of the application under test is compared against the virus behavior sequence tree, which gives the method wide applicability.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a virus detection and removal method and apparatus.
Background art
With the development of network technology the spread of computer viruses has intensified, and viruses cause great harm to the security of user information and to user property, so efficient detection and removal of viruses has become a focus of attention. The traditional approach is cloud-based detection. Cloud detection requires the corresponding files to be stored in the cloud, where each stored file has already been classified as a virus or not; a file on the user's computer is hashed, the hash is uploaded to the cloud, and the cloud compares the uploaded hash against the hashes of the files it stores to judge whether the file is a virus. This requires the hashes of files on the user's computer to be uploaded to the cloud, so user privacy is easily exposed and security is low; and only files the cloud has already stored can be classified, so applicability is poor.
Summary of the invention
In view of this, it is necessary to provide a virus detection and removal method that improves security and applicability, addressing the low security and poor applicability of traditional cloud-based detection.
It is also necessary to provide a virus detection and removal apparatus that improves security and applicability.
A virus detection and removal method comprises the following steps:
recording the behavior sequence track of an application program;
matching the behavior sequence track of the application program against the pre-stored behavior sequence track of a virus;
if the behavior sequence track of the application program matches the pre-stored behavior sequence track of the virus, determining that the application program is a virus;
removing the application program determined to be a virus.
A virus detection and removal apparatus comprises:
a recording module for recording the behavior sequence track of an application program;
a matching module for matching the behavior sequence track of the application program against the pre-stored behavior sequence track of a virus;
a determination module for determining that the application program is a virus if its behavior sequence track matches the pre-stored behavior sequence track of the virus;
a removal module for removing the application program determined to be a virus.
The above method and apparatus match the behavior sequence track of an application program against the pre-stored behavior sequence track of a virus and, on a successful match, determine the application to be a virus and remove it. No information from the terminal needs to be uploaded to the cloud, so user information is not leaked and security is improved. Nor does every virus file have to be stored in advance so that the file under test can be compared against it; instead the behavior sequence track of the file under test is compared against the virus behavior sequence track, which gives the method wide applicability.
Brief description of the drawings
Fig. 1 is a schematic diagram of the internal structure of a terminal in one embodiment;
Fig. 2 is a schematic diagram of the internal structure of a server in one embodiment;
Fig. 3 is a flow chart of the virus detection and removal method in one embodiment;
Fig. 4 is a flow chart of the virus detection and removal method in another embodiment;
Fig. 5 is a schematic diagram of the behavior sequence tree of the worked example;
Fig. 6 is a schematic diagram of the pre-stored behavior sequence tree of a virus;
Fig. 7 is a schematic diagram of the result of matching the behavior sequence tree of the example in Fig. 5 against the pre-stored virus behavior sequence tree in Fig. 6;
Fig. 8 is a structural block diagram of the virus detection and removal apparatus in one embodiment;
Fig. 9 is a structural block diagram of the virus detection and removal apparatus in another embodiment.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only illustrate the invention and do not limit it.
Fig. 1 is a schematic diagram of the internal structure of a terminal in one embodiment. As shown in Fig. 1, the terminal includes a processor, a storage medium, a memory, a network interface, a sound collection device, a display screen, a loudspeaker and an input device connected by a system bus. The storage medium of the terminal stores an operating system and also a virus detection and removal apparatus, which implements a virus detection and removal method. The processor provides computing and control capability and supports the operation of the whole terminal. The memory of the terminal provides the environment in which the virus detection and removal apparatus in the storage medium runs. The network interface communicates with a server over the network, for example sending data requests to the server and receiving the data the server returns. The display screen may be a liquid crystal display or an electronic ink display; the input device may be a touch layer covering the display screen, keys, a trackball or a trackpad provided on the terminal housing, or an external keyboard, trackpad or mouse. The terminal may be a mobile phone, a tablet computer or a personal digital assistant. Those skilled in the art will understand that the structure shown in Fig. 1 is only a block diagram of the part of the structure relevant to this application and does not limit the terminal to which the application is applied; a specific terminal may include more or fewer components than shown, combine certain components, or arrange the components differently.
Fig. 2 is a schematic diagram of the internal structure of a server in one embodiment. As shown in Fig. 2, the server includes a processor, a storage medium, a memory and a network interface connected by a system bus. The storage medium of the server stores an operating system, a database and a virus detection and removal apparatus; the database stores the behavior sequence tracks of viruses, and the apparatus implements a virus detection and removal method suitable for the server. The processor provides computing and control capability and supports the operation of the whole server. The memory of the server provides the environment in which the virus detection and removal apparatus in the storage medium runs. The network interface communicates with external terminals over a network connection, for example receiving data requests sent by a terminal and returning data to the terminal. The server may be an independent server or a cluster of several servers. Those skilled in the art will understand that the structure shown in Fig. 2 is only a block diagram of the part of the structure relevant to this application and does not limit the server to which the application is applied; a specific server may include more or fewer components than shown, combine certain components, or arrange the components differently.
Fig. 3 is a flow chart of the virus detection and removal method in one embodiment. As shown in Fig. 3, the method runs in the terminal of Fig. 1 and comprises the following steps:
Step 302: record the behavior sequence track of an application program.
Specifically, the behavior sequence track of an application program is the information generated while the application runs, ordered in time and/or by logical dependency. For example, it may include the application's process being started, other behaviors of that process, the process creating a thread in a system process, the created thread then creating an executable file and then writing to the registry, among other behaviors. A process is an application program running in the terminal or server system. A thread is a relatively independent, schedulable execution unit within a process, and is the basic unit the system schedules and dispatches. The registry is an important database in Windows systems that stores the settings of the system and of application programs.
Recording the behavior sequence track of the application program includes recording its key behavior track, the key behaviors being one or more of process start, thread creation, executable file creation and registry write. Recording only key behaviors reduces the data recorded and the computation needed for the subsequent comparison with the pre-stored virus behavior sequence track, improving efficiency.
Step 304: match the behavior sequence track of the application program against the pre-stored behavior sequence track of a virus.
Specifically, the behavior sequence track of the virus is analyzed and stored in advance. The behavior sequence track of the application is compared with the pre-stored behavior sequence track of the virus. If the application's track contains the virus track, the match succeeds and the application is determined to be a virus; if the application's track contains only part of the virus track, or none of it, the match fails and the application is determined not to be a virus.
The pre-stored behavior sequence track of the virus may include: a process starting, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
In one embodiment, the pre-stored behavior sequence track of the virus includes: the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
The recorded behavior sequence track of the application includes: receiving a trigger operation on the application file, the system creating a process in response to the trigger operation, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
When the application's behavior sequence track is matched against the pre-stored virus track, the application's track is found to contain the virus track, that is, it contains the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry; the match therefore succeeds and the application is determined to be a virus.
Step 306: if the behavior sequence track of the application program matches the pre-stored behavior sequence track of the virus, determine that the application program is a virus.
Step 308: remove the application program determined to be a virus.
Specifically, removing an application determined to be a virus may consist of deleting the application's process or of rolling back the application's behaviors.
Deleting the application's process means terminating the process that was opened when the application was launched. Rolling back the application's behaviors means performing the reverse operations according to the recorded behavior sequence track of the application; for example, if the track records that a thread was created in a system process, the rollback closes the created thread.
The above method matches the behavior sequence track of an application program against the pre-stored behavior sequence track of a virus and, on a successful match, determines the application to be a virus and removes it. No information from the terminal needs to be uploaded to the cloud, so user information is not leaked and security is improved. Nor does every virus file have to be stored in advance so that the file under test can be compared against it; instead the behavior sequence track of the file under test is compared against the virus behavior sequence track, which gives the method wide applicability.
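Steps 302 to 308 carried through in code, as an added example that is not part of the patent: a recorder that keeps only the key behaviors, an ordered-containment matcher over the flat track in which '*' stands for the patent's wildcard x, the full/partial/none decision of step 304, and the reverse-order rollback of step 308 expressed as a plan rather than executed against the operating system. The Behavior fields, the event kinds, the 'explorer.exe!b' label for a thread injected into explorer, the sample virus trace and the installer trace are all constructed for this example.

```python
"""Steps 302-308 of the method as a flat behavior-sequence-track matcher.
Added example; not the patent's own code.  Event kinds, the '*' wildcard and the
sample traces below are constructed for illustration."""
from dataclasses import dataclass

# Step 302: only these key behaviors are kept by the recorder.
KEY_BEHAVIORS = {"process_start", "create_thread", "create_executable", "write_registry"}
ANY = "*"  # wildcard field in a pre-stored virus track (the patent's "x")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Behavior:
    kind: str    # what happened, e.g. "create_thread"
    actor: str   # process or thread that did it
    target: str  # what it created or wrote: process, thread host, file path, registry key


def record_key_track(raw_events):
    """Step 302: drop everything that is not a key behavior, keeping order."""
    return [e for e in raw_events if e.kind in KEY_BEHAVIORS]


def _fits(pattern, observed):
    return all(p == ANY or p == o for p, o in zip(
        (pattern.kind, pattern.actor, pattern.target),
        (observed.kind, observed.actor, observed.target)))


def match_track(app_track, virus_track):
    """Step 304: the virus track must occur, in order, inside the app track.

    Greedy left-to-right subsequence search; it is exact here because each
    wildcard is independent (no value is bound across positions).
    Returns 'full' when every virus behavior was found in order, 'partial'
    when only a prefix was found, 'none' otherwise."""
    found = 0
    for observed in app_track:
        if found < len(virus_track) and _fits(virus_track[found], observed):
            found += 1
    if found == len(virus_track):
        return "full"
    return "partial" if found else "none"


def is_virus(app_track, virus_track):
    """Step 306: a partial or empty match is not a detection."""
    return match_track(app_track, virus_track) == "full"


# Step 308 (rollback variant): the inverse of each key behavior.
INVERSE = {
    "process_start": "terminate_process",
    "create_thread": "terminate_thread",
    "create_executable": "delete_file",
    "write_registry": "delete_registry_value",
}


def rollback_plan(app_track):
    """Undo the recorded behaviors newest-first, the reverse of the recorded order."""
    return [(INVERSE[b.kind], b.target) for b in reversed(app_track)]


# Pre-stored virus track: any process starts, injects a thread into explorer.exe,
# the thread drops an executable and registers a Run (startup) value.
VIRUS_TRACK = [
    Behavior("process_start", ANY, ANY),
    Behavior("create_thread", ANY, "explorer.exe"),
    Behavior("create_executable", ANY, ANY),
    Behavior("write_registry", ANY, RUN_KEY),
]


def sample_virus_trace():
    """Constructed raw trace in the shape of the patent's virus.exe example."""
    return [
        Behavior("process_start", "virus.exe", "A"),
        Behavior("open_file", "A", r"c:\users\u\readme.txt"),  # not a key behavior
        Behavior("create_thread", "A", "explorer.exe"),
        Behavior("create_executable", "explorer.exe!b", r"c:\windows\c.exe"),
        Behavior("write_registry", "explorer.exe!b", RUN_KEY),
    ]


def sample_installer_trace():
    """Constructed: drops a file and adds a Run value, but never touches explorer."""
    return [
        Behavior("process_start", "setup.exe", "S"),
        Behavior("create_executable", "S", r"c:\program files\app\app.exe"),
        Behavior("write_registry", "S", RUN_KEY),
    ]


if __name__ == "__main__":
    track = record_key_track(sample_virus_trace())
    print(match_track(track, VIRUS_TRACK), is_virus(track, VIRUS_TRACK))
    print(match_track(record_key_track(sample_installer_trace()), VIRUS_TRACK))
    for step in rollback_plan(track):
        print(step)
```

The installer trace shows why the rule that a partial match is not a detection matters in practice: dropping an executable and adding a Run value is ordinary installer behavior, and it is the thread injected into explorer.exe that completes the virus track. The rollback plan is emitted in reverse order of recording, which is the "reverse operation" the text describes; a real implementation would replace the plan entries with operating-system calls.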
In one embodiment, the pre-stored behavior sequence track of the virus may be formed into a virus behavior sequence tree, a virus behavior sequence chart, or a virus behavior sequence timeline.
Specifically, the virus behavior sequence tree is a tree structure formed from the virus behaviors according to their logical or temporal relations. The virus behavior sequence chart is the virus behavior sequence drawn as a chart according to time or logical relations. The virus behavior sequence timeline is the virus behavior sequence displayed along a time axis.
Fig. 4 is a flow chart of the virus detection and removal method in another embodiment, in which the pre-stored behavior sequence track of the virus is formed into a virus behavior sequence tree. As shown in Fig. 4, the method comprises:
Step 402: record the behavior sequence track of an application program.
The behavior sequence track, the key behavior track and the terms process, thread and registry are as defined for step 302 above: the track is the information generated while the application runs, ordered in time and/or by logical dependency, for example the process starting, the process creating a thread in a system process, and the created thread creating an executable file and then writing to the registry. Recording only the key behaviors (process start, thread creation, executable file creation, registry write) reduces the data recorded and the computation needed for the subsequent comparison with the pre-stored virus behavior sequence track, improving efficiency.
Step 404: build the behavior sequence tree of the application program from its behavior sequence track.
Specifically, the behaviors in the application's behavior sequence track are arranged into a behavior sequence tree according to their chronological or logical order.
Step 406: match the behavior sequence tree of the application program against the pre-stored behavior sequence tree of a virus.
Specifically, the behavior sequence track of the virus is analyzed and stored in advance, and the virus behavior sequence tree is formed from it. The application's behavior sequence tree is compared with the pre-stored virus behavior sequence tree. If the application's tree contains the virus tree, the match succeeds and the application is determined to be a virus; if the application's tree contains only part of the virus tree, or none of it, the match fails and the application is determined not to be a virus.
The pre-stored virus behavior sequence tree may include: a process starting, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
In one embodiment, the pre-formed virus behavior sequence tree includes: the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
The behavior sequence tree built for the application includes: receiving a trigger operation on the application file, the system creating a process in response to the trigger operation, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
When the application's behavior sequence tree is matched against the pre-formed virus tree, the application's tree is found to contain the virus tree, that is, it contains the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry; the match therefore succeeds and the application is determined to be a virus.
Step 408: if the behavior sequence tree of the application program matches the pre-stored behavior sequence tree of the virus, determine that the application program is a virus.
Step 410: remove the application program determined to be a virus.
Specifically, removing an application determined to be a virus may consist of deleting the application's process or of rolling back the application's behaviors.
Deleting the application's process means terminating the process that was opened when the application was launched. Rolling back the application's behaviors means performing the reverse operations according to the recorded behavior sequence track of the application; for example, if the track records that a thread was created in a system process, the rollback closes the created thread.
The above method matches the behavior sequence tree of an application program against the pre-stored behavior sequence tree of a virus and, on a successful match, determines the application to be a virus and removes it. No information from the terminal needs to be uploaded to the cloud, so user information is not leaked and security is improved. Nor does every virus file have to be stored in advance so that the file under test can be compared against it; instead the behavior sequence tree of the application under test is compared against the virus behavior sequence tree, which gives the method wide applicability. Matching the application's behavior sequence tree against the virus behavior sequence tree also gives a clear structure that is convenient to compare.
It should be noted that when the virus behavior sequence track is formed into a virus behavior sequence chart or a virus behavior sequence timeline, matching is performed in the same way and is not described again here.
In one embodiment, the method further includes periodically updating the behavior sequence tracks of viruses, or periodically updating the behavior sequence trees of viruses.
Specifically, the behavior sequence tracks or trees of viruses held on the server may be updated periodically, and the terminal may download from the server to update its local virus behavior sequence tracks or trees. Periodic updating allows newly appearing viruses to be detected and removed, improving detection accuracy.
The working principle of the method is illustrated below with a specific example. Taking the sample virus.exe as an example, its behavior sequence track includes:
(1) the user double-clicks the file virus.exe;
(2) the system creates process A;
(3) process A creates thread b in the system process explorer;
Specifically, the system process explorer (explorer.exe) is the Windows file management process, providing the file view and similar functions.
(4) thread b in the system process explorer creates the executable file c.exe under c:\windows;
(5) thread b in the system process explorer writes to the registry, namely it creates, under the system's HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run key, a registry value named rb whose data is c:\windows\c.exe.
Fig. 5 is a schematic diagram of the behavior sequence tree of the example. As shown in Fig. 5, the behavior sequence tree of the example is formed from its behavior sequence track: after the user double-clicks virus.exe, process A starts and creates thread b in the process explorer, and the thread then creates the file c.exe and writes Run, among other behaviors. Writing Run means writing a Run item (startup item) into the registry.
Fig. 6 is a schematic diagram of the pre-stored behavior sequence tree of a virus. As shown in Fig. 6, the virus behavior sequence tree includes: process x starts, process x creates thread x in explorer, the thread creates file x.exe, and the thread writes Run, where x denotes a wildcard that matches any value.
Fig. 7 is a schematic diagram of the result of matching the behavior sequence tree of the example in Fig. 5 against the pre-stored virus behavior sequence tree in Fig. 6. As shown in Fig. 7, the example's tree contains process A starting, process A creating thread b in explorer, the thread creating file c.exe and writing Run, which agrees with the pre-stored virus behavior sequence tree; the match succeeds and the example is a virus.
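The worked example of Figs. 5 to 7 as code, added here and not part of the patent: build_tree turns the flat track into the behavior sequence tree of step 404 (an event's parent is the earlier event that created its actor), and find_virus performs the containment match of step 406 against the wildcard template of Fig. 6, returning the concrete value that Fig. 7 pairs with each x. The (kind, actor, target) encoding, the 'explorer.exe/b' label for the thread injected into explorer, and the shell-style '*' patterns are constructed for this example. The Wow6432Node normalisation is an addition of the example, relying on the fact that Wow6432Node is the 32-bit redirected view of HKLM\SOFTWARE on 64-bit Windows, so the Run key quoted in the patent and the native Run key are the same persistence point.

```python
"""Fig. 5 to Fig. 7 as code: build the application's behavior sequence tree from its
track (step 404) and test whether the pre-stored virus tree is contained in it
(step 406).  Added example, not the patent's own code.  The event-tuple format,
the 'explorer.exe/b' naming of an injected thread and the wildcard template are
constructed; the x of Fig. 6 is written as the shell-style pattern '*'."""
import fnmatch
from dataclasses import dataclass, field

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Node:
    kind: str
    actor: str
    target: str
    children: list = field(default_factory=list)


def normalize_run_key(path):
    """Wow6432Node is the 32-bit redirected view of HKLM\\SOFTWARE on 64-bit
    Windows, so the patent's Wow6432Node\\...\\Run and the native Run key are the
    same persistence point for matching purposes (normalisation added here)."""
    return path.replace("\\Wow6432Node", "")


def build_tree(events):
    """Step 404: an event's parent is the most recent earlier event that created
    its actor; the first event is the root (the triggered process start)."""
    nodes, root = [], None
    for kind, actor, target in events:
        if kind == "write_registry":
            target = normalize_run_key(target)
        node = Node(kind, actor, target)
        parent = next((n for n in reversed(nodes) if n.target == actor), None)
        if parent is not None:
            parent.children.append(node)
        elif root is None:
            root = node
        else:
            root.children.append(node)  # actor of unknown origin: hang off the root
        nodes.append(node)
    return root


def _fits(node, tpl):
    return all(fnmatch.fnmatchcase(o, p) for o, p in zip(
        (node.kind, node.actor, node.target), (tpl.kind, tpl.actor, tpl.target)))


def match_subtree(node, tpl):
    """Return {template kind: observed target} if tpl is rooted at node, else None.
    Each template child must be matched by a distinct child of node (sibling
    order is not required).  Template kinds are assumed unique."""
    if not _fits(node, tpl):
        return None
    rest = _match_children(node.children, tpl.children, frozenset())
    if rest is None:
        return None
    return {tpl.kind: node.target, **rest}


def _match_children(cands, tpls, used):
    if not tpls:
        return {}
    for j, cand in enumerate(cands):
        if j in used:
            continue
        head = match_subtree(cand, tpls[0])
        if head is None:
            continue
        rest = _match_children(cands, tpls[1:], used | {j})
        if rest is not None:
            return {**head, **rest}
    return None


def find_virus(tree, tpl):
    """Step 406: the virus tree may be rooted at any node of the application tree."""
    stack = [tree]
    while stack:
        node = stack.pop()
        bound = match_subtree(node, tpl)
        if bound is not None:
            return bound
        stack.extend(node.children)
    return None


# Fig. 6: process x starts, creates thread x in explorer, which creates x.exe and writes Run.
VIRUS_TREE = Node("process_start", "*", "*", [
    Node("create_thread", "*", "explorer.exe/*", [
        Node("create_executable", "*", "*.exe"),
        Node("write_registry", "*", RUN_KEY),
    ]),
])


def fig5_trace():
    """The patent's worked example as (kind, actor, target) tuples (constructed encoding)."""
    return [
        ("process_start", "virus.exe", "A"),
        ("create_thread", "A", "explorer.exe/b"),
        ("create_executable", "explorer.exe/b", r"c:\windows\c.exe"),
        ("write_registry", "explorer.exe/b",
         r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"),
    ]


if __name__ == "__main__":
    print(find_virus(build_tree(fig5_trace()), VIRUS_TREE))       # Fig. 7: the values bound to x
    print(find_virus(build_tree(fig5_trace()[:-1]), VIRUS_TREE))  # no Run write: None
```

Dropping the last event of the trace (no Run write) leaves the template's write_registry child unmatched and find_virus returns None, which is the partial-match case the text treats as a non-detection. Because the template may be rooted at any node of the application tree, extra behaviors above or beside the matched subtree do not prevent a match, which is the containment semantics the text describes.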
Fig. 8 is a structural block diagram of the virus detection and removal apparatus in one embodiment. As shown in Fig. 8, the apparatus includes a recording module 810, a matching module 820, a determination module 830 and a removal module 840.
The recording module 810 records the behavior sequence track of an application program, as defined for step 302 above: the information generated while the application runs, ordered in time and/or by logical dependency, for example the process starting, the process creating a thread in a system process, and the created thread creating an executable file and then writing to the registry.
In this embodiment the recording module 810 also records the application's key behavior track, the key behaviors being one or more of process start, thread creation, executable file creation and registry write. Recording only key behaviors reduces the data recorded and the computation needed for the subsequent comparison with the pre-stored virus behavior sequence track, improving efficiency.
The matching module 820 matches the behavior sequence track of the application program against the pre-stored behavior sequence track of a virus.
Specifically, the virus behavior sequence track is analyzed and stored in advance. The application's track is compared with the pre-stored virus track: if the application's track contains the virus track, the match succeeds and the application is determined to be a virus; if it contains only part of the virus track, or none of it, the match fails and the application is determined not to be a virus.
The pre-stored virus behavior sequence track may include: a process starting, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
The determination module 830 determines that the application program is a virus if the match succeeds, that is, if the application's behavior sequence track matches the pre-stored virus behavior sequence track.
In one embodiment, the pre-stored virus behavior sequence track includes: the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
The application behavior sequence track obtained by the recording module 810 includes: receiving a trigger operation on the application file, the system creating a process in response to the trigger operation, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry.
The matching module 820 matches the application's track against the pre-stored virus track and finds that the application's track contains the virus track, that is, the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread writing to the registry; the match succeeds and the determination module 830 determines that the application is a virus.
The removal module 840 removes the application program determined to be a virus.
Specifically, removal may consist of deleting the application's process or of rolling back its behaviors. Deleting the process means terminating the process that was opened when the application was launched. Rolling back means performing the reverse operations according to the recorded behavior sequence track of the application; for example, if the track records that a thread was created in a system process, the rollback closes the created thread.
The above apparatus matches the behavior sequence track of an application program against the pre-stored behavior sequence track of a virus and, on a successful match, determines the application to be a virus and removes it. No information from the terminal needs to be uploaded to the cloud, so user information is not leaked and security is improved. Nor does every virus file have to be stored in advance so that the file under test can be compared against it; instead the behavior sequence track of the file under test is compared against the virus behavior sequence track, which gives the apparatus wide applicability.
Fig. 9 is a structural block diagram of a virus checking and killing device in another embodiment. As shown in Fig. 9, in addition to logging module 810, matching module 820, determination module 830 and removing module 840, the device further includes establishing module 850, forming module 860 and update module 870. Wherein:
Establishing module 850 is used to establish, after the behavior sequence track of the application program has been recorded, the behavior sequence tree of the application program according to the behavior sequence track of the application program.
Forming module 860 is used to form the behavior sequence track of a pre-stored virus into the behavior sequence tree of the virus. The behavior sequence tree of a virus refers to a tree structure formed from the behaviors of the virus according to their logical relationship or time relationship.
Matching module 820 is also used to match the behavior sequence tree of the application program with the behavior sequence tree of the pre-stored virus.
Specifically, the behavior sequence track of the virus is first analyzed and stored, and the behavior sequence tree of the virus is formed according to the behavior sequence track of the virus. The behavior sequence tree of the application program is compared with the pre-stored behavior sequence tree of the virus. If the behavior sequence tree of the application program contains the behavior sequence tree of the pre-stored virus, the match succeeds and the application program is determined to be a virus; if the behavior sequence tree of the application program contains only part of the behavior sequence tree of the pre-stored virus, or does not contain the behavior sequence tree of the pre-stored virus, the match fails and the application program is determined not to be a virus.
The behavior sequence tree of the pre-stored virus may include: process start, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing to the registry.
In one embodiment, the preformed behavior sequence tree of the virus includes: the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing to the registry.
The behavior sequence tree of the application program established by establishing module 850 includes: a trigger operation received on the application program file, the system creating a process according to the trigger operation, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing to the registry.
Matching module 820 matches the behavior sequence tree of the application program with the preformed behavior sequence tree of the virus. The behavior sequence tree of the application program contains the preformed behavior sequence tree of the virus, that is, it contains the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing to the registry; therefore the match succeeds, and determination module 830 determines that the application program is a virus.
Determination module 830 is also used to determine that the application program is a virus if the behavior sequence tree of the application program matches the behavior sequence tree of the pre-stored virus successfully.
Update module 870 is used to regularly update the behavior sequence track of the virus.
Specifically, the behavior sequence tracks or behavior sequence trees of viruses on the server can be updated regularly, and the terminal can download from the server to update the locally stored behavior sequence tracks or behavior sequence trees of viruses. Regularly updating the behavior sequence tracks of viruses makes it possible to check and kill new viruses and improves the accuracy of checking and killing.
In other embodiments, the behavior sequence track of a pre-stored virus can be formed into a behavior sequence chart of the virus, a behavior sequence timeline of the virus, or the like.
Specifically, the behavior sequence chart of a virus refers to the behavior sequence of the virus drawn as a chart according to time or logical relationships. The behavior sequence timeline of a virus refers to the behavior sequence of the virus displayed in the form of a timeline.
The above virus checking and killing device matches the behavior sequence tree of the application program with the behavior sequence tree of a pre-stored virus; if the match succeeds, it determines that the application program is a virus and removes the application program. The information on the terminal does not need to be uploaded to the cloud, which prevents user information from being leaked and improves security. It is also not necessary to store every virus file in advance and then compare the file under test with the virus files: the behavior sequence tree of the virus is used, and the behavior sequence tree of the application program under test is compared with the virus behavior sequence tree, which is highly general. Moreover, because the behavior sequence tree of the application program is matched with the virus behavior sequence tree, the structure is clear and convenient for comparison.
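The tree formation and tree containment of this embodiment (establishing module 850, forming module 860 and matching module 820), as an added Python example that is not part of the patent or of any Tencent product. Event identifiers, parent links and behavior kind names are constructed; the shape of the sample tree assumes that both the executable creation and the registry write are performed by the created thread, as the embodiment's wording suggests. "Contains" is taken to mean that the virus tree embeds somewhere in the application tree with each virus node mapped to a distinct application node of the same kind, and a partial embedding is a failed match, as the text states.

```python
"""Behavior sequence trees: form them from a track, then test containment (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A tracked event: (event id, id of the event that caused it, behavior kind).
# The parent link is the logical relationship the tree is built from, for
# example a process creates a thread and that thread creates a file.
Event = Tuple[str, Optional[str], str]


@dataclass
class Node:
    kind: str
    children: List["Node"] = field(default_factory=list)


def build_tree(events: List[Event]) -> Node:
    """Form a behavior sequence tree from a track, keeping track order among siblings.
    A synthetic root holds every event without a parent, so a track may have several roots.
    Parents must be recorded before their children, which a time-ordered track guarantees."""
    root = Node("track")
    nodes: Dict[str, Node] = {}
    for event_id, parent_id, kind in events:
        node = Node(kind)
        nodes[event_id] = node
        parent = root if parent_id is None else nodes[parent_id]
        parent.children.append(node)
    return root


def embeds(app: Node, virus: Node) -> bool:
    """True if the virus subtree maps onto `app` at this node: same kind at the root,
    and every virus child embedded into a distinct app child (sibling order is free)."""
    if app.kind != virus.kind:
        return False
    return _assign(app.children, virus.children, set())


def _assign(app_children: List[Node], virus_children: List[Node], used: Set[int]) -> bool:
    # Backtracking assignment so that two virus children never claim the same app child.
    if not virus_children:
        return True
    first, rest = virus_children[0], virus_children[1:]
    for idx, candidate in enumerate(app_children):
        if idx in used or not embeds(candidate, first):
            continue
        if _assign(app_children, rest, used | {idx}):
            return True
    return False


def _found_anywhere(node: Node, pattern: Node) -> bool:
    return embeds(node, pattern) or any(_found_anywhere(c, pattern) for c in node.children)


def contains_tree(app_root: Node, virus_root: Node) -> bool:
    """Matching step: every top-level virus subtree must embed somewhere in the
    application tree. Both arguments are the synthetic roots from build_tree."""
    return bool(virus_root.children) and all(
        _found_anywhere(app_root, vchild) for vchild in virus_root.children)


# Constructed application track: a trigger on the application file, the system
# starts a process, the process creates a thread in a system process, and that
# thread drops an executable and writes the registry (the embodiment's example).
APP_EVENTS: List[Event] = [
    ("e1", None, "trigger_on_app_file"),
    ("e2", "e1", "process_start"),
    ("e3", "e2", "create_thread_in_system_process"),
    ("e4", "e3", "create_executable"),
    ("e5", "e3", "write_registry"),
]

# Pre-stored virus track, formed into a tree by the forming module.
VIRUS_EVENTS: List[Event] = [
    ("v1", None, "process_start"),
    ("v2", "v1", "create_thread_in_system_process"),
    ("v3", "v2", "create_executable"),
    ("v4", "v2", "write_registry"),
]

# Partial containment: the registry write is missing, so this must not match.
PARTIAL_EVENTS: List[Event] = [
    ("p1", None, "process_start"),
    ("p2", "p1", "create_thread_in_system_process"),
    ("p3", "p2", "create_executable"),
]

# Same behavior kinds in the same order, but the process rather than the thread
# drops the file and writes the registry: a flat track would match, the tree does not.
RESHAPED_EVENTS: List[Event] = [
    ("r1", None, "process_start"),
    ("r2", "r1", "create_thread_in_system_process"),
    ("r3", "r1", "create_executable"),
    ("r4", "r1", "write_registry"),
]


if __name__ == "__main__":
    virus = build_tree(VIRUS_EVENTS)
    for name, events in [("app", APP_EVENTS), ("partial", PARTIAL_EVENTS), ("reshaped", RESHAPED_EVENTS)]:
        print(name, "->", "virus" if contains_tree(build_tree(events), virus) else "no match")
```

The reshaped track is the case the closing paragraph alludes to: the tree carries who performed each behavior, so two tracks with identical behavior lists but different causal structure are told apart, which a flat sequence comparison cannot do.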
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the related hardware. The program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of each of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), or the like.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they cannot therefore be interpreted as limiting the scope of the patent of the present invention. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the invention, and these all belong to the protection scope of the invention. Therefore, the protection scope of the patent of the invention shall be subject to the appended claims.
Claims (15)
1. A virus checking and killing method, comprising the following steps:
recording the behavior sequence track of an application program, the behavior track of the application program being relevant information generated by the application program in the course of running, ordered by at least one of time order and logical order;
matching the behavior sequence track of the application program with the behavior sequence track of a pre-stored virus;
if the behavior sequence track of the application program contains the behavior sequence track of the pre-stored virus, the behavior sequence track of the application program matches the behavior sequence track of the pre-stored virus successfully, and the application program is determined to be a virus;
if the behavior sequence track of the application program contains part of the behavior sequence track of the pre-stored virus or does not contain the behavior sequence track of the pre-stored virus, the match fails, and the application program is determined not to be a virus;
removing the application program determined to be a virus.
2. The method according to claim 1, wherein after the step of recording the behavior sequence track of the application program, the method further comprises:
establishing the behavior sequence tree of the application program according to the behavior sequence track of the application program;
forming the behavior sequence track of the pre-stored virus into the behavior sequence tree of the virus;
matching the behavior sequence tree of the application program with the behavior sequence tree of the pre-stored virus, and if the behavior sequence tree of the application program matches the behavior sequence tree of the pre-stored virus successfully, determining that the application program is a virus.
3. The method according to claim 1, wherein the step of recording the behavior sequence track of the application program comprises:
recording the critical behavior track of the application program, the critical behavior track comprising one or more of process start, creating a thread, creating an executable file, and writing to the registry.
4. The method according to claim 1, wherein the step of removing the application program determined to be a virus comprises:
deleting the process of the application program or rolling back the behavior of the application program.
5. The method according to any one of claims 1 to 4, wherein the behavior sequence track of the pre-stored virus comprises: process start, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread created in the system process writing to the registry.
6. The method according to any one of claims 1 to 4, wherein the method further comprises:
regularly updating the behavior sequence track of the virus.
7. A virus checking and killing device, comprising:
a logging module, for recording the behavior sequence track of an application program, the behavior track of the application program being relevant information generated by the application program in the course of running, ordered by at least one of time order and logical order;
a matching module, for matching the behavior sequence track of the application program with the behavior sequence track of a pre-stored virus;
a determination module, for determining that the application program is a virus if the behavior sequence track of the application program contains the behavior sequence track of the pre-stored virus, in which case the behavior sequence track of the application program matches the behavior sequence track of the pre-stored virus successfully;
and for determining that the application program is not a virus if the behavior sequence track of the application program contains part of the behavior sequence track of the pre-stored virus or does not contain the behavior sequence track of the pre-stored virus, in which case the match fails;
a removing module, for removing the application program determined to be a virus.
8. The device according to claim 7, wherein the device further comprises:
an establishing module, for establishing, after the behavior sequence track of the application program has been recorded, the behavior sequence tree of the application program according to the behavior sequence track of the application program;
a forming module, for forming the behavior sequence track of the pre-stored virus into the behavior sequence tree of the virus;
the matching module being further used to match the behavior sequence tree of the application program with the behavior sequence tree of the pre-stored virus;
the determination module being further used to determine that the application program is a virus if the behavior sequence tree of the application program matches the behavior sequence tree of the pre-stored virus successfully.
9. The device according to claim 7, wherein the logging module is further used to record the critical behavior track of the application program, the critical behavior track comprising one or more of process start, creating a thread, creating an executable file, and writing to the registry.
10. The device according to claim 7, wherein the removing module is further used to delete the process of the application program or to roll back the behavior of the application program.
11. The device according to any one of claims 7 to 10, wherein the behavior sequence track of the pre-stored virus comprises: process start, the process creating a thread in a system process, the thread created in the system process creating an executable file, and the thread created in the system process writing to the registry.
12. The device according to any one of claims 7 to 10, wherein the device further comprises:
an update module, for regularly updating the behavior sequence track of the virus.
13. A storage medium storing a computer program which, when executed by a processor, causes the processor to execute the steps of the method according to any one of claims 1 to 6.
14. A terminal, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to execute the steps of the method according to any one of claims 1 to 6.
15. A server, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to execute the steps of the method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510484452.6A CN106446681B (en) | 2015-08-07 | 2015-08-07 | Checking and killing virus method and apparatus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106446681A CN106446681A (en) | 2017-02-22 |
CN106446681B true CN106446681B (en) | 2019-09-17 |
Family
ID=58092138
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108021802A (en) * | 2017-10-24 | 2018-05-11 | 努比亚技术有限公司 | A kind of system resource access control method, terminal and computer-readable recording medium |
CN108182360B (en) * | 2018-01-31 | 2023-09-19 | 腾讯科技(深圳)有限公司 | Risk identification method and equipment, storage medium and electronic equipment thereof |
CN109784053B (en) * | 2018-12-29 | 2021-04-27 | 360企业安全技术(珠海)有限公司 | Method and device for generating filter rule, storage medium and electronic device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | Cloud security-based active defense method |
US7991880B2 (en) * | 2008-03-31 | 2011-08-02 | Nokia Corporation | Bionets architecture for building services capable of self-evolution |
CN102622536A (en) * | 2011-01-26 | 2012-08-01 | 中国科学院软件研究所 | Method for catching malicious codes |
CN103825780A (en) * | 2014-02-26 | 2014-05-28 | 珠海市君天电子科技有限公司 | Tag-on program identification method, service and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20230705. Address after: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors. Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.; TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd. Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District. Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd. |