[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN106446681B - Checking and killing virus method and apparatus - Google Patents

Checking and killing virus method and apparatus Download PDF

Info

Publication number
CN106446681B
CN106446681B CN201510484452.6A CN201510484452A CN106446681B CN 106446681 B CN106446681 B CN 106446681B CN 201510484452 A CN201510484452 A CN 201510484452A CN 106446681 B CN106446681 B CN 106446681B
Authority
CN
China
Prior art keywords
application program
virus
behavior sequence
track
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510484452.6A
Other languages
Chinese (zh)
Other versions
CN106446681A (en
Inventor
崔精兵
吴彬
姜澎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201510484452.6A priority Critical patent/CN106446681B/en
Publication of CN106446681A publication Critical patent/CN106446681A/en
Application granted granted Critical
Publication of CN106446681B publication Critical patent/CN106446681B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention relates to a kind of checking and killing virus method and apparatus.It the described method comprises the following steps: the behavior sequence track of records application program;The behavior sequence track of application program is matched with the behavior sequence track of pre-stored virus;If successful match, determine the application program for virus;Remove the application program for being determined as virus.Above-mentioned checking and killing virus method, by the way that the behavior sequence tree of application program is matched with the behavior sequence tree of pre-stored virus, if successful match, then determine the application program for virus, remove the application program, it is not required to the information in terminal uploading to cloud, user information is prevented to be leaked, improve safety, and it is not required to for each virus document being stored in advance, then the file that will test again is compared with virus document, using the behavior sequence tree of virus, the behavior sequence tree for the application program that will test is compared with virus behavior sequence tree, it is versatile.

Description

Checking and killing virus method and apparatus
Technical field
The present invention relates to computer safety fields, more particularly to a kind of checking and killing virus method and apparatus.
Background technique
With the development of network technology, the propagation of computer virus is also aggravating, safety and use of the virus to user information Family property causes great harm, and how to carry out efficient killing to virus becomes everybody focus of attention.Traditional checking and killing virus Mode mainly has cloud killing.Cloud killing needs to be stored with corresponding file beyond the clouds, and this document is out by differentiation No the file on subscriber computer then to be calculated cryptographic Hash and uploads to cloud for virus, cloud is by the file cryptographic Hash of upload It is compared with the cryptographic Hash of the file of cloud storage, judges whether this document is virus, is so needed subscriber computer On the cryptographic Hash of file upload to cloud, privacy of user is easily stolen, and safety is low, and only the file that stores of cloud is Can differentiate whether it is virus, poor universality.
Summary of the invention
Based on this, it is necessary to aiming at the problem that mode safety traditional cloud killing virus is low and poor universality, mention For a kind of checking and killing virus method, safety and versatile can be improved.
In addition, there is a need to provide a kind of checking and killing virus device, safety and versatile can be improved.
A kind of checking and killing virus method, comprising the following steps:
The behavior sequence track of records application program;
The behavior sequence track of application program is matched with the behavior sequence track of pre-stored virus;
If the success of the behavior sequence path matching of the behavior sequence track of application program and pre-stored virus, determines The application program is virus;
Remove the application program for being determined as virus.
A kind of checking and killing virus device, comprising:
Logging modle, the behavior sequence track for records application program;
Matching module, for by the behavior sequence track of the behavior sequence track of application program and pre-stored virus into Row matching;
Determination module, if for the behavior sequence track of application program and the behavior sequence track of pre-stored virus With success, then determine the application program for virus;
Module is removed, for removing the application program for being determined as virus.
Above-mentioned checking and killing virus method and apparatus, by by the behavior sequence track of application program and it is pre-stored virus Behavior sequence track is matched, if successful match, determines that the application program for virus, removes the application program, be not required to by Information in terminal uploads to cloud, and user information is prevented to be leaked, and improves safety, and be not required to by each virus document into Row is stored in advance, and the file that then will test again, using the behavior sequence track of virus, will test compared with virus document File behavior sequence track compared with virus behavior sequence track, it is versatile.
Detailed description of the invention
Fig. 1 is the schematic diagram of internal structure of terminal in one embodiment;
Fig. 2 is the schematic diagram of internal structure of server in one embodiment;
Fig. 3 is the flow chart of checking and killing virus method in one embodiment;
Fig. 4 is the flow chart of checking and killing virus method in another embodiment;
Fig. 5 is the schematic diagram of the behavior sequence tree of example;
Fig. 6 is the behavior sequence tree schematic diagram of pre-stored virus;
Fig. 7 is to match the behavior sequence tree of the example in Fig. 5 with the behavior sequence tree of the pre-stored virus in Fig. 6 Schematic diagram afterwards;
Fig. 8 is the structural block diagram of checking and killing virus device in one embodiment;
Fig. 9 is the structural block diagram of checking and killing virus device in another embodiment.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and It is not used in the restriction present invention.
Fig. 1 is the schematic diagram of internal structure of terminal in one embodiment.As shown in Figure 1, the terminal includes total by system Processor, storage medium, memory and network interface, voice collection device, display screen, loudspeaker and the input unit that line connects. Wherein, the storage medium of terminal is stored with operating system, further includes a kind of checking and killing virus device, the checking and killing virus device is for real A kind of existing checking and killing virus method.The processor supports the operation of entire terminal for providing calculating and control ability.In terminal The operation for inside saving as the checking and killing virus device in storage medium provides environment, and network interface is used to carry out network with server logical Letter such as sends request of data to server, receives the data etc. that server returns.The display screen of terminal can be liquid crystal display Or electric ink display screen etc., input unit can be the touch layer covered on display screen, be also possible to set in terminal enclosure Key, trace ball or the Trackpad set, are also possible to external keyboard, Trackpad or mouse etc..The terminal can be mobile phone, put down Plate computer or personal digital assistant.It will be understood by those skilled in the art that structure shown in Fig. 1, only and the application The block diagram of the relevant part-structure of scheme, does not constitute the restriction for the terminal being applied thereon to application scheme, specifically Terminal may include perhaps combining certain components or with different component cloth than more or fewer components as shown in the figure It sets.
Fig. 2 is the schematic diagram of internal structure of server in one embodiment.As shown in Fig. 2, the server includes passing through to be Processor, storage medium, memory and the network interface of bus of uniting connection.Wherein, the storage medium of the server is stored with operation System, database and checking and killing virus device store virulent behavior sequence track in database, which is used for Realize a kind of checking and killing virus method for being suitable for server.The processor of the server is for providing calculating and control ability, branch Support the operation of entire server.The operation that the checking and killing virus device in storage medium is saved as in the server provides environment.It should The network interface of server is communicated for passing through network connection with external terminal accordingly, for example is received the data that terminal is sent and asked It asks and to terminal returned data etc..Server can use the server set of the either multiple server compositions of independent server Group realizes.It will be understood by those skilled in the art that structure shown in Figure 2, only part relevant to application scheme The block diagram of structure, does not constitute the restriction for the server being applied thereon to application scheme, and specific server can wrap It includes than more or fewer components as shown in the figure, perhaps combines certain components or with different component layouts.
Fig. 3 is the flow chart of checking and killing virus method in one embodiment.As shown in figure 3, the checking and killing virus method, runs on In terminal in Fig. 1, comprising the following steps:
Step 302, the behavior sequence track of records application program.
Specifically, the behavior sequence track of application program refer in application program operational process sequentially in time and/or Relevant information caused by logical order.For example, the behavior sequence track of application program may include application program process initiation, Other behaviors of the process of application program, the process of application program created in system process a thread, creation thread after again It creates an executable file, registration table or other behaviors etc. is written again.Process refers to is transporting in terminal or server system A capable application program.Thread refers to a relatively independent, schedulable execution unit in process, is that system is independently dispatched With the basic unit of assignment.Registration table refers to an important database in windows system, for storage system and applies journey The setting information of sequence.
The step of behavior sequence track of records application program includes: the critical behavior track of records application program, the pass Key action trail include process initiation, creation thread, creation executable file, write-in registration table in it is one or more.Pass through note Record critical behavior track reduces record data, reduces the subsequent meter compared with the behavior sequence track of pre-stored virus Calculation amount improves computational efficiency.
Step 304, by the behavior sequence track of application program and the progress of the behavior sequence track of pre-stored virus Match.
Specifically, the behavior sequence track of virus is analyzed and stored first.By the behavior sequence track of application program and in advance The behavior sequence track for first storing virus is compared, if the behavior sequence track of application program contains pre-stored virus Behavior sequence track, then successful match determines the application program for virus, if the behavior sequence track of application program includes portion Divide the behavior sequence track of pre-stored virus or the behavior sequence track not comprising pre-stored virus, then matches mistake It loses, determining the application program not is virus.
The behavior sequence track of the pre-stored virus may include that process initiation, process create line in system process The thread creation executable file and write-in registration table created in journey, system process.
In one embodiment, the behavior sequence track of pre-stored virus includes that system creation process, process are being Thread, the thread creation executable file created in system process and write-in registration table are created in system process;
The behavior sequence track of the application program of acquisition includes receiving the trigger action to application file, according to triggering The thread creation executable file that operating system creates process, process creates thread in system process, creates in system process With write-in registration table;
The behavior sequence track of application program is matched with the behavior sequence track of pre-stored virus, is answered With the behavior sequence track of pre-stored virus is contained in the behavior sequence track of program, that is, contain system creation into Journey, process create thread, the thread creation executable file created in system process and write-in registration table in system process, then Successful match determines the application program for virus.
Step 306, if the behavior sequence path matching of the behavior sequence track of application program and pre-stored virus at Function then determines the application program for virus.
Step 308, the application program for being determined as virus is removed.
Specifically, be cleared to virus application program can for delete the application program process or rollback this using journey The behavior of sequence.
The process for deleting application program, which refers to, opens process after application program launching is run, and deletes the process.Rollback is answered Refer to the behavior sequence track according to the application program of record with the behavior of program, can be reversed operation, such as application program Behavior sequence track is that a thread is created in system process, then the behavior of rollback application program is the thread for closing creation.
Above-mentioned checking and killing virus method, by by the behavior sequence of the behavior sequence track of application program and pre-stored virus Column track is matched, if successful match, determines that the application program for virus, removes the application program, being not required to will be in terminal Information upload to cloud, prevent user information to be leaked, improve safety, and be not required to carry out each virus document preparatory Storage, the file that then will test again is compared with virus document, using the behavior sequence track of virus, the file that will test Behavior sequence track compared with virus behavior sequence track, it is versatile.
In one embodiment, the behavior sequence track of pre-stored virus can be formed virus behavior sequence tree or Person forms the behavior sequence chart of virus or forms the behavior sequence time shaft etc. of virus.
Specifically, the behavior sequence tree of virus refers to viral behavior logically relationship or time relationship formation sequence tree Shape structure.The behavior sequence chart of virus refers to that the behavior sequence by virus is depicted as chart according to time or logical relation.Disease The behavior sequence time shaft of poison refers to the behavior sequence that virus is shown according to time shaft form.
Fig. 4 is the flow chart of checking and killing virus method in another embodiment.The behavior sequence of pre-stored virus in Fig. 4 Column track forms the behavior sequence tree of virus.As shown in figure 4, a kind of checking and killing virus method, comprising:
Step 402, the behavior sequence track of records application program.
Specifically, the behavior sequence track of application program refer in application program operational process sequentially in time and/or Relevant information caused by logical order.For example, the behavior sequence track of application program may include application program process initiation, Other behaviors of the process of application program, the process of application program created in system process a thread, creation thread after again It creates an executable file, registration table or other behaviors etc. is written again.Process refers to is transporting in terminal or server system A capable application program.Thread refers to a relatively independent, schedulable execution unit in process, is that system is independently dispatched With the basic unit of assignment.Registration table refers to an important database in windows system, for storage system and applies journey The setting information of sequence.
The step of behavior sequence track of records application program includes: the critical behavior track of records application program, the pass Key action trail include process initiation, creation thread, creation executable file, write-in registration table in it is one or more.Pass through note Record critical behavior track reduces record data, reduces the subsequent meter compared with the behavior sequence track of pre-stored virus Calculation amount improves computational efficiency.
Step 404, the behavior sequence tree of the application program is established according to the behavior sequence track of application program.
Specifically, application program is established into according to chronological order or logical order in the behavior sequence track of application program Behavior sequence tree.
Step 406, the behavior sequence tree of application program is matched with the behavior sequence tree of pre-stored virus.
Specifically, the behavior sequence track of virus is analyzed and stored first, and is formed according to the behavior sequence track of virus The behavior sequence tree of virus.The behavior sequence tree of application program is compared with the behavior sequence tree that virus is stored in advance, if The behavior sequence tree of application program contains the behavior sequence tree of pre-stored virus, then successful match, determines this using journey Sequence is virus, if the behavior sequence track of application program includes the behavior sequence tree of the pre-stored virus in part or do not include pre- The behavior sequence tree of the virus first stored, then it fails to match, and determining the application program not is virus.
The behavior sequence tree of the pre-stored virus may include process initiation, process created in system process thread, The thread creation executable file and write-in registration table created in system process.
In one embodiment, the behavior sequence tree of preformed virus includes system creation process, process in system Thread, the thread creation executable file created in system process and write-in registration table are created in process;
The behavior sequence tree of the application program of foundation includes receiving the trigger action to application file, being grasped according to triggering Make system creation process, process created in system process thread, the thread creation executable file created in system process and Registration table is written;
The behavior sequence tree of application program is matched with the behavior sequence tree of preformed virus, be applied journey The behavior sequence tree of preformed virus is contained in the behavior sequence tree of sequence, that is, contains system creation process, process exists Thread, the thread creation executable file created in system process and write-in registration table are created in system process, then successful match, Determine the application program for virus.
Step 408, if the behavior sequence tree successful match of the behavior sequence tree of application program and pre-stored virus, Determine the application program for virus.
Step 410, the application program for being determined as virus is removed.
Specifically, be cleared to virus application program can for delete the application program process or rollback this using journey The behavior of sequence.
The process for deleting application program, which refers to, opens process after application program launching is run, and deletes the process.Rollback is answered Refer to the behavior sequence track according to the application program of record with the behavior of program, can be reversed operation, such as application program Behavior sequence track is that a thread is created in system process, then the behavior of rollback application program is the thread for closing creation.
Above-mentioned checking and killing virus method, by by the behavior sequence of the behavior sequence tree of application program and pre-stored virus Tree is matched, if successful match, is determined that the application program for virus, removes the application program, is not required to the letter in terminal Breath uploads to cloud, prevents user information to be leaked, improves safety, and is not required in advance be deposited each virus document Storage, the file that then will test again is compared with virus document, using the behavior sequence tree of virus, the application program that will test Behavior sequence tree compared with virus behavior sequence tree, it is versatile, and by the behavior sequence tree of application program and virus row It is matched for sequence tree, it is clear in structure, convenient for comparing.
It should be noted that the behavior sequence track of virus forms the behavior sequence chart of virus or forms the behavior of virus Sequence time axis can also be used aforesaid way and be matched, and details are not described herein.
In one embodiment, above-mentioned checking and killing virus method further include: regularly update the behavior sequence track or fixed of virus The behavior sequence tree of phase more new virus.
Specifically, behavior sequence track or the behavior sequence tree etc. of the virus on server can be regularly updated, terminal can be from Server downloading updates behavior sequence track or the behavior sequence tree of local virus.Regularly update the behavior sequence rail of virus Mark, can the new virus of killing, improve the accuracy rate of killing.
The working principle of checking and killing virus method is illustrated below with reference to specific example.By taking sample virus.exe as an example, The behavior sequence track of sample virus.exe includes:
(1) it receives user and double-clicks virus.exe file;
(2) system creation process A;
(3) process A creates thread b in system process explorer;
Specifically, system process explorer is windows file management process, is acted on as Fileview etc..
(4) the thread b of system process explorer creates executable file c.exe at c:windows;
(5) system process explorer thread b be written registration table, i.e., system HKLM SOFTWARE Wow6432Node Microsoft Windows CurrentVersion under Run registration table creation registry key rb value be c: windows\c.exe。
Fig. 5 is the schematic diagram of the behavior sequence tree of example.As shown in figure 5, the behavior sequence track according to example forms reality The behavior sequence tree of example.After user double-clicks virus.exe file, then process A starting creates thread in process explorer B, then create file c.exe, write run and other behaviors.Run refer to the run item (startup item) for writing registration table.
Fig. 6 is the behavior sequence tree schematic diagram of pre-stored virus.As shown in fig. 6, the behavior sequence tree of virus includes Process x starting, process x create thread x in explorer, creation file x.exe, write run, wherein x indicates any Match.
Fig. 7 is to match the behavior sequence tree of the example in Fig. 5 with the behavior sequence tree of the pre-stored virus in Fig. 6 Schematic diagram afterwards.As shown in fig. 7, containing process A starting in the behavior sequence tree of example, process A is created in explorer Thread b, creation file c.exe, run are write, unanimously with the behavior sequence tree of pre-stored virus, i.e. successful match, the reality Example is virus.
Fig. 8 is the structural block diagram of checking and killing virus device in one embodiment.As shown in figure 8, a kind of checking and killing virus device, packet It includes logging modle 810, matching module 820, determination module 830 and removes module 840.Wherein:
Logging modle 810 is used for the behavior sequence track of records application program.
Specifically, the behavior sequence track of application program refer in application program operational process sequentially in time and/or Relevant information caused by logical order.For example, the behavior sequence track of application program may include application program process initiation, Other behaviors of the process of application program, the process of application program created in system process a thread, creation thread after again It creates an executable file, registration table or other behaviors etc. is written again.Process refers to is transporting in terminal or server system A capable application program.Thread refers to a relatively independent, schedulable execution unit in process, is that system is independently dispatched With the basic unit of assignment.Registration table refers to an important database in windows system, for storage system and applies journey The setting information of sequence.
In the present embodiment, logging modle 810 is also used to the critical behavior track of records application program, the critical behavior track Including one or more in process initiation, creation thread, creation executable file, write-in registration table.By recording critical behavior Track reduces record data, reduces the subsequent calculation amount compared with the behavior sequence track of pre-stored virus, improves Computational efficiency.
Matching module 820 is used for the behavior sequence track of the behavior sequence track of application program and pre-stored virus It is matched.
Specifically, the behavior sequence track of virus is analyzed and stored first.By the behavior sequence track of application program and in advance The behavior sequence track for first storing virus is compared, if the behavior sequence track of application program contains pre-stored virus Behavior sequence track, then successful match determines the application program for virus, if the behavior sequence track of application program includes portion Divide the behavior sequence track of pre-stored virus or the behavior sequence track not comprising pre-stored virus, then matches mistake It loses, determining the application program not is virus.
The behavior sequence track of the pre-stored virus may include that process initiation, process create line in system process Journey, creation executable file, the thread write-in registration table created in system process.
If determination module 830 is used for successful match, determine the application program for virus.
Specifically, the behavior sequence path matching of the behavior sequence track of application program and pre-stored virus success, Then determine the application program for virus.
In one embodiment, the behavior sequence track of pre-stored virus includes that system creation process, process are being Thread, the thread creation executable file created in system process and write-in registration table are created in system process;
The behavior sequence track for the application program that logging modle 810 obtains includes the triggering behaviour received to application file The thread creation made, thread is created according to trigger action system creation process, process in system process, is created in system process Executable file and write-in registration table;
Matching module 820 carries out the behavior sequence track of application program and the behavior sequence track of pre-stored virus It matches, contains the behavior sequence track of pre-stored virus in the behavior sequence track for the program that is applied, that is, contain System creation process, process create thread, the thread creation executable file created in system process and are write in system process Enter registration table, then successful match, determination module 830 determines that the application program is virus.
Module 840 is removed to be used to remove the application program for being determined as virus.
Specifically, be cleared to virus application program can for delete the application program process or rollback this using journey The behavior of sequence.
The process for deleting application program, which refers to, opens process after application program launching is run, and deletes the process.Rollback is answered Refer to the behavior sequence track according to the application program of record with the behavior of program, can be reversed operation, such as application program Behavior sequence track is that a thread is created in system process, then the behavior of rollback application program is the thread for closing creation.
Above-mentioned checking and killing virus device, by by the behavior sequence of the behavior sequence track of application program and pre-stored virus Column track is matched, if successful match, determines that the application program for virus, removes the application program, being not required to will be in terminal Information upload to cloud, prevent user information to be leaked, improve safety, and be not required to carry out each virus document preparatory Storage, the file that then will test again is compared with virus document, using the behavior sequence track of virus, the file that will test Behavior sequence track compared with virus behavior sequence track, it is versatile.
Fig. 9 is the structural block diagram of checking and killing virus device in another embodiment.As shown in figure 9, a kind of checking and killing virus device, It further include establishing module 850, shape in addition to including logging modle 810, matching module 820, determination module 830 and removing module 840 At module 860 and update module 870.Wherein:
It establishes module 850 to be used for after the behavior sequence track of the records application program, according to the behavior of application program The behavior sequence tree of the application program is established in sequence track.
Form the behavior sequence tree that module 860 is used to form the behavior sequence track of pre-stored virus virus.Disease The behavior sequence tree of poison refers to viral behavior logically relationship or time relationship formation sequence tree structure.
Matching module 820 be also used to by the behavior sequence tree of the behavior sequence tree of application program and pre-stored virus into Row matching.
Specifically, the behavior sequence track of virus is analyzed and stored first, and is formed according to the behavior sequence track of virus The behavior sequence tree of virus.The behavior sequence tree of application program is compared with the behavior sequence tree that virus is stored in advance, if The behavior sequence tree of application program contains the behavior sequence tree of pre-stored virus, then successful match, determines this using journey Sequence is virus, if the behavior sequence track of application program includes the behavior sequence tree of the pre-stored virus in part or do not include pre- The behavior sequence tree of the virus first stored, then it fails to match, and determining the application program not is virus.
The behavior sequence tree of the pre-stored virus may include process initiation, process created in system process thread, The thread creation executable file and write-in registration table created in system process.
In one embodiment, the behavior sequence tree of preformed virus includes system creation process, process in system Thread, the thread creation executable file created in system process and write-in registration table are created in process;
The behavior sequence tree for establishing the application program of the foundation of module 850 includes that the triggering received to application file is grasped The thread creation made, thread is created according to trigger action system creation process, process in system process, is created in system process Executable file and write-in registration table;
Matching module 820 is by the behavior sequence tree progress of the behavior sequence tree of application program and preformed virus Match, the behavior sequence tree of preformed virus is contained in the behavior sequence tree for the program that is applied, that is, contains system wound It builds process, process and creates thread, the thread creation executable file created in system process and write-in registration in system process Table, then successful match, determination module 830 determine that the application program is virus.
If determination module 830 is also used to the behavior sequence tree of application program and the behavior sequence tree of pre-stored virus With success, then determine the application program for virus.
Update module 870 is used to regularly update the behavior sequence track of virus.
Specifically, behavior sequence track or the behavior sequence tree etc. of the virus on server can be regularly updated, terminal can be from Server downloading updates behavior sequence track or the behavior sequence tree of local virus.Regularly update the behavior sequence rail of virus Mark, can the new virus of killing, improve the accuracy rate of killing.
In other embodiments, the behavior sequence track of pre-stored virus can be formed to the behavior sequence chart of virus Or form the behavior sequence time shaft etc. of virus.
Specifically, the behavior sequence chart of virus refers to that the behavior sequence by virus is depicted as according to time or logical relation Chart.The behavior sequence time shaft of virus refers to the behavior sequence that virus is shown according to time shaft form.
Above-mentioned checking and killing virus device, by by the behavior sequence of the behavior sequence tree of application program and pre-stored virus Tree is matched, if successful match, is determined that the application program for virus, removes the application program, is not required to the letter in terminal Breath uploads to cloud, prevents user information to be leaked, improves safety, and is not required in advance be deposited each virus document Storage, the file that then will test again is compared with virus document, using the behavior sequence tree of virus, the application program that will test Behavior sequence tree compared with virus behavior sequence tree, it is versatile, and by the behavior sequence tree of application program and virus row It is matched for sequence tree, it is clear in structure, convenient for comparing.
Those of ordinary skill in the art will appreciate that realizing all or part of the process in above-described embodiment method, being can be with Relevant hardware is instructed to complete by computer program, the program can be stored in a non-volatile computer and can be read In storage medium, the program is when being executed, it may include such as the process of the embodiment of above-mentioned each method.Wherein, the storage is situated between Matter can be magnetic disk, CD, read-only memory (Read-Only Memory, ROM) etc..
The embodiments described above only express several embodiments of the present invention, and the description thereof is more specific and detailed, but simultaneously Limitations on the scope of the patent of the present invention therefore cannot be interpreted as.It should be pointed out that for those of ordinary skill in the art For, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to guarantor of the invention Protect range.Therefore, the scope of protection of the patent of the invention shall be subject to the appended claims.

Claims (15)

1. a kind of checking and killing virus method, comprising the following steps:
The behavior sequence track of records application program, the action trail of the application program be application program in the process of running by According to relevant information caused by least one of time sequencing, logical order sequence;
The behavior sequence track of application program is matched with the behavior sequence track of pre-stored virus;
It is described if the behavior sequence track of the application program contains the behavior sequence track of the pre-stored virus The success of the behavior sequence path matching of the behavior sequence track of application program and the pre-stored virus, determines the application Program is virus;
If the behavior sequence track of the application program includes the behavior sequence track of the pre-stored virus in part or does not include The behavior sequence track of the pre-stored virus, then it fails to match, and determining the application program not is virus;
Remove the application program for being determined as virus.
2. the method according to claim 1, wherein the step in the behavior sequence track of the records application program After rapid, the method also includes:
The behavior sequence tree of the application program is established according to the behavior sequence track of application program;
The behavior sequence track of pre-stored virus is formed to the behavior sequence tree of virus;
The behavior sequence tree of application program is matched with the behavior sequence tree of pre-stored virus, if the row of application program For the behavior sequence tree successful match of sequence tree and pre-stored virus, then determine the application program for virus.
3. the method according to claim 1, wherein the step of behavior sequence track of the records application program Include:
The critical behavior track of records application program, the critical behavior track include process initiation, creation thread, create and can hold It is one or more in style of writing part, write-in registration table.
4. the method according to claim 1, wherein the step of removing is determined as the application program of virus packet It includes:
Delete the behavior of application program described in the process or rollback of the application program.
5. method according to claim 1 to 4, which is characterized in that the behavior of the pre-stored virus Sequence track includes that thread, the thread creation created in system process are created in system process is executable for process initiation, process Thread is created in file, system process, and registration table is written.
6. method according to claim 1 to 4, which is characterized in that the method also includes:
Regularly update the behavior sequence track of virus.
7. a kind of checking and killing virus device characterized by comprising
Logging modle, for the behavior sequence track of records application program, the action trail of the application program is application program In the process of running sequentially in time, relevant information caused by least one of logical order sequence;
Matching module, for by the behavior sequence track progress of the behavior sequence track of application program and pre-stored virus Match;
Determination module, if the behavior sequence track for the application program contains the behavior sequence of the pre-stored virus Track is arranged, then the success of the behavior sequence path matching of the behavior sequence track of the application program and pre-stored virus, sentences The fixed application program is virus;
If the behavior sequence track of the application program includes the behavior sequence track of the pre-stored virus in part or does not include The behavior sequence track of the pre-stored virus, then it fails to match, and determining the application program not is virus;
Module is removed, for removing the application program for being determined as virus.
8. device according to claim 7, which is characterized in that described device further include:
Module is established, for after the behavior sequence track of the records application program, according to the behavior sequence of application program The behavior sequence tree of the application program is established in track;
Module is formed, for the behavior sequence track of pre-stored virus to be formed to the behavior sequence tree of virus;
The matching module is also used to carry out the behavior sequence tree of application program and the behavior sequence tree of pre-stored virus Matching;
If the behavior sequence tree that the determination module is also used to application program matches with the behavior sequence tree of pre-stored virus Success, then determine the application program for virus.
9. device according to claim 7, which is characterized in that the logging modle is also used to the key of records application program Action trail, the critical behavior track include process initiation, creation thread, creation executable file, are written one in registration table Kind is a variety of.
10. device according to claim 7, which is characterized in that the removing module is also used to delete the application program Process or rollback described in application program behavior.
11. device according to any one of claims 7 to 10, which is characterized in that the row of the pre-stored virus It include that process initiation, process create thread in system process, the thread creation that creates in system process can be held for sequence track The thread write-in registration table created in style of writing part, system process.
12. device according to any one of claims 7 to 10, which is characterized in that described device further include:
Update module, for regularly updating the behavior sequence track of virus.
13. a kind of storage medium is stored with computer program, when the computer program is executed by processor, so that the place Device is managed to execute such as the step of any one of claims 1 to 6 the method.
14. a kind of terminal, including memory and processor, the memory is stored with computer program, the computer program When being executed by the processor, so that the processor is executed such as the step of any one of claims 1 to 6 the method.
15. a kind of server, including memory and processor, the memory is stored with computer program, the computer journey When sequence is executed by the processor, so that the processor is executed such as the step of any one of claims 1 to 6 the method.
CN201510484452.6A 2015-08-07 2015-08-07 Checking and killing virus method and apparatus Active CN106446681B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510484452.6A CN106446681B (en) 2015-08-07 2015-08-07 Checking and killing virus method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510484452.6A CN106446681B (en) 2015-08-07 2015-08-07 Checking and killing virus method and apparatus

Publications (2)

Publication Number Publication Date
CN106446681A CN106446681A (en) 2017-02-22
CN106446681B true CN106446681B (en) 2019-09-17

Family

ID=58092138

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510484452.6A Active CN106446681B (en) 2015-08-07 2015-08-07 Checking and killing virus method and apparatus

Country Status (1)

Country Link
CN (1) CN106446681B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021802A (en) * 2017-10-24 2018-05-11 努比亚技术有限公司 A kind of system resource access control method, terminal and computer-readable recording medium
CN108182360B (en) * 2018-01-31 2023-09-19 腾讯科技(深圳)有限公司 Risk identification method and equipment, storage medium and electronic equipment thereof
CN109784053B (en) * 2018-12-29 2021-04-27 360企业安全技术(珠海)有限公司 Method and device for generating filter rule, storage medium and electronic device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
US7991880B2 (en) * 2008-03-31 2011-08-02 Nokia Corporation Bionets architecture for building services capable of self-evolution
CN102622536A (en) * 2011-01-26 2012-08-01 中国科学院软件研究所 Method for catching malicious codes
CN103825780A (en) * 2014-02-26 2014-05-28 珠海市君天电子科技有限公司 Tag-on program identification method, service and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7991880B2 (en) * 2008-03-31 2011-08-02 Nokia Corporation Bionets architecture for building services capable of self-evolution
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102622536A (en) * 2011-01-26 2012-08-01 中国科学院软件研究所 Method for catching malicious codes
CN103825780A (en) * 2014-02-26 2014-05-28 珠海市君天电子科技有限公司 Tag-on program identification method, service and system

Also Published As

Publication number Publication date
CN106446681A (en) 2017-02-22

Similar Documents

Publication Publication Date Title
US11960441B2 (en) Retention management for data streams
US12093387B2 (en) Endpoint detection and response attack process tree auto-play
CN111801661A (en) Transaction operations in a multi-host distributed data management system
Mahalik et al. Practical mobile forensics
Tamma et al. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices
CN103092687B (en) A kind of application program management apparatus and method
CN106708825B (en) A kind of data file processing method and system
US20150347496A1 (en) Snapshot management in hierarchical storage infrastructure
CN106446681B (en) Checking and killing virus method and apparatus
CN110502487A (en) A kind of buffer memory management method and device
US20170169069A1 (en) Data integrity checking in a distributed filesystem using object versioning
CN106528071A (en) Selection method and device for target code
US11150981B2 (en) Fast recovery from failures in a chronologically ordered log-structured key-value storage system
CN111382126B (en) System and method for deleting file and preventing file recovery
CN104461384B (en) A kind of method for writing data and storage device
CN106021027A (en) Terminal data processing method and system
CN109359092A (en) File management method, desktop display method, device, terminal and medium
CN107391539B (en) Transaction processing method, server and storage medium
CN104700030B (en) A kind of viral data search method, device and server
CN114020403B (en) Chain code management method and device of alliance chain and terminal equipment
CN108845956A (en) The method and apparatus of Application testing
US10831794B2 (en) Dynamic alternate keys for use in file systems utilizing a keyed index
CN111552956A (en) Role authority control method and device for background management
Satrya et al. A novel Android memory forensics for discovering remnant data
CN106557572A (en) A kind of extracting method and system of Android application program file

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20230705

Address after: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.