CN103679031A - File virus immunizing method and device - Google Patents
File virus immunizing method and device Download PDFInfo
- Publication number
- CN103679031A CN103679031A CN201310683012.4A CN201310683012A CN103679031A CN 103679031 A CN103679031 A CN 103679031A CN 201310683012 A CN201310683012 A CN 201310683012A CN 103679031 A CN103679031 A CN 103679031A
- Authority
- CN
- China
- Prior art keywords
- behavior
- file
- operation behavior
- information
- virus
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a file virus immunizing method and device. The method comprises the steps that after a detection notice task of a virus detecting engine is sent out, an operation action request related to a file is captured through a monitoring technology; according to the operation action request, behavior recognition is conducted and information of an operation behavior is obtained, wherein the information of the operation behavior comprises a behavior initiating progress, an action corresponding to the behavior and/or an object corresponding to the behavior; according to the information of the operation behavior, whether the behavior is an abnormal behavior caused by a virus or not is judged; if the operation behavior is the abnormal behavior caused by the virus, prompting information is sent out to a user through a prompting interface of the virus detecting engine or the operation behavior is captured. According to the scheme, monitoring of the file to be immunized does not depend on an existing characteristic base and has real-time performance, the file information, the initiating process and action characteristics are combined in judging of virus behaviors and the judging accuracy is effectively improved.
Description
Technical field
The present invention relates to computer security technique field, be specifically related to a kind of file virus immunization method and device.
Background technology
Along with the development of computer technology, types of applications program has penetrated into the every field of production, life, for user brings great convenience, has improved production efficiency.The execution of application program depends on all kinds of computer documentss, for example, and text, executable file, dynamic link library file etc.These file record data results, or for storage program information.File may be infected by virus or rogue program, affects the execution of application program, or wherein storage personal data illegally read, revised, user's interests are on the hazard.
Present stage prevents that virus or rogue program from mainly depending on traditional feature database pattern, carries out real time scan based on feature database to working procedure.The condition code of the rogue program sample that feature database Shi You manufacturer collects forms, in killing process, engine meeting file reading also mates with all condition codes in feature database, if find to be hit by program code, just can judge that this document program is infected by virus or rogue program.Feature database coupling is an effective technology of killing known malicious program, but along with rogue program quantity is geometric growth, generation and the renewal of feature database have hysteresis quality.In addition, the real time execution of scanning also can consume a large amount of system resource.
Summary of the invention
In view of the above problems, the present invention has been proposed to a kind of a kind of file virus immunization method and device that overcomes the problems referred to above or address the above problem is at least in part provided.
According to an aspect of the present invention, provide a kind of file virus immunization method, having comprised: after the detection notice task of virus detection engine is sent, by monitoring technique, intercepted and captured the operation behavior request relevant with file; According to operation behavior request, carry out behavior identification, obtain the information of operation behavior, the information of operation behavior comprises behavior initiation process and corresponding action and/or object corresponding to behavior of behavior; According to the information of operation behavior, the decision operation behavior abnormal behaviour that virus causes of whether serving as reasons; If this operation behavior is the abnormal behaviour being caused by virus, to user, sends information or tackle this operation behavior.
According to a further aspect in the invention, provide a kind of file virus immune apparatus, having comprised: monitoring module, be suitable for receiving the detection notice that virus detects engine, by monitoring technique, intercept and capture the operation behavior request relevant with file; Identification module, is suitable for, according to operation behavior request, carrying out behavior identification, obtains the information of operation behavior, and the information of described operation behavior comprises behavior initiation process and corresponding action and/or object corresponding to behavior of behavior; Judge module, is suitable for the information according to operation behavior, the decision operation behavior abnormal behaviour that virus causes of whether serving as reasons; Processing module, is suitable in the situation that judge module is judged operation behavior is the abnormal behaviour being caused by virus, and the prompting circle user oriented that detects engine by virus sends information or tackles described operation behavior.
According to file virus immunization method of the present invention and device, after the detection notice task of virus detection engine is sent, when the operation behavior request monitoring file, obtain the information of the operation behaviors such as initiation process, behavior respective action and object of action of the behavior, the information of comprehensive aforesaid operations behavior, whether judge the operation behavior of specific file is the abnormal behaviour that virus causes, then, and interception abnormal behaviour or provide information by the prompting circle user oriented that virus detects engine.According to this scheme, the monitoring for the treatment of immune file does not rely on and existing feature database, has real-time, and the judgement of virus behavior is combined to fileinfo, initiation process, action feature, has effectively improved the accuracy of judgement.
Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to better understand technological means of the present invention, and can be implemented according to the content of instructions, and for above and other objects of the present invention, feature and advantage can be become apparent, below especially exemplified by the specific embodiment of the present invention.
Accompanying drawing explanation
By reading below detailed description of the preferred embodiment, various other advantage and benefits will become cheer and bright for those of ordinary skills.Accompanying drawing is only for the object of preferred implementation is shown, and do not think limitation of the present invention.And in whole accompanying drawing, by identical reference symbol, represent identical parts.In the accompanying drawings:
Fig. 1 shows the process flow diagram of file virus immunization method according to an embodiment of the invention;
Fig. 2 shows the process flow diagram of file virus immunization method in accordance with another embodiment of the present invention;
Fig. 3 shows the process flow diagram of file virus immunization method in accordance with another embodiment of the present invention;
Fig. 4 shows the process flow diagram of file virus immunization method in accordance with another embodiment of the present invention;
Fig. 5 shows the structured flowchart of file virus immune apparatus in accordance with another embodiment of the present invention.
Embodiment
Exemplary embodiment of the present disclosure is described below with reference to accompanying drawings in more detail.Although shown exemplary embodiment of the present disclosure in accompanying drawing, yet should be appreciated that and can realize the disclosure and the embodiment that should do not set forth limits here with various forms.On the contrary, it is in order more thoroughly to understand the disclosure that these embodiment are provided, and can by the scope of the present disclosure complete convey to those skilled in the art.
The embodiment of the present invention can be applied to computer system/server, and it can operation together with numerous other universal or special computingasystem environment or configuration.The example of well-known computing system, environment and/or the configuration that is suitable for using together with computer system/server includes but not limited to: personal computer system, server computer system, thin client, thick client computer, hand-held or laptop devices, the system based on microprocessor, Set Top Box, programmable consumer electronics, NetPC Network PC, minicomputer system, large computer system and comprise the distributed cloud computing technology environment of above-mentioned any system, etc.
Computer system/server can be described under the general linguistic context of the computer system executable instruction (such as program module) of being carried out by computer system.Conventionally, program module can comprise routine, program, target program, assembly, logic, data structure etc., and they are carried out specific task or realize specific abstract data type.Computer system/server can be implemented in distributed cloud computing environment, and in distributed cloud computing environment, task is to be carried out by the teleprocessing equipment linking by communication network.In distributed cloud computing environment, program module can be positioned on the Local or Remote computing system storage medium that comprises memory device.
In the present invention, said file comprises the data file being stored on memory device, conventionally leave in specific file or catalogue, and the device file of computer realization external device management.
Fig. 1 shows the process flow diagram of file virus immunization method according to an embodiment of the invention, and as shown in Figure 1, the method comprises the steps:
Step S110, after the detection notice task of virus detection engine is sent, by monitoring technique, intercepts and captures the operation behavior request relevant with file.
Common computer operating system, as Windows etc., is all that developer provides multiple application development interface (API), and various application layer programs all realize by calling corresponding API, and virus and rogue program are no exception.Therefore, in fact monitoring is exactly the call request that monitoring can realize the api function of file operation to the operation behavior request of file.
Step S120, according to operation behavior request, carries out behavior identification, obtains the information of operation behavior.
Here, the information of operation behavior comprises: initiate the process of the behavior, and the object that the action that operation behavior is corresponding and/or behavior are corresponding, particularly, this step can comprise:
When monitoring the API of programmed request call operation file, obtain the process of initiating this request, i.e. the initiation process of this operation behavior;
According to the type of API or title, learn the file operation action that this API is corresponding, be action corresponding to this operation behavior.For example, a certain this api function of programmed request call CreateFile, and this api function be Windows system for creating the function of file, can learn that action corresponding to operation behavior is to create a new file;
Resolve the parameter of the api function that this application requests calls, obtain operand and operand information, operand information comprises: file extension, file path, file attribute etc.
Step S130, according to the information of operation behavior, the decision operation behavior abnormal behaviour that virus causes of whether serving as reasons.
Consider the operation behavior described in step S120 and initiate process, action corresponding to operation behavior, and object corresponding to behavior judges.Several possible situations are: the process that specified file is operated is suspicious malicious process; Normal procedure has been carried out operation to possible malicious file, for example, read the file under non-designated catalogue or carried out script file; And process carried out abnormal action to specified file, for example, revised the registration table associations of file.
Step S140, if operation behavior is the abnormal behaviour being caused by virus, sends information or interception operation behavior to user.
For definite virus behavior, can directly tackle; For virus behavior that cannot be directly definite, can send information to user, according to user feedback, select interception or do not tackle.
The method providing according to the above embodiment of the present invention, after the detection notice task of virus detection engine is sent, monitor the operation behavior request to file, obtain the information of the operation behaviors such as initiation process, behavior respective action and object of action of the behavior, comprehensive aforesaid operations information, whether be abnormal behaviour that virus cause, then, tackle abnormal behaviour or provide information to user if judging the operation behavior of specific file.According to this scheme, the monitoring for the treatment of immune file does not rely on and existing feature database, has real-time, and the judgement of virus behavior is combined to fileinfo, initiation process, action feature, has effectively improved the accuracy of judgement.
Fig. 2 shows the process flow diagram of file virus immunization method according to another embodiment of the present invention, and as shown in Figure 2, the method comprises the steps:
Step S200, receives the detection notice that virus detects engine.
When method provided by the invention is applied to client, by virus scan application program, realize, scanning application program adopts engine scan mode to scan file conventionally, the antivirus engine that can adopt can comprise: cloud killing engine, QVM (Qihoo Virtual Machine, artificial intelligence engine) engine, little red umbrella antivirus engine etc. are existing already present antivirus engine arbitrarily.In virus scan application program, may be integrated with a plurality of antivirus engines.Between a plurality of engines, for example between the first antivirus engine and the second antivirus engine, can adopt the mode of parallel killing, when the first antivirus engine is in killing process, can be by not determining that file be input to and carry out killing in the second antivirus engine in the file of killing, and needn't wait until the complete all killing files for the treatment of of the first antivirus engine killing, then carry out killing by the second antivirus engine.
The first antivirus engine can comprise: for the cloud killing engine of killing PE type file, and/or QVM engine.
The second antivirus engine is the engine of the non-PE file virus of killing.The second antivirus engine mainly refers to the antivirus engine that other file the definite file except after the first antivirus engine killing is scanned, it should be noted that, this second antivirus engine can have the ability of all types file being carried out to killing, while adopting the mode of parallel killing in the present embodiment, can reduce the killing quantity of each antivirus engine, thereby improve killing speed, to effectively utilize system resource.In the present embodiment, the second antivirus engine can comprise at least one antivirus engine, and for example, this second antivirus engine can be Bit Defender antivirus engine, and/or little red umbrella antivirus engine, and/or other existing already present antivirus engine etc.
Step S210, by monitoring technique, intercepts and captures the operation behavior request relevant with file.
In the present embodiment and following examples, the api function that the Windows system of take provides is example, and specific implementation process is described.Those skilled in the art can adopt other modes or different functions to realize identical object in different systems.
First, the monitoring technique in this step comprises file monitor technology.For file monitor technology, the respective action of the operation behavior that can monitor comprises: read file, written document, revised file, deleted file, execute file and/or create file.By catching (hook) concrete api function, realize the monitoring to file, for example, the file that Windows system is pointed to position by WriteFile function to file pointer is write data, by ReadFile function sense data from file, these two functions not only can read the file of writing disk, also can receive and send the data of network, and device file, the data of equipment such as read and write serial port, USB, parallel port.Monitoring to operation behaviors such as deleted file, establishment files also realizes in a similar manner, repeats no more herein.
Monitoring technique also comprises registry monitoring technology.Particularly, for registry monitoring technology, action corresponding to the operation behavior of monitoring comprises: the list item associated with the configuration information of file in edit the registry.In registration table, record the configuration information of application program, in registration table, comprise with the list item of file configuration information association: file extension and application program associated, the acquiescence of file is opened program, and executable file is write to starting up's item etc.Application program is normally existing factually by revising key assignments item number to the modification of associated list item.The api function of a plurality of Registries is provided in Windows system, and RegSetValue function for example, for arranging the list item of appointment and the default value of subitem.Like file monitor technology type, catch (hook) this function, analyze its parameter, obtain the operation behavior information needing.
Monitoring technique also comprises Network Monitoring Technology.For Network Monitoring Technology, action corresponding to the operation behavior of monitoring comprises: upload file and/or download file.
Monitoring technique also comprises to be monitored the occupation condition of program, and the content of monitoring specifically comprises: active client is from starting the resource occupation information start each program of moving to current time.
Step S220, according to operation behavior request, carries out behavior identification, obtains the information of operation behavior.
Here, the information of operation behavior comprises: initiate the process of the behavior, and the object that the action that operation behavior is corresponding and/or behavior are corresponding, particularly, this step can comprise:
When monitoring the API of programmed request call operation file, obtain the process of initiating this request, i.e. the initiation process of this operation behavior;
According to the type of API or title, learn the file operation action that this API is corresponding, be action corresponding to this operation behavior.For example, a certain this api function of programmed request call CreateFile, and this api function be Windows system for creating the function of file, can learn that action corresponding to operation behavior is to create a new file;
Resolve the parameter of the api function that this application requests calls, obtain operand and operand information, operand information comprises: file extension, file path, file attribute etc.
When the occupation condition of program is monitored, behavior in this step identification also comprises: obtain active client from starting the resource occupation information that starts each program of moving to current time; According to the resource occupation information of each program and the available resource information of active client, calculate respectively the resources occupation rate of each program.
This can not have virus but because resource occupation causes the problem that line speed is slack-off or networking speed is slack-off for client, the automatic high startup item process of recognition resource occupancy, and initiatively to user, point out, make user forbid the startup item random start that these resources occupation rates are high according to demand, or, directly forbid the startup item random start that these resources occupation rates are high.
Occupation condition comprises the situation that takies to the network bandwidth.For example, suppose to take 120K/s by calculating Test.exe program, if the predetermined threshold value of current network bandwidth usage is 90%, current Test.exe program takies 120K/s and meets 124K/s*90%, so check whether Test.exe program is the subprocess of startup item program or startup item, if so, can in subsequent step, point out the startup item of user Test.exe program to take Internet resources.User selects to forbid this startup item of random start according to prompting, so this startup item can be prevented from opening when in active client startup next time.
Step S230, corresponding action and/or process white list corresponding to object corresponding to behavior of behavior that information that whether process belong to operation behavior comprises initiated in behavior that the information of query manipulation behavior comprises, if, decision behavior is not the abnormal behaviour being caused by virus, execution step S240, otherwise execution step S250.
First process white list comprises the corresponding white list of the object corresponding with operation behavior.Take file monitor technology as example, and in this step, object corresponding to said operation behavior be monitored file.Content in its corresponding process white list is determined according to the information of this document, is mainly the type according to file.File for particular type, in its corresponding process white list, preserve the process of the normal procedure that server counts, for example, to doc file, in its corresponding process white list, should comprise the corresponding process of the common word processors such as word.exe and wps.exe.
Process white list also comprises software and the associated process with digital signature trusty, can also store the information relevant to each digital signature, for example, the legal form of the digital signature of being promulgated by company trusty, when a software or associated process will be installed or move on client device, judge whether this software has digital signature and whether this digital signature is consistent with the relevant information of a certain digital signature in described software list, for example, whether the form of digital signature that judges this software is identical with a certain legal form recording in described software list.If this judgment result is that, be to be judged as this software in described process white list.
For example, the judgement of digital signature trusty is processed can be divided into three steps: the one, judge whether this software has digital signature; The 2nd, judge integrality and the consistance of this digital signature, that is, the digital certificate of whether being held by this signer is signed and issued; The 3rd, whether judgement is held by the legal person who generally acknowledges for the digital certificate of signing; For example, if signer is Microsoft, judge whether its certificate authority people is " Microsoft Code Signing PCA ", and whether holder of certificate's title is " Microsoft Corporation ".If these three conditions all meet, be judged as YES digital signature trusty, otherwise must be fly-by-night digital signature.For example, condition one and two all meets, but the CompanyName in certificate information with do not mate normally or inconsistent, being judged as this digital signature is illegal (because having the deception of social engineering (social engineering) to be adopted widely).
Process white list also comprises the effective process of signature sign.The signature-related information of the unknown program file that client is downloaded according to this locality, generates and the unique corresponding signature sign of unknown program file.
Signature identification document feature can calculated field, can calculated field comprise and in PE file, remove PE verification section, signature section and signature contents remainder.Wherein, when the above-mentioned file size obtaining does not reach 8 integral multiple, the figure place that it is differed from 0 polishing, so that calculate it.
Again, to calculating by calculated field, using result of calculation as signature sign.
Alternatively, can calculated field as digest value, adopt SHA1 algorithm to calculate it, obtain and the unique corresponding signature sign of unknown program file.
Client, after generating the signature sign of unknown program file, sends inquiry request to server end.Wherein, inquiry request carries the signature sign of this unknown program file and the part or all of file characteristic of this unknown program file.Server end receives after inquiry request, in process white list, the signature sign in inquiry request is mated, and obtains and the corresponding checking and killing method of sign of signing.Killing is mainly: scanning/acts of determination and repair action etc.Wherein, scanning/acts of determination comprises the scanning of the context environmental of program file attribute and program file and judgement, and when being judged to be rogue program, carries out the corresponding operation of repairing.
Or, analyze alternative document and registry information under this process file catalogue, if there is complete auxiliary file, as common dll file, dat file etc. or there is complete registry information, can think that this process is the process of regular software, joins this process in process white list.
Process white list also comprises and the corresponding white list of operation behavior respective action.For example, for download behavior, with the process white list of file similarly, in the process white list corresponding with download action, also comprise the security procedure having counted, browser process for example, the process of common download software etc.Or, further, the assigned operation of specified file is set to process white list.
Alternatively, in this step, also can realize by the mode of query procedure blacklist same object.Correspondingly, what in blacklist, preserve is non-security procedure and suspicious process, and for example, known virus or rogue program process, do not have the process of digital signature, or process file is an independent executable file.This step can be:
Corresponding action and/or process blacklist corresponding to object corresponding to behavior of behavior that information that whether process belong to described operation behavior comprises initiated in behavior that the information of query manipulation behavior comprises, if, judge that described operation behavior is the abnormal behaviour being caused by virus, execution step S250, otherwise execution step S240.
Above-mentioned query script can complete in Local Black/white list, also can complete beyond the clouds, and wherein, the black/white name single database in high in the clouds is more complete.Usually, white list safeguarded in client by user conventionally, and user joins the process that is defined as non-malice in white list and preserves, can the relevant information such as filename, file path, signature and signature sign of record the process in white list; Blacklist is safeguarded by antivirus software provider conventionally, according to monitoring, definite malicious process is joined in blacklist and is preserved.A kind of querying method is that elder generation is inquired about in local white list, if do not obtain Query Result, then inquires about to high in the clouds blacklist.The file blacklist in high in the clouds is preserved progress information in advance, as the corresponding relation of the eigenwert of process file and level of security information, the definite level of security information of server end can be self-defined, such as comprising the ranks such as safe, dangerous, unknown, also can adopt the modes such as one-level, secondary, three grades to distinguish, as long as can embody whether safe condition of each module.Or described level of security information comprises: safe class, unknown grade, suspicious grade, highly suspicious grade and malice grade, wherein, malice grade is highest ranking, safe class is the lowest class.For example, can arrange when grade is 10-20 is safe class, is unknown grade when grade is 30-40, is suspicious grade and highly suspicious grade when grade is 50-60, and it is malice grade that grade is greater than at 70 o'clock.
Step S240, the operation behavior that executable operations behavior request comprises.
For this situation, after the Hook Function of the embodiment of the present invention is finished, corresponding instruction is gone to carry out in the original entry address that jumps to this document behavior request corresponding A PI.
Step S250, sends information or interception operation behavior to user.
Can point out user in the mode of desktop appointed area Pop-up message window, for example, display message on the prompting interface of viral engine.By the operation information obtaining in step S220, as process title, process path, corresponding executable file title, and concrete action etc. shows user, supply customer analysis to make decision, can also be according to existing statistics, the danger classes, the safety that provide process and corresponding application program are commented grading information and are provided corresponding suggestion to user.To user, send information a kind of mutual means are also provided, this can be for the renewal of black/white list, select the process of carrying out to add in local white list user, make the local white list that user can customized personal, or add up beyond the clouds the selection of a large number of users, local white list upgrades in time.
Fig. 3 shows the process flow diagram of file virus immunization method according to another embodiment of the present invention, and as shown in Figure 3, the method comprises the steps:
Step S300, receives the detection notice task that virus detects engine.
Step S310, by monitoring technique, intercepts and captures the operation behavior request relevant with file.
Step S320, according to operation behavior request, carries out behavior identification, obtains the information of operation behavior.
Particular content about step S300-S320 can, referring to the description of corresponding step S210 and step S220, repeat no more herein.
Step S330, whether action corresponding to behavior that the information of decision operation behavior comprises is abnormal operation, if so, decision behavior is the abnormal behaviour being caused by virus.
In the operation behavior of normal procedure, also may include dangerous play, for example, the file of process is revised by virus, has carried out abnormal operation, at this moment, only by progress information, cannot realize immunity.Abnormal operation comprises: the action of reading file, written document, revised file, deleted file, execute file and/or establishment file of carrying out in incorrect installation directory or user's config directory; Or list item associated with the configuration information of file in edit the registry maybe writes starting up's item by the executable file of release to reduce file security grade.The present embodiment is by judging that abnormal operation is to causing rogue program or the virus of this class behavior to carry out immunity.
Particularly, for wanting immune file virus, analyze the action feature of this viroid, count the rule of its action, while finding legal action from the operation requests of monitoring, operation behavior is tackled.Office macrovirus take below as example, specific implementation process is described.
In actual applications, research that can be to the macrovirus sample of a large amount of Microsoft Office, collect and obtain following known macrovirus action:
1, the action of edit the registry, object: in edit the registry, safe class setting is reduced safe class setting, or in edit the registry starting up's item so that the executable file of release is write to starting up's item etc.;
2, propagate action, it utilizes infection template to propagate, for example, to template directory written document etc.; Wherein, different Microsoft office has different infection templates, Windows7 system for example, under default situations:
The infection template file of MicrosoftWord be C: Users [user name] AppData Roaming Microsoft Templates normal.dot
The infection template directory of Excel: C: Users [user name] AppData Roaming Microsoft Excel xlstart and Excel installation directory office11 xlstart
Action while 3, showing effect, comprising:
3.1, at certain time period bullet window;
3.2, repeat replication worksheet, affects software and normally uses;
3.3, discharge executable file, specifically can comprise: create file, written document, execute file etc.
For Office process, above-mentioned action all belongs to abnormal operation, and corresponding operation behavior may be the abnormal behaviour that virus causes.Further, can also come in conjunction with corresponding object decision behavior whether to serve as reasons abnormal behaviour that virus causes.Table 1 show common macrovirus behavior and the behavior corresponding object.
With the 1st in table 1,2 kinds of situations are example, in actual applications, can read in advance registration table, obtain template file and the template directory of Office, for example, in win7 system, under default situations, the template file of Word is: C: Users [user name] AppData Roaming Microsoft Templates normal.dot, the template directory of Excel is: C: Users [user name] AppData Roaming Microsoft Excel xlstart, or the installation directory of Excel office11 xlstart.Conventionally under the template directory (xlstart catalogue) of Excel, be not allow storing documents, therefore if the information of operation behavior shows that corresponding document behavior is for file under xlstart catalogue, therefore can determine that corresponding document operation behavior is the abnormal behaviour that macrovirus causes.
Table 1
For process or the file of the other types beyond Office, abnormal operation also comprises: to the network address upload file in URL blacklist and/or download file etc.
Step S340, sends information or interception operation behavior to user.
About this step, can, referring to the description of step S250, repeat no more herein.
Fig. 4 shows file virus immunization method according to another embodiment of the present invention, and as shown in Figure 4, the method comprises the steps:
Step S400, receives the detection notice task that virus detects engine.
Step S410, by monitoring technique, intercepts and captures the operation behavior request relevant with file.
Step S420, according to operation behavior request, carries out behavior identification, obtains the information of operation behavior.
Particular content about step S400-S420 can, referring to the description of corresponding step S210 and step S220, repeat no more herein.
Step S430, whether object corresponding to behavior that the information of decision operation behavior comprises belongs to file blacklist, and if so, decision behavior is the abnormal behaviour being caused by virus, execution step S440.
For Partial security process, the normal behaviour of its execution also may have menace.The present embodiment is applicable to this situation to carry out immunity.For example, a certain process that is arranged in process white list has been carried out by the executable file of virus infections, and process itself and act of execution are no problem, but may access alternative document again after this document operation, causes more file infected, has formed viral propagation.Similarly, read the script file of strange position or be also potential hazardous act to behaviors such as non-designated catalogue written documents.In the present embodiment, what in file blacklist, preserve is the information of the non-security file corresponding with the specific behavior of specific process, comprises filename, extension name, file path etc., and these information exchanges are crossed step S420 and obtained.CAD script file take below as example, describe the process of file virus immunity in detail.
When the script file operation behavior request of CAD process initiation is read operation behavior request, can determine that whether script file operation requests is legal according to the catalogue at script file place corresponding to read request.The file that for example CAD process is asked is if be positioned at the installation directory of CAD software, think that this operation requests is legal, because generally, be positioned at the script file under CAD software installation directory, be the necessary supportive script file of CAD running software, it is legal that the request that CAD process reads these script files can be defined as; And if the script file that CAD process is asked is positioned at the catalogue of drawing file place catalogue or other users establishment, think that this operation requests is illegal, this be because, at the create directory script file of lower existence of drawing file catalogue or other users, it may be the script file of malice, for example, take the script file that lsp is extension name.Corresponding to behavior of CAD process, file blacklist comprises the create directory script file that lsp is extension name of take of lower existence of drawing file catalogue or other users.
When the script file operation requests of CAD process initiation is write operation requests, the directory information that can write script file according to write operation requests determines that whether this request is legal, if write catalogue, be the config directory of CAD installation directory, user's config directory or third party's plug-in unit, this thinks that this operation requests is illegal., for the write operation of CAD process, in file blacklist, should comprise above-mentioned config directory.
With the process white list described in step S230 similarly, the blacklist in this step also can comprise local file blacklist and high in the clouds file blacklist, wherein, the blacklist database in high in the clouds is more complete.A kind of querying method is, first at local search, if do not obtain Query Result, then to inquire about to high in the clouds.Wherein, the blacklist in high in the clouds is preserved the corresponding relation of documentary eigenwert and level of security information in advance, the definite level of security information of server end can be self-defined, such as comprising the ranks such as safe, dangerous, unknown, also can adopt the modes such as one-level, secondary, three grades to distinguish, as long as can embody whether safe condition of each module.Or described level of security information comprises: safe class, unknown grade, suspicious grade, highly suspicious grade and malice grade, wherein, malice grade is highest ranking, safe class is the lowest class.For example, can arrange when grade is 10-20 is safe class, is unknown grade when grade is 30-40, is suspicious grade and highly suspicious grade when grade is 50-60, and it is malice grade that grade is greater than at 70 o'clock.
Step S440, sends information or interception operation behavior to user.
This step can be undertaken by the mode of describing in step S250.For the behavior to non-designated catalogue writing in files, interception mode can also comprise: establishment security catalog or the file identical with directory name in virus or rogue program data or filename under this catalogue; For file or catalogue are added the authority etc. of denied access.
The method providing according to the above embodiment of the present invention, after the detection notice task of virus detection engine is sent, monitor the operation behavior request to file, obtain the information of the operation behaviors such as initiation process, behavior respective action and object of action of the behavior, by to initiation process, abnormal operation, and suspicious obj ect file is carried out comprehensive analysis, whether the process of judging is the abnormal behaviour that virus causes to the operation behavior of specific file, then, tackle abnormal behaviour or to user, provide information by modes such as viral engine prompting interfaces.According to this scheme, the monitoring for the treatment of immune file does not rely on and existing feature database, there is real-time, and the judgement of virus behavior is combined to fileinfo, initiation process, action feature, can be in this locality and/or high in the clouds judge, for user provides more choices, effectively improved efficiency and the accuracy of judgement.
Fig. 5 shows the structured flowchart of file virus immune apparatus according to another embodiment of the present invention, and as shown in Figure 5, this device comprises: monitoring module 510, identification module 520, judge module 530 and processing module 540.
For file monitor technology, the respective action of the operation behavior that monitoring module 510 can be monitored comprises: read file, written document, revised file, deleted file, execute file and/or create file.Monitoring module 510 is realized the monitoring to file by catching (hook) concrete api function, for example, the file that Windows system is pointed to position by WriteFile function to file pointer is write data, by ReadFile function sense data from file, these two functions not only can read the file of writing disk, also can receive and send the data of network, and device file, the data of equipment such as read and write serial port, USB, parallel port.Monitoring to operation behaviors such as deleted file, establishment files also realizes in a similar manner, repeats no more herein.
For registry monitoring technology.Action corresponding to operation behavior that monitoring module 510 can be monitored comprises: the list item associated with the configuration information of file in edit the registry.In registration table, record the configuration information of application program, in registration table, comprise with the list item of file configuration information association: file extension and application program associated, the acquiescence of file is opened program, and executable file is write to starting up's item etc.Application program is normally existing factually by revising key assignments item number to the modification of associated list item.
The api function of a plurality of Registries is provided in Windows system, and RegSetValue function for example, for arranging the list item of appointment and the default value of subitem.Like file monitor technology type, this function of monitoring module 510hook, analyzes its parameter, obtains the operation behavior information needing.
For Network Monitoring Technology, the action corresponding to operation behavior of monitoring module 510 monitoring comprises: upload file and/or download file.
Particularly, when monitoring module 510 monitors the API of programmed request call operation file, identification module 520 obtains the process of initiating this request, i.e. the initiation process of this operation behavior.Identification module 520 learns according to the type of API or title the file operation action that this API is corresponding, is action corresponding to this operation behavior.For example, a certain this api function of programmed request call CreateFile, and this api function be Windows system for creating the function of file, identification module 520 can learn that action corresponding to operation behavior is to create a new file; Identification module 520 can also be resolved the parameter of the api function that this application requests calls, and obtains operand and operand information, and operand information comprises: file extension, file path, file attribute etc.
If monitoring module 510 is intercepted and captured the operation behavior request relevant with file by file monitor technology, action corresponding to described behavior that identification module 520 obtains comprises: the action of reading file, written document, revised file, deleted file, execute file and/or establishment file;
If monitoring module 510 is intercepted and captured the operation behavior request relevant with file by registry monitoring technology, action corresponding to behavior that identification module 520 obtains comprises: the action of the list item associated with the configuration information of file in edit the registry;
If monitoring module 510 is intercepted and captured the operation behavior request relevant with file by Network Monitoring Technology, action corresponding to behavior that identification module 520 obtains comprises: the action of upload file and/or download file.
If the occupation condition of 510 pairs of programs of monitoring module is monitored, identification module 520 is also suitable for: obtain active client from starting the resource occupation information start each program of moving to current time; According to the resource occupation information of each program and the available resource information of active client, calculate respectively the resources occupation rate of each program.
Particularly, at this moment judge module 530 is suitable for: judge whether action corresponding to behavior is the action of reading file, written document, revised file, deleted file, execute file and/or establishment file of carrying out in incorrect installation directory or user's config directory; Or, judge whether action corresponding to behavior is that list item associated with the configuration information of file in edit the registry maybe writes starting up's item by the executable file of release to reduce file security grade; Or, judge that action corresponding to described behavior is whether to network address upload file and/or download file in URL blacklist.
The device providing according to the above embodiment of the present invention, monitoring module is after receiving the detection notice of virus detection engine, while monitoring the operation behavior request to file, identification module obtains the initiation process of the behavior, the information of the operation behaviors such as behavior respective action and object of action, judge module passes through initiation process, abnormal operation, and suspicious obj ect file is carried out comprehensive analysis, whether the process of judging is the abnormal behaviour that virus causes to the operation behavior of specific file, then, processing module is tackled abnormal behaviour or is provided information by viral engine prompting circle user oriented.According to this scheme, the monitoring for the treatment of immune file does not rely on and existing feature database, there is real-time, and the judgement of virus behavior is combined to fileinfo, initiation process, action feature, can be in this locality and/or high in the clouds judge, for user provides more choices, effectively improved efficiency and the accuracy of judgement.
The algorithm providing at this is intrinsic not relevant to any certain computer, virtual system or miscellaneous equipment with demonstration.Various general-purpose systems also can with based on using together with this teaching.According to description above, it is apparent constructing the desired structure of this type systematic.In addition, the present invention is not also for any certain programmed language.It should be understood that and can utilize various programming languages to realize content of the present invention described here, and the description of above language-specific being done is in order to disclose preferred forms of the present invention.
In the instructions that provided herein, a large amount of details have been described.Yet, can understand, embodiments of the invention can not put into practice in the situation that there is no these details.In some instances, be not shown specifically known method, structure and technology, so that not fuzzy understanding of this description.
Similarly, be to be understood that, in order to simplify the disclosure and to help to understand one or more in each inventive aspect, in the above in the description of exemplary embodiment of the present invention, each feature of the present invention is grouped together into single embodiment, figure or sometimes in its description.Yet, the method for the disclosure should be construed to the following intention of reflection: the present invention for required protection requires than the more feature of feature of clearly recording in each claim.Or rather, as reflected in claims below, inventive aspect is to be less than all features of disclosed single embodiment above.Therefore, claims of following embodiment are incorporated to this embodiment thus clearly, and wherein each claim itself is as independent embodiment of the present invention.
Those skilled in the art are appreciated that and can the module in the equipment in embodiment are adaptively changed and they are arranged in one or more equipment different from this embodiment.Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and can put them into a plurality of submodules or subelement or sub-component in addition.At least some in such feature and/or process or unit are mutually repelling, and can adopt any combination to combine all processes or the unit of disclosed all features in this instructions (comprising claim, summary and the accompanying drawing followed) and disclosed any method like this or equipment.Unless clearly statement in addition, in this instructions (comprising claim, summary and the accompanying drawing followed) disclosed each feature can be by providing identical, be equal to or the alternative features of similar object replaces.
In addition, those skilled in the art can understand, although embodiment more described herein comprise some feature rather than further feature included in other embodiment, the combination of the feature of different embodiment means within scope of the present invention and forms different embodiment.For example, in the following claims, the one of any of embodiment required for protection can be used with array mode arbitrarily.
All parts embodiment of the present invention can realize with hardware, or realizes with the software module moved on one or more processor, or realizes with their combination.It will be understood by those of skill in the art that and can use in practice microprocessor or digital signal processor (DSP) to realize according to the some or all functions of the some or all parts in the file virus immune apparatus of the embodiment of the present invention.The present invention for example can also be embodied as, for carrying out part or all equipment or device program (, computer program and computer program) of method as described herein.Realizing program of the present invention and can be stored on computer-readable medium like this, or can there is the form of one or more signal.Such signal can be downloaded and obtain from internet website, or provides on carrier signal, or provides with any other form.
It should be noted above-described embodiment the present invention will be described rather than limit the invention, and those skilled in the art can design alternative embodiment in the situation that do not depart from the scope of claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and is not listed as element or step in the claims.Being positioned at word " " before element or " one " does not get rid of and has a plurality of such elements.The present invention can be by means of including the hardware of some different elements and realizing by means of the computing machine of suitably programming.In having enumerated the unit claim of some devices, several in these devices can be to carry out imbody by same hardware branch.The use of word first, second and C grade does not represent any order.Can be title by these word explanations.
The invention discloses:
A1, a kind of file virus immunization method, comprising:
After the detection notice task of virus detection engine is sent, by monitoring technique, intercept and capture the operation behavior request relevant with file;
According to described operation behavior request, carry out behavior identification, obtain the information of described operation behavior, the information of described operation behavior comprises behavior initiation process and corresponding action and/or object corresponding to behavior of behavior;
According to the information of described operation behavior, judge the abnormal behaviour of whether serving as reasons described operation behavior virus causing;
If described operation behavior is the abnormal behaviour being caused by virus, to user, sends information or tackle described operation behavior.
A2, according to the method described in A1, described monitoring technique comprises: file monitor technology, registry monitoring technology or Network Monitoring Technology.
A3, according to the method described in A2, if described monitoring technique is file monitor technology, action corresponding to described behavior comprises: read file, written document, revised file, deleted file, execute file and/or create file;
If described monitoring technique is registry monitoring technology, action corresponding to described behavior comprises: the list item associated with the configuration information of file in edit the registry;
If described monitoring technique is Network Monitoring Technology, action corresponding to described behavior comprises: upload file and/or download file.
A4, according to the method described in A2, described monitoring technique also comprises to be monitored the occupation condition of program, described according to operation behavior request, carries out behavior identification, the information that obtains described operation behavior specifically comprises:
Obtain active client from starting the resource occupation information start each program of moving to current time;
According to the resource occupation information of each program and the available resource information of active client, calculate respectively the resources occupation rate of each program.
A5, according to the method described in A1-A3 any one, the process white list of action corresponding to the behavior of appointment and/or object corresponding to behavior is preserved in this locality and/or high in the clouds;
Described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Inquire about behavior that the information of described operation behavior comprises and initiate corresponding action and/or process white list corresponding to object corresponding to behavior of behavior that information that whether process belong to described operation behavior comprises, if so, judge that described operation behavior is not the abnormal behaviour being caused by virus;
Described method also comprises: if described operation behavior is not the abnormal behaviour being caused by virus, carry out described operation behavior.
A6, according to the method described in A1-A3 any one, the process blacklist of action corresponding to the behavior of appointment and/or object corresponding to behavior is preserved in this locality and/or high in the clouds;
Described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Inquire about behavior that the information of described operation behavior comprises and initiate corresponding action and/or process blacklist corresponding to object corresponding to behavior of behavior that information that whether process belong to described operation behavior comprises, if not, judge that described operation behavior is the abnormal behaviour being caused by virus.
A7, according to the method described in A1-A3 any one, described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Judge whether action corresponding to behavior that the information of described operation behavior comprises is abnormal operation, if so, judges that described operation behavior is the abnormal behaviour being caused by virus.
A8, according to the method described in A7, described abnormal operation comprises:
The action of reading file, written document, revised file, deleted file, execute file and/or establishment file of carrying out in incorrect installation directory or user's config directory;
Or list item associated with the configuration information of file in edit the registry maybe writes starting up's item by the executable file of release to reduce file security grade;
Or, to network address upload file and/or the download file in URL blacklist.
A9, according to the method described in A1-A3 any one, described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Judge that whether object corresponding to behavior that the information of described operation behavior comprises belongs to the file blacklist that preserve in this locality and/or high in the clouds, if so, judges that described operation behavior is the abnormal behaviour being caused by virus.
B10, a kind of file virus immune apparatus, comprising:
Monitoring module, is suitable for receiving the detection notice that virus detects engine, by monitoring technique, intercepts and captures the operation behavior request relevant with file;
Identification module, is suitable for, according to described operation behavior request, carrying out behavior identification, obtains the information of described operation behavior, and the information of described operation behavior comprises behavior initiation process and corresponding action and/or object corresponding to behavior of behavior;
Judge module, is suitable for the information according to described operation behavior, judges the abnormal behaviour of whether serving as reasons described operation behavior virus causing;
Processing module, is suitable in the situation that described judge module is judged described operation behavior is the abnormal behaviour being caused by virus, and the prompting circle user oriented that detects engine by virus sends information or tackles described operation behavior.
B11, according to the device described in B10, described monitoring module is specifically suitable for: by file monitor technology, registry monitoring technology or Network Monitoring Technology, intercept and capture the operation behavior request relevant with file.
B12, according to the device described in B10, if described monitoring module is intercepted and captured the operation behavior request relevant with file by described file monitor technology, action corresponding to described behavior that described identification module obtains comprises: the action of reading file, written document, revised file, deleted file, execute file and/or establishment file;
If described monitoring module is intercepted and captured the operation behavior request relevant with file by described registry monitoring technology, action corresponding to described behavior that described identification module obtains comprises: the action of the list item associated with the configuration information of file in edit the registry;
If described monitoring module is intercepted and captured the operation behavior request relevant with file by described Network Monitoring Technology, action corresponding to described behavior that described identification module obtains comprises: the action of upload file and/or download file.
B13, according to the device described in B11, described monitoring module is also suitable for the occupation condition of program to monitor, described identification module is specifically suitable for:
Obtain active client from starting the resource occupation information start each program of moving to current time;
According to the resource occupation information of each program and the available resource information of active client, calculate respectively the resources occupation rate of each program.
B14, according to the device described in B10-B12 any one, the process white list of action corresponding to the behavior of appointment and/or object corresponding to behavior is preserved in this locality and/or high in the clouds;
Described judge module is specifically suitable for: inquire about behavior that the information of described operation behavior comprises and initiate corresponding action and/or process white list corresponding to object corresponding to behavior of behavior that information that whether process belong to described operation behavior comprises, if so, judge that described operation behavior is not the abnormal behaviour being caused by virus;
Described processing module is also suitable for: in the situation that described judge module is judged described operation behavior, be not the abnormal behaviour being caused by virus, carry out described operation behavior.
B15, according to the device described in B10-B12 any one, the process blacklist of action corresponding to the behavior of appointment and/or object corresponding to behavior is preserved in this locality and/or high in the clouds;
Described judge module is specifically suitable for: inquire about behavior that the information of described operation behavior comprises and initiate corresponding action and/or process blacklist corresponding to object corresponding to behavior of behavior that information that whether process belong to described operation behavior comprises, if not, judge that described operation behavior is the abnormal behaviour being caused by virus.
B16, according to the device described in B10-B12 any one, described judge module is specifically suitable for:
Judge whether action corresponding to behavior that the information of described operation behavior comprises is abnormal operation, if so, judges that described operation behavior is the abnormal behaviour being caused by virus.
B17, according to the device described in B16, described judge module is specifically suitable for:
Judge whether action corresponding to described behavior is the action of reading file, written document, revised file, deleted file, execute file and/or establishment file of carrying out in incorrect installation directory or user's config directory;
Or, judge whether action corresponding to described behavior is that list item associated with the configuration information of file in edit the registry maybe writes starting up's item by the executable file of release to reduce file security grade;
Or, judge that action corresponding to described behavior is whether to network address upload file and/or download file in URL blacklist.
B18, according to the device described in B10-B12 any one, described judge module is specifically suitable for: judge whether object corresponding to behavior that the information of described operation behavior comprises belongs to the file blacklist that preserve in this locality and/or high in the clouds, if so, judge that described operation behavior is the abnormal behaviour being caused by virus.
Claims (10)
1. a file virus immunization method, comprising:
After the detection notice task of virus detection engine is sent, by monitoring technique, intercept and capture the operation behavior request relevant with file;
According to described operation behavior request, carry out behavior identification, obtain the information of described operation behavior, the information of described operation behavior comprises behavior initiation process and corresponding action and/or object corresponding to behavior of behavior;
According to the information of described operation behavior, judge the abnormal behaviour of whether serving as reasons described operation behavior virus causing;
If described operation behavior is the abnormal behaviour being caused by virus, to user, sends information or tackle described operation behavior.
2. method according to claim 1, described monitoring technique comprises: file monitor technology, registry monitoring technology or Network Monitoring Technology.
3. method according to claim 2, if described monitoring technique is file monitor technology, action corresponding to described behavior comprises: read file, written document, revised file, deleted file, execute file and/or create file;
If described monitoring technique is registry monitoring technology, action corresponding to described behavior comprises: the list item associated with the configuration information of file in edit the registry;
If described monitoring technique is Network Monitoring Technology, action corresponding to described behavior comprises: upload file and/or download file.
4. method according to claim 2, described monitoring technique also comprises to be monitored the occupation condition of program, described according to operation behavior request, carries out behavior identification, and the information that obtains described operation behavior specifically comprises:
Obtain active client from starting the resource occupation information start each program of moving to current time;
According to the resource occupation information of each program and the available resource information of active client, calculate respectively the resources occupation rate of each program.
5. according to the method described in claim 1-3 any one, the process white list of action corresponding to the behavior of appointment and/or object corresponding to behavior is preserved in this locality and/or high in the clouds;
Described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Inquire about behavior that the information of described operation behavior comprises and initiate corresponding action and/or process white list corresponding to object corresponding to behavior of behavior that information that whether process belong to described operation behavior comprises, if so, judge that described operation behavior is not the abnormal behaviour being caused by virus;
Described method also comprises: if described operation behavior is not the abnormal behaviour being caused by virus, carry out described operation behavior.
6. according to the method described in claim 1-3 any one, the process blacklist of action corresponding to the behavior of appointment and/or object corresponding to behavior is preserved in this locality and/or high in the clouds;
Described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Inquire about behavior that the information of described operation behavior comprises and initiate corresponding action and/or process blacklist corresponding to object corresponding to behavior of behavior that information that whether process belong to described operation behavior comprises, if not, judge that described operation behavior is the abnormal behaviour being caused by virus.
7. according to the method described in claim 1-3 any one, described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Judge whether action corresponding to behavior that the information of described operation behavior comprises is abnormal operation, if so, judges that described operation behavior is the abnormal behaviour being caused by virus.
8. method according to claim 7, described abnormal operation comprises:
The action of reading file, written document, revised file, deleted file, execute file and/or establishment file of carrying out in incorrect installation directory or user's config directory;
Or list item associated with the configuration information of file in edit the registry maybe writes starting up's item by the executable file of release to reduce file security grade;
Or, to network address upload file and/or the download file in URL blacklist.
9. according to the method described in claim 1-3 any one, described according to the information of described operation behavior, judge that the abnormal behaviour of whether serving as reasons described operation behavior virus causing specifically comprises:
Judge that whether object corresponding to behavior that the information of described operation behavior comprises belongs to the file blacklist that preserve in this locality and/or high in the clouds, if so, judges that described operation behavior is the abnormal behaviour being caused by virus.
10. a file virus immune apparatus, comprising:
Monitoring module, is suitable for receiving the detection notice that virus detects engine, by monitoring technique, intercepts and captures the operation behavior request relevant with file;
Identification module, is suitable for, according to described operation behavior request, carrying out behavior identification, obtains the information of described operation behavior, and the information of described operation behavior comprises behavior initiation process and corresponding action and/or object corresponding to behavior of behavior;
Judge module, is suitable for the information according to described operation behavior, judges the abnormal behaviour of whether serving as reasons described operation behavior virus causing;
Processing module, is suitable in the situation that described judge module is judged described operation behavior is the abnormal behaviour being caused by virus, and the prompting circle user oriented that detects engine by virus sends information or tackles described operation behavior.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310683012.4A CN103679031B (en) | 2013-12-12 | 2013-12-12 | A kind of immune method and apparatus of file virus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310683012.4A CN103679031B (en) | 2013-12-12 | 2013-12-12 | A kind of immune method and apparatus of file virus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103679031A true CN103679031A (en) | 2014-03-26 |
CN103679031B CN103679031B (en) | 2017-10-31 |
Family
ID=50316541
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310683012.4A Active CN103679031B (en) | 2013-12-12 | 2013-12-12 | A kind of immune method and apparatus of file virus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103679031B (en) |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105095741A (en) * | 2014-05-13 | 2015-11-25 | 北京奇虎测腾科技有限公司 | Behavior monitoring method and behavior monitoring system of application program |
CN105389521A (en) * | 2015-12-18 | 2016-03-09 | 北京金山安全管理系统技术有限公司 | Method for safely protecting file in computer system |
CN105653974A (en) * | 2015-12-23 | 2016-06-08 | 北京奇虎科技有限公司 | Document protection method and device |
CN105760759A (en) * | 2015-12-08 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Method and system for protecting documents based on process monitoring |
CN105893846A (en) * | 2016-04-22 | 2016-08-24 | 北京金山安全软件有限公司 | Method and device for protecting target application program and electronic equipment |
CN106022118A (en) * | 2016-05-20 | 2016-10-12 | 北京金山安全软件有限公司 | Security protection processing method and device |
CN106548070A (en) * | 2016-07-18 | 2017-03-29 | 北京安天电子设备有限公司 | A kind of method and system that blackmailer's virus is defendd in stand-by time |
CN106709334A (en) * | 2015-11-17 | 2017-05-24 | 阿里巴巴集团控股有限公司 | Method, device and system for detecting intrusive script files |
CN106778232A (en) * | 2016-12-26 | 2017-05-31 | 努比亚技术有限公司 | A kind of information analysis method and electronic equipment |
CN106874759A (en) * | 2016-09-26 | 2017-06-20 | 深圳市安之天信息技术有限公司 | A kind of recognition methods of wooden horse act of randomization and system |
CN107102937A (en) * | 2016-02-19 | 2017-08-29 | 腾讯科技(深圳)有限公司 | A kind of ui testing method and apparatus |
CN107851157A (en) * | 2015-06-27 | 2018-03-27 | 迈可菲有限责任公司 | The detection of Malware |
CN107871079A (en) * | 2017-11-29 | 2018-04-03 | 深信服科技股份有限公司 | A kind of suspicious process detection method, device, equipment and storage medium |
CN108121913A (en) * | 2017-09-26 | 2018-06-05 | 江苏神州信源系统工程有限公司 | A kind of operation management method and device |
CN109241734A (en) * | 2018-08-10 | 2019-01-18 | 航天信息股份有限公司 | A kind of securing software operational efficiency optimization method and system |
CN109446030A (en) * | 2018-11-12 | 2019-03-08 | 北京芯盾时代科技有限公司 | A kind of behavior monitoring method and device |
CN109472144A (en) * | 2017-12-29 | 2019-03-15 | 北京安天网络安全技术有限公司 | It is a kind of to defend the viral method, apparatus operated to file and storage medium |
CN109492391A (en) * | 2018-11-05 | 2019-03-19 | 腾讯科技(深圳)有限公司 | A kind of defence method of application program, device and readable medium |
CN109815701A (en) * | 2018-12-29 | 2019-05-28 | 360企业安全技术(珠海)有限公司 | Detection method, client, system and the storage medium of software security |
CN111095250A (en) * | 2017-05-30 | 2020-05-01 | 赛姆普蒂夫技术公司 | Real-time detection and protection against malware and steganography in kernel mode |
CN114861183A (en) * | 2022-06-07 | 2022-08-05 | 珠海豹好玩科技有限公司 | Document macro security detection method and device, electronic equipment and storage medium |
CN114900326A (en) * | 2022-03-30 | 2022-08-12 | 深圳市国电科技通信有限公司 | Method, system and storage medium for monitoring and protecting terminal instruction operation |
CN115114622A (en) * | 2021-03-23 | 2022-09-27 | 奇安信科技集团股份有限公司 | Virus scanning and displaying method and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7917955B1 (en) * | 2005-01-14 | 2011-03-29 | Mcafee, Inc. | System, method and computer program product for context-driven behavioral heuristics |
CN102194072A (en) * | 2011-06-03 | 2011-09-21 | 奇智软件(北京)有限公司 | Method, device and system used for handling computer virus |
CN102629310A (en) * | 2012-02-29 | 2012-08-08 | 卡巴斯基实验室封闭式股份公司 | System and method for protecting computer system from being infringed by activities of malicious objects |
CN102646173A (en) * | 2012-02-29 | 2012-08-22 | 成都新云软件有限公司 | Safety protection control method and system based on white and black lists |
CN102867146A (en) * | 2012-09-18 | 2013-01-09 | 珠海市君天电子科技有限公司 | Method and system for preventing computer virus from frequently infecting systems |
-
2013
- 2013-12-12 CN CN201310683012.4A patent/CN103679031B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7917955B1 (en) * | 2005-01-14 | 2011-03-29 | Mcafee, Inc. | System, method and computer program product for context-driven behavioral heuristics |
CN102194072A (en) * | 2011-06-03 | 2011-09-21 | 奇智软件(北京)有限公司 | Method, device and system used for handling computer virus |
CN102629310A (en) * | 2012-02-29 | 2012-08-08 | 卡巴斯基实验室封闭式股份公司 | System and method for protecting computer system from being infringed by activities of malicious objects |
CN102646173A (en) * | 2012-02-29 | 2012-08-22 | 成都新云软件有限公司 | Safety protection control method and system based on white and black lists |
CN102867146A (en) * | 2012-09-18 | 2013-01-09 | 珠海市君天电子科技有限公司 | Method and system for preventing computer virus from frequently infecting systems |
Cited By (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105095741A (en) * | 2014-05-13 | 2015-11-25 | 北京奇虎测腾科技有限公司 | Behavior monitoring method and behavior monitoring system of application program |
CN107851157A (en) * | 2015-06-27 | 2018-03-27 | 迈可菲有限责任公司 | The detection of Malware |
CN106709334A (en) * | 2015-11-17 | 2017-05-24 | 阿里巴巴集团控股有限公司 | Method, device and system for detecting intrusive script files |
CN105760759A (en) * | 2015-12-08 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Method and system for protecting documents based on process monitoring |
CN105389521A (en) * | 2015-12-18 | 2016-03-09 | 北京金山安全管理系统技术有限公司 | Method for safely protecting file in computer system |
CN105653974A (en) * | 2015-12-23 | 2016-06-08 | 北京奇虎科技有限公司 | Document protection method and device |
CN105653974B (en) * | 2015-12-23 | 2019-07-23 | 北京奇虎科技有限公司 | A kind of document means of defence and device |
CN107102937B (en) * | 2016-02-19 | 2021-03-02 | 腾讯科技(深圳)有限公司 | User interface testing method and device |
CN107102937A (en) * | 2016-02-19 | 2017-08-29 | 腾讯科技(深圳)有限公司 | A kind of ui testing method and apparatus |
CN105893846A (en) * | 2016-04-22 | 2016-08-24 | 北京金山安全软件有限公司 | Method and device for protecting target application program and electronic equipment |
CN106022118A (en) * | 2016-05-20 | 2016-10-12 | 北京金山安全软件有限公司 | Security protection processing method and device |
CN106548070A (en) * | 2016-07-18 | 2017-03-29 | 北京安天电子设备有限公司 | A kind of method and system that blackmailer's virus is defendd in stand-by time |
CN106874759A (en) * | 2016-09-26 | 2017-06-20 | 深圳市安之天信息技术有限公司 | A kind of recognition methods of wooden horse act of randomization and system |
CN106874759B (en) * | 2016-09-26 | 2020-04-28 | 深圳市安之天信息技术有限公司 | Identification method and system for Trojan horse randomized behavior |
CN106778232A (en) * | 2016-12-26 | 2017-05-31 | 努比亚技术有限公司 | A kind of information analysis method and electronic equipment |
CN111095250A (en) * | 2017-05-30 | 2020-05-01 | 赛姆普蒂夫技术公司 | Real-time detection and protection against malware and steganography in kernel mode |
CN108121913A (en) * | 2017-09-26 | 2018-06-05 | 江苏神州信源系统工程有限公司 | A kind of operation management method and device |
CN107871079A (en) * | 2017-11-29 | 2018-04-03 | 深信服科技股份有限公司 | A kind of suspicious process detection method, device, equipment and storage medium |
CN109472144A (en) * | 2017-12-29 | 2019-03-15 | 北京安天网络安全技术有限公司 | It is a kind of to defend the viral method, apparatus operated to file and storage medium |
CN109472144B (en) * | 2017-12-29 | 2021-09-28 | 北京安天网络安全技术有限公司 | Method, device and storage medium for operating file by defending virus |
CN109241734A (en) * | 2018-08-10 | 2019-01-18 | 航天信息股份有限公司 | A kind of securing software operational efficiency optimization method and system |
CN109492391A (en) * | 2018-11-05 | 2019-03-19 | 腾讯科技(深圳)有限公司 | A kind of defence method of application program, device and readable medium |
CN109492391B (en) * | 2018-11-05 | 2023-02-28 | 腾讯科技(深圳)有限公司 | Application program defense method and device and readable medium |
CN109446030A (en) * | 2018-11-12 | 2019-03-08 | 北京芯盾时代科技有限公司 | A kind of behavior monitoring method and device |
CN109815701A (en) * | 2018-12-29 | 2019-05-28 | 360企业安全技术(珠海)有限公司 | Detection method, client, system and the storage medium of software security |
CN115114622A (en) * | 2021-03-23 | 2022-09-27 | 奇安信科技集团股份有限公司 | Virus scanning and displaying method and system |
CN114900326A (en) * | 2022-03-30 | 2022-08-12 | 深圳市国电科技通信有限公司 | Method, system and storage medium for monitoring and protecting terminal instruction operation |
CN114861183A (en) * | 2022-06-07 | 2022-08-05 | 珠海豹好玩科技有限公司 | Document macro security detection method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103679031B (en) | 2017-10-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103679031A (en) | File virus immunizing method and device | |
US11455400B2 (en) | Method, system, and storage medium for security of software components | |
CN102332072B (en) | System and method for detection of malware and management of malware-related information | |
US11086983B2 (en) | System and method for authenticating safe software | |
US9614867B2 (en) | System and method for detection of malware on a user device using corrected antivirus records | |
CN106295333B (en) | method and system for detecting malicious code | |
CN103281325A (en) | Method and device for processing file based on cloud security | |
CN109344611B (en) | Application access control method, terminal equipment and medium | |
MXPA06001211A (en) | End user data activation. | |
CN103001947A (en) | Program processing method and program processing system | |
US11811811B1 (en) | File scanner to detect malicious electronic files | |
CN103390130A (en) | Rogue program searching and killing method and device based on cloud security as well as server | |
CN103761478A (en) | Judging method and device of malicious files | |
CN102999720A (en) | Program identification method and system | |
CN103473501A (en) | Malware tracking method based on cloud safety | |
CN103679027A (en) | Searching and killing method and device for kernel level malware | |
CN111538978A (en) | System and method for executing tasks based on access rights determined from task risk levels | |
US10275596B1 (en) | Activating malicious actions within electronic documents | |
CN102999721A (en) | Program processing method and system | |
US20230038774A1 (en) | System, Method, and Apparatus for Smart Whitelisting/Blacklisting | |
CN111753304A (en) | System and method for performing tasks on a computing device based on access rights | |
US20220237289A1 (en) | Automated malware classification with human-readable explanations | |
US11436331B2 (en) | Similarity hash for android executables | |
RU2697951C2 (en) | System and method of terminating functionally restricted application, interconnected with website, launched without installation | |
Magklaras et al. | Insider threat specification as a threat mitigation technique |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20220725 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |