
CN103679031B - A file virus immunization method and apparatus - Google Patents


Info

Publication number: CN103679031B
Application number: CN201310683012.4A
Authority: CN (China)
Prior art keywords: behavior, file, operation behavior, information, virus
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN103679031A
Inventors: 禹健文, 邹贵强
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Events
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310683012.4A
Publication of CN103679031A
Application granted
Publication of CN103679031B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a method and apparatus for file virus immunization. The method includes: after the detection notification task of the virus detection engine is issued, intercepting, by means of monitoring technology, operation behavior requests relating to files; performing behavior recognition on the operation behavior request to obtain operation behavior information, which includes the process that initiated the behavior and the action corresponding to the behavior and/or the object of the behavior; judging, from the operation behavior information, whether the operation behavior is an abnormal behavior caused by a virus; and, if it is, issuing a prompt to the user through the prompt interface of the virus detection engine or intercepting the operation behavior. Under this scheme, monitoring of the file to be immunized does not depend on an existing signature database, it works in real time, and the judgement of virus behavior combines file information, the initiating process and action characteristics, which effectively improves the accuracy of the judgement.

Description

A file virus immunization method and apparatus
Technical field
The present invention relates to the field of computer security, and in particular to a file virus immunization method and apparatus.
Background technology
With the development of computer technology, application programs of every kind have penetrated into every field of production and daily life, bringing great convenience to users and improving productivity. The execution of an application depends on computer files of various kinds, for example text files, executable files and dynamic link library files. These files record the results of data processing or store program information. A file may be infected by a virus or malicious program, which affects the execution of the application, or the personal data stored in it may be read or modified illegally, putting the user's interests at risk.
At present, protection against viruses and malicious programs relies on the traditional signature database model: running programs are scanned in real time against a signature database. The database consists of the signatures of malicious program samples collected by the vendor. During scanning, the engine reads the file and matches it against every signature in the database; if the program code hits a signature, the file can be judged to be infected by a virus or malicious program. Signature matching is an effective technique for detecting and removing known malicious programs, but as the number of malicious programs grows geometrically, the generation and updating of the signature database lags behind. In addition, real-time scanning consumes a large amount of system resources.
The content of the invention
In view of the above problems, the present invention is proposed in order to provide a file virus immunization method and apparatus that overcome, or at least partially solve, the above problems.
According to one aspect of the invention, a file virus immunization method is provided, including: after the detection notification task of the virus detection engine is issued, intercepting, by means of monitoring technology, operation behavior requests relating to files; performing behavior recognition on the operation behavior request to obtain operation behavior information, which includes the process that initiated the behavior and the action corresponding to the behavior and/or the object of the behavior; judging, from the operation behavior information, whether the operation behavior is an abnormal behavior caused by a virus; and, if it is, issuing a prompt to the user or intercepting the operation behavior.
According to another aspect of the invention, a file virus immunization apparatus is provided, including: a monitoring module, adapted to receive the detection notification of the virus detection engine and to intercept operation behavior requests relating to files by means of monitoring technology; a recognition module, adapted to perform behavior recognition on the operation behavior request and obtain operation behavior information, which includes the process that initiated the behavior and the action corresponding to the behavior and/or the object of the behavior; a judgement module, adapted to judge from the operation behavior information whether the operation behavior is an abnormal behavior caused by a virus; and a processing module, adapted, when the judgement module judges the operation behavior to be an abnormal behavior caused by a virus, to issue a prompt to the user through the prompt interface of the virus detection engine or to intercept the operation behavior.
According to the file virus immunization method and apparatus of the invention, after the detection notification task of the virus detection engine is issued, when an operation behavior request on a file is detected, operation behavior information such as the initiating process of the behavior, the corresponding action and the object of the action is obtained; this information is combined to judge whether the operation behavior on the specific file is an abnormal behavior caused by a virus, and the abnormal behavior is then intercepted or a prompt is provided to the user through the prompt interface of the virus detection engine. Under this scheme, monitoring of the file to be immunized does not depend on an existing signature database, works in real time, and the judgement of virus behavior combines file information, the initiating process and action characteristics, which effectively improves the accuracy of the judgement.
The above is only an overview of the technical solution of the invention. In order that the technical means of the invention may be better understood and practiced according to the content of the specification, and in order that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to a person of ordinary skill in the art. The accompanying drawings are only for the purpose of showing the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flowchart of a file virus immunization method according to an embodiment of the invention;
Fig. 2 shows a flowchart of a file virus immunization method according to another embodiment of the invention;
Fig. 3 shows a flowchart of a file virus immunization method according to another embodiment of the invention;
Fig. 4 shows a flowchart of a file virus immunization method according to another embodiment of the invention;
Fig. 5 shows a structural block diagram of a file virus immunization apparatus according to another embodiment of the invention.
Embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Embodiments of the invention may be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with a computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments including any of the above systems, and so on.
A computer system/server may be described in the general context of computer-system-executable instructions (such as program modules) executed by the computer system. Generally, program modules may include routines, programs, target programs, components, logic, data structures and so on, which perform specific tasks or implement specific abstract data types. The computer system/server may be practiced in a distributed cloud computing environment, in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computer system storage media including storage devices.
In the present invention, the files referred to include data files stored on a storage device, usually in a specific folder or directory, and the device files through which the computer manages external devices.
Fig. 1 shows a flowchart of a file virus immunization method according to an embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
Step S110: after the detection notification task of the virus detection engine is issued, intercept operation behavior requests relating to files by means of monitoring technology.
Common operating systems such as Windows provide developers with a variety of application programming interfaces (APIs), and all application-layer programs, viruses and malicious programs included, are implemented by calling the corresponding APIs. Monitoring operation behavior requests on files therefore amounts to monitoring call requests to the API functions that implement file operations.
Step S120: perform behavior recognition on the operation behavior request to obtain the operation behavior information.
Here the operation behavior information includes the process that initiated the behavior, the action corresponding to the operation behavior and/or the object of the behavior. Specifically, this step may include:
when a program is detected requesting a call to a file-operation API, obtaining the process that initiated the request, i.e. the initiating process of the operation behavior;
learning the file operation action corresponding to the API from its type or name, which gives the action corresponding to the operation behavior. For example, if a program requests a call to the CreateFile API function, and that function is the one Windows uses to create files, it can be learned that the action corresponding to the operation behavior is creating a new file (note that CreateFile also opens existing files, so the creation-disposition parameter has to be inspected to distinguish creating a file from opening one);
parsing the parameters of the API function the application requested, to obtain the operation object and its information, which includes the file extension, file path, file attributes and so on.
Step S130: judge from the operation behavior information whether the operation behavior is an abnormal behavior caused by a virus.
The judgement considers together the initiating process, the corresponding action and the object of the operation behavior described in step S120. Several possible situations are: the process operating on the specified file is a suspicious malicious process; a normal process performs an operation on a possibly malicious file, for example reads a file outside the designated directory or executes a script file; and a process performs an abnormal action on the specified file, for example modifies the file's registry association.
Step S140: if the operation behavior is an abnormal behavior caused by a virus, issue a prompt to the user or intercept the operation behavior.
Virus behavior that can be determined with certainty can be intercepted directly; for virus behavior that cannot be determined directly, a prompt can be sent to the user, and the behavior is then intercepted or allowed according to the user's feedback.
According to the method provided by the above embodiment of the invention, after the detection notification task of the virus detection engine is issued, operation behavior requests on files are monitored, and operation behavior information such as the initiating process of the behavior, the corresponding action and the object of the action is obtained; this information is combined to judge whether the operation behavior on the specific file is an abnormal behavior caused by a virus, and the abnormal behavior is then intercepted or a prompt is provided to the user. Under this scheme, monitoring of the file to be immunized does not depend on an existing signature database, works in real time, and the judgement of virus behavior combines file information, the initiating process and action characteristics, which effectively improves the accuracy of the judgement.
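As an added illustration of steps S120 to S140 (this is not code from the patent), the following Python sketch maps a hooked Win32 call to an operation behavior record and then applies the three situations listed under step S130. The CreateFile constants are the real Win32 values; the process names, the designated directory, and the rule that a registry write under HKEY_CLASSES_ROOT or a Run key counts as an association or startup change are assumptions for the demonstration. Handle-based calls (ReadFile, WriteFile) are assumed to arrive with the handle already resolved to a path by the hook.

```python
"""Behavior recognition and judgement for intercepted file-operation API calls (steps S120-S140)."""
import os
from dataclasses import dataclass

# Win32 CreateFile parameter values (real constants)
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
CREATE_NEW, CREATE_ALWAYS, OPEN_EXISTING, OPEN_ALWAYS, TRUNCATE_EXISTING = 1, 2, 3, 4, 5

# Constructed policy inputs for the demonstration
SCRIPT_EXTENSIONS = {".vbs", ".js", ".bat", ".cmd", ".ps1"}
STARTUP_KEY_FRAGMENT = "\\CURRENTVERSION\\RUN"


@dataclass(frozen=True)
class Behavior:
    process: str     # image name of the initiating process
    action: str      # create / read / write / delete / execute / registry
    target: str      # file path or registry key parsed from the API parameters
    extension: str   # lower-cased extension of the target file ("" for registry keys)


def identify_behavior(process: str, api: str, args: dict) -> Behavior:
    """Derive the operation behavior from the hooked API's name and parsed parameters.

    `args` holds the parameters the hook captured; for handle-based APIs (ReadFile,
    WriteFile) the hook is assumed to have resolved the handle to a path already.
    """
    if api in ("CreateFileA", "CreateFileW"):
        target = args["lpFileName"]
        disposition = args["dwCreationDisposition"]
        # CreateFile both creates and opens files: the disposition tells which.
        if disposition in (CREATE_NEW, CREATE_ALWAYS, OPEN_ALWAYS):
            action = "create"
        elif disposition == TRUNCATE_EXISTING or args["dwDesiredAccess"] & GENERIC_WRITE:
            action = "write"
        else:
            action = "read"
    elif api == "WriteFile":
        action, target = "write", args["path"]
    elif api == "ReadFile":
        action, target = "read", args["path"]
    elif api in ("DeleteFileA", "DeleteFileW"):
        action, target = "delete", args["lpFileName"]
    elif api in ("CreateProcessA", "CreateProcessW"):
        action, target = "execute", args["lpApplicationName"]
    elif api in ("RegSetValueA", "RegSetValueW", "RegSetValueExA", "RegSetValueExW"):
        action, target = "registry", args["key"]
    else:
        raise ValueError(f"API not covered by the monitor: {api}")
    extension = "" if action == "registry" else os.path.splitext(target)[1].lower()
    return Behavior(process, action, target, extension)


def judge(b: Behavior, malicious_processes: set, designated_dirs: tuple) -> str:
    """Return 'intercept', 'prompt' or 'allow' following the three situations of step S130."""
    # Situation 1: the initiating process is a known malicious process -> certain, intercept.
    if b.process.lower() in malicious_processes:
        return "intercept"
    # Situation 3: abnormal action on the file, e.g. changing its registry association
    # or adding a startup entry -> not certain from behavior alone, ask the user.
    if b.action == "registry":
        key = b.target.upper()
        if key.startswith("HKEY_CLASSES_ROOT\\") or STARTUP_KEY_FRAGMENT in key:
            return "prompt"
        return "allow"
    # Situation 2: a normal process touching a possibly malicious file:
    # executing a script, or reading/writing outside the designated directories.
    if b.action == "execute" and b.extension in SCRIPT_EXTENSIONS:
        return "prompt"
    inside = any(b.target.lower().startswith(d.lower().rstrip("\\") + "\\") for d in designated_dirs)
    if not inside:
        return "prompt"
    return "allow"
```

A hook that keys only on the API name would classify every CreateFile call as a creation; the disposition and the access mask separate create, write and read, which matters because opening a document for reading is routine while creating a new file in the user's documents is not.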
Fig. 2 shows a flowchart of a file virus immunization method according to another embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step S200: receive the detection notification of the virus detection engine.
When the method provided by the invention is applied to a client, it is realized by a virus scanning application. The scanning application generally scans files in an engine-scan mode, and the antivirus engines it can use include a cloud scanning engine, the QVM (Qihoo Virtual Machine, artificial intelligence) engine, the Avira (小红伞) engine, or any other existing antivirus engine. Several antivirus engines may be integrated in the scanning application. Between engines, for example between a first and a second antivirus engine, scanning can be done in parallel: while the first engine is scanning, the files it has not yet determined can be fed to the second engine for scanning, instead of waiting until the first engine has finished all the files to be scanned before the second engine starts.
The first antivirus engine can include a cloud scanning engine for scanning PE-type files, and/or the QVM engine.
The second antivirus engine scans non-PE files for viruses. It refers mainly to the engine that scans the files other than those already determined by the first engine. It should be noted that the second antivirus engine can be capable of scanning files of all types; when the parallel mode is used in this embodiment, the number of files each engine has to scan is reduced, so scanning speed is improved and system resources are used effectively. In this embodiment the second antivirus engine can include at least one antivirus engine, for example the BitDefender engine, and/or the Avira engine, and/or other existing antivirus engines.
Step S210: intercept operation behavior requests relating to files by means of monitoring technology.
In this and the following embodiments, the API functions provided by Windows are used as the example to illustrate the specific implementation. Those skilled in the art can achieve the same purpose on other systems with other methods or different functions.
First, the monitoring technology in this step includes file monitoring. The actions of the operation behaviors that file monitoring can cover include: reading, writing, modifying, deleting, executing and/or creating a file. File monitoring is realized by hooking specific API functions. For example, Windows writes data to the file at the position the file pointer points to through the WriteFile function and reads data from a file through the ReadFile function; these two functions not only read and write disk files but also receive and send network data and operate on device files, such as reading and writing the data of devices like serial ports, USB and parallel ports. Monitoring of operation behaviors such as deleting and creating files is realized in a similar way and is not repeated here.
The monitoring technology also includes registry monitoring. For registry monitoring, the actions of the monitored operation behaviors include modifying the registry entries associated with a file's configuration information. The registry records the configuration information of applications; the entries associated with file configuration include the association of a file extension with an application, i.e. the default program that opens the file, and the writing of an executable file into the startup entries. An application generally modifies an association entry by modifying the data of a key value item. Windows provides several API functions that operate on the registry, for example RegSetValue, which sets the default value of the specified entry and sub-entry. As with file monitoring, the function is hooked and its parameters are analysed to obtain the required operation behavior information.
The monitoring technology also includes network monitoring. For network monitoring, the actions of the monitored operation behaviors include uploading and/or downloading files.
The monitoring technology also includes monitoring the resource occupancy of programs; specifically, the content monitored includes the resource occupancy information of each program run since the current client started up to the current time.
Step S220: perform behavior recognition on the operation behavior request to obtain the operation behavior information.
Here the operation behavior information includes the process that initiated the behavior, the action corresponding to the operation behavior and/or the object of the behavior. Specifically, this step may include:
when a program is detected requesting a call to a file-operation API, obtaining the process that initiated the request, i.e. the initiating process of the operation behavior;
learning the file operation action corresponding to the API from its type or name, which gives the action corresponding to the operation behavior. For example, if a program requests a call to the CreateFile API function, and that function is the one Windows uses to create files, it can be learned that the action corresponding to the operation behavior is creating a new file;
parsing the parameters of the API function the application requested, to obtain the operation object and its information, which includes the file extension, file path, file attributes and so on.
When the resource occupancy of programs is monitored, behavior recognition in this step also includes: obtaining the resource occupancy information of each program run since the current client started up to the current time, and calculating the resource occupancy rate of each program from its resource occupancy information and the available resources of the current client.
This addresses the case where the client has no virus but resource occupancy makes it run slowly or makes networking slow: startup-item processes with a high resource occupancy rate are identified automatically and the user is prompted proactively, so that the user can, as needed, forbid those startup items from starting with the system, or those startup items can be forbidden directly.
Resource occupancy includes occupancy of network bandwidth. For example, suppose it is calculated that the Test.exe program occupies 120K/s and the predetermined threshold for network bandwidth occupancy is 90%; Test.exe's 120K/s reaches 90% of the 124K/s available, so it is checked whether Test.exe is a startup-item program or a sub-process of a startup item, and if so a subsequent step can prompt the user that the startup item of Test.exe is occupying network resources. If the user, following the prompt, chooses to forbid that startup item from starting with the system, the startup item is prevented from launching the next time the current client starts.
Step S230: query whether the behavior-initiating process contained in the operation behavior information belongs to the process whitelist corresponding to the action and/or the object contained in that information; if so, judge that the behavior is not an abnormal behavior caused by a virus and perform step S240; otherwise perform step S250.
First, the process whitelist includes a whitelist corresponding to the object of the operation behavior. Taking file monitoring as the example, the object of the operation behavior in this step is the monitored file. The content of its process whitelist depends on the information of the file, mainly the file type. For a file of a specific type, the corresponding process whitelist holds the normal processes that the server has determined statistically; for example, for doc files the process whitelist should include the processes of common word processors such as word.exe and wps.exe.
The process whitelist also includes software carrying a trusted digital signature and its associated processes. It may also store information related to each digital signature, for example the legal form of the digital signatures issued by a trusted company. When a software or associated process is about to be installed or run on a client device, it is judged whether the software has a digital signature and whether that signature is consistent with the relevant information of a signature in the software list, for example whether the form of the software's signature is identical to a legal form recorded in the list. If so, the software is judged to be in the process whitelist.
For example, the judgement of a trusted digital signature can be divided into three steps: first, judge whether the software has a digital signature; second, judge the integrity and consistency of the digital signature, i.e. whether it was issued using the digital certificate held by the signer; third, judge whether the digital certificate used for signing is held by a recognized legal entity. For example, if the signer is Microsoft, judge whether the certificate issuer is "Microsoft Code Signing PCA" and whether the certificate holder name is "Microsoft Corporation". If all three conditions are met, the signature is judged to be trusted; otherwise it is an untrusted signature. For example, if conditions one and two are met but the CompanyName in the certificate information does not match or is inconsistent with the normal one, the digital signature is judged illegal (because social engineering deception of this kind is widely used).
The process whitelist also includes processes whose signature identifier is valid. The client generates, from the signature-related information of the unknown program file downloaded locally, a signature identifier uniquely corresponding to the unknown program file.
The signature identifier is computed over the computable field of the file characteristics; the computable field is the remainder of the PE file after removing the PE checksum section, the signature section and the signature contents. If the size of the resulting field is not a multiple of 8, the missing bytes are padded with 0 so that it can be computed.
Then the computable field is computed and the result of the computation is used as the signature identifier.
Optionally, the computable field is taken as the digest input and computed with the SHA1 algorithm, obtaining the signature identifier uniquely corresponding to the unknown program file.
After generating the signature identifier of the unknown program file, the client sends a query request to the server; the query request carries the signature identifier and part or all of the file characteristics of the unknown program file. On receiving the query request, the server matches the signature identifier in the request against the process whitelist and obtains the scanning/removal method corresponding to the identifier. Scanning/removal consists mainly of scanning/judgement actions and repair actions; the scanning/judgement actions include scanning and judging the attributes of the program file and its context, and when the file is determined to be a malicious program the corresponding repair operation is executed.
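The signature identifier is described above only in outline. The following Python function, added here and not part of the patent, implements the usual reading of that outline: the PE image is hashed with SHA-1 after removing the CheckSum field, the security data-directory entry and the certificate table it points to, and the remainder is zero-padded to a multiple of 8 bytes. The exact field boundaries the patent intends are not stated, so the Authenticode-style choice of boundaries and the minimal constructed PE32 image used as input are assumptions. Chosen-prefix collisions against SHA-1 are practical, so an allowlist keyed on this identifier should use SHA-256 in practice; SHA-1 is kept here to match the text.

```python
"""Signature identifier for an unknown PE file: SHA-1 over the image minus its CheckSum field,
security data-directory entry and certificate table, zero-padded to a multiple of 8 bytes."""
import hashlib
import struct


def _u16(data: bytes, off: int) -> int:
    return struct.unpack_from("<H", data, off)[0]


def _u32(data: bytes, off: int) -> int:
    return struct.unpack_from("<I", data, off)[0]


def computable_field(data: bytes) -> bytes:
    """Return the bytes of the PE image that feed the digest."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off = _u32(data, 0x3C)                      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    opt = pe_off + 4 + 20                          # optional header follows the 20-byte COFF header
    magic = _u16(data, opt)
    if magic == 0x10B:
        dd_off = opt + 96                          # PE32: data directories start at offset 96
    elif magic == 0x20B:
        dd_off = opt + 112                         # PE32+: data directories start at offset 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                        # CheckSum sits at offset 64 in both formats
    secdir_off = dd_off + 4 * 8                    # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4
    cert_off = _u32(data, secdir_off)              # for this entry the "VirtualAddress" is a file offset
    cert_size = _u32(data, secdir_off + 4)
    if cert_size and (cert_off < secdir_off + 8 or cert_off + cert_size > len(data)):
        raise ValueError("certificate table out of bounds")
    parts = [data[:checksum_off], data[checksum_off + 4:secdir_off]]
    if cert_size:
        parts.append(data[secdir_off + 8:cert_off])
        parts.append(data[cert_off + cert_size:])
    else:
        parts.append(data[secdir_off + 8:])
    field = b"".join(parts)
    if len(field) % 8:                             # pad to a multiple of 8 as the text requires
        field += b"\0" * (8 - len(field) % 8)
    return field


def signature_identifier(data: bytes) -> str:
    return hashlib.sha1(computable_field(data)).hexdigest()


def build_sample_pe(body: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32 image (headers plus raw bytes, not loadable) for demonstration."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, no sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    cert_off = 64 + 4 + 20 + 224 + len(body)       # certificate table appended after the body
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off if cert else 0, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert
```

Two images that differ only in their CheckSum value and certificate table produce the same identifier, which is what lets a re-signed or re-stamped copy of a known program still match the whitelist; any change to the code bytes produces a different identifier.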
Alternatively, the other files and registry information under the process file's directory are analysed; if the process has a complete set of accompanying files, such as common dll and dat files, or complete registry information, it can be regarded as the process of legitimate software and added to the process whitelist. On its own this is a weak signal, since a malicious installer can also drop supporting files, so it is best treated as supplementary to the signature checks above.
The process whitelist also includes a whitelist corresponding to the action of the operation behavior. For example, for the download behavior, similarly to the file whitelist, the process whitelist corresponding to the download action includes the secure processes determined statistically, such as browser processes and the processes of common download software. Further, a process whitelist can be set for a specified operation on a specified file.
Alternatively, the same purpose can be achieved in this step by querying a process blacklist. Correspondingly, the blacklist holds non-secure and suspicious processes, for example the processes of known viruses or malicious programs, processes without a digital signature, or processes whose file is a single standalone executable. The step is then:
query whether the behavior-initiating process contained in the operation behavior information belongs to the process blacklist corresponding to the action and/or the object contained in that information; if so, judge that the operation behavior is an abnormal behavior caused by a virus and perform step S250; otherwise perform step S240.
The above query can be completed against a local black/white list or in the cloud, where the black/white list database is more complete. Usually the whitelist is maintained by the user on the client: the user adds processes judged non-malicious to the whitelist, which can record the process's file name, file path, signature and signature identifier; the blacklist is generally maintained by the antivirus vendor, which adds the malicious processes determined by monitoring. One query method is to query the local whitelist first and, if no result is obtained, query the cloud blacklist. The cloud file blacklist stores process information in advance, such as the correspondence between the characteristic value of the process file and a security level. The security levels determined by the server can be user-defined, for example safe, dangerous and unknown, or distinguished as level one, level two, level three and so on, as long as they express whether each module is safe. Alternatively the security levels include: safe, unknown, suspicious, highly suspicious and malicious, where malicious is the highest level and safe the lowest. For example, the level can be defined so that 10-20 is safe, 30-40 is unknown, 50-60 is suspicious or highly suspicious, and above 70 is malicious.
Step S240, performs the operation behavior that operation behavior request bag contains.
In this case, after the Hook Function of the embodiment of the present invention is finished, this document behavior request is jumped to Corresponding A PI original entry address is gone to perform corresponding instruction.
Step S250, issues the user with prompt message or intercepts operation behavior.
User can be pointed out in the mode of desktop designated area Pop-up message window, for example, in prompting circle of antivirus engine Message is shown on face.The operation information that will be obtained in step S220, such as process title, process path, corresponding executable file Title, and specific action etc. show user, for customer analysis to make decision, can also according to existing statistical result, Danger classes, the safety for providing process and corresponding application program comment grading information and provide a user corresponding suggestion.Xiang Yong Family sends prompt message and also provides a kind of means of interaction, and this can be used for the renewal of black/white list, and user is selected to perform Process add in local white list, user is customized the local white list of personalization, or count a large amount of use beyond the clouds The selection at family, upgrade in time local white list.
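The list query of step S230, written as an added example that is not code from the patent: a local white list keyed by process, action and object is consulted first, then the cloud black list keyed by the characteristic value of the process file, with the grade bands the description gives. The list contents, the SHA-256 characteristic value and the rule that only suspicious or malicious hits count as abnormal are assumptions.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class OperationBehavior:
    process: str   # behaviour-initiating process (image name)
    action: str    # read / write / modify / delete / execute / create
    obj: str       # object of the action (file path)
    image: bytes   # content of the process file, used for its characteristic value


def characteristic_value(image: bytes) -> str:
    """Characteristic value of the process file. SHA-256 is an assumption;
    the description does not fix a hash function."""
    return hashlib.sha256(image).hexdigest()


def grade_to_level(grade: int) -> str:
    """Map a cloud grade to a security level using the bands in the text
    (10-20 safe, 30-40 unknown, 50-60 suspicious/highly suspicious, >70
    malicious). Grades outside those bands fall back to 'unknown' (assumption)."""
    if 10 <= grade <= 20:
        return "safe"
    if 30 <= grade <= 40:
        return "unknown"
    if 50 <= grade <= 60:
        return "suspicious"
    if grade > 70:
        return "malicious"
    return "unknown"


# Local white list maintained by the user on the client: process image name ->
# (action, object glob) pairs the user declared non-malicious. Constructed data.
LOCAL_WHITE = {
    "winword.exe": [("write", r"c:\users\*\documents\*.docx"),
                    ("read", r"c:\users\*\documents\*")],
}

# Cloud black list maintained by the vendor: characteristic value -> grade.
# The process images are constructed stand-ins, not real samples.
MALICIOUS_IMAGE = b"constructed stand-in for a malicious process image"
UNRATED_IMAGE = b"constructed stand-in for an image rated 'unknown'"
CLOUD_BLACK = {
    characteristic_value(MALICIOUS_IMAGE): 85,
    characteristic_value(UNRATED_IMAGE): 35,
}


def in_local_white(b: OperationBehavior) -> bool:
    """Local white-list hit: process, action and object must all match."""
    return any(action == b.action and fnmatch.fnmatch(b.obj.lower(), pattern)
               for action, pattern in LOCAL_WHITE.get(b.process, []))


def cloud_level(b: OperationBehavior) -> Optional[str]:
    """Cloud black-list lookup by characteristic value; None when absent."""
    grade = CLOUD_BLACK.get(characteristic_value(b.image))
    return None if grade is None else grade_to_level(grade)


def judge(b: OperationBehavior) -> Tuple[str, Optional[str]]:
    """Step S230 in the order the text gives: local white list first, cloud
    black list on a miss. Returns the next step and the level for the prompt.
    Treating only 'suspicious' and 'malicious' hits as abnormal is an assumption."""
    if in_local_white(b):
        return ("S240", "safe")
    level = cloud_level(b)
    if level in ("suspicious", "malicious"):
        return ("S250", level)          # abnormal: prompt the user or intercept
    return ("S240", level)              # not abnormal: let the request proceed
```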
Fig. 3 shows a flow chart of a file virus immunization method according to another embodiment of the present invention. As shown in Fig. 3, the method comprises the following steps:
Step S300, receiving the detection notice task of the virus detection engine.
Step S310, intercepting, through a monitoring technology, an operation behavior request relevant to a file.
Step S320, performing behavior recognition according to the operation behavior request to obtain the information of the operation behavior.
For the particular content of steps S300-S320, refer to the descriptions of the corresponding steps S210 and S220, which are not repeated here.
Step S330, judging whether the action corresponding to the behavior contained in the information of the operation behavior is an abnormal action; if so, the behavior is judged to be an abnormal behavior caused by a virus.
The operation behavior of a normal process may also include dangerous actions; for example, the file of a process is modified by a virus and an abnormal action is performed, and at that point immunization cannot be achieved through process information alone. Abnormal actions include: reading, writing, modifying, deleting, executing and/or creating a file in a directory that is not the correct installation directory or in a user configuration directory; or modifying, in the registry, a table entry associated with the configuration information of a file so as to reduce the file security level, or writing a released executable file into start-up. By judging the abnormal action, the present embodiment immunizes against the malicious programs or viruses that can cause this class of behavior.
Specifically, for the file virus to be immunized against, the action characteristics of this type of virus are analyzed and the rules of its actions are summarized; when an action matching those rules is found in a monitored operation request, the operation behavior is intercepted. The specific implementation process is illustrated below taking Office macro viruses as an example.
In practical application, a large number of Microsoft Office macro virus samples may be studied and the following known macro virus actions collected:
1. Registry modification actions, whose purpose is to modify the registry so as to lower the security level settings, or to modify the registry so that a released executable file is written into start-up, etc.;
2. Propagation actions, which propagate by infecting templates, for example by writing files to the template directory; different versions of Microsoft Office have different infection templates, and under a Windows 7 system the defaults are:
The Microsoft Word infection template file is C:\Users\[user name]\AppData\Roaming\Microsoft\Templates\normal.dot
The Excel infection template directories are C:\Users\[user name]\AppData\Roaming\Microsoft\Excel\xlstart and office11\xlstart under the Excel installation directory
3. Actions upon outbreak, including:
3.1 Popping up a window during a certain time period;
3.2 Repeatedly copying worksheets, so that the software cannot be used normally;
3.3 Releasing an executable file, which may specifically include: creating a file, writing a file, executing a file, etc.
For Office processes, the above actions are abnormal actions, and the corresponding operation behavior is probably an abnormal behavior caused by a virus. Further, the corresponding object may be taken into account as well when judging whether the behavior is an abnormal behavior caused by a virus. Table 1 shows common macro virus behaviors and the objects corresponding to those behaviors.
Taking the first and second situations in Table 1 as an example, in practical application the registry may be read in advance to obtain the Office template file and template directory; for example, under a Windows 7 system the defaults are that the Word template file is C:\Users\[user name]\AppData\Roaming\Microsoft\Templates\normal.dot and the Excel template directory is C:\Users\[user name]\AppData\Roaming\Microsoft\Excel\xlstart, or office11\xlstart under the Excel installation directory. Storing files under the Excel template directory (the xlstart directory) is normally not allowed; therefore, if the information of the operation behavior shows that the corresponding file behavior targets a file under the xlstart directory, the corresponding file operation behavior can be determined to be an abnormal behavior caused by a macro virus.
Table 1
For other types of processes or files beyond Office, abnormal actions also include: uploading files to and/or downloading files from network addresses in a URL black list, etc.
Step S340, issuing a prompt message to the user or intercepting the operation behavior.
For the description of this step, refer to step S250; it is not repeated here.
Fig. 4 shows a file virus immunization method according to another embodiment of the present invention. As shown in Fig. 4, the method comprises the following steps:
Step S400, receiving the detection notice task of the virus detection engine.
Step S410, intercepting, through a monitoring technology, an operation behavior request relevant to a file.
Step S420, performing behavior recognition according to the operation behavior request to obtain the information of the operation behavior.
For the particular content of steps S400-S420, refer to the descriptions of the corresponding steps S210 and S220, which are not repeated here.
Step S430, judging whether the object corresponding to the behavior contained in the information of the operation behavior belongs to a file black list; if so, the behavior is judged to be an abnormal behavior caused by a virus and step S440 is performed.
For some safe processes, even the normal behaviors they perform may carry a threat, and the present embodiment applies to immunizing against such cases. For example, a process in the process white list executes an infected executable file; the process itself and its execution are not a problem, but after this file operation it may access other files again, causing more files to be infected and forming the propagation of the virus. Similarly, reading a script file from an unfamiliar location, or writing a file to a non-designated directory, is also a potentially dangerous behavior. In the present embodiment, the file black list stores the information of the non-secure files corresponding to a specific behavior of a specific process, including the file name, extension, file path and so on, and this information is obtained through step S420. The file virus immunization process is described in detail below taking CAD script files as an example.
When the script file operation behavior request initiated by the CAD process is a read operation request, whether the script file operation request is legitimate may be determined according to the directory in which the script file corresponding to the read request is located. For example, if the file requested by the CAD process is located in the installation directory of the CAD software, the operation request is considered legitimate, because in general the script files under the CAD software installation directory are the supporting script files necessary for the CAD software to run, and a request by the CAD process to read these script files can be determined to be legitimate; whereas if the script file requested by the CAD process is located in the directory of a drawing file or in a directory created by another user, the operation request is considered illegitimate, because a script file found under the drawing file directory or under a directory created by another user may be a malicious script file, for example a script file with lsp as its extension. Correspondingly, for the read behavior of the CAD process, the file black list includes the script files with lsp as their extension that exist under the drawing file directory or under directories created by other users.
When the script file operation request initiated by the CAD process is a write operation request, whether the request is legitimate may be determined according to the directory information of the script file to be written by the write operation request: if the write directory is the CAD installation directory, the user configuration directory or the configuration directory of a third-party plug-in, the operation request is considered illegitimate. Thus, for the write operation of the CAD process, the file black list should include the above configuration directories.
Similarly to the process white list described in step S230, the black list in this step may also include a local file black list and a cloud file black list, the cloud black list database being the more complete. One query method is to query locally first and, if no query result is obtained, then query the cloud. The cloud black list pre-stores the correspondence between the characteristic value of a file and security level information. The security level information determined at the server end may be customized, for example as the levels safe, dangerous and unknown, or distinguished as level one, level two, level three and so on, as long as it expresses whether each module is in a safe state. Alternatively, the security level information includes: a safe grade, an unknown grade, a suspicious grade, a highly suspicious grade and a malicious grade, where the malicious grade is the highest grade and the safe grade the lowest. For example, a grade of 10-20 may be set as the safe grade, a grade of 30-40 as the unknown grade, a grade of 50-60 as the suspicious grade and the highly suspicious grade, and a grade above 70 as the malicious grade.
Step S440, issuing a prompt message to the user or intercepting the operation behavior.
This step may be performed in the manner described in step S250. For the behavior of writing a file to a non-designated directory, the interception manner may also include: creating, under that directory, a security directory or file with the same name as the data or file of the virus or malicious program; adding a deny-access permission to the file or directory, etc.
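The abnormal-action judgment of step S330 (the Office macro virus actions listed above) and the file black list judgment of step S430 (the CAD script file rules just described), written as one added example that is not code from the patent. The process image names, the CAD installation and configuration directories and the registry paths used in the rules are assumptions; the Office template locations are the Windows 7 defaults the description gives.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class OperationBehavior:
    process: str   # behaviour-initiating process image name
    action: str    # read / write / create / modify / execute / modify_registry
    obj: str       # file path or registry value path the action targets


@dataclass
class Rule:
    processes: Set[str]
    actions: Set[str]
    patterns: List[str]   # globs over the object, compared case-insensitively
    reason: str


OFFICE = {"winword.exe", "excel.exe"}
CAD = {"acad.exe"}                               # assumption: AutoCAD image name
CAD_INSTALL = r"c:\program files\autocad\*"      # assumption
CAD_CONFIG_DIRS = [r"c:\users\*\appdata\roaming\autocad\*",       # user config (assumed)
                   r"c:\program files\cad-plugins\*\config\*"]    # plug-in config (assumed)

RULES = [
    # 1. registry modification: start-up entry or security settings. The Run key
    #    is the well-known Windows start-up key; the Office security path is assumed.
    Rule(OFFICE, {"modify_registry"},
         [r"hk*\software\microsoft\windows\currentversion\run\*",
          r"hk*\software\microsoft\office\*\security\*"],
         "Office process modifies start-up or security settings in the registry"),
    # 2. propagation: writing into the infection template file / directories
    Rule(OFFICE, {"write", "create", "modify"},
         [r"c:\users\*\appdata\roaming\microsoft\templates\normal.dot",
          r"c:\users\*\appdata\roaming\microsoft\excel\xlstart\*",
          r"*\office11\xlstart\*"],
         "Office process writes to an infection template location"),
    # 3.3 outbreak: releasing or executing an executable file (extension list assumed)
    Rule(OFFICE, {"create", "write", "execute"},
         ["*.exe", "*.dll", "*.scr", "*.com", "*.bat", "*.vbs"],
         "Office process releases or executes an executable file"),
    # CAD write request: the installation and configuration directories are black-listed
    Rule(CAD, {"write", "create"}, [CAD_INSTALL] + CAD_CONFIG_DIRS,
         "CAD process writes into the installation or configuration directory"),
]


def matches(rule: Rule, b: OperationBehavior) -> bool:
    """A rule fires when process, action and object all match."""
    if b.process not in rule.processes or b.action not in rule.actions:
        return False
    obj = b.obj.lower()
    return any(fnmatch.fnmatch(obj, p) for p in rule.patterns)


def cad_read_blacklisted(b: OperationBehavior) -> bool:
    """Step S430 for CAD read requests: an .lsp script outside the CAD
    installation directory (drawing directory, user-created directory) is on
    the file black list; scripts under the installation directory are legitimate."""
    if b.process not in CAD or b.action != "read":
        return False
    obj = b.obj.lower()
    return obj.endswith(".lsp") and not fnmatch.fnmatch(obj, CAD_INSTALL)


def judge(b: OperationBehavior) -> Optional[str]:
    """Return the reason the behaviour is abnormal (go to S340/S440), or None."""
    for rule in RULES:
        if matches(rule, b):
            return rule.reason
    if cad_read_blacklisted(b):
        return "CAD process reads an .lsp script outside the installation directory"
    return None
```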
According to the method provided by the above embodiments of the present invention, after the detection notice task of the virus detection engine is sent, operation behavior requests on files are monitored and the operation behavior information, such as the initiating process, the action corresponding to the behavior and the object of the action, is obtained; through a comprehensive analysis of the initiating process, the abnormal action and the suspicious object file, it is judged whether the operation behavior of a process on a specific file is an abnormal behavior caused by a virus, and the abnormal behavior is then intercepted or a prompt message is provided to the user, for example through the prompting interface of the antivirus engine. According to this scheme, the monitoring of the file to be immunized does not depend on an existing feature database and is real-time, and the judgment of the virus behavior combines file information, initiating process and action characteristics and can be made locally and/or in the cloud, giving the user more choices and effectively improving the efficiency and accuracy of the judgment.
Fig. 5 shows a structural block diagram of a file virus immune apparatus according to another embodiment of the present invention. As shown in Fig. 5, the apparatus comprises: a monitoring module 510, an identification module 520, a judgment module 530 and a processing module 540.
The monitoring module 510 is adapted to receive the detection notice of the virus detection engine and to intercept, through a monitoring technology, an operation behavior request relevant to a file. The monitoring module 510 is particularly adapted to intercept the operation behavior request relevant to the file through a file monitoring technology, a registry monitoring technology or a network monitoring technology.
For the file monitoring technology, the actions corresponding to the operation behaviors that the monitoring module 510 can monitor include: reading a file, writing a file, modifying a file, deleting a file, executing a file and/or creating a file. The monitoring module 510 realizes file monitoring by hooking specific API functions; for example, a Windows system writes data to the file position pointed to by the file pointer through the WriteFile function and reads data from a file through the ReadFile function. These two functions can not only read and write disk files but also receive and send network data and read and write device files, that is, the data of devices such as serial ports, USB and parallel ports. Monitoring of operation behaviors such as deleting a file or creating a file is realized in a similar manner and is not repeated here.
For the registry monitoring technology, the actions corresponding to the operation behaviors that the monitoring module 510 can monitor include: modifying a table entry in the registry associated with the configuration information of a file. The registry records the configuration information of application programs; the table entries in the registry associated with the configuration information of files include: the association of a file extension with an application program, i.e. the default program for opening the file, and the writing of an executable file into start-up, etc. An application program generally modifies an associated entry by modifying the key value item data.
Windows systems provide several API functions for operating on the registry, such as the RegSetValue function, which sets the default value of a specified table entry and sub-entry. As with the file monitoring technology, the monitoring module 510 hooks these functions and analyzes their parameters to obtain the required operation behavior information.
For the network monitoring technology, the actions corresponding to the operation behaviors monitored by the monitoring module 510 include: uploading a file and/or downloading a file.
The monitoring module 510 is further adapted to monitor the resource occupation condition of programs.
The identification module 520 is adapted to perform behavior recognition according to the operation behavior request and to obtain the information of the operation behavior, which includes the behavior-initiating process and the action corresponding to the behavior and/or the object corresponding to the behavior.
Specifically, when the monitoring module 510 detects that a program requests to call an API for operating on a file, the identification module 520 obtains the process that initiated the request, i.e. the initiating process of the operation behavior. According to the type or name of the API, the identification module 520 learns the file operation action corresponding to that API, which is the action corresponding to the operation behavior. For example, a certain program requests to call the API function CreateFile, and this API function is the function Windows systems use to create a file, so the identification module 520 learns that the action corresponding to the operation behavior is creating a new file. The identification module 520 may also parse the parameters of the API function the application program requests to call, obtaining the operation object and the operation object information, which includes: file extension, file path, file attributes, etc.
If the monitoring module 510 intercepts the operation behavior request relevant to the file through the file monitoring technology, the action corresponding to the behavior obtained by the identification module 520 includes: the action of reading a file, writing a file, modifying a file, deleting a file, executing a file and/or creating a file;
If the monitoring module 510 intercepts the operation behavior request relevant to the file through the registry monitoring technology, the action corresponding to the behavior obtained by the identification module 520 includes: the action of modifying a table entry in the registry associated with the configuration information of a file;
If the monitoring module 510 intercepts the operation behavior request relevant to the file through the network monitoring technology, the action corresponding to the behavior obtained by the identification module 520 includes: the action of uploading a file and/or downloading a file.
If the monitoring module 510 monitors the resource occupation condition of programs, the identification module 520 is further adapted to: obtain the resource occupation information of each program from the start of operation of the current client to the current time; and calculate the resource occupancy rate of each program according to the resource occupation information of each program and the available resource information of the current client.
The judgment module 530 is adapted to judge, according to the information of the operation behavior obtained by the identification module 520, whether the operation behavior is an abnormal behavior caused by a virus.
The judgment module 530 is particularly adapted to: query whether the behavior-initiating process contained in the information of the operation behavior belongs to the process white list corresponding to the action and/or object contained in the information of the operation behavior; if so, the behavior is judged not to be an abnormal behavior caused by a virus.
The judgment module 530 may also judge by querying a process black list. Specifically, the judgment module 530 queries whether the behavior-initiating process contained in the information of the operation behavior belongs to the process black list corresponding to the action and/or object contained in the information of the operation behavior; if not, the behavior is judged to be an abnormal behavior caused by a virus.
The judgment module 530 is further adapted to: judge whether the action corresponding to the behavior contained in the information of the operation behavior is an abnormal action; if so, the behavior is judged to be an abnormal behavior caused by a virus.
Specifically, the judgment module 530 is then adapted to: judge whether the action corresponding to the behavior is the action of reading, writing, modifying, deleting, executing and/or creating a file in a directory that is not the correct installation directory or in a user configuration directory; or judge whether the action corresponding to the behavior is modifying, in the registry, a table entry associated with the configuration information of a file so as to reduce the file security level, or writing a released executable file into start-up; or judge whether the action corresponding to the behavior is uploading a file to and/or downloading a file from a network address in a URL black list.
The judgment module 530 is further adapted to: judge whether the object corresponding to the behavior contained in the information of the operation behavior belongs to the file black list stored locally and/or in the cloud; if so, the operation behavior is judged to be an abnormal behavior caused by a virus.
The processing module 540 is adapted to issue a prompt message to the user through the prompting interface of the antivirus engine, or to intercept the operation behavior, when the judgment module 530 judges that the operation behavior is an abnormal behavior caused by a virus.
The processing module 540 may pop up a message window in a designated area of the desktop and display to the user the operation information obtained by the identification module 520, such as the process name, process path, name of the corresponding executable file and the specific action, so that the user can analyze it and decide; based on existing statistical results, the processing module 540 may also provide the danger level and safety rating information of the process and of the corresponding application program, together with a corresponding suggestion to the user. By displaying the risk information the processing module 540 also provides a means of interaction that can be used to update the black/white list: a process the user chooses to execute is added to the local white list, so that the user customizes a personalized local white list, or the choices of a large number of users are counted in the cloud and the list is updated in time.
The processing module 540 is further adapted to: perform the operation behavior when the judgment module judges that the operation behavior is not an abnormal behavior caused by a virus.
According to the apparatus provided by the above embodiments of the present invention, after the monitoring module receives the detection notice of the virus detection engine and monitors an operation behavior request on a file, the identification module obtains the operation behavior information, such as the initiating process, the action corresponding to the behavior and the object of the behavior; the judgment module judges, through a comprehensive analysis of the initiating process, the abnormal action and the suspicious object file, whether the operation behavior of the process on the specific file is an abnormal behavior caused by a virus; and the processing module then intercepts the abnormal behavior or provides a prompt message to the user through the prompting interface of the antivirus engine. According to this scheme, the monitoring of the file to be immunized does not depend on an existing feature database and is real-time, and the judgment of the virus behavior combines file information, initiating process and action characteristics and can be made locally and/or in the cloud, giving the user more choices and effectively improving the efficiency and accuracy of the judgment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used together with the teaching herein. As described above, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is given in order to disclose the best mode of the present invention.
In the specification provided here, numerous specific details are set forth. It should be appreciated, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to simplify the disclosure and help in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of the features of different embodiments are intended to fall within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the file virus immune apparatus according to embodiments of the present invention. The present invention may also be implemented as an apparatus or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be construed as names.
The invention discloses:
A1, a kind of file virus immunization method, including:
After the detection notice task of Viral diagnosis engine is sent, by monitoring technology, the operation relevant with file is intercepted and captured Behavior is asked;
Asked according to the operation behavior, carry out Activity recognition, obtain the information of the operation behavior, the operation behavior Information include behavior initiate process and behavior it is corresponding action and/or the corresponding object of behavior;
Whether according to the information of the operation behavior, it is the abnormal behaviour caused by virus to judge the operation behavior;
If the operation behavior is the abnormal behaviour caused by virus, issues the user with prompt message or intercept the behaviour Make behavior.
A2, the method according to A1, the monitoring technology include:File monitor technology, registry monitoring technology or net Network monitoring technology.
A3, the method according to A2, if the monitoring technology is file monitor technology, the behavior is corresponding to act bag Include:Read file, written document, modification file, deletion file, execution file and/or establishment file;
If the monitoring technology is registry monitoring technology, corresponding act of the behavior includes:In edit the registry with The list item of the configuration information association of file;
If the monitoring technology is Network Monitoring Technology, corresponding act of the behavior includes:Upper transmitting file and/or download File.
A4. The method according to A2, wherein the monitoring technology further includes monitoring the resource usage of programs, and performing behavior recognition according to the operation behavior request and obtaining the information of the operation behavior specifically includes:
obtaining the resource usage information of each program from the startup of the current client to the current time;
calculating the resource occupancy rate of each program according to the resource usage information of each program and the available resource information of the current client.
A5. The method according to any one of A1-A3, wherein a process white list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes:
querying whether the behavior-initiating process included in the information of the operation behavior belongs to the process white list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if so, judging that the operation behavior is not an abnormal behavior caused by a virus;
the method further includes: if the operation behavior is not an abnormal behavior caused by a virus, executing the operation behavior.
A6. The method according to any one of A1-A3, wherein a process black list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes:
querying whether the behavior-initiating process included in the information of the operation behavior belongs to the process black list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if not, judging that the operation behavior is an abnormal behavior caused by a virus.
A7. The method according to any one of A1-A3, wherein judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes:
judging whether the action of the behavior included in the information of the operation behavior is an abnormal action, and if so, judging that the operation behavior is an abnormal behavior caused by a virus.
A8. The method according to A7, wherein the abnormal action includes:
an action of reading, writing, modifying, deleting, executing and/or creating a file that is performed in a directory other than the normal installation directory or the user configuration directory;
or modifying a registry entry associated with the configuration information of a file so as to lower the security level of the file, or writing a released executable file into the startup items;
or uploading and/or downloading a file to or from a network address on a URL blacklist.
A9. The method according to any one of A1-A3, wherein judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes:
judging whether the object of the behavior included in the information of the operation behavior belongs to a file blacklist stored locally and/or in the cloud, and if so, judging that the operation behavior is an abnormal behavior caused by a virus.
B10. A file virus immunity device, including:
a monitoring module, adapted to receive the detection notification of the virus detection engine and to intercept, by a monitoring technology, an operation behavior request relevant to a file;
an identification module, adapted to perform behavior recognition according to the operation behavior request and to obtain the information of the operation behavior, the information of the operation behavior including the behavior-initiating process and the action and/or the object of the behavior;
a judge module, adapted to judge, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus;
a processing module, adapted to prompt the user through the prompt interface of the virus detection engine or to intercept the operation behavior when the judge module judges that the operation behavior is an abnormal behavior caused by a virus.
B11. The device according to B10, wherein the monitoring module is specifically adapted to intercept the operation behavior request relevant to a file by file monitoring technology, registry monitoring technology or network monitoring technology.
B12. The device according to B10, wherein if the monitoring module intercepts the operation behavior request relevant to a file by the file monitoring technology, the action of the behavior obtained by the identification module includes: the action of reading, writing, modifying, deleting, executing and/or creating a file;
if the monitoring module intercepts the operation behavior request relevant to a file by the registry monitoring technology, the action of the behavior obtained by the identification module includes: the action of modifying a registry entry associated with the configuration information of a file;
if the monitoring module intercepts the operation behavior request relevant to a file by the network monitoring technology, the action of the behavior obtained by the identification module includes: the action of uploading and/or downloading a file.
B13. The device according to B11, wherein the monitoring module is further adapted to monitor the resource usage of programs, and the identification module is specifically adapted to:
obtain the resource usage information of each program from the startup of the current client to the current time;
calculate the resource occupancy rate of each program according to the resource usage information of each program and the available resource information of the current client.
B14. The device according to any one of B10-B12, wherein a process white list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
the judge module is specifically adapted to query whether the behavior-initiating process included in the information of the operation behavior belongs to the process white list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if so, to judge that the operation behavior is not an abnormal behavior caused by a virus;
the processing module is further adapted to execute the operation behavior when the judge module judges that the operation behavior is not an abnormal behavior caused by a virus.
B15. The device according to any one of B10-B12, wherein a process black list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
the judge module is specifically adapted to query whether the behavior-initiating process included in the information of the operation behavior belongs to the process black list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if not, to judge that the operation behavior is an abnormal behavior caused by a virus.
B16. The device according to any one of B10-B12, wherein the judge module is specifically adapted to:
judge whether the action of the behavior included in the information of the operation behavior is an abnormal action, and if so, judge that the operation behavior is an abnormal behavior caused by a virus.
B17. The device according to B16, wherein the judge module is specifically adapted to:
judge whether the action of the behavior is an action of reading, writing, modifying, deleting, executing and/or creating a file performed in a directory other than the normal installation directory or the user configuration directory;
or judge whether the action of the behavior modifies a registry entry associated with the configuration information of a file so as to lower the security level of the file, or writes a released executable file into the startup items;
or judge whether the action of the behavior uploads and/or downloads a file to or from a network address on a URL blacklist.
B18. The device according to any one of B10-B12, wherein the judge module is specifically adapted to judge whether the object of the behavior included in the information of the operation behavior belongs to a file blacklist stored locally and/or in the cloud, and if so, to judge that the operation behavior is an abnormal behavior caused by a virus.
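A runnable model of the judge and processing modules described in A5, A6, A9 and B14, B15, B18, added here as an illustration; it is not the patent's or the assignee's code. The process names, file paths and list contents are constructed samples, and the lookup order for a list keyed by action and/or object (action-and-object first, then action only, then object only) is an assumed design. The process black list is coded exactly as the embodiments word it: when a black list is kept for the action and/or object and the initiating process is absent from it, the behavior is judged abnormal.

```python
"""Judge and processing modules of the file virus immunity device.

Added illustration, not the patent's or the assignee's code. Process names,
paths and list contents below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Action(str, Enum):
    READ = "read"
    WRITE = "write"
    MODIFY = "modify"
    DELETE = "delete"
    EXECUTE = "execute"
    CREATE = "create"
    REGISTRY_MODIFY = "registry_modify"
    UPLOAD = "upload"
    DOWNLOAD = "download"


class Outcome(str, Enum):
    EXECUTE = "execute"      # not abnormal: the request is carried out
    PROMPT = "prompt"        # abnormal: user prompted via the detection engine's prompt interface
    INTERCEPT = "intercept"  # abnormal: the request is blocked


@dataclass(frozen=True)
class BehaviorInfo:
    """Output of the identification module: initiating process, action, object."""
    process: str
    action: Action
    obj: str


# A list is "specified" for an action and/or an object; a None component means
# the entry applies regardless of that component (assumed representation).
ListKey = Tuple[Optional[Action], Optional[str]]
ProcessList = Dict[ListKey, Set[str]]


def _lookup(lists: ProcessList, info: BehaviorInfo) -> Optional[bool]:
    """True/False when a list is specified for this action/object (is the
    process on it?), None when no list is specified. Most specific key first."""
    for key in ((info.action, info.obj), (info.action, None), (None, info.obj)):
        procs = lists.get(key)
        if procs is not None:
            return info.process.lower() in procs
    return None


@dataclass
class JudgeModule:
    process_whitelist: ProcessList
    process_blacklist: ProcessList
    file_blacklist: Set[str]   # behaviour objects, stored as lower-case paths

    def is_abnormal(self, info: BehaviorInfo) -> Tuple[bool, str]:
        # A5 / B14: initiating process on the white list -> not abnormal
        if _lookup(self.process_whitelist, info) is True:
            return False, "initiating process on process white list"
        # A6 / B15, as the embodiments word it: a black list is kept for this
        # action/object and the process is NOT on it -> abnormal
        if _lookup(self.process_blacklist, info) is False:
            return True, "initiating process absent from process black list"
        # A9 / B18: behaviour object on the file black list -> abnormal
        if info.obj.lower() in self.file_blacklist:
            return True, "behaviour object on file black list"
        return False, "no rule matched"


def process_request(judge: JudgeModule, info: BehaviorInfo,
                    interactive: bool = True) -> Tuple[Outcome, str]:
    """Processing module: execute benign requests; prompt (interactive) or
    intercept (non-interactive) abnormal ones."""
    abnormal, reason = judge.is_abnormal(info)
    if not abnormal:
        return Outcome.EXECUTE, reason
    return (Outcome.PROMPT if interactive else Outcome.INTERCEPT), reason


REPORT = r"C:\Users\alice\Documents\report.docx"   # constructed sample object

# Constructed sample lists (placeholders, not product data)
SAMPLE_JUDGE = JudgeModule(
    process_whitelist={
        (Action.MODIFY, REPORT): {"winword.exe"},
        (Action.REGISTRY_MODIFY, None): {"msiexec.exe"},
    },
    process_blacklist={
        (Action.DELETE, REPORT): {"winword.exe", "explorer.exe"},
    },
    file_blacklist={r"c:\users\alice\appdata\local\temp\dropper.exe"},
)


if __name__ == "__main__":
    for info in (
        BehaviorInfo("winword.exe", Action.MODIFY, REPORT),
        BehaviorInfo("unknown.exe", Action.DELETE, REPORT),
        BehaviorInfo("cmd.exe", Action.EXECUTE, r"C:\Users\alice\AppData\Local\Temp\dropper.exe"),
    ):
        print(info.process, info.action.value, "->", process_request(SAMPLE_JUDGE, info))
```

The three-step order in `is_abnormal` is what makes the white list take precedence over the other two checks; a deployment that stores the lists in the cloud would only swap `_lookup` for a remote query and keep the same decision order.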

Claims (10)

1. A file virus immunization method, including:
after the detection notification task of the virus detection engine is issued, intercepting, by a monitoring technology, an operation behavior request relevant to a file;
performing behavior recognition according to the operation behavior request and obtaining the information of the operation behavior, the information of the operation behavior including the behavior-initiating process and the action and the object of the behavior, wherein the monitoring technology includes file monitoring technology, registry monitoring technology or network monitoring technology; if the monitoring technology is file monitoring technology, the action of the behavior includes reading, writing, modifying, deleting, executing and/or creating a file; if the monitoring technology is registry monitoring technology, the action of the behavior includes modifying a registry entry associated with the configuration information of a file; if the monitoring technology is network monitoring technology, the action of the behavior includes uploading and/or downloading a file;
judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus;
if the operation behavior is an abnormal behavior caused by a virus, prompting the user or intercepting the operation behavior;
wherein judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes: judging whether the action of the behavior included in the information of the operation behavior is an abnormal action, and if so, judging that the operation behavior is an abnormal behavior caused by a virus; the abnormal action includes: an action of reading, writing, modifying, deleting, executing and/or creating a file that is performed in a directory other than the normal installation directory or the user configuration directory; or modifying a registry entry associated with the configuration information of a file so as to lower the security level of the file, or writing a released executable file into the startup items; or uploading and/or downloading a file to or from a network address on a URL blacklist.
2. The method according to claim 1, wherein the monitoring technology further includes monitoring the resource usage of programs, and performing behavior recognition according to the operation behavior request and obtaining the information of the operation behavior specifically includes:
obtaining the resource usage information of each program from the startup of the current client to the current time;
calculating the resource occupancy rate of each program according to the resource usage information of each program and the available resource information of the current client.
3. The method according to claim 1, wherein a process white list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes:
querying whether the behavior-initiating process included in the information of the operation behavior belongs to the process white list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if so, judging that the operation behavior is not an abnormal behavior caused by a virus;
the method further includes: if the operation behavior is not an abnormal behavior caused by a virus, executing the operation behavior.
4. The method according to claim 1, wherein a process black list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes:
querying whether the behavior-initiating process included in the information of the operation behavior belongs to the process black list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if not, judging that the operation behavior is an abnormal behavior caused by a virus.
5. The method according to claim 1, wherein judging, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus specifically includes:
judging whether the object of the behavior included in the information of the operation behavior belongs to a file blacklist stored locally and/or in the cloud, and if so, judging that the operation behavior is an abnormal behavior caused by a virus.
6. A file virus immunity device, including:
a monitoring module, adapted to receive the detection notification of the virus detection engine and to intercept, by a monitoring technology, an operation behavior request relevant to a file;
an identification module, adapted to perform behavior recognition according to the operation behavior request and to obtain the information of the operation behavior, the information of the operation behavior including the behavior-initiating process and the action and the object of the behavior;
wherein the monitoring module is specifically adapted to intercept the operation behavior request relevant to a file by file monitoring technology, registry monitoring technology or network monitoring technology; if the monitoring module intercepts the operation behavior request relevant to a file by the file monitoring technology, the action of the behavior obtained by the identification module includes: the action of reading, writing, modifying, deleting, executing and/or creating a file; if the monitoring module intercepts the operation behavior request relevant to a file by the registry monitoring technology, the action of the behavior obtained by the identification module includes: the action of modifying a registry entry associated with the configuration information of a file; if the monitoring module intercepts the operation behavior request relevant to a file by the network monitoring technology, the action of the behavior obtained by the identification module includes: the action of uploading and/or downloading a file;
a judge module, adapted to judge, according to the information of the operation behavior, whether the operation behavior is an abnormal behavior caused by a virus;
a processing module, adapted to prompt the user through the prompt interface of the virus detection engine or to intercept the operation behavior when the judge module judges that the operation behavior is an abnormal behavior caused by a virus;
wherein the judge module is specifically adapted to judge whether the action of the behavior included in the information of the operation behavior is an abnormal action, and if so, to judge that the operation behavior is an abnormal behavior caused by a virus;
the judge module is further specifically adapted to judge whether the action of the behavior is an action of reading, writing, modifying, deleting, executing and/or creating a file performed in a directory other than the normal installation directory or the user configuration directory; or to judge whether the action of the behavior modifies a registry entry associated with the configuration information of a file so as to lower the security level of the file, or writes a released executable file into the startup items; or to judge whether the action of the behavior uploads and/or downloads a file to or from a network address on a URL blacklist.
7. The device according to claim 6, wherein the monitoring module is further adapted to monitor the resource usage of programs, and the identification module is specifically adapted to:
obtain the resource usage information of each program from the startup of the current client to the current time;
calculate the resource occupancy rate of each program according to the resource usage information of each program and the available resource information of the current client.
8. The device according to claim 6, wherein a process white list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
the judge module is specifically adapted to query whether the behavior-initiating process included in the information of the operation behavior belongs to the process white list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if so, to judge that the operation behavior is not an abnormal behavior caused by a virus;
the processing module is further adapted to execute the operation behavior when the judge module judges that the operation behavior is not an abnormal behavior caused by a virus.
9. The device according to claim 6, wherein a process black list corresponding to the action and/or the object of a specified behavior is stored locally and/or in the cloud;
the judge module is specifically adapted to query whether the behavior-initiating process included in the information of the operation behavior belongs to the process black list corresponding to the action and/or the object of the behavior included in the information of the operation behavior, and if not, to judge that the operation behavior is an abnormal behavior caused by a virus.
10. The device according to claim 6, wherein the judge module is specifically adapted to judge whether the object of the behavior included in the information of the operation behavior belongs to a file blacklist stored locally and/or in the cloud, and if so, to judge that the operation behavior is an abnormal behavior caused by a virus.
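The three abnormal-action rule groups of claim 1 (also A7, A8, B16 and B17), applied to requests intercepted by the file, registry and network monitoring technologies, written out as an added illustration; this is not the patent's or the assignee's code. The directory lists, registry key prefixes, URL blacklist and every sample event are constructed, and treating any change to a file-type configuration key as "lowering the security level of the file" is a simplification of the claim's wording.

```python
"""Abnormal-action rules of claim 1 applied to monitor events.

Added illustration, not the patent's or the assignee's code. Directory lists,
registry key prefixes, the URL blacklist and the sample events are constructed.
"""
import ntpath
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple
from urllib.parse import urlparse


class Monitor(str, Enum):
    FILE = "file"          # file monitoring technology
    REGISTRY = "registry"  # registry monitoring technology
    NETWORK = "network"    # network monitoring technology


@dataclass(frozen=True)
class MonitorEvent:
    """One operation behaviour request as a monitoring technology reports it."""
    monitor: Monitor
    process: str     # behaviour-initiating process
    action: str      # file: read/write/modify/delete/execute/create; registry: modify; network: upload/download
    target: str      # behaviour object: file path, registry value path or URL
    value: str = ""  # registry only: data being written (constructed field)


FILE_ACTIONS = {"read", "write", "modify", "delete", "execute", "create"}
NETWORK_ACTIONS = {"upload", "download"}

# Constructed sample configuration (placeholders, not product data).
INSTALL_DIRS = [r"C:\Program Files\ExampleApp"]
USER_CONFIG_DIRS = [r"C:\Users\alice\AppData\Roaming\ExampleApp"]
FILE_CONFIG_KEYS = [r"HKEY_CLASSES_ROOT", r"HKEY_CURRENT_USER\Software\Classes"]
STARTUP_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
]
URL_BLACKLIST = {"bad.example", "files.malware-host.example"}


def _under(path: str, roots: Iterable[str]) -> bool:
    """Case-insensitive test that a Windows path (or registry path) equals a root or lies below it."""
    p = ntpath.normcase(ntpath.normpath(path))
    for root in roots:
        r = ntpath.normcase(ntpath.normpath(root))
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def is_abnormal_action(ev: MonitorEvent) -> Tuple[bool, str]:
    """Apply the claim's three rule groups; return (abnormal, reason)."""
    if ev.monitor is Monitor.FILE:
        if ev.action not in FILE_ACTIONS:
            raise ValueError(f"unknown file action: {ev.action}")
        if _under(ev.target, INSTALL_DIRS) or _under(ev.target, USER_CONFIG_DIRS):
            return False, "file action inside the installation or user configuration directory"
        return True, f"file {ev.action} outside the installation and user configuration directories"

    if ev.monitor is Monitor.REGISTRY:
        # Writing an executable file into the startup items
        if _under(ev.target, STARTUP_KEYS) and ev.value.lower().endswith(".exe"):
            return True, "writes an executable file into the startup items"
        # Simplified reading of "lowers the security level of the file":
        # any change to a file-type configuration entry counts as abnormal.
        if _under(ev.target, FILE_CONFIG_KEYS):
            return True, "modifies a registry entry associated with file configuration"
        return False, "registry change outside file configuration and startup keys"

    if ev.monitor is Monitor.NETWORK:
        if ev.action not in NETWORK_ACTIONS:
            raise ValueError(f"unknown network action: {ev.action}")
        host = (urlparse(ev.target).hostname or "").lower()
        if host in URL_BLACKLIST:
            return True, f"{ev.action} to/from blacklisted address {host}"
        return False, "network address not on the URL blacklist"

    raise ValueError(f"unknown monitor: {ev.monitor}")


def abnormal_events(events: Iterable[MonitorEvent]) -> List[MonitorEvent]:
    """Filter a batch of monitor events down to those the rules flag."""
    return [ev for ev in events if is_abnormal_action(ev)[0]]


# Constructed sample events (not captured telemetry)
SAMPLE_EVENTS = [
    MonitorEvent(Monitor.FILE, "exampleapp.exe", "write", r"C:\Users\alice\AppData\Roaming\ExampleApp\settings.ini"),
    MonitorEvent(Monitor.FILE, "exampleapp.exe", "create", r"C:\Users\alice\AppData\Local\Temp\payload.exe"),
    MonitorEvent(Monitor.REGISTRY, "unknown.exe", "modify",
                 r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                 value=r"C:\Users\alice\AppData\Local\Temp\payload.exe"),
    MonitorEvent(Monitor.REGISTRY, "unknown.exe", "modify", r"HKEY_CLASSES_ROOT\.docx\shell\open\command", value="x"),
    MonitorEvent(Monitor.NETWORK, "unknown.exe", "upload", "https://files.malware-host.example/up"),
    MonitorEvent(Monitor.NETWORK, "exampleapp.exe", "download", "https://updates.example.com/app.zip"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.monitor.value, ev.process, ev.action, "->", is_abnormal_action(ev))
```

`ntpath` is used deliberately so the path prefix test behaves like Windows (case-insensitive, backslash-separated) even when the example is run on another platform; the same helper serves both the file-directory rule and the registry-key rules because registry paths share that shape.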
CN201310683012.4A 2013-12-12 2013-12-12 A kind of immune method and apparatus of file virus Active CN103679031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310683012.4A CN103679031B (en) 2013-12-12 2013-12-12 A kind of immune method and apparatus of file virus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310683012.4A CN103679031B (en) 2013-12-12 2013-12-12 A kind of immune method and apparatus of file virus

Publications (2)

Publication Number Publication Date
CN103679031A CN103679031A (en) 2014-03-26
CN103679031B true CN103679031B (en) 2017-10-31

Family

ID=50316541

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310683012.4A Active CN103679031B (en) 2013-12-12 2013-12-12 A kind of immune method and apparatus of file virus

Country Status (1)

Country Link
CN (1) CN103679031B (en)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105095741A (en) * 2014-05-13 2015-11-25 北京奇虎测腾科技有限公司 Behavior monitoring method and behavior monitoring system of application program
US20160381051A1 (en) * 2015-06-27 2016-12-29 Mcafee, Inc. Detection of malware
CN106709334A (en) * 2015-11-17 2017-05-24 阿里巴巴集团控股有限公司 Method, device and system for detecting intrusive script files
CN105760759A (en) * 2015-12-08 2016-07-13 哈尔滨安天科技股份有限公司 Method and system for protecting documents based on process monitoring
CN105389521B (en) * 2015-12-18 2019-08-23 北京金山安全管理系统技术有限公司 The method that file carries out safeguard protection in a kind of pair of computer system
CN105653974B (en) * 2015-12-23 2019-07-23 北京奇虎科技有限公司 A kind of document means of defence and device
CN107102937B (en) * 2016-02-19 2021-03-02 腾讯科技(深圳)有限公司 User interface testing method and device
CN105893846A (en) * 2016-04-22 2016-08-24 北京金山安全软件有限公司 Method and device for protecting target application program and electronic equipment
CN106022118A (en) * 2016-05-20 2016-10-12 北京金山安全软件有限公司 Security protection processing method and device
CN106548070A (en) * 2016-07-18 2017-03-29 北京安天电子设备有限公司 A kind of method and system that blackmailer's virus is defendd in stand-by time
CN106874759B (en) * 2016-09-26 2020-04-28 深圳市安之天信息技术有限公司 Identification method and system for Trojan horse randomized behavior
CN106778232A (en) * 2016-12-26 2017-05-31 努比亚技术有限公司 A kind of information analysis method and electronic equipment
JP2020522808A (en) * 2017-05-30 2020-07-30 サイエンプティブ テクノロジーズ インコーポレイテッド Real-time detection of malware and steganography in kernel mode and protection from malware and steganography
CN108121913A (en) * 2017-09-26 2018-06-05 江苏神州信源系统工程有限公司 A kind of operation management method and device
CN107871079A (en) * 2017-11-29 2018-04-03 深信服科技股份有限公司 A kind of suspicious process detection method, device, equipment and storage medium
CN109472144B (en) * 2017-12-29 2021-09-28 北京安天网络安全技术有限公司 Method, device and storage medium for operating file by defending virus
CN109241734A (en) * 2018-08-10 2019-01-18 航天信息股份有限公司 A kind of securing software operational efficiency optimization method and system
CN109492391B (en) * 2018-11-05 2023-02-28 腾讯科技(深圳)有限公司 Application program defense method and device and readable medium
CN109446030A (en) * 2018-11-12 2019-03-08 北京芯盾时代科技有限公司 A kind of behavior monitoring method and device
CN109815701B (en) * 2018-12-29 2022-04-22 奇安信安全技术(珠海)有限公司 Software security detection method, client, system and storage medium
CN115114622A (en) * 2021-03-23 2022-09-27 奇安信科技集团股份有限公司 Virus scanning and displaying method and system
CN114900326B (en) * 2022-03-30 2024-08-27 深圳市国电科技通信有限公司 Method, system and storage medium for monitoring and protecting terminal instruction operation
CN114861183A (en) * 2022-06-07 2022-08-05 珠海豹好玩科技有限公司 Document macro security detection method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7917955B1 (en) * 2005-01-14 2011-03-29 Mcafee, Inc. System, method and computer program product for context-driven behavioral heuristics
CN102194072A (en) * 2011-06-03 2011-09-21 奇智软件(北京)有限公司 Method, device and system used for handling computer virus
CN102629310A (en) * 2012-02-29 2012-08-08 卡巴斯基实验室封闭式股份公司 System and method for protecting computer system from being infringed by activities of malicious objects
CN102646173A (en) * 2012-02-29 2012-08-22 成都新云软件有限公司 Safety protection control method and system based on white and black lists
CN102867146A (en) * 2012-09-18 2013-01-09 珠海市君天电子科技有限公司 Method and system for preventing computer virus from frequently infecting systems

Also Published As

Publication number Publication date
CN103679031A (en) 2014-03-26

Similar Documents

Publication Publication Date Title
CN103679031B (en) A kind of immune method and apparatus of file virus
US12079757B2 (en) Endpoint with remotely programmable data recorder
US11636206B2 (en) Deferred malware scanning
Arshad et al. SAMADroid: a novel 3-level hybrid malware detection model for android operating system
US10762206B2 (en) Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
US10419222B2 (en) Monitoring for fraudulent or harmful behavior in applications being installed on user devices
KR101558715B1 (en) System and Method for Server-Coupled Malware Prevention
US20110041179A1 (en) Malware detection
CN110071924B (en) Big data analysis method and system based on terminal
JP2020181567A (en) System and method for performing task on computing device based on access right
US20220237289A1 (en) Automated malware classification with human-readable explanations
Al Shamsi Mapping, Exploration, and Detection Strategies for Malware Universe
Irolla Formalization of Neural Network Applications to Secure 3D Mobile Applications
Marcelli et al. Machine Learning and other Computational-Intelligence Techniques for Security Applications.
Milošević Malware detection at runtime for resource-constrained mobile devices

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.