
CN1581088A - Method and device for preventing computer virus - Google Patents

Info

Publication number: CN1581088A
Authority: CN (China)
Prior art keywords: file, application, information, application program, application file
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN 03143793
Other languages: Chinese (zh)
Other versions: CN1329828C (en)
Inventors: 李刚, 夏泉源
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB031437931A (granted as CN1329828C)
Publication of CN1581088A
Application granted
Publication of CN1329828C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method for preventing computer viruses. The method comprises the steps of: establishing an original information file containing information about an application program file that is not infected with a virus; when the application program file requests to run, extracting the information of the application program file to generate a new information file; comparing the new and original information files; and controlling the running of the application program file according to the comparison result. The invention also provides a device for implementing the above method, comprising a control device, a detection device and an information generation device: when an application program file requests to run, the control device directs the detection device to invoke the information generation device to detect whether the program file has been changed, and controls the running of the application program file according to the detection result. With the invention, viruses that spread by infecting the program files of computer applications can be controlled effectively without frequent upgrades; in particular, it provides good protection against new viruses that have not yet been discovered, and it is simple and effective.

Description

Method and device for preventing computer viruses

Technical field

The invention relates to computer virus prevention technology, and in particular to a method and device for preventing computer viruses.

Background art

With the development of computer technology, the variety and harm of computer viruses keep growing. They cause hardware damage, data loss, or loss of normal operation, and have already inflicted great impact and losses on computer users. Computer viruses are highly contagious and infectious; they spread mainly over the network or by infecting executable programs on the computer. At present, computer viruses are mostly detected and removed with antivirus software, which generally consists of a scan engine and a virus signature database (virus definitions). The scan engine checks the files on the computer against the signature codes in the virus signature database; if a matching signature is found, the file is known to be infected by a specific virus, and the antivirus software takes the appropriate measures to remove it. Preventing computer viruses with antivirus software requires frequent updates of the signature database, because each new computer virus has a signature that differs from those of known viruses; only after a new virus has appeared and been analysed can its signature be found and added to the existing database, so the antivirus software must be upgraded continually before it can detect and remove new viruses. This method therefore always lags behind the appearance of new viruses: a new virus lying dormant in a normal program or data file that has not yet activated cannot be found, and so new viruses cannot be prevented. Once a new virus meets its trigger conditions it damages the computer system, at best disrupting normal operation and at worst paralysing the system or even destroying its hardware, causing serious economic losses.

Summary of the invention

The object of the invention is to overcome the above shortcomings of the prior art and to provide a method and device for preventing computer viruses that prohibit an application program infected by a computer virus from running, thereby cutting off the spread of viruses through infected application program files.

The invention provides a method for preventing computer viruses, the method comprising the steps of:

establishing an original information file containing information about an application program file that is not infected with a virus;

when the application program file requests to run, extracting the information of the application program file to generate a new information file;

judging whether the new information file and the original information file are the same;

if they are the same, the application program file is normal and is started normally;

if they are not the same, the application program file may be infected with a virus, and it is prohibited from starting.

Preferably, the step of establishing the original information file containing the information of the uninfected application program file comprises: using a predetermined algorithm to generate a checksum file for the uninfected application program file, as the original information file of that application program file.

Preferably, the step of extracting the information of the application program file to generate a new information file when the application program file requests to run comprises the steps of:

registering with the system the need to be notified when the application program file runs;

when the application program file requests to run, receiving the notification that the application program file is running;

establishing the new information file of the application program file according to the notification.

Further, the step of establishing the new information file of the application program file according to the notification comprises the steps of:

judging whether an original information file corresponding to the application program file exists;

if the original information file of the application program file exists, establishing the new information file of the application program file;

if the original information file of the application program file does not exist, returning an error message to the system.

Preferably, the step of establishing the new information file of the application program file when its original information file exists comprises: using the same algorithm that was used to establish the original information file of the application program file to generate a new checksum file for the application program file, as the new information file of that application program file.

Preferably, the step of returning an error message to the system when the original information file of the application program file does not exist comprises: after the system receives the error message, prohibiting the application program file from starting.

The invention also provides a device for implementing the above method, the device comprising:

an information generation device, for reading the application program file and generating, according to a predetermined algorithm, an original information file containing the information of the application program file, and, when the application program file requests to run, generating a new information file containing the information of that application program file;

a detection device, for detecting, according to the information files generated by the information generation device, whether the application program file has been changed;

a control device, for accepting the registration and deregistration by the detection device of the application program files that need to be checked, and, when an application program file requests to run, notifying the detection device to check the application program file and controlling the running of the application program file according to the detection result of the detection device.

The information generation device further comprises an information generation control device, for controlling, according to system requirements, the generation of the content of the information files by the predetermined algorithm.

Preferably, the detection device further comprises:

a registration/deregistration device, for registering the original information files of the application program files with the control device when the system starts, so that the control device sends a notification to the detection device whenever an application program file requests to run, and for cancelling the registration with the control device when the system stops running;

a message interaction/processing device, for exchanging messages with the control device and for controlling the information generation device according to the messages from the control device;

a verification device, for comparing, when an application program file requests to run, the new information file of the application program file generated by the information generation device with the original information file corresponding to the application program file.

Preferably, the message interaction/processing device comprises:

a notification processing device, for controlling the information generation device to invoke the information generation control device to generate the new information file of the application program file after the detection device receives the application program file run notification from the control device;

a verification result transmission device, for transmitting the verification result of the verification device to the control device.

With the invention, viruses that spread by infecting the program files of computer applications can be controlled effectively without frequent upgrades; in particular, it provides good protection against new viruses that have not yet been discovered, and it is simple and effective.

Brief description of the drawings

Fig. 1 is a flowchart of the steps of the method for preventing computer viruses according to a preferred embodiment of the invention;

Fig. 2 is a block diagram of the components of the device for preventing computer viruses according to the invention.

Detailed description of the embodiments

To help those skilled in the art understand the invention better, the invention is described in further detail below with reference to the drawings and embodiments.

Because a virus that spreads by infecting executable programs must lodge itself in the program file of the executable, generating a checksum file for the executable program file before it is infected, and then recomputing and comparing the checksum when the program is executed, reveals whether the file has been infected by a virus, so that the virus can be stopped before it activates.

Referring to Fig. 1, which depicts the flow of the steps of the method for preventing computer viruses according to the preferred embodiment of the invention:

First, in step 10, before the system runs, a checksum file is generated with a predetermined algorithm for the program file of each application program that needs to be executed; at this time the application program file is not infected with a virus;

proceeding to step 11, the need to be notified when that application program file runs is registered with the system;

then, in step 12, the process waits for the notification that the application program file is running;

proceeding to step 13, when the application program file requests to run, the notification that the application program file is running is received;

after receiving the notification that the application program file is running, the process first goes to step 14 and checks whether the checksum file corresponding to the application program file exists;

if the checksum file corresponding to the application program file does not exist, the process goes to step 18 and returns a failure message to the operating system; on receiving this message, the operating system blocks the application program file, preventing any virus that may be in it from activating and so protecting computer resources from damage;

then the process returns to step 12 and waits for the next program run notification;

if the checksum file corresponding to the application program file exists, the process goes to step 15, reads the application program file and computes its new checksum with the established algorithm;

then, in step 16, the newly computed checksum of the application program file is compared with the checksum stored in the checksum file corresponding to that application program file;

if they agree, the application program file has not changed; the process goes to step 17 and returns a success message to the operating system, which allows the application program to start and run normally;

if they do not agree, the application program file has changed and may be infected by a virus; the process goes to step 18 and returns a failure message to the operating system, which on receiving it blocks the application program file, preventing any virus that may be in it from activating and so protecting computer resources from damage.

The invention also provides a device corresponding to the method for preventing computer viruses, which is described in detail below with reference to Fig. 2.

Fig. 2 is a block diagram of the components of the device for preventing computer viruses according to the invention:

The device consists of three parts: a control device 10, a detection device 20 and an information generation device 30. The detection device 20 comprises a registration/deregistration device 201, a notification processing device 202, a verification result transmission device 203 and a verification device 204; in the invention, the notification processing device 202 and the verification result transmission device 203 are integrated into a message interaction/processing device. The information generation device 30 comprises an information generation control device 301. The technical features of each component are described in turn below:

The control device 10 accepts, when the system starts, the registration by the registration/deregistration device 201 of the detection device 20 of the original information files containing the original information of the application program files, and the cancellation of that registration after the system stops running; and, when an application program file requests to run, it notifies the detection device 20 to check that application program file and controls the running of the application program file according to the detection result transmitted by the verification result transmission device 203 of the detection device 20.

The information generation device 30 reads an application program file and generates, according to a predetermined algorithm, an information file containing the information of that application program file; and when an application program file requests to run, it generates a new information file containing the information of that application program file. Within it, the information generation control device 301 controls, according to system requirements, the generation of the content of the information file by the predetermined algorithm.

The detection device 20 detects, according to the information files generated by the information generation device 30, whether an application program file that requests to run has been changed. It comprises:

the registration/deregistration device 201, coupled to the control device 10, which registers the original information files of the application program files with the control device 10 when the system starts, so that the control device 10 sends a notification to the detection device 20 whenever an application program file requests to run, and which cancels the registration with the control device 10 when the system stops running;

the notification processing device 202, coupled to the control device 10, which, after the detection device 20 receives the application program file run notification from the control device 10, controls the information generation device 30 to invoke the information generation control device 301 to generate the new information file of that application program file;

the verification device 204, coupled to the information generation device 30, which, when an application program file requests to run, compares the new information file of the application program file generated by the information generation device 30 with the original information file corresponding to that application program file;

the verification result transmission device 203, which transmits the comparison result of the verification device 204 to the control device 10.

The detailed working of the device of the invention is explained below with an example:

First, the information generation device 30 computes, with the CRC32 algorithm provided by the information generation control device 301, a checksum file mspaint.CRC32 for the uninfected executable program file mspaint.exe, and the registration/deregistration device 201 registers this file with the control device 10;

When an infected mspaint.exe file is started, the control device 10 notifies the detection device 20. On receiving the notification, the detection device 20 looks for the file mspaint.CRC32; if it does not exist, it sends a lookup failure message to the control device 10, which on receiving this message prohibits mspaint.exe from running. If mspaint.CRC32 exists, the notification processing device 202 controls the information generation device 30 to read the contents of mspaint.exe and to invoke the CRC32 algorithm provided by the information generation control device 301 to compute a CRC32 checksum over the file contents; the computed checksum is passed to the verification device 204, which compares it with the checksum stored in mspaint.CRC32. If the comparison result does not agree, a failure message is sent to the control device 10, which on receiving it notifies the operating system to prohibit mspaint.exe from running; if the comparison result agrees, a success message is sent to the control device 10, which on receiving it allows mspaint.exe to run normally. When the device exits, the registration/deregistration module is invoked to cancel the registration with the operating system.
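As an added example (not code from the patent or from Huawei), the launch-time check of steps 10 to 18 and the mspaint.exe/CRC32 walkthrough above, in Python: a baseline file is written for a clean executable, and a later run request is allowed only if the same algorithm reproduces the stored value. The file names, the hex encoding of the checksum file and the fake executable bytes are constructed assumptions.

```python
"""Launch-time integrity gate in the style of CN1581088A.

A baseline checksum file ("original information file") is written for each
known-clean executable.  Whenever the executable is about to run, the same
algorithm is applied again and the result compared; a missing baseline or a
mismatch refuses the launch.  Assumed details: the baseline is stored as a hex
string in <name>.CRC32 next to the executable, and the sample files are
constructed byte strings, not real programs.
"""
import os
import tempfile
import zlib
from enum import Enum
from typing import Callable

# The "information generation control device": the checksum algorithm.  CRC32
# follows the patent's example; any callable with this signature can be
# substituted, since the patent leaves the choice of algorithm open.
Algorithm = Callable[[bytes], str]


def crc32_hex(data: bytes) -> str:
    """CRC32 of data as 8 hex digits (zlib.crc32 masked to 32 bits)."""
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)


class Decision(Enum):
    ALLOW = "allow"                        # step 17: success message to the OS
    DENY_NO_BASELINE = "deny-no-baseline"  # step 14 -> 18: no checksum file found
    DENY_MODIFIED = "deny-modified"        # step 16 -> 18: checksums disagree


def baseline_path(app_path: str, suffix: str = ".CRC32") -> str:
    """Name of the original information file: mspaint.exe -> mspaint.CRC32."""
    root, _ext = os.path.splitext(app_path)
    return root + suffix


def create_baseline(app_path: str, algorithm: Algorithm = crc32_hex) -> str:
    """Step 10: record the checksum of a file that is known to be clean."""
    with open(app_path, "rb") as f:
        digest = algorithm(f.read())
    path = baseline_path(app_path)
    with open(path, "w", encoding="ascii") as f:
        f.write(digest + "\n")
    return path


def check_before_run(app_path: str, algorithm: Algorithm = crc32_hex) -> Decision:
    """Steps 14-18: called when the system reports that app_path wants to run.

    The algorithm passed here must be the one used for create_baseline, as the
    patent requires (claim 5)."""
    path = baseline_path(app_path)
    if not os.path.isfile(path):           # step 14: no original information file
        return Decision.DENY_NO_BASELINE
    with open(path, "r", encoding="ascii") as f:
        expected = f.read().strip()
    with open(app_path, "rb") as f:        # step 15: recompute with the same algorithm
        actual = algorithm(f.read())
    if actual == expected:                 # step 16: compare old and new information
        return Decision.ALLOW
    return Decision.DENY_MODIFIED


def demo() -> dict:
    """Exercise the three outcomes on constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a clean executable (not a real PE file).
        app = os.path.join(d, "mspaint.exe")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed clean program body")
        create_baseline(app)
        results["clean"] = check_before_run(app)

        # The file's contents change after the baseline was taken, which is what
        # a file-infecting virus does; the gate must now refuse the launch.
        with open(app, "ab") as f:
            f.write(b"bytes appended after the baseline was recorded")
        results["modified"] = check_before_run(app)

        # A program that was never baselined is refused as well (step 14 -> 18).
        other = os.path.join(d, "notepad.exe")
        with open(other, "wb") as f:
            f.write(b"MZ program with no original information file")
        results["no_baseline"] = check_before_run(other)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.value}")
```

CRC32 is an error-detecting code rather than a cryptographic hash, so where the baseline must resist deliberate tampering a collision-resistant hash such as SHA-256 can be passed as the algorithm parameter, which the patent's pluggable algorithm allows.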

The device can detect viruses that infect executable program files, such as Kziz (Christmas CIH) and the I-Worm.Klez.E worm, all of which rewrite the contents of the file when they infect an executable program file; the device does not distinguish which particular virus has infected it. After the device is installed, every application program file that needs to be executed on the system must, before it is infected, have an original information file containing its information generated by the information generation device of the device; each application program file corresponds to a unique original information file (for example, in the example above the information file corresponding to mspaint.exe is mspaint.CRC32), and these original information files are stored in the system. When an application program file needs to run, the algorithm with which the information generation device generates the new information file of the requesting application program file is provided by the information generation control device within the information generation device and is the same as the algorithm used to generate the original information file of that application program file. In this way, comparing the old and new information of the application program file reveals whether the application program file has been modified, and thus controls whether the application program file runs. This effectively prevents the spread of certain computer viruses by infecting application programs, and the damage done to the system when a virus activates.

Although the invention has been described by means of embodiments, those of ordinary skill in the art will recognise that the invention admits many variations and changes without departing from its spirit: for example, there may be many different ways for the information generation device to generate the information file of an application program, and likewise the algorithm provided by the information generation control device may take many forms. It is intended that the appended claims cover these variations and changes without departing from the spirit of the invention.

Claims (10)

1、一种防止计算机病毒的方法,其特征在于,所述方法包括步骤:1, a kind of method for preventing computer virus, it is characterized in that, described method comprises steps: 建立包含未感染病毒的应用程序文件信息的原始信息文件;Create an original information file containing information about the application file that is not infected with a virus; 当所述应用程序文件请求运行时,提取所述应用程序文件的信息,以生成新的信息文件;When the application file requests to run, extract the information of the application file to generate a new information file; 判断所述新的信息文件和所述原始信息文件是否相同;judging whether the new information file is the same as the original information file; 如果相同,则表明所述应用程序文件正常,正常启动所述应用程序文件;If the same, it indicates that the application file is normal, and the application file is started normally; 如果不相同,则表明所述应用程序文件有可能感染病毒,禁止启动所述应用程序文件运行。If not, it indicates that the application program file may be infected with a virus, and it is forbidden to start the application program file to run. 2、如权利要求1所述的防止计算机病毒的方法,其特征在于,所述建立包含未感染病毒的应用程序文件信息的原始信息文件的步骤包括:使用预定的算法为所述未感染病毒的应用程序文件生成一个校验和文件,作为该应用程序文件的原始信息文件。2. The method for preventing computer viruses as claimed in claim 1, characterized in that the step of establishing the original information file containing the information of the application program file information not infected with the virus comprises: using a predetermined algorithm for the The application file generates a checksum file as the original information file of the application file. 3、如权利要求2所述的防止计算机病毒的方法,其特征在于,所述当所述应用程序文件请求运行时,提取所述应用程序文件的信息,以生成新的信息文件的步骤包括步骤:3. 
The method for preventing computer viruses as claimed in claim 2, wherein the step of extracting the information of the application file to generate a new information file when the application file requests to run comprises the steps of:
registering with the system for notification of the running of said application file;
when said application file requests to run, obtaining the notification of the running of said application file;
creating a new information file of said application file according to said notification.

4. The method for preventing computer viruses as claimed in claim 3, wherein said step of creating a new information file of said application file according to said notification comprises the steps of:
judging whether an original information file corresponding to said application file exists;
if the original information file of said application file exists, creating a new information file of said application file;
if the original information file of said application file does not exist, returning an error message to said system.

5. The method for preventing computer viruses as claimed in claim 4, wherein said step of creating a new information file of said application file if the original information file of said application file exists comprises: using the same algorithm that was used to create the original information file of said application file to generate a new checksum file for said application file, as the new information file of said application file.

6. The method for preventing computer viruses as claimed in claim 4, wherein said step of returning an error message to said system if the original information file of said application file does not exist comprises: after said system receives said error message, prohibiting said application file from being started.

7. A device for preventing computer viruses, characterized in that the device comprises:
an information generating device for reading said application file and generating, according to a predetermined algorithm, an original information file containing the information of said application file, and, when said application file requests to run, generating a new information file containing the information of that application file;
a detecting device for detecting, according to the information files generated by said information generating device, whether said application file has been changed;
a control device for receiving from said detecting device the registration and cancellation of said application file that is to be detected, and, when said application file requests to run, notifying said detecting device to detect said application file and controlling the running of said application file according to the detection result of said detecting device.

8. The device for preventing computer viruses as claimed in claim 7, wherein said information generating device further comprises: an information generation control device for controlling, according to the needs of the system and a predetermined algorithm, the generation of the content of said information file.

9. The device for preventing computer viruses as claimed in claim 7, wherein said detecting device further comprises:
a registration/cancellation device for registering the original information file of said application file with said control device when said system starts, so that said control device sends a notification to said detecting device when an application file requests to run, and for cancelling that registration with said control device when said system stops running;
a message interaction/processing device for exchanging messages with said control device and completing the control of said information generating device according to the messages from said control device;
a verification device for comparing, when an application file requests to run, the new information file of said application file generated by said information generating device with the original information file corresponding to said application file.

10. The device for preventing computer viruses as claimed in claim 9, wherein said message interaction/processing device comprises:
a notification processing device for controlling said information generating device to invoke said information generation control device to generate the new information file of said application file after said detecting device receives the application file running notification from said control device;
a verification result transmission device for transmitting the verification result of said verification device to said control device.
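As an added example (not code from the patent), the launch-time check that claims 3 to 6 describe: a baseline checksum is registered for each application file, recomputed with the same algorithm on a run request, and a missing baseline is treated as an error that blocks the start. SHA-256 stands in for the unnamed "predetermined algorithm", and the names generate_information_file, LaunchGuard and demo are hypothetical.

```python
import hashlib
import os
import tempfile

# Assumed "predetermined algorithm" (claims 5 and 7): the patent names none; SHA-256 is used here.
ALGORITHM = "sha256"


def generate_information_file(app_path, algorithm=ALGORITHM):
    """Information generating device: read the application file and return its checksum."""
    h = hashlib.new(algorithm)
    with open(app_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class LaunchGuard:
    """Control device and detecting device in one object (hypothetical name)."""

    def __init__(self):
        self.baselines = {}  # application path -> original information file (checksum)

    def register(self, app_path):
        """Registration at system start (claim 9): record the original information file."""
        self.baselines[app_path] = generate_information_file(app_path)

    def on_run_request(self, app_path):
        """Run notification (claim 3): recompute with the same algorithm and compare (claim 5)."""
        original = self.baselines.get(app_path)
        if original is None:
            return "deny", "no original information file"  # error path of claims 4 and 6
        if generate_information_file(app_path) != original:
            return "deny", "application file changed"
        return "allow", "information files match"


def demo():
    """Constructed scenario: an unchanged file, a file altered after registration, an unregistered file."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("clean.bin", "altered.bin", "unknown.bin")}
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(b"MZ constructed program image")
    guard = LaunchGuard()
    guard.register(paths["clean.bin"])
    guard.register(paths["altered.bin"])
    with open(paths["altered.bin"], "ab") as f:  # the file changes between registration and launch
        f.write(b"\x90")
    return {n: guard.on_run_request(p) for n, p in paths.items()}
```

The baselines here live in memory; in a real deployment the original information files must themselves be protected from modification, and the check must cover the exact image the loader is about to execute, not a copy that can change afterwards.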
CNB031437931A 2003-08-06 2003-08-06 Method and device for preventing computer virus Expired - Fee Related CN1329828C (en)

Priority Applications (1), Applications Claiming Priority (1), Family Applications (1)

Application Number Priority Date Filing Date Title Status
CNB031437931A CN1329828C (en) 2003-08-06 2003-08-06 Method and device for preventing computer virus Expired - Fee Related

Publications (2)

Publication Number Publication Date
CN1581088A (en) 2005-02-16
CN1329828C (en) 2007-08-01

Family ID: 34579525

Country Status (1)

Country Link
CN (1) CN1329828C (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5050212A (en) * 1990-06-20 1991-09-17 Apple Computer, Inc. Method and apparatus for verifying the integrity of a file stored separately from a computer
US5473769A (en) * 1992-03-30 1995-12-05 Cozza; Paul D. Method and apparatus for increasing the speed of the detecting of computer viruses
US5613002A (en) * 1994-11-21 1997-03-18 International Business Machines Corporation Generic disinfection of programs infected with a computer virus
CN1107263C (en) * 1995-01-24 2003-04-30 西南石油学院 Technology and hardware for prevention and treatment of computer virus
CN1241124C (en) * 2001-09-14 2006-02-08 北京瑞星科技股份有限公司 Method for fully controlling files in computer system

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100353277C (en) * 2005-07-27 2007-12-05 毛德操 Implementing method for controlling computer virus through proxy technique
CN100389372C (en) * 2005-08-16 2008-05-21 联想(北京)有限公司 System and method in use for ensuring program runs in oringinal state
WO2009049554A1 (en) * 2007-10-15 2009-04-23 Beijing Rising International Software Co., Ltd. Method and apparatus for safeguarding automatically harmful computer program
US8561192B2 (en) 2007-10-15 2013-10-15 Beijing Rising Information Technology Co., Ltd. Method and apparatus for automatically protecting a computer against a harmful program
US8898775B2 (en) 2007-10-15 2014-11-25 Bejing Rising Information Technology Co., Ltd. Method and apparatus for detecting the malicious behavior of computer program
WO2010009625A1 (en) * 2008-07-24 2010-01-28 成都市华为赛门铁克科技有限公司 Computer file detecting method and device
WO2010012175A1 (en) * 2008-07-31 2010-02-04 华为技术有限公司 Method and device for inspecting file
CN103853975A (en) * 2012-11-28 2014-06-11 联想(北京)有限公司 Information processing method and electronic device
CN103632089A (en) * 2013-12-16 2014-03-12 北京网秦天下科技有限公司 Security detection method, device and system of application installation package

Also Published As

Publication number Publication date
CN1329828C (en) 2007-08-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070801

Termination date: 20200806