CN101382984A - Method for scanning and detecting generalized unknown virus - Google Patents


Info

Publication number
CN101382984A
Authority
CN
China
Prior art keywords
virus
file
scanning
changes
database
Prior art date
Legal status
Pending
Application number
CNA200710030109XA
Other languages
Chinese (zh)
Inventor
江启煜
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date

Abstract

The invention relates to a method for scanning for and detecting generalized unknown viruses. A virus surface-behaviour feature database is built from the relatively specific changes that a computer virus's activity produces in a system, and the system is scanned for suspected viruses against it; at the same time, a large number of normal programs are tested to build a pseudo-virus surface-behaviour feature database, which is used for a second check on the suspected virus files so that normal programs are excluded. The file surface features and file content features of the scanned suspected virus files are extracted automatically to build a temporary signature database, with which the whole system is scanned in order to remove residual virus bodies. Detected suspected virus files are then handled accordingly. The method can detect most known viruses and generalized unknown viruses without depending on a signature database and, compared with existing scanning and detection technology, has the clear advantages of a lower database update frequency, faster scanning and detection, and lower resource consumption.

Description

A method for scanning for and detecting generalized unknown viruses
Technical field
The present invention relates to a method for scanning for and detecting generalized unknown viruses. Compared with existing anti-computer-virus technology, the present invention can scan for and detect most known viruses and unknown viruses in the broad sense without relying on a signature database.
Background technology
Although numerous anti-computer-virus products have appeared amid the rapid development of information technology, and they do play a certain role in scanning for and detecting known computer viruses, they cannot effectively resist unknown viruses, and unknown viruses have become a major threat to information security.
Existing computer virus scanning and detection technology falls mainly into three kinds: heuristic code scanning, signature scanning, and auxiliary signature scanning.
(1) Heuristic code scanning: a dynamic high-level emulator or decompiler implemented in a particular way decompiles the relevant instruction sequences and, by limited weighted calculation, judges whether a virus-instruction threshold is reached, progressively understanding and determining the real intent they contain. It is effective only against the subset of unknown viruses that carry typical viral instruction sequences; unknown viruses with a certain logical complexity cannot be recognised.
(2) Signature scanning: mainly comprises wide-spectrum signature scanning and non-wide-spectrum signature scanning. Known computer viruses are scanned for according to the signatures in a virus signature library; unknown viruses cannot be scanned for, and anti-virus capability depends on the size and update frequency of the virus library.
(3) Auxiliary signature scanning: mainly comprises virtual-machine unpacking and packer-signature-library scanning. Both unpack packed executables and then carry out signature scanning again, so they are merely auxiliaries to signature-based virus removal. They can detect only some unknown variants of known viruses and cannot scan for entirely new unknown viruses.
Summary of the invention
The present invention effectively solves the above problems: it can scan for and detect most known viruses and unknown viruses in the broad sense without relying on a signature database, remedies the defects of current computer virus scanning and detection technology, and protects the information security of computers and users.
The present invention relates to a method for scanning for and detecting generalized unknown viruses, characterised in that:
A virus surface-behaviour feature database is constructed from the surface-behaviour features of computer viruses, and a pseudo-virus surface-behaviour feature database is constructed at the same time. When scanning and detecting viruses in a system, a two-way judgement is made: whether the object is a virus is judged against the virus surface-behaviour feature database, and whether it is a normal program is judged against the pseudo-virus surface-behaviour feature database. This method can scan for and detect most known viruses and generalized unknown viruses that have been activated in the system or have the potential to be activated. For the suspected virus files found by this scan, their file surface features and file content features are extracted automatically to form a temporary signature database, with which the computer system is scanned comprehensively. This finds all viruses in the system similar to the suspected virus files, including similar viruses with the potential to be activated.
In the present invention, unknown viruses in the broad sense include all traditional viruses, Trojan horses, worms, spyware, malicious programs and rogue programs.
In the present invention, the surface-behaviour features of a computer virus are the changes that a virus causes in a system when it performs virus behaviour and that normal programs rarely cause; the set of such system changes is called the virus surface-behaviour features. The changes of this kind that a minority of normal programs cause in a system are called the pseudo-virus surface-behaviour features of normal programs. Virus surface-behaviour features are common to computer viruses and remain relatively fixed over a considerable time, so the virus surface-behaviour feature database needs to be updated only very infrequently.
In the present invention, an activated virus is a virus that has been loaded into memory; a virus with the potential to be activated is one that runs automatically with the system or with some program, or that runs automatically under a particular system condition.
The method for scanning for and detecting generalized unknown viruses on which the present invention is based is characterised by comprising the following processes:
1. Construction of the virus surface-behaviour feature database
A large number of computer virus samples are analysed and studied; the changes they produce in the system registry, memory, special system areas and network ports are collected and compared with the changes normal programs produce in those areas; the relatively specific changes produced by computer viruses are extracted; and the virus surface-behaviour feature database is built from them.
System registry changes comprise changes to conventional startup items, unconventional startup items and system service items. Their virus surface-behaviour features mainly comprise:
1) The normal value has been modified; where the sub-item's normal value is empty, any added value is a suspected virus.
2) Masquerading as a system file.
3) Located in a special folder, for example Local Settings, TEMP, DRIVERS or the Internet Explorer folder.
4) No version information, and located in the WINDOWS folder.
5) Has the hidden attribute.
6) Abnormal extension or file name.
System memory changes comprise changes to the file features of process modules, changes to the entry points of key APIs (common Windows application programming interfaces), and remote-thread changes.
The virus surface-behaviour features of process-module file feature changes comprise:
1) Masquerading as a system file.
2) Has the hidden attribute.
3) Several processes or modules with identical sizes but different file names.
The virus surface-behaviour features of key API (common Windows application programming interface) entry changes comprise:
1) User-mode API inline hook (USER MODE INLINE HOOK).
2) Kernel-mode API inline hook (KERNEL MODE INLINE HOOK).
3) Kernel-mode system service table hook (SSDT HOOK).
4) Kernel-mode low-level file system routine hook (FSD HOOK).
5) Kernel-mode low-level file system routine inline hook (FSD INLINE HOOK).
The virus surface-behaviour features of remote-thread changes comprise:
1) An extra remote thread appears.
Special system area changes comprise changes to the Startup folder, the system volume root directory and system core files. The virus surface-behaviour features of Startup folder changes comprise:
1) An executable file without copyright information is present in the folder.
2) An executable file with the hidden attribute is present in the Startup folder.
The virus surface-behaviour features of system volume root directory changes comprise:
1) An AUTORUN configuration file is present in the system volume root directory and contains auto-run entries (open=, shell\open\Command=, shell\explore\Command=, shell\find\Command=); the programs these entries attempt to run automatically are suspected virus files.
The virus surface-behaviour features of system core file changes comprise:
1) Masquerading as a system file in the WINDOWS, SYSTEM32 or SYSTEM folder.
The virus surface-behaviour features of network port changes comprise:
1) Opens or connects to an uncommonly used port.
2) Runs in the background and opens or connects to an FTP, TELNET, mail or WWW service port.
A virus surface-behaviour feature database record comprises: the virus surface-behaviour feature record number, the feature type, the feature subtype, the feature sequence number, the registry scan path, the special system area scan path, the process module scan path, the system service scan path, the network port scan path, an additional scan value, and the system normal value that may be needed for comparison.
2. Construction of the pseudo-virus surface-behaviour feature database
A large number of normal programs are tested against the virus surface-behaviour feature database, and those normal programs that trigger a virus surface-behaviour feature are added to the pseudo-virus surface-behaviour feature database.
A normal program is a program that can run normally in a system not infected by a virus, is not itself a virus and has not been modified by a virus. Normal programs include the system's own built-in programs and normal software programs.
A pseudo-virus surface-behaviour feature database record comprises a file feature structure, a signature structure and the pseudo-virus surface-behaviour feature sequence number. The file feature structure comprises the file attributes, the file version description, the PE file entry point and the file size. The signature structure comprises the first sample offset, the first sample signature, the second sample offset and the second sample signature.
3. Surface-behaviour feature scanning and detection process
The system registry, memory, special system areas and network ports are analysed and scanned according to the virus surface-behaviour feature database. If a feature record in the virus surface-behaviour feature database is triggered, the pseudo-virus surface-behaviour feature database is queried further; if no record in the pseudo-virus surface-behaviour feature database matches, the object is determined to be a suspected virus file.
System memory scanning involves a method of detecting function entry address hooks (HOOK): under normal conditions the entry address of a given function lies within a particular fixed module, and a module's memory address range runs from its memory base address to its base address plus its size. By traversing the address ranges of all modules, if the entry address of a function lies within the address range of some other module, that module is a suspected virus file.
System memory scanning involves a method of detecting hooks inside a function entry (INLINE HOOK): the first few bytes at the normal function entry are read in a system environment not infected by a virus; during scanning, the first few bytes at the entry of the function to be scanned are read directly and compared with them. If they are abnormal, the abnormal leading bytes are searched for a JMP instruction (opcode 0xE9); if a JMP is present, the 4 bytes following it give the jump target address, and if that address lies within the memory address range of some module, that module is a suspected virus file.
System memory scanning involves a method of resetting system hooks (HOOK): when the scanning module calls a key API function, it first reads the leading bytes of the function's entry and compares them with the normal value; if they are abnormal, the normal value is restored by writing memory directly, and only then is the function called.
4. Handling of detected viruses
According to the file type of the suspected virus detected by the scan, its process or thread is terminated and the file is quarantined or thoroughly deleted in a predefined manner.
If the suspected virus is a process, its process is terminated; otherwise its main thread is terminated. The way the present invention terminates a process is to inject a DLL (dynamic link library) into the target process through a remote thread, which makes the process exit by itself.
The quarantine method of the present invention encrypts the content of the virus file with a custom key and a reversible data encryption algorithm.
5. Comprehensive system scanning and detection process
The file surface features and file content features of the scanned suspected viruses are extracted automatically to form a temporary signature database, and the computer system is scanned comprehensively with it in order to remove virus bodies remaining in the system.
A temporary signature database record comprises: a file feature structure, a signature structure, the feature record sequence number and the entry position of the next record. The file feature structure comprises the file version description and the PE file entry point. The signature structure comprises the first sample offset, the first sample signature, the second sample offset and the second sample signature. The first sample offset is offset 1/3 relative to the PE header entry RVA, and the first sample signature is 16 bytes; the second sample offset is offset 2/3 relative to the PE header entry RVA, and the second sample signature is 16 bytes.
Embodiment
The main innovative idea of the present invention is: without relying on a virus signature database, construct the virus surface-behaviour feature database from the relatively specific changes that a computer virus's behaviour causes in a system, and scan for and detect computer viruses with it; at the same time, build the pseudo-virus surface-behaviour feature database and use it for a second judgement on suspected virus files, so that normal programs are excluded. Then automatically extract the file surface features and file content features of the scanned suspected viruses to form a temporary signature database, and scan the computer system comprehensively with it to remove virus bodies remaining in the system.
The present invention can scan for and detect most known viruses and generalized unknown viruses with a very low database update frequency; scanning and detection are fast, specificity is high and resource consumption is low, which are remarkable advantages over existing computer virus scanning and detection technology.
Step 1: Construction of the virus surface-behaviour feature database
A large number of computer virus samples are analysed and studied; the changes they produce in the system registry, memory, special system areas and network ports are collected and compared with the changes normal programs produce in those areas; the relatively specific changes produced by computer viruses are extracted; and the virus surface-behaviour feature database is built from them.
1.1 Relatively specific changes that computer viruses produce in a system
The relatively specific changes that computer viruses produce in a system fall into four broad classes: system registry changes, system memory changes, special system area changes and network port changes.
1.1.1 System registry changes
System registry changes mainly comprise:
1.1.1.1 Conventional startup item scanning:
Conventional startup items comprise:
(1)SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(2)SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(3)SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
(4)SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
(5)Software\Microsoft\Windows\CurrentVersion\RunServices
(6)Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
(7)SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\Run
(8)SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\Runonce
(9)SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\RunonceEx
The suspected-virus features among these startup items comprise:
1) Masquerading as a system file.
2) Located in a special folder, for example Local Settings, TEMP, DRIVERS or the Internet Explorer folder.
3) No version information, and located in the WINDOWS folder.
4) Has the hidden attribute.
1.1.1.2 Unconventional startup item scanning
Unconventional startup items comprise:
(1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
(2)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
(3)Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
(4)Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
(5)Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
(6)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
(7)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
(8)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
(9)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
(10)SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
(11)Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
The suspected-virus features among these startup items comprise:
1) The normal value has been modified; where the sub-item's normal value is empty, any added value is a suspected virus.
2) Masquerading as a system file.
3) Located in a special folder, for example Local Settings, TEMP, DRIVERS or the Internet Explorer folder.
4) No version information, and located in the WINDOWS folder.
5) Has the hidden attribute.
(12)Software\Microsoft\Internet Explorer\UrlSearchHooks
(13)SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
(14)Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
(15)Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
(16)SOFTWARE\Microsoft\Active Setup\Installed Components
The suspected-virus features among these startup items comprise:
1) Masquerading as a system file.
2) Located in a special folder, for example Local Settings, TEMP, DRIVERS or the Internet Explorer folder.
3) No version information, and located in the WINDOWS folder.
4) Has the hidden attribute.
5) Abnormal extension or file name.
1.1.1.3 System service item scanning
System service items comprise:
(1)SYSTEM\CurrentControlSet\Services\…\ImagePath
The suspected-virus features among these items comprise:
1) Masquerading as a system file.
2) Located in a special folder, for example Local Settings, TEMP, DRIVERS or the Internet Explorer folder.
3) No version information, located in the WINDOWS folder but not in the DRIVERS folder.
4) Has the hidden attribute.
5) Abnormal extension or file name.
(2)SYSTEM\CurrentControlSet\Services\…\Parameters\ServiceDll
The suspected-virus features among these items comprise:
1) Masquerading as a system file.
2) Located in a special folder, for example Local Settings, TEMP, DRIVERS or the Internet Explorer folder.
3) No version information.
4) Has the hidden attribute.
5) Abnormal extension or file name.
1.1.2 System memory changes
System memory changes comprise:
1.1.2.1 Process-module file feature changes
The suspected-virus features comprise:
1) Masquerading as a system file.
2) Has the hidden attribute.
3) Several processes or modules with identical sizes but different file names.
1.1.2.2 Key API (common Windows application programming interface) entry changes; the suspected-virus features comprise:
1) User-mode scanning: API inline hook scanning. If the first few code bytes at a module's API entry contain the jump instruction JMP, the entry has been modified by a suspected virus file, and the suspected virus module is determined from the jump target address. The APIs to be scanned comprise: CreateProcess, DeleteFile, RegCreateKey, RegCreateKeyEx, OpenProcess, SetValueKey, TerminateProcess, TerminateThread, FindFirstFile, FindNextFile, CreateRemoteThread, FindFirstFileEx, GetModuleFileName, Module32First, Module32Next, MoveFileEx, Process32First, Process32Next, SetSystemTime, WriteFile, RegDeleteKey, RegDeleteValue, RegEnumKey, RegEnumKeyEx, RegEnumValue, RegQueryInfoKey, RegQueryValue, RegQueryValueEx, RegSetValue, RegSetValueEx.
2) Kernel-mode scanning: divided into SSDT scanning and NATIVE API INLINE HOOK scanning.
SSDT scanning: that is, system service table address scanning. If the address of a NATIVE API (kernel application interface) is not within the address range of the kernel module ntoskrnl.exe, it has been modified by a suspected virus file, and the suspected virus module is determined from that address.
NATIVE API INLINE HOOK scanning: that is, inline hook scanning of the NATIVE APIs. If the first few code bytes at the entry of a kernel application interface contain the jump instruction JMP, it has been modified by a suspected virus file, and the suspected virus module is determined from the jump target address. The NATIVE APIs to be scanned comprise: NtCreateFile, NtCreateKey, NtCreateProcess, NtCreateProcessEx, NtDeleteFile, NtDeleteKey, NtDeleteValueKey, NtFsControlFile, NtLoadDriver, NtOpenProcess, NtOpenProcessTokenEx, NtOpenThread, NtSetInformationFile, NtSetSystemTime, NtSetValueKey, NtShutdownSystem, NtTerminateProcess, NtTerminateThread, NtUnloadDriver, NtVdmControl, NtWriteFile, NtCreateUserProcess, NtCreateThreadEx, NtQuerySystemInformation, NtCreateSection, NtOpenSection, NtQueryDirectoryFile.
3) Kernel file system scanning: low-level file system key routine address scanning and its INLINE HOOK scanning.
Low-level file system key routine address scanning: scan the routine addresses MajorFunction[IRP_MJ_CREATE], MajorFunction[IRP_MJ_SET_INFORMATION], MajorFunction[IRP_MJ_WRITE], MajorFunction[IRP_MJ_DEVICE_CONTROL], MajorFunction[IRP_MJ_QUERY_INFORMATION] and MajorFunction[IRP_MJ_SHUTDOWN] in the DriverObject of fastfat.sys or ntfs.sys; if a routine address is not within the address range of fastfat.sys or ntfs.sys, it has been modified by a suspected virus file, and the suspected virus module is determined from that address.
Low-level file system key routine address INLINE HOOK scanning: if the first few code bytes at the entry of a key MajorFunction routine contain the jump instruction JMP, it has been modified by a suspected virus file, and the suspected virus module is determined from the jump target address. The routine addresses to be scanned comprise: MajorFunction[IRP_MJ_CREATE], MajorFunction[IRP_MJ_SET_INFORMATION], MajorFunction[IRP_MJ_WRITE], MajorFunction[IRP_MJ_DEVICE_CONTROL], MajorFunction[IRP_MJ_QUERY_INFORMATION], MajorFunction[IRP_MJ_SHUTDOWN].
1.1.2.3 Remote-thread changes
1) Under normal conditions a process has no remote threads other than its original startup thread (which counts as a remote thread); if another one exists, the module at its corresponding address is a suspected virus file.
1.1.3 Special system area changes
Special system area changes comprise:
1.1.3.1 Startup folder changes
1) An executable file without copyright information is present in the Startup folder.
2) An executable file with the hidden attribute is present in the Startup folder.
1.1.3.2 System volume root directory changes
1) An AUTORUN configuration file is present in the system volume root directory and contains auto-run entries (open=, shell\open\Command=, shell\explore\Command=, shell\find\Command=); the programs these entries attempt to run automatically are suspected virus files.
1.1.3.3 System core file changes
1) Masquerading as a system file in the WINDOWS, SYSTEM32 or SYSTEM folder.
1.1.4 Network port changes
Network port changes comprise:
1) Opens or connects to an uncommonly used port.
2) Runs in the background and opens or connects to an FTP, TELNET, mail or WWW service port.
1.2 Structure of the virus surface-behaviour feature database
The virus surface-behaviour feature database comprises a database header and database records. The database header comprises the database identifier, the database checksum, the number of records, the position of the first record and the file offset of each record. The structure of one virus surface-behaviour feature database record is as follows:
typedef struct _VIRUS_FACE_ACT_DB {
    // field types are not given in the patent; integers and strings are assumed here
    unsigned Number;            // virus surface-behaviour feature record number
    unsigned Type;              // virus surface-behaviour feature type, i.e. one of the four types
    unsigned Sub_type;          // virus surface-behaviour feature subtype
    unsigned Feature_number;    // virus surface-behaviour feature sequence number; each feature has a unique fixed sequence number within its subtype
    char *Reg_scan_path;        // registry scan path; may be empty for the other types
    char *Area_scan_path;       // special system area scan path; may be empty for the other types
    char *Process_scan_path;    // process module scan path; may be empty
    char *Services_scan_path;   // system service scan path; may be empty for the other types
    char *Port_scan_path;       // network port scan path; may be empty
    char *Scan_value;           // additional scan value, used for further location where needed
    char *Normal_value;         // system normal value that may be needed for comparison
} VIRUS_FACE_ACT_DB;
For example, to detect whether an extra value has been added to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, supposing this is the first record and its normal value is Explorer.exe, its record in the surface-behaviour feature database is {1, 1, 2, 1, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, null, null, null, null, null, Explorer.exe}.
Step 2. Construction of the pseudo-virus surface-behaviour feature database
A large number of normal programs are tested against the virus surface-behaviour feature database, and those normal programs that trigger a virus surface-behaviour feature are added to the pseudo-virus surface-behaviour feature database.
2.1 Structure of the pseudo-virus surface-behaviour feature database
The pseudo-virus surface-behaviour feature database comprises a database header and database records. The database header comprises the database identifier, the database checksum, the number of records, the position of the first record and the file offset of each record. The structure of one pseudo-virus surface-behaviour feature database record is as follows (the FILE_FEATURE and CODE structures it contains are given first):
typedef struct _FILE_FEATURE {
    // field types are not given in the patent; integers and strings are assumed here
    unsigned Base_attribute;    // file attributes
    char *File_version;         // file version description
    unsigned Perva;             // PE file entry point
    unsigned Size;              // file size
} FILE_FEATURE;
typedef struct _CODE {
    unsigned Offset1;           // first sample offset (relative to the PE header entry RVA)
    unsigned char Code1[16];    // first sample signature (16 bytes, see step 5)
    unsigned Offset2;           // second sample offset (relative to the PE header entry RVA)
    unsigned char Code2[16];    // second sample signature (16 bytes, see step 5)
} CODE;
typedef struct _FALSE_VIRUS_FACE_ACT_DB {
    FILE_FEATURE file_feature;  // file feature structure
    CODE code;                  // signature structure
    unsigned Number_face_act;   // pseudo-virus surface-behaviour feature sequence number, marking which rule was triggered
} FALSE_VIRUS_FACE_ACT_DB;
2.2 a large amount of normal procedures is tested
Guaranteeing that operating system does not have under the condition that infective virus and normal procedure to be tested do not revised by virus, the operation normal procedure, and write down the variation that it produces system.If it triggers a virus surface behavioural characteristic at least, promptly read its paper surface feature (content of FILE_FEATURE structure) and file content feature (content of CODE), add pseudo-viral surface behavior property data base to.A normal procedure can have many viral surface behavior representative records of puppet.Normal procedure comprises intrinsic program of system and software program, because the virus surface behavioural characteristic has higher specificity for virus, the record quantity of pseudo-viral surface behavior property data base is generally little.
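The two-way judgement of step 3 applied to the Winlogon\Shell record of section 1.2 and the pseudo-virus database of step 2, as an added example that is not the patent's code. The registry value, the file table, the system-file names and the pseudo-virus records are all constructed in-memory sample data; the reading of "masquerades as a system file" (a well-known system binary name outside C:\WINDOWS and C:\WINDOWS\SYSTEM32) is an assumption, since the patent does not define it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *path;          /* image the startup value points at */
    const char *file_version;  /* version description, "" when the file has none */
    uint32_t    size;
    bool        hidden;        /* hidden attribute set */
} file_info_t;

/* Constructed file table standing in for the file system. */
static const file_info_t kFiles[] = {
    { "C:\\WINDOWS\\Explorer.exe",            "Windows Explorer", 1033728, false },
    { "C:\\WINDOWS\\TEMP\\svchost.exe",       "",                   40960, true  },
    { "C:\\Program Files\\Vendor\\agent.exe", "Vendor Agent 2.1", 204800, false },
};
/* Constructed pseudo-virus records (step 2): a normal program that appends itself to Shell. */
static const struct { const char *file_version; uint32_t size; } kFalseVirusDb[] = {
    { "Vendor Agent 2.1", 204800 },
};
/* Feature bits, numbered as the patent's list for unconventional startup items. */
enum { F_VALUE_ADDED = 1, F_MASQUERADE = 2, F_SPECIAL_DIR = 4,
       F_NOVERSION_WINDIR = 8, F_HIDDEN = 16, F_ODD_NAME = 32 };
static const char *kSystemNames[] = { "explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe" };
static const char *kSpecialDirs[] = { "\\Local Settings\\", "\\TEMP\\", "\\DRIVERS\\", "\\Internet Explorer\\" };

/* Case-insensitive helpers: registry data and Windows paths are case-insensitive. */
static bool ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++, a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b) || *a == '\0') return *a == *b;
    return true;
}
static bool ieq(const char *a, const char *b) { return strlen(a) == strlen(b) && ieq_n(a, b, strlen(a)); }
static bool icontains(const char *hay, const char *needle) {
    for (size_t n = strlen(needle); *hay; hay++) if (ieq_n(hay, needle, n)) return true;
    return false;
}
/* Directory part of path equals dir (case-insensitive). */
static bool dir_is(const char *path, const char *dir) {
    const char *base = strrchr(path, '\\');
    return base && (size_t)(base - path) == strlen(dir) && ieq_n(path, dir, strlen(dir));
}
static const file_info_t *lookup_file(const char *path) {
    for (size_t i = 0; i < sizeof kFiles / sizeof kFiles[0]; i++)
        if (ieq(kFiles[i].path, path)) return &kFiles[i];
    return NULL;
}

/* Surface-behaviour features 2)-6) of one startup-item file. */
static unsigned file_features(const file_info_t *f) {
    unsigned bits = 0;
    const char *base = strrchr(f->path, '\\');
    base = base ? base + 1 : f->path;
    const char *ext = strrchr(base, '.');
    bool legit_dir = dir_is(f->path, "C:\\WINDOWS") || dir_is(f->path, "C:\\WINDOWS\\SYSTEM32");
    for (size_t i = 0; i < 4; i++) if (ieq(base, kSystemNames[i]) && !legit_dir) bits |= F_MASQUERADE;
    for (size_t i = 0; i < 4; i++) if (icontains(f->path, kSpecialDirs[i])) bits |= F_SPECIAL_DIR;
    if (f->file_version[0] == '\0' && ieq_n(f->path, "C:\\WINDOWS\\", 11)) bits |= F_NOVERSION_WINDIR;
    if (f->hidden) bits |= F_HIDDEN;
    if (!ext || !(ieq(ext, ".exe") || ieq(ext, ".dll"))) bits |= F_ODD_NAME;
    return bits;
}
/* Second judgement: a file whose features match a pseudo-virus record is a known normal program. */
static bool is_known_normal(const file_info_t *f) {
    for (size_t i = 0; i < sizeof kFalseVirusDb / sizeof kFalseVirusDb[0]; i++)
        if (f->size == kFalseVirusDb[i].size && strcmp(f->file_version, kFalseVirusDb[i].file_version) == 0)
            return true;
    return false;
}
/* Scan one comma-separated Shell-style value against the record's normal value. Every entry
 * other than the normal value is an added value (feature 1) and therefore a suspected virus
 * unless the pseudo-virus database clears it. Returns the number of suspected files. */
static int scan_startup_value(const char *normal_value, const char *current_value) {
    char buf[512];
    int suspects = 0;
    strncpy(buf, current_value, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        while (*tok == ' ') tok++;
        if (ieq(tok, normal_value)) continue;                 /* the expected entry */
        const file_info_t *f = lookup_file(tok);
        unsigned bits = F_VALUE_ADDED | (f ? file_features(f) : 0);
        if (f && is_known_normal(f)) { printf("normal program (pseudo-virus db): %s\n", tok); continue; }
        printf("SUSPECTED VIRUS %s (features 0x%02x)\n", tok, bits);
        suspects++;
    }
    return suspects;
}

int main(void) {
    /* Constructed current value of Winlogon\Shell; the record's normal value is Explorer.exe. */
    const char *shell = "Explorer.exe,C:\\WINDOWS\\TEMP\\svchost.exe,C:\\Program Files\\Vendor\\agent.exe";
    printf("%d suspected file(s)\n", scan_startup_value("Explorer.exe", shell));
    return 0;
}
```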
Step 3. Surface behaviour feature scanning and detection process
Using the virus surface behaviour feature database, scan and analyse the system registry, memory, special system areas and network ports. If a record in the virus surface behaviour feature database is triggered, the pseudo-viral surface behaviour feature database is then queried; if no record in the pseudo-viral database matches, the file is determined to be a suspected virus file.
Scanning is divided into kernel-mode scanning and user-mode scanning, as follows:
3.1 Kernel-mode scanning: comprises SSDT scanning and NATIVE API INLINE HOOK scanning.
3.1.1 SSDT scanning: using the driverObject pointer passed to the driver entry DriverEntry, locate the address of PsLoadedModuleList. Through the link.Flink field of PsLoadedModuleList, obtain the imageBase and imageSize of every loaded driver module. If an address value in the SSDT (System Service Dispatch Table), KeServiceDescriptorTable.ServiceDescriptor[0].ServiceTable, lies between the imageBase and imageBase+imageSize of some driver module, that driver module is a suspected virus file.
3.1.2 NATIVE API INLINE HOOK scanning: on a system not infected by a virus, read the first 10 bytes at the entry of each kernel-mode NT-series function that needs to be scanned; these 10 bytes are the entry's normal value and are stored in the normal_value field of VIRUS_FACE_ACT_DB (the virus surface behaviour feature database). During scanning, read the first 10 bytes at the entry of each such function directly and compare them with the normal value. If they differ, search the 10 abnormal bytes for a JMP instruction (opcode 0xE9); the 4 bytes following the JMP give the jump address. If the jump address lies between the imageBase and imageBase+imageSize of some driver module, that driver module is a suspected virus file.
3.1.3 Kernel file system scanning: obtain the base address of fastfat.sys or ntfs.sys in the kernel; from the base address and the PE file header structure obtain the RVA of the driver entry DriverEntry of fastfat.sys or ntfs.sys, then locate the MajorFunction series of functions in the DriverObject. For key routine address scanning: if a key routine's address lies between the imageBase and imageBase+imageSize of some driver module and outside the address range of fastfat.sys or ntfs.sys, that driver module is a suspected virus file. For key routine INLINE HOOK scanning: on a system not infected by a virus, read the first 10 bytes at the entry of each key kernel-mode routine; these 10 bytes are the entry's normal value and are stored in the normal_value field of VIRUS_FACE_ACT_DB (the virus surface behaviour feature database). During scanning, read the first 10 bytes at each key routine's entry directly and compare them with the normal value; if they differ, search the 10 abnormal bytes for a JMP instruction (opcode 0xE9); the 4 bytes following the JMP give the jump address. If the jump address lies between the imageBase and imageBase+imageSize of some driver module, that driver module is a suspected virus file.
3.2 User-mode API entry scanning: the scan targets are user-mode API functions; the principle is the same as in 3.1.1 and 3.1.2.
3.3 Other user-mode scanning: comprises system HOOK (hook) reset, system registry scanning, process module file feature scanning, remote thread scanning, special system area scanning and network port scanning.
The procedure for this step is as follows:
3.3.1 System HOOK (hook) reset: to counter any hooking technique the virus may use, the HOOK reset operation must be performed before the other user-mode scans. When the scanning module calls a key user-mode API function, it first reads the first 10 bytes at the function's entry and compares them with the normal value. If they differ, it attempts to open the process containing the module with the PROCESS_VM_WRITE access right, writes the normal value back to the function entry with WriteProcessMemory, and only then calls the API function.
3.3.2 System registry scanning: the REG series of registry functions is called to scan and access the registry.
3.3.3 Process module file feature scanning: the process module traversal functions are called to enumerate the modules of each process.
3.3.4 Remote thread scanning: the thread enumeration function is called to enumerate all threads of a process, and the judgement is made from each thread's parent process parameter.
3.3.5 Special system area scanning: file operation functions are called to perform the scan.
3.3.6 Network port scanning: the ports opened or connected by every process are detected by associating processes with ports. Calling the AllocateAndGetTcpExTableFromStack interface obtains the TCP port mapping table by process ID, and calling the AllocateAndGetUdpExTableFromStack interface obtains the UDP port mapping table by process ID.
Step 4. Handling a detected virus
According to the file type of the suspected virus detected by the scan, its process or thread is terminated, and the file is isolated or permanently deleted according to a predefined mode.
4.1 Stopping the suspected virus according to its file type:
If the suspected virus is a process, its process is terminated; otherwise its main thread is terminated. The present invention uses the following forced process termination method: a DLL (dynamic link library) is constructed in advance whose first instruction at its entry DLLMAIN is a call to the ExitProcess function; this DLL is then injected into the target suspected virus process with a remote thread, so that the process terminates itself.
4.2 Deleting or isolating the suspected virus file:
4.2.1 Deleting the suspected virus file:
Attempt to delete the file directly. Also call the MOVEFILEEX function to write a registry entry that marks the file for deletion at system startup, and on restart use a self-developed driver that starts automatically with the system to attempt to delete the file once more.
4.2.2 Isolating the suspected virus file:
The suspected virus file is isolated by reading its contents, encrypting them with a custom key and a reversible data encryption algorithm, and saving the result in the virus isolation area; finally the virus file is deleted by the method of 4.2.1. When the file is restored, it is decrypted with the same key and algorithm. A file in the virus isolation area has the following structure:
typedef struct _ISOLATE_INFO {
    Path,      // original path
    Size,      // original size
    Date,      // time of isolation
    Id,        // file ID
    Content    // encrypted original content
} ISOLATE_INFO;
Step 5. Comprehensive system scanning and detection process
The file surface features and file content features of the suspected viruses found by the scan are extracted automatically to form a temporary signature database, and the computer system is comprehensively scanned against it in order to remove any virions remaining in the system.
5.1 Structure of the temporary signature database: it comprises a database header and database records. The database header contains the database identifier, the database effect, the number of records and the entry position of the first record. A temporary signature database record has the following structure:
typedef struct _TEMP_VIRUS_CODE_DB {
    FILE_FEATURE file_feature,   // file feature structure; because virus size varies, Size is not used as an index in this structure
    CODE code,                   // signature structure
    Id,                          // record sequence number
    Next_entry                   // entry position of the next record
} TEMP_VIRUS_CODE_DB;
typedef struct _FILE_FEATURE {
    File_version,   // FileVersion description from the version resource
    Perva           // PE entry point (RVA)
} FILE_FEATURE;
typedef struct _CODE {
    Offset1,   // first sample offset, relative to the PE entry RVA: 1/3 of the way in
    Code1,     // first sampled signature, 16 bytes
    Offset2,   // second sample offset, relative to the PE entry RVA: 2/3 of the way in
    Code2      // second sampled signature, 16 bytes
} CODE;
5.2 Comprehensive scanning and detection: the signature database is loaded into memory and all executable files on the computer are traversed by a recursive algorithm. Each executable file is tried against every record in the temporary signature database; if the file's content features (the CODE part) and file surface features (the FILE_FEATURE part) are identical to some record in the database, the match succeeds and steps 4.1 and 4.2 are performed on the file.
The present invention is a novel computer virus scanning and detection method: a virus surface behaviour feature database is constructed from the relatively specific changes that a computer virus's behaviour causes in the system and is used to scan for and detect computer viruses, while a pseudo-viral surface behaviour feature database is built at the same time to make a secondary judgement on suspected virus files so as to exclude normal programs. The file surface features and file content features of the suspected viruses found are extracted automatically to form a temporary signature database, and the computer system is comprehensively scanned in order to remove any virions remaining in it.
Because virus surface behaviour features are common to most computer viruses and are relatively fixed, not changing over a considerable period, the present invention can scan for and detect most known viruses and generalized unknown viruses with a very low database update frequency. Scanning is fast, specificity is high and resource usage is low; compared with existing computer virus scanning and detection techniques the present invention has notable advantages, is worth promoting, and can to some extent defend the information security of computers and users.
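As an added illustration of 5.1 and 5.2 (this is example code, not the patent's own): building a temporary signature record from a suspected file and running the full scan against it in C. Three points are assumptions of the example: the FileVersion description is reduced to a single number, the file buffer is treated as a flat image so the entry RVA is used directly as an offset, and the 1/3 and 2/3 samples are taken over the bytes between the entry point and the end of the file; the sample files are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define CODE_LEN 16   /* each sampled signature is 16 bytes (5.1, claim 7) */

typedef struct {
    uint32_t file_version;   /* assumption: FileVersion description reduced to one number */
    uint32_t pe_rva;         /* PE entry point RVA */
} FILE_FEATURE;

typedef struct {
    uint32_t offset1;        /* file offset of the first sample */
    uint8_t  code1[CODE_LEN];
    uint32_t offset2;        /* file offset of the second sample */
    uint8_t  code2[CODE_LEN];
} CODE;

typedef struct {
    FILE_FEATURE file_feature;
    CODE code;
    uint32_t id;
} TEMP_VIRUS_CODE_DB;

/* Build a record from a suspected file. The samples sit 1/3 and 2/3 of the way
 * through the bytes between the entry point and the end of file (assumption).
 * File size is deliberately not recorded, as the note on TEMP_VIRUS_CODE_DB says. */
bool build_record(const uint8_t *image, size_t len, uint32_t file_version,
                  uint32_t entry_rva, uint32_t id, TEMP_VIRUS_CODE_DB *out)
{
    if (entry_rva >= len)
        return false;
    size_t span = len - entry_rva;
    size_t off1 = entry_rva + span / 3;
    size_t off2 = entry_rva + 2 * span / 3;
    if (off2 + CODE_LEN > len)            /* too small to take two full samples */
        return false;
    out->file_feature.file_version = file_version;
    out->file_feature.pe_rva = entry_rva;
    out->code.offset1 = (uint32_t)off1;
    out->code.offset2 = (uint32_t)off2;
    memcpy(out->code.code1, image + off1, CODE_LEN);
    memcpy(out->code.code2, image + off2, CODE_LEN);
    out->id = id;
    return true;
}

/* 5.2: a file matches when both surface features and both samples are identical. */
bool match_record(const uint8_t *image, size_t len, uint32_t file_version,
                  uint32_t entry_rva, const TEMP_VIRUS_CODE_DB *rec)
{
    if (rec->file_feature.file_version != file_version || rec->file_feature.pe_rva != entry_rva)
        return false;
    if ((size_t)rec->code.offset1 + CODE_LEN > len || (size_t)rec->code.offset2 + CODE_LEN > len)
        return false;                     /* never read past the end of a shorter file */
    return memcmp(image + rec->code.offset1, rec->code.code1, CODE_LEN) == 0
        && memcmp(image + rec->code.offset2, rec->code.code2, CODE_LEN) == 0;
}

/* Try every file against every record, as the full scan does; returns the hit count. */
size_t full_scan(const uint8_t *const *images, const size_t *lens, const FILE_FEATURE *feats,
                 size_t n_files, const TEMP_VIRUS_CODE_DB *db, size_t n_recs)
{
    size_t hits = 0;
    for (size_t f = 0; f < n_files; f++)
        for (size_t r = 0; r < n_recs; r++)
            if (match_record(images[f], lens[f], feats[f].file_version, feats[f].pe_rva, &db[r])) {
                hits++;
                break;                    /* one hit is enough to hand the file to step 4 */
            }
    return hits;
}

/* Constructed content generator: deterministic bytes, so copies sample identically. */
static void fill_image(uint8_t *buf, size_t len, uint8_t seed)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(seed + i * 7);
}

/* Demo: a record from a 300-byte suspect, then a scan over the suspect itself, a
 * 320-byte sibling with the same body (size differs, so it must still match) and a
 * benign file of the same size with different content. Returns the hit count (2). */
size_t demo_full_scan(void)
{
    static uint8_t suspect[300], sibling[320], benign[300];
    fill_image(suspect, sizeof suspect, 0x10);
    fill_image(sibling, sizeof sibling, 0x10);
    fill_image(benign,  sizeof benign,  0x20);
    TEMP_VIRUS_CODE_DB db[1];
    if (!build_record(suspect, sizeof suspect, 0x00010000u, 0x60, 1, &db[0]))
        return 0;
    const uint8_t *images[] = { suspect, sibling, benign };
    const size_t lens[] = { sizeof suspect, sizeof sibling, sizeof benign };
    const FILE_FEATURE feats[] = { {0x00010000u, 0x60}, {0x00010000u, 0x60}, {0x00010000u, 0x60} };
    return full_scan(images, lens, feats, 3, db, 1);
}
```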

Claims (10)

1. the method for a scanning and detecting generalized unknown virus is characterized in that:
Go out the virus surface behavioral characteristic database according to computer virus surface behavior latent structure, construct pseudo-viral surface behavior property data base simultaneously, when scanning-detecting system viral, carrying out twocouese judges, both judged whether a virus, also judged whether a normal procedure according to the viral surface behavior property data base of puppet according to the virus surface behavioral characteristic database; Said method can scan most of known viruse and the generalized unknown virus that has activated in the system of detecting or had potential activation possibility; Scan detected suspected virus file according to said method, automatically extract its surperficial file characteristic and file content feature, and form an interim condition code database, computer system is comprehensively scanned detection, can scan and detect the similar virus of suspected virus file all in system, comprise similar virus with potential activation possibility; Detected suspected virus file is handled accordingly;
In the present invention, sensu lato unknown virus comprises all traditional viruses, wooden horse, worm, spy's program, rogue program, rogue's program;
In the present invention, the surface behavior feature of computer virus is meant computer virus generation virus behavior and the variation that causes system to produce, and normal procedure seldom can cause the generation of this variation, and the characteristic set of these system change is called the virus surface behavioural characteristic.The minority normal procedure makes phylogenetic this variation be called the pseudo-viral surface behavior feature of normal procedure;
In the present invention, the virus that has activated is meant the virus that is loaded in the internal memory, and the virus with potential activation possibility is meant the virus that can move with system or some program automatically, also refers to the virus of moving automatically under certain specific environment of system.
2. The method for scanning and detecting generalized unknown viruses according to claim 1, characterized in that the changes that produce virus surface behaviour features comprise: system registry changes, memory changes, special system area changes and network port changes.
3. The system registry changes according to claim 2, characterized in that the system registry changes comprise changes to conventional startup items, unconventional startup items and system service items, and their virus surface behaviour features mainly comprise:
1) the normal value has been modified; for a sub-item whose normal value is empty, any value that has been added is a suspected virus;
2) impersonating a system file;
3) located in a special folder, for example Local Settings, TEMP, DRIVERS or the InternetExplorer folder;
4) no version information, and located in the WINDOWS folder;
5) having the hidden attribute;
6) an unusual extension or file name.
4. The memory changes according to claim 2, characterized in that system memory changes comprise process module file feature changes, key API (WINDOWS application programming interface) entry changes and remote thread changes;
The virus surface behaviour features of process module file feature changes comprise:
1) impersonating a system file;
2) having the hidden attribute;
3) several processes or modules with identical sizes but different file names;
The virus surface behaviour features of key API (WINDOWS application programming interface) entry changes comprise:
1) user-mode API inline hook (USER MODE INLINE HOOK);
2) kernel-mode API inline hook (KERNEL MODE INLINE HOOK);
3) kernel-mode system service table hook (SSDT HOOK);
4) kernel-mode low-level file system routine hook (FSD HOOK);
5) kernel-mode low-level file system routine inline hook (FSD INLINE HOOK);
The virus surface behaviour features of remote thread changes comprise:
1) an extra remote thread appears.
5. The special system area changes according to claim 2, characterized in that special system area changes comprise startup folder changes, system volume root directory changes and system core file changes;
The virus surface behaviour features of startup folder changes comprise:
1) an executable file without copyright information is present in the folder;
2) an executable file with the hidden attribute is present in the startup folder;
The virus surface behaviour features of system volume root directory changes comprise:
1) an AUTORUN configuration file is present in the system volume root directory and contains auto-run entries: open=, shell\open\Command=, shell\explore\Command=, shell\find\Command=; the programs these entries attempt to run automatically are suspected virus files;
The virus surface behaviour features of system core file changes comprise:
1) impersonating a system file in the WINDOWS, SYSTEM32 or SYSTEM folder.
6. The network port changes according to claim 2, characterized in that the virus surface behaviour features of network port changes comprise:
1) opening or connecting to an uncommon port;
2) running in the background and opening or connecting to an FTP, TELNET, mail or WWW service port.
7. The method for scanning and detecting generalized unknown viruses according to claim 1, characterized in that the virus surface behaviour feature database record structure comprises the virus surface behaviour feature LSN, virus surface behaviour feature type, virus surface behaviour feature subtype, virus surface behaviour feature sequence number, registry scan path, special system area scan path, process module scan path, system service scan path, network port scan path, and an additional scan value that may be needed as the system normal value for comparison; the pseudo-viral surface behaviour feature database record structure comprises the file feature structure, the signature structure and the pseudo-viral surface behaviour feature sequence number; the file feature structure comprises file attributes, FileVersion description, PE entry point and file size; the signature structure comprises the first sample offset, the first sampled signature, the second sample offset and the second sampled signature; the temporary signature database record structure comprises the file feature structure, the signature structure, the record sequence number and the entry position of the next record; its file feature structure comprises the FileVersion description and PE entry point; its signature structure comprises the first sample offset, the first sampled signature, the second sample offset and the second sampled signature; the first sample offset is 1/3 of the way in, relative to the PE entry RVA; the first sampled signature is 16 bytes; the second sample offset is 2/3 of the way in, relative to the PE entry RVA; the second sampled signature is 16 bytes.
8. The method for scanning and detecting generalized unknown viruses according to claim 1, characterized in that its steps comprise:
1) Construction of the virus surface behaviour feature database
By analysing and studying a large number of computer virus samples, the changes they produce in the system registry, memory, special system areas and network ports are collected and compared with the changes normal programs produce in those areas; the relatively specific changes produced by computer viruses are extracted to build the virus surface behaviour feature database;
2) Construction of the pseudo-viral surface behaviour feature database
A large number of normal programs is tested against the virus surface behaviour feature database, and any normal program that triggers a virus surface behaviour feature is added to the pseudo-viral surface behaviour feature database;
A normal program is a program that runs normally on a system not infected by a virus, is not itself a virus and has not been modified by a virus. Normal programs include the system's own normal programs and normal application software;
3) Surface behaviour feature scanning and detection process
Using the virus surface behaviour feature database, scan and analyse the system registry, memory, special system areas and network ports; if a record in the virus surface behaviour feature database is triggered, the pseudo-viral surface behaviour feature database is then queried, and if no record in the pseudo-viral database matches, the file is determined to be a suspected virus file;
4) Process for handling a detected virus
According to the file type of the suspected virus detected by the scan, its process or thread is terminated, and the file is isolated or permanently deleted according to a predefined mode;
5) Comprehensive system scanning and detection process
The file surface features and file content features of the suspected viruses found by the scan are extracted automatically to form a temporary signature database, and the computer system is comprehensively scanned against it in order to remove any virions remaining in the system.
9. The process for handling a detected virus according to claim 8, characterized in that, when handling the virus, if the suspected virus is a process its process is terminated, otherwise its main thread is terminated; the process is terminated by injecting a DLL (dynamic link library) into the target process with a remote thread, causing the process to exit itself.
10. The surface behaviour feature scanning and detection process according to claim 8, characterized in that, in system memory scanning, the method for detecting a function entry hook is:
For a function entry address hook (HOOK): under normal conditions the entry address of a given function lies within a specific module, and the memory address range of a module runs from its memory base address to its memory base address plus its size; by traversing the memory address ranges of all modules, if the entry address of a function lies within the address range of an extra module, that module is a suspected virus file;
For a function entry inline hook (INLINE HOOK): the first several bytes at each normal function entry are read under a system environment free of infection; during scanning the first several bytes at the entry of each function to be scanned are read directly and compared with them; if they differ, the abnormal leading bytes are searched for a JMP instruction (opcode 0xE9); if a JMP instruction is present, the 4 bytes after the JMP give the jump address, and if the jump address lies within the memory address range of some module, that module is a suspected virus file.
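The following is an added example in C, not code from the patent, of the two checks described in 3.1.1 to 3.1.3 and claim 10, run over a constructed module table and function prologue rather than real kernel memory: the address-range test for table slots, and the 10-byte comparison plus 0xE9 search for inline hooks. Module names, addresses and prologue bytes are invented; the example resolves the E9 operand as x86 defines it, a displacement relative to the end of the jmp instruction.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define ENTRY_LEN 10      /* the method compares the first 10 bytes of a function entry */
#define JMP_REL32 0xE9    /* x86 near jmp with a 32-bit displacement */

/* One entry of the loaded-module list (imageBase / imageSize in the text). */
typedef struct {
    const char *name;
    uint32_t image_base;
    uint32_t image_size;
} MODULE_INFO;

/* Constructed module table for the example; names and addresses are invented. */
const MODULE_INFO g_modules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "ntfs.sys",     0xF7C00000u, 0x00080000u },
    { "unknown.sys",  0xF8000000u, 0x00010000u },
};
#define N_MODULES (sizeof g_modules / sizeof g_modules[0])

/* Module whose [imageBase, imageBase+imageSize) range contains addr, or NULL. */
const MODULE_INFO *module_for(const MODULE_INFO *mods, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].image_base && addr < mods[i].image_base + mods[i].image_size)
            return &mods[i];
    return NULL;
}

/* Address-table check (3.1.1 SSDT slots, 3.1.3 MajorFunction slots, claim 10 "HOOK"):
 * a slot is suspect when it resolves into a module other than its expected owner
 * (ntoskrnl.exe for the SSDT, ntfs.sys or fastfat.sys for file system routines).
 * Returns the foreign module, or NULL when the slot points where it should. */
const MODULE_INFO *suspect_table_entry(const MODULE_INFO *mods, size_t n,
                                       uint32_t slot, const char *expected_owner)
{
    const MODULE_INFO *m = module_for(mods, n, slot);
    if (m == NULL || strcmp(m->name, expected_owner) == 0)
        return NULL;
    return m;
}

typedef struct {
    bool modified;                    /* first 10 bytes differ from normal_value */
    bool jmp_found;                   /* an E9 was found inside those bytes */
    uint32_t jmp_target;              /* resolved jump destination */
    const MODULE_INFO *target_module; /* module containing the destination, or NULL */
} INLINE_HOOK_RESULT;

/* Inline-hook check (3.1.2, 3.1.3, claim 10 "INLINE HOOK"). x86 encodes the E9
 * operand as a displacement relative to the end of the 5-byte instruction, so the
 * destination is entry + pos + 5 + rel32, not the 4 bytes taken literally. */
INLINE_HOOK_RESULT scan_inline_hook(uint32_t entry_addr,
                                    const uint8_t current[ENTRY_LEN],
                                    const uint8_t normal_value[ENTRY_LEN],
                                    const MODULE_INFO *mods, size_t n)
{
    INLINE_HOOK_RESULT r = { false, false, 0, NULL };
    if (memcmp(current, normal_value, ENTRY_LEN) == 0)
        return r;                               /* entry unchanged: nothing to do */
    r.modified = true;
    for (size_t pos = 0; pos + 5 <= ENTRY_LEN; pos++) {
        if (current[pos] != JMP_REL32)
            continue;
        uint32_t rel = (uint32_t)current[pos + 1]
                     | (uint32_t)current[pos + 2] << 8
                     | (uint32_t)current[pos + 3] << 16
                     | (uint32_t)current[pos + 4] << 24;   /* little-endian rel32 */
        r.jmp_found = true;
        r.jmp_target = entry_addr + (uint32_t)pos + 5 + rel; /* unsigned wrap == signed add */
        r.target_module = module_for(mods, n, r.jmp_target);
        break;
    }
    return r;
}

/* Demo: a kernel function at 0x80410000 whose prologue was overwritten with a jmp
 * into unknown.sys. Returns 1 when the scan attributes the hook to unknown.sys. */
int demo_inline_hook_detected(void)
{
    const uint32_t entry = 0x80410000u;
    const uint8_t normal[ENTRY_LEN] = { 0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x0C,0x53,0x56 };
    uint8_t hooked[ENTRY_LEN];
    memcpy(hooked, normal, ENTRY_LEN);
    uint32_t rel = 0xF8001000u - (entry + 5);   /* jmp 0xF8001000 */
    hooked[0] = JMP_REL32;
    for (int i = 0; i < 4; i++)
        hooked[1 + i] = (uint8_t)(rel >> (8 * i));
    INLINE_HOOK_RESULT r = scan_inline_hook(entry, hooked, normal, g_modules, N_MODULES);
    return r.modified && r.jmp_found && r.target_module != NULL
        && strcmp(r.target_module->name, "unknown.sys") == 0;
}
```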
CNA200710030109XA 2007-09-05 2007-09-05 Method for scanning and detecting generalized unknown virus Pending CN101382984A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA200710030109XA CN101382984A (en) 2007-09-05 2007-09-05 Method for scanning and detecting generalized unknown virus

Publications (1)

Publication Number Publication Date
CN101382984A true CN101382984A (en) 2009-03-11

Family

ID=40462818

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA200710030109XA Pending CN101382984A (en) 2007-09-05 2007-09-05 Method for scanning and detecting generalized unknown virus

Country Status (1)

Country Link
CN (1) CN101382984A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
DD01 Delivery of document by public notice

Addressee: Jiang Qiyu

Document name: Notification that Application Deemed to be Withdrawn

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20090311