CN102902913B - Security method for preventing malicious sabotage of software in a computer - Google Patents

Info

Publication number: CN102902913B (application CN201210349015.XA)
Authority: CN (China)
Prior art keywords: computer, software, damage, relevant information, malicious
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN201210349015.XA
Other languages: Chinese (zh)
Other versions: CN102902913A (en)
Inventors: 耿振民, 汪亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Original Assignee: WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2012-09-19
Filing date: 2012-09-19
Publication date: 2016-08-03

Events:

  • Application filed by WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
  • Priority to CN201210349015.XA
  • Publication of CN102902913A
  • Application granted
  • Publication of CN102902913B
  • Legal status: Expired - Fee Related (current)
  • Anticipated expiration

Landscapes

  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a security method for preventing malicious sabotage of software in a computer. The method at least includes: 1) extracting relevant information about at least one piece of software in the computer, where the software includes a first process running in the computer, a program installed on the computer, or a folder/file stored in the computer; 2) determining at least one item of relevant information from the extracted relevant information, and taking the software corresponding to the determined relevant information as the object to be protected; 3) starting at least one second process that monitors the protected object, so as to prevent a user from performing malicious operations on the protected object. In this way, malicious sabotage of critical software by a user can be effectively defended against.

Description

Security method for preventing malicious sabotage of software in a computer
Technical field
The present invention relates to a defence method for a computer, and in particular to a security method for preventing malicious sabotage of software in a computer.
Background technology
Today, with networks prevalent everywhere, enterprises pay increasing attention to data security. At present, the most common way to improve data security is to install monitoring or encryption software in the computer, which provides users with the data matching their authority. However, in enterprises that use monitoring or encryption software, some employees resent the software for various reasons and disrupt its operation by various means, most directly by reinstalling the system, so as to avoid their data being monitored.
To solve the above problem, the common approach at present is to remotely control the installation and uninstallation of software on each computer, so as to prevent users from privately sabotaging it. However, this approach only protects the installation and uninstallation of the software and is helpless against other destructive operations by the user, so that the monitoring or encryption software procured by the enterprise for up to ten thousand units has no effect and is of little practical value.
Therefore, there is a need to improve existing methods for preventing malicious sabotage of software in a computer, so as to protect the software in the computer comprehensively and allow the monitoring or encryption software to run normally.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a security method for preventing malicious sabotage of software in a computer, so as to solve the prior-art problem of users destroying software through malicious operations.
To achieve the above and other related objects, the present invention provides a security method for preventing malicious sabotage of software in a computer, which at least includes: 1) extracting relevant information about at least one piece of software in the computer, where the software includes at least one of the following: a first process running in the computer, a program installed on the computer, or a folder/file stored in the computer; 2) determining at least one item of relevant information from the extracted relevant information, and taking the software corresponding to the determined relevant information as the object to be protected; 3) starting at least one second process that monitors the protected object, so as to prevent a user from performing malicious operations on the protected object.
Preferably, the relevant information includes at least one of the following: process information of the first process, registry information of the program, or folder information/file information of the folder/file.
Preferably, step 1) further includes: sending each item of extracted relevant information to a network device.
Preferably, step 2) further includes: the network device determines at least one item of relevant information from the received relevant information and returns the determined relevant information to the computer; the computer then takes the software corresponding to the determined relevant information as the object to be protected.
Preferably, step 3) further includes: there are multiple second processes, which monitor each other; when at least one of the second processes is detected to have terminated, the other second processes restart the terminated second process.
Preferably, step 3) further includes: when the last second process receives an END instruction, the user is forbidden from operating the computer.
Preferably, the manner of forbidding the user from operating the computer includes at least one of the following: making the computer blue-screen, or making the computer restart.
Preferably, step 3) further includes: the second process monitors the user's operations on the protected object according to the protection rule corresponding to the type of the protected object, and stops the operation when a malicious operation is detected.
Preferably, step 3) further includes: the second process monitors the user's operations on the files stored in the computer and forbids the execution of any file having a preset file suffix.
As described above, the security method for preventing malicious sabotage of software in a computer of the present invention has the following advantages: by extracting relevant information about the various kinds of software in the computer and selecting the software corresponding to at least one item of that information for protection, malicious sabotage of critical software by a user can be effectively defended against. In addition, the second processes used for monitoring monitor each other, and when at least one second process is terminated the other second processes restart it, which effectively prevents a user from first terminating the second process that protects the critical software and then maliciously operating on that software. Further, for the case where the user terminates all of the second processes, the last second process, on receiving the END instruction, forbids every operation by the user, so as to avoid malicious sabotage of the critical software. Moreover, the second process also prevents the execution of files with preset suffixes, so as to prevent a user from using hacker programs with those suffixes to destroy the critical software in the computer.
Brief description of the drawings
Fig. 1 shows a flow chart of the security method for preventing malicious sabotage of software in a computer of the present invention.
Fig. 2 shows a flow chart of a preferred embodiment of the security method for preventing malicious sabotage of software in a computer of the present invention.
Reference numerals
S1 to S3, S21 to S23: steps
Detailed description of the invention
The embodiments of the present invention are described below by way of specific examples; those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other, different embodiments, and the details in this specification may be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the present invention.
Fig. 1 shows a flow chart of a security method for preventing malicious sabotage of software in a computer according to the present invention. The security method is mainly performed by a security system, which is an application module installed in a computer. The computer is a modern intelligent electronic device that can automatically perform large-scale numerical computation and various kinds of information processing at high speed according to pre-stored programs; its hardware includes but is not limited to microprocessors, FPGAs, DSPs, embedded devices, etc.
In step S1, the security system extracts relevant information about at least one piece of software in the computer. The software includes any program, script, configuration file, etc. that can run in the computer, including but not limited to: at least one first process running in the computer, a program installed on the computer, or a file or folder stored in the computer. The first process includes the processes started by running programs, the processes required by the operating system, etc. The relevant information includes any information that can reflect the software, including but not limited to: process information of the first process, registry information of the program installed on the computer, or folder information/file information of the folder/file stored in the computer.
Specifically, step S1 includes at least step S11.
In step S11, the security system extracts the process information of at least one first process running in the computer. The process information includes but is not limited to: the process name of the first process, its handle count, its thread count, etc.
For example, the security system traverses all first processes in the task manager of the computer and obtains the current process information of each first process from the task manager.
As another example, the security system searches the task manager for all first processes whose process information contains specified information.
Preferably, step S1 further includes step S12.
In step S12, the security system also extracts the registry information of at least one program in the computer. The registry information includes but is not limited to: the name of the program, the type of the program, the value corresponding to that type, etc.
For example, the security system traverses the program list in the registry of the computer and obtains all registry information of each program in the program list.
As another example, the security system searches the registry for the registry information of all programs according to preset conditions.
More preferably, step S1 further includes step S13.
In step S13, the security system extracts the folder information or file information of at least one folder or file stored on the hard disk of the computer. The folder information includes but is not limited to the folder name; the file information includes but is not limited to the file name, the file name suffix, etc.
For example, the security system scans the folders stored on each hard disk of the computer and obtains the folder information of each folder and the file information of the files stored in that folder.
As another example, the security system searches the folders on each hard disk of the computer according to preset conditions, so as to obtain the folder information or file information that meets the conditions.
It should be noted that those skilled in the art should understand that the above steps S11, S12 and S13 are not necessarily performed consecutively; they may also be performed simultaneously, and steps S11, S12 and S13 are not necessarily performed only once but may be repeated.
In step S2, the security system determines at least one item of relevant information from the extracted relevant information, and takes the software corresponding to the determined relevant information as the object to be protected.
Specifically, the security system matches each item of extracted relevant information against preset rules and determines at least one item of relevant information that matches successfully.
For example, the security system matches the process name in each extracted item of process information against a preset process name, and takes the first process corresponding to the process information containing that process name as the object to be protected.
Preferably, as shown in Fig. 2, step S2 includes step S21, step S22 and step S23.
In step S21, the security system sends each item of extracted relevant information to a network device. The network device is an electronic device that communicates with the computer and can process data or information, including but not limited to: an embedded system, a network appliance, etc.
In step S22, the network device determines at least one item of relevant information from the received relevant information and returns the determined relevant information to the computer.
It should be noted that those skilled in the art should understand that the manner in which the network device determines at least one item of relevant information from the received relevant information is the same as or similar to the manner in which the security system does so, as described above, and is not described in detail here.
In step S23, the security system takes the software corresponding to the determined relevant information as the object to be protected.
For example, the security system sends the extracted process information a1, a2, a3 to the network device; the network device extracts the corresponding process name from each item of process information, matches the preset process name against each extracted process name, selects the process information a1, a2 whose process names match, and returns the selected process information a1, a2 to the security system, so that the security system protects the first processes corresponding to a1 and a2.
It should be noted that those skilled in the art should understand that the above manner in which the network device determines the relevant information of software is only an example; in fact, the network device may also determine the registry information of a program and/or the folder information/file information of a folder/file.
It should further be noted that those skilled in the art should understand that the manner in which the network device determines the registry information of a program and/or the folder information/file information of a folder/file is the same as or similar to the manner in which it determines the process information of the first process described above, and is not described in detail here.
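As an added illustration of steps S2 and S21 to S23 (this code is not part of the patent and is not the applicant's implementation), the following Python simulates matching the extracted relevant information against preset rules, both locally and by round-tripping the information through a "network device" as JSON. The RelevantInfo structure, the sample data and the preset names are constructed assumptions.

```python
from dataclasses import dataclass, asdict
import json


@dataclass
class RelevantInfo:
    """One item of 'relevant information' extracted in step S1 (assumed layout)."""
    kind: str          # "process" (S11), "program" (S12) or "file" (S13)
    name: str          # process name, program name, or file/folder name
    detail: str = ""   # handle/thread count, registry value, path, etc.


# Constructed sample of what step S1 might extract; a1, a2, a3 follow the text.
EXTRACTED = [
    RelevantInfo("process", "monitor_agent.exe", "handles=120 threads=8"),  # a1
    RelevantInfo("process", "encrypt_svc.exe", "handles=45 threads=3"),     # a2
    RelevantInfo("process", "notepad.exe", "handles=30 threads=2"),         # a3
    RelevantInfo("program", "Example Monitor", r"HKLM\Software\ExampleMonitor"),
    RelevantInfo("program", "Solitaire", r"HKLM\Software\Solitaire"),
    RelevantInfo("file", "policy.cfg", r"C:\ExampleMonitor\policy.cfg"),
    RelevantInfo("file", "notes.txt", r"C:\Users\alice\notes.txt"),
]

# Preset rules (assumed): the names the administrator wants protected.
# Matching on a name alone is a weak identity (a renamed binary is not
# matched); a production agent would pin by signer or hash as well.
PRESET = {
    "process": {"monitor_agent.exe", "encrypt_svc.exe"},
    "program": {"Example Monitor"},
    "file": {"policy.cfg"},
}


def select_local(infos, preset):
    """Step S2 performed on the computer itself: keep items whose name matches."""
    selected = []
    for info in infos:
        wanted = {n.lower() for n in preset.get(info.kind, ())}
        if info.name.lower() in wanted:
            selected.append(info)
    return selected


def serialize(infos):
    """Wire format for step S21 (JSON list of the dataclass fields)."""
    return json.dumps([asdict(i) for i in infos])


def deserialize(payload):
    return [RelevantInfo(**d) for d in json.loads(payload)]


def network_device_select(payload, preset):
    """Step S22 as seen from the network device: receive, match, return subset."""
    return serialize(select_local(deserialize(payload), preset))


def select_protected_objects(infos, preset, via_network=False):
    """Steps S2 (local) or S21-S23 (via the network device); same result either way."""
    if via_network:
        return deserialize(network_device_select(serialize(infos), preset))
    return select_local(infos, preset)


if __name__ == "__main__":
    for obj in select_protected_objects(EXTRACTED, PRESET, via_network=True):
        print(f"protect {obj.kind}: {obj.name}")
```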
In step S3, the security system starts at least one second process that monitors the protected object, so as to prevent the user from performing malicious operations on the protected object. There may be one second process or multiple second processes.
Specifically, the security system starts a corresponding second process according to the type of the protected object; the second process monitors the user's operations on the protected object according to the protection rule corresponding to each type, and stops the operation when a malicious operation is detected.
The protection rule corresponding to each type includes but is not limited to: forbidding deletion of the protected object, forbidding modification of the protected object, etc.
For example, the protected objects determined by the security system include a first process b1, a program b2, and a folder b3 on drive C. According to the preset rule that forbids terminating a protected first process, the security system starts a second process B1 that monitors the first process b1 and watches the user's operations in the task manager through B1; when the user selects the first process b1 in the task manager and clicks the end-process button, the second process B1 detects this operation, determines that it is a malicious operation, intercepts it and makes it invalid, so as to forbid terminating the first process b1. According to the preset rule that forbids modifying or deleting a protected program, the security system starts a second process B2 that monitors the program b2 and watches the user's operations on the registry information corresponding to b2 through B2; when the user modifies a value in the registry information of b2, the second process B2 detects this operation, determines that it is malicious, intercepts it and makes it invalid, so as to forbid modification of the registry information of the program b2. According to the preset rule that forbids deleting or modifying a protected folder or file, the security system starts a second process B3 that monitors each disk partition of the computer and watches the user's operations on the folder b3 on drive C through B3; when the user performs an operation that deletes a file b3' located in the folder b3, the second process B3 detects this operation, determines that it is malicious, intercepts it and makes it invalid, so as to forbid deletion of the file b3'.
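As an added example of the type-specific protection rules in step S3 (written for this page, not code from the patent; the object names b1, b2, b3 and b3' follow the text, everything else is assumed), the following Python models a second process as a policy check that intercepts and denies forbidden operations on the protected objects, including a file inside a protected folder:

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProtectedObject:
    kind: str    # "process", "program" or "file"
    name: str    # process name, program name, or folder/file path


@dataclass(frozen=True)
class Operation:
    action: str  # "terminate", "modify", "delete", "read", ...
    kind: str    # kind of the target the user is acting on
    target: str  # process name, program name, or path


# Protection rule per object type: the actions that are forbidden (assumed table,
# following the text: no terminating processes, no modifying/deleting programs
# or folders/files).
RULES = {
    "process": {"terminate"},
    "program": {"modify", "delete"},
    "file": {"modify", "delete"},
}


def covers(obj, op):
    """Does protected object `obj` cover the target of `op`?

    For folders the check is by path prefix, so deleting b3' inside b3 is
    covered; Windows paths compare case-insensitively via PureWindowsPath.
    """
    if obj.kind != op.kind:
        return False
    if obj.kind == "file":
        base, target = PureWindowsPath(obj.name), PureWindowsPath(op.target)
        return target == base or base in target.parents
    return obj.name.lower() == op.target.lower()


def evaluate(op, protected, rules=RULES):
    """Return ("deny", reason) for a malicious operation, ("allow", "") otherwise."""
    for obj in protected:
        if covers(obj, op) and op.action in rules[obj.kind]:
            return ("deny", f"{op.action} on protected {obj.kind} {obj.name}")
    return ("allow", "")


def monitor(ops, protected):
    """The second process's loop over observed operations, one decision each."""
    return [evaluate(op, protected) for op in ops]


# Constructed sample: the protected objects b1, b2, b3 and a few user operations.
PROTECTED = [
    ProtectedObject("process", "b1.exe"),
    ProtectedObject("program", "b2"),
    ProtectedObject("file", r"C:\b3"),
]
OPERATIONS = [
    Operation("terminate", "process", "b1.exe"),          # end-process on b1
    Operation("modify", "program", "b2"),                 # registry edit of b2
    Operation("delete", "file", r"C:\b3\b3_prime.txt"),   # delete b3' inside b3
    Operation("read", "file", r"C:\b3\b3_prime.txt"),     # reading is not a rule
    Operation("terminate", "process", "notepad.exe"),     # not a protected object
    Operation("delete", "file", r"C:\b3extra\x.txt"),     # sibling folder, not b3
]

if __name__ == "__main__":
    for op, (verdict, why) in zip(OPERATIONS, monitor(OPERATIONS, PROTECTED)):
        print(f"{verdict:5} {op.action} {op.target} {why}")
```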
Preferably, the security system starts a single second process, which monitors the user's operations on all protected objects according to the preset protection rule corresponding to the type of each piece of software, and stops the operation when a malicious operation is detected.
It should be noted that the manner in which this second process monitors the user's operations on all protected objects according to the preset protection rules and stops a malicious operation when it is detected is the same as or similar to the manner described above in step S3, and is not described in detail here.
As a preferred solution, step S3 further includes: the security system starts multiple second processes, which monitor each other; when at least one of the second processes is detected to have terminated, the other second processes restart the terminated second process.
It should be noted that those skilled in the art should understand that the manner in which the second processes monitor each other is the same as or similar to the manner in which the second process monitors the protected first process described above, and is not described in detail here.
For example, the security system starts three second processes c1, c2, c3, where c1 monitors c2, c2 monitors c3, and c3 monitors c1; when c2 detects that c3 has terminated, c2 restarts c3.
More preferably, step S3 further includes: when the last second process receives an END instruction, the security system forbids the user from operating the computer. The manner of forbidding the user from operating the computer includes but is not limited to: making the computer blue-screen, or making the computer restart.
For example, the security system starts only one second process; when the user performs an end operation on that second process through the task manager, the second process restarts the computer in response to the end operation, so as to prevent the user from first terminating the second process and then maliciously operating on the determined protected objects.
As another example, the security system starts multiple second processes; when the user performs an end operation on all of the second processes through a force-termination instruction, each second process, on receiving the end operation, searches the current task manager to determine whether any other second process is still running; when the last second process receives the END instruction, it starts a program that blue-screens the computer, so as to forbid the user from performing any operation on the computer.
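As an added example of the mutual monitoring of the second processes c1, c2, c3 and of the last-process END handling (a simulation written for this page, not the patent's implementation; the process table, the ring layout and the function names are assumptions), the following Python models the watchdog ring in memory and returns a lockdown decision instead of actually blue-screening or restarting anything:

```python
from dataclasses import dataclass, field


@dataclass
class SecondProcessTable:
    """Stand-in for the task manager's view of the second processes (assumed)."""
    running: set = field(default_factory=set)
    restarts: list = field(default_factory=list)   # (watcher, restarted) history

    def start(self, name):
        self.running.add(name)

    def end(self, name):
        self.running.discard(name)


def build_ring(names):
    """Ring of watchers: c1 watches c2, c2 watches c3, c3 watches c1."""
    return {names[i]: names[(i + 1) % len(names)] for i in range(len(names))}


def watchdog_tick(table, ring):
    """One monitoring round: every running watcher restarts its watched peer if
    that peer has ended. A watcher that is itself ended cannot restart anyone."""
    restarted = []
    for watcher, watched in ring.items():
        if watcher in table.running and watched not in table.running:
            table.start(watched)
            restarted.append((watcher, watched))
    table.restarts.extend(restarted)
    return restarted


def on_end_instruction(table, ring, name):
    """Second process `name` receives an END instruction. It checks whether any
    other second process is still running; if it was the last one, the method
    forbids further user operation (the text uses a blue screen or restart; here
    that is reported as a decision string)."""
    table.end(name)
    survivors = [p for p in ring if p in table.running]
    return "ended" if survivors else "lockdown"


def simulate_force_kill_all(table, ring):
    """User force-terminates every second process with no tick in between."""
    return [on_end_instruction(table, ring, name) for name in list(ring)]


if __name__ == "__main__":
    table, ring = SecondProcessTable(), build_ring(["c1", "c2", "c3"])
    for name in ring:
        table.start(name)
    print(on_end_instruction(table, ring, "c3"), watchdog_tick(table, ring))
    print(simulate_force_kill_all(table, ring))
```

Because a single kill is undone on the next tick but a simultaneous kill of all three leaves no watcher alive, the ring alone is not sufficient, which is why the method adds the last-process END handling.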
As another preferred solution, the second process started by the security system also monitors the user's operations on the files stored in the computer and forbids the execution of any file having a preset file suffix. The preset file suffixes include but are not limited to: bat, msi, iso, exe, etc.
The manner in which the second process monitors the user's operations on the files stored in the computer includes but is not limited to: 1) directly monitoring the user's operations on the files stored in the computer; 2) monitoring all first processes of the computer through the task manager, where the second process determines whether the suffix of the program being run contains a preset file suffix; if it does, the file is forcibly terminated, and if it does not, the operation of each first process is allowed.
In summary, the security method for preventing malicious sabotage of software in a computer of the present invention extracts relevant information about the various kinds of software in the computer and selects the software corresponding to at least one item of that information for protection, and can thus effectively defend against malicious sabotage of critical software by a user. In addition, the second processes used for monitoring monitor each other, and when at least one second process is terminated the other second processes restart it, which effectively prevents a user from first terminating the second process that protects the critical software and then maliciously operating on that software. Further, for the case where the user terminates all of the second processes, the last second process, on receiving the END instruction, forbids every operation by the user, so as to avoid malicious sabotage of the critical software. Moreover, the second process also prevents the execution of files with preset suffixes, so as to prevent a user from using hacker programs with those suffixes to destroy the critical software in the computer. Therefore, the present invention effectively overcomes various shortcomings of the prior art and has high industrial utility.
The above embodiments merely illustrate the principle and effects of the present invention and are not intended to limit it. Anyone skilled in the art may modify or change the above embodiments without departing from the spirit and scope of the present invention. Therefore, all equivalent modifications or changes made by persons of ordinary skill in the art without departing from the spirit and technical idea disclosed herein shall be covered by the claims of the present invention.

Claims (8)

1. A security method for preventing malicious sabotage of software in a computer, characterised in that it at least includes:
Step 1) extracting relevant information about at least one piece of software in the computer, where the software includes at least one of the following: a first process running in the computer, a program installed on the computer, or a folder/file stored in the computer;
Step 2) determining at least one item of relevant information from the extracted relevant information, and taking the software corresponding to the determined relevant information as the object to be protected;
Step 3) starting multiple second processes that monitor the protected object, so as to prevent a user from performing malicious operations on the protected object;
wherein step 3) further includes: the multiple second processes monitor each other, and when at least one of the second processes is detected to have terminated, the other second processes restart the terminated second process.
2. The security method for preventing malicious sabotage of software in a computer according to claim 1, characterised in that the relevant information includes at least one of the following: process information of the first process, registry information of the program, or folder information/file information of the folder/file.
3. The security method for preventing malicious sabotage of software in a computer according to claim 1, characterised in that step 1) further includes: sending each item of extracted relevant information to a network device.
4. The security method for preventing malicious sabotage of software in a computer according to claim 3, characterised in that step 2) further includes: the network device determines at least one item of relevant information from the received relevant information and returns the determined relevant information to the computer; the computer then takes the software corresponding to the determined relevant information as the object to be protected.
5. The security method for preventing malicious sabotage of software in a computer according to claim 1, characterised in that step 3) further includes: when the last second process receives an END instruction, the user is forbidden from operating the computer.
6. The security method for preventing malicious sabotage of software in a computer according to claim 5, characterised in that the manner of forbidding the user from operating the computer includes at least one of the following: making the computer blue-screen, or making the computer restart.
7. The security method for preventing malicious sabotage of software in a computer according to claim 1, characterised in that step 3) further includes: the second process monitors the user's operations on the protected object according to the protection rule corresponding to the type of the protected object, and stops the operation when a malicious operation is detected.
8. The security method for preventing malicious sabotage of software in a computer according to claim 1, characterised in that step 3) further includes: the second process monitors the user's operations on the files stored in the computer and forbids the execution of any file having a preset file suffix.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210349015.XA CN102902913B (en) 2012-09-19 2012-09-19 Security method for preventing malicious sabotage of software in a computer

Publications (2)

Publication Number Publication Date
CN102902913A CN102902913A (en) 2013-01-30
CN102902913B true CN102902913B (en) 2016-08-03

Family

ID=47575140

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210349015.XA Expired - Fee Related CN102902913B (en) 2012-09-19 2012-09-19 Security method for preventing malicious sabotage of software in a computer

Country Status (1)

Country Link
CN (1) CN102902913B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9411959B2 (en) * 2014-09-30 2016-08-09 Juniper Networks, Inc. Identifying an evasive malicious object based on a behavior delta
CN106096391B (en) * 2016-06-02 2019-05-03 珠海豹趣科技有限公司 A kind of course control method and user terminal
CN106203107A (en) * 2016-06-29 2016-12-07 北京金山安全软件有限公司 Method and device for preventing system menu from being maliciously modified and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895540A (en) * 2010-07-12 2010-11-24 中兴通讯股份有限公司 Daemon system and method for application service
CN101894243A (en) * 2010-06-24 2010-11-24 北京安天电子设备有限公司 Immunization method of malicious plugins aiming at network browser
CN102222183A (en) * 2011-04-28 2011-10-19 奇智软件(北京)有限公司 Mobile terminal software package safety detection method and system thereof
CN102629310A (en) * 2012-02-29 2012-08-08 卡巴斯基实验室封闭式股份公司 System and method for protecting computer system from being infringed by activities of malicious objects

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8528087B2 (en) * 2006-04-27 2013-09-03 Robot Genius, Inc. Methods for combating malicious software

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101894243A (en) * 2010-06-24 2010-11-24 北京安天电子设备有限公司 Immunization method of malicious plugins aiming at network browser
CN101895540A (en) * 2010-07-12 2010-11-24 中兴通讯股份有限公司 Daemon system and method for application service
CN102222183A (en) * 2011-04-28 2011-10-19 奇智软件(北京)有限公司 Mobile terminal software package safety detection method and system thereof
CN102629310A (en) * 2012-02-29 2012-08-08 卡巴斯基实验室封闭式股份公司 System and method for protecting computer system from being infringed by activities of malicious objects

Also Published As

Publication number Publication date
CN102902913A (en) 2013-01-30

Similar Documents

Publication Publication Date Title
Falliere et al. W32.Stuxnet dossier
EP3472746B1 (en) Systems and methods for remediating memory corruption in a computer application
JP6212548B2 (en) Kernel-level security agent
Wang et al. Detecting stealth software with strider ghostbuster
US7669059B2 (en) Method and apparatus for detection of hostile software
CN101359355B (en) Method for raising user's authority for limitation account under Windows system
US8898775B2 (en) Method and apparatus for detecting the malicious behavior of computer program
US10810027B2 (en) Capturing components of an application using a sandboxed environment
CN104008330B (en) Based on file is centrally stored and anti-data-leakage system of isolation technology and its method
CN102880817A (en) Running protection method for computer software product
JP2010146457A (en) Information processing system and program
CN109800571B (en) Event processing method and device, storage medium and electronic device
CN102902913B (en) Prevent the security method of software in malicious sabotage computer
CN108256332A (en) A kind of method of the BIOS startup passwords setting based on IPMI orders
CN110688653A (en) Client security protection method and device and terminal equipment
KR101974989B1 (en) Method and apparatus for determining behavior information corresponding to a dangerous file
JP6164508B2 (en) Data processing system security apparatus and security method
US10223092B2 (en) Capturing and deploying applications using maximal and minimal sets
CN106682493B (en) A kind of method, apparatus for preventing process from maliciously being terminated and electronic equipment
CN105453104B (en) System protection file security control device and management method
JP2008176352A (en) Computer program, computer device and operation control method
CN115086081B (en) Escape prevention method and system for honeypots
US10223413B2 (en) Capturing components of an application using a static post-installation analysis of the system
CN114861160A (en) Method, device, equipment and storage medium for improving non-administrator account authority
CN102222185A (en) Method for preventing operating system starting file from being infected

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20160803
Termination date: 20190919