CN105608372B - Method and apparatus for detecting whether an application is flagged as malicious by antivirus software - Google Patents
- Publication number
- CN105608372B
- Authority
- CN
- China
- Prior art keywords
- pop
- antivirus software
- application
- detection
- detected
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Stored Programmes (AREA)
Abstract
The present invention provides a method and apparatus for detecting whether an application is flagged as malicious by antivirus software. The method comprises: executing the application under test in a pop-up detection environment; detecting, according to pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, or detecting whether the files of the application under test are complete; and determining, based on the detection result, whether the application under test is flagged by the antivirus software. By executing the application under test in the pop-up detection environment, and by detecting virus-alert pop-ups and the integrity of the application's files, the invention approximates the real environment of a client that has antivirus software installed and runs the application, and can therefore detect automatically and effectively whether a client application is flagged by antivirus software.
Description
[Technical field]
The present invention relates to the field of computer technology, and in particular to a method and apparatus for detecting whether an application is flagged as malicious by antivirus software.
[Background art]
The Internet is a fiercely competitive arena, and client application products are often flagged as malicious by certain antivirus software. Once a client application has been flagged, users usually stop using it.
There are two situations in which a client application is flagged by antivirus software:
One is that the antivirus software flags it maliciously, or by false positive;
The other is that the developer is unfamiliar with virus signatures and has written code that contains virus signatures.
In either situation, however, the client application is actually harmless, so the antivirus software flagging a harmless client application damages the product's image and misleads users.
The prior art generally uses two methods to check whether an application is flagged by antivirus software:
One is to submit the file to a dedicated virus-checking website, whose principle is to run a cloud scan on the client file. This method is simple, but its drawback is that it does not reflect the user's real situation: a user typically installs one particular antivirus product, and that product then performs both local scanning and cloud scanning of the file;
The other is to install the antivirus software by hand and then check manually whether it raises a pop-up. The drawback of this method is that it is time-consuming and cannot provide long-term monitoring.
The prior art offers no way to detect, automatically and effectively and under conditions close to the user's real situation, whether an application is flagged by antivirus software.
[Summary of the invention]
The present invention provides a method and apparatus for detecting whether an application is flagged as malicious by antivirus software, so that this can be detected automatically and effectively.
The specific technical solution is as follows:
The present invention provides a method for detecting whether an application is flagged as malicious by antivirus software, the method comprising:
executing the application under test in a pop-up detection environment, and detecting, according to pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, or detecting whether the files of the application under test are complete;
determining, based on the detection result, whether the application under test is flagged by the antivirus software.
According to a preferred embodiment of the present invention, the method further comprises: preparing the pop-up detection environment according to a list of the antivirus software to be checked.
According to a preferred embodiment of the present invention, preparing the pop-up detection environment comprises:
installing and running antivirus software according to the list of antivirus software to be checked;
starting a detection process for antivirus pop-ups.
According to a preferred embodiment of the present invention, the antivirus software list and the pop-up configuration information are obtained by a main detection device, which distributes the antivirus software and the pop-up configuration information corresponding to it to slave detection devices;
the preparation of the detection environment and the detection are performed by the slave detection devices.
According to a preferred embodiment of the present invention, the antivirus software list and the pop-up configuration information are maintained by the cloud and delivered to the main detection device.
According to a preferred embodiment of the present invention, detecting, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application comprises:
monitoring the function in the antivirus software that creates pop-ups;
when the function that creates pop-ups is called, determining whether the pop-up window information generated in the function matches the pop-up configuration information;
if it matches, determining that there is a pop-up for the application.
According to a preferred embodiment of the present invention, detecting whether the files of the application under test are complete comprises:
obtaining a pre-generated file list of the application under test;
comparing that file list with the file list of the application under test in the installation directory;
if the comparison shows that they are identical, determining that the files of the application under test are complete;
otherwise the files of the application under test are incomplete.
According to a preferred embodiment of the present invention, if the detection result is that there is a pop-up for the application under test, it is determined that the application under test is flagged by the antivirus software;
if the detection result is that there is no pop-up and the files of the application under test are complete, it is determined that the application under test is not flagged by the antivirus software.
According to a preferred embodiment of the present invention, if the detection result is that there is no pop-up but the files of the application under test are incomplete:
it is determined whether the pop-up configuration information has become invalid;
if it has, it is determined that the application under test is flagged by the antivirus software;
if the pop-up configuration information has not become invalid, it is determined that the application under test is not flagged by the antivirus software.
According to a preferred embodiment of the present invention, executing the application under test in the pop-up detection environment comprises: installing, uninstalling, upgrading and running the application under test in the pop-up detection environment.
The present invention also provides an apparatus for detecting whether an application is flagged as malicious by antivirus software, the apparatus comprising:
a detection unit, for executing the application under test in a pop-up detection environment, and detecting, according to pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, or detecting whether the files of the application under test are complete;
a determination unit, for determining, based on the detection result, whether the application under test is flagged by the antivirus software.
According to a preferred embodiment of the present invention, the apparatus further comprises a preparation unit arranged in the slave detection device, for preparing the pop-up detection environment according to the list of antivirus software to be checked.
According to a preferred embodiment of the present invention, the preparation unit prepares the pop-up detection environment by performing the following operations:
installing and running antivirus software according to the list of antivirus software to be checked;
starting a detection process for antivirus pop-ups.
According to a preferred embodiment of the present invention, the detection unit and the determination unit are arranged in the slave detection device;
the apparatus further comprises an acquiring unit arranged in the main detection device, for obtaining the antivirus software list and the pop-up configuration information, and distributing the antivirus software and the pop-up configuration information corresponding to it to the slave detection devices.
According to a preferred embodiment of the present invention, the antivirus software list and the pop-up configuration information are maintained by the cloud and delivered to the main detection device.
According to a preferred embodiment of the present invention, the detection unit further comprises a pop-up detection unit, for monitoring the function in the antivirus software that creates pop-ups; when the function that creates pop-ups is called, determining whether the pop-up window information generated in the function matches the pop-up configuration information; and, if it matches, determining that there is a pop-up for the application.
According to a preferred embodiment of the present invention, the detection unit further comprises a file detection unit, for obtaining a pre-generated file list of the application under test; comparing that file list with the file list of the application under test in the installation directory; if the comparison shows that they are identical, determining that the files of the application under test are complete; otherwise the files of the application under test are incomplete.
According to a preferred embodiment of the present invention, if the detection result is that there is a pop-up for the application under test, the determination unit determines that the application under test is flagged by the antivirus software;
if the detection result is that there is no pop-up and the files of the application under test are complete, the determination unit determines that the application under test is not flagged by the antivirus software.
According to a preferred embodiment of the present invention, if the detection result is that there is no pop-up but the files of the application under test are incomplete, the determination unit determines whether the pop-up configuration information has become invalid;
if it has, it is determined that the application under test is flagged by the antivirus software;
if the pop-up configuration information has not become invalid, it is determined that the application under test is not flagged by the antivirus software.
According to a preferred embodiment of the present invention, executing the application under test in the pop-up detection environment comprises: installing, uninstalling, upgrading and running the application under test in the pop-up detection environment.
As can be seen from the above technical solutions, the present invention executes the application under test in a pop-up detection environment and detects virus-alert pop-ups and the integrity of the application's files. It thereby approximates the real environment of a client that has antivirus software installed and runs the application, and can detect automatically and effectively whether a client application is flagged by antivirus software.
[Brief description of the drawings]
Fig. 1 is a flow chart of a method, provided by Embodiment one of the present invention, for detecting whether an application is flagged as malicious by antivirus software;
Fig. 2 is a flow chart of a method, provided by Embodiment one of the present invention, for preparing the pop-up detection environment;
Fig. 3 is a schematic structural diagram of an apparatus, provided by Embodiment two of the present invention, for detecting whether an application is flagged as malicious by antivirus software.
[Detailed description of the embodiments]
The present invention detects whether a client application is flagged by antivirus software mainly from two aspects: first, detecting whether an antivirus pop-up is raised for the application under test; second, detecting whether files under the installation directory of the application under test have been deleted.
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the drawings and specific embodiments.
Embodiment one
Fig. 1 is a flow chart of a method, provided by Embodiment one of the present invention, for detecting whether an application is flagged as malicious by antivirus software. As shown in Fig. 1, the method proceeds as follows:
101. Prepare the pop-up detection environment according to the list of antivirus software to be checked.
This step provides the detection environment for detecting whether an antivirus pop-up is raised for the application under test and for detecting whether files under the installation directory of the application under test have been deleted.
Fig. 2 is a flow chart of a method, provided by Embodiment one of the present invention, for preparing the pop-up detection environment. As shown in Fig. 2, preparing the pop-up detection environment can be further divided into the following steps:
1011. Maintain the list of antivirus software to be checked and the pop-up configuration information of that antivirus software, and deliver them to the main detection device.
The antivirus software list records the antivirus software that may flag the client application under test.
Because there are many antivirus products, the list can be generated from the top-ranked ones. The ranking can be produced by a professional body that orders existing antivirus software by importance, prevalence or similar rules, so that the top-ranked antivirus software is used to generate the list; alternatively, the development side of the application product can decide, according to actual needs, which antivirus software to monitor and check.
Antivirus pop-ups can be either virus-alert pop-ups or non-alert pop-ups, and an alert pop-up may in turn be raised for different applications. To determine whether the antivirus software is flagging the application under test, this embodiment can therefore use the pop-up configuration information corresponding to each antivirus product to distinguish alert pop-ups from non-alert pop-ups, and to identify the specific application that the pop-up flags.
Specifically, the pop-up configuration information uniquely identifies the alert pop-up of the antivirus software in question. The pop-up configuration information of the antivirus software includes the window title, class name, window handle and so on. With it, one can tell whether a generated pop-up is aimed at the application under test, and can confirm that it is an alert pop-up rather than some other pop-up of the antivirus software.
In addition, because the identifiers of an antivirus pop-up may change, a cloud-maintained library of antivirus pop-up identifiers can be used: a feature library is built for the pop-up identifiers of each antivirus product, so that the pop-up configuration information can be delivered to the main detection device (the Master device) when needed.
To allow flexible control over the list of antivirus software to be checked, the antivirus software list can also be maintained by the cloud and delivered by the cloud to the Master device.
1012. The main detection device obtains the antivirus software list and the pop-up configuration information, and distributes the antivirus software and the pop-up configuration information corresponding to it to the slave detection devices.
In this step, the main detection device can schedule the slave detection devices (Slave devices) and distribute the obtained antivirus software and pop-up configuration information to them.
The main detection device can select one antivirus product from the antivirus software list and distribute it, together with its corresponding pop-up configuration information, to one of the multiple slave detection devices. It can then select another antivirus product from the list and distribute that product and its corresponding pop-up configuration information to another slave detection device. A Master-Slave distributed architecture thus spreads the antivirus software in the list across multiple slave detection devices for pop-up detection; Slave nodes can easily be added or removed, which improves detection efficiency.
The main detection device enables each slave detection device to obtain and run the corresponding antivirus software either by assigning it an antivirus software ID, from which the slave detection device fetches the antivirus software code, or by distributing the antivirus software code to the slave detection device directly.
1013. Prepare the pop-up detection environment.
In this step, preparing the pop-up detection environment may include:
installing and running antivirus software according to the list of antivirus software to be checked: the Master device uses the list to distribute the antivirus software to be checked to each Slave device, and each Slave device installs and runs the antivirus software distributed to it;
the Slave device starts the detection process for antivirus pop-ups.
102. Execute the application under test in the pop-up detection environment, and detect, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, or detect whether the files of the application under test are complete.
Detecting, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application under test may include the following process:
The client application is executed on the Slave device; executing the application may include installing, uninstalling, upgrading, running and so on. While the application executes, the function in the antivirus software that creates pop-ups is monitored. When that function is called, it is determined whether the pop-up window information generated in the function matches the pop-up configuration information; if it matches, the application is determined to be flagged by the antivirus software.
Specifically, antivirus software has to call the pop-up-creating function whenever it raises a pop-up. By continuously monitoring that function and, whenever it is called, comparing the generated pop-up window information (title, class name, window handle and so on) with the obtained pop-up configuration information, one can identify whether the antivirus software has raised an alert pop-up. The identifying items in the pop-up configuration information (title, class name, window handle and so on) can be information that uniquely identifies a pop-up and is not prone to change.
If the comparison finds that the generated window's title, handle or class name hits the antivirus software's pop-up configuration information, the application under test is determined to be flagged by the antivirus software.
The antivirus pop-up detection process can be used to monitor the pop-up-creating function in the antivirus software and check whether the pop-up hits the content of the pop-up configuration information. A hit means that the antivirus software has raised an alert pop-up for the client application under test.
Preferably, because antivirus software generally has self-protection features, it itself runs at the ring0 layer of the operating system, which has very high privilege: from this layer the data of all layers can be accessed, whereas other drivers sit at ring1 and ring2, and each layer can access only its own data and that of less privileged layers. The antivirus pop-up detection process can therefore be made to monitor at the ring0 layer of the operating system. A hook can be used to monitor the function with which the antivirus software creates pop-ups, so as to detect whether a generated pop-up matches the antivirus pop-up identifiers (one of title, class name, handle) and thereby determine whether the antivirus software has flagged the client application under test.
By monitoring the pop-up function at the ring0 layer of the operating system, any pop-up that the antivirus software raises on the client can be detected accurately and efficiently.
During antivirus testing, only the client application is being operated, no other product is being operated, and the operating system itself is clean, so an alert pop-up from the antivirus software is generally aimed at the client application currently being operated, although exceptions are possible. To guard against such exceptions, when a pop-up hits the content of the pop-up configuration information, a screenshot of the pop-up can be taken and saved to a designated location on the slave detection device. The purpose of the screenshot is that, after the Master sends it by e-mail to the project team members, they can manually re-check whether this pop-up was aimed at the client application under test. When the screenshot is taken, the position information of the window can be recorded.
Detecting whether the files of the application are complete may include the following process:
Obtain the pre-generated file list of the application under test; compare that file list with the file list of the application under test in the installation directory; if the comparison shows that they are identical, the files of the application under test are determined to be complete; otherwise the files of the application under test are incomplete.
The file list of the application under test in the installation directory can be the system registry, and the slave detection device can obtain in advance, from an external source, the complete file list of the application being executed. By comparing the file list obtained in advance with the system registry during execution, it can be checked whether the registry is modified when the application under test performs basic operations.
The file-integrity check can be performed by the Slave device while it carries out the basic operations of the application: it can check usage behavior while the application is in use, installation behavior while the application is being installed, and uninstall or upgrade behavior as well.
In addition, the basic operations of the application, such as installing, uninstalling, upgrading and running, can be carried out automatically by the Slave device, with the automation implemented in code; alternatively, these basic operations can be completed manually.
103. Determine, based on the detection result, whether the application under test is flagged by the antivirus software.
When detecting whether the application under test is flagged by antivirus software, at least the following detection results are possible: there is a pop-up for the application under test; there is no pop-up but the application's files are incomplete; there is no pop-up and the application's files are complete.
First, if the detection result is that there is a pop-up for the application under test, the application is determined to be flagged by the antivirus software, regardless of whether its files are complete;
Second, if the detection result is that there is no pop-up and the application's files are complete, the application is determined not to be flagged by the antivirus software.
Third, if the detection result is that there is no pop-up but the application's files are incomplete, further judgment is needed.
For the third case, specifically: if the files of the application under test are incomplete but there is no pop-up, it may be that the antivirus software did flag the application under test but no pop-up was detected because the antivirus pop-up information had become invalid; or it may be that the application's files are incomplete for a reason other than flagging by the antivirus software. To distinguish these two situations, it is first determined whether the pop-up configuration information has become invalid. If it has, the application is determined to be flagged by the antivirus software; if the pop-up configuration information has not become invalid, the application under test is determined not to be flagged by the antivirus software.
Pop-up configuration information can become invalid because the antivirus software's pop-up configuration changes, so that the pop-up goes undetected: after the change, if none of the title, handle, class name and so on can be hit, the pop-up of the antivirus software can no longer be monitored.
The problem that the pop-up configuration information may change can be addressed in the following two ways:
First, if files under the installation directory are found to have been deleted but the antivirus software raised no pop-up, the antivirus pop-up configuration is considered possibly invalid. The information is reported to the server, and the server checks whether the pop-up configuration information of this antivirus software has become invalid; if it has, the antivirus pop-up configuration information in the cloud is updated.
Second, periodically check whether the pop-up configuration information of the antivirus software is still valid.
Automatic reporting of suspected changes to antivirus pop-up information, combined with periodic checks, ensures that the cloud-maintained pop-up configuration information for antivirus pop-ups does not become invalid.
If the pop-up configuration information is determined by the above means not to be invalid, but the full execution of the application under test has not yet finished (for example, installation and running have been monitored but other operations such as upgrade or uninstall have not yet been performed), the antivirus pop-up detection process can continue to run and monitor the remaining basic operations of the application under test, so that the whole execution process is fully monitored for possible flagging by the antivirus software.
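The checks of step 102 and the three-way decision of step 103 (also stated in the summary above), as an added Python example that is not part of the patent text. The class and function names, the `stale` flag, the window titles and the file names are assumptions constructed for illustration; matching on any one configured identifier follows the description's "one of title, class name, handle" wording, and the runtime window handle is left out.

```python
"""Verdict logic of steps 102-103, run over constructed sample data."""
import os
import tempfile
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set


class Verdict(Enum):
    FLAGGED = "flagged by antivirus software"
    NOT_FLAGGED = "not flagged"


@dataclass(frozen=True)
class PopupConfig:
    # Identifiers named in the description (window handle omitted here).
    # `stale` is an assumed flag: the server-side finding that this
    # configuration no longer matches the product's alert window.
    title: Optional[str] = None
    class_name: Optional[str] = None
    stale: bool = False


@dataclass(frozen=True)
class WindowEvent:
    # One observed call to the monitored pop-up function (constructed record).
    title: str
    class_name: str


def popup_hit(events: Iterable[WindowEvent], cfg: PopupConfig) -> bool:
    """True if any observed window hits one configured identifier."""
    for ev in events:
        if cfg.title is not None and ev.title == cfg.title:
            return True
        if cfg.class_name is not None and ev.class_name == cfg.class_name:
            return True
    return False


def installed_files(install_dir: str) -> Set[str]:
    """Relative paths (forward slashes) of every file under install_dir."""
    found = set()
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), install_dir)
            found.add(rel.replace(os.sep, "/"))
    return found


def files_complete(manifest: Iterable[str], install_dir: str) -> bool:
    """Complete only if the on-disk list is identical to the manifest."""
    return set(manifest) == installed_files(install_dir)


def verdict(hit: bool, complete: bool, cfg: PopupConfig) -> Verdict:
    if hit:          # alert pop-up seen: flagged, file state is irrelevant
        return Verdict.FLAGGED
    if complete:     # no pop-up and nothing removed
        return Verdict.NOT_FLAGGED
    # No pop-up but files differ: flagged only if the config is invalid.
    return Verdict.FLAGGED if cfg.stale else Verdict.NOT_FLAGGED


def run_case(events, cfg, delete=None) -> Verdict:
    """Build a constructed install directory, optionally remove one file
    (standing in for a quarantined file), and return the verdict."""
    manifest = ["app.exe", "lib/core.dll", "lib/update.dll"]
    with tempfile.TemporaryDirectory() as d:
        for rel in manifest:
            path = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
        if delete:
            os.remove(os.path.join(d, *delete.split("/")))
        return verdict(popup_hit(events, cfg), files_complete(manifest, d), cfg)


if __name__ == "__main__":
    config = PopupConfig(title="Threat detected", class_name="ExampleAvAlertWnd")
    tray = WindowEvent("Update available", "ExampleAvTrayWnd")
    print(run_case([tray], config, delete="lib/update.dll").value)
```

The case that matters operationally is the last branch: a missing file with no matching pop-up is only counted as flagging once the configuration has been confirmed invalid, which is why the description reports such cases to the server.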
104. The main detection device aggregates and outputs the detection results.
In this step, after the Slave device has checked whether there is an antivirus pop-up screenshot and whether the files under the installation directory are complete, it returns the result to the Master device. The Master device merges these results and outputs them.
The results can be output to the relevant testers by e-mail.
After receiving the e-mail, a tester can manually re-check the pop-up screenshot in order to analyse the flagging of the client application, or check whether files were deleted by the antivirus software in question. After manual screening of the detection results, other people, such as project team members, can be notified to handle the flagging incident.
Embodiment two,
Fig. 3 is a kind of detection application provided by Embodiment 2 of the present invention by the apparatus structure schematic diagram of antivirus software report poison.
As shown in figure 3, the apparatus may include the detection unit 2022 being set to from detection device 202 and determination unit 2023,
Middle detection unit 2022 may further include pop-up detection unit 2022A or file detection unit 2022B, in addition should be from detection
Equipment 202 can also include the preparatory unit 2021 being disposed therein;The device can also include being set to main detection device 201
Acquiring unit 2011, in addition, main detection device 201 can also include the result generation unit 2012 that is disposed therein.To this
Device is described in detail as follows:
Main detection device 201, the antivirus software list for detecting according to needs need to detect to from detection device distribution
Antivirus software, and be also used to summarize and output test result.
Main detection device 201 includes the acquiring unit 2011 that is disposed therein, for obtain the antivirus software list and
Pop-up configuration information, and antivirus software and pop-up configuration information corresponding with antivirus software are distributed to from detection device 202.
Wherein it is possible to the pop-up configuration information for the antivirus software list and antivirus software for needing to check by cloud maintenance
And it is handed down to main detection device 201.
Specifically, the antivirus software list records the antivirus software that may flag the client application under test as malicious.
The list can be generated from the top-ranked antivirus products, where the ranking can be produced by a professional organization that orders existing antivirus software by rules such as importance or prevalence. Alternatively, the development side of the application product can decide, according to actual needs, which antivirus software to monitor and test.
The pop-up configuration information corresponding to each antivirus product can be used to distinguish alert pop-ups from non-alert pop-ups, and to identify the specific application reported in the pop-up.
The pop-up configuration information uniquely identifies the alert pop-up of the antivirus product. It includes the window title, class name, window handle, and so on.
The master detection device 201 (or Master device) can schedule the slave detection devices (or Slave devices), distributing to them the antivirus software and pop-up configuration information obtained by the acquiring unit 2011.
The master detection device 201 can select one antivirus product from the antivirus software list and distribute it, together with its pop-up configuration information, to one of the multiple slave detection devices. It can then select another antivirus product from the list and distribute that product and its pop-up configuration information to another slave detection device. With this Master-Slave distributed architecture, the antivirus software in the list is spread across multiple slave detection devices for pop-up detection, Slave nodes can easily be added or removed, and detection efficiency improves.
The master detection device either assigns an antivirus software ID to each slave detection device, which then obtains the antivirus software code according to the ID, or distributes the antivirus software code directly to each slave detection device, so that the slave detection device obtains and runs the corresponding antivirus software.
The slave detection device 202 is configured to execute the application under test in the pop-up detection environment; to detect, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, or to detect whether the files of the application under test are complete; and to determine from the detection result whether the application under test is flagged as malicious by the antivirus software.
The slave detection device further includes a preparation unit 2021 for preparing the pop-up detection environment.
Specifically, the preparation unit can prepare the pop-up detection environment by performing the following operations:
Install and run the antivirus software according to the list of antivirus software to be tested;
Start the detection process for antivirus software pop-ups.
The master detection device 201 further includes a result generation unit 2012, configured to merge and output the detection results on whether the application is flagged as malicious by antivirus software.
The slave detection device 202 further includes a detection unit 2022, configured to execute the application under test in the pop-up detection environment and to detect, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, or to detect whether the files of the application under test are complete.
The detection unit 2022 includes a pop-up detection unit 2022A, configured to detect, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application under test. Specifically:
The Slave device starts executing the client application. Executing the application may include installing, uninstalling, upgrading, running, and so on. While the application executes, the pop-up detection unit 2022A monitors the function in the antivirus software that generates pop-ups. When that function is called, the unit determines whether the pop-up information generated in the function matches the pop-up configuration information. If it matches, the application is determined to be flagged as malicious by the antivirus software.
Because antivirus software must call the pop-up-generating function whenever it raises a pop-up, the pop-up detection unit 2022A continuously monitors that function to determine whether it is called. If it is called, the unit compares the generated pop-up information (title, class name, window handle, etc.) with the obtained pop-up configuration information to see whether they are identical, and can thereby identify whether the antivirus software has raised an alert pop-up. The identification information used as pop-up configuration information here, such as title, class name, and window handle, can be information that uniquely identifies a pop-up and does not change easily.
If the comparison finds that the generated window title, handle, or class name hits the pop-up configuration information of the antivirus software, the application under test is determined to be flagged as malicious by the antivirus software.
The pop-up detection unit 2022A can use the detection process for antivirus software pop-ups to monitor the pop-up-generating function in the antivirus software.
Preferably, the antivirus pop-up detection process monitors at the ring0 layer of the operating system, and a hook can be used to monitor the function with which the antivirus software generates pop-ups, so as to detect whether a generated pop-up matches the antivirus pop-up identifier (one of title, class name, or handle).
After determining that the application is flagged as malicious by antivirus software, the pop-up detection unit 2022A can take a screenshot of the pop-up.
The slave detection device 202 further includes a file detection unit 2022B, configured to detect whether the files of the application are complete. Specifically:
The file detection unit 2022B can obtain a pre-generated file list of the application under test and compare it with the file list of the application under test in the installation directory. If the two lists are identical, the files of the application under test are determined to be complete; otherwise the files of the application under test are incomplete.
The file list of the application under test in the installation directory can be the system registry, and the slave detection device can obtain the complete file list of the executed application in advance from an external source.
Whether the files of the application are complete can be checked while the Slave device performs the basic operations of the application: the behavior during use can be checked, the installation behavior can be checked when the application is installed, and file integrity can also be checked for the uninstall or upgrade behavior.
In addition, the Slave device can perform the basic operations of the application, such as installing, uninstalling, upgrading, and running, automatically, and this automation can be implemented by writing code. Alternatively, the basic operations can be completed manually.
The slave detection device 202 includes a determination unit 2023, configured to determine from the detection result whether the application under test is flagged as malicious by antivirus software.
When detecting whether the application under test is flagged by antivirus software, at least the following detection results are possible: there is a pop-up for the application under test; there is no pop-up but the application files are incomplete; there is no pop-up and the application files are complete.
The determination unit 2023 can determine whether the application under test is flagged by antivirus software as follows:
First, if the detection result is that there is a pop-up for the application under test, the application is determined to be flagged by antivirus software, regardless of whether the application files are complete;
Second, if the detection result is that there is no pop-up and the application files are complete, the application is determined not to be flagged by antivirus software.
Third, if the detection result is that there is no pop-up but the application files are incomplete, further judgment is needed.
For the third case, specifically, if the files of the application under test are incomplete but there is no pop-up, it can further be judged whether the pop-up configuration information has become invalid. If it has, the application is determined to be flagged by antivirus software; if the pop-up configuration information has not become invalid, the application under test is determined not to be flagged by antivirus software.
The problem that the pop-up configuration information may have become invalid or been changed can be addressed in the following two ways:
First, if files in the installation directory are found to have been deleted but the antivirus software raised no pop-up, the antivirus pop-up configuration is considered possibly invalid. The information is then reported to the server, and the server checks whether the pop-up configuration information of this antivirus product has become invalid; if it has, the antivirus pop-up configuration information in the cloud is updated.
Second, periodically check whether the pop-up configuration information of the antivirus software is still effective.
If the pop-up configuration information is determined in this way not to have become invalid, but the full execution of the application under test has not yet finished (for example, installation and running have been monitored, but other operations such as upgrading or uninstalling have not yet been performed), the antivirus pop-up detection process can continue to run. That is, it continues to monitor the remaining basic operations of the application under test, so that the whole execution process of the application is monitored for possible flagging by antivirus software.
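The pop-up match, the file-list comparison and the three-way determination described above can be put together as follows. This is an added Python sketch, not code from the patent: the `PopupConfig` schema, the product name `ExampleAV`, the window events and the file manifest are constructed for illustration, and the staleness check is passed in as a callable standing in for the server-side check.

```python
"""Added example: popup matching, file-list comparison and the three-way verdict."""
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional, Set, Tuple


class Verdict(Enum):
    FLAGGED = "flagged by antivirus"
    NOT_FLAGGED = "not flagged"


@dataclass(frozen=True)
class PopupConfig:
    """Attributes that identify one product's alert window (hypothetical schema)."""
    product: str
    title: Optional[str] = None
    class_name: Optional[str] = None

    def matches(self, window: Dict[str, str]) -> bool:
        # The description treats a hit on any one configured attribute as a match.
        pairs = (("title", self.title), ("class_name", self.class_name))
        return any(want is not None and window.get(key) == want for key, want in pairs)


def find_alert(windows: Iterable[Dict[str, str]], cfg: PopupConfig) -> Optional[Dict[str, str]]:
    """Return the first observed window that matches the alert configuration."""
    return next((w for w in windows if cfg.matches(w)), None)


def compare_file_lists(manifest: Set[str], install_dir: Path) -> Tuple[Set[str], Set[str]]:
    """Return (missing, unexpected) relative paths; both empty means 'complete'."""
    present = {p.relative_to(install_dir).as_posix()
               for p in install_dir.rglob("*") if p.is_file()}
    return manifest - present, present - manifest


def determine(alert_seen: bool, files_complete: bool,
              config_is_stale: Callable[[], bool]) -> Verdict:
    """Three-way determination made by the determination unit."""
    if alert_seen:                      # case 1: a pop-up decides, whatever the files
        return Verdict.FLAGGED
    if files_complete:                  # case 2: no pop-up and nothing changed
        return Verdict.NOT_FLAGGED
    # case 3: files changed silently; the staleness check is consulted only here
    return Verdict.FLAGGED if config_is_stale() else Verdict.NOT_FLAGGED


def run_demo() -> Dict[str, object]:
    cfg = PopupConfig(product="ExampleAV", title="Threat detected", class_name="ExAvAlertWnd")
    manifest = {"app.exe", "lib/core.dll", "res/strings.dat"}
    # Constructed window-creation events, as a pop-up monitor might report them.
    quiet = [{"title": "Setup - Example App", "class_name": "#32770"}]
    alert = quiet + [{"title": "Threat detected", "class_name": "ExAvAlertWnd"}]

    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in manifest:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"constructed sample content")

        complete = compare_file_lists(manifest, root) == (set(), set())
        results["clean"] = determine(find_alert(quiet, cfg) is not None, complete, lambda: False)
        results["alert"] = determine(find_alert(alert, cfg) is not None, complete, lambda: False)

        (root / "lib/core.dll").unlink()          # simulate a file removed without a pop-up
        missing, extra = compare_file_lists(manifest, root)
        complete = not missing and not extra
        results["silent_stale"] = determine(False, complete, lambda: True)
        results["silent_fresh"] = determine(False, complete, lambda: False)
        results["missing"] = missing
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "->", value)
```

The strict list comparison follows the description; an application that writes logs or caches into its installation directory would need those paths excluded from the manifest comparison.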
Finally, after the Slave device 202 has checked whether there is an antivirus pop-up screenshot and whether the files in the installation directory are complete, it returns the result to the Master device 201. The result generation unit 2012 of the Master device 201 merges these results and outputs them.
The results can be sent to the relevant testers by e-mail.
After receiving the e-mail, a tester can manually re-check the pop-up screenshot to analyze why the client application was flagged, or check whether files were deleted by the specified antivirus software. Once the detection results have been manually screened, other personnel, such as the project team, can be notified to handle the flagging incident.
In practical applications, testers and project team personnel can use the automated antivirus pop-up check for daily testing, pre-release testing, routine monitoring, and so on, to discover promptly whether the client application is flagged by third-party antivirus software and to handle it in time to limit losses.
By executing the technical solution of the present invention, it can be detected automatically whether antivirus software flags the application product under test. The cloud issues the list of antivirus software to be checked, the checks are distributed, and the results are then summarized, so the antivirus software to be tested can be controlled flexibly and the detection time is shortened.
In the several embodiments provided by the present invention, it should be understood that the disclosed method and apparatus can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they can be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention can be integrated into one processing unit, each unit can exist physically on its own, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware, or in hardware plus software functional units.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (20)
1. A method for detecting that an application is flagged as malicious by antivirus software, characterized in that the method comprises:
executing the application under test in a pop-up detection environment, and detecting, according to pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, and detecting whether the files of the application under test are complete;
determining, based on the detection result, whether the application under test is flagged as malicious by the antivirus software.
2. The method according to claim 1, characterized in that the method further comprises: preparing the pop-up detection environment according to the list of antivirus software to be tested.
3. The method according to claim 2, characterized in that preparing the pop-up detection environment comprises:
installing and running the antivirus software according to the list of antivirus software to be tested;
starting the detection process for antivirus software pop-ups.
4. The method according to claim 2, characterized in that the antivirus software list and the pop-up configuration information are obtained by a master detection device, which distributes antivirus software and the pop-up configuration information corresponding to it to a slave detection device;
the processing of preparing the detection environment and the detection are performed by the slave detection device.
5. The method according to claim 4, characterized in that the antivirus software list and the pop-up configuration information are maintained by the cloud and issued to the master detection device.
6. The method according to claim 1, characterized in that detecting, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application comprises:
monitoring the function in the antivirus software that generates pop-ups;
when the function that generates pop-ups is called, determining whether the pop-up information generated in the function matches the pop-up configuration information;
if it matches, determining that there is a pop-up for the application.
7. The method according to claim 1, characterized in that detecting whether the files of the application under test are complete comprises:
obtaining a pre-generated file list of the application under test;
comparing the file list with the file list of the application under test in the installation directory;
if the comparison shows they are identical, determining that the files of the application under test are complete;
otherwise the files of the application under test are incomplete.
8. The method according to any one of claims 1-7, characterized in that
if the detection result is that there is a pop-up for the application under test, the application under test is determined to be flagged as malicious by the antivirus software;
if the detection result is that there is no pop-up and the files of the application under test are complete, the application under test is determined not to be flagged as malicious by the antivirus software.
9. The method according to any one of claims 1-7, characterized in that if the detection result is that there is no pop-up but the files of the application under test are incomplete, then:
it is judged whether the pop-up configuration information has become invalid;
if it has, the application under test is determined to be flagged as malicious by the antivirus software;
if the pop-up configuration information has not become invalid, the application under test is determined not to be flagged as malicious by the antivirus software.
10. The method according to any one of claims 1-6, characterized in that executing the application under test in the pop-up detection environment comprises: installing, uninstalling, upgrading, and running the application under test in the pop-up detection environment.
11. An apparatus for detecting that an application is flagged as malicious by antivirus software, characterized in that the apparatus comprises:
a detection unit, configured to execute the application under test in a pop-up detection environment, and to detect, according to pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, and to detect whether the files of the application under test are complete;
a determination unit, configured to determine, based on the detection result, whether the application under test is flagged as malicious by the antivirus software.
12. The apparatus according to claim 11, characterized in that the apparatus further comprises a preparation unit arranged in a slave detection device, configured to prepare the pop-up detection environment according to the list of antivirus software to be tested.
13. The apparatus according to claim 12, characterized in that the preparation unit prepares the pop-up detection environment by performing the following operations:
installing and running the antivirus software according to the list of antivirus software to be tested;
starting the detection process for antivirus software pop-ups.
14. The apparatus according to claim 12, characterized in that the detection unit and the determination unit are arranged in the slave detection device;
the apparatus further comprises: an acquiring unit arranged in a master detection device, configured to obtain the antivirus software list and the pop-up configuration information, and to distribute antivirus software and the pop-up configuration information corresponding to it to the slave detection device.
15. The apparatus according to claim 14, characterized in that the antivirus software list and the pop-up configuration information are maintained by the cloud and issued to the master detection device.
16. The apparatus according to claim 11, characterized in that the detection unit further comprises a pop-up detection unit, configured to monitor the function in the antivirus software that generates pop-ups; when the function that generates pop-ups is called, to determine whether the pop-up information generated in the function matches the pop-up configuration information; and, if it matches, to determine that there is a pop-up for the application.
17. The apparatus according to claim 11, characterized in that the detection unit further comprises a file detection unit, configured to obtain a pre-generated file list of the application under test; to compare the file list with the file list of the application under test in the installation directory; if the comparison shows they are identical, to determine that the files of the application under test are complete; otherwise the files of the application under test are incomplete.
18. The apparatus according to any one of claims 11-17, characterized in that
if the detection result is that there is a pop-up for the application under test, the determination unit determines that the application under test is flagged as malicious by the antivirus software;
if the detection result is that there is no pop-up and the files of the application under test are complete, the determination unit determines that the application under test is not flagged as malicious by the antivirus software.
19. The apparatus according to any one of claims 11-17, characterized in that if the detection result is that there is no pop-up but the files of the application under test are incomplete,
the determination unit judges whether the pop-up configuration information has become invalid;
if it has, the application under test is determined to be flagged as malicious by the antivirus software;
if the pop-up configuration information has not become invalid, the application under test is determined not to be flagged as malicious by the antivirus software.
20. The apparatus according to any one of claims 11-16, characterized in that executing the application under test in the pop-up detection environment comprises: installing, uninstalling, upgrading, and running the application under test in the pop-up detection environment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610028702.XA CN105608372B (en) | 2016-01-15 | 2016-01-15 | A kind of detection application is by the method and apparatus of antivirus software report poison |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610028702.XA CN105608372B (en) | 2016-01-15 | 2016-01-15 | A kind of detection application is by the method and apparatus of antivirus software report poison |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105608372A CN105608372A (en) | 2016-05-25 |
CN105608372B true CN105608372B (en) | 2019-07-23 |
Family
ID=55988300
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610028702.XA Active CN105608372B (en) | 2016-01-15 | 2016-01-15 | A kind of detection application is by the method and apparatus of antivirus software report poison |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105608372B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6779117B1 (en) * | 1999-07-23 | 2004-08-17 | Cybersoft, Inc. | Authentication program for a computer operating system |
CN102968590A (en) * | 2012-10-23 | 2013-03-13 | 北京奇虎科技有限公司 | Pop window suppression method and system |
CN103714289A (en) * | 2013-12-02 | 2014-04-09 | 百度在线网络技术(北京)有限公司 | Method and device for determining mobile application antivirus results |
CN104252477A (en) * | 2013-06-27 | 2014-12-31 | 贝壳网际(北京)安全技术有限公司 | Method and device for controlling webpage pop-up window |
CN104484599A (en) * | 2014-12-16 | 2015-04-01 | 北京奇虎科技有限公司 | Behavior processing method and device based on application program |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102594780B (en) * | 2011-01-12 | 2016-03-30 | 西门子公司 | The detection of mobile terminal virus, sweep-out method and device |
CN103019687B (en) * | 2012-11-20 | 2016-06-22 | 北京奇虎科技有限公司 | Methods of exhibiting and device for pop window information |
CN103164654B (en) * | 2013-03-28 | 2016-08-03 | 北京奇虎科技有限公司 | A kind of method carrying out information alert in pop-up and user interface display device |
CN103488490A (en) * | 2013-10-08 | 2014-01-01 | 深圳市金立通信设备有限公司 | Method and device for determining application corresponding to pop-up window and terminal |
CN104021342A (en) * | 2014-05-06 | 2014-09-03 | 可牛网络技术(北京)有限公司 | Method and device for processing application program |
CN104008340B (en) * | 2014-06-09 | 2017-02-15 | 北京奇虎科技有限公司 | Virus scanning and killing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN105608372A (en) | 2016-05-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |