CN105608372B - Method and apparatus for detecting whether an application is flagged as a virus by antivirus software - Google Patents

Info

Publication number
CN105608372B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610028702.XA
Other languages
Chinese (zh)
Other versions
CN105608372A (en)
Inventor
肖娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201610028702.XA
Publication of CN105608372A
Application granted
Publication of CN105608372B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The present invention provides a method and apparatus for detecting whether an application is flagged as a virus by antivirus software. The method comprises: executing the detected application in a pop-up detection environment, and detecting, according to pop-up configuration information, whether the antivirus software raises a pop-up for the detected application, or detecting whether the files of the detected application are complete; and determining, based on the detection result, whether the detected application is flagged as a virus by the antivirus software. As can be seen from the above technical solution, by executing the detected application in the pop-up detection environment, detecting virus-report pop-ups and checking the integrity of the application's files, the invention closely approximates the real environment of a client that has antivirus software installed and runs the application, and so detects automatically and effectively whether a client application is flagged as a virus by antivirus software.

Description

Method and apparatus for detecting whether an application is flagged as a virus by antivirus software
[Technical Field]
The present invention relates to the field of computer technology, and in particular to a method and apparatus for detecting whether an application is flagged as a virus by antivirus software.
[Background]
Competition on the Internet is white-hot, and client application products are often flagged as viruses by certain antivirus software. Once a client application has been flagged, users generally stop using it.
A client application is flagged as a virus by antivirus software in one of two situations:
One is that the antivirus software flags it maliciously, or by mistake (a false positive);
The other is that the developer is unfamiliar with virus signatures, and the code written contains a virus signature.
However, in either situation the client application is in fact harmless, so the antivirus software's flagging of a harmless client application damages the product's image and misleads users.
The prior art generally uses two methods to check whether an application is flagged as a virus by antivirus software:
One is to submit it to a dedicated virus-report checking website, which works by running cloud scans on the client application. This method is simple, but its drawback is that it does not match the user's real situation: a user typically installs one particular antivirus product, and that product then scans the file both locally and in the cloud;
The other is to install the antivirus software by hand and then check manually whether it raises a pop-up. The drawbacks of this method are that it is time-consuming and cannot provide long-term monitoring.
The prior art offers no approach that matches the user's real situation and detects automatically and effectively whether an application is flagged as a virus by antivirus software.
[Summary of the Invention]
The present invention provides a method and apparatus for detecting whether an application is flagged as a virus by antivirus software, so that this can be detected automatically and effectively.
The specific technical solution is as follows:
The present invention provides a method for detecting whether an application is flagged as a virus by antivirus software, the method comprising:
executing the detected application in a pop-up detection environment, and detecting, according to pop-up configuration information, whether the antivirus software raises a pop-up for the detected application, or detecting whether the files of the detected application are complete;
determining, based on the detection result, whether the detected application is flagged as a virus by the antivirus software.
According to a preferred embodiment of the present invention, the method further comprises: preparing the pop-up detection environment according to a list of the antivirus software to be tested.
According to a preferred embodiment of the present invention, preparing the pop-up detection environment comprises:
installing and running the antivirus software according to the list of antivirus software to be tested;
starting the detection process for antivirus software pop-ups.
According to a preferred embodiment of the present invention, the antivirus software list and the pop-up configuration information are obtained by a master detection device, which distributes the antivirus software and the pop-up configuration information corresponding to it to slave detection devices;
the preparation of the detection environment and the detection itself are performed by the slave detection devices.
According to a preferred embodiment of the present invention, the antivirus software list and the pop-up configuration information are maintained by the cloud and delivered to the master detection device.
According to a preferred embodiment of the present invention, detecting, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application comprises:
monitoring the function that generates pop-ups in the antivirus software;
when the function that generates pop-ups is called, determining whether the pop-up information generated in the function matches the pop-up configuration information;
if it matches, determining that there is a pop-up for the application.
According to a preferred embodiment of the present invention, detecting whether the files of the detected application are complete comprises:
obtaining a pre-generated file list of the detected application;
comparing that file list with the file list of the detected application under the installation directory;
if the comparison shows them to be identical, determining that the files of the detected application are complete;
otherwise, the files of the detected application are incomplete.
According to a preferred embodiment of the present invention, if the detection result is that there is a pop-up for the detected application, it is determined that the detected application is flagged as a virus by the antivirus software;
if the detection result is that there is no pop-up and the files of the detected application are complete, it is determined that the detected application is not flagged as a virus by the antivirus software.
According to a preferred embodiment of the present invention, if the detection result is that there is no pop-up but the files of the detected application are incomplete:
it is judged whether the pop-up configuration information has become invalid;
if it has, it is determined that the detected application is flagged as a virus by the antivirus software;
if the pop-up configuration information has not become invalid, it is determined that the detected application is not flagged as a virus by the antivirus software.
According to a preferred embodiment of the present invention, executing the detected application in the pop-up detection environment comprises: installing, uninstalling, upgrading and running the detected application in the pop-up detection environment.
The present invention also provides an apparatus for detecting whether an application is flagged as a virus by antivirus software, the apparatus comprising:
a detection unit, configured to execute the detected application in a pop-up detection environment, and to detect, according to pop-up configuration information, whether the antivirus software raises a pop-up for the detected application, or to detect whether the files of the detected application are complete;
a determination unit, configured to determine, based on the detection result, whether the detected application is flagged as a virus by the antivirus software.
According to a preferred embodiment of the present invention, the apparatus further comprises a preparation unit arranged in the slave detection device, configured to prepare the pop-up detection environment according to the list of antivirus software to be tested.
According to a preferred embodiment of the present invention, the preparation unit prepares the pop-up detection environment by performing the following operations:
installing and running the antivirus software according to the list of antivirus software to be tested;
starting the detection process for antivirus software pop-ups.
According to a preferred embodiment of the present invention, the detection unit and the determination unit are arranged in the slave detection device;
the apparatus further comprises: an acquisition unit arranged in the master detection device, configured to obtain the antivirus software list and the pop-up configuration information, and to distribute the antivirus software and the pop-up configuration information corresponding to it to the slave detection device.
According to a preferred embodiment of the present invention, the antivirus software list and the pop-up configuration information are maintained by the cloud and delivered to the master detection device.
According to a preferred embodiment of the present invention, the detection unit further comprises a pop-up detection unit, configured to monitor the function that generates pop-ups in the antivirus software; when the function that generates pop-ups is called, to determine whether the pop-up information generated in the function matches the pop-up configuration information; and, if it matches, to determine that there is a pop-up for the application.
According to a preferred embodiment of the present invention, the detection unit further comprises a file detection unit, configured to obtain a pre-generated file list of the detected application; to compare that file list with the file list of the detected application under the installation directory; if the comparison shows them to be identical, to determine that the files of the detected application are complete; otherwise, the files of the detected application are incomplete.
According to a preferred embodiment of the present invention, if the detection result is that there is a pop-up for the detected application, the determination unit determines that the detected application is flagged as a virus by the antivirus software;
if the detection result is that there is no pop-up and the files of the detected application are complete, the determination unit determines that the detected application is not flagged as a virus by the antivirus software.
According to a preferred embodiment of the present invention, if the detection result is that there is no pop-up but the files of the detected application are incomplete,
the determination unit judges whether the pop-up configuration information has become invalid;
if it has, it is determined that the detected application is flagged as a virus by the antivirus software;
if the pop-up configuration information has not become invalid, it is determined that the detected application is not flagged as a virus by the antivirus software.
According to a preferred embodiment of the present invention, executing the detected application in the pop-up detection environment comprises: installing, uninstalling, upgrading and running the detected application in the pop-up detection environment.
As can be seen from the above technical solution, by executing the detected application in the pop-up detection environment, detecting virus-report pop-ups and checking the integrity of the application's files, the invention closely approximates the real environment of a client that has antivirus software installed and runs the application, and so detects automatically and effectively whether a client application is flagged as a virus by antivirus software.
[Brief Description of the Drawings]
Fig. 1 is a flowchart of a method, provided by Embodiment One of the present invention, for detecting whether an application is flagged as a virus by antivirus software;
Fig. 2 is a flowchart of a method, provided by Embodiment One of the present invention, for preparing the pop-up detection environment;
Fig. 3 is a structural diagram of an apparatus, provided by Embodiment Two of the present invention, for detecting whether an application is flagged as a virus by antivirus software.
[Detailed Description]
The present invention detects whether a client application is flagged as a virus by antivirus software mainly in two respects: first, detecting whether the antivirus software generates a pop-up for the detected application; second, detecting whether files under the detected application's installation directory have been deleted.
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the drawings and specific embodiments.
Embodiment One
Fig. 1 is a flowchart of a method, provided by Embodiment One of the present invention, for detecting whether an application is flagged as a virus by antivirus software. As shown in Fig. 1, the method proceeds as follows:
101. Prepare the pop-up detection environment according to the list of antivirus software to be tested.
This step provides the detection environment for detecting whether an antivirus pop-up is generated for the detected application and whether files under the detected application's installation directory have been deleted.
Fig. 2 is a flowchart of a method, provided by Embodiment One of the present invention, for preparing the pop-up detection environment. As shown in Fig. 2, preparing the pop-up detection environment can be further divided into the following steps:
1011. The list of antivirus software to be checked and the pop-up configuration information of the antivirus software are maintained and delivered to the master detection device.
The antivirus software list records the antivirus software that may flag the detected client application as a virus.
Because there are many antivirus products, the top-ranked ones can be taken to generate the antivirus software list. The ranking can be produced by a professional organization that orders existing antivirus software by rules such as importance or prevalence, so that the list is generated from the top-ranked products; alternatively, the application developer that builds the application product can decide, according to actual needs, which antivirus software to monitor and test.
Pop-ups from antivirus software can be virus-report pop-ups or other pop-ups, and a virus-report pop-up may in turn concern different applications. Therefore, to determine whether the antivirus software is flagging the detected application, this embodiment can use the pop-up configuration information corresponding to each antivirus product to distinguish virus-report pop-ups from other pop-ups, and to identify the specific application that the pop-up reports.
Specifically, the pop-up configuration information uniquely identifies that antivirus product's virus-report pop-up. It includes the window title, class name, window handle and so on. The pop-up configuration information therefore makes it possible to tell whether a generated pop-up concerns the detected application, and to establish that it is a virus-report pop-up rather than some other pop-up of the antivirus software.
In addition, because an antivirus product's pop-up identifiers may change, a pop-up identifier library for antivirus software can be maintained in the cloud: a feature library is built for each antivirus product's pop-up identifiers, so that the pop-up configuration information can be delivered to the master detection device (the Master device) when needed.
So that the list of antivirus software to be tested can be controlled flexibly, the antivirus software list can also be maintained by the cloud, which delivers it to the Master device.
1012. The master detection device obtains the antivirus software list and the pop-up configuration information, and distributes the antivirus software and the pop-up configuration information corresponding to it to the slave detection devices.
In this step, the master detection device can schedule the slave detection devices (the Slave devices) and distribute the obtained antivirus software and pop-up configuration information to them.
The master detection device can select one antivirus product from the antivirus software list and distribute it, together with its corresponding pop-up configuration information, to one of the multiple slave detection devices, then select another antivirus product from the list and distribute it and its corresponding pop-up configuration information to another slave detection device. A Master-Slave distributed architecture thus spreads the antivirus software in the list across multiple slave detection devices for pop-up detection; Slave nodes can easily be added or removed, which improves detection efficiency.
The master detection device enables each slave detection device to obtain and run the corresponding antivirus software either by assigning an antivirus software ID to each slave detection device, which then fetches the antivirus software code by that ID, or by distributing the antivirus software code to each slave detection device directly.
1013. Prepare the pop-up detection environment.
In this step, preparing the pop-up detection environment can include:
installing and running the antivirus software according to the list of antivirus software to be tested, that is, the Master device uses the list to distribute the antivirus software to be tested to each Slave device, and each Slave device installs and runs the antivirus software distributed to it;
the Slave device starts the detection process for antivirus software pop-ups.
102. Execute the detected application in the pop-up detection environment, and detect, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the detected application, or detect whether the files of the detected application are complete.
Detecting, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the detected application can include the following process:
The client application is executed on the Slave device; executing the application can include installing, uninstalling, upgrading, running and so on. While the application executes, the function that generates pop-ups in the antivirus software is monitored; when that function is called, it is determined whether the pop-up information generated in the function matches the pop-up configuration information; if it matches, the application is determined to be flagged as a virus by the antivirus software.
Specifically, because antivirus software must call the pop-up-generating function whenever it generates a pop-up, that function is monitored continuously to determine whether it is called. If it is called, the generated pop-up information (title, class name, window handle and so on) is compared with the obtained pop-up configuration information to see whether they are the same, which identifies whether the antivirus software has raised a virus-report pop-up. The identifying fields used as pop-up configuration information here, such as title, class name and window handle, can be information that uniquely identifies a pop-up and is not prone to change.
If the comparison finds that the generated window title, handle or class name hits the antivirus software's pop-up configuration information, it is determined that the detected application is flagged as a virus by the antivirus software.
The detection process for antivirus software pop-ups can be used to monitor the pop-up-generating function in the antivirus software and check whether the pop-up hits the content of the pop-up configuration information. A hit on that content shows that the antivirus software has raised a virus-report pop-up against the detected client application.
Preferably, because antivirus software generally has self-protection features and itself runs at the operating system's ring0 layer, it has very high privileges; from this layer the data of all layers can be accessed, whereas other drivers sit at the ring1 and ring2 layers, and each layer can access only its own data and that of layers with lower privilege. The antivirus pop-up detection process can therefore be made to monitor at the operating system's ring0 layer. A hook can be used to monitor the function with which the antivirus software generates pop-ups, so as to detect whether a generated pop-up matches the antivirus pop-up identifiers (one of title, class name, handle), and thereby determine whether the antivirus software is flagging the detected client application as a virus.
By monitoring the pop-up function at the operating system's ring0 layer, any pop-up the antivirus software raises on the client can be detected accurately and efficiently.
Because only the client application is being operated during antivirus detection, no other product is being operated, and the operating system itself is clean, the antivirus software's virus-report pop-up is generally directed at the client application being operated, although exceptions are possible. To guard against such exceptions, when a pop-up hits the content of the pop-up configuration information, a screenshot of the pop-up can be taken and saved to a designated location on the slave detection device. The purpose of the screenshot is that, after the Master sends it to project team members by e-mail, they can manually re-check whether this pop-up was directed at the detected client application. When the screenshot is taken, the window's position information can be recorded.
Detecting whether the files of the application are complete can include the following process:
obtaining a pre-generated file list of the detected application; comparing that file list with the file list of the detected application under the installation directory; if the comparison shows them to be identical, determining that the files of the detected application are complete; otherwise, the files of the detected application are incomplete.
The file list of the detected application under the installation directory can be the system registry. The slave detection device can obtain in advance, from an external source, a complete file list for the application being executed, and compare that list with the system registry during execution, to check whether the registry was modified while the detected application performed its basic operations.
Whether the application's files are complete can be checked while the Slave device performs the application's basic operations: behaviour during use of the application can be checked, installation behaviour can be checked when the application is installed, and file integrity can also be checked for uninstall or upgrade behaviour.
In addition, the Slave device can perform the application's basic operations, such as installing, uninstalling, upgrading and running, automatically, with the automation implemented in code; alternatively, these basic operations can be completed manually.
103. Determine, based on the detection result, whether the detected application is flagged as a virus by the antivirus software.
When detecting whether the detected application is flagged as a virus by antivirus software, at least the following detection results can be obtained: there is a pop-up for the detected application; there is no pop-up but the application files are incomplete; there is no pop-up and the application files are complete.
First, if the detection result is that there is a pop-up for the detected application, the application is determined to be flagged as a virus by the antivirus software regardless of whether the application files are complete;
Second, if the detection result is that there is no pop-up and the application files are complete, it is determined that the application is not flagged as a virus by the antivirus software.
Third, if the detection result is that there is no pop-up but the application files are incomplete, further judgment is needed.
Regarding the third case: if the files of the detected application are incomplete but there is no pop-up, it is possible that the antivirus software did flag the detected application, but no pop-up was detected because the antivirus pop-up information had become invalid. It is also possible that the application files are incomplete for a reason other than being flagged by the antivirus software. To distinguish these two situations, it must first be judged whether the pop-up configuration information has become invalid; if it has, the application is determined to be flagged as a virus by the antivirus software; if the pop-up configuration information has not become invalid, it is determined that the detected application is not flagged as a virus by the antivirus software.
The pop-up configuration information can become invalid because the antivirus software's pop-up configuration has changed, so that the pop-up is not detected: once the pop-up configuration has changed, if none of the title, handle, class name and so on can be hit, the antivirus software's pop-up can no longer be monitored.
The problem that the pop-up configuration information may change can be addressed in the following two ways:
First, if files under the installation directory are found to have been deleted but the antivirus software raised no pop-up, the antivirus pop-up configuration is treated as possibly invalid. The information is reported to the server, and the server checks whether the pop-up configuration information of that antivirus product has become invalid; if so, the antivirus pop-up configuration information in the cloud is updated.
Second, it is checked periodically whether the antivirus software's pop-up configuration information is still effective.
By automatically reporting when antivirus pop-up information appears to have changed and by checking periodically, the antivirus pop-up configuration information maintained in the cloud can be kept from becoming invalid.
If the above shows that the pop-up configuration information has not become invalid, but the full execution of the detected application has not yet finished (for example, installation and running of the detected application have been monitored, but other operations such as upgrade or uninstall have not yet been performed), the detection process for antivirus software pop-ups can continue to run. That is, it continues to monitor the other basic operations the detected application goes on to perform, so that the whole execution of the detected application is monitored for being flagged as a virus by the antivirus software.
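The decision rules of step 103, together with the pop-up match and file-list comparison from step 102, are shown below as an added Python example that is not code from the patent. The `PopupConfig` fields, the window events, the file names and the `config_is_stale` callback (standing in for the server-side check of the pop-up configuration) are constructed assumptions, and only the window title and class name are modelled.

```python
import os
import tempfile
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional, Set


class Verdict(Enum):
    FLAGGED = "flagged as a virus"
    NOT_FLAGGED = "not flagged"


@dataclass(frozen=True)
class WindowEvent:
    """A window seen by the pop-up detection process (constructed data here)."""
    title: str
    class_name: str


@dataclass(frozen=True)
class PopupConfig:
    """Pop-up configuration for one antivirus product (field names are assumptions)."""
    title: Optional[str] = None
    class_name: Optional[str] = None

    def matches(self, window: WindowEvent) -> bool:
        # As in the text, a hit on any one configured identifier counts as a match.
        return ((self.title is not None and self.title == window.title) or
                (self.class_name is not None and self.class_name == window.class_name))


def installed_files(install_dir: str) -> Set[str]:
    """Relative paths ('/'-separated) of every file under the installation directory."""
    found = set()
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), install_dir)
            found.add(rel.replace(os.sep, "/"))
    return found


def decide(config: PopupConfig,
           windows: Iterable[WindowEvent],
           expected_files: Iterable[str],
           install_dir: str,
           config_is_stale: Callable[[], bool]) -> Verdict:
    """Apply the three cases of step 103 to one run on a slave device."""
    # Case 1: a matching pop-up decides the result, whatever the file state.
    if any(config.matches(w) for w in windows):
        return Verdict.FLAGGED
    # Case 2: no pop-up and the installed files equal the pre-generated list.
    if installed_files(install_dir) == set(expected_files):
        return Verdict.NOT_FLAGGED
    # Case 3: files differ but no pop-up; the verdict depends on whether the
    # pop-up configuration is still valid (hypothetical server-side check).
    return Verdict.FLAGGED if config_is_stale() else Verdict.NOT_FLAGGED


def demo() -> dict:
    """Run every outcome against a constructed installation directory."""
    config = PopupConfig(title="Threat blocked", class_name="ExampleAvAlertWnd")
    manifest = ["app.exe", "lib/core.dll"]            # pre-generated file list
    benign = WindowEvent("Update available", "ExampleAvTrayWnd")
    alert = WindowEvent("Threat blocked", "ExampleAvAlertWnd")
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for rel in manifest:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("x")
        results["popup"] = decide(config, [benign, alert], manifest, root, lambda: False)
        results["clean"] = decide(config, [benign], manifest, root, lambda: False)
        os.remove(os.path.join(root, "lib", "core.dll"))  # simulate a deleted file
        results["deleted_stale"] = decide(config, [benign], manifest, root, lambda: True)
        results["deleted_valid"] = decide(config, [benign], manifest, root, lambda: False)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict.value}")
```
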
104. The master detection device aggregates and outputs the detection results.
In this step, after the Slave device has checked whether there is an antivirus pop-up screenshot and whether the files under the installation directory are complete, it returns the results to the Master device. The Master device merges these results and outputs them.
The results can be output to the relevant testers by e-mail.
After receiving the e-mail, a tester can manually re-check the pop-up screenshot to analyse the virus report against the client application, or check whether a file was deleted by the specified antivirus software. After the detection results have been screened manually, other personnel, such as project team members, can be notified to handle the virus-report event.
Embodiment two,
Fig. 3 is a schematic structural diagram of an apparatus, provided by Embodiment 2 of the present invention, for detecting whether an application is flagged by antivirus software. As shown in Fig. 3, the apparatus may include a detection unit 2022 and a determination unit 2023 provided in the slave detection device 202, where the detection unit 2022 may further include a pop-up detection unit 2022A or a file detection unit 2022B; the slave detection device 202 may also include a preparation unit 2021. The apparatus may also include an acquisition unit 2011 provided in the master detection device 201, and the master detection device 201 may further include a result generation unit 2012. The apparatus is described in detail below:
The master detection device 201 distributes the antivirus software to be detected to the slave detection devices according to the list of antivirus software to be detected, and also aggregates and outputs the detection results.
The master detection device 201 includes an acquisition unit 2011, which obtains the antivirus software list and the pop-up configuration information and distributes each antivirus product and its corresponding pop-up configuration information to a slave detection device 202.
The antivirus software list to be checked and the pop-up configuration information of each antivirus product can be maintained in the cloud and delivered to the master detection device 201.
Specifically, the antivirus software list records the antivirus products that may flag the client application under test.
The list can be generated from top-ranked antivirus products, where the ranking may be one in which a professional organization orders existing antivirus products by rules such as importance or prevalence; alternatively, the development side of the application product can decide, according to actual needs, which antivirus products to monitor and detect.
The pop-up configuration information corresponding to each antivirus product can be used to distinguish alert pop-ups from non-alert pop-ups, and to identify the specific application that the pop-up flags.
The pop-up configuration information uniquely identifies the alert pop-up of that antivirus product; it includes the window title, class name, window handle, and so on.
The master detection device 201 (the Master device) can schedule the slave detection devices (Slave devices) and distribute to them the antivirus software and pop-up configuration information obtained by the acquisition unit 2011.
The master detection device 201 can select one antivirus product from the list and distribute it, together with its pop-up configuration information, to one of the multiple slave detection devices; it can then select another antivirus product from the list and distribute it and its pop-up configuration information to another slave detection device. With this Master-Slave distributed architecture, the antivirus products in the list are spread across multiple slave detection devices for pop-up detection, Slave nodes can easily be added or removed, and detection efficiency improves.
The master detection device either assigns an antivirus software ID to each slave detection device, which then obtains the antivirus software code according to the ID, or distributes the antivirus software code directly to each slave detection device, so that the slave detection device obtains and executes the corresponding antivirus software.
The slave detection device 202 executes the application under test in the pop-up detection environment, detects according to the pop-up configuration information whether the antivirus software raises a pop-up for the application under test, or detects whether the files of the application under test are complete, and determines from the detection result whether the application under test is flagged by the antivirus software.
The slave detection device further includes a preparation unit 2021 for preparing the pop-up detection environment.
Specifically, the preparation unit can prepare the pop-up detection environment by performing the following operations:
installing and running the antivirus software according to the list of antivirus software to be detected;
starting the detection process for antivirus pop-ups.
The master detection device 201 further includes a result generation unit 2012 for merging and outputting the detection results on whether the application is flagged by antivirus software.
The slave detection device 202 further includes a detection unit 2022, which executes the application under test in the pop-up detection environment and detects, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application under test, or detects whether the files of the application under test are complete.
The detection unit 2022 includes a pop-up detection unit 2022A, which detects according to the pop-up configuration information whether the antivirus software raises a pop-up for the application under test. Specifically:
The Slave device starts executing the client application; executing the application may include installation, uninstallation, upgrade, running, and so on. While the application executes, the pop-up detection unit 2022A monitors the function in the antivirus software that generates pop-ups. When that function is called, the unit determines whether the pop-up information generated in the function matches the pop-up configuration information; if it matches, the application is determined to be flagged by the antivirus software.
Because the antivirus software must call the pop-up generating function whenever it produces a pop-up, the pop-up detection unit 2022A continuously monitors that function to determine whether it is called. If it is, the unit compares the generated pop-up information (title, class name, window handle, etc.) with the obtained pop-up configuration information to identify whether the antivirus software raised an alert pop-up. The identifying information used here, such as title, class name and window handle, can be information that uniquely identifies a pop-up and does not change easily.
If the comparison finds that the generated window's title, handle or class name hits the antivirus software's pop-up configuration information, the application under test is determined to be flagged by the antivirus software.
The pop-up detection unit 2022A can use the antivirus pop-up detection process to monitor the pop-up generating function in the antivirus software.
Preferably, the antivirus pop-up detection process can monitor at the ring0 layer of the operating system, and a hook can be used to monitor the function with which the antivirus software generates pop-ups, so as to detect whether a generated pop-up matches the antivirus pop-up identifier (one of title, class name, handle).
After determining that the application is flagged by the antivirus software, the pop-up detection unit 2022A can take a screenshot of the pop-up.
The slave detection device 202 further includes a file detection unit 2022B, which detects whether the files of the application are complete. Specifically:
The file detection unit 2022B can obtain a pre-generated file list of the application under test and compare it with the file list of the application under test in the installation directory. If the two are identical, the files of the application under test are determined to be complete; otherwise the files of the application under test are incomplete.
The file list of the application under test in the installation directory can be the system registry, and the slave detection device can obtain the complete file list of the executed application in advance from an external source.
Whether the files of the application are complete can be detected while the Slave device performs the basic operations of the application: detection can cover behavior during use of the application, installation behavior when the application is installed, and file integrity during uninstallation or upgrade.
In addition, the Slave device can perform the basic operations of the application (installation, uninstallation, upgrade, running) automatically, which can be implemented by writing code; alternatively, these basic operations can be completed manually.
The slave detection device 202 includes a determination unit 2023, which determines from the detection result whether the application under test is flagged by the antivirus software.
When detecting whether the application under test is flagged by antivirus software, at least the following detection results can be obtained: a pop-up for the application under test exists; there is no pop-up, but the application files are incomplete; there is no pop-up, and the application files are complete.
The determination unit 2023 can determine whether the application under test is flagged by the antivirus software as follows:
First, if the detection result is that there is a pop-up for the application under test, the application is determined to be flagged by the antivirus software, regardless of whether the application files are complete.
Second, if the detection result is that there is no pop-up and the application files are complete, the application is determined not to be flagged by the antivirus software.
Third, if the detection result is that there is no pop-up but the application files are incomplete, a further judgment is needed.
For the third case, specifically, if the files of the application under test are incomplete but there is no pop-up, it can further be judged whether the pop-up configuration information has become invalid. If it has, the application is determined to be flagged by the antivirus software; if the pop-up configuration information has not become invalid, the application under test is determined not to be flagged by the antivirus software.
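The determination logic described above (pop-up match, file-list comparison, and the fallback check on the pop-up configuration) can be expressed as follows. This is an added example, not code from the patent: all names (`PopupConfig`, `WindowEvent`, `determine`, `config_is_stale`, the `ExampleAV` values) are hypothetical, only missing file-list entries are treated as incomplete, and the window handle is left out of the match.

```python
from dataclasses import dataclass
from enum import Enum
from pathlib import Path
import tempfile
from typing import Callable, Iterable, List, Optional


class Verdict(Enum):
    FLAGGED = "flagged by antivirus software"
    NOT_FLAGGED = "not flagged"


@dataclass(frozen=True)
class PopupConfig:
    """Identifiers of one antivirus product's alert window (hypothetical shape)."""
    antivirus: str
    title: Optional[str] = None
    class_name: Optional[str] = None


@dataclass(frozen=True)
class WindowEvent:
    """What the pop-up monitor recorded when a window was created."""
    title: str
    class_name: str


def popup_matches(cfg: PopupConfig, ev: WindowEvent) -> bool:
    """True if any configured identifier equals the observed one."""
    pairs = ((cfg.title, ev.title), (cfg.class_name, ev.class_name))
    return any(want is not None and want == got for want, got in pairs)


def missing_files(manifest: Iterable[str], install_dir: Path) -> List[str]:
    """Pre-generated file-list entries (relative paths) absent from install_dir."""
    present = {p.relative_to(install_dir).as_posix()
               for p in install_dir.rglob("*") if p.is_file()}
    return sorted(set(manifest) - present)


def determine(events: Iterable[WindowEvent], cfg: PopupConfig,
              manifest: Iterable[str], install_dir: Path,
              config_is_stale: Callable[[PopupConfig], bool]) -> Verdict:
    # Case 1: an alert pop-up was seen; file completeness does not matter.
    if any(popup_matches(cfg, ev) for ev in events):
        return Verdict.FLAGGED
    # Case 2: no pop-up and every listed file is still present.
    if not missing_files(manifest, install_dir):
        return Verdict.NOT_FLAGGED
    # Case 3: files are gone without a pop-up; the outcome depends on whether
    # the pop-up configuration has become invalid (stand-in for the server check).
    return Verdict.FLAGGED if config_is_stale(cfg) else Verdict.NOT_FLAGGED


def run_constructed_cases() -> dict:
    """Run the three cases on constructed data in a temporary directory."""
    cfg = PopupConfig("ExampleAV", title="Threat detected",
                      class_name="ExampleAVAlertWnd")
    manifest = ["app.exe", "lib/core.dll"]
    alert = WindowEvent("Threat detected", "ExampleAVAlertWnd")
    other = WindowEvent("Update available", "ExampleAVTrayWnd")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "app.exe").write_bytes(b"stub")
        (root / "lib" / "core.dll").write_bytes(b"stub")
        results = {
            "popup": determine([other, alert], cfg, manifest, root, lambda c: False),
            "clean": determine([other], cfg, manifest, root, lambda c: False),
        }
        (root / "lib" / "core.dll").unlink()  # constructed: file removed silently
        results["deleted_stale"] = determine([other], cfg, manifest, root, lambda c: True)
        results["deleted_valid"] = determine([other], cfg, manifest, root, lambda c: False)
        results["missing"] = missing_files(manifest, root)
    return results


if __name__ == "__main__":
    for name, value in run_constructed_cases().items():
        print(name, "->", value)
```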
The problem that the pop-up configuration information may have become invalid or been changed can be addressed in the following two ways:
First, if files under the installation directory are found to have been deleted but the antivirus software raised no pop-up, the antivirus pop-up configuration is considered possibly invalid. The information is reported to the server, the server checks whether the pop-up configuration information of this antivirus product has become invalid, and if so the antivirus pop-up configuration information in the cloud is updated.
Second, the pop-up configuration information of the antivirus software is checked periodically to see whether it is still valid.
If the above approaches establish that the pop-up configuration information has not become invalid, but the overall execution of the application under test has not yet finished (for example, monitoring has covered installation and running, while other operations such as upgrade or uninstallation have not yet been performed), the antivirus pop-up detection process can keep running. That is, the detection process continues to monitor the remaining basic operations performed on the application under test, so that the entire execution of the application is monitored for whether it may be flagged by the antivirus software.
Finally, after the Slave device 202 has checked whether an antivirus pop-up screenshot exists and whether the files under the installation directory are complete, it returns the results to the Master device 201. The result generation unit 2012 of the Master device 201 merges these results and outputs them.
The results can be output to the relevant testers by e-mail.
After receiving the e-mail, a tester can manually review the pop-up screenshot to analyze why the client application was flagged, or check whether files were deleted by the specified antivirus software. After this manual screening of the detection results, other personnel, such as project team members, can be notified to handle the flagging incident.
In practice, testers and project team members can use automated checking of antivirus pop-ups for daily testing, pre-release testing, routine monitoring and so on, to find out promptly whether the client application is flagged by third-party antivirus software and to handle it in time to limit losses.
By executing the technical solution of the present invention, whether antivirus software flags the application product under test can be detected automatically. The cloud controls and delivers the list of antivirus software to check, the checks are distributed and the results then aggregated, so the antivirus software to be detected can be controlled flexibly and detection time is shortened.
In the several embodiments provided by the present invention, it should be understood that the disclosed method and apparatus can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit can be implemented in hardware, or in hardware combined with software functional units.
The above are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (20)

1. A method for detecting whether an application is flagged by antivirus software, characterized in that the method comprises:
executing an application under test in a pop-up detection environment, and detecting, according to pop-up configuration information, whether antivirus software raises a pop-up for the application under test and whether the files of the application under test are complete;
determining, based on the detection result, whether the application under test is flagged by the antivirus software.
2. The method according to claim 1, characterized in that the method further comprises: preparing the pop-up detection environment according to a list of antivirus software to be detected.
3. The method according to claim 2, characterized in that preparing the pop-up detection environment comprises:
installing and running the antivirus software according to the list of antivirus software to be detected;
starting a detection process for antivirus pop-ups.
4. The method according to claim 2, characterized in that the antivirus software list and the pop-up configuration information are obtained by a master detection device, which distributes the antivirus software and the pop-up configuration information corresponding to the antivirus software to a slave detection device;
the preparation of the detection environment and the detection are performed by the slave detection device.
5. The method according to claim 4, characterized in that the antivirus software list and the pop-up configuration information are maintained by the cloud and delivered to the master detection device.
6. The method according to claim 1, characterized in that detecting, according to the pop-up configuration information, whether the antivirus software raises a pop-up for the application comprises:
monitoring the function in the antivirus software that generates pop-ups;
when the function that generates pop-ups is called, determining whether the pop-up information generated in the function matches the pop-up configuration information;
if it matches, determining that there is a pop-up for the application.
7. The method according to claim 1, characterized in that detecting whether the files of the application under test are complete comprises:
obtaining a pre-generated file list of the application under test;
comparing the file list with the file list of the application under test in the installation directory;
if the comparison result is identical, determining that the files of the application under test are complete;
otherwise, the files of the application under test are incomplete.
8. The method according to any one of claims 1-7, characterized in that
if the detection result is that there is a pop-up for the application under test, the application under test is determined to be flagged by the antivirus software;
if the detection result is that there is no pop-up and the files of the application under test are complete, the application under test is determined not to be flagged by the antivirus software.
9. The method according to any one of claims 1-7, characterized in that, if the detection result is that there is no pop-up but the files of the application under test are incomplete, then:
judging whether the pop-up configuration information has become invalid;
if it has become invalid, determining that the application under test is flagged by the antivirus software;
if the pop-up configuration information has not become invalid, determining that the application under test is not flagged by the antivirus software.
10. The method according to any one of claims 1-6, characterized in that executing the application under test in the pop-up detection environment comprises: installing, uninstalling, upgrading and running the application under test in the pop-up detection environment.
11. An apparatus for detecting whether an application is flagged by antivirus software, characterized in that the apparatus comprises:
a detection unit for executing an application under test in a pop-up detection environment, and detecting, according to pop-up configuration information, whether antivirus software raises a pop-up for the application under test and whether the files of the application under test are complete;
a determination unit for determining, based on the detection result, whether the application under test is flagged by the antivirus software.
12. The apparatus according to claim 11, characterized in that the apparatus further comprises a preparation unit provided in a slave detection device, for preparing the pop-up detection environment according to a list of antivirus software to be detected.
13. The apparatus according to claim 12, characterized in that the preparation unit prepares the pop-up detection environment by performing the following operations:
installing and running the antivirus software according to the list of antivirus software to be detected;
starting a detection process for antivirus pop-ups.
14. The apparatus according to claim 12, characterized in that the detection unit and the determination unit are provided in the slave detection device;
the apparatus further comprises: an acquisition unit provided in a master detection device, for obtaining the antivirus software list and the pop-up configuration information, and distributing the antivirus software and the pop-up configuration information corresponding to the antivirus software to the slave detection device.
15. The apparatus according to claim 14, characterized in that the antivirus software list and the pop-up configuration information are maintained by the cloud and delivered to the master detection device.
16. The apparatus according to claim 11, characterized in that the detection unit further comprises a pop-up detection unit for monitoring the function in the antivirus software that generates pop-ups; when the function that generates pop-ups is called, determining whether the pop-up information generated in the function matches the pop-up configuration information; and if it matches, determining that there is a pop-up for the application.
17. The apparatus according to claim 11, characterized in that the detection unit further comprises a file detection unit for obtaining a pre-generated file list of the application under test; comparing the file list with the file list of the application under test in the installation directory; if the comparison result is identical, determining that the files of the application under test are complete; otherwise, the files of the application under test are incomplete.
18. The apparatus according to any one of claims 11-17, characterized in that
if the detection result is that there is a pop-up for the application under test, the determination unit determines that the application under test is flagged by the antivirus software;
if the detection result is that there is no pop-up and the files of the application under test are complete, the determination unit determines that the application under test is not flagged by the antivirus software.
19. The apparatus according to any one of claims 11-17, characterized in that, if the detection result is that there is no pop-up but the files of the application under test are incomplete,
the determination unit judges whether the pop-up configuration information has become invalid;
if it has become invalid, the application under test is determined to be flagged by the antivirus software;
if the pop-up configuration information has not become invalid, the application under test is determined not to be flagged by the antivirus software.
20. The apparatus according to any one of claims 11-16, characterized in that executing the application under test in the pop-up detection environment comprises: installing, uninstalling, upgrading and running the application under test in the pop-up detection environment.
CN201610028702.XA 2016-01-15 2016-01-15 A kind of detection application is by the method and apparatus of antivirus software report poison Active CN105608372B (en)

Publications (2)

Publication Number Publication Date
CN105608372A CN105608372A (en) 2016-05-25
CN105608372B true CN105608372B (en) 2019-07-23

GR01 Patent grant