CN100374969C - Method for searching and killing virus and computer therefor - Google Patents


Publication number
CN100374969C
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2004100904568A
Other languages
Chinese (zh)
Other versions
CN1779594A (en)
Inventor
王晚丁
李亚辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention provides a method for scanning for and removing viruses. Its key point is that, once the BIOS self-test has finished and a signal to perform virus removal has been detected, an embedded system in the HPA is started and invokes an antivirus module to scan for and remove viruses, after which the operating system is loaded to start the computer. With the invention, viruses can still be scanned for and removed even when the computer cannot start normally. Because the method does not depend on the operating system, it can find and remove viruses that cannot be found from within the operating system, and it also avoids the possibility of certain viruses shutting down the antivirus software. The invention also provides a computer for scanning for and removing viruses. The computer has a function key dedicated to starting the virus scanning and removal function; a user who needs to scan the computer simply presses the key, which gives the user a clear operating prompt and makes the function as convenient as possible to use.

Description

A method for virus scanning and removal and a computer implementing the method
Technical field
The present invention relates to the technical field of computer virus scanning and removal, and in particular to a method for virus scanning and removal and a computer implementing the method.
Background art
As the computing power and storage capacity of computers keep growing, network transfer speeds rise, the ways computers exchange information with peripheral devices diversify, and network applications become ever richer, people depend on computers more and more, and the demand for information security keeps rising. At the same time, attackers' methods keep changing and computer viruses are becoming more and more destructive.
Existing antivirus software mostly runs on the original system, and the fragility of that system greatly weakens the actual effect of these solutions. A typical example is that antivirus software on Windows is helpless against some boot viruses, because such a virus can act before the antivirus engine runs and may even shut the antivirus software down. In addition, when Windows is attacked by new viruses such as Blaster and Sasser, it may restart repeatedly, so that the antivirus software cannot be updated to the latest virus rule base at all and cannot remove the virus effectively. Furthermore, some viruses compete for system resources within the operating system (OS) and interfere with normal operation of the antivirus software.
Summary of the invention
In view of this, one object of the present invention is to provide a method for virus scanning and removal that still works when the computer cannot enter the operating system normally.
Another object of the present invention is to provide a computer for virus scanning and removal that gives the user a clear operating prompt.
To achieve these objects, the technical solution of the present invention is as follows:
A method for virus scanning and removal, in which an embedded system and an antivirus module are provided in the Host Protected Area (HPA) of the hard disk, the method further comprising the following step:
After the basic input/output system (BIOS) self-test finishes and a signal to perform virus removal is detected, the embedded system in the HPA is started, the embedded system calls the antivirus module to scan for and remove viruses, and the operating system is then loaded to start the computer.
Preferably, a system security check module is preset in the HPA of the hard disk;
When the virus scan has finished and no virus has been found, the method further comprises: the embedded system calls the system security check module to check whether the system has security vulnerabilities; if it does, security hardening is performed according to the check result and the operating system is then loaded to start the computer; otherwise the operating system is loaded directly to start the computer.
Preferably, a system repair module is preset in the HPA of the hard disk;
When the check finds no security vulnerabilities, the method further comprises: the embedded system calls the system repair module to repair the operating system, and the computer is then started.
Preferably, the virus scanning and removal operation comprises the following steps: scanning for and removing viruses; determining whether any virus was found and, if none was found, updating the virus rule base and then scanning for and removing viruses again.
Preferably, the virus rule base is updated over the network, or from a floppy disk or portable hard drive, or from a specified directory on the hard disk, or by any combination of these three methods.
Preferably, the BIOS starts the embedded system in the HPA as follows:
A function calling module is preset in the HPA of the hard disk;
After the BIOS self-test finishes and a signal to perform virus removal is detected, a parameter for starting the embedded system is set at a specified location in memory, and the function calling module is then called; the function calling module starts the embedded system in the HPA once it detects that the parameter for starting the embedded system is present at the specified location in memory.
Preferably, the specified location in memory is the F000 segment of memory.
Preferably, after the computer has started normally, when virus removal is needed, the method further comprises: after the operating system detects the signal to perform virus removal, the antivirus module in the operating system is started and scans for and removes viruses.
The present invention provides an embedded system and an antivirus module in the HPA of the hard disk. After the BIOS self-test finishes and a signal to perform virus removal is detected, the embedded system in the HPA is started, the embedded system calls the antivirus module to scan for and remove viruses, and the operating system is then loaded to start the computer. With the invention, virus scanning and removal can run before the operating system is loaded, so the system can still scan for and remove viruses even after infection by a virus such as Sasser that prevents the computer from starting normally. Because the method of the invention does not depend on the operating system, it can find and remove viruses that cannot be found from within the operating system, as well as system boot viruses, which achieves thorough virus removal and avoids the possibility of certain viruses shutting down the antivirus software. In addition, the invention can also perform operations such as system security checks and operating system repair, further ensuring the safety of the computer.
The present invention also provides a computer for virus scanning and removal. The computer has a function key dedicated to starting the virus scanning and removal function; a user who needs to scan the computer simply presses the key, which gives the user a clear operating prompt and makes the function as convenient as possible to use.
Description of drawings
Figure 1 is a schematic diagram of one embodiment of a computer implementing virus scanning and removal;
Figure 2 is a flow diagram of the BIOS starting the computer according to the present invention;
Figure 3 is a flowchart of the embedded system in the HPA performing virus scanning, removal and repair.
Embodiments
The present invention is described in further detail below with reference to the accompanying drawings.
Figure 1 is a schematic diagram of one embodiment of a computer implementing virus scanning and removal. In this embodiment, a function key 111 for directly starting the antivirus function is added to the keyboard 110 of the computer. The function key 111 is connected directly to the module 121 in the host 120 that recognizes key information, so that the host's existing key-recognition module 121 can recognize the added function key 111. The function key 111 may be connected to the key-recognition module 121 through a PS/2 interface, a USB interface, a wireless interface, a 1394 interface or another interface; the connection method is not limited here. The key-recognition module 121 comprises the module that recognizes key information in the BIOS and the module that recognizes key information in the operating system.
In this way, whether or not the operating system can be loaded normally after the computer is powered on, the computer can recognize key information from the function key 111. That is, when the user needs the computer to scan for and remove viruses, the user only needs to press this key, which makes the function convenient to use.
Of course, the function key 111 for directly starting the antivirus function need not be on the keyboard; it may instead be placed on the host, the mouse or the display. The present invention does not limit the physical location of the function key 111, as long as it is convenient for the user.
After the computer is powered on and the operating system has loaded normally, if the key-recognition module in the operating system detects a signal from the function key for directly starting the antivirus function, that is, a signal to perform virus removal, the operating system directly calls the antivirus module it has already loaded and performs virus removal. The implementation is basically the same as the existing process of activating an antivirus module by keyboard or mouse and performing virus removal; the only difference is that the antivirus module is activated directly by the dedicated function key rather than by keyboard or mouse.
The following describes in detail how virus scanning and removal is carried out when the operating system cannot be loaded normally after the computer is powered on.
First, an HPA (Host Protected Area) space is created on the hard disk in advance, dividing the hard disk into an ordinary hard disk area for the user and an HPA. In general, the data in the HPA can be accessed only under the basic input/output system (BIOS) and DOS environments, and ordinary programs cannot access this area, so the data in the HPA is safe. Second, the ordinary hard disk area for the user is partitioned into drive C, drive D and so on, and the HPA of the hard disk is divided into three areas: a system backup area that holds the system backup files, a virus removal and repair area that holds the embedded system performing virus scanning and removal, and a function calling area that holds the function calling module; see Table 1.
User hard disk space: C:\ | D:\ | ...
HPA hard disk space: system backup area | virus removal and repair area | function calling area
Table 1
The embedded system that performs virus scanning and removal is an embedded Linux system. It has the most basic operating system functions and can call the functional modules preset in its own area, such as the antivirus module, the system security check module and the system repair module.
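Whether a disk actually carries an HPA can be checked from a Linux host by comparing the visible and native sector counts that `hdparm -N` reports. The following is an added example, not part of the patent; the sample text is constructed in hdparm's output format, and the 512-byte sector size and the helper names are assumptions.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# hdparm -N prints: " max sectors   = <visible>/<native>, HPA is enabled|disabled"
_HPA_LINE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)", re.IGNORECASE
)

# Constructed sample output for two disks (not captured from a real machine).
SAMPLE = """
/dev/sda:
 max sectors   = 150994944/156301488, HPA is enabled

/dev/sdb:
 max sectors   = 312581808/312581808, HPA is disabled
"""


def parse_hdparm_n(output):
    """Return one record per 'max sectors' line found in `hdparm -N` output."""
    records = []
    device = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("/dev/") and line.endswith(":"):
            device = line[:-1]          # remember which disk the next line describes
            continue
        match = _HPA_LINE.search(line)
        if not match:
            continue
        visible, native = int(match.group(1)), int(match.group(2))
        reported = match.group(3).lower() == "enabled"
        hidden = native - visible       # sectors the OS cannot address
        records.append({
            "device": device,
            "visible_sectors": visible,
            "native_sectors": native,
            "hpa_reported": reported,
            "hidden_sectors": hidden,
            "hidden_bytes": hidden * SECTOR_BYTES,
            # The protected area starts at the first LBA past the visible range.
            "hpa_first_lba": visible if hidden > 0 else None,
            # The flag and the arithmetic should agree; a mismatch deserves a look.
            "consistent": (hidden > 0) == reported,
        })
    return records


def disks_with_hpa(output, min_hidden_sectors=1):
    """Records for disks that hide at least `min_hidden_sectors` sectors."""
    return [r for r in parse_hdparm_n(output)
            if r["hidden_sectors"] >= min_hidden_sectors]


if __name__ == "__main__":
    for rec in disks_with_hpa(SAMPLE):
        print(rec["device"], rec["hidden_sectors"], "hidden sectors starting at LBA",
              rec["hpa_first_lba"])
```

On a live system the input would be the text returned by running `hdparm -N` against each disk with root privileges.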
When the computer encounters a virus such as Sasser that makes it restart automatically over and over, the user only needs to press the function key for directly starting the antivirus function during the POST stage after the computer restarts. The virus removal process is as follows:
Figure 2 is a flow diagram of the BIOS starting the computer according to the present invention.
Steps 201 to 202: the computer is powered on. After the BIOS self-test finishes, the BIOS checks whether there is a signal to start virus removal directly, that is, whether the function key for directly starting the antivirus function has been pressed. If so, step 203 is performed; otherwise step 204 is performed.
Step 203: a parameter for starting the embedded system is set at a specified location in memory, such as the F000 segment.
Step 204: the function calling module in the HPA is called. The function calling module decides whether to start the embedded system according to whether the parameter for starting the embedded system is present at the specified location in memory. If it is, the embedded system in the HPA is started to scan for and remove viruses, after which the operating system is loaded to start the computer; otherwise the operating system is loaded directly to start the computer.
The virus scanning, removal and repair operations performed by the embedded system in the HPA are shown in Figure 3.
Step 301: the embedded system in the HPA calls the antivirus module in its own area to scan for and remove viruses. This antivirus module may be a quick virus-removal module or a comprehensive virus-removal module; the two differ only in the scope of the scan and in the time the scan takes.
Step 302: determine whether a virus was found. If so, step 310 is performed; otherwise step 303 is performed.
Step 303: the virus rule base in the HPA is updated. In a specific implementation, the virus rule base may be updated from a floppy disk or portable hard drive, from a specified directory on the hard disk, over the network, or by any combination of these three methods.
Updating from a floppy disk or portable hard drive: the embedded system reads the virus rule base on the floppy disk or portable hard drive and uses it to update its own; the virus rule base on the floppy disk or portable hard drive is one the user has downloaded on a sound computer. This method works on all types of computer but requires the user's involvement.
Updating from a specified directory on the hard disk: the embedded system reads the specified directory in the operating system directly and updates the virus rule base from it. This method needs no user involvement, but if the latest virus rule base has not been stored in the specified directory in time, the virus rule base cannot be updated this way.
Updating over the network: the embedded system goes online directly, looks up the latest virus rule base, downloads it and updates the virus rule base. This method needs no user involvement, and there is no need to worry about virus attack during the update, because the embedded system has no entry point for virus intrusion. However, this method requires presetting the machine's globally unique IPv6 address and the IPv6 address of the vendor's back-end virus rule update server.
Step 304: the antivirus module in the embedded system's own area is called again to scan for and remove viruses.
Step 305: determine whether a virus was found. If so, step 310 is performed; otherwise step 306 is performed.
Step 306: the system security check module is called to perform a security check.
Step 307: based on the result of the security check, determine whether the system has vulnerabilities. If it does, step 308 is performed; otherwise step 309 is performed.
Step 308: security hardening is performed, and then step 310 is performed.
The system security check module checks the security of the operating system and repairs system vulnerabilities as follows: it compares the patches of the operating system and of key application software with the patch versions maintained on the back-end server. If a patch on the computer is found not to be the latest version, the latest patch installer is copied to a predetermined directory on the ordinary partition of the hard disk, and a shortcut pointing to the patch installer is copied into the startup group directory of the disk partition holding the operating system. The computer is then restarted automatically into the operating system, where the system executes the shortcut automatically and helps the user install the patch. The method of installing software from the HPA into the operating system is described in detail in the applicant's Chinese patent application No. "200410081162.9", entitled "Method of automatic software installation in the operating system startup process", and is not repeated here.
Of course, the way the system security check is performed is not limited to this; any approach that can perform security hardening and repair the vulnerabilities of the operating system will do.
Step 309: the system repair module is started and repairs the whole operating system, and then step 310 is performed.
The whole operating system is repaired as follows: the embedded system calls the system repair module, and the system repair module overwrites the files in the current system with the system backup files in the HPA, thereby repairing the operating system.
Step 310: the computer is restarted.
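The flow of steps 301 to 310 can be modelled as a small driver, shown here as an added example that is not part of the patent. The `ConstructedMachine` class, the callable names, and the rule that a failed update still proceeds to the rescan in step 304 are assumptions made for illustration.

```python
def run_hpa_recovery(scan, update_sources, has_vulnerabilities, harden, repair):
    """Drive steps 301-310 and return the step trace plus the outcome."""
    steps = [301]
    found = scan()                          # step 301: first scan with current rules
    steps.append(302)                       # step 302: was a virus found?
    updated_from = None
    if not found:
        steps.append(303)                   # step 303: update the virus rule base
        for name, fetch in update_sources:  # try each configured source in order
            try:
                if fetch():                 # True means newer rules were installed
                    updated_from = name
                    break
            except OSError:                 # e.g. no media inserted, network down
                continue
        steps.append(304)                   # step 304: scan again
        found = scan()
        steps.append(305)                   # step 305: was a virus found this time?
        if not found:
            steps.append(306)               # step 306: run the security check
            vulnerable = has_vulnerabilities()
            steps.append(307)               # step 307: any vulnerabilities?
            if vulnerable:
                steps.append(308)           # step 308: security hardening
                harden()
            else:
                steps.append(309)           # step 309: repair from the system backup
                repair()
    steps.append(310)                       # step 310: restart the computer
    return {"steps": steps, "virus_found": found, "rules_updated_from": updated_from}


class ConstructedMachine:
    """Constructed stand-in for the scanned system; not a real scanner."""

    def __init__(self, infected_needs_rules=None, rules=1, vulnerable=False):
        self.infected_needs_rules = infected_needs_rules  # None means a clean disk
        self.rules = rules                                # installed rule-base version
        self.vulnerable = vulnerable
        self.log = []

    def scan(self):
        # A virus is detected only if the rule base is recent enough to know it.
        hit = (self.infected_needs_rules is not None
               and self.rules >= self.infected_needs_rules)
        if hit:
            self.infected_needs_rules = None              # detected and removed
        return hit

    def no_media(self):
        raise OSError("no floppy disk or portable hard drive present")

    def stale_directory(self):
        return False                                      # directory holds no newer rules

    def network(self):
        self.rules += 1
        return True

    def check(self):
        return self.vulnerable

    def harden(self):
        self.log.append("harden")

    def repair(self):
        self.log.append("repair")


def demo():
    """Virus that only the updated rule base detects; two update sources fail first."""
    m = ConstructedMachine(infected_needs_rules=2)
    sources = [("removable", m.no_media),
               ("disk_dir", m.stale_directory),
               ("network", m.network)]
    return run_hpa_recovery(m.scan, sources, m.check, m.harden, m.repair)


if __name__ == "__main__":
    print(demo())
```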
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (8)

1. A method for virus scanning and removal, characterized in that an embedded system and an antivirus module are provided in the Host Protected Area (HPA) of the hard disk, the method further comprising the following step:
After the basic input/output system (BIOS) self-test finishes and a signal to perform virus removal is detected, the embedded system in the HPA is started, the embedded system calls the antivirus module to scan for and remove viruses, and the operating system is then loaded to start the computer.
2. The method according to claim 1, characterized in that
a system security check module is preset in the HPA of the hard disk;
when the virus scan has finished and no virus has been found, the method further comprises: the embedded system calls the system security check module to check whether the system has security vulnerabilities; if it does, security hardening is performed according to the check result and the operating system is then loaded to start the computer; otherwise the operating system is loaded directly to start the computer.
3. The method according to claim 1 or 2, characterized in that
a system repair module is preset in the HPA of the hard disk;
when the check finds no security vulnerabilities, the method further comprises: the embedded system calls the system repair module to repair the operating system, and the computer is then started.
4. The method according to claim 3, characterized in that the virus scanning and removal operation comprises the following steps: scanning for and removing viruses; determining whether any virus was found and, if none was found, updating the virus rule base and then scanning for and removing viruses again.
5. The method according to claim 4, characterized in that the virus rule base is updated over the network, or from a floppy disk or portable hard drive, or from a specified directory on the hard disk, or by any combination of these three methods.
6. The method according to claim 1, characterized in that the BIOS starts the embedded system in the HPA as follows:
a function calling module is preset in the HPA of the hard disk;
after the BIOS self-test finishes and a signal to perform virus removal is detected, a parameter for starting the embedded system is set at a specified location in memory, and the function calling module is then called; the function calling module starts the embedded system in the HPA once it detects that the parameter for starting the embedded system is present at the specified location in memory.
7. The method according to claim 6, characterized in that the specified location in memory is the F000 segment of memory.
8. The method according to claim 1, characterized in that, after the computer has started normally, when virus removal is needed, the method further comprises: after the operating system detects the signal to perform virus removal, the antivirus module in the operating system is started and scans for and removes viruses.
CNB2004100904568A 2004-11-18 2004-11-18 Method for searching and killing virus and computer therefor Expired - Fee Related CN100374969C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2004100904568A CN100374969C (en) 2004-11-18 2004-11-18 Method for searching and killing virus and computer therefor
PCT/CN2005/001922 WO2006053488A1 (en) 2004-11-18 2005-11-15 A method for realizing anti-virus and a computer thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100904568A CN100374969C (en) 2004-11-18 2004-11-18 Method for searching and killing virus and computer therefor

Publications (2)

Publication Number Publication Date
CN1779594A CN1779594A (en) 2006-05-31
CN100374969C true CN100374969C (en) 2008-03-12

Family

ID=36406825

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100904568A Expired - Fee Related CN100374969C (en) 2004-11-18 2004-11-18 Method for searching and killing virus and computer therefor

Country Status (2)

Country Link
CN (1) CN100374969C (en)
WO (1) WO2006053488A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101359356B (en) * 2007-08-03 2010-08-25 联想(北京)有限公司 Method and system for deleting or isolating computer virus
CN100541509C (en) * 2007-12-10 2009-09-16 上海北大方正科技电脑系统有限公司 A kind of method of scanning and killing computer virus
CN102902921B (en) * 2012-09-18 2015-11-25 北京奇虎科技有限公司 The method and apparatus of a kind of detection and dump virus
CN106980786A (en) * 2017-02-25 2017-07-25 深圳市赛亿科技开发有限公司 It is a kind of to prevent virus and the computer system of defense of wooden horse
CN110197071B (en) * 2018-04-25 2023-05-16 腾讯科技(深圳)有限公司 Boot sector data processing method and device, computer storage medium and electronic equipment
CN111030981B (en) * 2019-08-13 2023-04-28 北京安天网络安全技术有限公司 Method, system and storage device for blocking continuous attack of malicious file
CN110532768A (en) * 2019-08-21 2019-12-03 东软医疗系统股份有限公司 System safety encryption and device
CN112364350A (en) * 2020-12-07 2021-02-12 河北建筑工程学院 Information processing program and recording device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5826012A (en) * 1995-04-21 1998-10-20 Lettvin; Jonathan D. Boot-time anti-virus and maintenance facility
CN1403915A (en) * 2001-09-10 2003-03-19 英业达股份有限公司 Computer antiviral method and computer adopting the method
CN1508697A (en) * 2002-12-16 2004-06-30 联想(北京)有限公司 Method and apparatus for realizing protection of computer operation system in hard disk
CN1173266C (en) * 2000-01-11 2004-10-27 神达电脑股份有限公司 Starting-up type virus detection method

Also Published As

Publication number Publication date
CN1779594A (en) 2006-05-31
WO2006053488A1 (en) 2006-05-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080312

Termination date: 20201118