CN102034047B - Automatic protection method for computer virus - Google Patents

Publication number
CN102034047B
Authority
CN
China
Prior art keywords
program
guard process
file
push
virus
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201010598234A
Other languages
Chinese (zh)
Other versions
CN102034047A (en)
Inventor
姚志浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu GuoRui XinAn Technology Co., Ltd.
Original Assignee
姚志浩

Abstract

The invention discloses an automatic protection method against computer viruses. A protection program modeled on the human immune system is constructed and installed on a computer. The protection program makes the computer immune to virus programs by monitoring new programs, reverse engineering them, identifying diffusive copy statements, obtaining the copy destination paths, and automatically creating high-privilege antibody folders, thereby simulating B-cell receptor (BCR) homology judgment, peptide presentation by major histocompatibility complex (MHC) class II, and antibody release by B cells in the human immune system. Compared with the prior art, the method needs no virus database and no manual scanning, needs no network connection to update a virus database, automatically produces antibodies against malicious computer programs, and effectively intercepts them, so that the computer has active defense capability against viruses. Tests show that the interception rate for the tested viruses can reach over 99.7 percent.

Description

An automatic protection method against computer viruses
Technical field
The invention belongs to the field of computer technology and relates to virus protection. It takes the human immune system's immunity to bacteria and viruses as a model to give a computer self-protection against virus programs, and is an automatic protection method against computer viruses.
Background
Most antivirus software worldwide currently relies on "signature" (feature code) detection. In today's network environment, where viruses keep multiplying, the shortcomings of signature detection have become apparent: the virus database keeps growing; it has to be updated regularly over the network; it always lags behind the viruses; and users are frequently infected by new viruses.
The techniques and shortcomings of several existing antivirus products are as follows:
[Figure BDA0000039624210000011]
It can be seen that most current antivirus software has to scan the computer system and needs a virus database as the basis for judging what it scans. Scanning usually consumes a large amount of system resources, the virus database works effectively only if it is updated regularly, and the ever larger virus database takes up a large amount of storage space.
Summary of the invention
The problem the invention solves is the following: most existing antivirus techniques rely on a virus database to detect and remove viruses, which consumes computer system resources; the virus database has to be updated regularly; the computer's protection against virus programs is passive; and there is no defense against a newly emerged virus at the moment it first appears.
The technical solution of the invention is an automatic protection method against computer viruses. With the human immune system as the model, a guard process is built and installed on the computer. The guard process monitors new programs, reverse engineers them, identifies diffusive copy statements and obtains the copy destination paths, and automatically creates high-privilege antibody folders, simulating the processes in the human immune system of BCR homology judgment, peptide presentation by MHC II, and antibody release by B cells, and thereby makes the computer immune to virus programs. The guard process runs on a stand-alone machine, and the operating system is any Windows version from Windows 2000 onward. The method comprises the following steps:
1) Monitoring new programs: the guard process configures the registry so that every COM or EXE program uses the guard process as its open-with handler, and opening a COM or EXE program therefore activates the guard process. The guard process learns the file path of the program being opened from the Command startup parameter and stores it in the variable filepath. It then calls Wintrust.dll, which ships with Windows, to determine whether the newly run COM or EXE program carries a digital signature that is legitimate, untampered, and unexpired. If the check passes, the program is released to run. If it does not, the program is temporarily detained as a suspicious program and is not allowed to run; the path of the suspended COM or EXE program is then passed inside the guard process by a DDE message and enters the next processing stage;
2) Reverse engineering: an unpacking program is provided for the guard process to call. The guard process calls the external unpacking program with the received filepath as the startup parameter. The unpacking program returns to the guard process the address at which the unpacked suspicious program has been stored, and this address is stored in the variable UnpackedPath. The guard process converts the opcodes of the suspicious program recorded in UnpackedPath into the corresponding assembly code, thereby disassembling the suspicious program, and the disassembly result is stored temporarily. The guard process automatically searches the disassembly result for all "CALL DWORD PTR [XXXXXXX]" statements, that is, all subroutine-call statements in the disassembled code of the unpacked suspicious program, where [XXXXXXX] represents assembly code. Each time a "CALL DWORD PTR [XXXXXXX]" statement is found, the guard process automatically searches upward from that instruction, as far as the preceding "CALL DWORD PTR [XXXXXXX]" statement, for "Push" statements. If two consecutive Push statements are found in the interval between two subroutine-call statements, the two Push statements, together with the first-found "CALL DWORD PTR [XXXXXXX]" statement, are determined to form a copy statement. The guard process records the addresses of the two Push statements and locates the Push target address of each; from the Push target address it determines the corresponding hexadecimal-encoded data of the suspicious program, converts the hexadecimal data into plaintext Unicode, and saves the resulting Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process then judges: if the returned array push(n) has the form of a standard program file path, the copy statement found is judged to be copying a program file. This sequence (intercepting the subroutine-call statement of a suspected copy command, converting the target address to hexadecimal data and then to Unicode, and judging whether it is a copy statement) is carried out while traversing the disassembled code of the suspicious program, so that all copy statements encountered are collected; push(n) is saved for further processing;
3) Diffusive-replication judgment: a score variable Count is defined with an initial value of 0. In the push(n) array, the strings at the Push target addresses are taken in pairs: the first is the source path and the second is the copy destination path. Each time a source path is the suspicious program's own path, Count+10; each time a destination path is a removable device or LAN storage, which is obvious diffusive propagation by copying, Count+40; each time a destination path is the Windows system directory, which is residence inside the system, Count+5;
If Count is higher than 100, it is counted as 100;
A threshold for diffusive replication is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the security level of the protection. If Count is higher than the threshold, which is less than 100, the program is judged to replicate diffusively; otherwise, if Count is less than the threshold, there is no diffusive replication, the freeze on the suspicious program is lifted, and it is allowed to run;
A program judged to replicate diffusively immediately enters the next processing step;
4) Creating a same-named high-privilege folder: the guard process performs a folder-creation operation. At every diffusive copy destination path of a program that replicates diffusively, it creates a folder with the same name as the file at the suspicious program's copy destination path. The folder is set to hidden using the VB method for modifying file attributes, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created on the computer; the hidden folder just created is assigned the "SysUser" permission, that is, system user privilege;
5) The virus errors out and exits: after step 4) has been carried out, the freeze on the detained suspicious program is lifted and it is allowed to run. When a suspicious program that replicates diffusively executes its file copy instruction, it runs into the same-named folder created in step 4), that is, the high-privilege antibody folder. A RuntimeError occurs and error dialog boxes pop up; after the error dialog appears, the suspicious program, owing to the characteristics of Microsoft operating systems, is terminated by the operating system because of the error;
Through the above steps, automatic protection of the computer against virus programs is achieved.
In step 3), removable storage and network storage among the copy targets are identified by enumerating the computer's drive letters or through the Kernel32 API.
After step 4) has been carried out, the guard process deletes the temporary file of the unpacked suspicious program.
The invention takes the human immune system's immunity to bacteria and viruses as its model and draws on principles of computer organization such as disassembly of computer programs, code conversion, PE file analysis, and run-time errors. It requires no virus signature database, uses a purely stand-alone architecture, and needs no network updates. Like MHC II in the human immune system it analyzes virus programs intelligently, and like B cells it automatically generates antibody folders, causing the computer virus to hit an error and be terminated by the operating system, which gives the stand-alone machine its own immune capability.
Compared with the prior art, the invention has no virus database, needs no manual scanning and no network updates of a virus database, automatically produces antibodies against malicious computer programs (commonly called viruses), effectively intercepts them, and gives the computer active defense capability against viruses. In testing, the interception rate for the tested viruses can reach more than 99.7%; in the certification test results of the Software Product Inspection Center of the Jiangsu Provincial Department of Information Industry, a program written using the method of the invention intercepted all the computer viruses tested on site.
Description of drawings
Fig. 1 is a flow chart of the principle of the invention.
Fig. 2 is the workflow of the human immune system.
Detailed description
As shown in Fig. 1 and Fig. 2, the invention takes the human immune system as its model. A guard process is built and installed on the computer. The guard process monitors new programs, reverse engineers them, identifies diffusive copy statements and obtains the copy destination paths, and automatically creates high-privilege antibody folders, simulating the processes in the human immune system of BCR homology judgment, peptide presentation by MHC II, and antibody release by B cells, and thereby makes the computer immune to virus programs. The method comprises the following steps:
1) Monitoring new programs: the guard process configures the registry so that every COM or EXE program uses the guard process as its open-with handler, and opening a COM or EXE program therefore activates the guard process. When the guard process is installed, the open-with handler for *.Exe and *.Com is set automatically by file association, and the registry entry values are changed to the path of the guard process. As a result, no EXE or COM program can be run directly by the operating system; all of them are run through the guard process. The guard process itself is excluded and can be opened directly by the operating system.
For example, the open-with handler of every COM and EXE program is associated with the path of the guard process:
Specifically: change "My Computer HKEY_LOCAL_MACHINE command (Default)" and "My Computer HKEY_LOCAL_MACHINE command (Default)" to the guard process path: "XXX guard process name.exe";
Next, the file path of the program being opened is learned from the Command startup parameter and stored in the variable filepath. Command returns the argument part of the command line and is a basic function of programs developed in VB. The guard process then calls Wintrust.dll, which ships with Windows, to determine whether the newly run COM or EXE program carries a digital signature that is legitimate, untampered, and unexpired. If the check passes, the program is released to run. If it does not, the program is temporarily detained as a suspicious program and is not allowed to run; the path of the suspended COM or EXE program is then passed inside the guard process by a DDE message and enters the next processing stage;
2) Reverse engineering: an unpacking program is provided for the guard process to call. The guard process calls the external unpacking program with the received filepath as the startup parameter. The unpacking program returns to the guard process the address at which the unpacked suspicious program has been stored, and this address is stored in the variable UnpackedPath. The guard process converts the opcodes of the suspicious program recorded in UnpackedPath into the corresponding assembly code, thereby disassembling the suspicious program, and the disassembly result is stored temporarily. The guard process automatically searches the disassembly result for all "CALL DWORD PTR [XXXXXXX]" statements, that is, all subroutine-call statements in the disassembled code of the unpacked suspicious program, where [XXXXXXX] represents assembly code. Each time a "CALL DWORD PTR [XXXXXXX]" statement is found, the guard process automatically searches upward from that instruction, as far as the preceding "CALL DWORD PTR [XXXXXXX]" statement, for "Push" statements. If two consecutive Push statements are found in the interval between two subroutine-call statements, the two Push statements, together with the first-found "CALL DWORD PTR [XXXXXXX]" statement, are determined to form a copy statement. The guard process records the addresses of the two Push statements and locates the Push target address of each; from the Push target address it determines the corresponding hexadecimal-encoded data of the suspicious program, converts the hexadecimal data into plaintext Unicode, and saves the resulting Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process then judges: if the returned array push(n) has the form of a standard program file path, the copy statement found is judged to be copying a program file. This sequence (intercepting the subroutine-call statement of a suspected copy command, converting the target address to hexadecimal data and then to Unicode, and judging whether it is a copy statement) is carried out while traversing the disassembled code of the suspicious program, so that all copy statements encountered are collected; push(n) is saved for further processing;
3) Diffusive-replication judgment: a score variable Count is defined with an initial value of 0. In the push(n) array, the strings at the Push target addresses are taken in pairs: the first is the source path and the second is the copy destination path. Each time a source path is the suspicious program's own path, Count+10; each time a destination path is a removable device or LAN storage, which is obvious diffusive propagation by copying, Count+40; each time a destination path is the Windows system directory, which is residence inside the system, Count+5;
If Count is higher than 100, it is counted as 100;
A threshold for diffusive replication is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the security level of the protection. If Count is higher than the threshold, which is less than 100, the program is judged to replicate diffusively; otherwise, if Count is less than the threshold, there is no diffusive replication, the freeze on the suspicious program is lifted, and it is allowed to run;
A program judged to replicate diffusively immediately enters the next processing step;
4) Creating a same-named high-privilege folder: the guard process performs a folder-creation operation. At every diffusive copy destination path of a program that replicates diffusively, it creates a folder with the same name as the file at the suspicious program's copy destination path. For example, suppose the suspicious program found by the guard process is called Virus.exe. If one of its diffusive copy statements copies from "Virus.exe" to "windows", the copy destination path is "windows", and a folder is created according to "windows"; the folder is named 2.exe and lies under "windows". After the folder has been created, it is set to hidden using the VB method for modifying file attributes, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created on the computer; the hidden folder just created is assigned the "SysUser" permission, that is, system user privilege;
5) The virus errors out and exits: after step 4) has been carried out, the freeze on the detained suspicious program is lifted and it is allowed to run. When a suspicious program that replicates diffusively executes its file copy instruction, it runs into the same-named folder created in step 4), that is, the high-privilege antibody folder. A RuntimeError occurs and error dialog boxes pop up; after the error dialog appears, the suspicious program, owing to the characteristics of Microsoft operating systems, is terminated by the operating system because of the error;
Through the above steps, automatic protection of the computer against virus programs is achieved.
In step 3), removable storage and network storage are identified by enumerating the computer's hard disks or through the Kernel32 API.
Further, after step 4) has been carried out, the guard process deletes the temporary file of the unpacked suspicious program.
A concrete implementation of the invention is described below with one embodiment. In this embodiment the guard process of the invention is named Behold.com and is a COM program.
1. A sample of the Panda Burning Incense virus, Setup.exe, is double-clicked and opened by the user;
2. Setup.exe is automatically run with Behold.com as its open-with handler;
3. Behold.com is activated by the operating system with "Setup.exe" as the Command startup parameter;
4. The SignatureCheck function in Behold.com performs the digital signature check on "Setup.exe" and finds no signature;
5. Behold.com sends "Setup.exe" to the guard process's PCIS|FormDDE interface;
6. The guard process obtains the path of the suspended program through DDE (the PCIS|FormDDE interface) and, with "Setup.exe" as the startup parameter, automatically starts the virtual-machine unpacking SDK (VMUnpackerSDK);
7. The virtual-machine unpacking SDK (VMUnpackerSDK) returns UnpackedPath="Setup~.exe~" to the guard process's DDE (PCIS|FormDDE interface);
8. The guard process calls the clsDisAssemble class module through clsDisAssemble.DisAssemble("Setup~.exe~", 0) to perform the disassembly;
9. The guard process begins searching for "CALL DWORD PTR" in the disassembly result Result;
9-1. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>" in the disassembly result Result;
9-1-1. Starting above "CALL DWORD PTR DS:[<&KERNEL32.GetStartup>", the guard process searches for "push" statements up to just below the previous subroutine-call statement;
9-1-2. The guard process finds none;
9-1-3. It abandons this statement and continues;
9-2. The guard process finds "CALL DWORD PTR SS:[EBP+14]" in the disassembly result Result;
9-2-1. Starting above "CALL DWORD PTR SS:[EBP+14]", the guard process searches for "push" statements up to just below the previous subroutine-call statement;
9-2-2. The guard process finds "PUSH EBX", "PUSH ESI", "PUSH EDI";
9-2-3. It abandons this statement and continues;
9-3. The guard process finds "CALL DWORD PTR DS:[<&KERNEL32.copyfile>" in the disassembly result Result;
9-3-1. Starting above "CALL DWORD PTR DS:[<&KERNEL32.copyfile>", the guard process searches for "push" statements up to just below the previous subroutine-call statement;
9-3-2. The guard process finds "PUSH setup.0041A2D9", "PUSH setup1.0041A282";
9-3-3. Through GetHex2Unicode(0041A2D9) and GetHex2Unicode(0041A282), the guard process converts the hex code at the pushed addresses to Unicode; push(0)="Setup.exe", push(1)="windows".
9-3-4. By a simple check, the guard process judges that push(0) and push(1) are file paths.
9-n. The guard process repeats the search and judgment according to the above rules and finally aggregates push(n).
10. According to the Count accumulation algorithm in the "diffusive-replication judgment" section above, the final Count=100.
11. The guard process creates folders at the file paths in push(n) (n odd), such as "windows", raises the administrative permissions on the folders, and sets them to invisible.
12. Through Shell "Setup.exe", vbNormalFocus, the guard process lifts the freeze on "Setup.exe" and allows it to run.
13. When "Setup.exe" runs normally and reaches its copy statement, it hits RuntimeError 53, pops up an error box, and then exits.
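The search and scoring of steps 2) and 3), as walked through in the embodiment, shown as an added example that is not part of the patent or of the applicant's program. The listing, addresses, paths, removable-drive list and threshold are constructed assumptions, and "two consecutive Push statements" is read here as exactly two adjacent address-operand pushes since the previous call, with the earlier push taken as the source path as the page does.

```python
import re
from pathlib import PureWindowsPath


def wide(text):
    """Encode text as NUL-terminated UTF-16LE, as a Windows binary stores it."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed data section of a hypothetical sample: address -> raw bytes.
DATA = {
    0x00403000: wide(r"C:\Temp\sample.exe"),
    0x00403040: wide(r"C:\Windows\2.exe"),
    0x00403080: wide(r"E:\sample.exe"),
    0x004030C0: wide(r"\\fileserver\share\sample.exe"),
}

# Constructed disassembly listing, shaped like steps 9-1 to 9-3 of the embodiment.
LISTING = r"""
CALL DWORD PTR DS:[<&KERNEL32.GetStartupInfoA>]
PUSH EBX
PUSH ESI
PUSH EDI
CALL DWORD PTR SS:[EBP+14]
PUSH sample.00403000
PUSH sample.00403040
CALL DWORD PTR DS:[<&KERNEL32.CopyFileW>]
MOV EAX,1
PUSH sample.00403000
PUSH sample.00403080
CALL DWORD PTR DS:[<&KERNEL32.CopyFileW>]
PUSH sample.00403000
PUSH sample.004030C0
CALL DWORD PTR DS:[<&KERNEL32.CopyFileW>]
"""

CALL_RE = re.compile(r"^CALL DWORD PTR\b", re.I)
PUSH_ADDR_RE = re.compile(r"^PUSH\s+\w+\.([0-9A-Fa-f]{8})$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+\\).+")  # drive or UNC path


def read_wide(addr, data=DATA):
    """Decode the UTF-16LE string stored at addr (the page's hex-to-Unicode step)."""
    raw = data.get(addr, b"")
    for i in range(0, len(raw) - 1, 2):
        if raw[i:i + 2] == b"\x00\x00":
            return raw[:i].decode("utf-16-le")
    return ""  # unknown address or unterminated data: nothing usable


def find_copy_statements(listing, data=DATA):
    """Return (source, destination) for each CALL preceded by two address pushes."""
    pairs, window = [], []  # window: instructions seen since the previous CALL
    for line in filter(None, map(str.strip, listing.splitlines())):
        if not CALL_RE.match(line):
            window.append(line)
            continue
        seen, window = window, []
        pushes = [i for i, ins in enumerate(seen) if ins.upper().startswith("PUSH ")]
        if len(pushes) != 2 or pushes[1] - pushes[0] != 1:
            continue  # no push, or not exactly two consecutive pushes
        operands = [PUSH_ADDR_RE.match(seen[i]) for i in pushes]
        if not all(operands):
            continue  # register pushes carry no string address to decode
        src, dst = (read_wide(int(m.group(1), 16), data) for m in operands)
        if PATH_RE.match(src) and PATH_RE.match(dst):
            pairs.append((src, dst))
    return pairs


def diffusion_score(pairs, self_path, removable=("E:",), system_dir=r"C:\Windows"):
    """Count rule of step 3): +10 self source, +40 removable/LAN, +5 system dir."""
    count = 0
    removable = {drive.upper() for drive in removable}  # assumed drive inventory
    for src, dst in pairs:
        target = PureWindowsPath(dst)
        if PureWindowsPath(src) == PureWindowsPath(self_path):
            count += 10
        if target.drive.startswith("\\\\") or target.drive.upper() in removable:
            count += 40
        elif PureWindowsPath(system_dir) in target.parents:
            count += 5
    return min(count, 100)  # the page caps Count at 100


def analyse(listing, self_path, threshold=50):
    """Run the scan and scoring; the threshold value is an assumed setting."""
    pairs = find_copy_statements(listing)
    count = diffusion_score(pairs, self_path)
    return pairs, count, count > threshold


if __name__ == "__main__":
    print(analyse(LISTING, r"C:\Temp\sample.exe"))
```

On a real Windows host the removable-drive set would come from the drive enumeration or Kernel32 query that step 3) mentions rather than from a fixed tuple.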

Claims (3)

1. An automatic protection method against computer viruses, characterized in that, with the human immune system as the model, a guard process is built and installed on the computer; the guard process monitors new programs, reverse engineers them, identifies diffusive copy statements and obtains the copy destination paths, and automatically creates high-privilege antibody folders, simulating the processes in the human immune system of BCR homology judgment, peptide presentation by MHC II, and antibody release by B cells, and thereby makes the computer immune to virus programs; the guard process runs on a stand-alone machine, and the operating system is any Windows version from Windows 2000 onward; the method comprises the following steps:
1) Monitoring new programs: the guard process configures the registry so that every COM or EXE program uses the guard process as its open-with handler, and opening a COM or EXE program therefore activates the guard process. The guard process learns the file path of the program being opened from the Command startup parameter and stores it in the variable filepath. It then calls Wintrust.dll, which ships with Windows, to determine whether the newly run COM or EXE program carries a digital signature that is legitimate, untampered, and unexpired. If the check passes, the program is released to run. If it does not, the program is temporarily detained as a suspicious program and is not allowed to run; the path of the suspended COM or EXE program is then passed inside the guard process by a DDE message and enters the next processing stage;
2) Reverse engineering: an unpacking program is provided for the guard process to call. The guard process calls the external unpacking program with the received filepath as the startup parameter. The unpacking program returns to the guard process the address at which the unpacked suspicious program has been stored, and this address is stored in the variable UnpackedPath. The guard process converts the opcodes of the suspicious program recorded in UnpackedPath into the corresponding assembly code, thereby disassembling the suspicious program, and the disassembly result is stored temporarily. The guard process automatically searches the disassembly result for all "CALL DWORD PTR [XXXXXXX]" statements, that is, all subroutine-call statements in the disassembled code of the unpacked suspicious program, where [XXXXXXX] represents assembly code. Each time a "CALL DWORD PTR [XXXXXXX]" statement is found, the guard process automatically searches upward from that instruction, as far as the preceding "CALL DWORD PTR [XXXXXXX]" statement, for "Push" statements. If two consecutive Push statements are found in the interval between two subroutine-call statements, the two Push statements, together with the first-found "CALL DWORD PTR [XXXXXXX]" statement, are determined to form a copy statement. The guard process records the addresses of the two Push statements and locates the Push target address of each; from the Push target address it determines the corresponding hexadecimal-encoded data of the suspicious program, converts the hexadecimal data into plaintext Unicode, and saves the resulting Unicode strings in the array push(n) in the order in which they occur in the suspicious program;
The guard process then judges: if the returned array push(n) has the form of a standard program file path, the copy statement found is judged to be copying a program file;
This sequence (searching for the subroutine-call statement of a suspected copy command, determining the hexadecimal-encoded data of the suspicious program that corresponds to the target address and converting it to Unicode, and judging whether a program file is being copied) is carried out while traversing the disassembled code of the suspicious program, so that all copy statements encountered are collected; push(n) is saved for further processing;
3) Diffusive-replication judgment: a score variable Count is defined with an initial value of 0. In the push(n) array, the strings at the Push target addresses are taken in pairs: the first is the source path and the second is the copy destination path. Each time a source path is the suspicious program's own path, Count+10; each time a destination path is a removable device or LAN storage, which is obvious diffusive propagation by copying, Count+40; each time a destination path is the Windows system directory, which is residence inside the system, Count+5;
If Count is higher than 100, it is counted as 100;
A threshold for diffusive replication is set. The threshold corresponds to the security level of the guard process: the smaller the threshold, the higher the security level of the protection. If Count is higher than the threshold, which is less than 100, the program is judged to replicate diffusively; otherwise, if Count is less than the threshold, there is no diffusive replication, the freeze on the suspicious program is lifted, and it is allowed to run;
A program judged to replicate diffusively immediately enters the next processing step;
4) Creating a same-named high-privilege folder: the guard process performs a folder-creation operation. At every diffusive copy destination path of a program that replicates diffusively, it creates a folder with the same name as the file at the suspicious program's copy destination path. The folder is set to hidden using the VB method for modifying file attributes, and through API calls to advapi32 and Kernel32 a temporary system-privilege user "SysUser" is created on the computer; the hidden folder just created is assigned the "SysUser" permission, that is, system user privilege;
5) The virus errors out and exits: after step 4) has been carried out, the freeze on the detained suspicious program is lifted and it is allowed to run. When a suspicious program that replicates diffusively executes its file copy instruction, it runs into the same-named folder created in step 4), that is, the high-privilege antibody folder. A RuntimeError occurs and error dialog boxes pop up; after the error dialog appears, the suspicious program, owing to the characteristics of Microsoft operating systems, is terminated by the operating system because of the error;
Through the above steps, automatic protection of the computer against virus programs is achieved.
2. The automatic protection method against computer viruses according to claim 1, characterized in that in step 3), when judging whether a destination path is a removable device or LAN storage, removable storage and network storage among the copy targets are identified by enumerating the computer's drive letters or through the Kernel32 API.
3. The automatic protection method against computer viruses according to claim 1 or 2, characterized in that in step 4), after the same-named high-privilege folder has been created, the guard process deletes the temporary file of the unpacked suspicious program.
CN201010598234A 2010-12-21 2010-12-21 Automatic protection method for computer virus Active CN102034047B (en)


Publications (2)

Publication Number Publication Date
CN102034047A CN102034047A (en) 2011-04-27
CN102034047B true CN102034047B (en) 2012-10-17

Family

ID=43886927

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010598234A Active CN102034047B (en) 2010-12-21 2010-12-21 Automatic protection method for computer virus

Country Status (1)

Country Link
CN (1) CN102034047B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544431B (en) * 2012-07-09 2016-01-06 腾讯科技(深圳)有限公司 A kind of immunization method to illegal program, system and device
CN102930209B (en) * 2012-10-16 2016-04-27 北京奇虎科技有限公司 The document handling method of movable storage device and document handling apparatus
CN103793209A (en) * 2012-10-26 2014-05-14 珠海市君天电子科技有限公司 Method and system for modifying Android program execution flow
CN109254877A (en) * 2018-09-11 2019-01-22 广州骏凯永卓信息科技有限公司 A kind of Monitoring and maintenance system of enterprise's computer software fault
CN112100618B (en) * 2019-06-18 2023-12-29 深信服科技股份有限公司 Virus file detection method, system, equipment and computer storage medium
CN110933057B (en) * 2019-11-21 2021-11-23 深圳渊联技术有限公司 Internet of things security terminal and security control method thereof
CN113177207A (en) * 2021-04-27 2021-07-27 顶象科技有限公司 Virus immunization method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1641516A (en) * 2004-01-05 2005-07-20 华为技术有限公司 Method for ensuring system safety for window operating system
CN1900940A (en) * 2006-07-19 2007-01-24 谢朝霞 Method for computer safety start
CN101183414A (en) * 2007-12-07 2008-05-21 白杰 Program detection method, device and program analyzing method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6792543B2 (en) * 2001-08-01 2004-09-14 Networks Associates Technology, Inc. Virus scanning on thin client devices using programmable assembly language

Also Published As

Publication number Publication date
CN102034047A (en) 2011-04-27

Similar Documents

Publication Publication Date Title
CN102034047B (en) Automatic protection method for computer virus
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
EP2106085B1 (en) System and method for securing a network from zero-day vulnerability exploits
CN102810138B (en) A kind of restorative procedure of user side file and system
Yoon et al. Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study
CN107004089A (en) Malware detection method and its system
US11256712B2 (en) Rapid design, development, and reuse of blockchain environment and smart contracts
CN106302404B (en) A kind of collection network is traced to the source the method and system of information
CN102208002B (en) Novel computer virus scanning and killing device
KR20120071834A (en) Automatic management system for group and mutant information of malicious code
JP2019518298A (en) Virus detection technology benchmarking
CN105897752A (en) Safety detection method and device of unknown domain name
Rani et al. An efficient approach to forensic investigation in cloud using VM snapshots
CN106228067A (en) Malicious code dynamic testing method and device
Almutairi et al. Innovative signature based intrusion detection system: Parallel processing and minimized database
Pont et al. A roadmap for improving the impact of anti-ransomware research
JP2015179979A (en) Attack detection system, attack detection apparatus, attack detection method, and attack detection program
CN108460293A (en) A kind of application integrity multistage checking mechanism
CN106021027A (en) Terminal data processing method and system
Data et al. The effectiveness of vaccinations on the spread of email-borne computer viruses
US20240037269A1 (en) Data Masking Method and Device
US8938807B1 (en) Malware removal without virus pattern
Almulla et al. A distributed snapshot framework for digital forensics evidence extraction and event reconstruction from cloud environment
Jia et al. Findevasion: an effective environment-sensitive malware detection system for the cloud
CN109472139A (en) It is a kind of to defend to extort virus to the method and system of the secondary encryption of host document

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: JIANGSU GUORUI XINAN TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: YAO ZHIHAO

Effective date: 20130926

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 210018 NANJING, JIANGSU PROVINCE TO: 210023 NANJING, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20130926

Address after: 210023, 20, Xu Zhuang base, Jiangsu Software Park, 699-22 Xuanwu Avenue, Jiangsu, Nanjing

Patentee after: Jiangsu GuoRui XinAn Technology Co., Ltd.

Address before: 210018, Jiangsu Province, Xuanwu District, Nanjing four archway 61, created software building, room 632

Patentee before: Yao Zhihao

C53 Correction of patent for invention or patent application
CB03 Change of inventor or designer information

Inventor after: Yao Zhihao

Inventor after: Wu Hesheng

Inventor before: Yao Zhihao

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: YAO ZHIHAO TO: YAO ZHIHAO WU HESHENG