CN102263773B - Real-time protection method and apparatus thereof - Google Patents


Info

Publication number
CN102263773B
Authority
CN
China
Legal status
Active
Application number
CN201010186404.6A
Other languages
Chinese (zh)
Other versions
CN102263773A (en)
Inventor
王宇
孟齐源
Current Assignee
Shenzhen Tencent Computer Systems Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201010186404.6A (CN102263773B)
Priority to BR112012028244-1A (BR112012028244B1)
Priority to CA2797880A (CA2797880C)
Priority to PCT/CN2011/074575 (WO2011147306A1)
Publication of CN102263773A
Application granted
Publication of CN102263773B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a real-time protection method and an apparatus for it, and belongs to the security field. The method comprises the following steps: obtaining an application-level filtering rule from a server and updating it in real time; determining whether a real-time protection event matches the application-level filtering rule; and, if so, performing the corresponding operation on the real-time protection event according to the rule. The apparatus comprises an acquisition module, a judging module and an execution module. By obtaining the application-level filtering rule from the server and keeping it updated in real time, determining whether a real-time protection event matches it and, if so, performing the corresponding operation on the event according to the rule without user intervention, the invention raises both the accuracy of protection and the efficiency of the user's operation.

Description

Real-time protection method and apparatus
Technical field
The present invention relates to the security field, and in particular to a real-time protection method and apparatus.
Background technology
The network security situation is increasingly serious, and viruses of every kind seriously threaten the safe operation of computers. Coping with the variety of malicious programs requires strong protective capabilities.
Current real-time protection software such as EQSecure, System Safety Monitor and 360 Safeguard defines, in a configuration file created when the software is first installed, a set of control points for behaviour that may affect system security, in order to capture events such as changes to system startup items and Image File Execution Options, modification of system files and installation of system services. Whether these events are the normal operation of a safe program or the malicious operation of a suspicious or malicious program, they are all submitted to the user, who judges whether the behaviour should be allowed or blocked. For example, once the user has selected "always allow all operations of this program" or "block all operations of this program", the software no longer pops up a window asking the user to choose for that program, but automatically allows or blocks the corresponding operations.
In summary, the prior art has at least the following problems:
Because the user must decide on every monitored event, even for system operations that are themselves entirely safe, the user's work is interrupted and the user's operating efficiency is reduced. And when the user's computer literacy is not high, the user has difficulty making the right choice: if safe software is blocked or malicious software is allowed, the safe software may fail to run normally, or the malicious software may be given the opportunity to do as it pleases in the system.
Summary of the invention
To improve the user's operating efficiency and help the user distinguish safe software from malicious software, embodiments of the present invention provide a real-time protection method and apparatus. The technical scheme is as follows:
A real-time protection method, comprising:
obtaining an application-level filtering rule from a server and updating it in real time, where the application-level filtering rule comprises an application-level filtering rule for general-policy control points and an application-level filtering rule for self-protection control points;
judging whether a real-time protection event matches the application-level filtering rule;
if it matches, performing the corresponding operation on the real-time protection event according to the application-level filtering rule.
Before obtaining the application-level filtering rule from the server and updating it in real time, the method further comprises:
judging the type of the control point to which the real-time protection event belongs;
and obtaining the application-level filtering rule from the server and updating it in real time comprises:
when the type of the control point is a self-protection control point, obtaining the application-level filtering rule for self-protection control points from the server and updating it in real time;
when the type of the control point is a general-policy control point, obtaining the application-level filtering rule for general-policy control points from the server and updating it in real time.
When there are multiple application-level filtering rules, after obtaining them from the server and updating them in real time the method further comprises:
obtaining the execution order of the application-level filtering rules from the server and updating it in real time;
and judging whether the real-time protection event matches the application-level filtering rule comprises:
according to the execution order, judging whether the real-time protection event matches a given application-level filtering rule only when the event did not match the preceding application-level filtering rule.
The method further comprises:
if there is no match, sending the real-time protection event to the user for a decision.
Before sending the real-time protection event to the user for a decision, the method further comprises:
determining the risk level of the real-time protection event;
and sending the real-time protection event to the user for a decision further comprises:
sending the risk level of the real-time protection event to the user, so that the user makes a decision on the real-time protection event according to the risk level.
Judging whether the real-time protection event matches the application-level filtering rule comprises:
when the type of the control point is a general-policy control point, judging whether the real-time protection event matches the application-level filtering rule for general-policy control points;
when the type of the control point is a self-protection control point, judging whether the real-time protection event matches the application-level filtering rule for self-protection control points.
The application-level filtering rule for self-protection control points comprises at least one of: a first file-signature filtering rule and a process black/white-list filtering rule;
the application-level filtering rule for general-policy control points comprises at least one of: a second file-signature filtering rule and a message digest algorithm (MD5) filtering rule.
A real-time protection apparatus, comprising:
an acquisition module, for obtaining an application-level filtering rule from a server and updating it in real time, where the application-level filtering rule comprises an application-level filtering rule for general-policy control points and an application-level filtering rule for self-protection control points;
a judging module, for judging whether a real-time protection event matches the application-level filtering rule obtained by the acquisition module;
an execution module, for performing the corresponding operation on the real-time protection event according to the application-level filtering rule obtained by the acquisition module when the judging module finds a match.
The apparatus is further used to judge the type of the control point to which the real-time protection event belongs, and obtaining the application-level filtering rule from the server and updating it in real time comprises:
when the type of the control point is a self-protection control point, obtaining the application-level filtering rule for self-protection control points from the server and updating it in real time;
when the type of the control point is a general-policy control point, obtaining the application-level filtering rule for general-policy control points from the server and updating it in real time.
The acquisition module is further used, when there are multiple application-level filtering rules, to obtain their execution order from the server and update it in real time;
and the judging module is further used, according to the execution order obtained by the acquisition module, to judge whether the real-time protection event matches a given application-level filtering rule only when the event did not match the preceding rule.
The apparatus further comprises:
a sending module, for sending the real-time protection event to the user for a decision when the judging module finds no match.
The apparatus further comprises:
a determination module, for determining the risk level of the real-time protection event before it is sent to the user for a decision;
and the sending module is further used to send the risk level of the real-time protection event to the user, so that the user makes a decision on the event according to the risk level.
The judging module comprises:
a first judging unit, for judging, when the type of the control point is a general-policy control point, whether the real-time protection event matches the application-level filtering rule for general-policy control points;
a second judging unit, for judging, when the type of the control point is a self-protection control point, whether the real-time protection event matches the application-level filtering rule for self-protection control points.
The application-level filtering rule for self-protection control points obtained by the acquisition module comprises at least one of: a first file-signature filtering rule and a process black/white-list filtering rule;
the application-level filtering rule for general-policy control points obtained by the acquisition module comprises at least one of: a second file-signature filtering rule and a message digest algorithm (MD5) filtering rule.
The technical scheme provided by the embodiments of the present invention has the following beneficial effects:
By obtaining an application-level filtering rule from a server and updating it in real time, judging whether a real-time protection event matches the rule and, if it matches, performing the corresponding operation on the event according to the rule, no user intervention is needed, which improves both the accuracy of protection and the efficiency of the user's operation. Correspondingly, only events that match no application-level filtering rule are passed to the user for a decision, which, compared with having the user decide on every monitored event, also improves the user's operating efficiency. In addition, assessing the risk level of the real-time protection event to assist the user's decision helps the user distinguish safe software from malicious software and make the right choice.
Brief description of the drawings
Fig. 1 is a flow chart of the real-time protection method provided in Embodiment 1 of the present invention;
Fig. 2 is another flow chart of the real-time protection method provided in Embodiment 1 of the present invention;
Fig. 3 is a schematic structural diagram of the real-time protection apparatus provided in Embodiment 2 of the present invention;
Fig. 4 is another schematic structural diagram of the real-time protection apparatus provided in Embodiment 2 of the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
Referring to Fig. 1, this embodiment provides a real-time protection method, comprising:
101: obtain an application-level filtering rule from a server and update it in real time;
The application-level filtering rule may be set uniformly for all control points, or set separately for different control points, for example an application-level filtering rule for general-policy control points and one for self-protection control points. The rule for self-protection control points may comprise at least one of a first file-signature filtering rule and a process black/white-list filtering rule. The rule for general-policy control points may comprise at least one of a second file-signature filtering rule and an MD5 (Message Digest Algorithm 5) filtering rule.
Further, when there are multiple application-level filtering rules, their execution order also needs to be obtained from the server and updated in real time. If the rules are divided into those for general-policy control points and those for self-protection control points, the execution order of each set needs to be obtained separately.
102: judge whether the real-time protection event matches the application-level filtering rule;
Specifically, when there are multiple application-level filtering rules and their execution order has been obtained, the rules are tried in that order: the event is checked against a rule only if it did not match the preceding rule.
103: if it matches, perform the corresponding operation on the real-time protection event according to the application-level filtering rule.
Specifically, the operation the real-time protection event is attempting is allowed or blocked as specified by the matching application-level filtering rule.
Further, if there is no match, the real-time protection event is sent to the user for a decision. Before sending, the risk level of the event may also be determined; the event and its risk level are then sent to the user so that the user can decide on the event according to its risk level.
With the method provided in this embodiment, an application-level filtering rule is obtained from a server and updated in real time, a real-time protection event is checked against the rule and, if it matches, the corresponding operation is performed on the event according to the rule, so no user intervention is needed and both the accuracy of protection and the efficiency of the user's operation are improved. Correspondingly, only events that match no application-level filtering rule are passed to the user for a decision, which, compared with having the user decide on every monitored event, also improves the user's operating efficiency. In addition, assessing the risk level of the real-time protection event to assist the user's decision helps the user distinguish safe software from malicious software and make the right choice.
Referring to Fig. 2, the real-time protection method is described below with a specific example.
201: capture a real-time protection event;
A real-time protection event may be an event such as modifying or deleting a file or registry entry, or a program upgrade. When the driver detects that some event intends to modify or delete a file or registry entry, upgrade a program or perform a similar operation, the driver captures that event; this embodiment does not limit the specific capture method.
202: judge the type of the control point to which the real-time protection event belongs;
Specifically, the type of the control point is judged from the application-layer information associated with it. If the application associated with the control point is the real-time protection software itself, the control point is a self-protection control point; if it is any software other than the real-time protection software, the control point is a general-policy control point.
For a self-protection control point, go to step 203; for a general-policy control point, go to step 204.
This step is optional, because the application-level filtering rule may be set separately for different control points or uniformly for all control points. When rules are set separately for different control points, the type of the control point must be judged; when a single rule set is used for all control points, it need not be.
203: obtain the application-level filtering rules of the self-protection control point and their execution order from the server, update them in real time, and filter;
This embodiment does not limit the specific content or number of the application-level filtering rules for self-protection control points. The filtering rules of a self-protection control point are described below using the (first) file-signature filtering rule and the process black/white-list filtering rule as examples.
203a: filter the real-time protection event according to the (first) file-signature filtering rule;
A file digital signature (file signature for short) is a means of protecting a file and preventing it from being tampered with; it includes information such as the file's publisher.
In this embodiment, filtering the real-time protection event according to the (first) file-signature filtering rule specifically comprises:
obtaining the (first) file-signature filtering rule from the server and updating it in real time. Each rule may carry an attached parameter configuration for file-signature verification; the first file signature given in that parameter configuration is matched against the file signature of the real-time protection event. If it matches, the allow or block operation specified by the file-signature filtering rule is performed and the method proceeds to step 207; if it does not match, the next application-level filtering rule is applied. In this embodiment the next rule is the process black/white-list filtering rule of step 203b.
In the above filtering process, the first file signature in the parameter configuration may be a black list or a white list of file signatures: a black list blocks the event's operation, a white list allows it. Depending on the system control point, the black/white list may be attached directly in the parameter configuration, or the parameter configuration may instead carry information such as the version and path of the black/white list.
For example, to ensure that only software carrying our company's signature can modify that software's own file resources, a file-signature filtering rule can be defined whose attached parameter configuration is our company's signature: a match is allowed and any other signature is blocked outright, and the rule is associated with the control point for file modification in the software's installation directory. As another example, a further file-signature filtering rule can be defined whose attached parameter configuration is a software-signature black/white list automatically updated from the server, and this rule is attached to common control points such as startup items, Image File Execution Options and system global hooks. When these system events are monitored, the black/white list defined in the configuration is used to filter them: legitimate software (on the white list) is allowed automatically, illegitimate software (on the black list) is blocked, and software on either list is not submitted to the user for selection.
203b: filter the real-time protection event according to the process black/white-list filtering rule;
In this embodiment, filtering the real-time protection event according to the process black/white-list filtering rule specifically comprises:
obtaining the process black/white-list filtering rule from the server and updating it in real time. Each rule may carry an attached parameter configuration for process verification; the process that initiated the real-time protection event is matched against the process given in the parameter configuration. If it matches, the corresponding allow or block operation is performed and the method proceeds to step 207; otherwise, if it does not match, the event is handed to the user for a decision.
In the above filtering process, the process given in the parameter configuration may be a black list or a white list of processes. Depending on the system control point, the black/white list may be attached directly in the parameter configuration, or the parameter configuration may instead carry information such as the version and path of the black/white list. Because process names change often and are easily imitated, usually only a white list is configured, allowing a few well-defined programs. It serves as a supplement to file-signature filtering and file-MD5 filtering, and is commonly used to define self-protection rules such as allowing the update program and allowing modifications to files under the software's installation directory.
204: obtain the application-level filtering rules of the general-policy control point and their execution order from the server, update them in real time, and filter;
This embodiment does not limit the specific content or number of the application-level filtering rules for general-policy control points. The rules of a general-policy control point are described below using the (second) file-signature filtering rule and the MD5 filtering rule as examples. Before the rules of the general-policy control point are applied, the event may optionally be filtered first according to user-defined filtering rules, to improve filtering efficiency.
204a: filter the real-time protection event according to user-defined filtering rules;
Specifically, if the real-time protection event matches a program that the user has previously chosen to always allow or always block, it is directly allowed or blocked according to that earlier decision. Operations not covered by a user-defined rule proceed to the next application-level filtering rule, which in this embodiment is the (second) file-signature filtering rule of step 204b.
For example, if the user has chosen "always allow all operations of this process" for a certain software's update program, subsequent runs of that software's update program are allowed automatically.
204b: filter the real-time protection event according to the (second) file-signature filtering rule;
Specifically, the (second) file-signature filtering rule is obtained from the server and updated in real time. Each rule may carry an attached parameter configuration for file-signature verification; the second file signature given in that parameter configuration is matched against the file signature of the real-time protection event. If it matches, the allow or block operation specified by the file-signature filtering rule is performed and the method proceeds to step 207; if it does not match, the next application-level filtering rule is applied. In this embodiment the next rule is the MD5 filtering rule of step 204c.
For the definition of a file-signature filtering rule, see step 203a; it is not repeated here. Note that this step filters in the same way as step 203a, but the specific content of the rule may be the same or different: the first file signature and the second file signature, and their corresponding operations, may be identical or different.
204c: filter the real-time protection event according to the MD5 filtering rule;
Specifically, the MD5 filtering rule is obtained from the server and updated in real time. Each rule may carry an attached parameter configuration for MD5 verification; the MD5 given in that parameter configuration is matched against the MD5 of the real-time protection event. If it matches, the allow or block operation specified by the MD5 filtering rule is performed and the method proceeds to step 207; if it does not match, the next application-level filtering rule is applied.
In the above filtering process, the MD5 in the parameter configuration may be a black list or a white list of MD5 values: a black list blocks the event's operation, a white list allows it. Depending on the system control point, the black/white list may be attached directly in the parameter configuration, or the parameter configuration may instead carry information such as the version and path of the black/white list.
205: determine the risk level of the real-time protection event, and send the event and its risk level to the user;
Specifically, the executable file of the event is scanned to judge its risk level, and the risk level is appended to the event context as a reference for the user's decision.
This step is optional; the real-time protection event may also be sent to the user on its own.
206: the user decides on the real-time protection event according to its risk level;
Specifically, a window is organised and popped up according to the event context information and the type of monitored resource. The window contains the details of the event and the risk level of the executable program, and the user decides whether to allow or block the operation. If the user selects "always allow all operations of this process" or "block all operations of this process", the choice is added to the user-defined application-level filtering rules.
The user may also decide on the real-time protection event directly; this approach suits users familiar with computer security.
207: the driver allows or blocks the real-time protection event according to the user's decision or the result of the application-level filtering rules.
With the method provided in this embodiment, an application-level filtering rule is obtained from a server and updated in real time, a real-time protection event is checked against the rule and, if it matches, the corresponding operation is performed on the event according to the rule, so no user intervention is needed and both the accuracy of protection and the efficiency of the user's operation are improved. Correspondingly, only events that match no application-level filtering rule are passed to the user for a decision, which, compared with having the user decide on every monitored event, also improves the user's operating efficiency. In addition, assessing the risk level of the real-time protection event to assist the user's decision helps the user distinguish safe software from malicious software and make the right choice.
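The rule chain of steps 202 to 207 in working form, as an added example that is not part of the patent or of any product it names: constructed in-memory rules stand in for the rules and execution order fetched from the server, the self-protection control-point set, the signer names and the risk heuristic are assumptions, and the two chains follow the orders given for steps 203a to 203b and 204a to 204c.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"          # step 207: the driver lets the operation pass
    DENY = "deny"            # step 207: the driver blocks the operation
    ASK_USER = "ask_user"    # steps 205-206: no rule matched, hand to the user


@dataclass
class ProtectionEvent:
    control_point: str       # monitored point, e.g. "startup_item" or "install_dir_write"
    process_name: str        # process that initiated the operation
    signer: Optional[str]    # publisher from the file's digital signature, None if unsigned
    file_bytes: bytes        # executable content; hashed for the MD5 rule
    file_md5: str = field(init=False)

    def __post_init__(self):
        self.file_md5 = hashlib.md5(self.file_bytes).hexdigest()


@dataclass(frozen=True)
class FilterRule:
    """One application-level filtering rule: a black/white list keyed on one attribute.
    The attached lists play the role of the rule's parameter configuration."""
    kind: str                # "signature", "md5" or "process"
    whitelist: frozenset = frozenset()
    blacklist: frozenset = frozenset()

    def evaluate(self, ev: ProtectionEvent) -> Optional[Verdict]:
        key = {"signature": ev.signer, "md5": ev.file_md5,
               "process": ev.process_name}[self.kind]
        if key in self.blacklist:
            return Verdict.DENY
        if key in self.whitelist:
            return Verdict.ALLOW
        return None          # no match: fall through to the next rule in the order


# Assumed control points whose associated application is the protection software itself.
SELF_PROTECTION_POINTS = frozenset({"install_dir_write", "config_write"})
OUR_SIGNER = "Example Security Vendor"   # hypothetical publisher name

# Constructed stand-in for the rules and their execution order fetched from the server.
SERVER_RULES = {
    # steps 203a-203b: file signature, then process white list
    "self_protection": [
        FilterRule("signature", whitelist=frozenset({OUR_SIGNER})),
        FilterRule("process", whitelist=frozenset({"vendor_updater.exe"})),
    ],
    # steps 204b-204c: file signature, then MD5 (user-defined rules run before these)
    "general": [
        FilterRule("signature",
                   whitelist=frozenset({OUR_SIGNER, "Trusted Publisher"}),
                   blacklist=frozenset({"Known Bad Publisher"})),
        FilterRule("md5", blacklist=frozenset({hashlib.md5(b"EVIL-SAMPLE").hexdigest()})),
    ],
}


def control_point_type(ev: ProtectionEvent) -> str:
    """Step 202: classify the control point by the application associated with it."""
    return "self_protection" if ev.control_point in SELF_PROTECTION_POINTS else "general"


def risk_level(ev: ProtectionEvent) -> str:
    """Step 205, constructed heuristic in place of scanning the executable:
    unsigned code is rated high, code from a signer no rule knows is rated medium."""
    return "high" if ev.signer is None else "medium"


def evaluate_event(ev: ProtectionEvent, user_rules=()):
    """Steps 202-207: walk the ordered rule chain; return (verdict, risk level or None)."""
    cp_type = control_point_type(ev)
    # step 204a: user-defined rules are consulted first, for general-policy points only
    chain = list(user_rules) if cp_type == "general" else []
    chain += SERVER_RULES[cp_type]
    for rule in chain:
        verdict = rule.evaluate(ev)
        if verdict is not None:
            return verdict, None
    return Verdict.ASK_USER, risk_level(ev)


def remember_user_decision(user_rules, ev: ProtectionEvent, verdict: Verdict):
    """Step 206: 'always allow/block all operations of this process' becomes a
    user-defined process rule appended to the chain."""
    names = frozenset({ev.process_name})
    rule = (FilterRule("process", whitelist=names) if verdict is Verdict.ALLOW
            else FilterRule("process", blacklist=names))
    return list(user_rules) + [rule]


if __name__ == "__main__":
    ev = ProtectionEvent("startup_item", "unknown.exe", None, b"constructed sample")
    print(evaluate_event(ev))                       # (Verdict.ASK_USER, 'high')
    rules = remember_user_decision([], ev, Verdict.ALLOW)
    print(evaluate_event(ev, rules))                # (Verdict.ALLOW, None)
```

Note that a user-defined rule recorded at a general-policy point does not apply at a self-protection point, matching the placement of step 204a under step 204.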
Embodiment 2
Referring to Fig. 3, the present embodiment provides a kind of device of real-time protection, and this device comprises:
Acquisition module 301, for obtaining from server and real-time update application filters rule;
Judge module 302, for judging whether real-time protection event mates the application filters rule that acquisition module 301 obtains;
Executive Module 303, if the result judging for judge module 302 is coupling, the application filters rule of obtaining according to acquisition module 301 is carried out corresponding operation to real-time protection event.
Further, acquisition module 301, also for having when application filters rule when multiple, obtains and the execution sequence of real-time update application filters rule from server;
Accordingly, judge module 302, the also execution sequence for obtaining according to acquisition module 301, in the time that real-time protection event is not mated with the previous application filters rule of application filters rule, then judges whether real-time protection event mates application filters rule.
Further, referring to Fig. 4, the device also comprises:
Sending module 304, configured to, when the result of judgment module 302 is no match, send the real-time protection event to the user for a decision.
Further, the device also comprises:
Determination module 305, configured to determine the risk class of the real-time protection event before it is sent to the user for a decision;
Sending module 304 is also configured to send the risk class of the real-time protection event to the user, so that the user makes a decision on the event according to the risk class.
The application filtering rules obtained by acquisition module 301 comprise application filtering rules of the general policy control point and application filtering rules of the self-protection control point;
Judgment module 302 comprises:
Determining unit 302a, configured to determine the type of control point to which the real-time protection event belongs;
First judging unit 302b, configured to judge, when the type determined by determining unit 302a is the general policy control point, whether the real-time protection event matches the application filtering rules of the general policy control point;
Second judging unit 302c, configured to judge, when the type determined by determining unit 302a is the self-protection control point, whether the real-time protection event matches the application filtering rules of the self-protection control point.
The application filtering rules of the self-protection control point obtained by acquisition module 301 comprise at least one of: a first file signature application filtering rule, and a process black/white list application filtering rule;
The application filtering rules of the general policy control point obtained by acquisition module 301 comprise at least one of: a second file signature application filtering rule, and a message digest algorithm (MD5) application filtering rule.
The device provided by this embodiment is based on the same inventive concept as the method embodiment; for its specific implementation process, refer to the method embodiment, which is not repeated here.
With the device provided by this embodiment, application filtering rules are obtained from the server and updated in real time, and it is judged whether a real-time protection event matches an application filtering rule; if it matches, the corresponding operation is performed on the event according to that rule without user intervention, which improves both the accuracy of protection and the efficiency of the user's operation. Correspondingly, if the event matches no application filtering rule, it is handed to the user for a decision; compared with having the user decide on every monitored event, this also improves the efficiency of the user's operation. In addition, the risk class of the real-time protection event is assessed to assist the user's decision, which helps the user distinguish safe software from malicious software and make the correct choice.
All or part of the technical solution provided by the above embodiments can be implemented by software programming, with the software program stored in a computer-readable storage medium, for example a hard disk, an optical disc or a floppy disk in a computer.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (12)

1. A real-time protection method, characterized in that the method comprises:
obtaining application filtering rules from a server and updating them in real time, the application filtering rules comprising application filtering rules of a general policy control point and application filtering rules of a self-protection control point;
judging whether a real-time protection event matches the application filtering rules;
if it matches, performing a corresponding operation on the real-time protection event according to the application filtering rules;
wherein, before obtaining the application filtering rules from the server and updating them in real time, the method further comprises:
judging the type of control point to which the real-time protection event belongs;
and obtaining the application filtering rules from the server and updating them in real time comprises:
when the type of the control point is the self-protection control point, obtaining the application filtering rules of the self-protection control point from the server and updating them in real time;
when the type of the control point is the general policy control point, obtaining the application filtering rules of the general policy control point from the server and updating them in real time.
2. the method for claim 1, is characterized in that, when described application filters rule has when multiple, described from server obtain and real-time update application filters rule after comprise:
From described server obtain and real-time update described in the execution sequence of application filters rule;
Describedly judge whether real-time protection event is mated described application filters rule and comprised:
According to described execution sequence, in the time that described real-time protection event is not mated with the previous application filters rule of described application filters rule, then judge whether described real-time protection event mates described application filters rule.
3. the method for claim 1, is characterized in that, described method also comprises:
If do not mated, described real-time protection event is sent to user's decision-making.
4. The method of claim 3, characterized in that, before sending the real-time protection event to the user for a decision, the method further comprises:
determining the risk class of the real-time protection event;
and sending the real-time protection event to the user for a decision further comprises:
sending the risk class of the real-time protection event to the user, so that the user makes a decision on the real-time protection event according to the risk class.
5. The method of any one of claims 1-4, characterized in that judging whether the real-time protection event matches the application filtering rules comprises:
when the type of the control point is the general policy control point, judging whether the real-time protection event matches the application filtering rules of the general policy control point;
when the type of the control point is the self-protection control point, judging whether the real-time protection event matches the application filtering rules of the self-protection control point.
6. The method of claim 5, characterized in that the application filtering rules of the self-protection control point comprise at least one of: a first file signature application filtering rule, and a process black/white list application filtering rule;
the application filtering rules of the general policy control point comprise at least one of: a second file signature application filtering rule, and a message digest algorithm (MD5) application filtering rule.
7. A real-time protection device, characterized in that the device comprises:
an acquisition module, configured to obtain application filtering rules from a server and update them in real time, the application filtering rules comprising application filtering rules of a general policy control point and application filtering rules of a self-protection control point;
a judgment module, configured to judge whether a real-time protection event matches the application filtering rules obtained by the acquisition module;
an execution module, configured to, when the result of the judgment module is a match, perform a corresponding operation on the real-time protection event according to the application filtering rules obtained by the acquisition module;
wherein the device is also configured to judge the type of control point to which the real-time protection event belongs;
and obtaining the application filtering rules from the server and updating them in real time comprises: when the type of the control point is the self-protection control point, obtaining the application filtering rules of the self-protection control point from the server and updating them in real time;
when the type of the control point is the general policy control point, obtaining the application filtering rules of the general policy control point from the server and updating them in real time.
8. The device of claim 7, characterized in that the acquisition module is also configured to, when there are multiple application filtering rules, obtain the execution sequence of the application filtering rules from the server and update it in real time;
and the judgment module is also configured to judge, according to the execution sequence obtained by the acquisition module, whether the real-time protection event matches a given application filtering rule only after the event has failed to match the rules preceding it in the sequence.
9. The device of claim 7, characterized in that the device further comprises:
a sending module, configured to, when the result of the judgment module is no match, send the real-time protection event to the user for a decision.
10. The device of claim 9, characterized in that the device further comprises:
a determination module, configured to determine the risk class of the real-time protection event before it is sent to the user for a decision;
and the sending module is also configured to send the risk class of the real-time protection event to the user, so that the user makes a decision on the real-time protection event according to the risk class.
11. The device of any one of claims 7-10, characterized in that the judgment module comprises:
a first judging unit, configured to judge, when the type of the control point is the general policy control point, whether the real-time protection event matches the application filtering rules of the general policy control point;
a second judging unit, configured to judge, when the type of the control point is the self-protection control point, whether the real-time protection event matches the application filtering rules of the self-protection control point.
12. The device of claim 11, characterized in that
the application filtering rules of the self-protection control point obtained by the acquisition module comprise at least one of: a first file signature application filtering rule, and a process black/white list application filtering rule;
the application filtering rules of the general policy control point obtained by the acquisition module comprise at least one of: a second file signature application filtering rule, and a message digest algorithm (MD5) application filtering rule.
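The rule-matching flow described in Embodiment 2 and restated in claims 1-12 (rules per control point type, a server-supplied execution sequence, first match decides, otherwise hand the event to the user with a risk class) is shown below as an added worked example. It is not the patent's or Tencent's code: the rule representation, the function names, the risk heuristic in assess_risk, and all signers, digests and events are assumptions constructed for illustration.

```python
"""Added example (not the patent's or Tencent's code): a minimal rule engine for the
real-time protection flow the patent describes; rule format, names, the risk
heuristic and all sample data are assumptions made for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SELF_PROTECTION = "self_protection"   # the two control point types the patent distinguishes
GENERAL_POLICY = "general_policy"

@dataclass
class ProtectionEvent:
    control_point: str     # type of control point that raised the event
    process: str           # image name of the acting process
    file_bytes: bytes      # content of the file the event concerns
    signer: Optional[str]  # subject of an already-verified code signature, or None
    operation: str         # what the process is trying to do

@dataclass
class Rule:
    name: str
    control_point: str     # control point type this rule belongs to
    matches: Callable[[ProtectionEvent], bool]
    action: str            # operation executed on a match: "allow" or "block"

# The rule kinds named in claims 6 and 12.
def signature_rule(name, cp, trusted, action="allow"):
    return Rule(name, cp, lambda e: e.signer is not None and e.signer in trusted, action)

def md5_rule(name, cp, digests, action):
    # MD5 is what the patent names; a new design should key on SHA-256, since MD5
    # collisions are practical and a blocklist keyed on it can be evaded.
    return Rule(name, cp, lambda e: hashlib.md5(e.file_bytes).hexdigest() in digests, action)

def process_list_rule(name, cp, names, action):
    # Matching on image name alone is weak (names are trivially spoofed); shown only
    # because it is the black/white list rule the patent describes.
    return Rule(name, cp, lambda e: e.process.lower() in names, action)

class RuleStore:
    """Rules plus the server-supplied execution sequence (claims 2 and 8). update()
    swaps both at once, so evaluate() never sees a half-applied real-time update."""
    def __init__(self):
        self.rules: Dict[str, Rule] = {}
        self.order: List[str] = []

    def update(self, rules, order):
        new_rules = {r.name: r for r in rules}
        missing = [n for n in order if n not in new_rules]
        if missing:
            raise ValueError(f"execution sequence names unknown rules: {missing}")
        self.rules, self.order = new_rules, list(order)

    def ordered(self, cp):
        # Only rules of the event's own control point type are consulted (claims 5 and 11).
        return [self.rules[n] for n in self.order if self.rules[n].control_point == cp]

def assess_risk(event):
    """Assumed heuristic; the patent only says that a risk class is determined."""
    if event.control_point == SELF_PROTECTION:
        return "high"
    if event.signer is None and event.operation in ("exec", "write_startup"):
        return "medium"
    return "low"

def evaluate(store, event):
    """Walk the rules in execution order; the first match decides without user
    intervention. If nothing matches, the event goes to the user with its risk
    class. Returns (decision, matched_rule_name, risk_class)."""
    for rule in store.ordered(event.control_point):
        if rule.matches(event):
            return rule.action, rule.name, None
    return "ask_user", None, assess_risk(event)

# Constructed sample rule set: no real signers, hashes or malware.
BAD_SAMPLE = b"MZ\x90\x00constructed-bad-sample"
RULES = [
    signature_rule("sp_sig", SELF_PROTECTION, {"Example Security Vendor"}),
    process_list_rule("sp_block", SELF_PROTECTION, {"killav.exe"}, "block"),
    signature_rule("gp_sig", GENERAL_POLICY, {"Example Security Vendor", "Example OS Vendor"}),
    md5_rule("gp_md5", GENERAL_POLICY, {hashlib.md5(BAD_SAMPLE).hexdigest()}, "block"),
]
DEFAULT_ORDER = ["sp_sig", "sp_block", "gp_sig", "gp_md5"]

def build_store(order=DEFAULT_ORDER):
    store = RuleStore()
    store.update(RULES, order)
    return store

if __name__ == "__main__":
    store = build_store()
    for ev in (ProtectionEvent(SELF_PROTECTION, "killav.exe", b"", None, "terminate"),
               ProtectionEvent(GENERAL_POLICY, "setup.exe", BAD_SAMPLE, None, "exec"),
               ProtectionEvent(GENERAL_POLICY, "tool.exe", b"unknown", None, "exec")):
        print(ev.process, ev.operation, "->", evaluate(store, ev))
```

The execution sequence is not cosmetic: with the order above, a process that is both on the self-protection blacklist and signed by a trusted signer is allowed because the signature rule runs first; putting sp_block ahead of sp_sig in the sequence sent by the server makes the same event blocked. That is exactly the behaviour claims 2 and 8 make the server responsible for, so the sequence needs the same integrity protection as the rules themselves.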
CN201010186404.6A 2010-05-25 2010-05-25 Real-time protection method and apparatus thereof Active CN102263773B (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201010186404.6A CN102263773B (en) 2010-05-25 2010-05-25 Real-time protection method and apparatus thereof
BR112012028244-1A BR112012028244B1 (en) 2010-05-25 2011-05-24 Method and equipment to implement real-time protection
CA2797880A CA2797880C (en) 2010-05-25 2011-05-24 Method and apparatus for implementing real-time protection
PCT/CN2011/074575 WO2011147306A1 (en) 2010-05-25 2011-05-24 Real-time protection method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010186404.6A CN102263773B (en) 2010-05-25 2010-05-25 Real-time protection method and apparatus thereof

Publications (2)

Publication Number Publication Date
CN102263773A CN102263773A (en) 2011-11-30
CN102263773B true CN102263773B (en) 2014-06-11

Family

ID=45003317

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010186404.6A Active CN102263773B (en) 2010-05-25 2010-05-25 Real-time protection method and apparatus thereof

Country Status (4)

Country Link
CN (1) CN102263773B (en)
BR (1) BR112012028244B1 (en)
CA (1) CA2797880C (en)
WO (1) WO2011147306A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102646173A (en) * 2012-02-29 2012-08-22 成都新云软件有限公司 Safety protection control method and system based on white and black lists
CN102880817A (en) * 2012-08-20 2013-01-16 福建升腾资讯有限公司 Running protection method for computer software product
CN103634272B (en) * 2012-08-21 2018-09-04 腾讯科技(深圳)有限公司 File scanning method, client device and server
CN108292342B (en) * 2016-01-25 2022-09-06 惠普发展公司,有限责任合伙企业 Notification of intrusions into firmware
CN107104944A (en) * 2017-03-10 2017-08-29 林榆坚 A kind of detection method and device of network intrusions
CN107360148A (en) * 2017-07-05 2017-11-17 深圳市卓讯信息技术有限公司 Core design method and its system based on real time monitoring network safety
CN109241734A (en) * 2018-08-10 2019-01-18 航天信息股份有限公司 A kind of securing software operational efficiency optimization method and system
CN111931066B (en) * 2020-09-11 2021-09-07 四川新网银行股份有限公司 Real-time recommendation system design method
CN112069505B (en) * 2020-09-15 2021-11-23 北京微步在线科技有限公司 Audit information processing method and electronic equipment
CN113282458A (en) * 2021-05-25 2021-08-20 挂号网(杭州)科技有限公司 Anti-flash-back method and device for application program, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340275A (en) * 2008-08-27 2009-01-07 深圳华为通信技术有限公司 Data card, data processing and transmitting method
CN101414996A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Firewall and method thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100374972C (en) * 2005-08-03 2008-03-12 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN101567888B (en) * 2008-12-29 2011-12-21 郭世泽 Safety protection method of network feedback host computer

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414996A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Firewall and method thereof
CN101340275A (en) * 2008-08-27 2009-01-07 深圳华为通信技术有限公司 Data card, data processing and transmitting method

Also Published As

Publication number Publication date
WO2011147306A1 (en) 2011-12-01
CA2797880A1 (en) 2011-12-01
CN102263773A (en) 2011-11-30
BR112012028244A2 (en) 2016-08-02
BR112012028244B1 (en) 2022-03-29
CA2797880C (en) 2015-12-08

Similar Documents

Publication Publication Date Title
CN102263773B (en) Real-time protection method and apparatus thereof
US11611586B2 (en) Systems and methods for detecting a suspicious process in an operating system environment using a file honeypots
EP2667314B1 (en) System and method for detection and treatment of malware on data storage devices
EP2839406B1 (en) Detection and prevention of installation of malicious mobile applications
US8578345B1 (en) Malware detection efficacy by identifying installation and uninstallation scenarios
EP3493090B1 (en) Control method and unit of mobile storage devices, and storage medium
US20130067577A1 (en) Malware scanning
EP3113059B1 (en) System and method of preventing installation and execution of undesirable programs
US8667593B1 (en) Methods and apparatuses for protecting against malicious software
US8640233B2 (en) Environmental imaging
CN102508768B (en) Monitoring method and monitoring device
US9740865B2 (en) System and method for configuring antivirus scans
CN105335197A (en) Starting control method and device for application program in terminal
CN105550573A (en) Bundled software interception method and apparatus
EP3831031B1 (en) Listen mode for application operation whitelisting mechanisms
CN114417326A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
CN114722386A (en) U disk transmission monitoring method based on Fanotify mechanism
US9231969B1 (en) Determining file risk based on security reputation of associated objects
CN101114322A (en) Application program filtering method and apparatus for
EP2645293A2 (en) Method and apparatus for controlling operations performed by a mobile computing device
KR20110032449A (en) Apparatus and method for behavior-based detection
CN114969672A (en) Safety protection method, device and system for industrial control host and storage medium
CN117714098A (en) Method, device, router and storage medium for monitoring illegal files
CN116975857A (en) Lesu software detection method, system, equipment and storage medium
CN115168908A (en) File protection method, device, equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20151222

Address after: Floors 5-10, Fiyta Building, South Road, High-Tech Zone, Nanshan District, Shenzhen, Guangdong 518057

Patentee after: Shenzhen Tencent Computer System Co., Ltd.

Address before: Room 403, East Block 2, SEG Science Park, Futian District, Shenzhen, Guangdong 518000

Patentee before: Tencent Technology (Shenzhen) Co., Ltd.