CN102306254A - Method and system for defending viruses or malicious programs - Google Patents


Info

Publication number
CN102306254A
Authority
CN
China
Prior art keywords
virus
malicious program
file
malicious
environment information
Prior art date
Legal status
Granted
Application number
CN201110251373A
Other languages
Chinese (zh)
Other versions
CN102306254B (en
Inventor
禹建文
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Qizhi Software Beijing Co Ltd
Priority to CN201110251373.2A (CN102306254B)
Publication of CN102306254A
Priority to PCT/CN2012/080577 (WO2013029504A1)
Application granted
Publication of CN102306254B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method and a system for defending viruses or malicious programs. The method comprises the following steps that: a server counts the virus or malicious program data of all clients; the virus or malicious program data is analyzed so as to acquire the operating environment information of the viruses or malicious programs; and the clients occupy the operating environment of the viruses or malicious programs in advance according to the operating environment information of the viruses or malicious programs. By the method and the system, the resource overhead of defending the viruses or malicious programs can be saved, so that the system speed is improved.

Description

Method and system for defending virus or malicious program
Technical Field
The invention relates to the technical field of computer security, in particular to a method and a system for defending viruses or malicious programs.
Background
In the field of computers, a Trojan is a type of malicious program. A Trojan horse is covert and starts on its own, is used to carry out programs with malicious behaviour, mostly does not damage the computer directly, and is used mainly to control it.
With the development of virus and malicious program writing techniques, the threat that Trojan programs pose to users keeps growing; in particular, some Trojan programs use very subtle means to conceal themselves, so that an ordinary user finds it hard to notice the infection. A Trojan program may steal passwords or data, monitor others and expose their privacy; for example, an administrator's password may be stolen and used to cause damage, or the network password of a game account, a stock account or even an online banking account may be stolen for other use, in order to pry into others' privacy and obtain economic benefit.
For popular Trojans, the existing general defence method is based mainly on real-time scanning for features, where a feature may be part of the content of the Trojan file or its complete content. When the security software scans a file, if the file matches one of the features, access to the file is refused or the file is deleted outright, which achieves the effect of defending against the popular Trojan.
The existing general defence method can effectively prevent a known Trojan from running on, or being transmitted to, the user's computer, but it requires the security software to run in real time so that every file about to be accessed can be scanned and judged to be a popular Trojan or not; once the user quits the security software for some reason (for example, worrying about false alarms from the security software), the Trojan defence no longer exists. Running the security software in real time consumes a large amount of system resources, which slows the system down, and the hit rate for that consumption is low: most of the files people access are not popular Trojans, yet every one of them still has to go through this feature-matching process.
In summary, one of the technical problems that needs to be urgently solved by those skilled in the art is: how to save the resource overhead of Trojan horse defense so as to improve the system speed.
Disclosure of Invention
The invention aims to provide a method and a system for defending a virus or a malicious program, which can save the resource overhead of defending the virus or the malicious program, thereby improving the system speed.
In order to solve the above problems, the present invention discloses a method for defending against viruses or malicious programs, comprising:
the server side counts virus or malicious program data of all the clients;
analyzing the virus or malicious program data to obtain the running environment information of the virus or malicious program;
and the client pre-occupies the running environment of the virus or the malicious program according to the running environment information of the virus or the malicious program.
Preferably, the virus or malicious program running environment information includes a path to be occupied by the virus or malicious program;
the step of pre-occupying the virus or malicious program running environment comprises the following steps:
preventing data from being written, modified, replaced or deleted at the path to be occupied by the virus or malicious program, and/or preventing the attributes of that path from being written, modified or deleted.
Preferably, the running environment information of the virus or the malicious program comprises a path to be occupied by the virus or the malicious program;
the step of pre-occupying the virus or malicious program running environment comprises the following steps:
according to the running environment information of the virus or the malicious program, a security directory or file with the same directory name or file name as the data of the virus or the malicious program is created under the path to be occupied by the virus or the malicious program, and the security directory or file is prevented from being written, modified, replaced and deleted, and/or the attribute of the security directory or file is prevented from being written, modified or deleted.
Preferably, the step of preventing data from being written, modified, replaced or deleted at the path to be occupied by the virus or malicious program and/or preventing the attributes of that path from being written, modified or deleted includes:
setting the permission of refusing to be written, modified, replaced or deleted for the path to be occupied by the virus or the malicious program; or,
and opening and not closing the handle object of the path to be occupied by the virus or the malicious program.
Preferably, the step of preventing writing, modifying, replacing, deleting and/or writing, modifying or deleting the attributes of the secure directory or file includes:
when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data, setting and selecting the permission of refusing to be written, modified, replaced or deleted; or,
when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data, setting a read-only attribute for the security directory or file; or,
opening and not closing the handle object of the security directory or file.
Preferably, the running environment information of the virus or the malicious program comprises key kernel objects required by the virus or the malicious program;
the step in which the client pre-occupies the running environment of the virus or malicious program according to the running environment information of the virus or malicious program comprises:
the key kernel objects required by the virus or malicious program are created and the corresponding file handle is not closed.
Preferably, the step of creating a key kernel object required by a virus or a malicious program comprises:
when an application programming interface function is called to create a key kernel object required by a virus or a malicious program, a memory block is allocated to the key kernel object required by the virus or the malicious program, and initialization is carried out;
scanning a handle table of the process, initializing a record and placing the record in the handle table;
and returning the index recorded in the handle table to the caller as the file handle of the key kernel object required by the virus or the malicious program.
Preferably, the step of the server side counting virus or malicious program data of all the clients includes:
the server periodically counts virus or malicious program data from the client, counts the virus or malicious program data with the number ranked at the top or the growth speed ranked at the top or the risk ranked at the top or the infectivity ranked at the top, and analyzes the counted virus or malicious program data.
Preferably, the method further comprises:
and when receiving a request for canceling the defense, the client releases the operating environment of the corresponding virus or malicious program which is occupied in advance according to the operating environment information of the virus or malicious program.
Preferably, the step of analyzing the virus or malware data includes:
static analysis is carried out on the binary codes of the viruses or the malicious programs to obtain the running environment information of the viruses or the malicious programs; or,
and running the virus or the malicious program, and observing the dynamic behavior characteristics of the virus or the malicious program to obtain the running environment information of the virus or the malicious program.
On the other hand, the invention also discloses a virus or malicious program defense system, which comprises:
the statistical module is positioned at the server side and used for counting virus or malicious program data of all the clients;
the analysis module is used for analyzing the virus or malicious program data to obtain the running environment information of the virus or malicious program;
and the pre-occupation module is positioned at the client and used for pre-occupying the running environment of the virus or the malicious program according to the running environment information of the virus or the malicious program.
Preferably, the virus or malicious program running environment information includes a path to be occupied by the virus or malicious program;
the pre-emption module comprising:
the first preventing submodule is used for preventing data from being written, modified, replaced and deleted on a path to be occupied by the virus or the malicious program and/or properties of the path to be occupied by the virus or the malicious program from being written, modified or deleted.
Preferably, the running environment information of the virus or the malicious program comprises a path to be occupied by the virus or the malicious program;
the pre-emption module comprising:
the first creating submodule is used for creating, under the path to be occupied by the virus or malicious program and according to the running environment information of the virus or malicious program, a security directory or file with the same directory name or file name as in the virus or malicious program data;
and the second prevention submodule is used for preventing writing, modifying, replacing and deleting the safe directory or the safe file and/or writing, modifying or deleting the attribute of the safe directory or the safe file.
Preferably, the first preventing sub-module is specifically configured to set a permission to refuse to be written, modified, replaced, or deleted for a path to be occupied by a virus or a malicious program; or opening and not closing the handle object of the path to be occupied by the virus or the malicious program.
Preferably, the second prevention submodule includes:
the first setting unit is used for setting and selecting the permission of refusing to be written, modified, replaced or deleted when creating a safe directory or file with the same directory name or file name in the virus or malicious program data; or,
the second setting unit is used for setting a read-only attribute when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data; or,
and the holding unit is used for opening and not closing the handle object of the safe directory or the safe file.
Preferably, the running environment information of the virus or the malicious program comprises key kernel objects required by the virus or the malicious program;
the pre-emption module comprising:
and the second creating submodule is used for creating a key kernel object required by a virus or a malicious program and not closing a corresponding file handle.
Preferably, the second creating sub-module includes:
the allocation unit is used for allocating a memory block to the key kernel object required by the virus or malicious program and initializing it, when the key kernel object is created by calling an application programming interface function;
the scanning unit is used for scanning the handle table of the process, initializing a record and placing the record in the handle table;
and the returning unit is used for returning the index recorded in the handle table to the caller as the file handle of the key kernel object required by the virus or the malicious program.
Preferably, the statistical module is specifically configured to count the virus or malicious program data coming from the clients periodically, and to count the virus or malicious program data whose number, growth rate, risk or infectivity ranks at the top, so that analysis can be performed on the counted virus or malicious program data.
Preferably, the system further comprises:
and the release module is positioned at the client and used for releasing the operating environment of the corresponding virus or malicious program which is occupied in advance according to the operating environment information of the virus or malicious program when receiving the request of canceling the defense.
Preferably, the analysis module includes:
the static analysis submodule is used for carrying out static analysis on the binary code of the virus or the malicious program to obtain the running environment information of the virus or the malicious program; or,
and the dynamic analysis submodule is used for operating the virus or the malicious program and observing the dynamic behavior characteristics of the virus or the malicious program to obtain the operating environment information of the virus or the malicious program.
Compared with the prior art, the invention has the following advantages:
by pre-occupying at the client the running environment information of the virus or malicious program obtained by analysis, the virus or malicious program can be prevented from entering the system and cannot normally complete its attack behaviour; specifically, the paths to be occupied by the virus or malicious program can be pre-occupied and any program refused when it tries to add files to those paths, so that the virus or malicious program is blocked from entering the system; or, based on the behaviour characteristics of the virus or malicious program, the key kernel objects it requires while working are pre-occupied, so that it cannot normally complete the attack behaviour.
The prior-art method for defending against viruses or malicious programs requires the security software to perform real-time feature scanning on every running program, and that real-time scanning consumes a large amount of system resources, so the system speed drops; the invention only needs to pre-occupy, once, the path to be occupied by the virus or malicious program or the key kernel object it requires, and places little demand on system resources: the empty path to be occupied hardly takes any disk space, and the key kernel object needs only a little memory. In short, because the invention does not need to perform real-time feature scanning on every running program, a large amount of disk I/O and CPU consumption is avoided, which improves the system speed.
In addition, the server end can also count the virus or malicious program data from the client end periodically, and count the virus or malicious program data with the number ranked at the top or the growth speed ranked at the top or the risk ranked at the top or the infectivity ranked at the top, so as to analyze the counted virus or malicious program data; due to the fact that the data statistics can find new popular viruses or malicious programs in time, after the analyzed defense information is updated, attacks of the viruses or the malicious programs can be defended, and corresponding defense can be conducted in time along with characteristic changes of the viruses or the malicious programs.
Drawings
FIG. 1 is a flow chart of an embodiment of a method for defending against a virus or malicious program according to the present invention;
FIG. 2 is a block diagram of an embodiment of a virus or malicious program defense system according to the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
One of the core ideas of the embodiment of the invention is that the running environment information of the virus or the malicious program obtained by analysis is pre-occupied at the client, so that the virus or the malicious program can be prevented from entering the system, and the virus or the malicious program can not normally complete the attack behavior.
Referring to fig. 1, a flowchart of an embodiment of a method for defending against a virus or a malicious program according to the present invention is shown, and specifically may include:
step 101, a server side counts virus or malicious program data of all clients;
the invention is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, distributed computing environments that include any of the above systems or devices, and the like.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
Through a great deal of analysis and research, the inventor of the patent summarizes the characteristics of the running environment information of the following viruses or malicious programs:
One, the path to be occupied by a virus or malicious program
Viruses or malicious programs usually spread in some way. Taking a Trojan as an example, after entering the user's computer through channels such as weak passwords or software vulnerabilities, software downloads or files transferred over chat software, the Trojan often copies itself to a specific path in order to keep working. This particular path is regular: it is typically a path that holds many files (e.g. C:\WINDOWS\system32) or a deeply nested path (e.g. C:\Program Files\Common Files), and it is therefore fixed in the code before the Trojan is released, so as to avoid discovery by an ordinary user. For long-term, continuous operation, such Trojans usually wait for information that is useful to them to appear before beginning their actual work.
Two, the key kernel objects required by a virus or malicious program
Some viruses or malicious programs run only once and do not need to run again after the computer restarts. Such viruses or malicious programs do not copy themselves to a particular path but simply execute themselves. They are often destructive, for example modifying the user's browser home page; or they wait for an upcoming event (e.g. a game login, online shopping, an online payment) before launching an attack.
The inventor found that when a virus or malicious program runs, besides its own memory data it needs to access kernel objects of the system such as the registry, process objects and window objects. These kernel objects are usually indispensable to the operation of the virus or malicious program, because unlike an ordinary application program it completes its function on its own: a virus or malicious program that needs to modify the system has to access the registry, and one that needs to steal an account has to access kernel objects such as the game process.
In the embodiment of the present invention, the main purpose of server side statistics is to see which virus or malicious program data conform to the characteristics of the operating environment information of the virus or malicious program, so that the technical scheme of the present invention is adopted to defend the virus or malicious program data.
In practical application, the server may collect the virus or malicious program data to be analyzed itself, or obtain it from the clients. For example, when a Trojan is scanned and removed by cloud scanning, the client may send key information about the Trojan (such as content features) to the server, and the server compares the received virus or malicious program data to obtain a judgement: whether this file is a Trojan. For unknown files whose key information cannot be obtained, the client may upload the file wholly or partly to the server, and the server invokes a series of identification methods to judge whether the file is a Trojan. The server can therefore periodically count the virus or malicious program data found by cloud scanning; the statistical period can be set by a person skilled in the art according to actual conditions, for example one day, two hours, one hour, half an hour or less, and the invention does not limit the specific analysis period.
step 102, analyzing the virus or malicious program data to obtain the running environment information of the virus or malicious program;
the analysis is mainly a process of extracting the running environment information of the virus or the malicious program from the virus or the malicious program data.
In a preferred embodiment of the invention, the analyzing may comprise:
and statically analyzing the binary codes of the virus or the malicious program to obtain the running environment information of the virus or the malicious program.
In a specific implementation, the path to be occupied by the corresponding virus or malicious program can be obtained by analyzing the virus or malicious program data. For example, for a Trojan loaded in a web page (hereinafter abbreviated as a web-page Trojan), most web pages are developed with the JavaScript (abbreviated js) or VBScript (abbreviated vbs) scripting language; analysis technology for js web-page Trojans is already mature, while for vbs web-page Trojans a vbs code sample of the Trojan can be obtained in advance and treated as an ordinary character string, and string features extracted from the vbs code sample are used to identify the vbs web-page Trojan and so obtain the corresponding Trojan path.
In another preferred embodiment of the present invention, the analyzing may further include:
and running the virus or the malicious program, and observing the dynamic behavior characteristics of the virus or the malicious program to obtain the running environment information of the virus or the malicious program.
In a specific implementation, a specific sample of a Trojan horse can be analyzed to study the attack process of the Trojan horse, and then a kernel object required by the Trojan horse can be obtained. For example, for a Trojan horse attacking a browser, a corresponding browser process can be found, and a related window is opened; thus, the browser process and window are the kernel objects needed to attack the browser's trojan.
The analysis may be performed by the server or the client, which is not limited in the present invention. And after analyzing the data of the virus or the malicious program to obtain the path to be occupied by the virus or the malicious program and the running environment information of various virus or malicious programs such as a key kernel object required by the virus or the malicious program, respectively establishing a corresponding list. For the case of periodic analyses, the list resulting from each analysis should also be updated.
step 103, the client pre-occupies the running environment of the virus or malicious program according to the running environment information of the virus or malicious program.
Pre-occupying the running environment of the virus or malicious program at the client prevents the virus or malicious program from entering the system, so that it cannot normally complete its attack behaviour.
In a preferred embodiment of the present invention, the virus or malicious program running environment information may include a path to be occupied by the virus or malicious program;
accordingly, the step 102 may further include:
preventing data from being written, modified, replaced or deleted at the path to be occupied by the virus or malicious program, and/or preventing the attributes of that path from being written, modified or deleted.
Preventing data from being written to the path to be occupied by the virus or malicious program, and preventing that path from being modified, replaced or deleted, blocks the virus or malicious program from entering the system, so that it cannot normally complete its attack behaviour.
In another preferred embodiment of the present invention, the running environment information of the virus or malicious program includes a path to be occupied by the virus or malicious program;
the step of pre-occupying the virus or malicious program execution environment may further include:
according to the running environment information of the virus or the malicious program, a security directory or file with the same directory name or file name as the data of the virus or the malicious program is created under the path to be occupied by the virus or the malicious program, and the security directory or file is prevented from being written, modified, replaced and deleted, and/or the attribute of the security directory or file is prevented from being written, modified or deleted.
Assuming that one path in the list of paths to be occupied by the virus or malicious program is C:\WINDOWS\system32, although the whole directory corresponding to that path cannot be restricted as a whole, an empty directory or empty file can be created in advance with the file name the Trojan commonly uses, such as 1.exe. The empty directory or file is a security directory or file because it pre-occupies the working path of the virus or malicious program and is protected against being written, modified, replaced or deleted and/or against its attributes being written, modified or deleted.
In a specific implementation, as to how to prevent data from being written, modified, replaced, and deleted on a path to be occupied by a virus or a malicious program and/or data from being written, modified, or deleted on an attribute of the path to be occupied by the virus or the malicious program, the present invention may provide the following scheme:
Scheme one, setting the permission of refusing to be written, modified, replaced or deleted for the path to be occupied by the virus or malicious program.
in order to prevent unauthorized users from accessing the empty directory or the empty file, corresponding rights may be set for the empty directory or the empty file.
In practice, on Windows or Linux operating systems the permission denying access to a file or directory can be added by calling an API (Application Programming Interface). Here, denying access means denying every user access in every mode; the access rights may further include reading, executing, deleting, modifying and so on, where reading refers to displaying the content of the file, and if the file is a shell script or program it may be executed. Thus, because every user is denied access to the empty directory C:\WINDOWS\system32\1.exe, any program is refused when it tries to add files to the empty directory, which blocks the virus or malicious program from entering the system.
Scheme two, exclusive file objects.
Specifically, the handle object of the path to be taken by the virus or malicious program is opened and not closed.
An exclusive file object is a handle object that creates a file or directory, but does not close the file or directory, so that other programs can no longer use the file path.
In the process of reading and writing a file, to read data from the file an application program first calls an operating system function and passes the file name and the path to the file in order to open it. The function returns a sequence number, the file handle, which is the unique identifier of the open file. To read a block of data from the file, the application program calls the function ReadFile and passes the file handle, the address in memory and the number of bytes to be copied to the operating system. When the task is completed, the file is closed by calling a system function. In short, as long as the handle object of the directory is not closed, other programs can no longer use the file, thereby blocking viruses or malicious programs from entering the system. Since the function of the handle object when reading and writing a directory is similar to that when reading and writing a file, the description is omitted here and the two can be referred to each other.
Since the scheme of setting the access-denial right and the scheme of monopolizing the file object each have their own characteristics and applicability, in practice a person skilled in the art can adopt either according to actual needs. For example, the scheme of setting the access-denial right does not require the security software to run all the time, that is, after the security software exits the scheme can still effectively defend against viruses or malicious programs, while the scheme of exclusive file objects requires that the security software be running at all times. For another example, the scheme of setting the access-denial permission requires an NTFS (New Technology File System) partition, while on a FAT32 (File Allocation Table 32) partition only the scheme of exclusive file objects can be adopted.
In a preferred embodiment of the present invention, the step of preventing writing, modifying, replacing, deleting and/or writing, modifying or deleting the attribute of the secure directory or file may further include:
when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data, setting and selecting the permission of refusing to be written, modified, replaced or deleted; or,
when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data, setting a read-only attribute for the security directory or file; or,
opening and not closing the handle object of the secure directory or file.
Of course, besides the above two schemes, those skilled in the art may also adopt other prevention schemes according to actual needs, for example, setting the attribute of the file or path to be read only, and the invention does not limit the specific prevention scheme.
In summary, the purpose of the present invention is to pre-occupy, based on the analyzed paths to be occupied by the virus or the malicious program, those paths, and to refuse any program permission to add files to them, thereby blocking the virus or the malicious program from entering the system. It should be noted that, since the pre-occupied path is an empty directory or an empty file with no actual content, it cannot be mistaken for the virus or the malicious program by other security software.
In another preferred embodiment of the present invention, the virus or malicious program running environment information may include key kernel objects required by the virus or malicious program;
accordingly, the step 103 may further include:
the key kernel objects required by the virus or malicious program are created and the corresponding file handle is not closed.
A kernel object is a memory block allocated by the operating system; the memory block is a data structure in which the system manages various information. When an application program interacts with system equipment, a kernel object is used; for safety reasons, processes cannot access the kernel object directly, and the operating system provides corresponding functions for accessing it.
For example, a Windows system includes several types of kernel objects, such as access token objects, event objects, file mapping objects, I/O completion port objects, job objects, mailslot objects, mutex objects, pipe objects, process objects, semaphore objects, thread objects and waitable timer objects, among others. In practice they often need to be created, opened and manipulated.
These kernel objects are created by calling functions. For example, the CreateFileMapping function causes the system to create a file mapping object. When a kernel object is created with CreateFileMapping, the kernel allocates a memory block for the object and initializes it, then scans the handle table of the process, initializes a record and places it in the handle table, and returns the index of that record in the handle table to the caller as the file handle of the key kernel object required by the virus or the malicious program.
The handle table is a table assigned to each process when it is initialized. It is used to store the handles of kernel objects, and each entry holds three items: a kernel object handle, the kernel object handle address, and an access mask flag.
Since the data structures of kernel objects can only be accessed by the kernel, applications cannot find these data structures in memory and directly change their contents, and for this reason, Windows provides a set of functions through which to access kernel objects. When a function for creating a kernel object is called, the function returns a file handle identifying the object.
Therefore, if the key kernel object required by the virus or the malicious program can always be held, that is, the corresponding file handle is kept open, the virus or the malicious program will fail when it tries to create the key kernel object it requires, so that it can be prevented from entering the system. In implementation, in order not to disturb the normal operation of ordinary programs, a key kernel object used specifically by the virus or the malicious program should be selected as far as possible, rather than a kernel object accessed by ordinary programs.
In a word, the method is based on the behavior characteristics of the virus or the malicious program, and pre-occupies the key kernel object required by the operation of the popular virus or the malicious program, so that the virus or the malicious program cannot normally complete the attack behavior. It should be noted that, since the key kernel object is not generally a standard for determining a virus or a malicious program, the key kernel object is not mistaken for the virus or the malicious program by other security software.
In the prior-art method for defending against viruses or malicious programs, security software must perform real-time feature scanning on every running program, and real-time feature scanning consumes a large amount of system resources, so the system slows down. The invention only needs to pre-occupy, once, the path to be occupied by the virus or the malicious program or the key kernel object it requires, and places a small resource demand on the system: the empty placeholder at the path to be occupied by the virus or malicious program takes hardly any disk space, and the key kernel object required by the virus or malicious program needs only a little memory; in short, because the invention does not need to carry out real-time feature scanning on every running program, a large amount of disk I/O (Input/Output) and CPU consumption can be avoided, thereby improving the system speed.
It can be understood that, when receiving a request for canceling defense, the client may also release the operating environment of the pre-occupied corresponding virus or malicious program according to the information of the operating environment of the virus or malicious program.
The step of releasing the pre-occupied corresponding virus or malicious program operating environment may specifically include:
1. For the scheme of setting the permission to refuse writing, modifying, replacing or deleting on the path to be occupied by the virus or the malicious program, the corresponding permission is removed in driver mode;
since directories or files to which the permission has been added cannot be deleted by other programs, nor by the security software's own processes, they must be deleted in driver mode, bypassing the system's permission check.
2. For a scheme that monopolizes a file object, the empty directory or handle object for the empty file may be closed directly.
3. For the scheme of kernel objects, the file handle of the created key kernel object is directly closed.
For example, no matter how a process creates a kernel object, when the object is no longer needed the end of access to it should be declared to the operating system by calling CloseHandle(HANDLE hObj).
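As an added example (not code from the patent), the following Python carries scheme one and the release step through on a POSIX system: each analysed path gets an empty placeholder created atomically, every permission bit is stripped as the assumed stand-in for the NTFS deny-ACL set through the Windows API, an integrity check flags tampering, and release restores access before deleting. The path list is constructed after the C:\WINDOWS\system32\1.exe example; the exclusive-handle and kernel-object schemes are Windows-specific and are not shown.

```python
"""POSIX analogue of the patent's scheme one: pre-occupy analysed paths with
empty, access-denied placeholders, check them, and release them. Stripping
every permission bit with chmod stands in (by assumption) for the Windows
NTFS deny-ACL the patent describes. Constructed example, not the patent's code."""
import os
import stat
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Placeholder:
    path: Path
    is_dir: bool


class PathAlreadyPresent(Exception):
    """Something already exists at a path we meant to pre-occupy."""


def preoccupy(path, is_dir=False):
    """Create an empty placeholder at `path` and deny all access to it.

    O_EXCL (or mkdir) makes creation atomic: an existing entry is never
    overwritten. A collision is worth reporting, since a real file at a
    path known to be used by malware may be the malware itself.
    """
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    try:
        if is_dir:
            os.mkdir(p)
        else:
            os.close(os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o000))
    except FileExistsError as exc:
        raise PathAlreadyPresent(str(p)) from exc
    os.chmod(p, 0o000)  # deny read, write and execute to everyone
    return Placeholder(p, is_dir)


def preoccupy_all(root, analysed_paths):
    """Pre-occupy every (relative_path, is_dir) pair under `root`;
    return (placeholders, collisions)."""
    placeholders, collisions = [], []
    for rel, is_dir in analysed_paths:
        target = Path(root) / rel
        try:
            placeholders.append(preoccupy(target, is_dir))
        except PathAlreadyPresent:
            collisions.append(str(target))
    return placeholders, collisions


def check(placeholder):
    """True if the placeholder is intact: present, empty, no permission bits.
    For a directory the owner briefly re-enables its own access to list it."""
    p = placeholder.path
    try:
        st = os.lstat(p)
    except FileNotFoundError:
        return False
    if stat.S_IMODE(st.st_mode) != 0:
        return False  # someone re-enabled access: tampering
    if not placeholder.is_dir:
        return stat.S_ISREG(st.st_mode) and st.st_size == 0
    if not stat.S_ISDIR(st.st_mode):
        return False
    os.chmod(p, 0o700)
    try:
        return not os.listdir(p)
    finally:
        os.chmod(p, 0o000)


def release(placeholder):
    """Undo preoccupy(): restore owner access, then remove the placeholder.
    As in the patent's release step, the deny permission must come off before
    even the security software itself can delete the object."""
    p = placeholder.path
    if not p.is_symlink() and not p.exists():
        return False
    os.chmod(p, 0o700)
    if placeholder.is_dir:
        os.rmdir(p)
    else:
        os.unlink(p)
    return True


if __name__ == "__main__":
    import tempfile
    # Constructed analysed-path list, modelled on the patent's
    # C:\WINDOWS\system32\1.exe example, placed under a scratch root.
    analysed = [("WINDOWS/system32/1.exe", False), ("WINDOWS/system32/drop", True)]
    with tempfile.TemporaryDirectory() as root:
        held, clashes = preoccupy_all(root, analysed)
        print("held:", [str(h.path) for h in held], "collisions:", clashes)
        print("all intact:", all(check(h) for h in held))
        for h in held:
            release(h)
```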
The features of viruses or malicious programs change quickly, and the feature library of the security software must be updated promptly and frequently to follow those changes. For example, some viruses or malicious programs have highly variable features precisely in order to evade the feature scanning of security software.
In a preferred embodiment of the present invention, in order to protect against viruses or malicious programs more timely, before analyzing the virus or malicious program data, the method may further include:
the server periodically counts virus or malicious program data from the client, counts the virus or malicious program data with the number ranked at the top or the growth speed ranked at the top or the risk ranked at the top or the infectivity ranked at the top, and analyzes the counted virus or malicious program data.
Because the data statistics can discover newly popular viruses or malicious programs in time, once the analyzed defense information has been updated to the client their attacks can be defended against, the corresponding defense can be kept up to date as the features of the viruses or malicious programs change, and the prior-art operation of analyzing, locating and extracting features from a plurality of samples is avoided.
Corresponding to the foregoing method embodiment, the present invention further discloses a defense system for viruses or malicious programs, and with reference to fig. 2, the defense system specifically may include:
the statistical module 201 is located at the server side and used for counting virus or malicious program data of all the clients;
the analysis module 202 is configured to analyze the virus or malicious program data to obtain operating environment information of the virus or malicious program;
and the pre-occupation module 203 is located at the client and is used for pre-occupying the running environment of the virus or the malicious program according to the running environment information of the virus or the malicious program.
In a preferred embodiment of the present invention, the virus or malicious program running environment information may further include a path to be occupied by the virus or malicious program;
accordingly, the pre-occupancy module 203 may include:
the first preventing submodule is used for preventing data from being written, modified, replaced and deleted on a path to be occupied by the virus or the malicious program and/or properties of the path to be occupied by the virus or the malicious program from being written, modified or deleted.
In the embodiment of the present invention, it is preferable that the first preventing sub-module is specifically configured to set an authority to refuse to be written, modified, replaced, or deleted for a path to be occupied by a virus or a malicious program; or opening and not closing the handle object of the path to be occupied by the virus or the malicious program.
In another preferred embodiment of the present invention, the running environment information of the virus or malicious program may include a path to be occupied by the virus or malicious program;
accordingly, the pre-occupation module 203 may further include:
the first creating submodule is used for creating a security directory or file which is the same as a directory name or a file name in virus or malicious program data under a path to be occupied by the virus or malicious program according to the running environment information of the virus or malicious program;
and the second prevention submodule is used for preventing writing, modifying, replacing and deleting the safe directory or the safe file and/or writing, modifying or deleting the attribute of the safe directory or the safe file.
In the embodiment of the present invention, preferably, the second prevention submodule may further include:
the first setting unit is used for setting and selecting the permission of refusing to be written, modified, replaced or deleted when creating a safe directory or file with the same directory name or file name in the virus or malicious program data; or,
the second setting unit is used for setting a read-only attribute when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data; or,
and the holding unit is used for opening and not closing the handle object of the safe directory or the safe file.
In a further preferred embodiment of the present invention, the running environment information of the virus or malicious program may include key kernel objects required by the virus or malicious program;
at this time, the pre-occupation module 203 may further include:
and the second creating submodule is used for creating a key kernel object required by a virus or a malicious program and not closing a corresponding file handle.
In the embodiment of the present invention, preferably, the second creating sub-module may further include:
the allocation unit is used for allocating a memory block to a key kernel object required by a virus or a malicious program and initializing the memory block when the key kernel object required by the virus or the malicious program is created by calling an application programming interface function;
the scanning unit is used for scanning the handle table of the process, initializing a record and placing the record in the handle table;
and the returning unit is used for returning the index recorded in the handle table to the caller as the file handle of the key kernel object required by the virus or the malicious program.
In a preferred embodiment of the present invention, the statistics module 201 may be specifically configured to periodically perform statistics on virus or malicious program data from the client, and count the virus or malicious program data with a top number, a top growth rate, a top risk, or a top infectivity, so as to perform analysis on the counted virus or malicious program data.
In another preferred embodiment of the present invention, the system may further include:
and the release module is positioned at the client and used for releasing the operating environment of the corresponding virus or malicious program which is occupied in advance according to the operating environment information of the virus or malicious program when receiving the request of canceling the defense.
In yet another preferred embodiment of the present invention, the analysis module 202 may further include:
the static analysis submodule is used for carrying out static analysis on the binary code of the virus or the malicious program to obtain the running environment information of the virus or the malicious program; or,
and the dynamic analysis submodule is used for operating the virus or the malicious program and observing the dynamic behavior characteristics of the virus or the malicious program to obtain the operating environment information of the virus or the malicious program.
For the system embodiment, since it is basically similar to the method embodiment, it is described only briefly; for the relevant points, refer to the corresponding description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The method and the system for defending against viruses or malicious programs provided by the invention have been introduced in detail above, and the principle and the implementation of the invention have been explained with specific examples; the description of the embodiments is only intended to help understand the method and the core idea of the invention. At the same time, a person skilled in the art may, according to the idea of the present invention, vary the specific embodiments and the application scope; in summary, the content of the present specification should not be construed as limiting the present invention.

Claims (20)

1. A method for defending against a virus or a malicious program, comprising:
the server side counts virus or malicious program data of all the clients;
analyzing the virus or malicious program data to obtain the running environment information of the virus or malicious program;
and the client pre-occupies the running environment of the virus or the malicious program according to the running environment information of the virus or the malicious program.
2. The method of claim 1, wherein the virus or malware execution environment information includes a path to be taken by a virus or malware;
the step of pre-occupying the virus or malicious program running environment comprises the following steps:
preventing data from being written, modified, replaced or deleted on the path to be occupied by the virus or the malicious program and/or preventing the attribute of the path to be occupied by the virus or the malicious program from being written, modified or deleted.
3. The method of claim 1, wherein the operating environment information of the virus or malicious program comprises a path to be taken by the virus or malicious program;
the step of pre-occupying the virus or malicious program running environment comprises the following steps:
according to the running environment information of the virus or the malicious program, a security directory or file with the same directory name or file name as the data of the virus or the malicious program is created under the path to be occupied by the virus or the malicious program, and the security directory or file is prevented from being written, modified, replaced and deleted, and/or the attribute of the security directory or file is prevented from being written, modified or deleted.
4. The method as claimed in claim 2, wherein the step of preventing writing, modifying, replacing, deleting of data and/or writing, modifying or deleting of attributes of the path to be taken by the virus or malicious program comprises:
setting the permission of refusing to be written, modified, replaced or deleted for the path to be occupied by the virus or the malicious program; or,
and opening and not closing the handle object of the path to be occupied by the virus or the malicious program.
5. The method of claim 3, wherein the step of preventing writing, modifying, replacing, deleting of the secure directory or file and/or writing, modifying or deleting of the attributes of the secure directory or file comprises:
when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data, setting and selecting the permission of refusing to be written, modified, replaced or deleted; or,
when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data, setting a read-only attribute for the security directory or file; or,
opening and not closing the handle object of the secure directory or file.
6. The method of claim 1, wherein the runtime environment information of the virus or malware includes key kernel objects required by the virus or malware;
the step of the client pre-occupying the running environment of the virus or the malicious program according to the running environment information of the virus or the malicious program comprises:
the key kernel objects required by the virus or malicious program are created and the corresponding file handle is not closed.
7. The method of claim 6, wherein the step of creating a critical kernel object required by a virus or malware comprises:
when an application programming interface function is called to create a key kernel object required by a virus or a malicious program, a memory block is allocated to the key kernel object required by the virus or the malicious program, and initialization is carried out;
scanning a handle table of the process, initializing a record and placing the record in the handle table;
and returning the index recorded in the handle table to the caller as the file handle of the key kernel object required by the virus or the malicious program.
8. The method of claim 1, wherein the step of the server side counting virus or malware data of all clients comprises:
the server periodically counts virus or malicious program data from the client, counts the virus or malicious program data with the number ranked at the top or the growth speed ranked at the top or the risk ranked at the top or the infectivity ranked at the top, and analyzes the counted virus or malicious program data.
9. The method of claim 1, further comprising:
and when receiving a request for canceling the defense, the client releases the operating environment of the corresponding virus or malicious program which is occupied in advance according to the operating environment information of the virus or malicious program.
10. The method of claim 1, wherein the step of analyzing the virus or malware data comprises:
static analysis is carried out on the binary codes of the viruses or the malicious programs to obtain the running environment information of the viruses or the malicious programs; or,
and running the virus or the malicious program, and observing the dynamic behavior characteristics of the virus or the malicious program to obtain the running environment information of the virus or the malicious program.
11. A system for defending against viruses or malicious programs, comprising:
the statistical module is positioned at the server side and used for counting virus or malicious program data of all the clients;
the analysis module is used for analyzing the virus or malicious program data to obtain the running environment information of the virus or malicious program;
and the pre-occupation module is positioned at the client and used for pre-occupying the running environment of the virus or the malicious program according to the running environment information of the virus or the malicious program.
12. The system of claim 11, wherein the virus or malware execution environment information includes a path to be taken by the virus or malware;
the pre-emption module comprising:
the first preventing submodule is used for preventing data from being written, modified, replaced and deleted on a path to be occupied by the virus or the malicious program and/or properties of the path to be occupied by the virus or the malicious program from being written, modified or deleted.
13. The system of claim 11, wherein the operating environment information of the virus or malware includes a path to be taken by the virus or malware;
the pre-emption module comprising:
the first creating submodule is used for creating a security directory or file which is the same as a directory name or a file name in virus or malicious program data under a path to be occupied by the virus or malicious program according to the running environment information of the virus or malicious program;
and the second prevention submodule is used for preventing writing, modifying, replacing and deleting the safe directory or the safe file and/or writing, modifying or deleting the attribute of the safe directory or the safe file.
14. The system according to claim 12, wherein the first preventing submodule is specifically configured to set a permission to deny the path to be taken by a virus or a malicious program from being written, modified, replaced, or deleted; or opening and not closing the handle object of the path to be occupied by the virus or the malicious program.
15. The system of claim 13, wherein the second prevention submodule comprises:
the first setting unit is used for setting and selecting the permission of refusing to be written, modified, replaced or deleted when creating a safe directory or file with the same directory name or file name in the virus or malicious program data; or,
the second setting unit is used for setting a read-only attribute when creating a security directory or file with the same directory name or file name as those in the virus or malicious program data; or,
and the holding unit is used for opening and not closing the handle object of the safe directory or the safe file.
16. The system of claim 11, wherein the runtime environment information of the virus or malware includes key kernel objects required by the virus or malware;
the pre-emption module comprising:
and the second creating submodule is used for creating a key kernel object required by a virus or a malicious program and not closing a corresponding file handle.
17. The system of claim 16, wherein the second creation submodule comprises:
the allocation unit is used for allocating a memory block to a key kernel object required by a virus or a malicious program and initializing the memory block when the key kernel object required by the virus or the malicious program is created by calling an application programming interface function;
the scanning unit is used for scanning the handle table of the process, initializing a record and placing the record in the handle table;
and the returning unit is used for returning the index recorded in the handle table to the caller as the file handle of the key kernel object required by the virus or the malicious program.
18. The system according to claim 11, wherein the statistics module is specifically configured to periodically perform statistics on virus or malicious program data from the client, and perform an analysis operation on the counted virus or malicious program data by counting the virus or malicious program data that is ranked at a top number or a top growth rate or a top risk or a top infectivity of the client.
19. The system of claim 11, further comprising:
and the release module is positioned at the client and used for releasing the operating environment of the corresponding virus or malicious program which is occupied in advance according to the operating environment information of the virus or malicious program when receiving the request of canceling the defense.
20. The method of claim 1, wherein the analysis module comprises:
the static analysis submodule is used for carrying out static analysis on the binary code of the virus or the malicious program to obtain the running environment information of the virus or the malicious program; or,
and the dynamic analysis submodule is used for operating the virus or the malicious program and observing the dynamic behavior characteristics of the virus or the malicious program to obtain the operating environment information of the virus or the malicious program.
CN201110251373.2A 2011-08-29 2011-08-29 A kind of virus or the defence method of rogue program and system Active CN102306254B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110251373.2A CN102306254B (en) 2011-08-29 A kind of virus or the defence method of rogue program and system
PCT/CN2012/080577 WO2013029504A1 (en) 2011-08-29 2012-08-24 Method and system of defense of viruses or malicious programs

Publications (2)

Publication Number Publication Date
CN102306254A true CN102306254A (en) 2012-01-04
CN102306254B CN102306254B (en) 2016-12-14

Also Published As

Publication number Publication date
WO2013029504A1 (en) 2013-03-07

Similar Documents

Publication Publication Date Title
Or-Meir et al. Dynamic malware analysis in the modern era—A state of the art survey
EP3123311B1 (en) Malicious code protection for computer systems based on process modification
Lanzi et al. K-Tracer: A System for Extracting Kernel Malware Behavior.
Ntantogian et al. Evaluating the privacy of Android mobile applications under forensic analysis
Fattori et al. Hypervisor-based malware protection with accessminer
CN107949846A (en) The detection of malice thread suspension
Shan et al. Safe side effects commitment for OS-level virtualization
US9038161B2 (en) Exploit nonspecific host intrusion prevention/detection methods and systems and smart filters therefor
KR101223594B1 (en) A realtime operational information backup method by dectecting LKM rootkit and the recording medium thereof
Pektaş et al. A dynamic malware analyzer against virtual machine aware malicious software
Alfalqi et al. Android platform malware analysis
Shan et al. Enforcing mandatory access control in commodity OS to disable malware
Lebbie et al. Comparative analysis of dynamic malware analysis tools
RU2460133C1 (en) System and method of protecting computer applications
Bottazzi et al. Preventing ransomware attacks through file system filter drivers
Neugschwandtner et al. dAnubis – Dynamic Device Driver Analysis Based on Virtual Machine Introspection
Petkovic et al. A host based method for data leak protection by tracking sensitive data flow
Zdzichowski et al. Anti-forensic study
Parida et al. PageDumper: a mechanism to collect page table manipulation information at run-time
CN102306254B (en) A kind of virus or the defence method of rogue program and system
Yan et al. MOSKG: countering kernel rootkits with a secure paging mechanism
Kim et al. LoGos: Internet‐Explorer‐Based Malicious Webpage Detection
CN102306254A (en) Method and system for defending viruses or malicious programs
Daghmehchi Firoozjaei et al. Parent process termination: an adversarial technique for persistent malware
Jin et al. System log-based android root state detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20160928

Address after: Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing 100088 (Desheng Park)

Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Applicant after: Qizhi software (Beijing) Co.,Ltd.

Address before: Unit on floor 4, Building C, No. 14 Jiuxianqiao Road, Chaoyang District, Beijing 100025

Applicant before: Qizhi software (Beijing) Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing 100088 (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing 100088 (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220331

Address after: 1773, floor 17, floor 15, building 3, No. 10, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: 360 Digital Security Technology Group Co.,Ltd.

Address before: Room 112, Block D, 28 Xinjiekouwai Street, Xicheng District, Beijing 100088 (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right