CN102629310A - System and method for protecting computer system from being infringed by activities of malicious objects - Google Patents

Info

Publication number: CN102629310A
Authority: CN (China)
Prior art keywords: file, malicious objects, registry, event, malicious
Legal status: Pending
Application number: CN201210050079XA
Other languages: Chinese (zh)
Inventors: 米哈伊尔·A·帕夫柳席奇卡, 弗拉季斯拉夫·V·马蒂嫩科, 尤里·G·斯洛博迪亚努克
Current assignee: Kaspersky Lab AO
Original assignee: Kaspersky Lab AO
Application filed by Kaspersky Lab AO
Later application claiming priority to this one: CN201710150404.2A (published as CN107103238A)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a system, a method and a computer program product for protecting a computer system from the activity of malicious objects. The method comprises: monitoring execution events of one or more processes on the computer; identifying among the monitored events the auditable events, which include file creation, modification or deletion events, system registry modification events, and network access events performed by processes on the computer; recording the identified auditable events in separate file, registry and network event logs; performing a malware check of one or more software objects on the computer; if an object is determined to be malicious, identifying from the file, registry and network event logs the events associated with that object; rolling back the file events associated with the malicious object; rolling back the registry events associated with the malicious object; and terminating the network connections associated with the malicious object.

Description

System and method for protecting a computer system from the activity of malicious objects
Technical field
The present disclosure relates generally to the field of computer security and, more specifically, to systems, methods and computer program products for protecting a computer system from the file, registry, system and network activity of malicious objects.
Background
Computer technology has reached a very high level of development. As it advances, the volume of digital data grows at an ever faster pace. At the same time, digital data is vulnerable and must be protected from malicious objects such as viruses, Trojan horses, worms, spyware and other types of malware.
Anti-virus systems are used to protect information from malware; their basic task is to stop the harmful activity of malicious objects. There are situations, however, in which an anti-virus system cannot stop malicious activity in a timely manner. This happens, for example, when new malware appears that the available detection methods of the anti-virus system cannot detect, because the system knows nothing about it. Another possibility is that the malware exploits a weakness of the operating system, or of the anti-virus system itself, to bypass the anti-virus system.
Malware that has penetrated a computer system can exhibit different types of malicious activity: file activity, registry activity, system activity and network activity. During malicious file activity, a malicious object can perform various operations on files, such as deleting or modifying them or creating new files. Malicious registry activity typically consists of creating, modifying or deleting registry parameters and values. Many cases of registry activity are well known; for example, a malicious object may change registry parameters so that the malware is launched automatically (auto-launch) when the operating system loads. Malicious system activity can occur when malware starts or stops processes in the computer system, or when it starts new execution threads in system or application processes. Malicious network activity typically consists of the malicious object creating new network connections.
Using these malicious activities, malware can penetrate a computer system and obtain the data stored on it. There is therefore a need to detect malicious activity and to recover the data that malicious activity has damaged, modified or removed.
Summary of the invention
Disclosed herein are systems, methods and computer program products for protecting a computer from the file, registry, system and network activity of malicious objects. In one exemplary embodiment, the system comprises an anti-virus database containing information about known malicious objects, and an auditable event database containing a list of auditable events, which include at least file creation, modification or deletion events, system registry creation, modification or deletion events, and network access events performed by processes executing on the computer. The system also comprises a data collection module operable to monitor the execution events of one or more processes on the computer, to identify auditable events among the monitored events based on the list of auditable events in the auditable event database, and to record the identified auditable events in separate file, registry and network event logs held in memory.
The system also comprises an anti-virus module configured to perform a malware check of one or more software objects on the computer using the information about known malicious objects in the anti-virus database. If an object is determined to be malicious, the anti-virus module identifies from the network event log one or more network events associated with that malicious object and terminates one or more network connections established by it. The system also comprises a recovery module configured, if an object is determined to be malicious, to identify from the file and registry event logs one or more file and registry events associated with the malicious object, and to perform a rollback of the file and registry events associated with it.
In one exemplary embodiment, the method for protecting a computer from malware comprises: monitoring the execution events of one or more processes on the computer; identifying auditable events among the monitored events, where auditable events include file creation, modification or deletion events, system registry creation, modification or deletion events, and network access events performed by processes executing on the computer; recording the identified auditable events in separate file, registry and network event logs; performing a malware check of one or more software objects on the computer; if an object is determined to be malicious, identifying from the file, registry and network event logs the events associated with that malicious object; rolling back the file events associated with the malicious object; rolling back the registry events associated with the malicious object; and terminating the network connections associated with the malicious object.
The above simplified summary of exemplary embodiments serves to provide a basic understanding of the invention. This summary is not an extensive overview of all contemplated aspects, and is intended neither to identify key or critical elements of all embodiments nor to delineate the scope of any or all embodiments. Its sole purpose is to present one or more embodiments in a simplified form as a prelude to the more detailed description that follows. To accomplish the foregoing, the one or more embodiments comprise the features described and particularly pointed out in the claims.
Brief description of the drawings
The accompanying drawings, which are incorporated into and constitute a part of this specification, illustrate one or more exemplary embodiments of the invention and, together with the detailed description, serve to explain the principles and implementation of these embodiments.
In the drawings:
Fig. 1 shows a schematic diagram of a malware protection system according to one exemplary embodiment;
Fig. 2 shows an operation diagram of the malware protection system according to another exemplary embodiment;
Fig. 3 shows an operation diagram of the malware protection system according to another exemplary embodiment;
Figs. 4A-4E show operation algorithms of the malware protection system according to several exemplary embodiments;
Fig. 5 shows a schematic diagram of a computer system according to one exemplary embodiment.
Detailed description
Exemplary embodiments of the present invention are described herein in the context of systems, methods and computer program products for protecting a computer from malware. Those of ordinary skill in the art will realize that the following description is illustrative only and is not intended to be limiting in any way. Other embodiments will readily suggest themselves to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of the exemplary embodiments as illustrated in the accompanying drawings. The same reference numerals are used throughout the drawings and the following description to refer to the same or similar items wherever possible.
Fig. 1 shows a schematic diagram of a malware protection system 100 according to one exemplary embodiment. System 100 can be implemented as a software application deployed on a personal computer or network server, which is described in more detail in Fig. 5 below. In one exemplary embodiment, system 100 comprises an anti-virus module 120 that performs anti-virus checks of software objects 110. Software objects 110 comprise objects 111, 112 and 113, for example system and program files, scripts and other executable program code running on the personal computer or server on which system 100 is deployed. Among software objects 110, object 112 is malicious. In one exemplary embodiment, anti-virus module 120 can be a program module that uses a driver to interact with the kernel of the operating system of the computer on which system 100 is deployed. Anti-virus module 120 can use different malware detection techniques, for example signature checking, heuristic and behavioral analysis, or other methods of analyzing objects 110.
Signature checking is based on comparing the byte code of the analyzed object 110 with the code of different malicious objects stored in a malware signature database. When searching for malicious objects, heuristic analysis uses an analysis engine that applies set patterns, for example patterns described flexibly by means of fuzzy logic. Behavioral analysis, in particular, is based on the observation of system events. Whether an object is malicious is determined from its behavior in the system, within the framework of a set of rules defining which behavior is characteristic of malware.
While performing the anti-virus check of objects 110, anti-virus module 120 can also check the processes and threads started during the execution of those objects. During the analysis of objects 110 and the associated processes and threads, anti-virus module 120 can use the malware signatures and behavior signatures contained in anti-virus database 121. A malware signature is a byte sequence that is compared with the program code of the object being checked. In one example, a signature can take the form of a checksum that is created and stored in anti-virus database 121 for each malicious object. In that case anti-virus module 120 compares the checksum of the analyzed object with the signatures of known malicious objects; if there is a match, the analyzed object is malicious.
A behavior signature, in turn, contains information about the possible behavior of a potentially malicious object, for example calling system functions, accessing registry data and so on. Anti-virus module 120 can monitor the behavior of objects 110 and of the associated processes and threads; if the behavior of an object resembles the behavior signature of a known malicious object from anti-virus database 121, the monitored object 112 is considered malicious.
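The two checks described above, as an added example that is not code from the patent: a checksum-based signature lookup and a behavior-signature match over a sequence of observed system events. The contents of AV_DATABASE (the sample bytes, the checksum derived from them, the event names and the "autorun-downloader" signature) are constructed for this demonstration and do not come from the patent.

```python
# Added example, not code from the patent: the two checks anti-virus module
# 120 is described as performing, a checksum signature lookup and a behavior
# signature match. Everything in AV_DATABASE is constructed for the demo.
import hashlib

# Constructed stand-in for anti-virus database 121.
MALICIOUS_SAMPLE = b"MZ\x90\x00constructed-malicious-sample"
AV_DATABASE = {
    # signature = checksum of a known malicious object
    "checksums": {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()},
    # behavior signature = ordered list of event types a known family produces
    "behavior_signatures": {
        "autorun-downloader": [
            "registry_set:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "network_connect",
            "file_create",
        ],
    },
}


def checksum_match(object_bytes: bytes, database=AV_DATABASE) -> bool:
    """Signature check: the object's checksum equals that of a known malicious object."""
    return hashlib.sha256(object_bytes).hexdigest() in database["checksums"]


def behavior_match(observed_events, database=AV_DATABASE):
    """Behavior check: name of the first signature whose events all occur, in
    order, in the observed sequence (unrelated events may be interleaved), or None."""
    for name, pattern in database["behavior_signatures"].items():
        matched = 0
        for event in observed_events:
            if matched < len(pattern) and event == pattern[matched]:
                matched += 1
        if matched == len(pattern):
            return name
    return None


def check_object(object_bytes, observed_events, database=AV_DATABASE):
    """Combined verdict as (is_malicious, reason). A checksum hit is conclusive;
    otherwise the object's run-time behavior decides."""
    if checksum_match(object_bytes, database):
        return True, "signature"
    family = behavior_match(observed_events, database)
    if family is not None:
        return True, "behavior:" + family
    return False, None
```

The subsequence match is deliberately order-sensitive: a process that creates a file and only afterwards writes the Run key does not match the signature, which is the kind of rule a practitioner tunes to keep false positives down.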
In one exemplary embodiment, if anti-virus module 120 has detected malicious object 112, it passes identifying information about that object to data collection module 150. This identifying information can include the path of malicious object 112, the name of the object or, for example, the checksum of the malware. In addition, anti-virus module 120 can request from data collection module 150 information about the system activity associated with the execution of the identified malicious object 112, in order to detect any related malicious processes and threads associated with that object.
In another exemplary embodiment, anti-virus module 120 can also send information about the detected malware over Internet 180 to a remote central anti-virus server (not shown). The anti-virus server can in turn distribute the information about detected malicious objects to other malware protection systems that have access to it. By exchanging malware information through the central anti-virus server between malware protection systems 100 deployed on different computers in a network, the spread of new malware can be stopped.
When anti-virus module 120 detects dangerous system activity, for example a dangerous process started by object 112 or a dangerous thread started by object 112 in another process, anti-virus module 120 is configured to stop that dangerous activity. In particular, anti-virus module 120 terminates the execution of the dangerous process or thread and passes to data collection module 150 identifying information about the malicious object 112 that started that process or thread.
In one exemplary embodiment, data collection module 150 is configured to monitor the activity performed by the different objects 110 and to collect the history of object activity in file, registry or other event logs 152-154. For example, during the execution of objects 110, such as objects 111, 112 and 113, these objects can start processes that modify files (file activity), change the registry (registry activity) and/or create network connections (network activity). Data collection module 150 is configured to record the history of this activity. In one exemplary embodiment, data collection module 150 can consult auditable event database 151 to obtain the list of events to be monitored. This list of auditable events 151 includes, but is not limited to, file creation, modification and deletion events, registry change events, process or thread creation events, network connection creation events, and other events that may be characteristic of malicious activity. In addition, when collecting event data, data collection module 150 can identify the parent-child relationships between different objects by tracking which process loaded which file and when, and which process spawned which process and when.
In one of these embodiments, data collection module 150 can monitor all system events identified in auditable event database 151 and/or the events associated with specific objects. To that end, data collection module 150 can hold an index list of the software objects 110 monitored by malware protection system 100, for example their system addresses. For the monitored objects, data collection module 150 writes file creation, deletion or modification events, registry value creation, deletion or modification events, and the other events listed in auditable event database 151 to event logs 152-154. For example, if an object in the computer system creates a file in a system folder of the operating system, and anti-virus module 120 has not determined whether that object is malicious, data collection module 150 can record the event so that it is known which object created which file. Later, if an anti-virus check finds that the file was created by a malicious object, the file can be removed by recovery module 160, as described in more detail below.
In one exemplary embodiment, data collection module 150 can also maintain separate logs for different types of auditable events, for example a file event log 152 and a registry event log 153, which store information about the file and registry activity of monitored objects. In other embodiments, system 100 can also keep logs 154 of other events, for example user activity events, data input/output events, network activity events and so on. In this way system 100 collects the history of the system, file, registry and network activity of the different objects.
In one exemplary embodiment, file event log 152 can contain an identifier of the object performing the file activity (for example a file name, or a process or thread identifier), the type of file activity (for example creation of a new file, modification of a file, deletion of a file), and an identifier of the file on which the operation was performed. The file identifier can be implemented as, for example, a file path, a file checksum, or a checksum of the file path.
In one exemplary embodiment, registry event log 153 can contain an identifier of the object performing the registry activity, the type of registry activity (for example creation of a new registry parameter, change of a registry parameter value, deletion of a registry parameter or value), and the name of the registry parameter on which the operation was performed.
In one exemplary embodiment, network event log 154 can contain an identifier of the object performing the network activity (for example a file name, or a process or thread identifier), the type of network activity (for example creation of a new network connection, the port number or the type of the connection, such as TCP, UDP or FTP), and the type of data transmitted or received over the established connection (for example an identifier of the file received or transmitted). The file identifier can be implemented as, for example, a file path, a file checksum, or a checksum of the file path.
In one exemplary embodiment, auditable event database 151 and anti-virus database 121 can be updated regularly. Anti-virus database 121 should be updated regularly as new threats appear, so that anti-virus module 120 can reliably detect malicious objects and other threats in a timely manner. The list of auditable events stored in database 151 should also be updated regularly, to ensure that new kinds of malicious activity can be monitored by the malware protection system. Databases 121 and 151 can be updated by update module 170, which uses a connection to Internet 180 to download the latest anti-virus definitions and auditable event lists from the central anti-virus server. Update module 170 can be implemented as a software module that relies on the network adapter providing the network connection.
In one exemplary embodiment, when anti-virus module 120 detects malicious object 112 during a regular malware check, module 120 passes information about malicious object 112 to data collection module 150. Module 150 extracts information about the file, registry and network activity of malicious object 112 from file event log 152, registry event log 153 and network event log 154. In addition, module 150 identifies all file, registry and network activity associated with the parent and child processes and execution threads of object 112. Module 150 then passes this information to recovery module 160. From the received information, recovery module 160 determines which files or registry parameters must be removed, where new files or registry parameters were created, and which files or registry parameters must be repaired, where files or registry parameters were modified or deleted.
In one exemplary embodiment, recovery module 160 performs a rollback of the file and registry events associated with the malicious object, using the data received from data collection module 150. For example, recovery module 160 can delete all new non-system files and registry parameters created by malicious object 112. If any files or registry values were modified, or any files, registry values or parameters were deleted, the original files, registry values and parameters are restored. For the original file and registry data, recovery module 160 can consult file backup database 161 and registry backup database 162. In other embodiments, system 100 can also include other data backup databases 163 for other types of data, such as user data.
In one exemplary embodiment, file backup database 161 can contain copies of files 130 that are of particular importance for the operation of the computer system on which system 100 is deployed. Such files can include system files, for example ntoskrnl.exe, ntdetect.com, hal.dll, boot.ini and other files of the Windows NT family of operating systems. In addition, file backup database 161 can also store other files whose integrity is important for the computer system or its users. Registry backup database 162 can contain copies of the registry data 140 that affects the operation of the operating system.
To recover files 130 and registry data 140 of the computer system, recovery module 160 processes the data received from data collection module 150 and obtains from it information about the files or registry parameters that were modified or deleted. It then searches backup databases 161 and 162 for the corresponding files and registry parameters. If such file and registry data is found, recovery module 160 repairs the files and registry data that the malicious object modified or deleted.
In some embodiments, recovery module 160 can repair only the modified part of a file rather than the whole file. In that case file backup database 161 also contains the parts of files most likely to be affected by malicious actions.
In one exemplary embodiment, backup databases 161-163 can be populated with file and registry information by the user, or from the remote central anti-virus database via update module 170. In the latter case, update module 170 initiates the population of backup databases 161-163 with new files and registry values, the list of which update module 170 receives over Internet 180 from the central anti-virus server or another trusted data source. Update module 170 can then start the update process, and recovery module 160 places backup copies of files, registry data and other data into backup databases 161-163 respectively.
Fig. 2 shows an operation diagram of the malware protection system according to one exemplary embodiment. The file activity of a malicious object need not be limited to creating and deleting files; where only creation and deletion are involved, recovery module 160 correspondingly removes or repairs the files. Other behavior of a malicious object is also possible, for example modifying a file. In Fig. 2, malicious object 212 has modified object 213, which was harmless before the modification. The modification can consist, for example, of introducing malicious code into the original object 213. After these changes to object 213, object 212 stops performing any activity. Object 213, on the other hand, begins to perform activity associated with, for example, deleting files 130 or registry values 140. Meanwhile, the actions making up the activity of object 213 are recorded by data collection module 150.
If during an anti-virus check anti-virus module 120 determines that object 213 is a threat, that is, malicious, module 120 can block the activity of object 213 and send information about that object to data collection module 150 and to the anti-virus server (not shown). Data collection module 150 passes information about the activity history to recovery module 160, which uses backup databases 161-163 to repair the data that was modified. If a copy of object 213 is held in file backup database 161, recovery module 160 also repairs object 213.
In addition, anti-virus module 120 can request from data collection module 150 information about the activity associated with object 213. In response, data collection module 150 can inform anti-virus module 120 that object 213 was modified by object 212. Anti-virus module 120 can then perform an anti-virus check of object 212, determine that it is malicious and block it, thereby stopping further malicious actions by that object.
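The event-logging, process-lineage and rollback behavior described for data collection module 150, recovery module 160 and the Fig. 2 scenario (finding which object modified another), as an added example that is not code from the patent. It keeps an in-memory stand-in for the file and registry event logs and the parent/child process map, and rolls back the events of a malicious process and its descendants against backup databases. Process ids, paths, registry names and file contents are constructed for the demonstration.

```python
# Added example, not code from the patent: in-memory file/registry event logs
# (152, 153), the parent/child process map of data collection module 150, and
# the rollback of recovery module 160 against backup databases 161/162.
# All pids, paths, registry names and contents below are constructed.
from dataclasses import dataclass, field


@dataclass
class Event:
    seq: int      # position in the journal, so the order of events is known
    actor: int    # pid of the process that performed the operation
    kind: str     # "file" or "registry"
    op: str       # "create", "modify" or "delete"
    target: str   # file path or registry parameter name


@dataclass
class Journal:
    file_log: list = field(default_factory=list)
    registry_log: list = field(default_factory=list)
    parent: dict = field(default_factory=dict)  # child pid -> parent pid
    _seq: int = 0

    def record_process(self, parent_pid: int, child_pid: int) -> None:
        self.parent[child_pid] = parent_pid

    def record(self, actor: int, kind: str, op: str, target: str) -> None:
        self._seq += 1
        log = self.file_log if kind == "file" else self.registry_log
        log.append(Event(self._seq, actor, kind, op, target))

    def related(self, pid: int) -> set:
        """The pid plus every process it spawned, directly or through children."""
        related = {pid}
        changed = True
        while changed:
            changed = False
            for child, par in self.parent.items():
                if par in related and child not in related:
                    related.add(child)
                    changed = True
        return related

    def modifiers_of(self, target: str) -> set:
        """Actors that created or modified a file: the Fig. 2 question of which
        object changed object 213."""
        return {e.actor for e in self.file_log
                if e.target == target and e.op in ("create", "modify")}


def rollback(journal, malicious_pid, files, registry, file_backup, registry_backup):
    """Undo the file and registry events of the malicious process and its
    descendants. Objects the malware created are removed; objects it modified
    or deleted are restored from the backup databases, or reported as
    unrecoverable when no backup copy exists. Returns (action, target) pairs."""
    actors = journal.related(malicious_pid)
    events = sorted((e for e in journal.file_log + journal.registry_log
                     if e.actor in actors), key=lambda e: e.seq)
    # The first operation on a target decides its fate: if the malware created
    # it, any later modification is irrelevant and the object is removed.
    first_op = {}
    for ev in events:
        first_op.setdefault((ev.kind, ev.target), ev.op)
    actions = []
    for (kind, target), op in first_op.items():
        store, backup = (files, file_backup) if kind == "file" else (registry, registry_backup)
        if op == "create":
            store.pop(target, None)
            actions.append(("removed", target))
        elif target in backup:
            store[target] = backup[target]
            actions.append(("restored", target))
        else:
            actions.append(("unrecoverable", target))
    return actions


RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"


def demo():
    """Constructed scenario: pid 200 (the malicious object) spawns pid 300;
    pid 100 is an unrelated benign process whose changes must survive."""
    files = {"C:\\Windows\\System32\\hal.dll": b"original-hal", "C:\\Users\\u\\notes.txt": b"v1"}
    registry = {RUN_KEY: "C:\\Windows\\explorer.exe"}
    file_backup = {"C:\\Windows\\System32\\hal.dll": b"original-hal"}  # database 161
    registry_backup = {}                                                # database 162, empty here
    j = Journal()
    j.record_process(200, 300)
    j.record(200, "file", "create", "C:\\Temp\\dropper.exe"); files["C:\\Temp\\dropper.exe"] = b"MZ"
    j.record(300, "file", "modify", "C:\\Windows\\System32\\hal.dll"); files["C:\\Windows\\System32\\hal.dll"] = b"patched"
    j.record(300, "registry", "modify", RUN_KEY); registry[RUN_KEY] = "C:\\Temp\\dropper.exe"
    j.record(300, "file", "modify", "C:\\Temp\\dropper.exe")  # malware rewrites its own dropper
    j.record(100, "file", "modify", "C:\\Users\\u\\notes.txt"); files["C:\\Users\\u\\notes.txt"] = b"v2"
    return rollback(j, 200, files, registry, file_backup, registry_backup), files, registry
```

In the demo the Run value is reported as unrecoverable because registry backup database 162 holds no copy of it, which is exactly the case the text's "regularly populated" backup databases exist to avoid; the benign process's edit to notes.txt is left alone because pid 100 is not in the lineage of pid 200.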
Fig. 3 shows an operation diagram of the malware protection system according to another exemplary embodiment. Some objects 310 can create new network connections in the course of their execution, for example connections to Internet 180. If a network connection is created by a malicious object it can pose a threat to the computer, because it increases the computer's exposure: a malicious object can transmit data from the computer, or download other dangerous objects from the Internet onto it. To prevent this, according to one exemplary embodiment, the network activity of objects is monitored by data collection module 150 and recorded in network event log 154.
More particularly, if anti-virus module 120 has detected a malicious object, it can request from data collection module 150 information about the network activity of the malicious object and of any object, process or thread related to it. In the example above, object 312 is a malicious object with network activity, which data collection module 150 has recorded in network event log 154. After determining that object 312 is malicious and identifying the network events associated with it, anti-virus module 120 can terminate or block all network connections established by malicious object 312, stop the execution of malicious object 312 and, if malicious file or registry activity has been observed for that object or any related object, send information about object 312 to data collection module 150 so that the file and registry data can subsequently be repaired.
It is also possible that malicious object 312 has spawned a process or execution thread in a safe object or process 311 of the computer, and that process or thread has in turn created the network connection recorded in network event log 154. In that case two situations can be distinguished: malicious object 312 has injected itself into safe object 311 or a safe process without affecting the operation of the system, or malicious object 312 has injected itself into an object 313 that is a system file or system process.
In the first case, when the infected object or process is not a system process, anti-virus module 120 records the fact of the infection and the subsequent network activity, and blocks the modified object 311. Blocking the object stops the following activity:
File activity: the object can no longer perform file operations;
Registry activity: access to the system registry is blocked;
System activity: all processes and threads started by the object are terminated;
Network activity: creation of network connections is blocked.
If the anti-virus module 120 detects that an execution thread was created in process 311 by malicious object 312, the anti-virus module 120 terminates that thread, and it can also automatically terminate all network connections associated with process 311.
Where a system file or process 313 has been modified, the anti-virus module 120 generally cannot block system object 313, because doing so could cause the operating system to fail. However, once network activity of the modified system file 313 has been detected, the anti-virus module 120 can stop that network activity, terminating only the network connections initiated by the injected portion of code while object 313 keeps running. System object 313 can then be repaired using its backup copy in the file backup database 161.
If a malicious execution thread has been created in system object 313 by object 312, the execution of that malicious thread can be terminated without affecting object 313.
Fig. 4A shows the operating algorithm of the malware protection system according to an exemplary embodiment. In steps 401-403, the update module 170 can be used to update the anti-virus database 121, the verifiable event database 151 and the backup databases 161-163. Next, in step 404, the anti-virus module 120 performs an anti-virus check of the objects 110 in the computer system. If, in step 405, the checked objects, or the processes started by them, are found not to be malicious, step 405 can be repeated periodically thereafter. If, however, any of the objects 110 or the corresponding processes is malicious, the execution of that malicious object is stopped in step 406. In addition, in step 407, information identifying the object is sent to the data collection module 150, and in step 408 it is sent to the anti-virus server. Information about the activity of the detected object on other users' computers can also be received from the anti-virus server, and this information can likewise be used by the anti-virus module 120. In the next step 409, a check is performed for whether there is any activity of this object. In particular, a data search is performed in the file event log 152, the registry event log 153 and the other available event logs 154 for the activity of the malicious object or of any associated process, thread, etc. If records of malicious file or registry activity of the malicious object are found, the data concerning the activity performed by the object are sent to the recovery module 160 in step 410. In step 411, the recovery module 160 uses these data, together with the file and registry backup data from databases 161 and 162, to repair the file and registry data.
Fig. 4B shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious network activity. In step 501, the anti-virus module 120 checks whether the detected malicious object 312, or a process associated with it, has requested or opened any network connection. This information can be obtained using the data collection module 150. In step 502, after malicious object 312 has been blocked by the anti-virus module 120, the network connections created directly by malicious object 312 itself are automatically terminated. If the information from the data collection module 150 also indicates that the malicious object has modified other objects 311, 312 in which network activity has also been observed, then in step 503 the anti-virus module 120 checks whether the modified object is a system object. If the modified object 311 is not a system object, then in step 502 the anti-virus module 120 blocks that object and automatically terminates its network connections. If a system object 313 has been changed, the object cannot be blocked, because this could cause the operating system to fail. In step 504, however, the anti-virus module 120 can terminate the network connections initiated by the portion of code injected into the modified system object 313, while the object itself keeps running. The recovery module 160 can then be used to repair the system object. Where a malicious thread has been loaded into a system process, that malicious execution thread can also be terminated.
Fig. 4C shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious system activity. System activity includes the appearance of processes started by the malicious object and the starting of execution threads in other processes. In step 601, if the anti-virus module 120 identifies system activity of the malicious object, for example by requesting information from the data collection module 150, then in step 602 the anti-virus module 120 can terminate all processes and threads associated with that object. In addition, information about the terminated processes can be passed to the recovery module 160, which determines whether any infected files or registry data need to be restored.
Fig. 4D shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious registry activity. In step 701, the anti-virus module 120 uses the data collection module 150 to determine whether the registry 140 has been infected, for example whether a new registry entry has been created through the activity of the malicious object. If such activity is detected, the recovery module 160 can be instructed in step 702 to remove the new data from the registry. If the value of a registry parameter has been modified or removed, or a registry parameter has been deleted, then in step 703 the recovery module 160 checks whether the infected registry values and parameters are present in the backup registry database 162. If backup data are found, then in step 705 the recovery module 160 uses the backup copy to repair the modified or removed registry values or parameters.
Fig. 4E shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious file activity. In step 801, the anti-virus module 120 uses the data collection module 150 to request information about all new files created by the malicious object. If a new file has been created, the recovery module 160 is instructed in step 802 to remove that file. If no new file has been created but the malicious object has changed or removed an existing file, then in step 803 the recovery module 160 determines whether a backup copy of the infected file is available in database 161. If the required file is found in step 804, the recovery module 160 repairs the infected file in step 805.
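The journaling and rollback procedure of Figs. 4A-4E, together with the system-object caveat discussed for Fig. 3 (a non-system object that the malicious object injected into is blocked, a system object keeps running and only the connections traced to the injected code are closed), as an added in-memory Python model. It is not the patent's own code nor code from any Kaspersky product; the class and method names (DataCollectionModule, RecoveryModule, AntivirusModule, lineage, events_for, roll_back, respond), the dictionaries standing in for the file system, registry and backup databases, and the whole scenario in demo() (process ids, paths, endpoints) are assumptions constructed for the example:

```python
"""Added example: in-memory model of the event-journal / rollback scheme.
Not the patent's own code; every name and all scenario data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    pid: int                      # process in which the action took place
    kind: str                     # journal: "file", "registry" or "network"
    op: str                       # "create", "modify", "delete" or "connect"
    target: str                   # file path, registry value name or remote endpoint
    origin: Optional[int] = None  # injecting process, when an injected thread did it

    def actor(self) -> int:
        """Object responsible for the event: an injected thread counts for its injector."""
        return self.pid if self.origin is None else self.origin


@dataclass
class Process:
    pid: int
    image: str
    parent: Optional[int]
    is_system: bool = False       # system objects are repaired, never blocked (step 504)


class DataCollectionModule:
    """Separate file, registry and network journals plus parent/child relations."""
    def __init__(self) -> None:
        self.journals: Dict[str, List[Event]] = {"file": [], "registry": [], "network": []}
        self.processes: Dict[int, Process] = {}

    def register(self, proc: Process) -> None:
        self.processes[proc.pid] = proc

    def record(self, ev: Event) -> None:
        self.journals[ev.kind].append(ev)

    def lineage(self, root: int) -> Set[int]:
        """root plus every process it spawned, transitively (parent/child relations)."""
        related, frontier = {root}, [root]
        while frontier:
            parent = frontier.pop()
            for proc in self.processes.values():
                if proc.parent == parent and proc.pid not in related:
                    related.add(proc.pid)
                    frontier.append(proc.pid)
        return related

    def events_for(self, pids: Set[int], kind: str) -> List[Event]:
        return [e for e in self.journals[kind] if e.actor() in pids]


class RecoveryModule:
    """Undoes journaled file and registry events (steps 702-705 and 802-805)."""
    def __init__(self, files, registry, file_backup, registry_backup) -> None:
        self.store = {"file": files, "registry": registry}
        self.backup = {"file": file_backup, "registry": registry_backup}

    def roll_back(self, kind: str, events: List[Event]):
        actions = []
        for ev in events:
            if ev.op == "create":                 # remove what the malicious object added
                self.store[kind].pop(ev.target, None)
                actions.append(("deleted", ev.target))
            elif ev.op in ("modify", "delete"):   # restore from the trusted backup, if present
                if ev.target in self.backup[kind]:
                    self.store[kind][ev.target] = self.backup[kind][ev.target]
                    actions.append(("restored", ev.target))
                else:
                    actions.append(("no-backup", ev.target))
        return actions


class AntivirusModule:
    def __init__(self, collector: DataCollectionModule, recovery: RecoveryModule) -> None:
        self.collector, self.recovery = collector, recovery

    def respond(self, malicious_pid: int) -> dict:
        """Steps 409-411 plus the Fig. 4B network handling, after a verdict of malicious."""
        related = self.collector.lineage(malicious_pid)
        events = {k: self.collector.events_for(related, k) for k in ("file", "registry", "network")}
        # processes to deal with: the malicious lineage plus any process it injected a thread into
        touched = related | {e.pid for evs in events.values() for e in evs}
        blocked, kept_running = [], []
        for pid in sorted(touched):
            (kept_running if self.collector.processes[pid].is_system else blocked).append(pid)
        return {
            "blocked": blocked,                                  # non-system objects: stopped
            "kept_running": kept_running,                        # system objects: only injected activity stopped
            "closed": [e.target for e in events["network"]],     # every connection traced to the object
            "file": self.recovery.roll_back("file", events["file"]),
            "registry": self.recovery.roll_back("registry", events["registry"]),
        }


def demo():
    """Constructed scenario: dropper 100 spawns helper 101 and injects a thread into system process 4."""
    files = {"C:/ProgramData/payload.dll": "dropped", "C:/Users/a/report.doc": "encrypted"}
    registry = {"HKCU/Run/payload": "C:/ProgramData/payload.dll",
                "HKLM/Services/Svc/ImagePath": "C:/ProgramData/payload.dll"}
    file_backup = {"C:/Users/a/report.doc": "quarterly numbers"}   # notes.txt was never backed up
    registry_backup = {"HKLM/Services/Svc/ImagePath": "C:/Windows/System32/svc.exe"}
    dcm = DataCollectionModule()
    for p in (Process(50, "explorer.exe", None), Process(100, "dropper.exe", 50),
              Process(101, "helper.exe", 100), Process(4, "lsass.exe", None, is_system=True)):
        dcm.register(p)
    for ev in (Event(100, "file", "create", "C:/ProgramData/payload.dll"),
               Event(100, "registry", "create", "HKCU/Run/payload"),
               Event(100, "network", "connect", "198.51.100.7:443"),
               Event(101, "file", "modify", "C:/Users/a/report.doc"),
               Event(101, "file", "delete", "C:/Users/a/notes.txt"),
               Event(101, "registry", "modify", "HKLM/Services/Svc/ImagePath"),
               Event(4, "network", "connect", "203.0.113.9:8080", origin=100)):
        dcm.record(ev)
    av = AntivirusModule(dcm, RecoveryModule(files, registry, file_backup, registry_backup))
    return av.respond(100), files, registry


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible that the prose only implies: a deleted file with no trusted backup cannot be rolled back at all (the "no-backup" action), which is why the backup database has to be populated before the infection rather than after detection, and the decision to block or keep running is made per process that the malicious lineage touched, not just for the originally detected object.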
Fig. 5 depicts an exemplary embodiment of a computer system 5 on which the malware protection system 100 can be deployed. Computer system 5 may be a network server, personal computer, notebook, tablet computer, smartphone, media receiver or other type of data processing and computing device. Computer 5 may include one or more processors 15, memory 20, one or more hard disk drives 30, one or more optical disk drives 35, one or more serial ports 40, a graphics card 45, a sound card 50 and network interface cards 55, connected by a system bus 10. System bus 10 may be any of several types of bus structure, including a memory bus or memory controller, a peripheral bus and a local bus using any of a variety of known bus architectures. Processor 15 may include one or more Core 2 Quad 2.33 GHz microprocessors or microprocessors of another kind.
System memory 20 may include read-only memory (ROM) 21 and random-access memory (RAM) 23. Memory 20 may be implemented as DRAM (dynamic RAM), EPROM, EEPROM, flash memory or another type of memory architecture. ROM 21 stores a basic input/output system 22 (BIOS) containing the basic routines that help transfer information between the components of computer system 5, for example during start-up. RAM 23 stores the operating system 24 (OS), for example XP Professional or another type of operating system; the operating system is responsible for managing and coordinating the processes in computer system 5 and for configuring and sharing the hardware resources of computer system 5. System memory 20 also stores applications and programs 25, for example service 306. System memory 20 also stores the various runtime data 26 used by programs 25.
Computer system 5 may further include a hard disk drive 30, for example a SATA magnetic hard disk drive (HDD), and an optical disk drive 35 for reading from or writing to removable optical disks such as CD-ROM, DVD-ROM or other optical media. Drives 30 and 35 and their associated computer-readable media provide non-volatile storage of the computer-readable instructions, data structures, applications and program modules/subroutines that implement the algorithms and methods disclosed herein. Although the exemplary computer system 5 uses magnetic and optical disks, those skilled in the art will recognize that in alternative embodiments other types of computer-readable media capable of storing data accessible by computer system 5 may be used, such as magnetic cassettes, flash memory cards, digital video disks, random-access memory, read-only memory, erasable programmable read-only memory (EPROM) and other types of memory.
Computer system 5 further includes a plurality of serial ports 40, for example USB (universal serial bus) ports, used to connect data input devices 75 such as a keyboard, mouse, touchpad and other devices. Serial ports 40 may also be used to connect data output devices 80, for example printers, scanners and other devices, and other peripherals 85, such as external data storage devices. System 5 may also include a graphics card 45, for example a GT 240M or other video card, for connecting to a monitor 60 or other video reproduction device. System 5 may also include a sound card 50 for reproducing sound through internal or external speakers 65. In addition, system 5 may include a network interface card 55, for example an Ethernet, WiFi, GSM, Bluetooth or other wired, wireless or cellular network interface, for connecting computer system 5 to a network 70, for example the Internet.
In various embodiments, the algorithms and methods described herein may be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions may be stored as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter facilitating the transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, such computer-readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures and that can be accessed by a computer. Furthermore, any connection may be termed a computer-readable medium. For example, if software is transmitted from a website, server or other remote source using coaxial cable, fiber-optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then these are included in the definition of medium.
For clarity, not all routine features of the embodiments are shown and described here. It will be appreciated that in the development of any such actual embodiment, numerous implementation-specific decisions must be made to achieve the developer's specific goals, and that these goals will vary from one embodiment to another and from one developer to another. It will also be appreciated that such a development effort may be complex and time-consuming, but would nevertheless be a routine engineering undertaking for those of ordinary skill in the art having the benefit of this disclosure.
Furthermore, it is to be understood that the phraseology or terminology used herein is for the purpose of description and not of limitation, so that the terminology or phraseology of the present specification is to be interpreted by those skilled in the art in light of the teachings and guidance presented herein, in combination with the knowledge of one skilled in the relevant art. Moreover, no term in the specification or claims is intended to be ascribed an uncommon or special meaning unless explicitly set forth as such.
The various embodiments disclosed herein encompass present and future known equivalents of the known components referred to herein by way of illustration. Moreover, while embodiments and applications have been shown and described, it will be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than those mentioned above are possible without departing from the inventive concepts disclosed herein.

Claims (14)

1. A method for computer malware protection, the method comprising:
monitoring execution events of one or more processes on a computer;
identifying verifiable events among the monitored events, wherein the verifiable events include at least file creation, change or deletion events, creation, change or deletion events of system registry parameters and values, and network access events performed by processes executing on the computer;
recording the identified verifiable events in separate file, registry and network event logs;
performing a malware check of one or more software objects on the computer;
if an object is determined to be malicious, identifying from the file, registry and network event logs one or more file, registry and network events associated with the malicious object;
performing a rollback of one or more file events associated with the malicious object;
performing a rollback of one or more registry events associated with the malicious object; and
terminating one or more network connections associated with the malicious object.
2. The method of claim 1, wherein performing the rollback of file events comprises:
identifying, based on the identified file events associated with the malicious object, one or more files created, changed or deleted by the malicious object;
deleting the identified new files created by the malicious object; and
restoring at least some of the changed and deleted files from a trusted backup.
3. The method of claim 1, wherein performing the rollback of registry events comprises:
identifying, based on the identified registry events associated with the malicious object, one or more registry parameters and values created, changed or deleted by the malicious object;
deleting the new registry parameters and values created by the malicious object; and
restoring the changed or deleted registry parameters and values from a trusted backup.
4. The method of claim 1, wherein monitoring execution events of one or more processes on the computer further comprises:
identifying the relationships between the monitored parent and child processes and the execution threads spawned by the monitored processes;
identifying from the file, registry and network event logs one or more file, registry and network events associated with one or more related parent and child processes and with execution threads spawned by the malicious object.
5. The method of claim 4, further comprising:
identifying one or more system and non-system files created, changed or deleted by the parent and child processes and by the execution threads spawned by the malicious object;
restoring at least some of the changed or deleted system and non-system files from a trusted backup;
deleting all identified new non-system files created by the parent and child processes and by the execution threads spawned by the malicious object.
6. The method of claim 4, further comprising:
identifying one or more registry parameters and values created, changed or deleted by the parent and child processes and by the execution threads spawned by the malicious object;
deleting one or more identified new registry parameters and values created by the parent and child processes and by the execution threads spawned by the malicious object; and
restoring the changed or deleted registry parameters and values from a trusted backup.
7. The method of claim 4, further comprising:
identifying one or more network connections established by the parent and child processes and by the execution threads spawned by the malicious object;
terminating one or more identified network connections established by the parent and child processes and by the execution threads spawned by the malicious object.
8. A system for computer malware protection, wherein the computer has a processor and a memory, the system comprising at least the following software modules loaded into the memory of the computer and executable by the processor of the computer:
an anti-virus database comprising information about known malicious objects;
a verifiable event database comprising a list of verifiable events, wherein the verifiable events include at least file creation, change or deletion events, creation, change or deletion events of system registry parameters and values, and network access events performed by processes executing on the computer;
a data collection module configured to:
monitor execution events of one or more processes on the computer;
identify verifiable events among the monitored events based on the list of verifiable events contained in the verifiable event database; and
record the identified verifiable events in separate file, registry and network event logs contained in the memory;
an anti-virus module configured to:
perform a malware check of one or more software objects on the computer using the information about known malicious objects contained in the anti-virus database;
if an object is determined to be malicious, identify from the network event log one or more network events associated with the malicious object; and
terminate one or more network connections established by the malicious object;
a recovery module configured to:
if the object is determined to be malicious, identify from the file and registry event logs one or more file and registry events associated with the malicious object;
perform a rollback of one or more file events associated with the malicious object; and
perform a rollback of one or more registry events associated with the malicious object.
9. The system of claim 8, wherein, to perform the rollback of file events, the recovery module is further configured to:
identify, based on the identified file events associated with the malicious object, one or more files created, changed or deleted by the malicious object;
delete the identified new files created by the malicious object; and
restore at least some of the changed and deleted files from a trusted backup.
10. The system of claim 8, wherein, to perform the rollback of registry events, the recovery module is further configured to:
identify, based on the identified registry events associated with the malicious object, one or more registry parameters and values created, changed or deleted by the malicious object;
delete the new registry parameters and values created by the malicious object; and
restore the changed or deleted registry parameters and values from a trusted backup.
11. The system of claim 8, wherein, to monitor execution events of one or more processes, the data collection module is further configured to:
identify the relationships between the monitored parent and child processes and the execution threads spawned by the monitored processes;
identify from the file, registry and network event logs one or more file, registry and network events associated with one or more related parent and child processes and with execution threads spawned by the malicious object.
12. The system of claim 11, wherein the recovery module is further configured to:
identify one or more system and non-system files created, changed or deleted by the parent and child processes and by the execution threads spawned by the malicious object;
restore at least some of the changed or deleted system and non-system files from a trusted backup;
delete all identified new non-system files created by the parent and child processes and by the execution threads spawned by the malicious object.
13. The system of claim 11, wherein the recovery module is further configured to:
identify one or more registry parameters and values created, changed or deleted by the parent and child processes and by the execution threads spawned by the malicious object;
delete one or more identified new registry parameters and values created by the parent and child processes and by the execution threads spawned by the malicious object; and
restore the changed or deleted registry parameters and values from a trusted backup.
14. The system of claim 11, wherein the anti-virus module is further configured to:
identify one or more network connections established by the parent and child processes and by the execution threads spawned by the malicious object; and
terminate one or more identified network connections established by the parent and child processes and by the execution threads spawned by the malicious object.
CN201210050079XA 2012-02-29 2012-02-29 System and method for protecting computer system from being infringed by activities of malicious objects Pending CN102629310A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710150404.2A CN107103238A (en) 2012-02-29 2012-02-29 System and method for protecting computer system to exempt from malicious objects activity infringement
CN201210050079XA CN102629310A (en) 2012-02-29 2012-02-29 System and method for protecting computer system from being infringed by activities of malicious objects

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210050079XA CN102629310A (en) 2012-02-29 2012-02-29 System and method for protecting computer system from being infringed by activities of malicious objects

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201710150404.2A Division CN107103238A (en) 2012-02-29 2012-02-29 System and method for protecting computer system to exempt from malicious objects activity infringement

Publications (1)

Publication Number Publication Date
CN102629310A true CN102629310A (en) 2012-08-08

Family

ID=46587568

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201210050079XA Pending CN102629310A (en) 2012-02-29 2012-02-29 System and method for protecting computer system from being infringed by activities of malicious objects
CN201710150404.2A Pending CN107103238A (en) 2012-02-29 2012-02-29 System and method for protecting computer system to exempt from malicious objects activity infringement

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201710150404.2A Pending CN107103238A (en) 2012-02-29 2012-02-29 System and method for protecting computer system to exempt from malicious objects activity infringement

Country Status (1)

Country Link
CN (2) CN102629310A (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102867146A (en) * 2012-09-18 2013-01-09 珠海市君天电子科技有限公司 Method and system for preventing computer virus from frequently infecting systems
CN102902913A (en) * 2012-09-19 2013-01-30 无锡华御信息技术有限公司 Preservation method for preventing software in computer from being damaged maliciously
CN103413091A (en) * 2013-07-18 2013-11-27 腾讯科技(深圳)有限公司 Method and device for monitoring malicious behaviors
CN103679031A (en) * 2013-12-12 2014-03-26 北京奇虎科技有限公司 File virus immunizing method and device
CN104050413A (en) * 2013-03-13 2014-09-17 腾讯科技(深圳)有限公司 Method for data processing and terminal
CN105518694A (en) * 2013-06-25 2016-04-20 微软技术许可有限责任公司 Reverse replication to rollback corrupted files
CN106257481A (en) * 2015-06-19 2016-12-28 卡巴斯基实验室股份制公司 For recovering the system and method for the data of amendment
CN107292169A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 The threat source tracing method and device of Malware
CN108701188A (en) * 2016-02-01 2018-10-23 赛门铁克公司 In response to detecting the potential system and method for extorting software for modification file backup
CN109145592A (en) * 2017-06-16 2019-01-04 卡巴斯基实验室股份制公司 The system and method for detecting anomalous event
CN109478220A (en) * 2016-07-26 2019-03-15 微软技术许可有限责任公司 It is remedied to software attacks are extorted in cloud drive folder
CN109997139A (en) * 2016-09-30 2019-07-09 爱维士软件有限责任公司 Utilize the fingerprint detection Malware based on hash
CN110598410A (en) * 2019-09-16 2019-12-20 腾讯科技(深圳)有限公司 Malicious process determination method and device, electronic device and storage medium
CN110785758A (en) * 2017-04-26 2020-02-11 西兰克公司 Endpoint detection and response system with endpoint-based artifact storage
CN111435392A (en) * 2019-01-14 2020-07-21 孙兴珍 Network data instant updating method
CN111886594A (en) * 2018-03-20 2020-11-03 北京嘀嘀无限科技发展有限公司 Malicious process tracking

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019099929A1 (en) * 2017-11-17 2019-05-23 AVAST Software s.r.o. Using a machine learning model in quantized steps for malware detection
US10963566B2 (en) * 2018-01-25 2021-03-30 Microsoft Technology Licensing, Llc Malware sequence detection
RU2697954C2 (en) * 2018-02-06 2019-08-21 Акционерное общество "Лаборатория Касперского" System and method of creating antivirus record
CN113254397B (en) * 2021-06-15 2021-10-15 成都统信软件技术有限公司 Data checking method and computing device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1498363A (en) * 2001-03-30 2004-05-19 System and method for restoring computer systems damaged by mallcious computer program
CN1737722A (en) * 2005-08-03 2006-02-22 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
US7080408B1 (en) * 2001-11-30 2006-07-18 Mcafee, Inc. Delayed-delivery quarantining of network communications having suspicious contents
CN101022662A (en) * 2007-02-26 2007-08-22 华为技术有限公司 Calling log service device, system and method thereof
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
CN101408919A (en) * 2008-12-09 2009-04-15 吕欣 Method and system for monitoring computer espionage behavior
CN101414997A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Method and apparatus for preventing malevolence program from accessing network

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1498363A (en) * 2001-03-30 2004-05-19 System and method for restoring computer systems damaged by mallcious computer program
US7080408B1 (en) * 2001-11-30 2006-07-18 Mcafee, Inc. Delayed-delivery quarantining of network communications having suspicious contents
CN1737722A (en) * 2005-08-03 2006-02-22 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
CN101022662A (en) * 2007-02-26 2007-08-22 华为技术有限公司 Calling log service device, system and method thereof
CN101414997A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Method and apparatus for preventing malevolence program from accessing network
CN101408919A (en) * 2008-12-09 2009-04-15 吕欣 Method and system for monitoring computer espionage behavior

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102867146B (en) * 2012-09-18 2016-01-27 珠海市君天电子科技有限公司 Method and system for preventing computer virus from repeatedly infecting system
CN102867146A (en) * 2012-09-18 2013-01-09 珠海市君天电子科技有限公司 Method and system for preventing computer virus from frequently infecting systems
CN102902913A (en) * 2012-09-19 2013-01-30 无锡华御信息技术有限公司 Preservation method for preventing software in computer from being damaged maliciously
CN102902913B (en) * 2012-09-19 2016-08-03 无锡华御信息技术有限公司 Prevent the security method of software in malicious sabotage computer
CN104050413A (en) * 2013-03-13 2014-09-17 腾讯科技(深圳)有限公司 Method for data processing and terminal
US10204113B2 (en) 2013-06-25 2019-02-12 Microsoft Technology Licensing, Llc Reverse replication to rollback corrupted files
CN105518694A (en) * 2013-06-25 2016-04-20 微软技术许可有限责任公司 Reverse replication to rollback corrupted files
CN103413091A (en) * 2013-07-18 2013-11-27 腾讯科技(深圳)有限公司 Method and device for monitoring malicious behaviors
CN103413091B (en) * 2013-07-18 2016-01-20 腾讯科技(深圳)有限公司 The method for supervising of malicious act and device
CN103679031A (en) * 2013-12-12 2014-03-26 北京奇虎科技有限公司 File virus immunizing method and device
CN103679031B (en) * 2013-12-12 2017-10-31 北京奇虎科技有限公司 A kind of immune method and apparatus of file virus
CN106257481A (en) * 2015-06-19 2016-12-28 卡巴斯基实验室股份制公司 For recovering the system and method for the data of amendment
CN106257481B (en) * 2015-06-19 2019-03-05 卡巴斯基实验室股份制公司 System and method for restoring the data of modification
CN108701188B (en) * 2016-02-01 2021-09-24 诺顿卫复客公司 Systems and methods for modifying file backups in response to detecting potential ransomware
CN108701188A (en) * 2016-02-01 2018-10-23 赛门铁克公司 Systems and methods for modifying file backups in response to detecting potential ransomware
CN107292169A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 Threat source tracing method and device for malware
CN109478220B (en) * 2016-07-26 2022-03-29 微软技术许可有限责任公司 Remediation of ransomware attacks on cloud drive folders
CN109478220A (en) * 2016-07-26 2019-03-15 微软技术许可有限责任公司 Remediation of ransomware attacks on cloud drive folders
CN109997139A (en) * 2016-09-30 2019-07-09 爱维士软件有限责任公司 Detecting malware using hash-based fingerprints
CN109997139B (en) * 2016-09-30 2023-05-09 爱维士软件有限责任公司 Detecting malware using hash-based fingerprints
CN111066015B (en) * 2017-04-26 2024-02-23 西兰克公司 Endpoint detection and response system event feature data transmission
CN110785758A (en) * 2017-04-26 2020-02-11 西兰克公司 Endpoint detection and response system with endpoint-based artifact storage
CN111066015A (en) * 2017-04-26 2020-04-24 西兰克公司 Endpoint detection and response system event feature data transfer
CN110785758B (en) * 2017-04-26 2024-02-23 西兰克公司 Endpoint detection and response system with endpoint-based artifact storage
CN109145592A (en) * 2017-06-16 2019-01-04 卡巴斯基实验室股份制公司 System and method for detecting anomalous events
CN111886594A (en) * 2018-03-20 2020-11-03 北京嘀嘀无限科技发展有限公司 Malicious process tracking
CN111886594B (en) * 2018-03-20 2023-08-18 北京嘀嘀无限科技发展有限公司 Malicious process tracking
CN111435392B (en) * 2019-01-14 2021-09-24 武汉网宇信息技术有限公司 Network data instant updating method
CN111435392A (en) * 2019-01-14 2020-07-21 孙兴珍 Network data instant updating method
CN110598410A (en) * 2019-09-16 2019-12-20 腾讯科技(深圳)有限公司 Malicious process determination method and device, electronic device and storage medium

Also Published As

Publication number Publication date
CN107103238A (en) 2017-08-29

Similar Documents

Publication Publication Date Title
CN102629310A (en) System and method for protecting computer system from being infringed by activities of malicious objects
US8181247B1 (en) System and method for protecting a computer system from the activity of malicious objects
CN103020522B (en) System and method for correcting antivirus records to minimize malware false positives
US20200050765A1 (en) Methods and apparatus for identifying and removing malicious applications
EP2667314B1 (en) System and method for detection and treatment of malware on data storage devices
US8434151B1 (en) Detecting malicious software
CN103065088B (en) System and method for detecting computer security threats based on verdicts of computer users
EP2515250A1 (en) System and method for detection of complex malware
CN103065094A (en) System and method for detecting malware targeting the boot process of a computer using boot process emulation
CN103065091B (en) Reduce with malware detection expanding system
EP2637121A1 (en) A method for detecting and removing malware
CN102882875B (en) Active defense method and device
CN101901314A (en) Detection and minimization of false positives during anti-malware processing
US10839074B2 (en) System and method of adapting patterns of dangerous behavior of programs to the computer systems of users
CN102999720A (en) Program identification method and system
US9734330B2 (en) Inspection and recovery method and apparatus for handling virtual machine vulnerability
CN102857519B (en) Active defensive system
CN102902921A (en) Method and device for detecting and eliminating computer viruses
US11003772B2 (en) System and method for adapting patterns of malicious program behavior from groups of computer systems
EP2584484B1 (en) System and method for protecting a computer system from the activity of malicious objects
US20210081533A1 (en) Detection system, detection method, and an update verification method performed by using the detection method
RU2468427C1 (en) System and method to protect computer system against activity of harmful objects
CN114115936A (en) Method and device for upgrading computer program, electronic equipment and storage medium
CN117786674A (en) Method for identifying potential data leakage attacks in at least one software package
CN117313110A (en) Method and system for protecting integrity and running state of software

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20120808