CN102629310A - System and method for protecting computer system from being infringed by activities of malicious objects - Google Patents


Info

Publication number: CN102629310A
Authority: CN
Grant status: Application
Application number: CN 201210050079
Other languages: Chinese (zh)
Inventors: 尤里·G·斯洛博迪亚努克, 弗拉季斯拉夫·V·马蒂嫩科, 米哈伊尔·A·帕夫柳席奇卡
Original assignee: 卡巴斯基实验室封闭式股份公司 (Kaspersky Lab ZAO)

Abstract

The invention discloses a system, a method and a computer program product for protecting a computer system from the activity of malicious objects. The method includes monitoring execution events of one or more processes on the computer; identifying, among the monitored events, auditable events, which include file creation, change or deletion events, system registry change events, and network access events performed by processes on the computer; recording the identified auditable events in separate file, registry and network event logs; performing a malware check on one or more software objects on the computer; if an object is found to be malicious, identifying the events related to that object in the file, registry and network event logs; rolling back the file events related to the malicious object; rolling back the registry events related to the malicious object; and terminating the network connections related to the malicious object.

Description

System and method for protecting a computer system from the activity of malicious objects

TECHNICAL FIELD

[0001] The present disclosure relates generally to the field of computer security and, more particularly, to systems, methods and computer program products for protecting a computer system from the file, registry, system and network activity of malicious objects.

BACKGROUND

[0002] Computer technology has now reached a very high level of development. As it develops, the volume of digital data grows at an ever faster rate. At the same time, digital data is vulnerable and must be protected against malicious objects such as viruses, Trojan horses, worms, spyware and other types of malware.

[0003] Antivirus systems are used to protect information from malware; the basic task of such a system is to block the dangerous activity of malicious objects. There are situations, however, in which an antivirus system cannot block malicious activity in a timely manner. This happens, for example, when a new kind of malware appears that the methods available to the antivirus system cannot detect, because those systems know nothing about the new malware. Another possibility is that the malware exploits weaknesses of the operating system, or shortcomings of the antivirus system itself, to bypass the antivirus system.

[0004] Malware that has already penetrated a computer system can exhibit different types of malicious activity: file activity, registry activity, system activity and network activity. During malicious file activity, a malicious object may perform various operations on files, such as removing or altering them or creating new files. Malicious registry activity typically consists of creating, modifying or removing registry parameters and values. Many cases of registry activity are known in which, for example, a malicious object changes registry parameters so that the malware is launched automatically (auto-launch) when the operating system loads. Malicious system activity may occur when malware starts or stops processes in the computer system, or when it starts a new thread of execution in a system or program process. Malicious network activity typically consists of the creation of new network connections by a malicious object.

[0005] Through these malicious activities, malware can penetrate a computer system and obtain the data stored on it. It is therefore necessary to detect malicious activity and to restore data that has been damaged, modified or moved by it.

SUMMARY

[0006] Disclosed herein are systems, methods and computer program products for protecting a computer from the file, registry, system and network activity of malicious objects. In one exemplary embodiment, the system includes an antivirus database containing information about known malicious objects, and an auditable event database containing a list of auditable events, the auditable events including at least file creation, change or deletion events, system registry creation, change or deletion events, and network access events performed by processes executing on the computer. The system further includes a data collection module operable to monitor the execution events of one or more processes on the computer; to identify, on the basis of the list of auditable events contained in the auditable event data store, the auditable events among the monitored events; and to record the identified auditable events in separate file, registry and network event logs held in memory.

[0007] The system further includes an antivirus module configured to perform a malware check on one or more software objects on the computer using the information about known malicious objects contained in the antivirus database. If an object is determined to be malicious, the antivirus module identifies, from the network event log, one or more network events associated with the malicious object and terminates one or more network connections established by the malicious object. The system further includes a recovery module configured, if an object is determined to be malicious, to identify from the file and registry event logs one or more file and registry events associated with the malicious object, and to perform a rollback of the file events and registry events associated with the malicious object.

[0008] In one exemplary embodiment, a method for protecting a computer from malware includes: monitoring the execution events of one or more processes on the computer; identifying auditable events among the monitored events, where the auditable events include file creation, change or deletion events, system registry creation, change or deletion events, and network access events performed by processes executing on the computer; recording the identified auditable events in separate file, registry and network event logs; performing a malware check on one or more software objects on the computer; if an object is determined to be malicious, identifying the events associated with the malicious object from the file, registry and network event logs; rolling back the file events associated with the malicious object; rolling back the registry events associated with the malicious object; and terminating the network connections associated with the malicious object.

[0009] The above simplified summary of exemplary embodiments serves to provide a basic understanding of the invention. It is not an extensive overview of all contemplated aspects, and is intended neither to identify key or critical elements of all embodiments nor to delineate the scope of any or all embodiments. Its sole purpose is to present one or more embodiments in simplified form as a prelude to the more detailed description that follows. To accomplish the foregoing, the one or more embodiments include the features described and particularly pointed out in the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

[0010] The accompanying drawings, which are incorporated into and constitute a part of this specification, illustrate one or more exemplary embodiments of the invention and, together with the detailed description, serve to explain their principles and implementations.

[0011] In the drawings:

[0012] Fig. 1 shows a schematic diagram of a malware protection system according to one exemplary embodiment;

[0013] Fig. 2 shows a schematic diagram of the operation of a malware protection system according to another exemplary embodiment;

[0014] Fig. 3 shows a schematic diagram of the operation of a malware protection system according to another exemplary embodiment;

[0015] Figs. 4A-4E show operating algorithms of the malware protection system according to several exemplary embodiments;

[0016] Fig. 5 shows a schematic diagram of a computer system according to one exemplary embodiment.

DETAILED DESCRIPTION

[0017] Exemplary embodiments of the invention are described herein in the context of systems, methods and computer program products for protecting a computer from malware. Those of ordinary skill in the art will realize that the following description is illustrative only and is not intended to be limiting in any way. Other embodiments will readily suggest themselves to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of the exemplary embodiments of the invention as illustrated in the accompanying drawings. The same reference numerals are used throughout the drawings and the following description to refer to the same or like items wherever possible.

[0018] Fig. 1 shows a schematic diagram of a malware protection system 100 according to one exemplary embodiment. System 100 may be implemented as a software application deployed on a personal computer or network server, which is described in more detail in Fig. 5 below. In one exemplary embodiment, system 100 includes an antivirus module 120 that performs antivirus checks of software objects 110, which include objects 111, 112 and 113, such as system and program files, scripts and other executable program code running on the personal computer or server on which system 100 is deployed. Among the software objects 110, object 112 is malicious. In one exemplary embodiment, antivirus module 120 may be a program module that uses drivers to interact with the kernel of the operating system of the computer on which system 100 is deployed. Antivirus module 120 may use different malware detection techniques, such as signature checking, heuristic and behavioral analysis, or other methods of analyzing objects 110.

[0019] Signature checking is based on comparing the byte code of the analyzed object 110 against the code of various malicious objects stored as malware signatures. In searching for malicious objects, heuristic analysis uses an analysis engine that flexibly applies set patterns, for example patterns described using fuzzy logic. In particular cases, behavioral analysis is based on observing system events. An object is determined to be malicious on the basis of its behavior in the system, within the framework of rules defined for malware behavior.

[0020] During the antivirus check of objects 110, antivirus module 120 may also check the processes and threads started during the execution of those objects. In analyzing objects 110 and the associated processes and threads, antivirus module 120 may use the malware signatures and behavioral signatures contained in antivirus database 121. A malware signature is a sequence of bytes that is compared with the program code of the object under examination. In one example, a signature may take the form of a checksum that is created for each malicious object and stored in antivirus database 121. In that case, antivirus module 120 may compare the checksum of the object under analysis with the signatures of known malicious objects. If there is a match, the object under analysis is malicious.

[0021] A behavioral signature, on the other hand, contains information about the possible behavior of a potentially malicious object, for example calling system functions, referencing registry data, and so on. Antivirus module 120 may monitor the behavior of objects 110 and the associated processes and threads; if an object's behavior resembles the behavioral signature of a known malicious object from antivirus database 121, the monitored object 112 is identified as malicious.

[0022] In one exemplary embodiment, if antivirus module 120 detects malicious object 112, it passes identifying information about the malicious object to data collection module 150. The identifying information may include the path to malicious object 112, the name of the object or, for example, the checksum of the malware. In addition, antivirus module 120 may ask data collection module 150 to provide it with information about certain system activity associated with the execution of the identified malicious object 112, in order to detect any related malicious processes and threads associated with that object.

[0023] In another exemplary embodiment, antivirus module 120 may also send information about the detected malware, via the Internet 180, to a remote central antivirus server (not shown). The antivirus server may in turn distribute information about the detected malicious object to other malware protection systems that have access to the antivirus server. Through the central antivirus server, malware information is exchanged between malware protection systems 100 deployed on different computers in a network, which makes it possible to stop the spread of new malware.

[0024] When antivirus module 120 detects dangerous system activity, for example the start of a dangerous process by object 112, or the start by object 112 of a dangerous thread executing in another process, antivirus module 120 is configured to terminate that dangerous activity. In particular, antivirus module 120 terminates the execution of the dangerous process or thread and passes to data collection module 150 identifying information about the malicious object 112 that started that process or thread.

[0025] In one exemplary embodiment, data collection module 150 is configured to monitor the activity performed by the various objects 110 and to collect the history of object activity in logs 152-154 of file, registry or other events. For example, during the execution of objects 110, such as objects 111, 112 and 113, those objects may start processes that modify files (file activity), change the registry (registry activity) and/or create network connections (network activity). Data collection module 150 is configured to record the history of that activity. In one exemplary embodiment, data collection module 150 may consult auditable event database 151 to obtain the list of events that should be monitored. The list of auditable events 151 includes, but is not limited to, file creation, modification and deletion events, registry change events, process or thread creation events, network connection creation events, and other events that may be characteristic of malicious activity. In addition, to collect event data, data collection module 150 may also identify parent-child relationships between different objects by tracking which process installed which files and when, and which process spawned which process and when (i.e., the parent-child relationship).

[0026] In one of these embodiments, data collection module 150 may monitor all system events identified in auditable event database 151 and/or the events associated with particular objects. Finally, data collection module 150 may contain a list of pointers, such as system addresses, to the software objects 110 monitored by malware protection system 100. For the monitored objects, data collection module 150 may record file creation, removal or change events, registry value creation, removal or change events, and other events indicated in auditable event database 151 in event logs 152-154. For example, if some object in the computer system, whose maliciousness antivirus module 120 has not determined, creates a file in a system folder of the operating system, data collection module 150 may record that event, so that it is known which object created which file. Subsequently, if an antivirus check finds that the file was created by a malicious object, the file can be removed by recovery module 160, as described in more detail below.

[0027] In one exemplary embodiment, data collection module 150 may also maintain separate logs for different types of auditable events, for example a file event log 152 and a registry event log 153, which store information about the file and registry activity of the monitored objects. In other embodiments, system 100 may also keep logs 154 of other events, such as user activity events, data input/output events, network activity events and so on. In this way, system 100 can collect the history of the system, file, registry and network activity of different objects.

[0028] In one exemplary embodiment, file event log 152 may contain the identifier of the object performing the file activity (e.g., a file name, or a process or thread identifier), the type of file activity (e.g., creation of a new file, change of a file, removal of a file) and the identifier of the file on which the operation was performed. The file identifier may be implemented as, for example, a file path, a file checksum, or a file-path checksum.

[0029] In one exemplary embodiment, registry event log 153 may contain the identifier of the object performing the registry activity, the type of registry activity (e.g., creation of a new registry parameter, change of a registry parameter value, removal of a registry parameter or value) and the name of the registry parameter on which the operation was performed.

[0030] In one exemplary embodiment, network event log 154 may contain the identifier of the object performing the network activity (e.g., a file name, or a process or thread identifier), the type of network activity (e.g., creation of a new network connection, the port number or type of the network connection, such as TCP, UDP or FTP, etc.) and the type of data transmitted or received over the established connection (e.g., the identifier of the received or transmitted file). The file identifier may be implemented as, for example, a file path, a file checksum, or a file-path checksum.

[0031] In one exemplary embodiment, auditable event database 151 and antivirus database 121 may be updated periodically. Antivirus database 121 may be updated regularly as new threats emerge, so that antivirus module 120 can reliably detect malicious objects and other threats in a timely manner. The list of auditable events stored in database 151 should also be updated regularly, to ensure that new kinds of malicious activity can be monitored by the malware protection system. Databases 121 and 151 may be updated by update module 170, which uses a connection to the Internet 180 to download the latest versions of the antivirus definitions and auditable events from the central antivirus server. Update module 170 may be implemented as a software module operating on top of the network adapter that provides the network connection.

[0032] In one exemplary embodiment, when antivirus module 120 detects malicious object 112 during a routine malware check, module 120 passes information about malicious object 112 to data collection module 150. Module 150 extracts information about the file, registry and network activity of malicious object 112 from file event log 152, registry event log 153 and network event log 154. In addition, module 150 identifies all file, registry and network activity associated with all parent and child processes and execution threads generated by object 112. Module 150 then sends this information to recovery module 160. On the basis of the information received, recovery module 160 determines which files or registry parameters need to be removed, if new files or registry parameters were created, and which files or registry parameters need to be restored, if they were changed or removed.

[0033] In one exemplary embodiment, recovery module 160, having received the data from data collection module 150, performs a rollback of the file and registry events associated with the malicious object. For example, recovery module 160 may delete all new non-system files and registry parameters created by malicious object 112. If any files or registry values were changed, or any files, registry values or parameters were removed, the original files, registry values and parameters are restored. For the original file and registry data, recovery module 160 may consult file backup database 161 and registry backup database 162. In other embodiments, system 100 may also include other data backup databases 163 for other types of data, such as user data.

[0034] In one exemplary embodiment, file backup database 161 may contain copies of files 130 that are of particular importance to the operation of the computer system on which system 100 is deployed. Such files may include system files, for example ntoskrnl.exe, ntdetect.com, hal.dll, boot.ini and other files of the Microsoft Windows NT family of operating systems. In addition, file backup database 161 may also store other files whose integrity is very important to the computer system or its user. Registry backup database 162 may contain copies of registry data 140 that affects the operation of the operating system.

[0035] To restore the files 130 and registry data 140 of the computer system, recovery module 160 processes the data received from data collection module 150 and obtains information about the files or registry parameters that were changed or removed. Recovery module 160 then searches backup databases 161 and 162 for the corresponding files and registry parameters. If such file and registry data is found, recovery module 160 restores the files and registry data changed or removed by the malicious object.

[0036] In particular embodiments, recovery module 160 may restore only the modified portion of a changed file rather than the entire file. In that case, file backup database 161 also contains the portions of files that are most likely to be subjected to malicious actions.

[0037] In one exemplary embodiment, backup databases 161-163 may be populated with file and registry information by the user or, via update module 170, from a remote central antivirus database. In the latter case, update module 170 initiates the population of backup databases 161-163 with new files and registry values, the list of which update module 170 receives via the Internet 180 from the central antivirus server or another trusted data source. Update module 170 may then start the update process, and recovery module 160 places backup copies of the files, registry and other data into backup databases 161-163, respectively.

[0038] Fig. 2 shows a schematic diagram of the operation of a malware protection system according to one exemplary embodiment. The file activity of a malicious object may consist of more than the creation and removal of files; where it consists only of those, recovery module 160 simply removes or restores the files accordingly. Other actions by the malicious object are also possible, for example changing a file. In Fig. 2, malicious object 212 changes object 213, which was harmless before that change. The change may consist, for example, of introducing malicious code into the original file 213. After making these changes to object 213, object 212 ceases all activity. Object 213, in turn, begins to perform activity such as the removal of files 130 or registry values 140. Meanwhile, the actions associated with the activity of object 213 may be recorded by data collection module 150.

[0039] If, during an antivirus check, the antivirus module 120 determines that object 213 is a threat, i.e. that it is malicious, module 120 may block the activity of object 213 and send information about this object to the data collection module 150 and to the antivirus server (not shown). The data collection module 150 passes the activity history to the recovery module 160, which uses the backup databases 161-163 to repair the data that was modified. At the same time, if a copy of object 213 exists in the file backup database 161, the recovery module 160 repairs object 213 as well.

[0040] In addition, the antivirus module 120 may request from the data collection module 150 information about the activity associated with object 213. In response, the data collection module 150 may report to the antivirus module 120 that object 213 was modified by object 212. The antivirus module 120 can then run an antivirus check on object 212, determine that it is malicious and block it, thereby preventing further malicious actions by this object.

[0041] FIG. 3 is a schematic diagram of the operation of the malware protection system according to another exemplary embodiment. Certain objects 310 may create new network connections during their execution, for example connections to the Internet 180. If such a connection is created by a malicious object it may pose a threat to the computer, since it increases the computer's exposure to attack: the malicious object may transfer data off the computer or download other dangerous objects from the Internet onto it. To prevent this, according to one exemplary embodiment, the data collection module 150 may monitor the network activity of objects and record it in the network event log 154.

[0042] More specifically, when the antivirus module 120 detects a malicious object, it may request from the data collection module 150 information about the network activity of the malicious object and of any object, process or thread related to it. In the example above, object 312 is a malicious object with network activity, which the data collection module 150 has recorded in the network event log 154. Having determined that object 312 is malicious and identified the network events associated with it, the antivirus module 120 may terminate/block all network connections established by malicious object 312, terminate the execution of object 312 and, if malicious file or registry activity has been observed for this object or any related object, pass information about object 312 to the data collection module 150 for subsequent repair of the file and registry data.

[0043] It may also happen that malicious object 312 spawns a process or an execution thread inside a safe object or process 311 on the computer, and that process or thread in turn creates a network connection which is recorded in the network event log 154. Two situations are distinguished here: malicious object 312 injects itself into a safe object 311 or a safe process without affecting the operation of the system, or malicious object 312 injects itself into an object 313 that represents a system file or a system process.

[0044] In the first situation, where the infected object or process is not a system process, the antivirus module 120 records the fact of the infection and the subsequent network activity and blocks the modified object 311. Blocking the object stops the following activities:

[0045] • File activity: the object can no longer perform file operations;

[0046] • Registry activity: the object is denied access to the system registry;

[0047] • System activity: all processes started by the object are terminated;

[0048] • Network activity: the object is denied the ability to create network connections.

[0049] If the antivirus module 120 detects that an execution thread in process 311 was created by malicious object 312, the antivirus module 120 terminates that thread and may also automatically terminate all network connections associated with process 311.

[0050] Where a system file or process 313 has been modified, the antivirus module 120 generally cannot block system object 313, since doing so would disrupt the operating system. However, once network activity of the modified system file 313 is detected, the antivirus module 120 may stop that network activity by terminating only the network connections initiated by the injected portion of code, while object 313 keeps running. System object 313 can then be repaired from its backup copy in the file backup database 161.

[0051] If the malicious execution thread was created by object 312 inside system object 313, the malicious thread can be terminated without affecting object 313.
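The three situations described in [0044]-[0051] amount to a decision rule over the connections recorded in the network event log. The Python below is an added example written for this page, not code from the patent or from Kaspersky Lab; the `Connection` record with its `thread_origin` field (the object whose code runs in the thread that opened the socket), the object names and the set of system objects are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    conn_id: int
    owner: str          # process that owns the socket (311, 312 or 313 in FIG. 3)
    thread_origin: str  # object whose code runs in the thread that opened it (assumed field)


def plan_network_response(connections, malicious, modified, system_objects):
    """Return the ordered list of (action, subject) pairs the antivirus module
    would carry out.

    - Connections opened by the malicious object itself: terminate, then block it.
    - A modified non-system object (311): block it and terminate all of its
      connections, as the blocking rules of [0044] require.
    - A modified system object (313): never block it; terminate only the threads
      and connections that originate from the injected code, and schedule a
      repair from the file backup.
    """
    actions = []
    for c in connections:
        if c.owner == malicious:
            actions.append(("terminate_connection", c.conn_id))
    actions.append(("block_object", malicious))

    for obj in modified:
        if obj in system_objects:
            for c in connections:
                if c.owner == obj and c.thread_origin == malicious:
                    actions.append(("terminate_connection", c.conn_id))
            actions.append(("terminate_injected_threads", obj))
            actions.append(("repair_from_backup", obj))
        else:
            for c in connections:
                if c.owner == obj:
                    actions.append(("terminate_connection", c.conn_id))
            actions.append(("block_object", obj))
    return actions


# Constructed sample: 312 has its own socket, has injected a thread into the
# ordinary process 311 and into the system process 313, and both 311 and 313
# also hold connections that their own code opened legitimately.
SAMPLE_CONNECTIONS = [
    Connection(1, owner="obj312", thread_origin="obj312"),
    Connection(2, owner="obj311", thread_origin="obj311"),
    Connection(3, owner="obj311", thread_origin="obj312"),
    Connection(4, owner="obj313", thread_origin="obj313"),
    Connection(5, owner="obj313", thread_origin="obj312"),
]
SYSTEM_OBJECTS = {"obj313"}


def demo():
    return plan_network_response(SAMPLE_CONNECTIONS, "obj312",
                                 ["obj311", "obj313"], SYSTEM_OBJECTS)


if __name__ == "__main__":
    for action, subject in demo():
        print(action, subject)
```

The only connection left untouched is number 4, the one the system process opened from its own code; that is the whole point of distinguishing the thread origin rather than acting on the owning process alone.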

[0052] FIG. 4A shows the operating algorithm of the malware protection system according to one exemplary embodiment. In steps 401-403 the update module 170 may update the antivirus database 121, the verifiable event database 151 and the backup databases 161-163. Next, in step 404, the antivirus module 120 performs an antivirus check of the objects 110 on the computer system. If in step 405 neither the objects being checked nor the processes they started are found to be malicious, the check of step 405 may be repeated in a subsequent period. If, however, any of the objects 110 or of the corresponding processes is malicious, execution of that malicious object is stopped in step 406. Further, in step 407 information identifying the object is sent to the data collection module 150, and in step 408 to the antivirus server. Information about the activity of the detected object on other users' computers may also be received from the antivirus server and used by the antivirus module 120. In the next step 409, a check is made for activity of this object: the file event log 152, the registry event log 153 and the other available event logs 154 are searched for activity of the malicious object or of any related process, thread, etc.
If records of malicious file or registry activity by the malicious object are found, then in step 410 the data describing the activity performed by the object is passed to the recovery module 160. In step 411 the recovery module 160 uses this data, together with the file and registry backup data from databases 161 and 162, to repair the file and registry data.
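The log search of [0040] (which object modified 213 before it acted?) and of step 409 (which file, registry and network events belong to the malicious object or to any related process or thread?) can be expressed as two closures over a single event log. The Python below is an added example written for this page, not code from the patent or from Kaspersky Lab; the `Event` schema, the event kind names and the sample log reproducing the FIG. 2 scenario are assumptions made for the illustration.

```python
from collections import deque
from dataclasses import dataclass

# Event kinds the data collection module would record in its three logs
# (names are assumptions for this example).
FILE_KINDS = {"file_create", "file_modify", "file_delete"}
REG_KINDS = {"reg_create", "reg_modify", "reg_delete"}
NET_KINDS = {"net_connect"}
# Kinds after which the target carries or runs the actor's code, so the
# target becomes a "related object" that must be checked as well.
PROPAGATING_KINDS = {"file_create", "file_modify", "process_start", "thread_inject"}


@dataclass(frozen=True)
class Event:
    seq: int      # position in the log
    actor: str    # object, process or thread that performed the action
    kind: str
    target: str   # file path, registry value, remote endpoint or object


def related_objects(log, seed):
    """Forward closure: everything the seed created, modified, started or
    injected into, transitively (the 'related object, process or thread')."""
    seen, queue = {seed}, deque([seed])
    while queue:
        obj = queue.popleft()
        for ev in log:
            if ev.actor == obj and ev.kind in PROPAGATING_KINDS and ev.target not in seen:
                seen.add(ev.target)
                queue.append(ev.target)
    return seen


def modifiers_of(log, obj):
    """Backward attribution: which objects wrote into `obj` before it acted.
    This is the answer the data collection module gives in [0040]: 213 was
    modified by 212, so 212 is the next object to check."""
    return {ev.actor for ev in log
            if ev.target == obj and ev.kind in PROPAGATING_KINDS and ev.actor != obj}


def events_to_roll_back(log, malicious):
    """Step 409: collect the verifiable events of the malicious object and of
    its related set, split into the file, registry and network buckets that the
    recovery module and the antivirus module respectively act on."""
    actors = related_objects(log, malicious)
    files = [ev for ev in log if ev.actor in actors and ev.kind in FILE_KINDS]
    regs = [ev for ev in log if ev.actor in actors and ev.kind in REG_KINDS]
    nets = [ev for ev in log if ev.actor in actors and ev.kind in NET_KINDS]
    return files, regs, nets


# Constructed sample log reproducing FIG. 2: 212 modifies 213, 212 then goes
# quiet, and 213 removes file 130 and registry value 140 and opens a socket.
SAMPLE_LOG = [
    Event(1, "obj212", "file_modify", "obj213"),
    Event(2, "obj213", "file_delete", "file130"),
    Event(3, "obj213", "reg_delete", "HKCU\\Software\\Example\\value140"),
    Event(4, "obj213", "net_connect", "203.0.113.5:443"),
    Event(5, "benign.exe", "file_create", "report.txt"),
]

if __name__ == "__main__":
    files, regs, nets = events_to_roll_back(SAMPLE_LOG, "obj213")
    print("roll back:", [e.target for e in files + regs], "cut:", [e.target for e in nets])
    print("check next:", modifiers_of(SAMPLE_LOG, "obj213"))
```

Detecting 213 first yields its own three events for rollback and names 212 as the next object to check; detecting 212 first yields the modification of 213 plus everything 213 did, because 213 is in the forward closure of 212.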

[0053] FIG. 4B shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious network activity. In step 501 the antivirus module 120 checks whether the detected malicious object 312, or a process associated with it, has requested or opened any network connection; this information can be obtained from the data collection module 150. In step 502, after the antivirus module 120 has blocked malicious object 312, the network connections created directly by object 312 itself are terminated automatically. If the information from the data collection module 150 also indicates that the malicious object has modified other objects (311 or 313) in which network activity has likewise been observed, then in step 503 the antivirus module 120 checks whether the modified object is a system object. If the modified object 311 is not a system object, then in step 502 the antivirus module 120 blocks that object and automatically terminates its network connections. If a system object 313 has been modified, blocking it is not possible, since this could disrupt the operating system. Instead, in step 504 the antivirus module 120 may terminate the network connections initiated by the injected portion of the modified system object 313, while the object itself keeps running. The recovery module 160 can then repair this system object.
Where a malicious thread has been loaded into a system process, that malicious execution thread can likewise be stopped.

[0054] FIG. 4C shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious system activity. System activity includes the appearance of processes started by a malicious object and the starting of execution threads in other processes. In step 601, if the antivirus module 120 identifies system activity of a malicious object, for example by requesting information from the data collection module 150, it may in step 602 terminate all processes and threads associated with that object. Information about the terminated processes may also be forwarded to the recovery module 160, which determines whether any infected files or registry data need to be restored.

[0055] FIG. 4D shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious registry activity. In step 701 the antivirus module 120 uses the data collection module 150 to determine whether the registry 140 has been infected, for example whether the activity of a malicious object created a new registry entry. If such activity is detected, in step 702 the recovery module 160 may be instructed to remove the newly created data from the registry. If the value of a registry parameter has been changed or removed, or if a registry parameter has been deleted, then in step 703 the recovery module 160 checks whether the affected registry values and parameters are present in the registry backup database 162. If backup data is found, in step 705 the recovery module 160 restores the changed or removed registry values or parameters from the backup copy.

[0056] FIG. 4E shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious file activity. In step 801 the antivirus module 120 uses the data collection module 150 to request information about all new files created by the malicious object. If a new file was created, in step 802 the recovery module 160 is instructed to remove it. If no new file was created but the malicious object modified or removed an existing file, then in step 803 the recovery module 160 determines whether a backup copy of the infected file is available in database 161. If the required file is found in step 804, the recovery module 160 repairs the infected file in step 805.
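The FIG. 4D and FIG. 4E procedures share one rule: anything the malicious object created is deleted, anything it modified or deleted is restored from the backup database if a copy exists, and otherwise it is reported as unrecoverable. The Python below is an added example written for this page, not code from the patent or from Kaspersky Lab; the dictionaries standing in for the file system, the registry and the backup databases 161 and 162, and the constructed event lists, are assumptions made for the illustration.

```python
def roll_back(store, backup, events):
    """Undo the effect of `events` (a list of (kind, key) in logged order, kind
    being 'create', 'modify' or 'delete') on `store`, using `backup`.

    Both stores map a file path or registry value name to its content. The
    first logged event for a key decides its fate: a key the object created is
    simply deleted, even if it was modified afterwards, because no pre-infection
    copy of it can exist; every other key is restored from the backup copy when
    one is present (steps 703-705 / 803-805).
    """
    first_kind = {}
    for kind, key in events:
        first_kind.setdefault(key, kind)

    report = {"deleted": [], "restored": [], "unrecoverable": []}
    for key, kind in first_kind.items():
        if kind == "create":
            store.pop(key, None)          # step 702 / 802
            report["deleted"].append(key)
        elif key in backup:
            store[key] = backup[key]      # step 705 / 805
            report["restored"].append(key)
        else:
            report["unrecoverable"].append(key)
    return report


def demo():
    """Constructed scenario (assumed data): a dropper created itself and then
    rewrote itself, patched a system DLL, deleted a user file, modified a file
    with no backup, added a Run persistence value and overwrote the Winlogon
    Shell value."""
    fs = {
        "C:\\Windows\\System32\\svc.dll": b"patched by malware",
        "C:\\Users\\u\\dropper.exe": b"MZ dropper",
        "C:\\Users\\u\\secret.db": b"tampered",
    }
    fs_backup = {
        "C:\\Windows\\System32\\svc.dll": b"clean dll",
        "C:\\Users\\u\\notes.txt": b"old notes",
    }
    file_events = [
        ("create", "C:\\Users\\u\\dropper.exe"),
        ("modify", "C:\\Users\\u\\dropper.exe"),
        ("modify", "C:\\Windows\\System32\\svc.dll"),
        ("delete", "C:\\Users\\u\\notes.txt"),
        ("modify", "C:\\Users\\u\\secret.db"),
    ]
    reg = {
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\persist": "dropper.exe",
        "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell": "dropper.exe",
    }
    reg_backup = {
        "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell": "explorer.exe",
    }
    reg_events = [
        ("create", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\persist"),
        ("modify", "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"),
    ]
    file_report = roll_back(fs, fs_backup, file_events)
    reg_report = roll_back(reg, reg_backup, reg_events)
    return fs, reg, file_report, reg_report


if __name__ == "__main__":
    _, _, file_report, reg_report = demo()
    print("files:", file_report)
    print("registry:", reg_report)
```

The unrecoverable bucket is the practical caveat of this design: a file that was never copied into database 161 before the infection cannot be repaired by the recovery module, which is why [0037] has the backup databases populated in advance from a trusted source rather than on demand.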

[0057] FIG. 5 depicts an exemplary embodiment of a computer system 5 on which the malware protection system 100 may be deployed. Computer system 5 may be a network server, personal computer, notebook, tablet, smartphone, media receiver or another type of data processing and computing device. Computer 5 may include one or more processors 15 connected by a system bus 10, memory 20, one or more hard disk drives 30, one or more optical disk drives 35, one or more serial ports 40, a graphics card 45, a sound card 50 and a network card 55. System bus 10 may be any of several types of bus structure, including a memory bus or memory controller, a peripheral bus and a local bus using any of a variety of known bus architectures. Processor 15 may include one or more Intel® Core 2 Quad 2.33 GHz processors or other types of microprocessor.

[0058] System memory 20 may include read-only memory (ROM) 21 and random access memory (RAM) 23. Memory 20 may be implemented as DRAM (dynamic random access memory), EPROM, EEPROM, flash memory or another type of memory architecture. ROM 21 stores a basic input/output system (BIOS) 22 containing the basic routines that help transfer information between the components of computer system 5, for example during startup. RAM 23 stores an operating system (OS) 24, such as Windows® XP Professional or another operating system, which manages and coordinates the processes in computer system 5 and configures and shares its hardware resources. System memory 20 also stores applications and programs 25, such as service 306, and the runtime data 26 used by programs 25.

[0059] Computer system 5 may further include a hard disk drive 30, such as a SATA magnetic hard disk drive (HDD), and an optical disk drive 35 for reading from or writing to removable optical disks such as CD-ROM, DVD-ROM or other optical media. Drives 30 and 35 and their associated computer-readable media provide non-volatile storage of the computer-readable instructions, data structures, application programs and program modules/subroutines that implement the algorithms and methods disclosed herein. Although the exemplary computer system 5 uses magnetic and optical disks, those skilled in the art will appreciate that alternative embodiments of the computer system may use other types of computer-readable media capable of storing data accessible by computer system 5, such as magnetic cassettes, flash memory cards, digital video disks, random access memory, read-only memory, erasable programmable read-only memory and other types of memory.

[0060] Computer system 5 further includes a plurality of serial ports 40, such as Universal Serial Bus (USB) ports, for connecting data input devices 75 such as a keyboard, mouse, touchpad and other devices. Serial ports 40 may also be used to connect data output devices 80, such as printers, scanners and other devices, and other peripheral devices 85, such as external data storage devices. System 5 may also include a graphics card 45, such as an nVidia® GeForce® GT 240M or another video card, for connection to a monitor 60 or other video reproduction device. System 5 may also include a sound card 50 for reproducing sound through internal or external speakers 65. In addition, system 5 may include a network card 55, such as an Ethernet, WiFi, GSM, Bluetooth or other wired, wireless or cellular network interface, for connecting computer system 5 to a network 70, such as the Internet.

[0061] In various embodiments, the algorithms and methods described herein may be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions may be stored as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection may be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then all of these are included in the definition of medium.

[0062] For clarity, not all routine features of the embodiments are shown and described herein. It will be appreciated that in the development of any such actual implementation numerous implementation-specific decisions must be made to achieve the developer's specific goals, and that these goals will vary from one implementation to another and from one developer to another. Moreover, it will be appreciated that such a development effort might be complex and time-consuming, but would nevertheless be a routine engineering undertaking for those of ordinary skill in the art having the benefit of this disclosure.

[0063] Furthermore, it is to be understood that the phraseology or terminology used herein is for the purpose of description and not of limitation, so that the terminology or phraseology of the present specification is to be interpreted by those skilled in the art in light of the teachings and guidance presented herein, in combination with the knowledge of one of ordinary skill in the relevant art. Moreover, no term in the specification or claims is intended to be ascribed an uncommon or special meaning unless explicitly set forth as such.

[0064] The various embodiments disclosed herein encompass present and future known equivalents of the known components referred to herein by way of illustration. Moreover, while embodiments and applications have been shown and described, it will be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than those mentioned above are possible without departing from the inventive concepts disclosed herein.

Claims (14)

  1. A method for protecting a computer from malware, the method comprising: monitoring execution events of one or more processes on the computer; identifying verifiable events among the monitored events, wherein the verifiable events include at least file creation, modification or deletion events, creation, modification or deletion events of system registry parameters and values, and network access events performed by processes executing on the computer; recording the identified verifiable events in separate file, registry and network event logs; performing a malware check on one or more software objects on the computer; if an object is determined to be malicious, identifying from the file, registry and network event logs one or more file, registry and network events associated with the malicious object; performing a rollback of one or more file events associated with the malicious object; performing a rollback of one or more registry events associated with the malicious object; and terminating one or more network connections associated with the malicious object.
  2. The method of claim 1, wherein performing the rollback of file events comprises: based on the identified file events associated with the malicious object, identifying one or more files created, modified or deleted by the malicious object; deleting the identified new files created by the malicious object; and restoring at least some of the modified and deleted files from a trusted backup.
  3. The method of claim 1, wherein performing the rollback of registry events comprises: based on the identified registry events associated with the malicious object, identifying one or more registry parameters and values created, modified or deleted by the malicious object; deleting the new registry parameters and values created by the malicious object; and restoring the modified or deleted registry parameters and values from a trusted backup.
  4. The method of claim 1, wherein monitoring execution events of one or more processes on the computer further comprises: identifying relationships between monitored parent and child processes and the execution threads spawned by the monitored processes; and identifying from the file, registry and network event logs one or more file, registry and network events associated with one or more related parent and child processes and with execution threads spawned by the malicious object.
  5. The method of claim 4, further comprising: identifying one or more system and non-system files created, modified or deleted by the parent and child processes and by the execution threads spawned by the malicious object; restoring at least some of the modified or deleted system and non-system files from a trusted backup; and deleting all identified new non-system files created by the parent and child processes and by the execution threads spawned by the malicious object.
  6. The method of claim 4, further comprising: identifying one or more registry parameters and values created, modified or deleted by the parent and child processes and by the execution threads spawned by the malicious object; deleting one or more identified new registry parameters and values created by the parent and child processes and by the execution threads spawned by the malicious object; and restoring the modified or deleted registry parameters and values from a trusted backup.
  7. The method of claim 4, further comprising: identifying one or more network connections established by the parent and child processes and by the execution threads spawned by the malicious object; and terminating the one or more identified network connections established by the parent and child processes and by the execution threads spawned by the malicious object.
  8. A system for protecting a computer from malware, the computer having a processor and a memory, the system comprising at least the following software modules loaded into the memory of the computer and executable by the processor of the computer: an antivirus database containing information about known malicious objects; a verifiable event database containing a list of verifiable events, wherein the verifiable events include at least file creation, modification or deletion events, creation, modification or deletion events of system registry parameters and values, and network access events performed by processes executing on the computer; a data collection module configured to: monitor execution events of one or more processes on the computer; identify verifiable events among the monitored events based on the list of verifiable events contained in the verifiable event database; and record the identified verifiable events in separate file, registry and network event logs held in the memory; an antivirus module configured to: perform a malware check on one or more software objects on the computer using the information about known malicious objects contained in the antivirus database; if an object is determined to be malicious, identify from the network event log one or more network events associated with the malicious object; and terminate one or more network connections established by the malicious object; and a recovery module configured to: if the object is determined to be malicious, identify from the file and registry event logs one or more file and registry events associated with the malicious object; perform a rollback of one or more file events associated with the malicious object; and perform a rollback of one or more registry events associated with the malicious object.
  9. The system of claim 8, wherein, to perform the rollback of file events, the recovery module is further configured to: based on the identified file events associated with the malicious object, identify one or more files created, modified or deleted by the malicious object; delete the identified new files created by the malicious object; and restore at least some of the modified and deleted files from a trusted backup.
  10. The system of claim 8, wherein, to perform the rollback of registry events, the recovery module is further configured to: based on the identified registry events associated with the malicious object, identify one or more registry parameters and values created, modified or deleted by the malicious object; delete the new registry parameters and values created by the malicious object; and restore the modified or deleted registry parameters and values from a trusted backup.
  11. The system of claim 8, wherein, to monitor the execution events of the one or more processes, the data collection module is further configured to: identify relationships between monitored parent and child processes and the execution threads spawned by the monitored processes; and identify from the file, registry and network event logs one or more file, registry and network events associated with one or more related parent and child processes and with execution threads spawned by the malicious object.
  12. 12.根据权利要求11的系统,其中所述恢复模块更进一步地经配置以: 识别一个或多个被所述父和子进程以及由所述恶意对象所生成的执行线程所创建、更改或者删除的系统和非系统文件; 从可信的备份中恢复至少部分的所述被更改的系统和非系统文件或者被删除的系统和非系统文件; 删除所有识别出的被所述父和子进程以及由所述恶意对象所生成的执行线程所创建的新的非系统文件。 12. The system of claim 11, wherein the restoration module further configured to: identify one or more are created and the parent and child processes generated by the malicious object thread of execution, changed or deleted file system and non-system; trusted restored from backup at least part of the modified system and non-system files or deleted files system and non-system; delete all identified by said parent process and a child and the the new non-system document referred malicious objects generated by the execution thread created.
  13. 13.根据权利要求11的系统,其中所述恢复模块更进一步地经配置以: 识别一个或多个被所述父和子进程以及由所述恶意对象所生成的执行线程所创建、更改或者删除的注册表参数和值; 删除一个或多个识别出的被所述父和子进程以及由所述恶意对象所生成的执行线程所创建的新的注册表参数和值;以及从可信的备份中恢复被更改或者删除的注册表参数和值。 13. The system of claim 11, wherein the restoration module further configured to: identify one or more are created and the parent and child processes generated by the malicious object thread of execution, changed or deleted registry parameters and values; delete one or more identified by the parent and child processes as well as new registry parameters and values ​​generated by the malicious objects created thread of execution; and recover from a trusted backup It has been changed or deleted registry parameters and values.
  14. 14.根据权利要求11的系统,其中所述反病毒模块更进一步地经配置以: 识别一个或多个被所述父和子进程以及由所述恶意对象所生成的执行线程所建立的网络连接;以及终止一个或多个识别出的被所述父和子进程以及由所述恶意对象所生成的执行线程所建立的网络连接。 14. The system of claim 11, wherein the antivirus module is further configured to: identify the parent and child processes by the one or more networks and malicious objects generated by the execution thread the established connection; and terminating the one or more identified to be established and the parent and child processes generated by the malicious object execution threads connected to the network.
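The rollback logic of claims 9 to 14 in one piece, as an added example that is not code from the patent or from Kaspersky Lab: a constructed event log and parent/child process map stand in for the data collection module's logs, and `plan_rollback` (a hypothetical name) walks the malicious process tree, separates new artifacts to delete from changed or deleted ones to restore from a trusted backup, and lists connections to terminate. The dictionary representation and the system-path prefix are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample event log (not from the patent), one record per verifiable event.
EVENTS = [
    {"pid": 100, "kind": "file", "op": "create", "target": "C:\\Users\\u\\dropper.exe"},
    {"pid": 100, "kind": "file", "op": "change", "target": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"pid": 101, "kind": "file", "op": "delete", "target": "C:\\Users\\u\\report.docx"},
    {"pid": 101, "kind": "registry", "op": "create",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"pid": 102, "kind": "registry", "op": "change",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"},
    {"pid": 102, "kind": "network", "op": "connect", "target": "203.0.113.7:4444"},
    {"pid": 200, "kind": "file", "op": "create", "target": "C:\\Users\\u\\notes.txt"},
]
# Constructed parent -> children map (claim 11); 100 is the malicious object, 200 unrelated.
PROCESS_TREE = {100: [101], 101: [102], 200: []}
SYSTEM_PREFIX = "C:\\Windows\\"  # assumption: system files live under this path

def related_pids(root, tree):
    """The malicious process plus every process it spawned, transitively (claim 11)."""
    seen, queue = {root}, deque([root])
    while queue:
        for child in tree.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def plan_rollback(malicious_pid, events=EVENTS, tree=PROCESS_TREE):
    """Pick the events of the malicious process tree and decide, per artifact, whether
    it is deleted, restored from trusted backup (claims 9-13) or disconnected (14)."""
    pids = related_pids(malicious_pid, tree)
    plan = defaultdict(list)
    for ev in events:
        if ev["pid"] not in pids:
            continue  # belongs to an unrelated process: leave it alone
        target = ev["target"]
        if ev["kind"] == "file":
            # New non-system files are deleted; changed/deleted files (and, by assumption,
            # anything new under a system path) are restored from the trusted backup.
            if ev["op"] == "create" and not target.startswith(SYSTEM_PREFIX):
                plan["delete_file"].append(target)
            else:
                plan["restore_file"].append(target)
        elif ev["kind"] == "registry":
            bucket = "delete_registry" if ev["op"] == "create" else "restore_registry"
            plan[bucket].append(target)
        elif ev["kind"] == "network":
            plan["terminate_connection"].append(target)
    return dict(plan)
```

The plan is only a decision list; carrying it out against the file system, registry and sockets belongs to the restoration and antivirus modules the claims describe.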

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201210050079 CN102629310A (en) 2012-02-29 2012-02-29 System and method for protecting computer system from being infringed by activities of malicious objects

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 201710150404 CN107103238A (en) 2012-02-29 2012-02-29 System and method for protecting computer system from malicious object activity violation
CN 201210050079 CN102629310A (en) 2012-02-29 2012-02-29 System and method for protecting computer system from being infringed by activities of malicious objects

Publications (1)

Publication Number Publication Date
CN102629310A (en) 2012-08-08

Family

ID=46587568

Country Status (1)

Country Link
CN (2) CN102629310A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1498363A (en) * 2001-03-30 2004-05-19 计算机联合思想公司 System and method for restoring computer systems damaged by malicious computer program
CN1737722A (en) * 2005-08-03 2006-02-22 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
US7080408B1 (en) * 2001-11-30 2006-07-18 Mcafee, Inc. Delayed-delivery quarantining of network communications having suspicious contents
CN101022662A (en) * 2007-02-26 2007-08-22 华为技术有限公司 Calling log service device, system and method thereof
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
CN101408919A (en) * 2008-12-09 2009-04-15 欣 吕 Method and system for monitoring computer espionage behavior
CN101414997A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Method and apparatus for preventing malevolence program from accessing network

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102867146A (en) * 2012-09-18 2013-01-09 珠海市君天电子科技有限公司 Method and system for preventing computer virus from frequently infecting systems
CN102867146B (en) * 2012-09-18 2016-01-27 珠海市君天电子科技有限公司 Method and system for preventing repeated computer virus infected systems
CN102902913A (en) * 2012-09-19 2013-01-30 无锡华御信息技术有限公司 Preservation method for preventing software in computer from being damaged maliciously
CN102902913B (en) * 2012-09-19 2016-08-03 无锡华御信息技术有限公司 Preservation methods to prevent malicious software in the computer sabotage
CN104050413A (en) * 2013-03-13 2014-09-17 腾讯科技(深圳)有限公司 Method for data processing and terminal
CN105518694A (en) * 2013-06-25 2016-04-20 微软技术许可有限责任公司 Reverse replication to rollback corrupted files
CN103413091B (en) * 2013-07-18 2016-01-20 腾讯科技(深圳)有限公司 Method and apparatus for monitoring malicious behavior
CN103413091A (en) * 2013-07-18 2013-11-27 腾讯科技(深圳)有限公司 Method and device for monitoring malicious behaviors
CN103679031A (en) * 2013-12-12 2014-03-26 北京奇虎科技有限公司 File virus immunizing method and device
CN103679031B (en) * 2013-12-12 2017-10-31 北京奇虎科技有限公司 A method and apparatus for file virus immunization

Also Published As

Publication number Publication date Type
CN107103238A (en) 2017-08-29 application

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
RJ01