CN102902921A - Method and device for detecting and eliminating computer viruses - Google Patents

Info

Publication number: CN102902921A
Authority
CN
China
Prior art keywords
virus
predefined
detection
database
boot record
Prior art date
Legal status: Granted
Application number
CN2012103477507A
Other languages
Chinese (zh)
Other versions
CN102902921B (en)
Inventor
邵坚磊
姚彤
马贞辉
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210347750.7A (CN102902921B)
Publication of CN102902921A
Priority to PCT/CN2013/083751 (WO2014044187A2)
Application granted
Publication of CN102902921B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for detecting and eliminating computer viruses. The method comprises: detecting the basic input/output system (BIOS) of a computer and, if a virus is present, eliminating it; and/or detecting the master boot record (MBR) of the computer's hard disk and, if a virus is present, restoring a default MBR; and/or detecting the driver layer of the computer's operating system and, if a virus is present, prohibiting the loading of the infected driver; and detecting the application layer of the computer's operating system and, if a virus is present, eliminating the application-layer virus. In embodiments, a multi-layer detection and elimination scheme is adopted in which viruses are detected and eliminated starting from the lowest layer, so that viruses present in every layer can be eliminated thoroughly; the ability to detect and eliminate computer viruses is greatly improved and the security of the computer system is ensured.

Description

Method and apparatus for detecting and removing computer viruses
Technical field
The present invention relates to computer security, and specifically to a method and apparatus for detecting and removing computer viruses.
Background
"Computer virus" is used here as an umbrella term for any software program deliberately created to perform unauthorized and usually harmful actions. File infectors, backdoors, keyloggers, password stealers, Word and Excel macro viruses, boot viruses, script viruses (batch, Windows shell, Java and so on), Trojans, crimeware, spyware and adware are all examples of what may be called a computer virus.
Traditional virus detection and removal works in the application layer (Ring 3): it enumerates all files and registry entries, compares them against a virus database in the cloud, and removes the files and registry entries found to be malicious. As rootkit techniques developed, detection and removal techniques aimed at the kernel-driver layer (Ring 0) appeared, including kernel-driver bypass techniques and anti-write-back techniques. With the further development of Trojan techniques, however, these traditional approaches have reached their limits.
A rootkit is a special kind of virus (malware) whose function is to hide files, processes, network connections and other information about itself and about specified targets on the machine where it is installed; in practice a rootkit is usually combined with other malicious programs such as Trojans and backdoors. A rootkit modifies the system kernel by loading a special driver, and in that way hides information. A bootkit is a more advanced rootkit. The concept was introduced by eEye Digital in its "BootRoot" project as early as 2005; that project infected the MBR (Master Boot Record of the hard disk) so as to bypass kernel checks and start stealthily. In general, any technique that loads earlier than the Windows kernel at startup and hijacks the kernel can be called a bootkit; later examples include BIOS rootkits, VBootkit and SMM rootkits. As bootkit techniques have developed, computer viruses, Trojans included, are moving toward having no file, no registry entry and no module, existing only in sectors outside the operating system and in shellcode (padding data), against which traditional detection and removal is ineffective; examples are the Ghost series (1, 2, 3), TDL4 and the BMW BIOS Trojan. Even if the Trojan's file is removed, its root is not, so the Trojan revives after a reboot and repeated scanning still cannot remove it. At the same time, the Trojan in the MBR can drop a malicious driver that interferes with scanning, and can even prevent the scanner from starting.
Summary of the invention
In view of the above problems, the present invention provides a method for detecting and removing computer viruses, and a corresponding apparatus, that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a method for detecting and removing computer viruses is provided, comprising:
detecting the basic input/output system (BIOS) of the computer and, if a virus is present, removing it; and/or
detecting the master boot record (MBR) of the computer's hard disk and, if a virus is present, restoring a default MBR; and/or
detecting the driver layer of the computer's operating system and, if a virus is present, prohibiting the loading of the infected driver; and
detecting the application layer of the computer's operating system and, if a virus is present, removing it.
In an embodiment of the present invention, the step of detecting the BIOS detects whether a virus is present in the BIOS on the basis of a predefined first virus database that contains signatures of BIOS viruses.
In an embodiment of the present invention, the step of detecting the MBR detects whether a bootkit is present in the MBR on the basis of a predefined second virus database that contains signatures of hard-disk MBR viruses.
In an embodiment of the present invention, the step of detecting the driver layer detects whether a rootkit is present in the driver layer on the basis of a predefined third virus database that contains signatures of operating-system driver-layer viruses.
In an embodiment of the present invention, the step of detecting the application layer detects whether a virus is present in the application layer on the basis of a predefined fourth virus database that contains signatures of operating-system application-layer viruses.
In an embodiment of the present invention, the step of detecting whether a virus is present comprises: locating and matching the object under examination against the virus signatures and, where it matches the signature of a virus, judging that object to be infected by that virus.
In an embodiment of the present invention, the step of detecting whether a bootkit is present in the MBR on the basis of the predefined second virus database comprises: using heuristic detection, based on the second virus database, to detect whether a bootkit is present in the MBR.
In an embodiment of the present invention, the predefined first, second, third and fourth virus databases are stored locally on the computer and/or on a remote server.
In an embodiment of the present invention, the step of restoring a default MBR when a virus is present replaces the infected MBR with a default MBR stored locally on the computer or on a remote server.
According to a further aspect of the invention, an apparatus for detecting and removing computer viruses is provided, comprising:
a first detection and removal module, for detecting the computer's BIOS and, if a virus is present, removing it; and/or
a second detection and removal module, for detecting the MBR of the computer's hard disk and, if a virus is present, restoring a default MBR; and/or
a third detection and removal module, for detecting the driver layer of the computer's operating system and, if a virus is present, prohibiting the loading of the infected driver; and
a fourth detection and removal module, for detecting the application layer of the computer's operating system and, if a virus is present, removing it.
In an embodiment of the present invention, the first detection and removal module detects whether a virus is present in the BIOS on the basis of a predefined first virus database that contains signatures of BIOS viruses.
In an embodiment of the present invention, the second detection and removal module detects whether a bootkit is present in the MBR on the basis of a predefined second virus database that contains signatures of hard-disk MBR viruses.
In an embodiment of the present invention, the third detection and removal module detects whether a rootkit is present in the driver layer on the basis of a predefined third virus database that contains signatures of driver-layer viruses.
In an embodiment of the present invention, the fourth detection and removal module detects whether a virus is present in the application layer on the basis of a predefined fourth virus database that contains signatures of application-layer viruses.
In an embodiment of the present invention, the first, second, third and fourth detection and removal modules locate and match the object under examination against the virus signatures and, where it matches the signature of a virus, judge that object to be infected by that virus.
In an embodiment of the present invention, the second detection and removal module uses heuristic detection, based on the predefined second virus database, to detect whether a bootkit is present in the MBR.
In an embodiment of the present invention, the predefined first, second, third and fourth virus databases are stored locally on the computer and/or on a remote server.
In an embodiment of the present invention, the second detection and removal module replaces the infected MBR with a default MBR stored locally on the computer or on a remote server.
According to another aspect of the invention, a system for detecting and removing computer viruses is also provided, comprising the above apparatus together with predefined virus databases stored locally on the computer and/or on a remote server; the predefined virus databases comprise one or more of the predefined first, second and third virus databases, and comprise the predefined fourth virus database.
The invention provides a method and apparatus for detecting and removing computer viruses. According to embodiments of the invention, a multi-layer detection and removal scheme is adopted, in the order computer BIOS → hard disk MBR → operating system driver layer → operating system application layer, detecting and removing viruses from the bottom layer upwards. This ensures that viruses present in every layer are thoroughly removed and overcomes the shortcomings of existing detection and removal schemes: a virus in the BIOS that cannot be removed and keeps writing itself back into the hard disk MBR; a virus in the MBR that cannot be removed and revives after the computer is restarted; and a virus in the driver layer that cannot be removed and loads an infected driver. The ability to detect and remove computer viruses is greatly improved and the security of the computer system is ensured.
The above is only an overview of the technical solution of the present invention. To make the technical means of the invention clearer, so that it can be implemented according to the description, and to make the above and other objects, features and advantages of the invention more apparent, specific embodiments of the invention are set out below.
Description of drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from the following detailed description of preferred embodiments. The drawings are provided only to illustrate preferred embodiments and are not to be taken as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 is a flow chart of a method for detecting and removing computer viruses according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the infection principle of the BMW virus;
Fig. 3 is a schematic diagram of the HOOK.ROM file that the BMW virus implants in the computer's BIOS; and
Fig. 4 is a block diagram of an apparatus for detecting and removing computer viruses according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Hereinafter, all types of computer viruses (including non-specific file infectors, Word and Excel macro viruses, boot viruses, script viruses, Trojans, backdoors, keyloggers, password stealers and so on) are referred to collectively as "computer viruses" for convenience of description. Those skilled in the art will understand that "computer virus" below may be a computer virus of any type.
Fig. 1 is a flow chart of a method for detecting and removing computer viruses according to an embodiment of the invention. As shown in Fig. 1, in the method 100 for detecting and removing computer viruses according to an embodiment of the invention, step S101 is executed first: the computer's BIOS is detected and, if a virus is present, it is removed. Then step S103 is executed: the MBR of the computer's hard disk is detected and, if a virus is present, the default MBR is restored. Then step S105 is executed: the driver layer of the computer's operating system is detected and, if a virus is present, loading of the infected driver is prohibited. Finally step S107 is executed: the application layer of the computer's operating system is detected and, if a virus is present, it is removed.
For different types of computer virus, the method 100 according to an embodiment of the invention comprises different steps; specifically, the method 100 may comprise one, two or three of steps S101, S103 and S105, and comprises step S107. For example, the BMW virus infects the computer's BIOS, the hard disk MBR, and the driver layer and application layer of the operating system, so all four steps S101, S103, S105 and S107 of the method 100 must be executed (see Fig. 2, which shows the BMW infection principle). The Ghost series, on the other hand, infects the hard disk MBR and the driver layer and application layer of the operating system, so the three steps S103, S105 and S107 of the method 100 are executed. Those skilled in the art can, according to actual needs, select one or more of steps S101, S103 and S105 of the method 100 to execute, together with step S107, to detect and remove a particular computer virus.
According to an embodiment of the invention, step S101 may be selected, in which the computer's BIOS is detected and, if a virus is present, it is removed. Optionally, whether a virus is present in the BIOS is detected on the basis of a predefined first virus database, which may contain signatures of known viruses that target the BIOS. During detection, the files in the BIOS are located and matched against these known signatures; a file that matches the signature of a known virus is judged to be infected by that virus and is subjected to removal processing. For example, in the case of the BMW virus, the BIOS contains the HOOK.ROM file shown in Fig. 3, which must be removed. Fig. 3 shows the interface of an Award BIOS editor, in which information about the HOOK.ROM file can be found in the ISA ROMs section of the BIOS.
According to an embodiment of the invention, the removal processing may comprise one or more of the following: deleting the infected file, that is, directly deleting the file that contains the virus; modifying the entry point address of the infected file, for example the entry point address of an infected portable executable (PE) file; writing a data block into a specific region of the infected file, that is, filling that region with a data block; copying blocks within the infected file; deleting a specific section of the infected file and adjusting the file's format accordingly, for example deleting a specified section of an infected PE file and adjusting the file format to match; deleting data of a specific size from the head and/or tail of the infected file; and setting the size of the infected file.
Once the virus in the BIOS has been removed, it can no longer write itself back into the hard disk MBR without limit, which avoids the situation in which the virus cannot be eliminated thoroughly even by replacing the hard disk.
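The BIOS step above locates modules in the firmware, matches them against the first virus database and neutralises a match by rewriting part of it. The following added example (not code from the patent or from the assignee's product) does this over a raw BIOS image held as a byte string: it walks the legacy option ROM headers (55 AA followed by the ROM's length in 512-byte blocks, which is the real option ROM layout), matches each ROM against a signature list, and applies the "write a data block into a specific region of the infected file" action from the removal list by overwriting the header so that POST no longer dispatches the ROM. The image bytes, the signature pattern and the `HOOK.ROM`-style marker are constructed for the demonstration; they are not the real BMW signature.

```python
"""Scan a raw BIOS image for legacy option ROMs and match each against a signature list.

Added example; not code from the patent. The image bytes and the signature
are constructed for the demonstration. Only the option ROM header layout is
real: a ROM begins on a 512-byte boundary with 55 AA, and byte 2 gives its
length in 512-byte blocks.
"""
import hashlib
from typing import Dict, List, Tuple

ROM_MAGIC = b"\x55\xAA"
ROM_BLOCK = 512

# Hypothetical "first virus database": byte patterns that identify an infected
# BIOS module. The pattern below is constructed and is not the real BMW signature.
BIOS_SIGNATURES: Dict[str, bytes] = {
    "constructed HOOK.ROM-style marker": b"HOOK.ROM\x00",
}


def find_option_roms(image: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for each option ROM header found in the image.

    The scan advances 512 bytes at a time and, on a header, skips the whole ROM,
    so 55 AA bytes inside a ROM body are never mistaken for a new header.
    """
    roms = []
    off = 0
    while off + 3 <= len(image):
        if image[off:off + 2] == ROM_MAGIC and image[off + 2] > 0:
            length = image[off + 2] * ROM_BLOCK
            roms.append((off, length))
            off += length
        else:
            off += ROM_BLOCK
    return roms


def scan_bios_image(image: bytes) -> List[dict]:
    """Locate every option ROM and match its body against the signature database."""
    hits = []
    for off, length in find_option_roms(image):
        rom = image[off:off + length]
        for name, sig in BIOS_SIGNATURES.items():
            pos = rom.find(sig)
            if pos != -1:
                hits.append({
                    "rom_offset": off,
                    "rom_length": length,
                    "signature": name,
                    "match_at": off + pos,
                    "sha256": hashlib.sha256(rom).hexdigest(),
                })
    return hits


def clean_bios_image(image: bytes, hits: List[dict]) -> bytes:
    """Apply the "write a data block into a specific region" removal action.

    Overwriting the 55 AA header means POST no longer treats the module as an
    option ROM, so its code is never dispatched. Nothing else in the image moves.
    """
    buf = bytearray(image)
    for hit in hits:
        off = hit["rom_offset"]
        buf[off:off + 2] = b"\x00\x00"
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed BIOS image: filler, one benign ROM, one ROM carrying the marker."""
    filler = b"\x00" * ROM_BLOCK
    benign = ROM_MAGIC + b"\x01" + b"\x90" * (ROM_BLOCK - 3)
    body = b"\xEB\xFE" + b"HOOK.ROM\x00" + b"\xCC" * 100
    infected = ROM_MAGIC + b"\x02" + body
    infected += b"\x00" * (2 * ROM_BLOCK - len(infected))
    return filler + benign + infected + filler


if __name__ == "__main__":
    image = build_sample_image()
    found = scan_bios_image(image)
    for h in found:
        print(f"{h['signature']} in ROM at 0x{h['rom_offset']:x} (match at 0x{h['match_at']:x})")
    cleaned = clean_bios_image(image, found)
    print("after cleaning:", scan_bios_image(cleaned))
```

Two caveats for anyone applying this outside the demonstration. The image has to come from the flash part itself (an SPI dump or the vendor's flash tool), and the cleaned image has to be written back with the same tooling and with the firmware's own checksums recomputed; editing a copy on disk changes nothing on the board, which is why the patent's Fig. 3 shows the module being handled in the vendor's BIOS editor. And a scan like this only finds what the signature list names: a module with no known signature passes, so the durable fix against firmware implants is a verified-boot root of trust, not a cleaner.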
Next, step S103 may be selected, in which the MBR of the computer's hard disk is detected and, if a virus is present, the default MBR is restored. According to an embodiment of the invention, the virus in the MBR may be a bootkit, and whether a bootkit is present in the MBR can be detected on the basis of a predefined second virus database. If a virus is present, the infected MBR can be replaced with a default MBR stored locally on the computer or on a remote server. The predefined second virus database may contain signatures of known hard-disk MBR viruses. For example, the signature of the Ghost 6 virus in the MBR is as follows:
(Signature bytes shown as an image in the original, Figure BDA00002153753400071; not reproduced here.)
The signature of the BMW Trojan in the MBR is:
(Signature bytes shown as an image in the original, Figure BDA00002153753400072; not reproduced here.)
During detection, the hard disk's MBR is located and matched against these known signatures; where it matches the signature of a known virus it is judged to be infected by that virus. In addition, heuristic virus-detection methods known in the art may be used. The default MBR stored locally on the computer or on a remote server is a "clean" MBR that has not been infected by a virus. In this way the virus in the MBR is prevented from reviving after the computer is restarted.
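The MBR step above has two parts the page does not spell out in code: the match is made over the boot-code region of the 512-byte sector, and "restoring the default MBR" must not overwrite the partition table and disk signature that sit in the same sector, or the machine stops booting. The following added example (not the patent's code) parses a sector, matches it against a signature list, applies a hash-based heuristic for boot code that matches no known-good MBR, and restores the first 440 bytes only. The sector layout used (boot code at 0..439, disk signature at 440..443, four 16-byte partition entries at 446..509, 55 AA at 510..511) is the standard MBR layout; the signature pattern, the clean template and the infected sector are constructed for the demonstration and are not the Ghost 6 or BMW signatures.

```python
"""Detect a bootkit in a hard-disk MBR sector and restore a default MBR safely.

Added example; not the patent's code. The signature pattern, the clean
template and the infected sector are all constructed for the demonstration.
The sector layout is real: boot code at 0..439, 4-byte disk signature at
440..443, partition table at 446..509, 55 AA at 510..511.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Set

SECTOR = 512
BOOT_CODE_END = 440
DISK_SIG = 440
PART_TABLE = 446
BOOT_SIG = 510

# Hypothetical "second virus database": byte patterns found in infected boot code.
MBR_SIGNATURES: Dict[str, bytes] = {
    "constructed Bootkit (hypothetical)": bytes.fromhex("b4 42 bb 00 7c cd 13 ea 00 7c 00 00"),
}


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, disk signature and partition entries; reject non-MBRs."""
    if len(sector) != SECTOR or sector[BOOT_SIG:] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_END],
        "disk_signature": sector[DISK_SIG:DISK_SIG + 4],
        "partitions": parts,
    }


def boot_code_hash(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def match_signatures(sector: bytes) -> List[str]:
    """Signature matching over the boot-code region only; the partition table is data."""
    code = sector[:BOOT_CODE_END]
    return [name for name, sig in MBR_SIGNATURES.items() if sig in code]


def heuristic_check(sector: bytes, known_good: Set[str]) -> Optional[str]:
    """Heuristic: boot code whose hash matches no known-good MBR is flagged for review."""
    if boot_code_hash(sector) not in known_good:
        return "boot code does not match any known-good MBR"
    return None


def restore_mbr(infected: bytes, clean_template: bytes) -> bytes:
    """Replace only the boot code; keep the disk signature and partition table
    from the infected sector, otherwise the disk stops booting or mounting."""
    parse_mbr(infected)
    parse_mbr(clean_template)
    return clean_template[:BOOT_CODE_END] + infected[BOOT_CODE_END:]


def _partition_table() -> bytes:
    # One active NTFS-type partition starting at LBA 2048 with 204800 sectors; rest empty.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return entry + b"\x00" * 48


def build_clean_mbr() -> bytes:
    """Constructed 'default MBR' template with a disk signature of 12 34 56 78."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_END - 7)
    return code + b"\x12\x34\x56\x78\x00\x00" + _partition_table() + b"\x55\xAA"


def build_infected_mbr() -> bytes:
    """Same disk signature and partition table, but boot code carrying the constructed pattern."""
    sig = MBR_SIGNATURES["constructed Bootkit (hypothetical)"]
    code = b"\xFA" + sig + b"\x00" * (BOOT_CODE_END - 1 - len(sig))
    return code + b"\x12\x34\x56\x78\x00\x00" + _partition_table() + b"\x55\xAA"


if __name__ == "__main__":
    clean, infected = build_clean_mbr(), build_infected_mbr()
    known_good = {boot_code_hash(clean)}
    print("signatures:", match_signatures(infected))
    print("heuristic:", heuristic_check(infected, known_good))
    restored = restore_mbr(infected, clean)
    print("partition table intact:",
          parse_mbr(restored)["partitions"] == parse_mbr(infected)["partitions"])
```

In a real run the sector is read from and written to the raw device (for example `\\.\PhysicalDrive0` on Windows), and the order of the patent's steps matters here: the page itself notes that the BMW driver uses a disk hook to point at a false path, so a sector read through an infected driver stack can return a clean-looking copy. Disable or bypass the hooked driver first, then read and rewrite. Also treat the "default MBR" as vendor-specific: writing a Windows boot-code template over a machine that booted through a third-party boot manager removes that manager, so the template should be chosen per installation rather than from one global copy.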
Then step S105 may be selected, in which the driver layer (Ring 0) of the computer's operating system is detected and, if a virus is present, loading of the infected driver is prohibited. According to an embodiment of the invention, the virus in the driver layer may be a rootkit, and whether a rootkit is present in the driver layer can be detected on the basis of a predefined third virus database.
The predefined third virus database may contain signatures of known driver-layer viruses, for example their in-memory characteristics. For example, the in-memory characteristic of the TDL4 virus is that it hides its own name and path information, and that of the BMW virus is that it uses a disk hook to point to a false path. During detection, the files in the driver layer are located and matched against these known signatures; a file that matches the signature of a known virus is judged to be infected by that virus. At that point a driver-disabling technique can be applied: the infected driver is brought under control with hooks and is prevented from loading, so that it cannot interfere with, or even stop, the normal execution of the virus detection and removal method.
Finally, step S107 is executed, in which the application layer (Ring 3) of the computer's operating system is detected and, if a virus is present, it is removed. According to an embodiment of the invention, whether a virus is present in the application layer can be detected on the basis of a predefined fourth virus database, which may contain signatures of known viruses that target the application layer of the operating system. During detection, the files in the application layer are located and matched against these known signatures; a file that matches the signature of a known virus is judged to be infected by that virus and is subjected to removal processing. According to an embodiment of the invention, the removal processing may comprise one or more of the operations described above for step S101, which are not repeated here.
For example, conventional signature-based scanning (including file and registry scanning) can be used, matching the program feature of the file under examination, such as its MD5 (Message-Digest Algorithm 5) value, against the features of viruses. The program feature may be an MD5 value, a SHA-1 value, a CRC (cyclic redundancy check) code or any other signature that uniquely identifies the original program. For example, if the program feature of a file is identical to a known program feature in the black/white list of the predefined fourth virus database, that program feature and the program's behaviour are both entered in the black/white list; if the program's behaviour is identical or similar to a known program behaviour in the black/white list, the unknown program's behaviour and its program feature are both entered in the black/white list. A file placed on the blacklist is judged to be infected.
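The two list rules above (a feature identical to a listed one inherits that list and records the behaviour; a behaviour identical or similar to a listed one inherits that list and records the feature) are easier to see as code. The following added example (not the patent's or the product's code) computes the MD5, SHA-1 and CRC32 features the page names, classifies a program against constructed black and white lists with those two rules, and maps a blacklist verdict to the page's remediation for the application layer (remove) and the driver layer (prohibit loading). "Similar" is implemented as Jaccard similarity of behaviour sets with a 0.7 threshold; the page does not define its similarity measure, so that choice, the list contents and the sample bytes are all assumptions.

```python
"""Black/white-list matching on program features and behaviour, as the page describes.

Added example; not the patent's code. The sample file contents, the behaviour
records, the list entries and the similarity measure are constructed.
"""
import hashlib
import zlib
from typing import Dict, Optional, Set, Tuple

FeatureDB = Dict[str, Dict[str, Set[str]]]   # list name -> {sha1 feature: behaviours}


def program_features(data: bytes) -> Dict[str, str]:
    """The 'program feature' values the page names: MD5, SHA-1 and CRC32 of the file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def classify(feature: Dict[str, str], behaviours: Set[str], db: FeatureDB,
             threshold: float = 0.7) -> Tuple[str, str]:
    """Return (verdict, reason) and update the list the program was assigned to.

    Verdicts are "black", "white" or "unknown". The blacklist is consulted first so a
    program that somehow appears on both sides is never cleared by the whitelist.
    """
    key = feature["sha1"]
    # Rule 1: feature identical to a listed feature -> same list, record the behaviour.
    for name in ("black", "white"):
        if key in db[name]:
            db[name][key] |= behaviours
            return name, f"feature {key[:12]} found on {name}list"
    # Rule 2: behaviour identical or similar to a listed behaviour -> same list, record the feature.
    best: Optional[Tuple[float, str, str]] = None
    for name in ("black", "white"):
        for known_key, known_beh in db[name].items():
            score = jaccard(behaviours, known_beh)
            if score >= threshold and (best is None or score > best[0]):
                best = (score, name, known_key)
    if best is not None:
        score, name, known_key = best
        db[name][key] = set(behaviours)
        return name, f"behaviour matches {name}listed {known_key[:12]} (jaccard={score:.2f})"
    return "unknown", "no feature or behaviour match"


def remediation(layer: str, verdict: str) -> str:
    """What the page does with a blacklisted object in the driver and application layers."""
    if verdict != "black":
        return "none"
    return "prohibit driver load" if layer == "driver" else "remove file and registry entries"


# Constructed samples standing in for a known Trojan dropper and a known clean utility.
SAMPLE_BAD = b"constructed trojan dropper bytes"
SAMPLE_GOOD = b"constructed signed utility bytes"


def build_sample_lists() -> FeatureDB:
    """Constructed fourth virus database: one blacklisted and one whitelisted program."""
    return {
        "black": {program_features(SAMPLE_BAD)["sha1"]:
                  {"write raw sector 0", "create service", "hook disk driver", "delete self"}},
        "white": {program_features(SAMPLE_GOOD)["sha1"]:
                  {"read registry", "open window"}},
    }


if __name__ == "__main__":
    db = build_sample_lists()
    print(classify(program_features(SAMPLE_BAD), set(), db))
    variant = program_features(b"constructed repacked variant")
    print(classify(variant, {"write raw sector 0", "create service", "hook disk driver"}, db))
    print(remediation("driver", "black"))
```

The hash-identity rule only ever recognises a sample already in the list, which is why the page pairs it with behaviour matching; the repacked variant in the example has a new hash and is caught only by its behaviour. One caution on the features the page names: MD5 and SHA-1 are fine as lookup keys for known-bad samples, but neither is collision-resistant, so an allow-list keyed by them can be satisfied by a crafted file. Key the whitelist by SHA-256 (and, where available, the signing publisher) and keep MD5/SHA-1 only for interoperability with older feeds.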
According to embodiments of the invention, the predefined first, second, third and fourth virus databases may be stored locally on the computer, or on a remote server, or both locally on the computer and on the remote server at the same time. When a predefined virus database is stored on a remote server, cloud-query techniques known in the art may be used to detect and remove computer viruses.
The invention thus provides a method for detecting and removing computer viruses in which, according to embodiments, a multi-layer scheme in the order computer BIOS → hard disk MBR → operating system driver layer → operating system application layer detects and removes viruses from the bottom layer upwards. This ensures that viruses present in every layer are thoroughly removed and overcomes the shortcomings of existing schemes (a BIOS virus that cannot be removed and keeps writing the hard disk MBR back, an MBR virus that cannot be removed and revives after a restart, and a driver-layer virus that cannot be removed and loads an infected driver), greatly improving the ability to detect and remove computer viruses and ensuring the security of the computer system.
The present invention can be integrated into a cloud security architecture: all "cloud security" clients are connected to the "cloud security" servers in real time, the clients continuously collect and report updates, a very large virus (malware) database is built on the server side, and the analysis and comparison performed by active defence is carried out on the server side, so that the whole cloud security network becomes an active-defence instrument. Program behaviours that carry a threat are collected and kept in the server-side database, so that when a virus (malware) is analysed the server can judge directly from a program's behaviour whether it is a virus (malware).
Corresponding to method 100 above, the present invention also provides a device 200 for detecting and removing viruses. Referring to Fig. 4, device 200 comprises:
A first detection and removal module 201, for detecting the computer's BIOS and, if a virus is present, removing it; it may be used to carry out step S101 of method 100 above; and/or
A second detection and removal module 203, for detecting the master boot record of the computer's hard disk and, if a virus is present, restoring the default master boot record; it may be used to carry out step S103 of method 100 above; and/or
A third detection and removal module 205, for detecting the driver layer of the computer's operating system and, if a virus is present, prohibiting the loading of the virus-infected driver; it may be used to carry out step S105 of method 100 above; and
A fourth detection and removal module 207, for detecting the application layer of the computer's operating system and, if a virus is present, removing it; it may be used to carry out step S107 of method 100 above.
As with method 100, device 200 may, according to actual needs, comprise one or more of the first detection and removal module 201, the second detection and removal module 203 and the third detection and removal module 205, and comprises the fourth detection and removal module 207.
In an embodiment of the invention, the first detection and removal module 201 detects whether a virus is present in the computer's BIOS based on a predefined first virus database containing signatures of viruses of the computer BIOS.
In an embodiment of the invention, the second detection and removal module 203 detects whether a Bootkit virus is present in the master boot record of the computer's hard disk based on a predefined second virus database containing signatures of viruses of the hard disk master boot record.
In an embodiment of the invention, the third detection and removal module 205 detects whether a Rootkit virus is present in the driver layer of the computer's operating system based on a predefined third virus database containing signatures of viruses of the operating system driver layer.
In an embodiment of the invention, the fourth detection and removal module 207 detects whether a virus is present in the application layer of the computer's operating system based on a predefined fourth virus database containing signatures of viruses of the operating system application layer.
In an embodiment of the invention, the first detection and removal module 201, the second detection and removal module 203, the third detection and removal module 205 and the fourth detection and removal module 207 perform locating and matching on the file to be detected based on the virus signatures; if the file to be detected matches a virus signature, the file is judged to be infected with that virus.
In an embodiment of the invention, the second detection and removal module 203 uses heuristic detection, based on the predefined second virus database, to detect whether a Bootkit virus is present in the master boot record of the computer's hard disk.
In an embodiment of the invention, the predefined first virus database, the predefined second virus database, the predefined third virus database and the predefined fourth virus database are stored locally on the computer and/or on a remote server.
In an embodiment of the invention, the second detection and removal module 203 replaces the virus-infected master boot record with a default master boot record stored locally on the computer or on a remote server.
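As an added illustration that is not part of the patent, the following Python sketch models the second detection and removal module 203 described above: it locates and matches signatures from a constructed "predefined second virus database" against a 512-byte master boot record, applies a constructed heuristic check, and restores a constructed default master boot record while preserving the partition table. All signatures, boot code, partition entries and function names are this example's own assumptions.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446      # bytes 446..509 hold four 16-byte partition entries
PART_TABLE_LEN = 64
BOOT_SIG = b"\x55\xaa"    # bytes 510..511: standard MBR boot signature

# Constructed "predefined second virus database": name -> (offset, pattern).
# Locating means going to the offset; matching means comparing the bytes there.
# The patterns are invented for this illustration and match no real malware.
MBR_VIRUS_DB = {
    "SAMPLE-BOOTKIT-A": (0x000, bytes.fromhex("eb5890deadbeef")),
    "SAMPLE-BOOTKIT-B": (0x0f0, bytes.fromhex("c0ffee0102")),
}

# Constructed "default master boot record" boot code: a short stub, zero padded.
DEFAULT_BOOT_CODE = (bytes.fromhex("33c08ed0bc007c8ec0") + b"\x00" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]

# Constructed known-good boot-code hashes used by the heuristic check.
KNOWN_GOOD_BOOT_HASHES = {hashlib.sha256(DEFAULT_BOOT_CODE).hexdigest()}

# Constructed partition table: one active NTFS-type entry, three empty entries.
SAMPLE_PARTITION_TABLE = bytes.fromhex("8001010007feffff0008000000001000") + b"\x00" * 48

# Constructed infected boot code carrying SAMPLE-BOOTKIT-A's pattern at offset 0.
INFECTED_BOOT_CODE = (bytes.fromhex("eb5890deadbeef") + b"\x90" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]


def build_mbr(boot_code, partition_table):
    """Assemble a 512-byte MBR from boot code and a 64-byte partition table."""
    if len(boot_code) != BOOT_CODE_LEN or len(partition_table) != PART_TABLE_LEN:
        raise ValueError("bad MBR component length")
    return boot_code + partition_table + BOOT_SIG


def locate_and_match(mbr, db=MBR_VIRUS_DB):
    """Signature pass: locate each database entry's offset, then match its bytes."""
    return sorted(name for name, (off, pat) in db.items()
                  if mbr[off:off + len(pat)] == pat)


def heuristic_check(mbr):
    """Heuristic pass (constructed rules): structural anomalies, no signature needed."""
    if len(mbr) != MBR_SIZE:
        return ["wrong sector size"]
    reasons = []
    if mbr[-2:] != BOOT_SIG:
        reasons.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() not in KNOWN_GOOD_BOOT_HASHES:
        reasons.append("boot code not in known-good set")
    return reasons


def restore_default_mbr(mbr, default_boot_code=DEFAULT_BOOT_CODE):
    """Replace the boot code with the default one; keep the partition table."""
    table = mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN]
    return build_mbr(default_boot_code, table)


def scan_and_repair(mbr):
    """Model of step S103: detect a Bootkit in the MBR and restore the default."""
    matches = locate_and_match(mbr)
    reasons = heuristic_check(mbr)
    if matches:
        verdict = "infected"
    elif reasons:
        verdict = "suspicious"   # flagged by heuristics only; repair is left to policy
    else:
        verdict = "clean"
    repaired = restore_default_mbr(mbr) if verdict == "infected" and len(mbr) == MBR_SIZE else None
    return {"verdict": verdict, "matches": matches, "heuristics": reasons, "repaired": repaired}


if __name__ == "__main__":
    infected = build_mbr(INFECTED_BOOT_CODE, SAMPLE_PARTITION_TABLE)
    result = scan_and_repair(infected)
    print(result["verdict"], result["matches"], result["heuristics"])
    print("partition table preserved:",
          result["repaired"][PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN] == SAMPLE_PARTITION_TABLE)
```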
Since each device embodiment above corresponds to a method embodiment described earlier, the device embodiments are not described in further detail.
According to another aspect of the invention, a system for detecting and removing viruses is also provided, comprising the device 200 for detecting and removing viruses described above and a predefined virus database stored locally on the computer and/or on a remote server, the predefined virus database comprising one or more of the predefined first virus database, the predefined second virus database and the predefined third virus database described above, and comprising the predefined fourth virus database described above.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is given in order to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are described. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of exemplary embodiments above. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or modules are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The device embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the modules in the device according to embodiments of the invention. The invention may also be implemented as a device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.

Claims (19)

  1. A method for detecting and removing viruses, comprising:
    detecting the computer's BIOS and, if a virus is present, removing it; and/or
    detecting the master boot record of the computer's hard disk and, if a virus is present, restoring the default master boot record; and/or
    detecting the driver layer of the computer's operating system and, if a virus is present, prohibiting the loading of the virus-infected driver; and
    detecting the application layer of the computer's operating system and, if a virus is present, removing it.
  2. The method of claim 1, wherein in the step of detecting the computer's BIOS, whether a virus is present in the computer's BIOS is detected based on a predefined first virus database containing signatures of viruses of the computer BIOS.
  3. The method of claim 1, wherein in the step of detecting the master boot record of the computer's hard disk, whether a Bootkit virus is present in the master boot record of the computer's hard disk is detected based on a predefined second virus database containing signatures of viruses of the hard disk master boot record.
  4. The method of claim 1, wherein in the step of detecting the driver layer of the computer's operating system, whether a Rootkit virus is present in the driver layer of the computer's operating system is detected based on a predefined third virus database containing signatures of viruses of the operating system driver layer.
  5. The method of claim 1, wherein in the step of detecting the application layer of the computer's operating system, whether a virus is present in the application layer of the computer's operating system is detected based on a predefined fourth virus database containing signatures of viruses of the operating system application layer.
  6. The method of any one of claims 2-5, wherein the step of detecting whether a virus is present comprises: performing locating and matching on the file to be detected based on the virus signatures, and, if the file to be detected matches a virus signature, judging that the file is infected with that virus.
  7. The method of claim 3, wherein the step of detecting whether a Bootkit virus is present in the master boot record of the computer's hard disk based on the predefined second virus database containing signatures of viruses of the hard disk master boot record comprises: using heuristic detection, based on the predefined second virus database, to detect whether a Bootkit virus is present in the master boot record of the computer's hard disk.
  8. The method of any one of claims 1-5, wherein the predefined first virus database, the predefined second virus database, the predefined third virus database and the predefined fourth virus database are stored locally on the computer and/or on a remote server.
  9. The method of claim 1, wherein in the step of restoring the default master boot record if a virus is present, the virus-infected master boot record is replaced with a default master boot record stored locally on the computer or on a remote server.
  10. A device (200) for detecting and removing viruses, comprising:
    a first detection and removal module (201), for detecting the computer's BIOS and, if a virus is present, removing it; and/or
    a second detection and removal module (203), for detecting the master boot record of the computer's hard disk and, if a virus is present, restoring the default master boot record; and/or
    a third detection and removal module (205), for detecting the driver layer of the computer's operating system and, if a virus is present, prohibiting the loading of the virus-infected driver; and
    a fourth detection and removal module (207), for detecting the application layer of the computer's operating system and, if a virus is present, removing it.
  11. The device of claim 10, wherein the first detection and removal module (201) detects whether a virus is present in the computer's BIOS based on a predefined first virus database containing signatures of viruses of the computer BIOS.
  12. The device of claim 10, wherein the second detection and removal module (203) detects whether a Bootkit virus is present in the master boot record of the computer's hard disk based on a predefined second virus database containing signatures of viruses of the hard disk master boot record.
  13. The device of claim 10, wherein the third detection and removal module (205) detects whether a Rootkit virus is present in the driver layer of the computer's operating system based on a predefined third virus database containing signatures of viruses of the operating system driver layer.
  14. The device of claim 10, wherein the fourth detection and removal module (207) detects whether a virus is present in the application layer of the computer's operating system based on a predefined fourth virus database containing signatures of viruses of the operating system application layer.
  15. The device of any one of claims 11-14, wherein the first detection and removal module (201), the second detection and removal module (203), the third detection and removal module (205) and the fourth detection and removal module (207) perform locating and matching on the file to be detected based on the virus signatures, and, if the file to be detected matches a virus signature, judge that the file is infected with that virus.
  16. The device of claim 12, wherein the second detection and removal module (203) uses heuristic detection, based on the predefined second virus database, to detect whether a Bootkit virus is present in the master boot record of the computer's hard disk.
  17. The device of any one of claims 10-14, wherein the predefined first virus database, the predefined second virus database, the predefined third virus database and the predefined fourth virus database are stored locally on the computer and/or on a remote server.
  18. The device of claim 10, wherein the second detection and removal module (203) replaces the virus-infected master boot record with a default master boot record stored locally on the computer or on a remote server.
  19. A system for detecting and removing viruses, comprising the device of any one of claims 10-18 and a predefined virus database stored locally on the computer and/or on a remote server, the predefined virus database comprising one or more of the predefined first virus database, the predefined second virus database and the predefined third virus database of claims 11-13, and comprising the predefined fourth virus database of claim 14.
CN201210347750.7A 2012-09-18 2012-09-18 Method and apparatus for detecting and removing viruses Active CN102902921B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210347750.7A CN102902921B (en) 2012-09-18 2012-09-18 Method and apparatus for detecting and removing viruses
PCT/CN2013/083751 WO2014044187A2 (en) 2012-09-18 2013-09-18 A method and device for checking and removing computer viruses

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210347750.7A CN102902921B (en) 2012-09-18 2012-09-18 Method and apparatus for detecting and removing viruses

Publications (2)

Publication Number Publication Date
CN102902921A true CN102902921A (en) 2013-01-30
CN102902921B CN102902921B (en) 2015-11-25

Family

ID=47575148

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210347750.7A Active CN102902921B (en) 2012-09-18 2012-09-18 Method and apparatus for detecting and removing viruses

Country Status (2)

Country Link
CN (1) CN102902921B (en)
WO (1) WO2014044187A2 (en)

Also Published As

Publication number Publication date
WO2014044187A2 (en) 2014-03-27
WO2014044187A3 (en) 2014-05-22
CN102902921B (en) 2015-11-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Qizhi software (Beijing) Co.,Ltd.
TR01 Transfer of patent right
Effective date of registration: 20220330
Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.