CN102999720A - Program identification method and system - Google Patents

Publication number: CN102999720A
Authority: CN (China)
Prior art keywords: information, program, file, dll file, grade
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2012104484921A
Other languages: Chinese (zh)
Other versions: CN102999720B (en)
Inventors: 张晓霖, 孙晓骏
Current assignees (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date
Publication date
Events:
  Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
  Priority to CN201210448492.1A
  Publication of CN102999720A
  Application granted
  Publication of CN102999720B
  Legal status: Active
  Anticipated expiration

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the invention discloses a program identification method and system to solve the problem that a malicious program loads a malicious DLL (dynamic link library) file through a program on a trusted white list, so that active defense cannot intercept the malicious program normally. The system comprises a client and a server. The client comprises a reading module for reading a preset local identification condition when a program to be executed is detected creating a process; a matching module for matching the program to be executed against the local identification condition to obtain a matching result; a determination module for determining, according to the matching result, whether the program to be executed has a hijacked DLL file; and a processing module for performing the corresponding operation on the program to be executed according to the server's scan (check-and-kill) result. The server comprises a scanning module for scanning and removing the hijacked DLL file when the determination module of the client finds that a hijacked DLL file exists. With the program identification method and system provided by the embodiment of the invention, malicious programs can be intercepted more effectively.

Description

Program identification method and system
Technical field
The present invention relates to the field of network security technology, and in particular to a program identification method and system.
Background technology
Malicious program is a generic term for any software program intentionally created to perform, without permission, an action that is normally harmful. Computer viruses, backdoors, keyloggers, password stealers, Word and Excel macro viruses, boot viruses, script viruses (batch, Windows shell, Java, etc.), Trojan horses, crimeware, spyware and adware are all examples of what can be called malicious programs.
The number of malicious programs worldwide is now growing geometrically. To keep up with the rate at which malicious programs change, and to identify and remove them quickly, active defense technology is now generally used to scan for malicious programs. Active defense is a real-time protection technology that analyzes and judges program behavior autonomously: in its original definition it takes a program's behavior directly as the basis for deciding whether the program is malicious, and from that it derives the use of a local feature library, locally set behavior thresholds and discrimination rules, and local heuristic scanning to intercept malicious programs, thereby protecting the client device to a certain extent.
However, to minimize the impact on program performance, active defense only checks a program's EXE file and does not check the dynamic link library (DLL) files the program loads. Some malicious programs exploit exactly this: using DLL hijacking, the malicious program's DLL file is bundled with a program on a trusted white list (for example a program shipped with the operating system), and when the user chooses to run that white-listed program, the malicious DLL file is loaded with it, so that active defense cannot intercept the malicious program.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a program identification system, and a corresponding program identification method, that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a program identification method is provided, comprising:
when a program to be executed is detected creating a process, reading a preset local identification condition;
matching the program to be executed against the local identification condition to obtain a matching result;
determining, according to the matching result, whether the program to be executed has a hijacked DLL file;
if so, having the server scan the hijacked DLL file;
performing the corresponding operation on the program to be executed according to the server's scan result.
In an embodiment of the invention, matching the program to be executed against the local identification condition to obtain a matching result comprises:
obtaining characteristic information of the program to be executed;
matching the characteristic information of the program to be executed against the local identification condition to obtain the DLL file information the program to be executed needs to check, and taking that DLL file information as the matching result.
In an embodiment of the invention, determining according to the matching result whether the program to be executed has a hijacked DLL file comprises:
judging whether the DLL files named in the DLL file information to be checked exist in the specified directory; if so, determining that the program to be executed has a hijacked DLL file, where the hijacked DLL file is the DLL file present in the specified directory, and the specified directory is the current directory or a specified relative directory.
In an embodiment of the invention, the local identification condition comprises a plurality of program matching conditions and, for each program matching condition, the DLL file information that needs to be checked once the condition is satisfied.
In an embodiment of the invention, the program matching conditions include a common program matching condition, the DLL file information to be checked when the common program matching condition is satisfied being public DLL file information, and matching the characteristic information of the program to be executed against the local identification condition to obtain the DLL information the program needs to check comprises:
obtaining the public DLL file information that needs to be checked when the common program matching condition is satisfied;
taking the public DLL file information as the DLL file information the program to be executed needs to check.
According to another aspect of the present invention, a program identification system is provided, comprising a client and a server, wherein
the client comprises:
a reading module, adapted to read a preset local identification condition when a program to be executed is detected creating a process;
a matching module, adapted to match the program to be executed against the local identification condition and obtain a matching result;
a determination module, adapted to determine, according to the matching result, whether the program to be executed has a hijacked DLL file;
the server comprises:
a scanning module, adapted to scan the hijacked DLL file when the check result of the client's determination module is that one exists;
and the client further comprises:
a processing module, adapted to perform the corresponding operation on the program to be executed according to the server's scan result.
With the program identification method and system of the present invention, when a program to be executed is detected creating a process, the preset local identification condition is used to check whether the program has a hijacked DLL file; if it does, the server scans the hijacked DLL file, and the program is then handled according to the server's scan result. This solves the problem that a malicious program loads a malicious DLL file through a program on the trusted white list so that active defense cannot intercept it normally, with the beneficial effect that malicious programs are intercepted more effectively.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may become apparent, specific embodiments of the present invention are set out below.
Description of drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to show the preferred embodiments and are not to be taken as limiting the invention. Throughout the drawings the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a program identification method according to an embodiment of the invention;
Fig. 2 shows a flow chart of a program identification method according to an embodiment of the invention;
Fig. 3 shows a flow chart of a program identification method according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the local identification condition according to an embodiment of the invention;
Fig. 5 shows a block diagram of a program identification system according to an embodiment of the invention; and
Fig. 6 shows a block diagram of a program identification system according to an embodiment of the invention.
Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited to the embodiments set out here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is fully conveyed to those skilled in the art.
The present invention can be applied to a computer system/server that can operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and so on.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. The computer system/server can be implemented in a distributed cloud computing environment, where tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media that include memory devices.
Embodiment one:
Referring to Fig. 1, a flow chart of a program identification method according to an embodiment of the invention is shown; the method may specifically comprise:
Step S101: when a program to be executed is detected creating a process, read the preset local identification condition.
Step S102: match the program to be executed against the local identification condition to obtain a matching result.
Step S103: determine, according to the matching result, whether the program to be executed has a hijacked DLL file.
The detailed procedure of the program identification method proposed in this embodiment is described in detail in the following embodiments.
Through steps S101 to S103 above, the local identification condition can be used to detect whether the program to be executed has a hijacked DLL file, and the program can subsequently be handled according to the detection result. If the program to be executed is found to have a hijacked DLL file, the server can then scan the hijacked DLL file, and the program to be executed is handled according to the server's scan result. This solves the problem that a malicious program loads a malicious DLL file through a program on the trusted white list so that active defense cannot intercept it normally, and malicious programs can be intercepted more effectively.
Embodiment two:
Referring to Fig. 2, a flow chart of a program identification method according to an embodiment of the invention is shown.
To keep up with the rate at which malicious programs change, and to identify and remove them quickly, active defense technology is now generally used to scan for malicious programs. Active defense is a real-time protection technology that analyzes and judges program behavior autonomously; it protects the key locations of the system by setting interception points at those locations. When a program performs an action that modifies one of these key locations (such as writing the registry, creating a scheduled task, modifying the browser home page, changing the default browser or registering a browser plug-in), the program is intercepted, and after interception it must be judged whether the modification is malicious. The judgement of the behavior is usually made by judging whether the program performing the modification is safe: if the program is malicious, the modification is malicious, and the program's execution must be intercepted.
In general, active defense detects whether a program is safe by checking the program's files. But checking a program's files requires computing file hash values and accessing the network, both of which are time-consuming, and an ordinary program may load dozens or even hundreds of DLL files; even with caching, this would noticeably lengthen the program's start-up time. Therefore, to minimize the impact on program performance, active defense only checks the program's EXE file and not the DLL files the program loads. Some malicious programs exploit exactly this: using DLL hijacking, the malicious program's DLL file is bundled with a program on a trusted white list (for example a program shipped with the operating system), and when the user chooses to run that white-listed program, the malicious DLL file is loaded with it, so that active defense cannot intercept the malicious program.
To prevent a malicious program from breaking through active defense and executing successfully by way of a program on the trusted white list, the embodiment of the invention proposes a program identification method. Specifically, the method may comprise the following steps:
Step S201: when a program to be executed is detected creating a process, check according to the preset local identification condition whether the program to be executed has a hijacked DLL file.
It should be noted that step S201 is the process of checking whether the program to be executed has a hijacked DLL file; relative to embodiment one above, step S201 may comprise steps S101 to S103 of embodiment one.
Step S202: if so, have the server scan the hijacked DLL file.
Step S203: perform the corresponding operation on the program to be executed according to the server's scan result.
Through steps S201 to S203 above, when a program to be executed has hijacked DLL files, those files can further be scanned by the server, and the program to be executed is then handled according to the server's scan result. The specific processing procedure is described in detail in the following embodiments.
The program identification method proposed by the embodiment of the invention checks for hijacked DLL files in the program to be executed, and so can solve the problem that a malicious program loads a malicious DLL file through a program on the trusted white list so that active defense cannot intercept it normally, with the beneficial effect that malicious programs are intercepted more effectively.
Embodiment three:
The specific program identification method is described in detail below.
Referring to Fig. 3, a flow chart of a program identification method according to an embodiment of the invention is shown; the method comprises:
Step S301: when a program to be executed is detected creating a process, check according to the preset local identification condition whether the program to be executed has a hijacked DLL file.
The embodiment of the invention mainly adds a DLL file query at the point where the program to be executed creates a process: it checks whether the program to be executed has a hijacked DLL file, and if so, the program might be exploited by a malicious program, so it goes on to check whether those hijacked DLL files are safe.
In this embodiment, the check of whether the program to be executed has a hijacked DLL file is made according to the preset local identification condition.
The local identification condition is stored in a local directory on the client. It comprises a plurality of program matching conditions and, for each, the DLL file information that needs to be checked once that program matching condition is satisfied. This embodiment matches certain characteristic information of the program to be executed against the local identification condition and then judges according to the matching result.
Specifically, step S301 may comprise the following sub-steps:
Sub-step a1: obtain characteristic information of the program to be executed.
The characteristic information of the program to be executed comprises at least one of the following:
the program's file name, file description, file size, file version, file characteristic value, internal name, company name, copyright statement, product name, product version and digital signature company information, and the command line, process path and parent process path of the process created by the program to be executed.
Of course, the characteristic information of the program to be executed may also comprise other information; this embodiment does not limit it.
Sub-step a2: match the characteristic information of the program to be executed against the local identification condition to obtain the DLL file information the program to be executed needs to check, and take that DLL file information as the matching result.
The process of matching against the local identification condition is described specifically below.
As seen from the description above, the local identification condition comprises a plurality of program matching conditions and, for each, the DLL file information to be checked once that condition is satisfied. In the embodiment of the invention there are two kinds of program matching condition, the common program matching condition and the specific program matching condition, and the matching process differs according to the kind of condition.
First: the common program matching condition
In the local identification condition, the DLL file information to be checked when the common program matching condition is satisfied is the public DLL file information.
When matching, every program to be executed is matched against the common program matching condition, and all the DLL file information to be checked once the common program matching condition is satisfied is obtained. That is, for every program to be executed, all the public DLL file information is obtained, and this public DLL file information is then judged further.
Specifically, the processing for the common program matching condition may comprise:
(1) obtaining the public DLL file information that needs to be checked when the common program matching condition is satisfied;
(2) taking that public DLL file information as the DLL file information the program to be executed needs to check.
In this embodiment, commonly used DLL file information can be placed in the common program matching condition, so that unknown malicious programs that hijack commonly used DLL files can also be scanned, which improves the accuracy of scanning.
Second: the specific program matching condition
In the local identification condition, the DLL file information to be checked when a specific program matching condition is satisfied is the specific DLL file information.
When matching, not every program to be executed matches a specific program matching condition. The characteristic information of the program to be executed therefore has to be matched against the specific program matching conditions, and only the specific DLL file information to be checked for the matching specific program matching condition is obtained; if no specific program matching condition matches the characteristic information of the program to be executed, only the public DLL file information obtained above needs to be judged.
Because the specific program matching condition must be matched against the characteristic information of the program to be executed, the specific program matching condition also has to contain information corresponding to the program's characteristic information, by which the specific program matching condition that matches the characteristic information of the program to be executed can be found.
In this embodiment, the specific program matching condition comprises at least one of the following:
file name, file description, file size, file version, file characteristic value, internal name, company name, copyright statement, product name, product version and the digital signature information of the company name, and the command line, process path and parent process path of the process.
Likewise, the specific program matching condition may also comprise other information; this embodiment does not limit it.
Specifically, the processing for the specific program matching condition may comprise:
(i) matching the characteristic information of the program to be executed against the specific program matching condition;
(ii) obtaining the specific DLL file information to be checked for the matching specific program matching condition;
(iii) taking that specific DLL file information as the DLL file information the program to be executed needs to check.
Specifically, this can be described by the following example.
Fig. 4 is a schematic diagram of the local identification condition of the embodiment of the invention.
As can be seen from the figure, this local identification condition comprises a plurality of common program matching conditions and specific program matching conditions. DLL-HIJACK is a field name; a stand-alone DLL-HIJACK field represents a common program matching condition, and the DLL file information in these stand-alone DLL-HIJACK fields is the public DLL file information. Other DLL-HIJACK fields are combined with specific fields, and these specific fields (for example "FD@=360 network connection reader") represent the specific program matching conditions. The file information in a specific field is information about the program's EXE file (such as the file description (FD), internal name (IN), digital signature information of the company name (SP), etc.), and it is this information that is matched, as the specific program matching condition, against the characteristic information of the program to be executed. The DLL file information in a DLL-HIJACK field combined with such specific fields is the specific DLL file information to be checked once the specific program matching condition is satisfied. In this embodiment, the DLL file information can be the name of the DLL file.
For example, the DLL file names in stand-alone DLL_HIJACK fields, such as lpk.dll, usp10.dll and setupapi.dll (see Fig. 3 for the full set; they are not listed one by one here), are public DLL file information, while the DLL file names in DLL-HIJACK fields combined with specific fields, such as 360netview.dll, 360nzp.dll and somkernl.dll, are specific DLL file information.
For each program to be executed, when the program is matched against the local identification condition, the DLL file names in the stand-alone DLL_HIJACK fields are obtained first; then the characteristic information of the program to be executed is matched against the information in the specific fields, and the DLL file names in the DLL-HIJACK fields combined with the matching specific fields are obtained; finally, all the DLL file names obtained are judged. Some programs to be executed have no information that clearly distinguishes them from other programs, so such programs can only be matched against the stand-alone DLL_HIJACK fields.
For example, suppose the characteristic information obtained for the current program to be executed is the file description "360 network connection reader"; this file description is then matched against the local identification condition. First, the DLL file names in all stand-alone DLL_HIJACK fields are obtained, such as "lpk.dll", "usp10.dll" and "setupapi.dll". Then the file description "360 network connection reader" is matched against the specific fields; the judgement finds that "|FD@=360 network connection reader|DLL_HIJACK=360netview.dll|" is the information matching the file description "360 network connection reader", so the DLL file name "360netview.dll" in the DLL_HIJACK field combined with this specific field is obtained. Finally, the names "lpk.dll", "usp10.dll", "setupapi.dll" and so on from the stand-alone DLL_HIJACK fields, together with "360netview.dll", are taken as the DLL file information the program to be executed needs to check.
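The matching of sub-steps a1 and a2 in Python, as an added example that is not code from the patent or from the assignee's products. The line layout is an assumption extrapolated from the single condition quoted above, "|FD@=360 network connection reader|DLL_HIJACK=360netview.dll|": a line holding only DLL_HIJACK fields is treated as a common program matching condition, a line that also holds KEY@=value selector fields as a specific program matching condition, and every selector on a line must match. The selector keys FD, IN and SP are taken from the text; the sample condition text, the extra selectors and any DLL names beyond those quoted are constructed. Obtaining the characteristic information from the EXE (sub-step a1, e.g. from the version resource) is assumed to have been done already and is passed in as a dict.

```python
from dataclasses import dataclass

# Constructed sample of a local identification condition (layout assumed from
# the single line quoted in the description). Selector keys: FD = file
# description, IN = internal name, SP = digital signature company name.
CONDITIONS = """
|DLL_HIJACK=lpk.dll|
|DLL_HIJACK=usp10.dll|
|DLL_HIJACK=setupapi.dll|
|FD@=360 network connection reader|DLL_HIJACK=360netview.dll|
|FD@=360 network connection reader|IN@=netview|DLL_HIJACK=360nzp.dll|
|SP@=Example Signer Ltd|DLL_HIJACK=somkernl.dll|
"""


@dataclass
class Condition:
    selectors: dict   # KEY -> required value; empty for a common condition
    dlls: list        # DLL names to check once the condition is satisfied

    def is_common(self):
        return not self.selectors

    def matches(self, characteristics):
        # A specific condition applies only when every selector equals the
        # program's characteristic value (exact match, as the example implies).
        return all(characteristics.get(k) == v for k, v in self.selectors.items())


def parse_conditions(text):
    """Parse the condition text into Condition objects, one per line."""
    conditions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        selectors, dlls = {}, []
        for fld in line.strip("|").split("|"):
            if "@=" in fld:
                key, value = fld.split("@=", 1)
                selectors[key.strip()] = value.strip()
            elif fld.startswith("DLL_HIJACK="):
                # Windows file names are case-insensitive, so normalise here.
                dlls.append(fld[len("DLL_HIJACK="):].strip().lower())
            else:
                raise ValueError("unrecognised field in condition: %r" % fld)
        conditions.append(Condition(selectors, dlls))
    return conditions


def dlls_to_check(characteristics, conditions):
    """Sub-step a2: the public DLL names are always collected (common
    conditions); the specific DLL names are collected only from conditions
    whose selectors all match the program's characteristic information."""
    names = []
    for cond in conditions:
        if cond.is_common() or cond.matches(characteristics):
            for name in cond.dlls:
                if name not in names:
                    names.append(name)
    return names


if __name__ == "__main__":
    conds = parse_conditions(CONDITIONS)
    # The example from the text: file description "360 network connection reader".
    print(dlls_to_check({"FD": "360 network connection reader"}, conds))
    # A program with no distinguishing information gets only the public names.
    print(dlls_to_check({"FD": "some other program"}, conds))
```

For the file description from the text the result is the three public names plus "360netview.dll"; a program whose characteristics match no specific field gets only the public names, which is the fallback the description calls for when a program has nothing that distinguishes it from other programs.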
Substep a3 judges the dll file information that whether exists described needs to check under the assigned catalogue, if exist, determines that then there is the dll file of being held as a hostage in described pending program.
In general, dll file can be stored in the system directory, if need to call some dll file when program is carried out, then these dll files is stored under the assigned catalogue, and the dll file that therefore is stored under the assigned catalogue is the dll file that this program is called.In the present embodiment, described assigned catalogue is the relative catalogue of current directory or appointment.
So, after getting access to the dll file information that pending program need to check through above-mentioned substep a2, also need further to judge the dll file information that whether has described needs inspection under the assigned catalogue.If the dll file information that exists described needs to check under the assigned catalogue, illustrate that there is the dll file of being held as a hostage in described pending program, and described dll file of being held as a hostage is the dll file that exists under the assigned catalogue, need to carry out killing to these dll files of being held as a hostage; If the dll file information that does not exist described needs to check under the assigned catalogue illustrates that these dll files can not loaded by pending program, therefore do not need it is carried out killing.
For example, still describe for example with above-mentioned, if the dll file information that the pending program that gets access to need to check is the dll file title " 360netview.dll " in the dll file title in the independent DLL_HIJACK field such as " lpk.dll ", " usp10.dll ", " setupapi.dll " and the DLL_HIJACK field combined with specific fields, then judge whether there are these dll file titles under the assigned catalogue in step a2.
For example, judge the file name that exists under the assigned catalogue and be " lpk.dll ", " usp10.dll " and " 360netview.dll ", the dll file of then dll file " lpk.dll ", " usp 10.dll " and " 360netview.dll " being held as a hostage as pending program.
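The matching of substeps a1 to a3, as an added Python example that is not part of the patent: it parses a constructed local discrimination condition written in the field syntax quoted above (exact-match semantics and the FN@/CN@ keys are assumptions), collects the DLL names the program must be checked for, and reports which of them are actually present in the specified directory.

```python
"""Client-side check for hijacked DLLs (substeps a1-a3).

Constructed example, not the patent's own code. The rule syntax follows
the single line quoted in the text ("| FD@=... | DLL_HIJACK=... |"); how
real rule files are delimited beyond that is an assumption.
"""
import os
import tempfile

# Constructed local discrimination condition: three independent DLL_HIJACK
# fields (public DLL file information) and two specific program matching
# conditions (FD@ = file description), each combined with its own DLL_HIJACK.
LOCAL_DISCRIMINATION_CONDITION = """
|DLL_HIJACK=lpk.dll|
|DLL_HIJACK=usp10.dll|
|DLL_HIJACK=setupapi.dll|
| FD@=360 network connection readers | DLL_HIJACK=360netview.dll|
| FD@=QQ game | DLL_HIJACK=hypothetical_qqgame.dll|
"""

# Characteristic keys the rule syntax may carry. "FD@" is the only key shown
# on the page; the other two are assumed names for characteristics it lists.
CHARACTERISTIC_KEYS = {
    "FD@": "file_description",
    "FN@": "file_name",
    "CN@": "company_name",
}


def parse_rules(text):
    """Split the condition into (constraints, dll_names) rule tuples.

    A rule without constraints is an 'independent' DLL_HIJACK field (common
    program matching condition); a rule with constraints is a specific
    program matching condition.
    """
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|") if f.strip()]
        if not fields:
            continue
        constraints, dlls = {}, []
        for field in fields:
            key, _, value = field.partition("=")
            key, value = key.strip(), value.strip()
            if key == "DLL_HIJACK":
                dlls.append(value.lower())
            elif key in CHARACTERISTIC_KEYS:
                constraints[CHARACTERISTIC_KEYS[key]] = value
            else:
                raise ValueError(f"unknown rule field: {field!r}")
        rules.append((constraints, dlls))
    return rules


def dlls_to_check(characteristics, rules):
    """Substep a2: names of the DLLs the pending program must be checked for.

    Public DLL names (no constraints) always apply; specific DLL names apply
    only when every constraint matches the program's characteristic info.
    """
    wanted = set()
    for constraints, dlls in rules:
        if all(characteristics.get(k) == v for k, v in constraints.items()):
            wanted.update(dlls)
    return wanted


def find_hijacked_dlls(dll_names, specified_dir):
    """Substep a3: the DLLs to check that actually exist in the directory.

    Only a DLL present there will be loaded by the program, so only those
    count as hijacked and are sent to the server for scanning.
    """
    present = {name.lower() for name in os.listdir(specified_dir)}
    return {name for name in dll_names if name in present}


def demo():
    """Re-run the page's worked example in a throwaway directory."""
    rules = parse_rules(LOCAL_DISCRIMINATION_CONDITION)
    program = {"file_description": "360 network connection readers"}
    to_check = dlls_to_check(program, rules)
    with tempfile.TemporaryDirectory() as d:
        # Constructed directory contents: three of the four DLLs are present.
        for name in ("lpk.dll", "usp10.dll", "360netview.dll", "readme.txt"):
            open(os.path.join(d, name), "wb").close()
        hijacked = find_hijacked_dlls(to_check, d)
    return to_check, hijacked


if __name__ == "__main__":
    print(demo())
```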
Note that, corresponding to embodiment one above, substeps a1 to a2 in this embodiment are the detailed process of step S102 in embodiment one, and substep a3 is the detailed process of step S103 in embodiment one; this embodiment does not discuss them again in detail.
Step S302: obtain the EXE file corresponding to the pending program.
Step S303: if the DLL file information that needs checking exists under the specified directory, upload the information of the EXE file corresponding to the pending program and the information of the hijacked DLL file to the server.
The uploaded file information may include information such as the file's hash value and file path; the embodiment of the invention is not limited in this respect.
Because existing active defense only checks the EXE file of a program and does not check the program's DLL files, if a malicious program uses a program in the trusted white list to load a malicious DLL file, the malicious program can bypass the interception of active defense and execute successfully.
Therefore, the embodiment of the invention proposes checking not only the EXE file of a program but also its DLL files; not all DLL files are checked, however. Instead, the hijacked DLL files in the program are determined by matching against the local discrimination condition, and then those hijacked DLL files are scanned.
Specifically, the scanning of files is performed by the server. Therefore, if it is judged in step S201 that the pending program has hijacked DLL files, and those hijacked DLL files have been determined, then the information of the EXE file corresponding to the pending program and the information of the hijacked DLL files are all uploaded to the server, and the server scans these files. If it is judged that the pending program has no hijacked DLL file, this pending program has not been exploited by a malicious program, and at this time only the information of the EXE file corresponding to the pending program needs to be uploaded to the server.
For example, if it is judged in step S301 that the hijacked DLL files of the pending program are "lpk.dll", "usp10.dll" and "360netview.dll", then the information of the DLL files "lpk.dll", "usp10.dll" and "360netview.dll" and the information of the EXE file corresponding to the pending program whose file description is "360 network connection reader" are uploaded to the server.
Step S304: scan the hijacked DLL file by the server.
After receiving the information of the EXE file corresponding to the pending program and the information of the hijacked DLL file uploaded by the client, the server scans the corresponding files according to that file information.
Step S304 may specifically comprise:
Substep b1: obtain, by the server, the grade of the EXE file and the grade of the hijacked DLL file.
In this embodiment, the grades comprise a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade. The grades may be set as follows: a grade of 10-29 is the safe grade (a file of this grade is a white file), a grade of 30-49 is the unknown grade (a file of this grade is a grey file), a grade of 50-69 is the suspicious/highly suspicious grade (a file of this grade is a suspicious file), and a grade greater than or equal to 70 is the malicious grade (a file of this grade is a malicious file). Of course, the grades may also be set in other forms, and the invention is not limited in this respect.
Substep b2: scan the hijacked DLL file according to the grade of the EXE file and the grade of the hijacked DLL file.
Specifically, the EXE file and the hijacked DLL file may be scanned by a cloud scanning engine for portable executable (PE) type files, or by an artificial intelligence engine (Qihoo Virtual Machine, QVM). PE type files generally refer to program files on the Windows operating system; common PE type files include EXE, DLL, OCX, SYS and COM files.
The antivirus engine may scan the corresponding file according to the recognition result for the file grade and according to the blacklist and/or white list kept in the antivirus engine.
For the specific scanning process, those skilled in the art may perform the corresponding handling according to practical experience; this embodiment does not discuss it in detail.
Step S305: perform the corresponding operation on the pending program according to the server scan result.
After obtaining the grade of the EXE file and the grade of the hijacked DLL file, the server sends the obtained grades down to the client, and the client performs the corresponding operation on the pending program according to the server scan result.
Specifically, step S305 may comprise the following substeps:
Substep c1: when at least one of the grade of the EXE file and the grade of the hijacked DLL file is the malicious grade, intercept the execution of the pending program.
In this embodiment there are one or more hijacked DLL files. If the malicious grade appears among the obtained grade of the EXE file and the grades of the hijacked DLL files, the pending program is risky and its execution needs to be intercepted at this point.
Substep c2: when the grade of the EXE file and the grade of the hijacked DLL file are both the safe grade, allow the pending program to execute.
Substep c3: when the malicious grade does not appear among the grade of the EXE file and the grade of the hijacked DLL file, and the grade of at least one hijacked DLL file is higher than the grade of the EXE file, obtain the highest grade among them, modify the grade of the EXE file to that highest grade, allow the pending program to execute, and intercept suspicious operations initiated after the pending program executes.
If the grade of the EXE file and the grades of the hijacked DLL files satisfy neither of the two situations in substeps c1 and c2, the grade of the EXE file is modified to the highest grade and the pending program may be allowed to execute. Because the EXE file of the pending program may still carry risk at this point, suspicious operations initiated after the pending program executes can be intercepted.
For example, suppose the hijacked DLL files of the pending program determined in step S301 are "lpk.dll", "usp10.dll" and "360netview.dll", and the grades obtained by the server are: the EXE file of the pending program has the safe grade, lpk.dll has the unknown grade, usp10.dll has the unknown grade, and 360netview.dll has the suspicious/highly suspicious grade. The highest file grade is the suspicious/highly suspicious grade, so the grade of the EXE file is modified to the suspicious/highly suspicious grade.
Moreover, because the grade of the EXE file has been modified, when this pending program subsequently performs some suspicious operation, whether the program is safe can be judged from the grade of the EXE file; if the EXE file is suspicious, those suspicious operations can be intercepted.
The suspicious operation may be any one of the following: file operations, registry operations, process operations and network operations.
For example, file operations may be operations on files related to the Windows operating system, on widely installed application software (such as QQ, Ali Wangwang and so on), or on desktop shortcuts, and so on;
registry operations may be a program writing itself into the registry for automatic loading, damaging the registry, and so on;
process operations may be mutual injection between processes (one process inserts code into another process and executes it), remote thread operations, terminating a process (for example, some malicious programs terminate the QQ process so that the password can be intercepted when the user logs in again), subsequent operations of a process, and so on;
network operations may be installing drivers or services, global hook injection, keyboard logging, modifying web page content in the browser, and so on.
Of course, other operations may also be included; the embodiment of the invention is not limited in this respect.
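The client-side decision of substeps c1 to c3 and the follow-up interception of the suspicious operations just listed, as an added Python example that is not the patent's own code; the numeric grades are constructed, and treating every non-safe EXE grade as grounds for interception is an assumption.

```python
"""Client-side handling of the server scan result (step S305, substeps c1-c3).

Constructed example, not the patent's own code. Grade bands are the ones the
text gives (10-29 safe, 30-49 unknown, 50-69 suspicious/highly suspicious,
>=70 malicious); the numeric grades used below are constructed.
"""

SAFE = "safe"
UNKNOWN = "unknown"
SUSPICIOUS = "suspicious/highly suspicious"
MALICIOUS = "malicious"

# Categories of suspicious operation listed in the text.
SUSPICIOUS_OPERATIONS = {"file", "registry", "process", "network"}


def grade_class(grade):
    """Map a numeric grade to its class using the bands from the text."""
    if 10 <= grade <= 29:
        return SAFE
    if 30 <= grade <= 49:
        return UNKNOWN
    if 50 <= grade <= 69:
        return SUSPICIOUS
    if grade >= 70:
        return MALICIOUS
    raise ValueError(f"grade {grade} is outside the defined bands")


def decide(exe_grade, dll_grades):
    """Return (action, effective_exe_grade) for one pending program.

    dll_grades holds the grade of each hijacked DLL (one or more).
    c1: any malicious grade -> intercept execution ("block").
    c2: every grade safe -> "allow".
    c3: otherwise raise the EXE grade to the highest grade seen, allow the
        program to run, and intercept its later suspicious operations.
    """
    dll_grades = list(dll_grades)
    classes = [grade_class(exe_grade)] + [grade_class(g) for g in dll_grades]
    if MALICIOUS in classes:
        return "block", exe_grade
    if all(c == SAFE for c in classes):
        return "allow", exe_grade
    return "allow_and_intercept", max([exe_grade, *dll_grades])


def should_intercept(operation, effective_exe_grade):
    """After launch: intercept a suspicious operation when the (possibly
    raised) EXE grade is no longer safe.

    Assumption: any non-safe class is enough to intercept; the text only
    says the operation is intercepted 'if the EXE file is suspicious'.
    """
    if operation not in SUSPICIOUS_OPERATIONS:
        return False
    return grade_class(effective_exe_grade) != SAFE


def worked_example():
    """The page's example: safe EXE, two unknown DLLs, one suspicious DLL."""
    exe_grade = 20                        # safe band (constructed value)
    dll_grades = {"lpk.dll": 35,          # unknown
                  "usp10.dll": 40,        # unknown
                  "360netview.dll": 60}   # suspicious/highly suspicious
    action, new_exe_grade = decide(exe_grade, dll_grades.values())
    # The EXE grade is raised to the suspicious class, so a later registry
    # write by the program is intercepted.
    return action, grade_class(new_exe_grade), should_intercept("registry", new_exe_grade)


if __name__ == "__main__":
    print(worked_example())
```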
Note that this embodiment mainly handles the situation in which a malicious program uses a program in the trusted white list to load a malicious DLL file; therefore the grade of the EXE file should be the safe grade, and if the grade of some DLL file is higher than the grade of this EXE file, the grade of the EXE file is modified.
Step S306: regularly detect whether the local discrimination condition satisfies an upgrade condition; if so, download a new discrimination condition from the server and complete the upgrade of the local discrimination condition by reloading the new discrimination condition.
The local discrimination condition in this embodiment needs to be upgraded regularly. Specifically, an upgrade condition may be configured in the server; the client regularly detects whether the local discrimination condition satisfies the upgrade condition and, when it does, downloads a new local discrimination condition from the server and replaces the original local discrimination condition with the new one, thereby upgrading the original local discrimination condition.
The upgrade condition may be judged according to the file version of the local discrimination condition, for example upgrading whenever an updated version is available; alternatively an upgrade to a specified version may be required when the local version satisfies a certain condition. The embodiment of the invention is not limited in this respect.
For example, if a newly exploited program (QQ game) is found but is not present in the local discrimination condition, a specific program matching condition can be added to the local discrimination condition, comprising the characteristic information of this program (file description "QQ game") and the DLL file information that needs checking once this specific program matching condition is satisfied.
Of course, other ways may also be used to upgrade the local discrimination condition; this embodiment is not limited in this respect.
Finally, note that the embodiment of the invention mainly handles the situation in which a malicious program uses a program in the trusted white list to load a malicious DLL file. If the pending program is a program in the trusted white list, active defense technology, which checks only the EXE file of the program, will judge the program safe and allow it to execute; but if a malicious program uses the program in this white list to load a malicious DLL file, the malicious program will also execute successfully.
Therefore, for this situation, the embodiment of the invention checks, when the creation of the pending program's process is detected, whether the pending program has a hijacked DLL file according to the preset local discrimination condition; if it does, the hijacked DLL file is scanned by the server, and the corresponding operation is then performed on the pending program according to the server scan result. This solves the problem that active defense cannot properly intercept a malicious program that uses a program in the trusted white list to load a malicious DLL file, achieving the beneficial effect of intercepting malicious programs more effectively.
Note that, for simplicity of description, the method embodiments above are all expressed as a series of combined actions; those skilled in the art should know, however, that the application is not limited by the described order of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the application.
Embodiment four:
With reference to Fig. 5, a structural block diagram of a program identification system according to an embodiment of the invention is shown. The system comprises a client 501 and a server 502, wherein
the client 501 comprises:
a reading module 5011, adapted to read a preset local discrimination condition when the creation of a pending program's process is detected;
a matching module 5012, adapted to match the pending program against the local discrimination condition and obtain a matching result;
a determination module 5013, adapted to determine, according to the matching result, whether the pending program has a hijacked DLL file.
Through the above modules of the client, the local discrimination condition can be used to detect whether the pending program has a hijacked DLL file. If it does, the hijacked DLL file can subsequently be scanned by the server, and the corresponding operation performed on the pending program according to the server scan result. This solves the problem that active defense cannot properly intercept a malicious program that uses a program in the trusted white list to load a malicious DLL file, intercepting malicious programs more effectively.
Embodiment five:
With reference to Fig. 6, a structural block diagram of a program identification system according to an embodiment of the invention is shown. The system comprises a client 601 and a server 602.
The client 601 comprises a checking module 6011, an EXE file acquisition module 6012, an upload module 6013, a processing module 6014 and an upgrade module 6015; the server 602 comprises a scanning module 6021.
The checking module 6011 is adapted to check, when the creation of a pending program's process is detected, whether the pending program has a hijacked DLL file according to a preset local discrimination condition;
Note that the above checking module is mainly used to check whether the pending program has a hijacked DLL file; relative to embodiment four above, this checking module may comprise the reading module 5011, the matching module 5012 and the determination module 5013 of embodiment four.
The pending program is a program in the white list, and the local discrimination condition is stored under a local directory of the client.
The checking module 6011 comprises:
a characteristic information acquisition submodule, adapted to obtain the characteristic information of the pending program;
The characteristic information of the pending program may comprise at least one of the following:
the file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright statement information, product name information, product version information and digital signature company information of the pending program, and the command line information, process path information and parent process path information of the process created by the pending program.
a DLL file information acquisition submodule, adapted to match the characteristic information of the pending program against the local discrimination condition, obtain the DLL file information that the pending program needs to check, and take that DLL file information as the matching result;
The local discrimination condition comprises a plurality of program matching conditions and, for each program matching condition, the DLL file information that needs checking once that condition is satisfied.
The program matching conditions are of two kinds: common program matching conditions and specific program matching conditions.
The first kind: common program matching condition
The DLL file information that needs checking once a common program matching condition is satisfied is public DLL file information, and the DLL file information acquisition submodule comprises:
a public DLL file information acquisition unit, adapted to obtain the public DLL file information that needs checking once the common program matching condition is satisfied;
a first determining unit, adapted to take the public DLL file information as the DLL file information that the pending program needs to check.
The second kind: specific program matching condition
The DLL file information that needs checking once a specific program matching condition is satisfied is specific DLL file information, and the DLL file information acquisition submodule comprises:
a matching unit, adapted to match the characteristic information of the pending program against the specific program matching condition;
The specific program matching condition may comprise at least one of the following:
file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright statement information, product name information, product version information, digital signature information of the company name, and the command line information, process path information and parent process path information of the process;
a specific DLL file information acquisition unit, adapted to obtain the specific DLL file information that needs checking once the matched specific program matching condition is satisfied;
a second determining unit, adapted to take the specific DLL file information as the DLL file information that the pending program needs to check.
a judging submodule, adapted to judge whether the DLL file information that needs checking exists under the specified directory and, if so, determine that the pending program has a hijacked DLL file; wherein the hijacked DLL file is the DLL file present under the specified directory, and the specified directory is the current directory or a specified relative directory.
Note that, corresponding to embodiment four above, the characteristic information acquisition submodule and the DLL file information acquisition submodule of this embodiment may be submodules comprised in the matching module of embodiment four, and the judging submodule may be a submodule comprised in the determination module of embodiment four; this embodiment does not discuss them again in detail.
The EXE file acquisition module 6012 is adapted to obtain the EXE file corresponding to the pending program before the scanning module of the server scans the hijacked DLL file;
the upload module 6013 is adapted to upload the information of the EXE file corresponding to the pending program and the information of the hijacked DLL file to the server;
The server 602 comprises:
a scanning module 6021, adapted to scan the hijacked DLL file when the check result of the client's checking module is that a hijacked DLL file exists;
The scanning module 6021 comprises:
a grade acquisition submodule, adapted to obtain the grade of the EXE file and the grade of the hijacked DLL file, the grades comprising a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade;
a scanning submodule, adapted to scan the hijacked DLL file according to the grade of the EXE file and the grade of the hijacked DLL file.
The client further comprises:
a processing module 6014, adapted to perform the corresponding operation on the pending program according to the server scan result;
wherein there are one or more hijacked DLL files, and the processing module 4014 comprises:
a program interception submodule, adapted to intercept the execution of the pending program when at least one of the grade of the EXE file and the grade of the hijacked DLL file is the malicious grade;
an execution submodule, adapted to allow the pending program to execute when the grade of the EXE file and the grade of the hijacked DLL file are both the safe grade;
a suspicious operation interception submodule, adapted, when the malicious grade does not appear among the grade of the EXE file and the grade of the hijacked DLL file and the grade of at least one hijacked DLL file is higher than the grade of the EXE file, to obtain the highest grade among them, modify the grade of the EXE file to that highest grade, allow the pending program to execute, and intercept suspicious operations initiated after the pending program executes.
The suspicious operation may be any one of the following: file operations, registry operations, process operations and network operations; of course, the suspicious operation may also be some other operation, and the embodiment of the invention is not limited in this respect.
The upgrade module 6015 is adapted to regularly detect whether the local discrimination condition satisfies an upgrade condition and, if so, download a new discrimination condition from the server and complete the upgrade of the local discrimination condition by reloading the new discrimination condition;
wherein the upgrade condition is configured in the server.
The program identification system of the embodiment of the invention can check, according to the local discrimination condition, whether the pending program has a hijacked DLL file, scan the hijacked DLL file of the pending program, and then perform the corresponding operation on the pending program according to the server scan result. This solves the problem that active defense cannot properly intercept a malicious program that uses a program in the trusted white list to load a malicious DLL file, achieving the beneficial effect of intercepting malicious programs more effectively.
Since the program identification system embodiments above are basically similar to the method embodiments, their description is relatively simple; for the relevant parts, refer to the explanation of the method embodiments shown in Fig. 1, Fig. 2 and Fig. 3.
Each embodiment in this specification is described in a progressive manner; each embodiment emphasizes its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another.
Those skilled in the art will readily appreciate that any combination of the embodiments above is feasible, so any combination of the embodiments above is an embodiment of the application; for reasons of space, this specification does not describe them one by one in detail.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such a system is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the description above of a specific language is given to disclose the best mode of the invention.
Numerous specific details are described in the specification provided herein. It is understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of exemplary embodiments of the invention above. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are intended to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the program identification system according to the embodiment of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the embodiments above illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Disclosed herein are:
A1. A program identification method, comprising: when creation of a process by a program to be processed is detected, reading a preset local identification condition; matching the program to be processed against the local identification condition to obtain a matching result; determining, according to the matching result, whether the program to be processed has a hijacked DLL file; if so, having a server scan (scan-and-kill) the hijacked DLL file; and performing a corresponding operation on the program to be processed according to the server's scan result.
A2. The method of A1, wherein matching the program to be processed against the local identification condition to obtain a matching result comprises: obtaining characteristic information of the program to be processed; and matching the characteristic information of the program to be processed against the local identification condition to obtain information on the DLL files that the program to be processed needs to have checked, taking that DLL file information as the matching result.
A3. The method of A2, wherein determining according to the matching result whether the program to be processed has a hijacked DLL file comprises: judging whether a DLL file matching the DLL file information to be checked exists in a specified directory and, if so, determining that the program to be processed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file that exists in the specified directory, and the specified directory is the current directory or a specified relative directory.
A4. The method of A2, wherein the local identification condition includes a plurality of program matching conditions and, for each program matching condition, the information on the DLL files to be checked once that program matching condition is satisfied.
A5. The method of A4, wherein the program matching conditions include a common program matching condition, the DLL file information to be checked after the common program matching condition is satisfied being common DLL file information, and wherein matching the characteristic information of the program to be processed against the local identification condition to obtain the DLL information that the program to be processed needs to have checked comprises: obtaining the common DLL file information to be checked once the common program matching condition is satisfied; and taking the common DLL file information as the DLL file information that the program to be processed needs to have checked.
A6. The method of A4, wherein the program matching conditions include a specific program matching condition, the DLL file information to be checked after the specific program matching condition is satisfied being specific DLL file information, and wherein matching the characteristic information of the program to be processed against the local identification condition to obtain the DLL information that the program to be processed needs to have checked comprises: matching the characteristic information of the program to be processed against the specific program matching condition; obtaining the specific DLL file information to be checked once the matched specific program matching condition is satisfied; and taking the specific DLL file information as the DLL file information that the program to be processed needs to have checked.
A7. The method of A6, wherein the specific program matching condition comprises at least one of the following: file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information, digital signature company name information, and the command line information, process path information and parent process path information of the process; and the characteristic information of the program to be processed comprises at least one of the following: the file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature company information of the program to be processed, and the command line information, process path information and parent process path information of the process created by the program to be processed.
A8. The method of A1, further comprising, before the server scans the hijacked DLL file: obtaining the EXE file corresponding to the program to be processed; and uploading information on the EXE file corresponding to the program to be processed and information on the hijacked DLL file to the server; and wherein having the server scan the hijacked DLL file comprises: obtaining, via the server, a grade of the EXE file and a grade of the hijacked DLL file, the grades comprising a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade; and scanning the hijacked DLL file according to the grade of the EXE file and the grade of the hijacked DLL file.
A9. The method of A8, wherein there are one or more hijacked DLL files, and wherein performing a corresponding operation on the program to be processed according to the server's scan result comprises: when at least one of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade, blocking execution of the program to be processed; when the grade of the EXE file and the grades of the hijacked DLL files are all the safe grade, allowing the program to be processed to execute; and when none of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade but the grade of at least one hijacked DLL file is higher than the grade of the EXE file, obtaining the highest of those grades, changing the grade of the EXE file to that highest grade, allowing the program to be processed to execute, and intercepting suspicious operations initiated after the program to be processed starts executing.
A10. The method of A9, wherein a suspicious operation is any of the following: a file operation, a registry operation, a process operation and a network operation.
A11. The method of A1, wherein the program to be processed is a program on a whitelist.
A12. The method of A1, wherein the local identification condition is stored in a local directory of the client.
A13. The method of A1, further comprising: periodically detecting whether the local identification condition satisfies an upgrade condition and, if so, downloading a new identification condition from the server and completing the upgrade of the local identification condition by reloading the new identification condition; wherein the upgrade condition is configured on the server.
Also disclosed herein are:
B14. A program identification system comprising a client and a server, wherein the client comprises: a reading module adapted to read a preset local identification condition when creation of a process by a program to be processed is detected; a matching module adapted to match the program to be processed against the local identification condition and obtain a matching result; and a determination module adapted to determine, according to the matching result, whether the program to be processed has a hijacked DLL file; the server comprises: a scanning module adapted to scan the hijacked DLL file when the determination module of the client finds that one exists; and the client further comprises: a processing module adapted to perform a corresponding operation on the program to be processed according to the server's scan result.
B15. The system of B14, wherein the matching module comprises: a characteristic information obtaining submodule adapted to obtain characteristic information of the program to be processed; and a DLL file information obtaining submodule adapted to match the characteristic information of the program to be processed against the local identification condition, obtain information on the DLL files that the program to be processed needs to have checked, and take that DLL file information as the matching result.
B16. The system of B15, wherein the determination module comprises: a judging submodule adapted to judge whether a DLL file matching the DLL file information to be checked exists in a specified directory and, if so, to determine that the program to be processed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file that exists in the specified directory, and the specified directory is the current directory or a specified relative directory.
B17. The system of B15, wherein the local identification condition includes a plurality of program matching conditions and, for each program matching condition, the information on the DLL files to be checked once that program matching condition is satisfied.
B18. The system of B17, wherein the program matching conditions include a common program matching condition, the DLL file information to be checked after the common program matching condition is satisfied being common DLL file information, and the DLL file information obtaining submodule comprises: a common DLL file information obtaining unit adapted to obtain the common DLL file information to be checked once the common program matching condition is satisfied; and a first determining unit adapted to take the common DLL file information as the DLL file information that the program to be processed needs to have checked.
B19. The system of B17, wherein the program matching conditions include a specific program matching condition, the DLL file information to be checked after the specific program matching condition is satisfied being specific DLL file information, and the DLL file information obtaining submodule comprises: a matching unit adapted to match the characteristic information of the program to be processed against the specific program matching condition; a specific DLL file information obtaining unit adapted to obtain the specific DLL file information to be checked once the matched specific program matching condition is satisfied; and a second determining unit adapted to take the specific DLL file information as the DLL file information that the program to be processed needs to have checked.
B20. The system of B19, wherein the specific program matching condition comprises at least one of the following: file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information, digital signature company name information, and the command line information, process path information and parent process path information of the process; and the characteristic information of the program to be processed comprises at least one of the following: the file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature company information of the program to be processed, and the command line information, process path information and parent process path information of the process created by the program to be processed.
B21. The system of B14, wherein the client further comprises: an EXE file obtaining module adapted to obtain the EXE file corresponding to the program to be processed before the scanning module of the server scans the hijacked DLL file; and an uploading module adapted to upload information on the EXE file corresponding to the program to be processed and information on the hijacked DLL file to the server; and the scanning module comprises: a grade obtaining submodule adapted to obtain a grade of the EXE file and a grade of the hijacked DLL file, the grades comprising a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade; and a scanning submodule adapted to scan the hijacked DLL file according to the grade of the EXE file and the grade of the hijacked DLL file.
B22. The system of B21, wherein there are one or more hijacked DLL files, and the processing module comprises: a program interception submodule adapted to block execution of the program to be processed when at least one of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade; an execution submodule adapted to allow the program to be processed to execute when the grade of the EXE file and the grades of the hijacked DLL files are all the safe grade; and a suspicious operation interception submodule adapted, when none of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade but the grade of at least one hijacked DLL file is higher than the grade of the EXE file, to obtain the highest of those grades, change the grade of the EXE file to that highest grade, allow the program to be processed to execute, and intercept suspicious operations initiated after the program to be processed starts executing.
B23. The system of B22, wherein a suspicious operation is any of the following: a file operation, a registry operation, a process operation and a network operation.
B24. The system of B14, wherein the program to be processed is a program on a whitelist.
B25. The system of B14, wherein the local identification condition is stored in a local directory of the client.
B26. The system of B14, wherein the client further comprises: an upgrade module adapted to periodically detect whether the local identification condition satisfies an upgrade condition and, if so, to download a new identification condition from the server and complete the upgrade of the local identification condition by reloading the new identification condition; wherein the upgrade condition is configured on the server.

Claims (20)

1. A program identification method, comprising:
when creation of a process by a program to be processed is detected, reading a preset local identification condition;
matching the program to be processed against the local identification condition to obtain a matching result;
determining, according to the matching result, whether the program to be processed has a hijacked DLL file;
if so, having a server scan (scan-and-kill) the hijacked DLL file; and
performing a corresponding operation on the program to be processed according to the server's scan result.
2. The method according to claim 1, wherein matching the program to be processed against the local identification condition to obtain a matching result comprises:
obtaining characteristic information of the program to be processed; and
matching the characteristic information of the program to be processed against the local identification condition to obtain information on the DLL files that the program to be processed needs to have checked, and taking that DLL file information as the matching result.
3. The method according to claim 2, wherein determining according to the matching result whether the program to be processed has a hijacked DLL file comprises:
judging whether a DLL file matching the DLL file information to be checked exists in a specified directory and, if so, determining that the program to be processed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file that exists in the specified directory, and the specified directory is the current directory or a specified relative directory.
4. The method according to claim 2, wherein the local identification condition includes a plurality of program matching conditions and, for each program matching condition, the information on the DLL files to be checked once that program matching condition is satisfied.
5. The method according to claim 4, wherein the program matching conditions include a common program matching condition, the DLL file information to be checked after the common program matching condition is satisfied being common DLL file information, and
wherein matching the characteristic information of the program to be processed against the local identification condition to obtain the DLL information that the program to be processed needs to have checked comprises:
obtaining the common DLL file information to be checked once the common program matching condition is satisfied; and
taking the common DLL file information as the DLL file information that the program to be processed needs to have checked.
6. The method according to claim 4, wherein the program matching conditions include a specific program matching condition, the DLL file information to be checked after the specific program matching condition is satisfied being specific DLL file information, and
wherein matching the characteristic information of the program to be processed against the local identification condition to obtain the DLL information that the program to be processed needs to have checked comprises:
matching the characteristic information of the program to be processed against the specific program matching condition;
obtaining the specific DLL file information to be checked once the matched specific program matching condition is satisfied; and
taking the specific DLL file information as the DLL file information that the program to be processed needs to have checked.
7. The method according to claim 6, wherein
the specific program matching condition comprises at least one of the following:
file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information, digital signature company name information, and the command line information, process path information and parent process path information of the process; and
the characteristic information of the program to be processed comprises at least one of the following:
the file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature company information of the program to be processed, and the command line information, process path information and parent process path information of the process created by the program to be processed.
8. The method according to claim 1,
further comprising, before the server scans the hijacked DLL file:
obtaining the EXE file corresponding to the program to be processed; and
uploading information on the EXE file corresponding to the program to be processed and information on the hijacked DLL file to the server;
and wherein having the server scan the hijacked DLL file comprises:
obtaining, via the server, a grade of the EXE file and a grade of the hijacked DLL file, the grades comprising a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade; and
scanning the hijacked DLL file according to the grade of the EXE file and the grade of the hijacked DLL file.
9. The method according to claim 8, wherein there are one or more hijacked DLL files, and
wherein performing a corresponding operation on the program to be processed according to the server's scan result comprises:
when at least one of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade, blocking execution of the program to be processed;
when the grade of the EXE file and the grades of the hijacked DLL files are all the safe grade, allowing the program to be processed to execute; and
when none of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade but the grade of at least one hijacked DLL file is higher than the grade of the EXE file, obtaining the highest of those grades, changing the grade of the EXE file to that highest grade, allowing the program to be processed to execute, and intercepting suspicious operations initiated after the program to be processed starts executing.
10. The method according to claim 1, further comprising:
periodically detecting whether the local identification condition satisfies an upgrade condition and, if so, downloading a new identification condition from the server and completing the upgrade of the local identification condition by reloading the new identification condition;
wherein the upgrade condition is configured on the server.
11. A program identification system comprising a client and a server, wherein
the client comprises:
a reading module adapted to read a preset local identification condition when creation of a process by a program to be processed is detected;
a matching module adapted to match the program to be processed against the local identification condition and obtain a matching result; and
a determination module adapted to determine, according to the matching result, whether the program to be processed has a hijacked DLL file;
the server comprises:
a scanning module adapted to scan the hijacked DLL file when the determination module of the client finds that one exists; and
the client further comprises:
a processing module adapted to perform a corresponding operation on the program to be processed according to the server's scan result.
12. The system according to claim 11, wherein the matching module comprises:
a characteristic information obtaining submodule adapted to obtain characteristic information of the program to be processed; and
a DLL file information obtaining submodule adapted to match the characteristic information of the program to be processed against the local identification condition, obtain information on the DLL files that the program to be processed needs to have checked, and take that DLL file information as the matching result.
13. The system according to claim 12, wherein the determination module comprises:
a judging submodule adapted to judge whether a DLL file matching the DLL file information to be checked exists in a specified directory and, if so, to determine that the program to be processed has a hijacked DLL file; wherein the hijacked DLL file is a DLL file that exists in the specified directory, and the specified directory is the current directory or a specified relative directory.
14. The system according to claim 12, wherein the local identification condition includes a plurality of program matching conditions and, for each program matching condition, the information on the DLL files to be checked once that program matching condition is satisfied.
15. The system according to claim 14, wherein the program matching conditions include a common program matching condition, the DLL file information to be checked after the common program matching condition is satisfied being common DLL file information, and
the DLL file information obtaining submodule comprises:
a common DLL file information obtaining unit adapted to obtain the common DLL file information to be checked once the common program matching condition is satisfied; and
a first determining unit adapted to take the common DLL file information as the DLL file information that the program to be processed needs to have checked.
16. The system according to claim 14, wherein the program matching conditions include a specific program matching condition, the DLL file information to be checked after the specific program matching condition is satisfied being specific DLL file information, and
the DLL file information obtaining submodule comprises:
a matching unit adapted to match the characteristic information of the program to be processed against the specific program matching condition;
a specific DLL file information obtaining unit adapted to obtain the specific DLL file information to be checked once the matched specific program matching condition is satisfied; and
a second determining unit adapted to take the specific DLL file information as the DLL file information that the program to be processed needs to have checked.
17. The system according to claim 16, wherein
the specific program matching condition comprises at least one of the following:
file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information, digital signature company name information, and the command line information, process path information and parent process path information of the process; and
the characteristic information of the program to be processed comprises at least one of the following:
the file name information, file description information, file size information, file version information, file feature value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature company information of the program to be processed, and the command line information, process path information and parent process path information of the process created by the program to be processed.
18. The system according to claim 11, wherein
the client further comprises:
an EXE file obtaining module adapted to obtain the EXE file corresponding to the program to be processed before the scanning module of the server scans the hijacked DLL file; and
an uploading module adapted to upload information on the EXE file corresponding to the program to be processed and information on the hijacked DLL file to the server; and
the scanning module comprises:
a grade obtaining submodule adapted to obtain a grade of the EXE file and a grade of the hijacked DLL file, the grades comprising a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade; and
a scanning submodule adapted to scan the hijacked DLL file according to the grade of the EXE file and the grade of the hijacked DLL file.
19. The system according to claim 18, wherein there are one or more hijacked DLL files, and
the processing module comprises:
a program interception submodule adapted to block execution of the program to be processed when at least one of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade;
an execution submodule adapted to allow the program to be processed to execute when the grade of the EXE file and the grades of the hijacked DLL files are all the safe grade; and
a suspicious operation interception submodule adapted, when none of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade but the grade of at least one hijacked DLL file is higher than the grade of the EXE file, to obtain the highest of those grades, change the grade of the EXE file to that highest grade, allow the program to be processed to execute, and intercept suspicious operations initiated after the program to be processed starts executing.
20. The system according to claim 11, wherein the client further comprises:
an upgrade module adapted to periodically detect whether the local identification condition satisfies an upgrade condition and, if so, to download a new identification condition from the server and complete the upgrade of the local identification condition by reloading the new identification condition;
wherein the upgrade condition is configured on the server.
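The client-side procedure of claims 1 to 9, as an added example that is not code from the patent or its assignee: the condition fields, DLL names and grades are constructed sample values, and the fallback used when no grade is malicious, not all grades are safe and no DLL outranks the EXE is an assumption the claims leave open.

```python
"""Added example, not code from the patent: a minimal, runnable model of the
client-side logic in claims 1-9 (local condition matching, DLL presence check
in the process's directory, and the grade-based decision). Condition fields,
DLL names and grades are constructed sample values."""
import os
import tempfile
from dataclasses import dataclass

# The four grades named in claim 8, ordered from lowest to highest risk.
GRADES = ["safe", "unknown", "suspicious", "malicious"]


@dataclass
class Condition:
    """One program matching condition and the DLL names to check once it matches.
    An empty `match` dict plays the role of the common condition (claim 5)."""
    match: dict
    dlls: list


@dataclass
class ProcessInfo:
    """Characteristic information of the program (a subset of the fields in claim 7)."""
    characteristics: dict
    cwd: str


def dlls_to_check(proc, conditions):
    """Claims 2, 5 and 6: the common DLL list plus the DLL list of every specific
    condition whose fields all equal the process's characteristic information."""
    names = []
    for cond in conditions:
        if all(proc.characteristics.get(k) == v for k, v in cond.match.items()):
            for name in cond.dlls:
                if name.lower() not in (n.lower() for n in names):
                    names.append(name)
    return names


def find_hijacked_dlls(proc, conditions, relative_dir=""):
    """Claim 3: a DLL on the check list that exists in the current directory (or a
    specified directory relative to it) is reported as hijacked. The lookup is
    case-insensitive because the Windows loader ignores case; a case-sensitive
    comparison would miss a same-named file with different casing."""
    base = os.path.join(proc.cwd, relative_dir)
    try:
        present = {f.lower() for f in os.listdir(base)}
    except OSError:
        return []
    return [n for n in dlls_to_check(proc, conditions) if n.lower() in present]


def decide(exe_grade, dll_grades):
    """Claim 9. Returns (action, effective EXE grade).
    Assumption (not stated in the claims): if no grade is malicious, not all are
    safe, and no DLL outranks the EXE, the program is allowed at its own grade."""
    grades = [exe_grade] + list(dll_grades)
    if "malicious" in grades:
        return "block", exe_grade
    if all(g == "safe" for g in grades):
        return "allow", exe_grade
    highest = max(grades, key=GRADES.index)
    if GRADES.index(highest) > GRADES.index(exe_grade):
        # Raise the EXE's grade, let it run, but intercept the suspicious
        # operations of claim 10 (file, registry, process, network).
        return "allow_and_monitor", highest
    return "allow", exe_grade


# Constructed local identification condition (claim 4): one common entry and
# one specific entry keyed on product and company name.
SAMPLE_CONDITIONS = [
    Condition(match={}, dlls=["version.dll", "dwmapi.dll"]),
    Condition(match={"product_name": "ExampleViewer", "company_name": "Example Corp"},
              dlls=["msimg32.dll"]),
]


def demo():
    """Builds a throwaway process directory containing one planted DLL name and
    runs the whole client-side path. Returns (hijacked list, decision)."""
    with tempfile.TemporaryDirectory() as cwd:
        with open(os.path.join(cwd, "MSIMG32.dll"), "wb") as f:
            f.write(b"constructed placeholder, not a real PE file")
        proc = ProcessInfo(
            characteristics={"product_name": "ExampleViewer", "company_name": "Example Corp"},
            cwd=cwd)
        hijacked = find_hijacked_dlls(proc, SAMPLE_CONDITIONS)
        # The grades would come from the server (claim 8); constructed here.
        decision = decide("safe", ["suspicious"] * len(hijacked))
        return hijacked, decision


if __name__ == "__main__":
    print(demo())
```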
CN201210448492.1A 2012-11-09 2012-11-09 Program identification method and system Active CN102999720B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210448492.1A CN102999720B (en) 2012-11-09 2012-11-09 Program identification method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210448492.1A CN102999720B (en) 2012-11-09 2012-11-09 Program identification method and system

Publications (2)

Publication Number Publication Date
CN102999720A true CN102999720A (en) 2013-03-27
CN102999720B CN102999720B (en) 2015-09-16

Family

ID=47928275

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210448492.1A Active CN102999720B (en) 2012-11-09 2012-11-09 Program identification method and system

Country Status (1)

Country Link
CN (1) CN102999720B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544035A (en) * 2013-10-21 2014-01-29 北京奇虎科技有限公司 Application clearing method and device for mobile terminal
WO2014161353A1 (en) * 2013-04-03 2014-10-09 Tencent Technology (Shenzhen) Company Limited Method for starting process of application and computer system
CN104123489A (en) * 2014-07-02 2014-10-29 珠海市君天电子科技有限公司 Method and device for monitoring executable program
CN104424429A (en) * 2013-08-22 2015-03-18 安一恒通(北京)科技有限公司 Document behavior monitoring method and user equipment
CN105160247A (en) * 2015-09-30 2015-12-16 北京奇虎科技有限公司 Method for identifying hijacked browser
CN105653961A (en) * 2015-12-31 2016-06-08 北京元心科技有限公司 Method and device for improving loading safety of mobile terminal application
CN106203109A (en) * 2016-06-29 2016-12-07 北京金山安全软件有限公司 Safety protection processing method and device and electronic equipment
CN108491736A (en) * 2018-04-02 2018-09-04 北京顶象技术有限公司 Distort monitoring method and device
CN110955894A (en) * 2019-11-22 2020-04-03 深信服科技股份有限公司 Malicious content detection method and device, electronic equipment and readable storage medium
CN111368299A (en) * 2020-03-02 2020-07-03 西安四叶草信息技术有限公司 Dynamic link library file hijacking detection method, device and storage medium
CN111984968A (en) * 2020-09-07 2020-11-24 中国银行股份有限公司 Command execution method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838136A (en) * 2006-04-24 2006-09-27 南京树声科技有限公司 Method for searching harmful program in computer memory device
US20090199297A1 (en) * 2008-02-04 2009-08-06 Microsoft Corporation Thread scanning and patching to disable injected malware threats
CN102081722A (en) * 2011-01-04 2011-06-01 奇智软件(北京)有限公司 Method and device for protecting appointed application program
CN102663288A (en) * 2012-03-22 2012-09-12 奇智软件(北京)有限公司 Virus killing method and device thereof


Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104102500B (en) * 2013-04-03 2017-12-01 腾讯科技(深圳)有限公司 Method for starting process of application and computer system
WO2014161353A1 (en) * 2013-04-03 2014-10-09 Tencent Technology (Shenzhen) Company Limited Method for starting process of application and computer system
CN104102500A (en) * 2013-04-03 2014-10-15 腾讯科技(深圳)有限公司 Method for starting process of application and computer system
CN104424429A (en) * 2013-08-22 2015-03-18 安一恒通(北京)科技有限公司 Document behavior monitoring method and user equipment
CN103544035A (en) * 2013-10-21 2014-01-29 北京奇虎科技有限公司 Application clearing method and device for mobile terminal
CN104123489A (en) * 2014-07-02 2014-10-29 珠海市君天电子科技有限公司 Method and device for monitoring executable program
CN105160247A (en) * 2015-09-30 2015-12-16 北京奇虎科技有限公司 Method for identifying hijacked browser
CN105160247B (en) * 2015-09-30 2019-05-31 北京奇虎科技有限公司 Method for identifying a hijacked browser
CN105653961A (en) * 2015-12-31 2016-06-08 北京元心科技有限公司 Method and device for improving loading safety of mobile terminal application
CN105653961B (en) * 2015-12-31 2019-07-23 北京元心科技有限公司 Method and apparatus for improving loading safety of mobile terminal application
CN106203109A (en) * 2016-06-29 2016-12-07 北京金山安全软件有限公司 Safety protection processing method and device and electronic equipment
CN108491736A (en) * 2018-04-02 2018-09-04 北京顶象技术有限公司 Distort monitoring method and device
CN108491736B (en) * 2018-04-02 2020-09-22 北京顶象技术有限公司 Tamper monitoring method and device
CN110955894A (en) * 2019-11-22 2020-04-03 深信服科技股份有限公司 Malicious content detection method and device, electronic equipment and readable storage medium
CN111368299A (en) * 2020-03-02 2020-07-03 西安四叶草信息技术有限公司 Dynamic link library file hijacking detection method, device and storage medium
CN111984968A (en) * 2020-09-07 2020-11-24 中国银行股份有限公司 Command execution method and device

Also Published As

Publication number Publication date
CN102999720B (en) 2015-09-16

Similar Documents

Publication Publication Date Title
CN103001947B (en) Program processing method and system
CN102999720B (en) Program identification method and system
CN102982281B (en) Program state testing method and system
CN105427096B (en) Payment security sandbox implementation method and system and application program monitoring method and system
CN103077353B (en) The method and apparatus of Initiative Defense rogue program
CN102902919B (en) Method, device and system for identifying and processing suspicious operations
US9596257B2 (en) Detection and prevention of installation of malicious mobile applications
US10691800B2 (en) System and method for detection of malicious code in the address space of processes
CN102882875B (en) Active defense method and device
CN103020524B (en) Computer virus supervisory system
CN103281325A (en) Method and device for processing file based on cloud security
CN103886252A (en) Software Code Malicious Selection Evaluation Executed In Trusted Process Address Space
CN103679031A (en) File virus immunizing method and device
CN102737188A (en) Method and device for detecting malicious webpage
CN103473501B (en) Cloud-security-based malware tracing method
CN103049695B (en) Computer virus monitoring method and device
CN102902909A (en) System and method for preventing file from being tampered
CN104081404A (en) Application sandboxing using a dynamic optimization framework
US11522885B1 (en) System and method for information gain for malware detection
CN104517054A (en) Method, device, client and server for detecting malicious APK
CN103632101A (en) System call interception method and device
CN104036019A (en) Method and device for opening webpage links
CN102999721B (en) Program processing method and system
CN103279707A (en) Method, device and system for actively defending against malicious programs
CN103679027A (en) Searching and killing method and device for kernel level malware

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220330

Address after: 1773, floor 17, floor 15, building 3, No. 10, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: 360 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.