Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be implemented in a variety of forms and should not be limited by the embodiments set forth here. These embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
The present invention can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, etc.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on, which perform specific tasks or implement specific abstract data types. The computer system/server may be practised in distributed cloud computing environments, in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including memory storage devices.
Embodiment one:
Referring to Fig. 1, a flow chart of a program identification method according to an embodiment of the invention is shown. The method can comprise:
Step S101: when a pending program (a program about to be executed) is detected creating a process, read the pre-set local discrimination condition.
Step S102: match the pending program against the local discrimination condition to obtain a matching result.
Step S103: according to the matching result, determine whether the pending program has a hijacked DLL file.
The detailed procedure of the program identification method proposed in this embodiment is introduced in detail in the following embodiments.
Through steps S101 to S103, the local discrimination condition can be used to detect whether a pending program has a hijacked DLL file, and the pending program can then be handled according to the detection result. If the pending program is found to have a hijacked DLL file, the hijacked DLL file can subsequently be scanned and killed (hereinafter "killed") by a server, and a corresponding operation is then performed on the pending program according to the server's killing result. This solves the problem that a malicious program loads a malicious DLL file through a program on a trusted whitelist so that active defense cannot intercept it normally, and malicious programs can be intercepted more effectively.
Embodiment two:
Referring to Fig. 2, a flow chart of a program identification method according to an embodiment of the invention is shown.
To keep up with the rate at which malicious programs are updated, and to identify and kill them rapidly, active defense technology is generally used at present. Active defense is an autonomous real-time protection technology that analyzes and judges the behavior of a program: interception points are placed at key positions of the system so that those positions are protected. When a program performs a behavior that modifies one of these key positions (for example writing the registry, creating a scheduled task, modifying the browser home page, changing the default browser or registering a browser plug-in), the program is intercepted, and it must then be judged whether the modification is malicious. This judgement is usually made by judging whether the program performing the modification is safe: if the program is malicious, the modification is malicious, and execution of the program must be intercepted.
In general, active defense checks a program's files to detect whether the program is safe. However, checking a program file requires calculating the file's hash value and accessing the network, both of which are time-consuming operations; since an ordinary program may load dozens or even hundreds of DLL files, the program's start-up time would be noticeably prolonged even with caching optimisations. Therefore, to minimise the impact on program performance, active defense only checks the program's EXE file and does not check the DLL files the program loads. Some malicious programs exploit exactly this point: through DLL hijacking they package their own DLL file together with a program on the trusted whitelist (for example a program that ships with the operating system), so that when the user chooses to run the whitelisted program, the malicious program's DLL file is loaded and active defense fails to intercept the malicious program.
To prevent a malicious program from using a trusted whitelisted program to break through active defense and execute successfully, the embodiment of the invention proposes a program identification method comprising the following steps:
Step S201: when a pending program is detected creating a process, check according to the pre-set local discrimination condition whether the pending program has a hijacked DLL file.
It should be noted that the process in step S201 of checking whether the pending program has a hijacked DLL file corresponds to embodiment one above; step S201 can comprise steps S101 to S103 of embodiment one.
Step S202: if it does, kill the hijacked DLL file through a server.
Step S203: perform a corresponding operation on the pending program according to the server's killing result.
Through steps S201 to S203, when a pending program has hijacked DLL files, these files can further be killed by the server, and a corresponding operation is then performed on the pending program according to the server's killing result. The concrete processing is introduced in detail in the following embodiments.
By checking for hijacked DLL files in the program to be executed, the program identification method proposed by the embodiment of the invention solves the problem that a malicious program loads a malicious DLL file through a trusted whitelisted program so that active defense cannot intercept it normally, achieving the beneficial effect of intercepting malicious programs more effectively.
Embodiment three:
The concrete program identification method is described in detail below.
Referring to Fig. 3, a flow chart of a program identification method according to an embodiment of the invention is shown. The method comprises:
Step S301: when a pending program is detected creating a process, check according to the pre-set local discrimination condition whether the pending program has a hijacked DLL file.
The embodiment of the invention mainly adds a query of DLL files at the moment a pending program creates a process: it must be checked whether the pending program has a hijacked DLL file. If it does, the pending program is probably being exploited by a malicious program, and the hijacked DLL files must be checked further for safety.
In the present embodiment, whether the pending program has a hijacked DLL file is checked according to the pre-set local discrimination condition.
The local discrimination condition is stored in a local directory of the client. It comprises multiple program matching conditions and, for each, the DLL file information that needs to be checked when that program matching condition is met. The present embodiment matches some characteristic information of the pending program against the local discrimination condition and then judges according to the matching result.
Concretely, step S301 can comprise the following sub-steps:
Sub-step a1: obtain the characteristic information of the pending program.
The characteristic information of the pending program comprises at least one of the following:
the file name, file description, file size, file version, file characteristic value, internal name, company name, copyright notice, product name, product version and digital-signature company of the pending program, and the command line, process path and parent process path of the process created by the pending program.
Of course, the characteristic information of the pending program may also comprise other information; the present embodiment is not limited in this respect.
Sub-step a2: match the characteristic information of the pending program against the local discrimination condition to obtain the DLL file information that the pending program needs to check, and take this DLL file information as the matching result.
The process of matching against the local discrimination condition is introduced concretely below.
As described above, the local discrimination condition comprises multiple program matching conditions and the DLL file information to check when each is met. In the embodiment of the invention there are two kinds of program matching condition, namely the common program matching condition and the specific program matching condition, and the matching process differs according to the kind of condition.
The first kind: the common program matching condition
In the local discrimination condition, the DLL file information to check when the common program matching condition is met is the public DLL file information.
During matching, every pending program is matched against the common program matching condition, and all DLL file information to be checked under the common program matching condition is obtained. That is, for every pending program, all public DLL file information is obtained and then judged further.
Concretely, the processing for the common program matching condition can comprise:
(1) obtaining the public DLL file information to be checked when the common program matching condition is met;
(2) taking the public DLL file information as the DLL file information that the pending program needs to check.
Some commonly used DLL file information can be set in the common program matching condition of the present embodiment, so that unknown malicious programs that hijack commonly used DLL files can also be killed, which improves the accuracy of killing.
The second kind: the specific program matching condition
In the local discrimination condition, the DLL file information to check when a specific program matching condition is met is the specific DLL file information.
During matching, not every pending program matches a specific program matching condition. Therefore the characteristic information of the pending program must be matched against the specific program matching conditions, and only the specific DLL file information belonging to the specific program matching conditions that match is obtained. If no specific program matching condition matches the characteristic information of the pending program, only the public DLL file information obtained above needs to be judged.
Because a specific program matching condition has to be matched against the characteristic information of the pending program, it must also contain information corresponding to the program's characteristic information; the specific program matching condition that matches the characteristic information of the pending program is found through this information.
In the present embodiment, the specific program matching condition comprises at least one of the following:
file name, file description, file size, file version, file characteristic value, internal name, company name, copyright notice, product name, product version and digital-signature company name, and the command line, process path and parent process path of the process.
Likewise, the specific program matching condition may also comprise other information; the present embodiment is not limited in this respect.
Concretely, the processing for the specific program matching condition can comprise:
(i) matching the characteristic information of the pending program against the specific program matching conditions;
(ii) obtaining the specific DLL file information to be checked under the specific program matching conditions that match;
(iii) taking the specific DLL file information as the DLL file information that the pending program needs to check.
Concretely, this can be described by the following example.
Fig. 4 is a schematic diagram of the local discrimination condition described in the embodiment of the invention.
As can be seen from the figure, the local discrimination condition contains multiple common program matching conditions and specific program matching conditions. DLL-HIJACK is a field name. A stand-alone DLL-HIJACK field represents a common program matching condition, and the DLL file information in such stand-alone DLL-HIJACK fields is public DLL file information. Other DLL-HIJACK fields are combined with specific fields, and these specific fields (for example "FD@=360 network connects reader") represent specific program matching conditions. The file information in a specific field is information about the program's EXE file (such as the file description (FD), the internal name (IN), the digital-signature company name (SP), etc.), and this information is matched, as the specific program matching condition, against the characteristic information of the pending program. The DLL file information in the DLL-HIJACK field combined with such a specific field is the specific DLL file information to be checked when the specific program matching condition is met. In the present embodiment, the DLL file information can be the name of the DLL file.
For example, DLL file names such as lpk.dll, usp10.dll and setupapi.dll (see Fig. 3 for details; not all are enumerated here) in stand-alone DLL_HIJACK fields are public DLL file information, whereas DLL file names such as 360netview.dll, 360nzp.dll and somkernl.dll in DLL-HIJACK fields combined with specific fields are specific DLL file information.
For each pending program, when the program is matched against the local discrimination condition, the DLL file names in the stand-alone DLL_HIJACK fields are obtained first; then the characteristic information of the pending program is matched against the information in the specific fields, and the DLL file names in the DLL-HIJACK fields combined with the matching specific fields are obtained; finally, all DLL file names obtained are judged. Because some pending programs are not obviously different from other programs in their information, such pending programs can only be matched against the stand-alone DLL_HIJACK fields.
For example, suppose the characteristic information obtained for the current pending program is the file description "360 networks connect reader"; this file description is then matched against the local discrimination condition. First the DLL file names in all stand-alone DLL_HIJACK fields are obtained, such as "lpk.dll", "usp10.dll", "setupapi.dll" and so on. Then the file description "360 networks connect reader" is matched against the specific fields; on judging, "| FD@=360 network connects reader | DLL_HIJACK=360netview.dll |" is found to be the information matching the file description "360 networks are connected reader", so the DLL file name "360netview.dll" in the DLL_HIJACK field combined with this specific field is obtained. Finally, the names "lpk.dll", "usp10.dll", "setupapi.dll" etc. from the stand-alone DLL_HIJACK fields together with "360netview.dll" are taken as the DLL file information that the pending program needs to check.
Sub-step a3: judge whether the DLL file information that needs to be checked exists under the assigned directory; if it does, determine that the pending program has a hijacked DLL file.
In general, DLL files are stored in the system directory; if a program needs to call certain DLL files when it executes, those DLL files are stored under the assigned directory, so the DLL files stored under the assigned directory are the ones the program calls. In the present embodiment, the assigned directory is the current directory or a specified relative directory.
Hence, after the DLL file information that the pending program needs to check has been obtained in sub-step a2, it must further be judged whether that DLL file information exists under the assigned directory. If it does, the pending program has hijacked DLL files, namely the DLL files that exist under the assigned directory, and these hijacked DLL files need to be killed; if it does not, these DLL files will not be loaded by the pending program and need not be killed.
For example, continuing the example above, if the DLL file information that the pending program needs to check, obtained in sub-step a2, consists of the DLL file names "lpk.dll", "usp10.dll", "setupapi.dll" etc. from the stand-alone DLL_HIJACK fields and the DLL file name "360netview.dll" from the DLL_HIJACK field combined with the specific field, then it is judged whether these DLL file names exist under the assigned directory.
For example, if the files judged to exist under the assigned directory are named "lpk.dll", "usp10.dll" and "360netview.dll", the DLL files "lpk.dll", "usp10.dll" and "360netview.dll" are taken as the hijacked DLL files of the pending program.
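As an added example (not the patent's own code), the following Python sketch implements sub-steps a1 to a3 over rules in the shape described for Fig. 4. The exact rule syntax (one rule per line, pipe-delimited KEY=VALUE tokens, a DLL_HIJACK token listing DLL names), the function names, and the sample rules and directory listing are assumptions of this example.

```python
"""Local discrimination-condition matching for hijacked-DLL detection
(added example, not the patent's own code).

Assumed rule syntax, modelled on the figure described in the text:
  - one rule per line, tokens separated by '|';
  - a DLL_HIJACK=name1,name2 token lists the DLL names to check;
  - any other token (FD=, IN=, SP=, ...; the 'FD@=' form is accepted too)
    is a condition on the program's characteristic information;
  - a rule with no condition tokens is a common program matching condition,
    a rule with condition tokens is a specific program matching condition.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DLL_KEY = "DLL_HIJACK"


@dataclass
class Rule:
    conditions: Dict[str, str]  # empty for a common program matching condition
    dlls: List[str]             # DLL names to check when the rule applies

    @property
    def is_common(self) -> bool:
        return not self.conditions


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; blank lines and '#' comment lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    conditions: Dict[str, str] = {}
    dlls: List[str] = []
    for token in line.strip("|").split("|"):
        token = token.strip()
        if not token:
            continue
        key, _, value = token.partition("=")
        key = key.rstrip("@").strip().upper()   # 'FD@' and 'FD' both mean FD
        value = value.strip()
        if key == DLL_KEY:
            dlls.extend(d.strip().lower() for d in value.split(",") if d.strip())
        else:
            conditions[key] = value
    return Rule(conditions, dlls) if dlls else None  # no DLL names: nothing to check


def load_rules(text: str) -> List[Rule]:
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]


def dlls_to_check(rules: Iterable[Rule], characteristics: Dict[str, str]) -> List[str]:
    """Sub-steps a1/a2. Common rules apply to every program; a specific rule
    applies only when all of its conditions equal the program's characteristic
    information (exact comparison of the values)."""
    info = {k.upper(): v for k, v in characteristics.items()}
    needed: List[str] = []
    for rule in rules:
        if rule.is_common or all(info.get(k) == v for k, v in rule.conditions.items()):
            needed.extend(rule.dlls)
    return list(dict.fromkeys(needed))  # de-duplicate, keep first-seen order


def hijacked_dlls(needed: Iterable[str], present_names: Iterable[str]) -> List[str]:
    """Sub-step a3: a DLL that must be checked and that exists in the assigned
    directory is reported as hijacked. Windows file names are case-insensitive,
    so the comparison is too."""
    present = {n.lower() for n in present_names}
    return [d for d in needed if d in present]


def scan_directory(needed: Iterable[str], directory: str) -> List[str]:
    """The same check against a real assigned directory (current or relative)."""
    return hijacked_dlls(needed, os.listdir(directory))


# Constructed sample rules: the public DLLs and the FD specific field quoted in
# the text, plus one invented specific rule with two conditions.
SAMPLE_RULES = """
# common program matching condition
DLL_HIJACK=lpk.dll,usp10.dll,setupapi.dll
# specific program matching conditions
|FD@=360 network connects reader|DLL_HIJACK=360netview.dll|
|IN@=example_inner_name|SP@=Example Signer|DLL_HIJACK=somkernl.dll|
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    program = {"FD": "360 network connects reader", "IN": "netview.exe"}
    needed = dlls_to_check(rules, program)
    # constructed listing of the assigned directory
    listing = ["netview.exe", "LPK.DLL", "usp10.dll", "360netview.dll", "readme.txt"]
    print("to check:", needed)
    print("hijacked:", hijacked_dlls(needed, listing))
```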
It should be noted that, corresponding to embodiment one above, sub-steps a1 and a2 of the present embodiment are the detailed procedure of step S102 of embodiment one and sub-step a3 is the detailed procedure of step S103 of embodiment one; they are not discussed in detail again here.
Step S302: obtain the EXE file corresponding to the pending program.
Step S303: if the DLL file information that needs to be checked exists under the assigned directory, upload the information of the EXE file corresponding to the pending program and the information of the hijacked DLL files to the server.
The information uploaded about a file can include its hash value, its file path and the like; the embodiment of the invention is not limited in this respect.
Because existing active defense only checks the program's EXE file and not its DLL files, if a malicious program uses a trusted whitelisted program to load a malicious DLL file, the malicious program can bypass interception by active defense and execute successfully.
Therefore the embodiment of the invention proposes checking not only the program's EXE file but also its DLL files; rather than checking all DLL files, however, it determines the hijacked DLL files in the program by matching against the local discrimination condition and then kills those hijacked DLL files.
Concretely, the process of killing files is performed by the server. Hence, if it is judged in step S201 that the pending program has hijacked DLL files and those files have been determined, the information of the EXE file corresponding to the pending program and the information of the hijacked DLL files are all uploaded to the server, and the server kills these files; if it is judged that the pending program has no hijacked DLL file, the pending program is not being exploited by a malicious program, and only the information of its EXE file needs to be uploaded to the server.
For example, if in step S301 the hijacked DLL files of the pending program are judged to be "lpk.dll", "usp10.dll" and "360netview.dll", the information of the DLL files "lpk.dll", "usp10.dll" and "360netview.dll" is uploaded to the server together with the information of the EXE file of the pending program whose file description is "360 networks are connected reader".
Step S304: kill the hijacked DLL files through the server.
After receiving the information of the EXE file corresponding to the pending program and the information of the hijacked DLL files uploaded by the client, the server kills the corresponding files according to that file information.
Step S304 can specifically comprise:
Sub-step b1: obtain the grade of the EXE file and the grades of the hijacked DLL files through the server.
In the present embodiment, the grades comprise a safe grade, an unknown grade, a suspicious/highly suspicious grade and a malicious grade. The grades can be set such that 10-29 is the safe grade (a file of this grade is a white file), 30-49 is the unknown grade (a grey file), 50-69 is the suspicious/highly suspicious grade (a suspicious file), and 70 or above is the malicious grade (a malicious file). Of course, the grades may also be set in other forms; the invention is not limited in this respect.
Sub-step b2: kill the hijacked DLL files according to the grade of the EXE file and the grades of the hijacked DLL files.
Concretely, the EXE file and the hijacked DLL files can be killed by a cloud killing engine for files of the Portable Executable (PE) type, or by an artificial intelligence engine (Qihoo Virtual Machine, QVM). PE type files generally refer to program files in the Windows operating system; common PE type files include the EXE, DLL, OCX, SYS and COM types.
The antivirus engine can kill the corresponding files according to its recognition result for the file grades and according to the blacklist and/or whitelist kept in the antivirus engine.
For the concrete killing process, those skilled in the art perform the corresponding processing according to practical experience; it is not discussed in detail here.
Step S305: perform a corresponding operation on the pending program according to the server's killing result.
After obtaining the grades of the EXE file and of the hijacked DLL files, the server sends the grades down to the client, and the client performs a corresponding operation on the pending program according to the server's killing result.
Concretely, step S305 can comprise the following sub-steps:
Sub-step c1: when at least one of the grade of the EXE file and the grades of the hijacked DLL files is the malicious grade, intercept execution of the pending program.
In the present embodiment there are one or more hijacked DLL files. If the malicious grade appears among the grade of the EXE file and the grades of the hijacked DLL files, the pending program is risky and its execution must be intercepted.
Sub-step c2: when the grade of the EXE file and the grades of the hijacked DLL files are all the safe grade, allow execution of the pending program.
Sub-step c3: when there is no malicious grade among the grade of the EXE file and the grades of the hijacked DLL files, and the grade of at least one hijacked DLL file is higher than the grade of the EXE file, obtain the highest grade among them, change the grade of the EXE file to that highest grade, allow execution of the pending program, and intercept suspicious operations initiated after the pending program executes.
If the grade of the EXE file and the grades of the hijacked DLL files meet neither of the two situations of sub-steps c1 and c2, the grade of the EXE file is changed to the highest grade and execution of the pending program can be allowed; because the EXE file of the pending program may still carry risk, suspicious operations initiated after the pending program executes can be intercepted.
For example, if in step S301 the hijacked DLL files of the pending program are determined to be "lpk.dll", "usp10.dll" and "360netview.dll", and the server obtains the safe grade for the EXE file of the pending program, the unknown grade for lpk.dll, the unknown grade for usp10.dll and the suspicious/highly suspicious grade for 360netview.dll, then the highest file grade is the suspicious/highly suspicious grade, and the grade of the EXE file is changed to suspicious/highly suspicious.
Moreover, because the grade of the EXE file has been modified, when this pending program later performs some suspicious operation, whether the program is safe is judged by the grade of the EXE file; if the EXE file is suspicious, these suspicious operations can be intercepted.
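As an added example (not the patent's own code), the following Python sketch implements the client-side decision of sub-steps c1 to c3 using the grade bands given above, plus the later behaviour check on suspicious operations. The names Level, Verdict, decide and should_intercept, and the numeric grades used in the demonstration, are assumptions of this example.

```python
"""Client-side handling of the server's killing result (sub-steps c1 to c3).
Added example, not the patent's own code; the grade bands are the ones the
text gives, and the names used here are this example's own."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Level(Enum):
    SAFE = "safe"              # 10-29, white file
    UNKNOWN = "unknown"        # 30-49, grey file
    SUSPICIOUS = "suspicious"  # 50-69, suspicious / highly suspicious file
    MALICIOUS = "malicious"    # >= 70, malicious file


def level_of(grade: int) -> Level:
    """Map a numeric server grade onto the four bands. Grades below 10 are not
    defined by the text; this example treats them as unknown (assumption)."""
    if grade >= 70:
        return Level.MALICIOUS
    if grade >= 50:
        return Level.SUSPICIOUS
    if grade >= 30:
        return Level.UNKNOWN
    if grade >= 10:
        return Level.SAFE
    return Level.UNKNOWN


@dataclass
class Verdict:
    allow: bool              # False: intercept execution of the pending program
    exe_grade: int           # grade the client keeps for the EXE afterwards
    watch_suspicious: bool   # intercept later file/registry/process/network ops?
    reason: str


def decide(exe_grade: int, dll_grades: Dict[str, int]) -> Verdict:
    """dll_grades maps each hijacked DLL name to the grade the server returned."""
    grades = [exe_grade] + list(dll_grades.values())
    # c1: any malicious grade (EXE or DLL) -> intercept execution outright
    if any(level_of(g) is Level.MALICIOUS for g in grades):
        bad = [n for n, g in dll_grades.items() if level_of(g) is Level.MALICIOUS]
        return Verdict(False, exe_grade, False, "malicious: " + ", ".join(bad or ["exe"]))
    # c2: EXE and every hijacked DLL safe -> allow without further watching
    if all(level_of(g) is Level.SAFE for g in grades):
        return Verdict(True, exe_grade, False, "exe and hijacked dlls are all safe")
    # c3: neither c1 nor c2 -> raise the EXE grade to the highest grade seen,
    # allow execution, and intercept suspicious operations performed later
    highest = max(grades)
    return Verdict(True, highest, True, "exe grade %d -> %d" % (exe_grade, highest))


SUSPICIOUS_OPS = {"file", "registry", "process", "network"}


def should_intercept(verdict: Verdict, operation: str) -> bool:
    """Later behaviour check: a suspicious operation is intercepted when the
    verdict asked for watching and the (possibly raised) EXE grade is no longer
    in the safe band; as in the text, only the EXE grade is consulted."""
    if operation not in SUSPICIOUS_OPS or not verdict.watch_suspicious:
        return False
    return level_of(verdict.exe_grade) is not Level.SAFE


if __name__ == "__main__":
    # The text's example: EXE safe, lpk.dll and usp10.dll unknown, 360netview.dll
    # suspicious. The numeric grades are constructed values inside those bands.
    v = decide(20, {"lpk.dll": 35, "usp10.dll": 35, "360netview.dll": 55})
    print(v)                                  # allowed, exe grade raised to 55, watched
    print(should_intercept(v, "registry"))    # True
    print(decide(20, {"lpk.dll": 80}))        # execution intercepted: malicious DLL
```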
A suspicious operation can be any of the following: a file operation, a registry operation, a process operation and a network operation.
For example, a file operation can be an operation on files related to the Windows operating system, on application software with a large installed base (such as QQ, Ali Wangwang, etc.), or on desktop shortcuts, etc.;
a registry operation can be a program writing an auto-start entry to the registry, corrupting the registry, etc.;
a process operation can be mutual injection between processes (a process inserting and executing some code in another process), remote thread operations on a process, terminating a process (for example some malicious programs terminate the QQ process so that the password can be intercepted when the user logs in again), or certain follow-up operations on a process, etc.;
a network operation can be installing a driver or service, global hook injection, recording keyboard operations, modifying web page content in the browser, etc.
Of course, other operations can also be included; the embodiment of the invention is not limited in this respect.
It should be noted that the present embodiment mainly handles the situation in which a malicious program uses a trusted whitelisted program to load a malicious DLL file; therefore the grade of the EXE file should be the safe grade, and if the grade of a DLL file is higher than the grade of this EXE file, the grade of the EXE file is modified.
Step S306: periodically detect whether the local discrimination condition meets an upgrade condition; if it does, download a new discrimination condition from the server and complete the upgrade of the local discrimination condition by reloading the new discrimination condition.
The local discrimination condition of the present embodiment needs to be upgraded periodically. Concretely, the upgrade condition can be configured on the server; the client periodically detects whether the local discrimination condition meets the upgrade condition and, when it does, downloads the new local discrimination condition from the server and replaces the original local discrimination condition with the new one, thereby upgrading the original local discrimination condition.
The upgrade condition can be judged according to the file version of the local discrimination condition, upgrading whenever a newer version exists; it can also specify upgrading to an indicated version when the local version meets a certain condition. The embodiment of the invention is not limited in this respect.
For example, if a new exploited program (QQ Game) is found but does not exist in the local discrimination condition, a specific program matching condition can be added to the local discrimination condition, containing the characteristic information of this program (file description "QQ game") and the DLL file information to be checked when this specific program matching condition is met.
Of course, other methods can also be used to upgrade the local discrimination condition; the present embodiment is not limited in this respect.
Finally, it should be noted that the embodiment of the invention mainly handles the situation in which a malicious program uses a trusted whitelisted program to load a malicious DLL file. If the pending program is a program on the trusted whitelist, active defense, which checks only the program's EXE file, judges the program safe and allows it to execute; but if a malicious program uses this whitelisted program to load a malicious DLL file, the malicious program also executes successfully.
Therefore, for this situation, the embodiment of the invention, when a pending program is detected creating a process, checks according to the pre-set local discrimination condition whether the pending program has a hijacked DLL file; if it does, the hijacked DLL file is killed through the server, and a corresponding operation is then performed on the pending program according to the server's killing result. This solves the problem that a malicious program loads a malicious DLL file through a trusted whitelisted program so that active defense cannot intercept it normally, achieving the beneficial effect of intercepting malicious programs more effectively.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but those skilled in the art should know that the application is not limited by the described sequence of actions, since according to the application some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the application.
Embodiment four:
Referring to Fig. 5, a structural block diagram of a program identification system according to an embodiment of the invention is shown. The system comprises a client 501 and a server 502, wherein
the client 501 comprises:
a read module 5011, adapted to read the pre-set local discrimination condition when the creation of a process by the program to be executed is detected;
a matching module 5012, adapted to match the program to be executed against the local discrimination condition to obtain a matching result; and
a determination module 5013, adapted to determine, according to the matching result, whether the program to be executed has a hijacked DLL file.
Through the above modules of the client, the local discrimination condition can be used to detect whether the program to be executed has a hijacked DLL file. If a hijacked DLL file is detected, the server can subsequently scan the hijacked DLL file, and the corresponding operation is performed on the program to be executed according to the server's scan result. This solves the problem that active defense cannot normally intercept a malicious program that loads a malicious DLL file through a program on the trusted white list, and intercepts malicious programs more effectively.
Embodiment five:
Referring to Fig. 6, a structural block diagram of a program identification system according to an embodiment of the invention is shown. The system comprises a client 601 and a server 602.
The client 601 comprises a checking module 6011, an EXE file acquisition module 6012, an upload module 6013, a processing module 6014 and an upgrade module 6015; the server 602 comprises a scan-and-kill module 6021.
The checking module 6011 is adapted to check, when the creation of a process by the program to be executed is detected, whether the program to be executed has a hijacked DLL file according to the pre-set local discrimination condition.
It should be noted that the checking module is mainly used to check whether the program to be executed has a hijacked DLL file; relative to Embodiment four above, this checking module may comprise the read module 5011, the matching module 5012 and the determination module 5013 of Embodiment four.
The program to be executed is a program on the white list, and the local discrimination condition is stored in a local directory of the client.
The checking module 6011 comprises:
a characteristic information acquisition submodule, adapted to obtain the characteristic information of the program to be executed;
wherein the characteristic information of the program to be executed may comprise at least one of the following:
the file name information, file description information, file size information, file version information, file characteristic value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature company information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed;
a DLL file information acquisition submodule, adapted to match the characteristic information of the program to be executed against the local discrimination condition to obtain the DLL file information that the program to be executed needs checked, and to use that DLL file information as the matching result;
wherein the local discrimination condition comprises a plurality of program matching conditions and, for each program matching condition, the DLL file information that needs to be checked once that condition is met.
There are two kinds of program matching condition: the common program matching condition and the specific program matching condition.
The first kind: the common program matching condition
The DLL file information that needs to be checked once the common program matching condition is met is public DLL file information, and the DLL file information acquisition submodule comprises:
a public DLL file information acquisition unit, adapted to obtain the public DLL file information that needs to be checked once the common program matching condition is met; and
a first determining unit, adapted to use the public DLL file information as the DLL file information that the program to be executed needs checked.
The second kind: the specific program matching condition
The DLL file information that needs to be checked once the specific program matching condition is met is specific DLL file information, and the DLL file information acquisition submodule comprises:
a matching unit, adapted to match the characteristic information of the program to be executed against the specific program matching condition;
wherein the specific program matching condition may comprise at least one of the following:
file name information, file description information, file size information, file version information, file characteristic value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature information of the company name, and the command line information, process path information and parent process path information of the process;
a specific DLL file information acquisition unit, adapted to obtain the specific DLL file information that needs to be checked once the matched specific program matching condition is met; and
a second determining unit, adapted to use the specific DLL file information as the DLL file information that the program to be executed needs checked.
A judgment submodule, adapted to judge whether the DLL file information that needs to be checked exists in a specified directory and, if it does, to determine that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is the DLL file that exists in the specified directory, and the specified directory is the current directory or a specified relative directory.
It should be noted that, corresponding to Embodiment four above, the characteristic information acquisition submodule and the DLL file information acquisition submodule of the present embodiment may be submodules of the matching module of Embodiment four, and the judgment submodule may be a submodule of the determination module of Embodiment four; the present embodiment does not discuss this again in detail.
The EXE file acquisition module 6012 is adapted to obtain the EXE file corresponding to the program to be executed before the scan-and-kill module of the server scans the hijacked DLL file.
The upload module 6013 is adapted to upload the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL file to the server.
The server 602 comprises:
a scan-and-kill module 6021, adapted to scan the hijacked DLL file when the check result of the checking module of the client is that such a file exists.
The scan-and-kill module 6021 comprises:
a level acquisition submodule, adapted to obtain the level of the EXE file and the level of the hijacked DLL file, the levels comprising a safe level, an unknown level, a suspicious/highly suspicious level and a malicious level; and
a scan-and-kill submodule, adapted to scan the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.
The client further comprises:
a processing module 6014, adapted to perform the corresponding operation on the program to be executed according to the server's scan result.
There may be one or more hijacked DLL files, and the processing module 6014 comprises:
a program interception submodule, adapted to intercept the execution of the program to be executed when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level;
an execution submodule, adapted to allow the execution of the program to be executed when the level of the EXE file and the levels of the hijacked DLL files are all the safe level; and
a suspicious operation interception submodule, adapted, when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level and the level of at least one hijacked DLL file is higher than the level of the EXE file, to take the highest of those levels, modify the level of the EXE file to that highest level, allow the execution of the program to be executed, and intercept the suspicious operations initiated after the program to be executed runs.
The suspicious operation may be any of the following: a file operation, a registry operation, a process operation and a network operation. Of course, the suspicious operation may also be some other operation; the embodiment of the present invention is not limited in this respect.
The upgrade module 6015 is adapted to periodically detect whether the local discrimination condition meets the upgrade condition and, if it does, to download the new discrimination condition from the server and complete the upgrade of the local discrimination condition by reloading the new discrimination condition;
wherein the upgrade condition is configured on the server.
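The client-side check (matching the program's characteristic information against the local discrimination condition, then looking for the listed DLLs in the program's directory), the server-side grading, and the three-branch decision of the processing module, as an added example that is not the patent's own code. The rule contents, file identifiers, reputation table and sample inputs are constructed; the fallback branch of decide() for an EXE graded worse than all its DLLs is an assumption, since the text gives no rule for it.

```python
"""Added example (not the patent's or any product's code): a compact model of the
client-side check and the server-side decision described above.  Rule contents,
file identifiers, the reputation table and the sample inputs are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Level(IntEnum):
    """Levels assigned by the server, ordered so that max() yields the worst one."""
    SAFE = 0
    UNKNOWN = 1
    SUSPICIOUS = 2      # covers "suspicious / highly suspicious"
    MALICIOUS = 3


@dataclass
class MatchRule:
    """One program matching condition plus the DLL names to check when it matches.
    An empty `conditions` dict is a common (catch-all) condition; a non-empty one
    is a specific condition on characteristic information."""
    conditions: Dict[str, str]
    dlls_to_check: List[str]

    def matches(self, characteristics: Dict[str, str]) -> bool:
        return all(characteristics.get(k) == v for k, v in self.conditions.items())


# Constructed local discrimination condition: one common rule, one specific rule.
LOCAL_DISCRIMINATION_CONDITION: List[MatchRule] = [
    MatchRule({}, ["netlib.dll", "imgcodec.dll"]),
    MatchRule({"file_description": "QQ Game"}, ["gameui.dll", "gamesound.dll"]),
]

# Constructed server reputation table keyed by an opaque file identifier
# (a hash in practice); identifiers not listed are graded UNKNOWN.
SERVER_REPUTATION: Dict[str, Level] = {
    "exe:qqgame-signed": Level.SAFE,
    "dll:gameui-dropper": Level.MALICIOUS,
    "dll:netlib-unsigned": Level.SUSPICIOUS,
}


def dlls_to_check(characteristics: Dict[str, str],
                  rules: List[MatchRule] = LOCAL_DISCRIMINATION_CONDITION) -> List[str]:
    """Matching module: every rule whose condition the program satisfies
    contributes its DLL names; the de-duplicated list is the matching result."""
    names: List[str] = []
    for rule in rules:
        if rule.matches(characteristics):
            names.extend(d for d in rule.dlls_to_check if d not in names)
    return names


def hijacked_dlls(dll_names: List[str], directory_listing: Set[str]) -> List[str]:
    """Determination module: a DLL from the matching result that is present in the
    program's own (or a specified relative) directory is treated as hijacked.
    `directory_listing` stands in for reading that directory from disk."""
    present = {name.lower() for name in directory_listing}
    return [d for d in dll_names if d.lower() in present]


def server_scan(exe_id: str, dll_ids: List[str]) -> Tuple[Level, List[Level]]:
    """Scan-and-kill module: grade the uploaded EXE and DLL identifiers."""
    def grade(file_id: str) -> Level:
        return SERVER_REPUTATION.get(file_id, Level.UNKNOWN)
    return grade(exe_id), [grade(d) for d in dll_ids]


def decide(exe_level: Level, dll_levels: List[Level]) -> Tuple[str, Level]:
    """Processing module: the three branches from the text, returning the action
    and the effective level of the program."""
    if exe_level == Level.MALICIOUS or Level.MALICIOUS in dll_levels:
        return "block", Level.MALICIOUS                # program interception
    if exe_level == Level.SAFE and all(l == Level.SAFE for l in dll_levels):
        return "allow", Level.SAFE                     # execution submodule
    highest = max([exe_level, *dll_levels])
    if highest > exe_level:
        # Raise the EXE to the highest DLL level, let it run, and intercept the
        # suspicious file/registry/process/network operations it initiates.
        return "allow_and_monitor", highest
    # Assumption: the text gives no rule for an EXE that is itself worse than all
    # of its DLLs (e.g. UNKNOWN with SAFE DLLs); keep the EXE's own level.
    return "allow", exe_level


def handle_process_creation(characteristics: Dict[str, str], directory_listing: Set[str],
                            exe_id: str, dll_id_of: Dict[str, str]) -> Tuple[str, Level]:
    """End-to-end client flow: match, detect hijacked DLLs, upload, act on result."""
    found = hijacked_dlls(dlls_to_check(characteristics), directory_listing)
    if not found:
        return "allow", Level.SAFE   # nothing to upload; the white-listed EXE runs
    exe_level, dll_levels = server_scan(exe_id, [dll_id_of[d] for d in found])
    return decide(exe_level, dll_levels)


if __name__ == "__main__":
    # Constructed scenario: a white-listed game EXE with a planted DLL beside it.
    listing = {"QQGame.exe", "GAMEUI.DLL", "readme.txt"}
    print(handle_process_creation({"file_description": "QQ Game"}, listing,
                                  "exe:qqgame-signed", {"gameui.dll": "dll:gameui-dropper"}))
```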
According to the local discrimination condition, the program identification system of the embodiment of the present invention can check whether the program to be executed has a hijacked DLL file, scan the hijacked DLL file of the program to be executed, and then perform the corresponding operation on the program to be executed according to the server's scan result. This solves the problem that active defense cannot normally intercept a malicious program that loads a malicious DLL file through a program on the trusted white list, and achieves the beneficial effect of intercepting malicious programs more effectively.
Because the above program identification system embodiments are basically similar to the method embodiments, their description is fairly brief; for the relevant parts, see the description of the method embodiments shown in Fig. 1, Fig. 2 and Fig. 3.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that the embodiments have in common, the embodiments may be referred to one another.
Those skilled in the art will readily envisage that any combination of the above embodiments is feasible, so any combination of the above embodiments is an embodiment of the application; for reasons of space, this specification does not detail them one by one.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching based on this. The structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described here, and the above description of a specific language was given to disclose the best mode of the present invention.
A large number of specific details are described in the specification provided here. It can be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid the understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all the features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all the features disclosed in this specification (including the accompanying claims, abstract and drawings) and all the processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described here include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the program identification system according to the embodiment of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described here. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Also disclosed herein are:
A1. A program identification method, comprising: when the creation of a process by a program to be executed is detected, reading a pre-set local discrimination condition; matching the program to be executed against the local discrimination condition to obtain a matching result; determining, according to the matching result, whether the program to be executed has a hijacked DLL file; if it does, scanning the hijacked DLL file by a server; and performing a corresponding operation on the program to be executed according to the server's scan result.
A2. The program identification method of A1, wherein matching the program to be executed against the local discrimination condition to obtain a matching result comprises: obtaining the characteristic information of the program to be executed; and matching the characteristic information of the program to be executed against the local discrimination condition to obtain the DLL file information that the program to be executed needs checked, and using that DLL file information as the matching result.
A3. The program identification method of A2, wherein determining, according to the matching result, whether the program to be executed has a hijacked DLL file comprises: judging whether the DLL file information that needs to be checked exists in a specified directory and, if it does, determining that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is the DLL file existing in the specified directory, and the specified directory is the current directory or a specified relative directory.
A4. The program identification method of A2, wherein the local discrimination condition comprises a plurality of program matching conditions and, for each program matching condition, the DLL file information that needs to be checked once that condition is met.
A5. The program identification method of A4, wherein the program matching condition comprises a common program matching condition, the DLL file information that needs to be checked once the common program matching condition is met is public DLL file information, and matching the characteristic information of the program to be executed against the local discrimination condition to obtain the DLL information that the program to be executed needs checked comprises: obtaining the public DLL file information that needs to be checked once the common program matching condition is met; and using the public DLL file information as the DLL file information that the program to be executed needs checked.
A6. The program identification method of A4, wherein the program matching condition comprises a specific program matching condition, the DLL file information that needs to be checked once the specific program matching condition is met is specific DLL file information, and matching the characteristic information of the program to be executed against the local discrimination condition to obtain the DLL information that the program to be executed needs checked comprises: matching the characteristic information of the program to be executed against the specific program matching condition; obtaining the specific DLL file information that needs to be checked once the matched specific program matching condition is met; and using the specific DLL file information as the DLL file information that the program to be executed needs checked.
A7. The program identification method of A6, wherein the specific program matching condition comprises at least one of the following: file name information, file description information, file size information, file version information, file characteristic value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature information of the company name, and the command line information, process path information and parent process path information of the process; and the characteristic information of the program to be executed comprises at least one of the following: the file name information, file description information, file size information, file version information, file characteristic value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature company information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed.
A8. The program identification method of A1, further comprising, before the server scans the hijacked DLL file: obtaining the EXE file corresponding to the program to be executed; and uploading the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL file to the server; wherein scanning the hijacked DLL file by the server comprises: obtaining, by the server, the level of the EXE file and the level of the hijacked DLL file, the levels comprising a safe level, an unknown level, a suspicious/highly suspicious level and a malicious level; and scanning the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.
A9. The program identification method of A8, wherein there are one or more hijacked DLL files, and performing the corresponding operation on the program to be executed according to the server's scan result comprises: when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level, intercepting the execution of the program to be executed; when the level of the EXE file and the levels of the hijacked DLL files are all the safe level, allowing the execution of the program to be executed; and when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level and the level of at least one hijacked DLL file is higher than the level of the EXE file, taking the highest of those levels, modifying the level of the EXE file to that highest level, allowing the execution of the program to be executed, and intercepting the suspicious operations initiated after the program to be executed runs.
A10. The program identification method of A9, wherein the suspicious operation is any of the following: a file operation, a registry operation, a process operation and a network operation.
A11. The program identification method of A1, wherein the program to be executed is a program on a white list.
A12. The program identification method of A1, wherein the local discrimination condition is stored in a local directory of the client.
A13. The program identification method of A1, further comprising: periodically detecting whether the local discrimination condition meets an upgrade condition and, if it does, downloading a new discrimination condition from the server and completing the upgrade of the local discrimination condition by reloading the new discrimination condition; wherein the upgrade condition is configured on the server.
B14. A program identification system, comprising a client and a server, wherein the client comprises: a read module, adapted to read a pre-set local discrimination condition when the creation of a process by a program to be executed is detected; a matching module, adapted to match the program to be executed against the local discrimination condition to obtain a matching result; and a determination module, adapted to determine, according to the matching result, whether the program to be executed has a hijacked DLL file; the server comprises: a scan-and-kill module, adapted to scan the hijacked DLL file when the check result of the determination module of the client is that such a file exists; and the client further comprises: a processing module, adapted to perform a corresponding operation on the program to be executed according to the server's scan result.
B15. The program identification system of B14, wherein the matching module comprises: a characteristic information acquisition submodule, adapted to obtain the characteristic information of the program to be executed; and a DLL file information acquisition submodule, adapted to match the characteristic information of the program to be executed against the local discrimination condition to obtain the DLL file information that the program to be executed needs checked, and to use that DLL file information as the matching result.
B16. The program identification system of B15, wherein the determination module comprises: a judgment submodule, adapted to judge whether the DLL file information that needs to be checked exists in a specified directory and, if it does, to determine that the program to be executed has a hijacked DLL file; wherein the hijacked DLL file is the DLL file existing in the specified directory, and the specified directory is the current directory or a specified relative directory.
B17. The program identification system of B15, wherein the local discrimination condition comprises a plurality of program matching conditions and, for each program matching condition, the DLL file information that needs to be checked once that condition is met.
B18. The program identification system of B17, wherein the program matching condition comprises a common program matching condition, the DLL file information that needs to be checked once the common program matching condition is met is public DLL file information, and the DLL file information acquisition submodule comprises: a public DLL file information acquisition unit, adapted to obtain the public DLL file information that needs to be checked once the common program matching condition is met; and a first determining unit, adapted to use the public DLL file information as the DLL file information that the program to be executed needs checked.
B19. The program identification system of B17, wherein the program matching condition comprises a specific program matching condition, the DLL file information that needs to be checked once the specific program matching condition is met is specific DLL file information, and the DLL file information acquisition submodule comprises: a matching unit, adapted to match the characteristic information of the program to be executed against the specific program matching condition; a specific DLL file information acquisition unit, adapted to obtain the specific DLL file information that needs to be checked once the matched specific program matching condition is met; and a second determining unit, adapted to use the specific DLL file information as the DLL file information that the program to be executed needs checked.
B20. The program identification system of B19, wherein the specific program matching condition comprises at least one of the following: file name information, file description information, file size information, file version information, file characteristic value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature information of the company name, and the command line information, process path information and parent process path information of the process; and the characteristic information of the program to be executed comprises at least one of the following: the file name information, file description information, file size information, file version information, file characteristic value information, internal name information, company name information, copyright notice information, product name information, product version information and digital signature company information of the program to be executed, and the command line information, process path information and parent process path information of the process created by the program to be executed.
B21. The program identification system of B14, wherein the client further comprises: an EXE file acquisition module, adapted to obtain the EXE file corresponding to the program to be executed before the scan-and-kill module of the server scans the hijacked DLL file; and an upload module, adapted to upload the information of the EXE file corresponding to the program to be executed and the information of the hijacked DLL file to the server; and the scan-and-kill module comprises: a level acquisition submodule, adapted to obtain the level of the EXE file and the level of the hijacked DLL file, the levels comprising a safe level, an unknown level, a suspicious/highly suspicious level and a malicious level; and a scan-and-kill submodule, adapted to scan the hijacked DLL file according to the level of the EXE file and the level of the hijacked DLL file.
B22. The program identification system of B21, wherein there are one or more hijacked DLL files, and the processing module comprises: a program interception submodule, adapted to intercept the execution of the program to be executed when at least one of the level of the EXE file and the levels of the hijacked DLL files is the malicious level; an execution submodule, adapted to allow the execution of the program to be executed when the level of the EXE file and the levels of the hijacked DLL files are all the safe level; and a suspicious operation interception submodule, adapted, when none of the level of the EXE file and the levels of the hijacked DLL files is the malicious level and the level of at least one hijacked DLL file is higher than the level of the EXE file, to take the highest of those levels, modify the level of the EXE file to that highest level, allow the execution of the program to be executed, and intercept the suspicious operations initiated after the program to be executed runs.
B23. The program identification system of B22, wherein the suspicious operation is any of the following: a file operation, a registry operation, a process operation and a network operation.
B24. The program identification system of B14, wherein the program to be executed is a program on a white list.
B25. The program identification system of B14, wherein the local discrimination condition is stored in a local directory of the client.
B26. The program identification system of B14, wherein the client further comprises: an upgrade module, adapted to periodically detect whether the local discrimination condition meets an upgrade condition and, if it does, to download a new discrimination condition from the server and complete the upgrade of the local discrimination condition by reloading the new discrimination condition; wherein the upgrade condition is configured on the server.