CN103034809B - Method and device for immunizing file macro virus - Google Patents

Info

Publication number: CN103034809B
Authority: CN (China)
Prior art keywords: file, behavior, macro virus, office process, directory
Legal status: Active
Application number: CN201210545944.8A
Other languages: Chinese (zh)
Other versions: CN103034809A
Inventor: 禹建文
Current Assignee: Beijing Qihoo Technology Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210545944.8A
Publication of CN103034809A
Application granted
Publication of CN103034809B
Abstract

The invention discloses a method and a device for immunizing files against macro viruses. The method comprises the steps of: intercepting a file behavior request of an Office process; analyzing the file behavior request to obtain information about the corresponding file behavior; using the information about the file behavior to judge whether the file behavior is a macro virus behavior; when the file behavior is the macro virus behavior of the Office process modifying a template file, allowing the intercepted file behavior request; and when the file behavior is a macro virus behavior other than the Office process modifying a template file, blocking the intercepted file behavior request. The invention widens the range of macro viruses that can be immunized against and improves the efficiency of macro virus immunization.

Description

Method and apparatus for immunizing files against macro viruses
Technical field
The present invention relates to the field of computer security, and in particular to a method and apparatus for immunizing files against macro viruses.
Background technology
A macro virus is a computer virus stored in the macros of a document or template. Once such a document is opened, the macros in it are executed, the macro virus is activated, transfers to the computer and takes up residence in the template. From then on, every automatically saved document "catches" the macro virus, and if another user opens an infected document, the macro virus transfers to that user's computer as well.
Because a macro virus hides inside a data file, and because the scripting language it uses is flexible and the same function can be written in many different ways, determining whether a file carries a macro virus is very difficult.
One prior-art method of immunizing files against macro viruses is the "slot-occupying" approach: if a particular macro virus is found to drop a file with a specific name, a file of the same name is created in advance, and the fact that Windows does not allow two files of the same name to coexist stops the macro virus from propagating. This method can only immunize against specific, already-known macro viruses and cannot immunize against new, unknown ones, so its immunization efficiency is low.
Another prior-art method disables all macro functionality of Office by disabling all macros; this interferes with files that legitimately need macros.
In short, the technical problem that those skilled in the art urgently need to solve is how to improve the efficiency of immunization against macro viruses.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and apparatus for immunizing files against macro viruses that overcomes the above problems or at least partly solves them.
According to one aspect of the present invention, a method of immunizing files against macro viruses is provided, comprising:
intercepting a file behavior request of an Office process;
analyzing the file behavior request to obtain information about the corresponding file behavior;
using the information about the file behavior to judge whether the file behavior is a macro virus behavior;
when the file behavior is the macro virus behavior of the Office process modifying a template file, allowing the intercepted file behavior request; and
when the file behavior is a macro virus behavior other than the Office process modifying a template file, blocking the intercepted file behavior request.
Optionally, the step of analyzing the file behavior request to obtain information about the corresponding file behavior comprises:
analyzing the parameters of the application programming interface (API) call carried in the file behavior request to obtain the information about the corresponding file behavior;
where the information about the file behavior comprises at least one of: file path, behavior name, share mode and file attributes; and the file attributes comprise at least one of: normal, read-only, hidden, encrypted and compressed.
Optionally, the step of using the information about the file behavior to judge whether the file behavior is a macro virus behavior comprises:
matching the information about the file behavior against the information of known macro virus behaviors and, if the match succeeds, determining that the file behavior is a macro virus behavior.
Optionally, the step of using the information about the file behavior to judge whether the file behavior is a macro virus behavior comprises:
judging, from the information about the file behavior, whether the file concerned is an existing file that has not been modified by an Office process during the current boot session, or a new file that has been modified by an Office process;
matching the information about the file behavior, together with that judgment, against the information of known macro virus behaviors and, if the match succeeds, determining that the file behavior is a macro virus behavior.
Optionally, the method further comprises:
if the file behavior is the macro virus behavior of the Office process modifying a template file, then when the Office process exits, judging whether the modified template file contains a macro and, if so, replacing the modified template file with a macro-free template file backed up in advance;
where the step of judging whether the modified template file contains a macro comprises:
opening the modified template file in binary mode; and
judging whether the binary content of the modified template file contains a macro marker; if so, the modified template file contains a macro, otherwise it does not.
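As an added illustration of the template check just described (this is example code written for this page, not code from the patent), the following Python sketch opens a template in binary mode, scans it for a macro marker and, if one is found, restores a macro-free backup. The patent does not name the marker bytes it looks for, so the marker tuple below is an assumption, and the template bytes are constructed in a temporary directory.

```python
import os
import shutil
import tempfile

# Assumed marker bytes: the patent only says "a macro marker". Binary Word and
# Excel files that carry VBA keep it under a "Macros" storage containing a
# "_VBA_PROJECT" stream, so those two names serve as the stand-in marker here.
MACRO_MARKERS = (b"_VBA_PROJECT", b"Macros")


def template_has_macro(path, markers=MACRO_MARKERS):
    """Open the template in binary mode and report whether any marker appears."""
    with open(path, "rb") as fh:
        data = fh.read()
    return any(marker in data for marker in markers)


def restore_template_if_infected(template_path, clean_backup_path):
    """Run when the Office process exits, after its template modification was
    allowed: if the modified template now carries a macro, overwrite it with
    the macro-free backup taken earlier. Returns True if it was replaced."""
    if not template_has_macro(template_path):
        return False
    shutil.copyfile(clean_backup_path, template_path)
    return True


def demo():
    """Constructed scenario: a clean backup plus a template that an Office
    process has just written a macro into. Returns (replaced, still_infected)."""
    workdir = tempfile.mkdtemp()
    try:
        backup = os.path.join(workdir, "normal.dot.bak")
        template = os.path.join(workdir, "normal.dot")
        # Constructed bytes: OLE compound-file magic plus filler, no macro.
        clean = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"WordDocument" + b"\x00" * 32
        with open(backup, "wb") as fh:
            fh.write(clean)
        with open(template, "wb") as fh:
            fh.write(clean + b"Macros" + b"_VBA_PROJECT" + b"\x00" * 16)
        replaced = restore_template_if_infected(template, backup)
        return replaced, template_has_macro(template)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A byte scan of this kind is deliberately cheap: it runs once per Office process exit, and a false positive only costs a template restore from a known-clean backup.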
Optionally, the method further comprises:
when the match fails, judging whether the file or directory concerned by the file behavior is in a white list data set;
when the file or directory is in the white list data set, determining that the file behavior is not a macro virus behavior;
when the file or directory is not in the white list data set, judging whether it is in a black list data set;
when the file or directory is in the black list data set, determining that the file behavior is a macro virus behavior;
when the file or directory is not in the black list data set, judging whether it is an existing file or directory that has not been modified by an Office process during the current boot session, or a new file or directory that has been modified by an Office process;
when it is an existing file or directory not modified by an Office process during the current boot session, determining that the file behavior is not a macro virus behavior;
when it is a new file or directory modified by an Office process during the current boot session, determining that the file behavior is a macro virus behavior.
Optionally, the step of judging, from the information about the file behavior, whether the file concerned is an existing file not modified by an Office process during the current boot session or a new file modified by an Office process comprises:
maintaining a first file set and a second file set, where the first file set contains the existing files not modified by an Office process during the current boot session and the second file set contains the files that an Office process has operated on;
judging, from the information about the file behavior, whether the file concerned is in the first file set or the second file set;
when the file is in the first file set, judging that it is an existing file not modified by an Office process during the current boot session;
when the file is in the second file set, judging that it is a new file modified by an Office process during the current boot session.
Optionally, the known macro virus behaviors comprise at least one of: an Office process modifying a template file; an Office process writing a file to a template directory; an Office process executing an executable file released by an Office process; an Office process executing a script file released by an Office process; an Office process modifying the registry; and an Office process copying a file.
According to another aspect of the present invention, an apparatus for immunizing files against macro viruses is provided, comprising:
a request interception module, adapted to intercept a file behavior request of an Office process;
a request analysis module, adapted to analyze the file behavior request to obtain information about the corresponding file behavior;
a macro virus judgment module, adapted to use the information about the file behavior to judge whether the file behavior is a macro virus behavior;
a first processing module, adapted to allow the intercepted file behavior request when the file behavior is the macro virus behavior of the Office process modifying a template file; and
a second processing module, adapted to block the intercepted file behavior request when the file behavior is a macro virus behavior other than the Office process modifying a template file.
Optionally, the request analysis module is specifically adapted to analyze the parameters of the API call carried in the file behavior request to obtain the information about the corresponding file behavior; the information about the file behavior comprises at least one of: file path, behavior name, share mode and file attributes; and the file attributes comprise at least one of: normal, read-only, hidden, encrypted and compressed.
Optionally, the macro virus judgment module comprises:
a first matching submodule, adapted to match the information about the file behavior against the information of known macro virus behaviors and, if the match succeeds, determine that the file behavior is a macro virus behavior.
Optionally, the macro virus judgment module comprises:
a file information judgment submodule, adapted to judge, from the information about the file behavior, whether the file concerned is an existing file not modified by an Office process during the current boot session or a new file modified by an Office process; and
a second matching submodule, adapted to match the information about the file behavior, together with that judgment, against the information of known macro virus behaviors and, if the match succeeds, determine that the file behavior is a macro virus behavior.
Optionally, the first processing module further comprises:
a macro handling submodule, adapted to, when the file behavior is the macro virus behavior of the Office process modifying a template file and the Office process exits, judge whether the modified template file contains a macro and, if so, replace the modified template file with a macro-free template file backed up in advance;
and the apparatus further comprises a macro judgment module adapted to judge whether the modified template file contains a macro, the macro judgment module comprising:
an opening submodule, adapted to open the modified template file in binary mode; and
a macro marker judgment submodule, adapted to judge whether the binary content of the modified template file contains a macro marker; if so, the modified template file contains a macro, otherwise it does not.
Optionally, the apparatus further comprises:
a white list data set judgment module, adapted to judge, when the match fails, whether the file or directory concerned by the file behavior is in a white list data set;
a first white list data set processing module, adapted to determine that the file behavior is not a macro virus behavior when the file or directory is in the white list data set;
a second white list data set processing module, adapted to judge whether the file or directory is in a black list data set when it is not in the white list data set;
a first black list data set processing module, adapted to determine that the file behavior is a macro virus behavior when the file or directory is in the black list data set;
a second black list data set processing module, adapted to judge, when the file or directory is not in the black list data set, whether it is an existing file or directory not modified by an Office process during the current boot session or a new file or directory modified by an Office process; and
a file processing module, adapted to determine that the file behavior is not a macro virus behavior when the file or directory is an existing file or directory not modified by an Office process during the current boot session, and to determine that the file behavior is a macro virus behavior when it is a new file or directory modified by an Office process during the current boot session.
Optionally, the file information judgment submodule comprises:
a file set maintenance unit, adapted to maintain a first file set and a second file set, where the first file set contains the existing files not modified by an Office process during the current boot session and the second file set contains the new files modified by an Office process during the current boot session; and
a file set judgment unit, adapted to judge, from the file path of the file behavior, whether the file concerned is in the first file set or the second file set; when the file or directory is in the first file set, judge that it is an existing file not modified by an Office process during the current boot session; and when it is in the second file set, judge that it is a new file modified by an Office process during the current boot session.
Optionally, the known macro virus behaviors comprise at least one of: an Office process modifying a template file; an Office process writing a file to a template directory; an Office process executing an executable file released by an Office process; an Office process executing a script file released by an Office process; an Office process modifying the registry; and an Office process copying a file.
The method and apparatus for immunizing files against macro viruses of the present invention have the following beneficial effects:
By intercepting and analyzing the behavior requests of Office processes, the present invention can take the corresponding blocking measures whenever a macro virus behavior is found, and so protect the user's computer from harm by macro viruses. Because the behavior requests of the Office process are a path that every Office macro virus behavior must pass through, the present invention can apply immunization to all Office macro virus behaviors, whereas the prior art can only immunize against specific, already-known macro viruses; the present invention therefore provides a wider immunization range against macro viruses and improves the efficiency of macro virus immunization.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be better understood and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention may be made clearer, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. The same reference symbols denote the same parts throughout the drawings. In the drawings:
Fig. 1 shows a flowchart of a method of immunizing files against macro viruses according to an embodiment of the invention;
Fig. 2 shows a flowchart of a method of immunizing files against macro viruses according to an embodiment of the invention; and
Fig. 3 shows a structural diagram of an apparatus for immunizing files against macro viruses according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and its full scope conveyed to those skilled in the art.
With reference to Fig. 1, a flowchart of a method of immunizing files against macro viruses according to an embodiment of the invention is shown; the method may comprise:
Step 101: intercept a file behavior request of an Office process.
The interfaces that Windows exposes to developers are called APIs (application programming interfaces); every application-layer program is implemented by calling APIs, and Office software is no exception. That is, whether an Office macro virus behavior is being performed or a safe behavior such as Office's normal reading of a file, the Office process has to call the corresponding API. Put another way, a file behavior request of an Office process is a request to call an API.
APIs are usually packaged in DLLs (dynamic link libraries). When an application calls an API, the DLL containing that function is loaded into the process if it is not loaded already, the current environment (the registers, the return address of the call, and so on) is saved, and the program jumps to the API's entry address to execute the instructions there. Therefore, to have one's own function called before the real API, one can modify the code at the API's entry so that it first jumps to one's own function address, and then decide inside that function whether to call the original API function.
A hook is a link in the Windows message-handling chain used to monitor message passing within the system. The hook mechanism lets an application intercept and process window messages or particular events. A hook is in fact a program segment that handles messages; it is linked into the system through a system call. Whenever a particular message is sent, the hook program catches it before it reaches the target window, i.e. the hook function gets control first. At that point the hook function may process (modify) the message, pass it on untouched, or force its transmission to end.
Accordingly, the embodiment of the present invention can intercept the file behavior requests of an Office process on the principle of API hooking: the code at the entry of the relevant API is modified in advance, so that when the Office application issues a file behavior request, the corresponding API first jumps to the function address of the embodiment of the present invention, which thereby obtains the Office process's file behavior request.
Step 102: analyze the file behavior request to obtain information about the corresponding file behavior.
In practice, the file behavior request usually carries the parameters of an API call, so the step of analyzing the file behavior request to obtain information about the corresponding file behavior may comprise:
Sub-step S101: analyze the parameters of the API call carried in the file behavior request to obtain the information about the corresponding file behavior.
The information about the file behavior may comprise at least one of: file path, behavior name, share mode and file attributes; the file attributes may comprise at least one of: normal, read-only, hidden, encrypted and compressed.
Take the CreateFile function, the API used to create and open files:
HANDLE CreateFile(
    LPCTSTR lpFileName,                          // pointer to the file name
    DWORD dwDesiredAccess,                       // access mode (read/write)
    DWORD dwShareMode,                           // share mode
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,  // pointer to security attributes
    DWORD dwCreationDisposition,                 // how to create
    DWORD dwFlagsAndAttributes,                  // file attributes
    HANDLE hTemplateFile                         // handle to a file whose attributes are copied
);
If an application calls this API, its parameters must specify the file path, the behavior name (whether the file is written or read), the file share mode and so on; in other words, analyzing the API parameters yields a wealth of information about the corresponding file behavior.
The file-operation API above is only an example. In fact, besides file-operation APIs, the APIs intercepted by the embodiment of the present invention may also include other APIs, such as the registry API RegSetValue:
LONG RegSetValue(          // sets the default (unnamed) value of the given registry key
    HKEY hKey,             // handle to a currently open key, or a predefined handle value
    LPCTSTR lpSubKey,      // subkey whose default value is set; if NULL, the value of hKey itself is set
    DWORD dwType,          // type of the stored data
    LPCTSTR lpData,        // pointer to the data to store
    DWORD cbData           // size of the data, not including the terminating null character
);
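As an added example of sub-step S101 (this is illustrative code written for this page, not code from the patent), the Python below takes the parameters of an intercepted CreateFile or RegSetValue call and reduces them to the behavior information the patent names: path, behavior name, share mode and file attributes. The Win32 constant values are the documented ones; the record layout, the behavior names and the sample call are assumptions, and resolving an already-open HKEY handle to a key path is left out because it would need the hook to track RegOpenKey as well.

```python
import ntpath
from dataclasses import dataclass

# Win32 constants with their documented values.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE = 0x1, 0x2, 0x4
CREATE_NEW, CREATE_ALWAYS, OPEN_EXISTING, OPEN_ALWAYS, TRUNCATE_EXISTING = 1, 2, 3, 4, 5
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_NORMAL = 0x80
FILE_ATTRIBUTE_COMPRESSED = 0x800
FILE_ATTRIBUTE_ENCRYPTED = 0x4000
HKEY_CURRENT_USER = 0x80000001
HKEY_LOCAL_MACHINE = 0x80000002

# Attribute names in the order the patent lists them.
ATTRIBUTE_NAMES = (
    (FILE_ATTRIBUTE_NORMAL, "normal"),
    (FILE_ATTRIBUTE_READONLY, "read-only"),
    (FILE_ATTRIBUTE_HIDDEN, "hidden"),
    (FILE_ATTRIBUTE_ENCRYPTED, "encrypted"),
    (FILE_ATTRIBUTE_COMPRESSED, "compressed"),
)
SHARE_NAMES = ((FILE_SHARE_READ, "read"), (FILE_SHARE_WRITE, "write"), (FILE_SHARE_DELETE, "delete"))
HKEY_NAMES = {HKEY_CURRENT_USER: "HKEY_CURRENT_USER", HKEY_LOCAL_MACHINE: "HKEY_LOCAL_MACHINE"}


@dataclass(frozen=True)
class BehaviorInfo:
    """The file-behavior information extracted from one intercepted API call."""
    kind: str          # "file" or "registry"
    path: str          # normalised file path or registry key path
    behavior: str      # behavior name: "read", "write", "read/write", "create", "open", "set value"
    share_mode: tuple  # share flags by name (files only)
    attributes: tuple  # attribute flags by name (files only)


def analyze_createfile(lpFileName, dwDesiredAccess, dwShareMode,
                       dwCreationDisposition, dwFlagsAndAttributes):
    """Derive behavior info from the parameters of an intercepted CreateFile call."""
    wants_read = bool(dwDesiredAccess & GENERIC_READ)
    wants_write = bool(dwDesiredAccess & GENERIC_WRITE)
    if dwCreationDisposition in (CREATE_NEW, CREATE_ALWAYS, TRUNCATE_EXISTING):
        behavior = "create"          # the call produces or empties a file
    elif wants_read and wants_write:
        behavior = "read/write"
    elif wants_write:
        behavior = "write"
    elif wants_read:
        behavior = "read"
    else:
        behavior = "open"            # e.g. attribute-only access
    return BehaviorInfo(
        kind="file",
        path=ntpath.normpath(lpFileName).lower(),   # ntpath handles Windows paths on any host
        behavior=behavior,
        share_mode=tuple(name for flag, name in SHARE_NAMES if dwShareMode & flag),
        attributes=tuple(name for flag, name in ATTRIBUTE_NAMES if dwFlagsAndAttributes & flag),
    )


def analyze_regsetvalue(hKey, lpSubKey):
    """Derive behavior info from an intercepted RegSetValue call. dwType, lpData
    and cbData do not change the behavior name, so they are not needed here."""
    root = HKEY_NAMES.get(hKey, "<open key handle %#x>" % hKey)
    key = root if lpSubKey is None else ntpath.join(root, lpSubKey)
    return BehaviorInfo(kind="registry", path=key.lower(), behavior="set value",
                        share_mode=(), attributes=())


if __name__ == "__main__":
    # Constructed sample call: Word opening its template for read/write access.
    print(analyze_createfile(r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\normal.dot",
                             GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ,
                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_ATTRIBUTE_HIDDEN))
```

Normalising the path (case and separators) at this stage matters because everything downstream, template-file comparison, white and black lists, and the per-session file sets, is keyed on it.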
Step 103: use the information about the file behavior to judge whether the file behavior is a macro virus behavior.
The embodiment of the present invention can provide the following schemes for judging whether the file behavior is a macro virus behavior.
Judgment scheme 1
The step of using the information about the file behavior to judge whether the file behavior is a macro virus behavior may comprise:
Sub-step S201: match the information about the file behavior against the information of known macro virus behaviors; if the match succeeds, determine that the file behavior is a macro virus behavior.
In practice, known macro virus behaviors can be collected, and their information obtained by further analysis.
In one application example of the present invention, research on a large number of Microsoft Office macro virus samples yielded the following known macro virus behaviors:
1. Modifying the registry. Purpose: modify the security level setting in the registry so as to lower the security level, or write a startup item into the registry's startup entries so that the executable file to be released runs at startup.
2. Spreading behavior, which propagates by infecting templates, for example by writing files to the template directory. Different versions of Microsoft Office have different infection templates; for example, on Windows 7 under default settings:
the infection template file of Microsoft Word is C:\Users\[user name]\AppData\Roaming\Microsoft\Templates\normal.dot;
the infection template directories of Excel are C:\Users\[user name]\AppData\Roaming\Microsoft\Excel\xlstart and office11\xlstart under the Excel installation directory.
3. Infection risk: the malicious program opens a clean file and copies itself into it, sends mail containing the virus document to the user's mail contacts, and so on.
4. Behavior on outbreak, including:
4.1 popping up windows during certain time periods;
4.2 repeatedly copying worksheets, interfering with normal use of the software;
4.3 releasing an executable file, which may involve creating a file, writing the file, executing the file, etc.
It should be noted that the known macro virus behaviors above were obtained from research on Microsoft Office; they serve only as an example of the embodiment of the present invention and do not limit its implementation.
Analyzing the known macro virus behaviors above yields the information of known macro virus behaviors shown in Table 1, which may comprise two kinds of information: the name of each known macro virus behavior and its purpose.
Table 1
For the known macro virus behaviors numbered 1, 2 and 5 (setting the Office security level) in Table 1, judgment scheme 1 can be used.
In practice, the registry can be read in advance to obtain Office's template file and template directory; for example, on Windows 7 under default settings, Word's template file is C:\Users\[user name]\AppData\Roaming\Microsoft\Templates\normal.dot, and Excel's template directory is C:\Users\[user name]\AppData\Roaming\Microsoft\Excel\xlstart or office11\xlstart under Excel's installation directory.
Normally no document should be stored under Excel's template directory (the xlstart directory); therefore, if the information about the file behavior shows that the corresponding file behavior writes a file under the xlstart directory, the corresponding file behavior can be determined to be a macro virus behavior.
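As an added example of judgment scheme 1 and the allow/block rule from the summary (illustrative code for this page, not the patent's own), the Python below matches a reduced behavior record against the known behaviors that can be recognised from the request alone: writing the Word template, writing into an Excel xlstart directory, and the two registry purposes listed under behavior 1. The template locations are hard-coded here for a constructed user name and Office path, whereas the patent reads them from the registry; the registry key shapes (a key ending in `\Security`, and a `CurrentVersion\Run` key) are assumptions about how the two registry purposes would be recognised.

```python
import ntpath
from collections import namedtuple

# Reduced behavior record: what analysing the intercepted API parameters yields.
# kind is "file" or "registry"; writes says whether the request modifies the target.
Behavior = namedtuple("Behavior", "kind path writes")


def norm(path):
    """Case-fold and normalise a Windows path or registry key for comparison."""
    return ntpath.normpath(path).lower()


# Constructed for this example: in the patent these locations are read from the
# registry in advance. The user name and Office install path are assumptions.
TEMPLATE_FILES = {norm(r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\normal.dot")}
TEMPLATE_DIRS = {
    norm(r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\xlstart"),
    norm(r"C:\Program Files\Microsoft Office\office11\xlstart"),
}

# Known macro virus behaviors that scheme 1 can match directly, as (name, predicate).
KNOWN_BEHAVIORS = (
    ("Office process modifies template file",
     lambda b: b.kind == "file" and b.writes and norm(b.path) in TEMPLATE_FILES),
    ("Office process writes file to template directory",
     lambda b: b.kind == "file" and b.writes and ntpath.dirname(norm(b.path)) in TEMPLATE_DIRS),
    ("Office process lowers security level in registry",      # assumed key shape
     lambda b: b.kind == "registry" and norm(b.path).endswith("\\security")),
    ("Office process writes startup item in registry",        # assumed key shape
     lambda b: b.kind == "registry" and "\\currentversion\\run" in norm(b.path)),
)


def match_known_behavior(behavior):
    """Sub-step S201: return the name of the first known behavior matched, or None."""
    for name, predicate in KNOWN_BEHAVIORS:
        if predicate(behavior):
            return name
    return None


def decide(behavior):
    """Apply the patent's rule to an intercepted request:
    'allow'  - the template-file modification, let through and checked at process exit;
    'block'  - any other matched macro virus behavior;
    'pass'   - not recognised by scheme 1 (scheme 2 or the list checks take over)."""
    name = match_known_behavior(behavior)
    if name is None:
        return "pass"
    if name == "Office process modifies template file":
        return "allow"
    return "block"


if __name__ == "__main__":
    sample = Behavior("file", r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\xlstart\book1.xls", True)
    print(match_known_behavior(sample), decide(sample))
```

Note that a read of the template file is not a match: the predicates require the request to write, which keeps Word's ordinary loading of normal.dot out of the detection path.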
Judgement scheme 2,
The described information utilizing described file behavior, judges that whether described file behavior is the step of macrovirus behavior, specifically can comprise:
Sub-step S301, information according to described file behavior, judge the existing file do not revised by Office process during described file behavior respective file is this computer run still by new file that Office process was revised;
Sub-step S302, the judged result of the information of described file behavior and described file behavior respective file to be mated with the information of known macrovirus behavior, if the match is successful, then determine that described file behavior is macrovirus behavior.
For sequence number in table 1 be 3 or 4 or the release of 5(Office process or the PE file revise) or the known macrovirus behavior of 6 correspondences, judgement scheme 2 judgement all can be used to obtain.
In the embodiment of the present invention, the key distinction of the new file that the existing file do not revised by Office process was still revised by Office process is, the former content was not revised by Office process, and the content of the latter was revised by Office process.Such as, user opens an existing Word document after this start, but this Word document not edited, namely the content of this Word document was not modified during this computer run yet, then this Word document during belonging to this computer run not by existing file that Office process was revised; And if user opens and edits certain Word document after this start, so no matter this Word document is new document or existing document, the content of this Word document was modified during this computer run, this causes this Word document and there occurs change, then by new file that Office process was revised during this Word document belongs to this computer run.
Take sequence number as the judgement of the known macrovirus behavior of 6, suppose that the behavior name of current file behavior is called the replication of Office process, then can judge the existing file do not revised by Office process during the source file of this replication is this computer run still by new file that Office process was revised; If by new file that Office process was revised during source file is this computer run, the new file revised by Office process during so corresponding file destination is also this computer run, then illustrate that this replication is the behavior of releasing virus file; On the contrary, if source file during being this computer run not by existing file that Office process was revised, so file destination during being also this computer run not by existing file that Office process was revised, the embodiment of the present invention when source file to be just present in computing machine before macrovirus outbreak and content does not send change, think that this source file is safe, think that the file destination after copying also is safe further, therefore the replication can determining in such cases not the behavior of releasing virus file.
In a preferred embodiment of the present invention, sub-step S301, judging from the information of the file behavior whether the file corresponding to the file behavior is an existing file not modified by the Office process or a new file modified by the Office process, may specifically comprise:
Sub-step S311: maintaining a first file set and a second file set; the first file set may specifically comprise the existing files not modified by the Office process during this boot session, and the second file set may specifically comprise the new files modified by the Office process during this boot session;
In specific implementations, various methods may be used to maintain the first and second file sets. For example, after the user boots the computer, the behavior of the Office process (whether caused by user operations or by anti-virus operations) may be monitored: if the Office process reads an existing file but does not modify its content, the file may be placed in the first file set; conversely, if the Office process modifies a file during this session, the file is placed in the second file set regardless of whether it was a new or an existing file. It should be noted that the first and second file sets may be maintained continuously according to the behavior of the Office process during this session, and may of course also be maintained while the embodiment of the present invention is being executed.
In a preferred embodiment of the present invention, the first and second file sets are valid only during the current boot session; that is, they take effect at boot and expire at shutdown.
It should be noted that the first and second file sets may also be used to track directories. For example, if a directory (the directory itself and the content under it) has not changed during this session, the directory may be placed in the first file set, and if a directory (the directory itself and the content under it) has changed during this session, it may be placed in the second file set, and so on.
Sub-step S312: judging, according to the information of the file behavior, whether the file corresponding to the file behavior is in the first file set or in the second file set;
Sub-step S313: when the file or directory corresponding to the file behavior is in the first file set, judging that the file corresponding to the file behavior is an existing file not modified by the Office process during this boot session;
Sub-step S314: when the file or directory corresponding to the file behavior is in the second file set, judging that the file corresponding to the file behavior is a new file modified by the Office process during this boot session.
Take the known macro virus behavior numbered 3 as an example. The behavior title of the current file behavior, the extension of the file it targets and the path of that file can all be obtained by the analysis in step 102. Suppose the behavior title is execution of a file by the Office process, the extension of the targeted file is .exe, and the path of the targeted file is found in the second file set; it can then be confirmed that the current file behavior is execution of a PE file released by the Office process, because a file released by the Office process is necessarily a new file.
It should be noted that, in the judgement of the known macro virus behaviors numbered 3, 4 and 5, the embodiment of the present invention avoids blocking third-party plug-ins by mistake, for the following main reason: a file released by a macro virus behavior is necessarily a new file and can be found in the second file set, whereas a third-party plug-in, when the Office program is opened, usually copies the PE files it requires from its own installation directory to a specific location such as the Office directory, and the files under the plug-in's installation directory are known in advance and have unmodified content. Therefore the judgement of known macro virus behaviors in the embodiment of the present invention excludes the behavior of third-party plug-ins and avoids blocking them by mistake.
Step 104: when the file behavior is the macro virus behavior of the Office process modifying a template file, allowing the intercepted file behavior request;
For example, Word's template files such as normal.dot or normal.dotm are regenerated each time a Word document is closed. A macro virus often uses the template file to release its macro script, but directly blocking the behavior of releasing the macro script easily causes Word to malfunction. Therefore, when the embodiment of the present invention judges such a macro virus behavior, it adopts the strategy of allowing the intercepted file behavior request.
In a preferred embodiment of the present invention, the method may further comprise:
Step S401: if the file behavior is the macro virus behavior of the Office process modifying a template file, then, when the Office process ends, judging whether the modified template file contains a macro, and if so, replacing the modified template file with a macro-free template file backed up in advance;
wherein the step of judging whether the modified template file contains a macro may specifically comprise:
Sub-step S411: opening the modified template file in binary form;
Sub-step S412: judging whether the binary content of the modified template file includes a macro marker; if so, judging that the modified template file contains a macro, otherwise judging that the modified template file contains no macro.
In the embodiment of the present invention, the macro-free template file may be obtained by backing it up in advance. For example, before the embodiment of the present invention is applied, it may be judged whether the template file on the local computer contains a macro; if not, the template file is backed up, and if so, it is deleted directly and not backed up.
As for how to judge whether the binary content of the modified template file includes a macro marker: in practice, for Normal.dot it may be judged whether the file contains the string _vba_project; if it does, Normal.dot carries a macro marker, and if not, it carries no macro marker. For Normal.dotm, since the file is itself a zip archive, it may be judged whether the decompressed archive contains a vbaProject.bin entry; if it does, Normal.dotm contains a macro, and if not, it carries no macro marker.
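The following is an added example illustrating step S401 together with sub-steps S411 and S412 and the two marker checks just described; it is written for this page and is not the patent's own implementation. The `_vba_project` string and the `vbaProject.bin` entry are the markers named in the text; everything else is an assumption: the marker is searched case-insensitively in both its byte form and its UTF-16LE form (an addition, since stream names in a .dot compound file are stored as UTF-16), the sample files are constructed stand-ins rather than real Word templates, and the backup path and the rule of refusing to restore from a backup that itself carries a macro are choices made here.

```python
import os
import shutil
import tempfile
import zipfile

# Markers from the description: Normal.dot carries the string "_vba_project" when a macro is present,
# and Normal.dotm is a zip package whose macro code lives in a vbaProject.bin entry.
DOT_MACRO_MARKER = b"_vba_project"
DOTM_MACRO_ENTRY = "vbaproject.bin"


def dot_has_macro(path):
    """Sub-steps S411/S412: open the template in binary form and search for the macro marker.
    Addition beyond the description: stream names inside a .dot compound file are stored as
    UTF-16LE, so the marker is also searched in that encoding, case-insensitively."""
    with open(path, "rb") as f:
        data = f.read().lower()
    return DOT_MACRO_MARKER in data or DOT_MACRO_MARKER.decode().encode("utf-16-le") in data


def dotm_has_macro(path):
    """Normal.dotm is a zip archive: a macro is present when any entry is named vbaProject.bin
    (Word keeps it at word/vbaProject.bin); the entry name is compared case-insensitively."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(name.rsplit("/", 1)[-1].lower() == DOTM_MACRO_ENTRY for name in z.namelist())


def template_has_macro(path):
    """Dispatch on the template type by extension."""
    return dotm_has_macro(path) if path.lower().endswith(".dotm") else dot_has_macro(path)


def backup_clean_template(template_path, backup_path):
    """Preparation described in the text: back the template up only if it has no macro;
    a template that already carries a macro is deleted and not backed up."""
    if template_has_macro(template_path):
        os.remove(template_path)
        return "deleted"
    shutil.copyfile(template_path, backup_path)
    return "backed_up"


def restore_template_if_infected(template_path, backup_path):
    """Step S401, run when the Office process ends: replace a macro-carrying template with the
    clean backup. Returns True when a replacement was made."""
    if not template_has_macro(template_path):
        return False
    if not os.path.isfile(backup_path) or template_has_macro(backup_path):
        raise RuntimeError("no clean backup available")   # constructed rule: never restore a suspect backup
    shutil.copyfile(backup_path, template_path)
    return True


def demo():
    """Constructed stand-in files (not real Word templates) exercising both detectors."""
    d = tempfile.mkdtemp()
    clean_dot, bad_dot = os.path.join(d, "Normal.dot"), os.path.join(d, "Normal_bad.dot")
    clean_dotm, bad_dotm = os.path.join(d, "Normal.dotm"), os.path.join(d, "Normal_bad.dotm")
    backup = os.path.join(d, "Normal_backup.dotm")
    with open(clean_dot, "wb") as f:          # compound-file magic plus an ordinary stream name
        f.write(b"\xd0\xcf\x11\xe0" + "WordDocument".encode("utf-16-le") + b"\x00" * 64)
    with open(bad_dot, "wb") as f:            # same, plus the VBA project stream name
        f.write(b"\xd0\xcf\x11\xe0" + "Macros_VBA_PROJECT".encode("utf-16-le"))
    with zipfile.ZipFile(clean_dotm, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(bad_dotm, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x01\x02")
    try:
        return {
            "clean_dot": template_has_macro(clean_dot),
            "bad_dot": template_has_macro(bad_dot),
            "clean_dotm": template_has_macro(clean_dotm),
            "bad_dotm": template_has_macro(bad_dotm),
            "backup": backup_clean_template(clean_dotm, backup),
            "restored": restore_template_if_infected(bad_dotm, backup),
            "bad_dotm_after": template_has_macro(bad_dotm),
        }
    finally:
        shutil.rmtree(d)
```

`demo()` builds the four sample templates in a temporary directory, backs up the clean .dotm, restores the macro-carrying .dotm from that backup at the point where the Office process would exit, and confirms the restored file no longer carries a macro.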
Step 105: when the file behavior is a macro virus behavior other than the behavior of the Office process modifying a template file, blocking the intercepted file behavior request.
If the analysis shows that the file behavior is a macro virus behavior other than the behavior of the Office process modifying a template file, the embodiment of the present invention may take corresponding blocking measures to prevent the user's computer from being harmed by the macro virus.
It should be noted that if the analysis shows that the file behavior is not a macro virus behavior, the intercepted file behavior request may be allowed.
As mentioned above, when a file behavior request of the Office process is executed by the Office application, the corresponding API first jumps to the function address of the embodiment of the present invention. Thus, when the intercepted file behavior request is to be blocked, only the function of the embodiment of the present invention is executed; when the intercepted file behavior request is to be allowed, then after the function of the embodiment of the present invention finishes, execution jumps to the original entry address of the API corresponding to the file behavior request so that the corresponding instructions are executed, for example a safe file-open behavior of the Office process. It should be noted that the embodiment of the present invention does not limit the specific manner in which an intercepted file behavior request is blocked or allowed.
Referring to Fig. 2, a flowchart of a method for immunizing a file macro virus according to an embodiment of the present invention is shown, which may specifically comprise:
Step 201: intercepting a file behavior request of the Office process;
Step 202: analyzing, according to the file behavior request, to obtain the information of the corresponding file behavior;
Step 203: judging, according to the information of the file behavior, whether the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during this boot session or a new file or directory modified by the Office process;
Step 204: matching the information of the file behavior together with the judgement result for the corresponding file against the information of known macro virus behaviors, and if the match succeeds, determining that the file behavior is a macro virus behavior;
Step 205: when the match fails, judging whether the file or directory corresponding to the file behavior is in the whitelist data set;
Step 206: when the file or directory corresponding to the file behavior is in the whitelist data set, determining that the file behavior is not a macro virus behavior;
Step 207: when the file or directory corresponding to the file behavior is not in the whitelist data set, judging whether the file or directory corresponding to the file behavior is in the blacklist data set;
Step 208: when the file or directory corresponding to the file behavior is in the blacklist data set, determining that the file behavior is a macro virus behavior;
Step 209: when the file or directory corresponding to the file behavior is not in the blacklist data set, judging whether the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during this boot session or a new file or directory modified by the Office process;
Step 210: when the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during this boot session, determining that the file behavior is not a macro virus behavior;
Step 211: when the file or directory corresponding to the file behavior is a new file or directory modified by the Office process during this boot session, determining that the file behavior is a macro virus behavior;
Step 212: when the file behavior is the macro virus behavior of the Office process modifying a template file, allowing the intercepted file behavior request;
Step 213: when the file behavior is a macro virus behavior other than the behavior of the Office process modifying a template file, blocking the intercepted file behavior request.
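The decision flow of Fig. 2 (steps 203 to 213), together with the maintenance of the first and second file sets from sub-steps S311 to S314 and the behavior-numbered examples given earlier (the dropped PE, the third-party plug-in, the copy of an unmodified file), as one added example written for this page; it is not the patent's or the assignee's code. Assumptions: the string labels for the six known behaviors are constructed, a behavior is represented by its title and targeted path as they would be recovered from the hooked API parameters, whitelist entries may be files, directories or extensions while blacklist entries are files or directories, a file the Office process never wrote during the session is treated as belonging to the first set, and all paths in the demo are invented. The Windows-specific `ntpath` module is used so the example runs on any platform.

```python
import ntpath
from collections import namedtuple
from dataclasses import dataclass, field

# Known macro virus behaviors, numbered as in the description; the string labels are constructed.
MODIFY_TEMPLATE, WRITE_TEMPLATE_DIR, EXEC_PE, EXEC_SCRIPT, MODIFY_REGISTRY, COPY_FILE = (
    "modify_template", "write_template_dir", "exec_pe", "exec_script", "modify_registry", "copy_file")
TEMPLATE_NAMES = {"normal.dot", "normal.dotm"}
ALLOW, BLOCK = "allow", "block"
# Behavior title plus the targeted path (the source file for a copy), as recovered from API parameters.
FileBehavior = namedtuple("FileBehavior", "name path")

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))   # Windows paths compare case-insensitively

def _covered(path, listing, with_ext=False):
    """True if the file itself, any ancestor directory or (whitelist only) its extension is listed."""
    p = _norm(path)
    if p in listing or (with_ext and ntpath.splitext(p)[1] in listing):
        return True
    parent = ntpath.dirname(p)
    while True:
        if parent in listing:
            return True
        nxt = ntpath.dirname(parent)
        if nxt == parent:           # reached the drive root
            return False
        parent = nxt

@dataclass
class Session:
    """Per-boot state: the two file sets of sub-step S311 plus the whitelist and blacklist data sets."""
    template_dir: str
    unmodified: set = field(default_factory=set)   # first set: pre-existing, not modified by Office
    modified: set = field(default_factory=set)     # second set: modified or created by Office
    whitelist: set = field(default_factory=set)    # files, directories or extensions such as ".txt"
    blacklist: set = field(default_factory=set)    # files or directories

    def office_read(self, path):     # Office opened a file without changing it: first set
        if _norm(path) not in self.modified:
            self.unmodified.add(_norm(path))

    def office_wrote(self, path):    # Office modified or created a file: second set, new or pre-existing
        self.unmodified.discard(_norm(path))
        self.modified.add(_norm(path))

    def file_state(self, path):      # sub-steps S312-S314; never written by Office means unmodified
        return "modified" if _covered(path, self.modified) else "unmodified"

def matches_known_behavior(s, b):
    """Step 204: behavior title plus the file-set judgement against the known behavior list."""
    p = _norm(b.path)
    if b.name == MODIFY_TEMPLATE:
        return ntpath.basename(p) in TEMPLATE_NAMES
    if b.name == WRITE_TEMPLATE_DIR:
        return _covered(p, {_norm(s.template_dir)})
    if b.name == MODIFY_REGISTRY:
        return True
    if b.name == EXEC_PE:       # behavior 3: a PE that Office itself released is in the second set
        return ntpath.splitext(p)[1] == ".exe" and s.file_state(p) == "modified"
    if b.name == COPY_FILE:     # behavior 6: copying a file Office wrote this session drops a virus file
        return s.file_state(p) == "modified"
    return False

def decide(s, b):
    """Steps 204-213 of Fig. 2. Returns (is_macro_virus, decision, reason)."""
    if matches_known_behavior(s, b):
        virus, reason = True, "known macro virus behavior"
    elif _covered(b.path, s.whitelist, with_ext=True):
        virus, reason = False, "whitelisted"
    elif _covered(b.path, s.blacklist):
        virus, reason = True, "blacklisted"
    elif s.file_state(b.path) == "unmodified":
        virus, reason = False, "existing file not modified by Office this session"
    else:
        virus, reason = True, "file modified by Office this session"
    if not virus:
        return False, ALLOW, reason
    if b.name == MODIFY_TEMPLATE:   # step 212: blocking template writes breaks Word; clean up at exit instead
        return True, ALLOW, reason + " (template write allowed, cleaned up when Office exits)"
    return True, BLOCK, reason      # step 213

def demo():
    """Constructed scenario with invented paths."""
    s = Session(template_dir=r"C:\Users\u\AppData\Roaming\Microsoft\Templates",
                whitelist={".txt"}, blacklist={_norm(r"C:\bad")})
    s.office_read(r"C:\Program Files\SomeAddin\addin.exe")       # plug-in's own pre-existing PE
    s.office_wrote(r"C:\Users\u\AppData\Local\Temp\drop.exe")    # PE written by Office this session
    s.office_wrote(r"C:\Users\u\AppData\Local\Temp\report.docx")
    return {
        "template": decide(s, FileBehavior(MODIFY_TEMPLATE, s.template_dir + r"\Normal.dotm")),
        "dropped_pe": decide(s, FileBehavior(EXEC_PE, r"C:\Users\u\AppData\Local\Temp\drop.exe")),
        "addin_pe": decide(s, FileBehavior(EXEC_PE, r"C:\Program Files\SomeAddin\addin.exe")),
        "copy_existing": decide(s, FileBehavior(COPY_FILE, r"C:\Users\u\Documents\old.doc")),
        "blacklisted": decide(s, FileBehavior("open_file", r"C:\bad\x.doc")),
        "text": decide(s, FileBehavior("open_file", r"C:\Users\u\Documents\notes.txt")),
        "edited_doc": decide(s, FileBehavior("open_file", r"C:\Users\u\AppData\Local\Temp\report.docx")),
    }
```

The `addin_pe` case shows the plug-in exclusion described above: the PE was read but never written by the Office process, so it sits in the first set and behavior 3 does not match, while the same execution of `drop.exe`, which the Office process wrote, is blocked. The `edited_doc` case follows step 211 literally: an otherwise unknown behavior on a file the Office process modified this session is classified as a macro virus behavior.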
In the embodiment of the present invention, the whitelist data set may be used to represent files or directories that the user or the server has specified as determined by the user to be free of threats (all files in such a directory are regarded as trusted by the user); these are not referenced during scanning or monitoring, and their scan results are ignored. The whitelist data set may be obtained from settings made by the client user, or by collecting the whitelist data sets of many clients at the server and synchronizing them to the clients. Usually the whitelist data set records entries at file level, so that whether a file is safe can be queried by file name, by the hash value of the file, and so on. In addition, it should be noted that the whitelist data set may be used both to verify the safety of specific files and directories and to verify the safety of file extensions; for example, the user may put the extension ".txt" of text files or the extensions ".jpg/.bmp" of picture files in the whitelist, and may also put a specific text file or directory in the whitelist data set.
Likewise, the blacklist data set may be used to represent files or directories that the user or the server has specified as determined to pose a threat; these are referenced during scanning or monitoring, and their scan results are ignored. The whitelist data set may be obtained from settings made by the client user, or by collecting the whitelist data sets of many clients at the server and synchronizing them to the clients.
Referring to Fig. 3, a structural diagram of a device for immunizing a file macro virus according to an embodiment of the present invention is shown, which may specifically comprise:
a request interception module 301, adapted to intercept a file behavior request of an Office process;
a request analysis module 302, adapted to analyze, according to the file behavior request, to obtain the information of the corresponding file behavior;
a macro virus judging module 303, adapted to judge, using the information of the file behavior, whether the file behavior is a macro virus behavior;
a first processing module 304, adapted to allow the intercepted file behavior request when the file behavior is the macro virus behavior of the Office process modifying a template file; and
a second processing module 305, adapted to block the intercepted file behavior request when the file behavior is a macro virus behavior other than the behavior of the Office process modifying a template file.
In a preferred embodiment of the present invention, the request analysis module 302 may specifically be adapted to analyze the parameters of the application programming interface (API) carried in the file behavior request to obtain the information of the corresponding file behavior; the information of the file behavior may comprise at least one or more of the following: file path, behavior title, sharing mode and file attributes; and the file attributes may comprise at least one or more of the following: normal, read-only, hidden, encrypted and compressed.
In another preferred embodiment of the present invention, the macro virus judging module 303 may specifically comprise:
a first matching submodule, adapted to match the information of the file behavior against the information of known macro virus behaviors, and if the match succeeds, to determine that the file behavior is a macro virus behavior.
In another preferred embodiment of the present invention, the macro virus judging module 303 may specifically comprise:
a file information judging submodule, adapted to judge, according to the information of the file behavior, whether the file corresponding to the file behavior is an existing file not modified by the Office process during this boot session or a new file modified by the Office process; and
a second matching submodule, adapted to match the information of the file behavior together with the judgement result for the corresponding file against the information of known macro virus behaviors, and if the match succeeds, to determine that the file behavior is a macro virus behavior.
In a preferred embodiment of the present invention, the first processing module 304 may further comprise:
a macro processing submodule, adapted to judge, when the file behavior is the macro virus behavior of the Office process modifying a template file and the Office process ends, whether the modified template file contains a macro, and if so, to replace the modified template file with a macro-free template file backed up in advance;
The device may then further comprise a macro judging module adapted to judge whether the modified template file contains a macro, and the macro judging module may specifically comprise:
an opening submodule, adapted to open the modified template file in binary form; and
a macro marker judging submodule, adapted to judge whether the binary content of the modified template file includes a macro marker, and if so, to judge that the modified template file contains a macro, otherwise to judge that the modified template file contains no macro.
In a preferred embodiment of the present invention, the device may further comprise:
a whitelist data set judging module, adapted to judge, when the match fails, whether the file or directory corresponding to the file behavior is in the whitelist data set;
a first whitelist data set processing module, adapted to determine that the file behavior is not a macro virus behavior when the file or directory corresponding to the file behavior is in the whitelist data set;
a second whitelist data set processing module, adapted to judge, when the file or directory corresponding to the file behavior is not in the whitelist data set, whether the file or directory corresponding to the file behavior is in the blacklist data set;
a first blacklist data set processing module, adapted to determine that the file behavior is a macro virus behavior when the file or directory corresponding to the file behavior is in the blacklist data set;
a second blacklist data set processing module, adapted to judge, when the file or directory corresponding to the file behavior is not in the blacklist data set, whether the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during this boot session or a new file or directory modified by the Office process; and
a file processing module, adapted to determine that the file behavior is not a macro virus behavior when the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during this boot session, and to determine that the file behavior is a macro virus behavior when the file or directory corresponding to the file behavior is an existing file or directory that the Office process has operated on.
In another preferred embodiment of the present invention, the file information judging submodule may specifically comprise:
a file set maintenance unit, adapted to maintain a first file set and a second file set; the first file set may specifically comprise the existing files not modified by the Office process during this boot session, and the second file set may specifically comprise the new files modified by the Office process during this boot session;
a file set judging unit, adapted to judge, according to the file path of the file behavior, whether the file corresponding to the file behavior is in the first file set or in the second file set; to judge that the file corresponding to the file behavior is an existing file not modified by the Office process during this boot session when the file or directory corresponding to the file behavior is in the first file set; and to judge that the file corresponding to the file behavior is a new file modified by the Office process during this boot session when the file or directory corresponding to the file behavior is in the second file set.
In another preferred embodiment of the present invention, the known macro virus behaviors may comprise at least one or more of the following: the behavior of the Office process modifying a template file, the behavior of the Office process writing a file to the template directory, the Office process executing an executable file released by the Office process, the Office process executing a script file released by the Office process, the behavior of the Office process modifying the registry, and the behavior of the Office process copying a file.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and that the description given above of a specific language is provided to disclose the best mode of the present invention.
In the specification provided herein, a large number of specific details are described. However, it can be understood that embodiments of the present invention may be practiced without these specific details. In some instances, known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to help the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the present invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art can understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may moreover be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art can understand that although some embodiments described herein include certain features that are included in other embodiments but not other features, combinations of the features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to the embodiment of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, or provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of multiple such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.

Claims (16)

1. A method for immunizing a file macro virus, characterized in that it comprises:
intercepting a file behavior request of an Office process;
analyzing, according to the file behavior request, to obtain the information of the corresponding file behavior;
judging, using the information of the file behavior, whether the file behavior is a macro virus behavior;
when the file behavior is the macro virus behavior of the Office process modifying a template file, allowing the intercepted file behavior request;
when the file behavior is a macro virus behavior other than the behavior of the Office process modifying a template file, blocking the intercepted file behavior request;
wherein the method further comprises:
if the file behavior is the macro virus behavior of the Office process modifying a template file, then, when the Office process ends, judging whether the modified template file contains a macro, and if so, replacing the modified template file with a macro-free template file backed up in advance.
2. The method according to claim 1, characterized in that the step of analyzing, according to the file behavior request, to obtain the information of the corresponding file behavior comprises:
analyzing the parameters of the application programming interface (API) carried in the file behavior request to obtain the information of the corresponding file behavior;
wherein the information of the file behavior comprises at least one or more of the following: file path, behavior title, sharing mode and file attributes; and the file attributes comprise at least one or more of the following: normal, read-only, hidden, encrypted and compressed.
3. The method according to claim 1, characterized in that the step of judging, using the information of the file behavior, whether the file behavior is a macro virus behavior comprises:
matching the information of the file behavior against the information of known macro virus behaviors, and if the match succeeds, determining that the file behavior is a macro virus behavior.
4. The method according to claim 1, characterized in that the step of judging, using the information of the file behavior, whether the file behavior is a macro virus behavior comprises:
judging, according to the information of the file behavior, whether the file corresponding to the file behavior is an existing file not modified by the Office process during this boot session or a new file modified by the Office process;
matching the information of the file behavior together with the judgement result for the corresponding file against the information of known macro virus behaviors, and if the match succeeds, determining that the file behavior is a macro virus behavior.
5. The method according to claim 1 or 2, characterized in that the step of judging whether the modified template file contains a macro comprises:
opening the modified template file in binary form;
judging whether the binary content of the modified template file includes a macro marker, and if so, judging that the modified template file contains a macro, otherwise judging that the modified template file contains no macro.
6. The method according to claim 3 or 4, characterized in that it further comprises:
when the match fails, judging whether the file or directory corresponding to the file behavior is in the whitelist data set;
when the file or directory corresponding to the file behavior is in the whitelist data set, determining that the file behavior is not a macro virus behavior;
when the file or directory corresponding to the file behavior is not in the whitelist data set, judging whether the file or directory corresponding to the file behavior is in the blacklist data set;
when the file or directory corresponding to the file behavior is in the blacklist data set, determining that the file behavior is a macro virus behavior;
when the file or directory corresponding to the file behavior is not in the blacklist data set, judging whether the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during this boot session or a new file or directory modified by the Office process;
when the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during this boot session, determining that the file behavior is not a macro virus behavior;
when the file or directory corresponding to the file behavior is a new file or directory modified by the Office process during this boot session, determining that the file behavior is a macro virus behavior.
7. The method according to claim 4, characterized in that the step of judging, according to the information of the file behavior, whether the file corresponding to the file behavior is an existing file not modified by the Office process during this boot session or a new file modified by the Office process comprises:
maintaining a first file set and a second file set, wherein the first file set comprises the existing files not modified by the Office process during this boot session, and the second file set comprises the existing files that the Office process has operated on;
judging, according to the information of the file behavior, whether the file corresponding to the file behavior is in the first file set or in the second file set;
when the file corresponding to the file behavior is in the first file set, judging that the file corresponding to the file behavior is an existing file not modified by the Office process during this boot session;
when the file corresponding to the file behavior is in the second file set, judging that the file corresponding to the file behavior is a new file modified by the Office process during this boot session.
8. The method according to claim 3 or 4, characterized in that the known macro virus behaviors comprise at least one or more of the following: the behavior of the Office process modifying a template file, the behavior of the Office process writing a file to the template directory, the Office process executing an executable file released by the Office process, the Office process executing a script file released by the Office process, the behavior of the Office process modifying the registry, and the behavior of the Office process copying a file.
9. A device for immunizing file macroviruses, characterized in that it comprises:
a request interception module, adapted to intercept a file behavior request of an Office process;
a request analysis module, adapted to analyze the file behavior request to obtain the information of the corresponding file behavior;
a macrovirus judgment module, adapted to use the information of the file behavior to judge whether the file behavior is a macrovirus behavior;
a first processing module, adapted to allow the intercepted file behavior request when the file behavior is the macrovirus behavior of the Office process modifying a template file; and
a second processing module, adapted to block the intercepted file behavior request when the file behavior is a macrovirus behavior other than the Office process modifying a template file;
wherein the first processing module further comprises:
a macro processing submodule, adapted to, when the file behavior is the macrovirus behavior of the Office process modifying a template file and the Office process has ended, judge whether the modified template file carries a macro, and if so, replace the modified template file with a macro-free template file backed up in advance.
10. The device according to claim 9, characterized in that the request analysis module is specifically adapted to analyze the parameters of the application programming interface (API) carried in the file behavior request to obtain the information of the corresponding file behavior; the information of the file behavior comprises at least one or more of the following: file path, behavior name, sharing mode and file attributes; and the file attributes comprise at least one or more of the following attributes: normal, read-only, hidden, encrypted and compressed.
11. The device according to claim 9, characterized in that the macrovirus judgment module comprises:
a first matching submodule, adapted to match the information of the file behavior against the information of known macrovirus behaviors and, if the match succeeds, determine that the file behavior is a macrovirus behavior.
12. The device according to claim 9, characterized in that the macrovirus judgment module comprises:
a file information judgment submodule, adapted to judge, according to the information of the file behavior, whether the file corresponding to the file behavior is an existing file not modified by the Office process during the current run of the computer or a new file modified by the Office process; and
a second matching submodule, adapted to match the information of the file behavior together with the judgment result for the corresponding file against the information of known macrovirus behaviors and, if the match succeeds, determine that the file behavior is a macrovirus behavior.
13. The device according to claim 9 or 10, characterized in that
the device further comprises a macro judgment module adapted to judge whether the modified template file carries a macro, the macro judgment module comprising:
an opening submodule, adapted to open the modified template file in binary form; and
a macro mark judgment submodule, adapted to judge whether the binary content of the modified template file contains a macro mark, and if so, determine that the modified template file carries a macro, otherwise determine that the modified template file carries no macro.
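The binary check of claim 13 and the exit-time restore performed by the macro processing submodule of claim 9, as an added Python example; this is not code from the patent or its assignee. The patent does not say what the "macro mark" is, so the markers below are assumptions: for legacy OLE templates, the UTF-16LE directory-entry names "_VBA_PROJECT" and "Macros"; for OOXML templates, a zip part whose name ends in "vbaProject.bin". The sample templates are constructed stand-ins, not real Office files.

```python
"""Judge whether a modified Office template carries a macro by inspecting its
binary content, and restore the macro-free backup if it does.

Added example modelling claims 9 and 13; not the patent's or Qihoo's code.
The patent does not name the "macro mark", so two assumed markers are used:
  * legacy OLE templates (.dot): a VBA project is stored under directory
    entries whose UTF-16LE names include "_VBA_PROJECT" or "Macros";
  * OOXML templates (.dotm/.xltm/.potm): the project is a zip part whose
    name ends in "vbaProject.bin".
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # local file header of a zip

# Assumed OLE markers, encoded as they appear in the directory entries.
OLE_MACRO_MARKERS = tuple(s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros"))
# Assumed OOXML marker: the VBA project part name (case-insensitive suffix).
OOXML_MACRO_SUFFIX = "vbaproject.bin"


def template_has_macro(data: bytes) -> bool:
    """Open the template content in binary form and look for a macro mark."""
    if data.startswith(ZIP_MAGIC):
        # OOXML container: inspect the part names rather than the raw bytes,
        # because the parts themselves are compressed.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith(OOXML_MACRO_SUFFIX) for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    # Legacy OLE container (or unknown content): directory entry names are
    # stored as UTF-16LE, so a raw scan for the encoded names finds them.
    return any(marker in data for marker in OLE_MACRO_MARKERS)


def restore_if_infected(modified_template: bytes, clean_backup: bytes) -> bytes:
    """Applied when the Office process ends (claim 9): keep the modified
    template unless it now carries a macro, in which case the content to be
    written back is the macro-free copy backed up in advance."""
    return clean_backup if template_has_macro(modified_template) else modified_template


# Constructed sample templates (minimal stand-ins, not real Office files).

def make_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed VBA project blob")
    return buf.getvalue()


def make_ole(with_macro: bool) -> bytes:
    body = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
    if with_macro:
        body += b"\x00" * 8 + "_VBA_PROJECT".encode("utf-16-le")
    return body + b"\x00" * 64


if __name__ == "__main__":
    samples = (("ooxml+macro", make_ooxml(True)), ("ooxml", make_ooxml(False)),
               ("ole+macro", make_ole(True)), ("ole", make_ole(False)))
    for label, blob in samples:
        print(f"{label:12s} macro={template_has_macro(blob)}")
```

A raw byte scan of an OLE file, as in the claim, can be fooled by a document that merely embeds the marker string in its text; a production check would parse the compound-file directory and look for the VBA storage itself, which is why the OOXML branch inspects part names instead of bytes.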
14. The device according to claim 11 or 12, characterized in that it further comprises:
a white list data set judgment module, adapted to judge, when the match fails, whether the file or directory corresponding to the file behavior is in the white list data set;
a first white list data set processing module, adapted to determine that the file behavior is not a macrovirus behavior when the file or directory corresponding to the file behavior is in the white list data set;
a second white list data set processing module, adapted to judge, when the file or directory corresponding to the file behavior is not in the white list data set, whether the file or directory corresponding to the file behavior is in the black list data set;
a first black list data set processing module, adapted to determine that the file behavior is a macrovirus behavior when the file or directory corresponding to the file behavior is in the black list data set;
a second black list data set processing module, adapted to judge, when the file or directory corresponding to the file behavior is not in the black list data set, whether the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during the current run of the computer or a new file or directory modified by the Office process; and
a file processing module, adapted to determine that the file behavior is not a macrovirus behavior when the file or directory corresponding to the file behavior is an existing file or directory not modified by the Office process during the current run of the computer, and to determine that the file behavior is a macrovirus behavior when the file or directory corresponding to the file behavior is a new file or directory modified by the Office process during the current run of the computer.
15. The device according to claim 11, characterized in that the file information judgment submodule comprises:
a file set maintenance unit, adapted to maintain a first file set and a second file set, the first file set comprising the existing files not modified by the Office process during the current run of the computer, and the second file set comprising the new files modified by the Office process during the current run of the computer; and
a file set judgment unit, adapted to judge, according to the file path of the file behavior, whether the file corresponding to the file behavior is in the first file set or in the second file set; when the file or directory corresponding to the file behavior is in the first file set, to determine that the file is an existing file not modified by the Office process during the current run of the computer; and when the file or directory corresponding to the file behavior is in the second file set, to determine that the file is a new file modified by the Office process during the current run of the computer.
16. The device according to claim 11 or 12, characterized in that the known macrovirus behaviors comprise at least one or more of the following behaviors: the Office process modifying a template file, the Office process writing a file to the template directory, the Office process executing an executable file released by the Office process, the Office process executing a script file released by the Office process, the Office process modifying the registry, and the Office process copying a file.
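The judgment cascade of claims 14 and 15 together with the known macrovirus behaviors of claims 8 and 16, as an added Python model; it is not code from the patent or its assignee. The behavior names, the FileBehavior record that stands in for the parsed API parameters of claim 10, the process names and every path in the policy sets are constructed assumptions, and the model treats a file as "released" by the Office process when it is in the second file set.

```python
"""Macro-virus judgement cascade of claims 8 and 14-16, modelled in Python.

Added example; not the patent's or Qihoo's implementation. Behaviour names,
path conventions, policy sets and the FileBehavior record are assumptions
standing in for the API parameters parsed under claim 10.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set
import ntpath


class Verdict(Enum):
    ALLOW = "allow"                    # not a macro-virus behaviour
    ALLOW_TEMPLATE = "allow-template"  # template modification: allowed, template checked when Office exits
    BLOCK = "block"                    # macro-virus behaviour other than template modification


@dataclass(frozen=True)
class FileBehavior:
    """Information parsed from one intercepted file behaviour request."""
    process: str            # image name of the requesting process
    behavior: str           # write | create | execute | copy | registry-write
    path: str               # target path (a registry key for registry-write)
    existed_before: bool    # whether the target existed before this request
    share_mode: int = 0
    attributes: frozenset = frozenset()   # e.g. {"read-only", "hidden"}


# Constructed policy data (assumed paths and names, not from the patent).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMPLATE_FILES = {r"c:\users\alice\appdata\roaming\microsoft\templates\normal.dotm"}
TEMPLATE_DIRS = {r"c:\users\alice\appdata\roaming\microsoft\templates"}
WHITELIST_DIRS = {r"c:\users\alice\documents"}
BLACKLIST_DIRS = {r"c:\users\alice\appdata\roaming\microsoft\word\startup"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".bat", ".cmd", ".ps1")
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def _norm(path: str) -> str:
    return ntpath.normcase(ntpath.normpath(path))


def _under(path: str, directory: str) -> bool:
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


class FileSets:
    """Per-run file sets of claim 15: `untouched` holds files that existed
    before Office touched them this run, `office_written` the files the
    Office process created or modified this run (its "released" files)."""

    def __init__(self) -> None:
        self.untouched: Set[str] = set()
        self.office_written: Set[str] = set()

    def classify(self, path: str, existed_before: bool) -> str:
        p = _norm(path)
        if p in self.office_written:
            return "office-written"
        if existed_before:
            self.untouched.add(p)
            return "existing-unmodified"
        return "office-written"   # brand-new file being created by Office

    def record_write(self, path: str) -> None:
        p = _norm(path)
        self.untouched.discard(p)
        self.office_written.add(p)


def match_known_behavior(b: FileBehavior, sets: FileSets) -> Optional[str]:
    """Claims 8 and 16: name of the matched known macro-virus behaviour, or None."""
    p = _norm(b.path)
    if b.behavior == "registry-write":
        return "edit-registry"
    if b.behavior == "copy":
        return "copy-file"
    if b.behavior in ("write", "create"):
        if p in {_norm(t) for t in TEMPLATE_FILES}:
            return "modify-template"
        if any(_under(p, d) for d in TEMPLATE_DIRS):
            return "write-template-dir"
    if b.behavior == "execute" and p in sets.office_written:
        if p.endswith(EXECUTABLE_EXTENSIONS):
            return "execute-released-executable"
        if p.endswith(SCRIPT_EXTENSIONS):
            return "execute-released-script"
    return None


def judge(b: FileBehavior, sets: FileSets) -> Verdict:
    """Claims 9 and 14: decide whether the intercepted request is allowed."""
    if ntpath.basename(b.process).lower() not in OFFICE_PROCESSES:
        return Verdict.ALLOW        # modelling convenience: only Office requests are in scope
    matched = match_known_behavior(b, sets)
    if matched == "modify-template":
        return Verdict.ALLOW_TEMPLATE
    if matched is not None:
        return Verdict.BLOCK
    # No known-behaviour match: white list, then black list, then file sets.
    if any(_under(b.path, d) for d in WHITELIST_DIRS):
        verdict = Verdict.ALLOW
    elif any(_under(b.path, d) for d in BLACKLIST_DIRS):
        verdict = Verdict.BLOCK
    elif sets.classify(b.path, b.existed_before) == "existing-unmodified":
        verdict = Verdict.ALLOW
    else:
        verdict = Verdict.BLOCK
    if verdict is Verdict.ALLOW and b.behavior in ("write", "create"):
        sets.record_write(b.path)   # maintain the second file set
    return verdict


if __name__ == "__main__":
    s = FileSets()
    tmp = r"C:\Users\alice\AppData\Local\Temp\helper.vbs"   # constructed path
    print(judge(FileBehavior("winword.exe", "write", tmp, True), s))     # ALLOW, now in set 2
    print(judge(FileBehavior("winword.exe", "execute", tmp, True), s))   # BLOCK: released script
```

Because the second file set records every file the Office process has already written during the run, a later behavior on such a file outside the white list is judged a macrovirus behavior, exactly as claims 14 and 15 state; ordinary user documents therefore rely on the white list, and template edits are allowed and deferred to the exit-time macro check.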
Priority Applications (1)

Application Number: CN201210545944.8A
Priority Date: 2012-12-14
Filing Date: 2012-12-14
Title: Method and device for immunizing file macro virus
Status: Active
Publication: CN103034809B (en)

Publications (2)

Publication Number   Publication Date
CN103034809A (en)    2013-04-10
CN103034809B (en)    2015-06-10

Family

ID=48021695

Country Status (1)

Country Link
CN (1) CN103034809B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106446684B (en) * 2016-09-22 2019-12-03 武汉斗鱼网络科技有限公司 A kind of network account guard method and system based on password control
CN109960933A (en) * 2017-12-26 2019-07-02 北京安天网络安全技术有限公司 Means of defence, system and the terminal device of document

Citations (1)

Publication number Priority date Publication date Assignee Title
CN102024113A (en) * 2010-12-22 2011-04-20 北京安天电子设备有限公司 Method and system for quickly detecting malicious code

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
WO2008039241A1 (en) * 2006-04-21 2008-04-03 Av Tech, Inc Methodology, system and computer readable medium for detecting and managing malware threats

Non-Patent Citations (1)

Title
"Virus detection algorithm based on immune associative memory" (基于免疫联想记忆的病毒检测算法); 虞震 (Yu Zhen) et al.; 中国科学技术大学学报 (Journal of University of Science and Technology of China); 2004-04-30; Vol. 34, No. 2; pp. 246-252 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

TR01 Transfer of patent right
Effective date of registration: 20220725
Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015
Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Qizhi software (Beijing) Co.,Ltd.