CN103996005A - Method for monitoring starting of terminal equipment - Google Patents

Method for monitoring starting of terminal equipment

Info

Publication number
CN103996005A
Authority
CN
China
Prior art keywords
boot device
disk file
file
scanning
disk
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN201410245479.5A
Other languages
Chinese (zh)
Inventor
毛力
Current Assignee
SICHUAN JIUCHENG INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SICHUAN JIUCHENG INFORMATION TECHNOLOGY Co Ltd
Priority date
2014-06-05
Filing date
2014-06-05
Publication date
2014-08-20

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention provides a method for monitoring starting of terminal equipment. The method includes the steps of scanning a disk to determine whether a disk file has viruses, scanning firmware to determine whether firmware starting information is legal, and outputting the scanning results of the disk file and the firmware starting information. Safe starting of the terminal equipment is achieved through scanning and monitoring.

Description

Method for monitoring the startup of a terminal device
Technical field
The present invention relates to the field of computers, in particular to the startup of terminal devices, and more particularly to a method for monitoring the startup of a terminal device.
Background art
A computer virus in the broad sense is a man-made program, or set of instructions, that can replicate itself and that damages computer resources; the term covers a whole series of programs and code written with harmful intent, such as Trojan horses, macro viruses and network worms. Computer viruses are many and varied and differ in their characteristics, but their principal features can be summarized as: executability (being a program), infectiousness, concealment, latency, triggerability, destructiveness, aggressiveness, targeting, parasitism (dependency), unpredictability, deceptiveness, persistence, and so on.
Security problems do not arise only in the operating system; an increasing number of attacks now target the BIOS. The characteristic of a BIOS attack is that the attack code is present from the pre-boot phase onward. Because the BIOS runs before the operating system, attack code resident in the BIOS can continue to act after the system has started, is effective for the whole power-on cycle, and leaves no trace of the attack on the hard disk. Such attack code usually does not reside in any hard disk sector but waits for the system to start in order to do its damage. Whether the same operating system or a different one is installed, the attack code remains, can re-infect and can be deployed again. A BIOS attack is independent of the operating system and is directly related only to the BIOS, so BIOS attack code does not disappear when the operating system is replaced or reinstalled; it still propagates and infects in its original way and is difficult to detect. Because it is hard to find any trace of such an attack on the hard disk, ordinary anti-virus software has difficulty detecting this kind of attack code accurately.
Anti-virus software can effectively protect the operating system from damage by computer viruses, and has therefore become an almost indispensable security tool on every computer. However, because of the instability of the operating system itself and the restrictions imposed by the position at which it starts, some computer viruses can load and hide themselves before the operating system starts, so that they cannot be found in time once the operating system is running; some viruses attach directly to kernel processes of the operating system and cannot be thoroughly removed by anti-virus software even when they are found; and some viruses can paralyze the operating system outright, so that anti-virus software running inside the operating system cannot start at all. This failure of anti-virus software, caused by the operating system's own defects and restrictions, cannot be fundamentally resolved by the traditional "PC/AT" style of automatic startup.
Current research on anti-virus software is also mainly concerned with how to improve the speed and the disinfection capability of anti-virus software. One existing document analyzes the working principle of file-infecting virus detection engines and the behavioral characteristics of viruses, proposes improvement strategies for virus detection based on those behavioral characteristics, and finally presents a method that improves the virus detection engine by detecting virus behavior. Another document analyzes the main current virus detection methods and their problems and proposes a virus detection method based on a BP neural network. A further approach combines the problem of computer virus prevention with the immune system: it proposes a virus detection method based on artificial immunity, gives representations of self, non-self, antigen, immune cells and so on in computer software, and implements immune mechanisms such as negative selection and clonal selection. Other methods adopt the network cloud anti-virus technology that has become popular in recent years, in which multiple anti-virus engines are combined on the server side to examine suspicious files submitted by users.
In particular, with the gradual strengthening of environmental awareness, water quality management and protection have attracted wider attention; online water quality instruments have developed accordingly, and online monitoring systems have emerged. Because online monitoring is carried out in real time, the requirements placed on the hardware and software of the online monitoring computer equipment keep rising, and in particular data transmission and sharing within the whole monitoring system must be implemented over a network. But network access inevitably exposes the equipment to intrusion by computer viruses, and once an online monitoring computer terminal is infected the loss suffered is enormous. There is therefore an urgent need to monitor the computer terminal at the time it starts, so as to prevent trouble before it happens.
Most current research is directed at virus detection methods and detection mechanisms. Although these can improve the performance of anti-virus software, all of them are implemented with the operating system as their carrier and do not fundamentally change the dependence of anti-virus software on the operating system: once the operating system has crashed or cannot start normally, none of this anti-virus software can work normally. It is therefore necessary to implement virus scanning that runs in the pre-boot phase, before the operating system, uses the feature code (signature) method as its main virus detection method, and performs a virus scan of all disk files together with a scan of the firmware boot information.
Summary of the invention
To solve the technical problem of existing anti-virus software being rendered ineffective by the operating system's own defects and restrictions, the invention provides a method for monitoring the startup of a terminal device, the method comprising: scanning the disk to determine whether disk files contain viruses; scanning the firmware to determine whether the firmware boot information is legitimate; and outputting the scan results for the disk files and the firmware boot information.
Preferably, scanning the disk to determine whether disk files contain viruses comprises: reading the disk file directory; reading each disk file in turn according to the disk file directory, and performing the following processing on each disk file read:
determining the file type of the disk file, entering a different scanning branch according to the file type, scanning the file of that type in its scanning branch to determine whether the disk file read contains a virus, and recording the scan result for each disk file read in a disk-file scan result list.
Preferably, determining the file type of the disk file comprises: parsing the file header of each disk file read, and determining the file type of the disk file from the file header of each disk file read.
Preferably, determining whether each disk file read contains a virus comprises: comparing each disk file read with the virus signatures in the virus database; a disk file that matches successfully is a virus-infected disk file, and a disk file that does not match is a safe disk file.
Preferably, scanning the firmware to determine whether the firmware boot information is legitimate comprises: reading the boot device information directory; reading each item of boot device information in turn according to the boot device information directory, and performing the following processing on each item read:
extracting the boot device type and attribute information from the boot device information, determining from the boot device type and attribute information whether the boot device corresponding to each item of boot device information read is a legitimate boot device, and recording the scan result for each item of boot device information read in a boot-device information scan result list.
Preferably, determining from the boot device type and attribute information whether the boot device corresponding to each item of boot device information read is an authorized boot device comprises: if the boot device type is legitimate and the attribute information is legitimate, the boot device corresponding to that boot device information is a legitimate boot device; otherwise it is an illegitimate boot device.
Preferably, outputting the scan results for the disk files and the firmware boot information comprises: outputting the disk-file scan result list, and outputting the boot-device information scan result list.
Because the method for monitoring the startup of a terminal device provided by this application is independent of the operating system, it fundamentally solves the series of security problems that arise from the restrictions of the operating system itself. Not being restricted by the operating system, it can also be conveniently ported to other operating system platforms. By reading the values of the system firmware's global variables it obtains the information of all boot entries, analyzes that information for potential security threats in the boot entries, issues a timely early warning of startup threats, and thereby safeguards the integrity of the whole security system.
Brief description of the drawings
The accompanying drawing is included to provide a further understanding of the invention; it forms part of the specification and, together with the specification, serves to explain the principles of the invention. In the drawing:
Fig. 1 is a flow chart of the method for monitoring the startup of a terminal device according to a preferred embodiment of the invention.
Detailed description
Fig. 1 shows the workflow of the invention. First a virus scan is performed on the disk files, then the boot entry information of the firmware is scanned, and finally the result information of the two scans is output; based on the printed information, the user decides whether to start from the options listed in the boot menu. If a virus is found during scanning, the user can deal with the virus file accordingly. The method is divided here into two main functional parts: the disk-file virus scan function and the firmware boot information scan function.
The disk-file virus scan part consists of initializing the virus database, scanning according to a specific scanning strategy, and finally deleting virus files or directly outputting the scan result. The disk-file scanning part is designed in a modular way and mainly comprises an initialization module, a scan module and a result handling module. The main function of the scan module is to determine whether disk files contain viruses, which specifically comprises: reading the disk file directory; reading each disk file in turn according to the disk file directory, and performing the following processing on each disk file read: determining the file type of the disk file, entering a different scanning branch according to the file type, scanning files of that type in their scanning branch to determine whether the disk file read contains a virus, and recording the scan result for each disk file read in the disk-file scan result list. The disk file directory is stored in the reserved sector of the disk; the reserved sector is loaded only when the operating system is installed and cannot be modified at other times, so the data in the reserved sector cannot be infected by a virus, and the disk files scanned by the disk-file virus scan part comprise the disk files in all sectors of the disk other than the reserved sector. Because a disk contains files and folders, and folders may in turn contain folders, reading each disk file in turn may be done breadth-first or depth-first. The file types comprise executable files, document files, mail files, image files and so on. Scanning files of different types in different scanning branches comprises extracting the feature code according to the structure of each file type, so that a virus feature code embedded in a disk file is extracted accurately; the reason is that different file types have different data structures, so the method of extracting the feature code necessarily differs after files of different types have been infected by a virus.
Determining whether each disk file read contains a virus comprises comparing the feature code of each disk file read with the virus feature codes in the virus database; a disk file that matches successfully is a virus-infected disk file, and a disk file that does not match is a safe disk file. The virus database holds the feature codes of any known viruses. Determining the file type of the disk file comprises parsing the file header of each disk file read and determining the file type from the file type indicator in that file header. Recording the scan result for each disk file read in the disk-file scan result list is temporary storage, for example in a buffer or a register. Because the file types on a disk are complex and many files have undergone some processing, the scan must, in addition to normal feature code matching, handle different kinds of file differently. The module therefore begins by checking the file type: it first judges the type of the file to be examined. If the file is compressed, it is first decompressed and the type judgement is then repeated on the decompressed file; if it is not compressed, feature code matching is carried out directly. If the match is fully successful, the file is an infected file and an infected flag is returned; if there is no match, the next item is examined.
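The disk-file branch just described, as an added example that is not the patent's own code: constructed in-memory "disk files" are typed from their header, routed to a type-specific feature-code branch, compared against a constructed virus database, and each verdict is recorded in a scan result list. The file magic values are the real ones; the branch offsets, the feature codes and the sample files are constructed for the example, and the compressed-file decompression step is left out.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the patent's code: the disk-file scan branch. */
enum file_type { FT_UNKNOWN, FT_EXECUTABLE, FT_DOCUMENT, FT_IMAGE };
enum verdict   { V_SAFE, V_INFECTED, V_UNSCANNED };

struct disk_file   { const char *name; const unsigned char *data; size_t len; };
struct signature   { enum file_type type; const unsigned char *bytes; size_t len; const char *label; };
struct scan_result { const char *name; enum file_type type; enum verdict verdict; const char *label; };

/* Type the file from its header (claim 3); the magic values are the real ones. */
enum file_type detect_type(const unsigned char *d, size_t n)
{
    if (n >= 2 && d[0] == 'M' && d[1] == 'Z') return FT_EXECUTABLE;             /* PE/MZ */
    if (n >= 4 && memcmp(d, "%PDF", 4) == 0) return FT_DOCUMENT;
    if (n >= 3 && d[0] == 0xFF && d[1] == 0xD8 && d[2] == 0xFF) return FT_IMAGE; /* JPEG */
    return FT_UNKNOWN;
}

/* Per-type branch: the region the feature code is extracted from. The offsets
 * are constructed; a real branch would follow the format's own structure. */
static size_t branch_offset(enum file_type t)
{
    switch (t) {
    case FT_EXECUTABLE: return 0x40; /* skip the DOS header, look at the code */
    case FT_DOCUMENT:   return 4;    /* after the "%PDF" marker */
    case FT_IMAGE:      return 2;    /* after the SOI marker */
    default:            return 0;
    }
}

static int region_contains(const unsigned char *d, size_t n, size_t from, const unsigned char *sig, size_t sl)
{
    if (sl == 0 || from >= n || n - from < sl) return 0;
    for (size_t i = from; i + sl <= n; i++) if (memcmp(d + i, sig, sl) == 0) return 1;
    return 0;
}

/* Constructed virus database: each feature code belongs to one file-type branch. */
static const unsigned char SIG_EXE[] = { 0xEB, 0xFE, 0x90, 0x90 };
static const unsigned char SIG_DOC[] = "/JavaScript";
static const struct signature VIRUS_DB[] = {
    { FT_EXECUTABLE, SIG_EXE, sizeof SIG_EXE,     "Test.Exe.A" },
    { FT_DOCUMENT,   SIG_DOC, sizeof SIG_DOC - 1, "Test.Doc.B" },
};

/* Scan one file: type it, enter its branch, compare with the database (claim 4).
 * A file whose type is unknown has no branch and is recorded as unscanned. */
struct scan_result scan_file(const struct disk_file *f)
{
    struct scan_result r = { f->name, detect_type(f->data, f->len), V_SAFE, NULL };
    if (r.type == FT_UNKNOWN) { r.verdict = V_UNSCANNED; return r; }
    for (size_t i = 0; i < sizeof VIRUS_DB / sizeof VIRUS_DB[0]; i++) {
        if (VIRUS_DB[i].type != r.type) continue; /* feature code of another branch */
        if (region_contains(f->data, f->len, branch_offset(r.type), VIRUS_DB[i].bytes, VIRUS_DB[i].len)) {
            r.verdict = V_INFECTED; r.label = VIRUS_DB[i].label; return r;
        }
    }
    return r;
}

/* Walk a directory listing (claim 2), recording every result; returns the infected count. */
size_t scan_directory(const struct disk_file *files, size_t n, struct scan_result *out)
{
    size_t infected = 0;
    for (size_t i = 0; i < n; i++)
        if ((out[i] = scan_file(&files[i])).verdict == V_INFECTED) infected++;
    return infected;
}

/* Constructed sample disk files. EXE_CLEAN carries the byte pattern only inside
 * the DOS header, which the executable branch skips, so it is not reported. */
static const unsigned char EXE_BAD[0x44]   = { 'M', 'Z', [0x40] = 0xEB, 0xFE, 0x90, 0x90 };
static const unsigned char EXE_CLEAN[0x44] = { 'M', 'Z', [0x10] = 0xEB, 0xFE, 0x90, 0x90 };
static const unsigned char DOC_BAD[]       = "%PDF-1.4 1 0 obj << /JavaScript 2 0 R >>";
static const unsigned char IMG_OK[]        = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10 };
static const unsigned char PLAIN[]         = "plain text, no known header";
const struct disk_file SAMPLES[5] = {
    { "boot.exe", EXE_BAD, sizeof EXE_BAD },       { "tool.exe", EXE_CLEAN, sizeof EXE_CLEAN },
    { "report.pdf", DOC_BAD, sizeof DOC_BAD - 1 }, { "logo.jpg", IMG_OK, sizeof IMG_OK },
    { "notes.txt", PLAIN, sizeof PLAIN - 1 },
};

/* Verdict for one sample, and the infected count over the whole sample listing. */
enum verdict sample_verdict(size_t i) { return scan_file(&SAMPLES[i]).verdict; }
size_t sample_infected_count(void)
{
    struct scan_result out[5];
    return scan_directory(SAMPLES, 5, out);
}
```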
The firmware boot information scan part obtains the boot information and verifies its correctness before the operating system is started. It is used to obtain the general-purpose program or location information of the relevant physical or logical device. If a handle cannot be logically mapped to a physical device, the handle may not support the device path protocol. The device path describes the location of the device indicated by the handle; the size of the device path is determined by the structure that makes up the device.
Type specifies the type of the device path: 0x01 is a hardware device path, 0x02 an ACPI device path, 0x03 a messaging device path, 0x04 a media device path, 0x05 a BIOS boot specification device path, and 0x7F is the end marker of a hardware device path. SubType varies with Type; a SubType of 0xFF marks the end of the entire device path, and 0x01 marks the end of one device path instance and the beginning of a new one. Length gives the size of the device-path data whose layout is defined by Type and SubType, and includes the size of the Length field itself. The options in the boot menu fall into two kinds: devices that boot the system, and ordinary executable options. When the boot device type of a boot option can be correctly determined, the boot device is safe only if the attribute of the option is LOAD_OPTION_ACTIVE. When the boot device type of a boot option cannot be determined, the device may be an ordinary executable option or an unauthorized boot device. If such an option is treated as an ordinary executable option, its attribute is LOAD_OPTION_HIDDEN, and it nevertheless appears in the boot menu, the option may be an unauthorized device and should be started with caution. In a preferred embodiment, scanning the firmware to determine whether the firmware boot information is legitimate comprises: reading the boot device information directory; reading each item of boot device information in turn according to the boot device information directory, and performing the following processing on each item read: extracting the boot device type and attribute information from the boot device information, determining from the boot device type and attribute information whether the boot device corresponding to each item of boot device information read is a legitimate boot device, and recording the scan result for each item of boot device information read in the boot-device information scan result list.
Recording the scan result for each item of boot device information read in the boot-device information scan result list is temporary storage, for example in a buffer or a register. Determining from the boot device type and attribute information whether the boot device corresponding to each item of boot device information read is an authorized boot device comprises: if the boot device type is legitimate and the attribute information is legitimate, the boot device corresponding to that boot device information is a legitimate boot device; otherwise it is an illegitimate boot device. Outputting the scan results for the disk files and the firmware boot information comprises: outputting the disk-file scan result list, and outputting the boot-device information scan result list.
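The boot-information scan described above, as an added example that is not the patent's code: it walks a device path node by node using the Type/SubType/Length header and end markers given in the text, decides whether the boot device type can be determined, and applies the LOAD_OPTION_ACTIVE / LOAD_OPTION_HIDDEN rules to classify each boot option, recording the results in a list. The numeric values of the two attribute flags are taken from the UEFI specification (the text names only the flags); the device paths, option names and the assumption that a type is "determined" when every node has a known Type and the path is properly terminated are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not the patent's code: the firmware boot-information scan.
 * Device path node header as the text lays it out: Type, SubType, Length (2 bytes, little-endian). */
enum { DP_HARDWARE = 0x01, DP_ACPI = 0x02, DP_MESSAGING = 0x03, DP_MEDIA = 0x04,
       DP_BBS = 0x05, DP_END = 0x7F };
enum { DP_END_ENTIRE = 0xFF, DP_END_INSTANCE = 0x01 };
/* Attribute bit values are taken from the UEFI specification (the text names only the flags). */
#define LOAD_OPTION_ACTIVE 0x00000001u
#define LOAD_OPTION_HIDDEN 0x00000008u

enum boot_class { BOOT_LEGAL, BOOT_ILLEGAL, BOOT_ORDINARY, BOOT_SUSPECT, BOOT_MALFORMED };

struct boot_option { const char *name; uint32_t attributes; const uint8_t *path; size_t path_len; int in_menu; };
struct boot_scan_result { const char *name; int device_type; enum boot_class cls; };

/* Walk the device path node by node. Returns the Type of the first node when every node
 * has a known Type and the path ends with an end-entire node (type determined), 0 when
 * the type cannot be determined, and -1 when a Length field does not fit the buffer. */
int device_type_of(const uint8_t *p, size_t n)
{
    int first = 0;
    size_t off = 0;
    while (off + 4 <= n) {
        uint8_t type = p[off], sub = p[off + 1];
        uint16_t len = (uint16_t)(p[off + 2] | (p[off + 3] << 8));
        if (len < 4 || off + len > n) return -1;          /* node overruns the buffer */
        if (type == DP_END) {
            if (sub == DP_END_ENTIRE) return first;         /* whole path terminated */
            if (sub != DP_END_INSTANCE) return 0;           /* unknown end marker */
        } else if (type >= DP_HARDWARE && type <= DP_BBS) {
            if (first == 0) first = type;
        } else {
            return 0;                                       /* unknown node type */
        }
        off += len;
    }
    return 0;                                               /* ran out without an end node */
}

/* The text's rules: a determinable device type is legal only with LOAD_OPTION_ACTIVE; an
 * undeterminable one is an ordinary executable option, suspect if hidden yet listed in the menu. */
enum boot_class classify_boot_option(const struct boot_option *o, int *type_out)
{
    int t = device_type_of(o->path, o->path_len);
    *type_out = t;
    if (t < 0) return BOOT_MALFORMED;
    if (t > 0) return (o->attributes & LOAD_OPTION_ACTIVE) ? BOOT_LEGAL : BOOT_ILLEGAL;
    if ((o->attributes & LOAD_OPTION_HIDDEN) && o->in_menu) return BOOT_SUSPECT;
    return BOOT_ORDINARY;
}

/* Scan every entry of the boot device information directory, recording each result;
 * returns the number of entries that are not legal boot devices. */
size_t scan_boot_options(const struct boot_option *opts, size_t n, struct boot_scan_result *out)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        out[i].name = opts[i].name;
        out[i].cls = classify_boot_option(&opts[i], &out[i].device_type);
        if (out[i].cls != BOOT_LEGAL) flagged++;
    }
    return flagged;
}

/* Constructed device paths (node payloads are dummies; only the headers matter here). */
static const uint8_t PATH_DISK[] = {
    0x02, 0x01, 0x0C, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,   /* ACPI node, 12 bytes */
    0x04, 0x01, 0x08, 0x00, 0, 0, 0, 0,               /* media node, 8 bytes */
    0x7F, 0xFF, 0x04, 0x00 };                          /* end of entire path */
static const uint8_t PATH_UNKNOWN[] = {
    0x09, 0x01, 0x06, 0x00, 0, 0,                     /* unknown node type 0x09 */
    0x7F, 0xFF, 0x04, 0x00 };
static const uint8_t PATH_BROKEN[] = { 0x04, 0x01, 0x40, 0x00, 0, 0, 0, 0 }; /* Length 0x40 > buffer */
const struct boot_option BOOT_SAMPLES[5] = {
    { "Boot0000 disk",     LOAD_OPTION_ACTIVE, PATH_DISK,    sizeof PATH_DISK,    1 },
    { "Boot0001 inactive", 0,                  PATH_DISK,    sizeof PATH_DISK,    1 },
    { "Boot0002 hidden",   LOAD_OPTION_HIDDEN, PATH_UNKNOWN, sizeof PATH_UNKNOWN, 1 },
    { "Boot0003 tool",     LOAD_OPTION_ACTIVE, PATH_UNKNOWN, sizeof PATH_UNKNOWN, 1 },
    { "Boot0004 broken",   LOAD_OPTION_ACTIVE, PATH_BROKEN,  sizeof PATH_BROKEN,  0 },
};

enum boot_class sample_boot_class(size_t i)
{
    int t;
    return classify_boot_option(&BOOT_SAMPLES[i], &t);
}
size_t sample_flagged_count(void)
{
    struct boot_scan_result out[5];
    return scan_boot_options(BOOT_SAMPLES, 5, out);
}
```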
By scanning the disk to determine whether disk files contain viruses and scanning the firmware to determine whether the firmware boot information is legitimate, the invention prevents trouble before it happens in the pre-boot phase of the operating system: all known viruses are detected by feature code comparison, the firmware scan makes the virus detection comprehensive, and a clean boot of the terminal device is finally achieved.
The above description of the invention is only exemplary and describes in detail the essential features relevant to the technical problem the invention aims to solve; other related details of the invention that are clear to or readily conceived by those skilled in the art are not repeated. It should be understood that the above embodiment is a detailed description of a specific embodiment, but the invention is not limited to this embodiment, and various improvements and modifications may be made to the invention without departing from its spirit and scope. Any equivalent replacement or change made by a person skilled in the art according to the technical solution and inventive concept of the invention, within the technical scope disclosed by the invention, shall fall within the protection scope of the invention.

Claims (7)

1. A method for monitoring the startup of a terminal device, the method comprising:
scanning the disk to determine whether disk files contain viruses;
scanning the firmware to determine whether the firmware boot information is legitimate;
outputting the scan results for the disk files and the firmware boot information.
2. The method for monitoring the startup of a terminal device according to claim 1, wherein scanning the disk to determine whether disk files contain viruses comprises:
reading the disk file directory;
reading each disk file in turn according to the disk file directory, and performing the following processing on each disk file read:
determining the file type of the disk file,
entering a different scanning branch according to the file type,
scanning files of that type in their scanning branch to determine whether each disk file read contains a virus,
recording the scan result for each disk file read in a disk-file scan result list.
3. The method for monitoring the startup of a terminal device according to claim 2, wherein determining the file type of the disk file comprises:
parsing the file header of each disk file read,
determining the file type of the disk file from the file header of each disk file read.
4. The method for monitoring the startup of a terminal device according to claim 3, wherein determining whether each disk file read contains a virus comprises:
comparing the feature code of each disk file read with the virus feature codes in the virus database, where a disk file that matches successfully is a virus-infected disk file and a disk file that does not match is a safe disk file.
5. The method for monitoring the startup of a terminal device according to claim 4, wherein scanning the firmware to determine whether the firmware boot information is legitimate comprises:
reading the boot device information directory;
reading each item of boot device information in turn according to the boot device information directory, and performing the following processing on each item read:
extracting the boot device type and attribute information from the boot device information,
determining from the boot device type and attribute information whether the boot device corresponding to each item of boot device information read is a legitimate boot device,
recording the scan result for each item of boot device information read in a boot-device information scan result list.
6. The method for monitoring the startup of a terminal device according to claim 5, wherein determining from the boot device type and attribute information whether the boot device corresponding to each item of boot device information read is an authorized boot device comprises:
if the boot device type is legitimate and the attribute information is legitimate, the boot device corresponding to the boot device information is a legitimate boot device; otherwise it is an illegitimate boot device.
7. The method for monitoring the startup of a terminal device according to claim 6, wherein outputting the scan results for the disk files and the firmware boot information comprises:
outputting the disk-file scan result list;
outputting the boot-device information scan result list.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410245479.5A CN103996005A (en) 2014-06-05 2014-06-05 Method for monitoring starting of terminal equipment

Publications (1)

Publication Number Publication Date
CN103996005A (en) 2014-08-20

Family

ID=51310167

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040236960A1 (en) * 2003-05-19 2004-11-25 Zimmer Vincent J. Pre-boot firmware based virus scanner
CN102208002A (en) * 2011-06-09 2011-10-05 国民技术股份有限公司 Novel computer virus scanning and killing device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王吉发: "Design and Implementation of a UEFI-Based Virus Scanning Engine", China Master's Theses Full-text Database *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107832616A (en) * 2015-08-28 2018-03-23 NCR Corporation Computer pre-boot security verification, enforcement and repair
CN107832616B (en) * 2015-08-28 2021-05-28 NCR Corporation Computer pre-boot security verification, enforcement and repair

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20140820)