CN104067284B - Prevent the execution of task scheduling Malware - Google Patents


Publication number: CN104067284B
Application number: CN201280059499.2A
Authority: CN (China)
Prior art keywords: malware, task dispatcher, trial, module, entity
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN104067284A (en)
Inventors: A·拉马巴塔, H·V·拉马切蒂, N·D·基肖尔
Current assignee: McAfee LLC
Original assignee: McAfee LLC
Priority claimed from: US13/310,447 (US9235706B2)

Abstract

A method for preventing malware attacks comprises the following steps: detecting an attempt to access a task dispatcher on an electronic device, determining an entity associated with the attempt to access the task dispatcher, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task dispatcher. The task dispatcher is configured to launch one or more applications at a specified time or interval.

Description

Prevent the execution of task scheduling Malware
Technical field
In general, the present invention relates to computer security and malware protection and, more specifically, to preventing the execution of task scheduling malware.
Background
Malware infections on computers and other electronic devices are highly intrusive and very difficult to detect and repair. Anti-malware solutions may need to match a signature of malicious code or files against the software being evaluated to determine that the software is harmful to a computing system. Malware may disguise itself by using polymorphic executables, in which the malware changes itself to avoid detection by anti-malware solutions. In such a case, an anti-malware solution may fail to detect new or morphed malware in a zero-day attack. Malware may include, but is not limited to, spyware, rootkits, password stealers, spam, sources of phishing attacks, sources of denial-of-service attacks, viruses, loggers, Trojans, adware, or any other digital content that produces unwanted activity.
Summary of the invention
In one embodiment, a method for preventing malware attacks comprises the following steps: detecting an attempt to access a task dispatcher on an electronic device, determining an entity associated with the attempt to access the task dispatcher, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task dispatcher. The task dispatcher is configured to launch one or more applications at a specified time or interval.
In another embodiment, an article of manufacture includes a computer-readable medium and computer-executable instructions carried on the computer-readable medium. The instructions are readable by a processor. When read and executed, the instructions cause the processor to detect an attempt to access a task dispatcher on an electronic device, determine an entity associated with the attempt to access the task dispatcher, determine a malware status of the entity, and, based on the malware status of the entity, allow or deny the attempted access to the task dispatcher. The task dispatcher is configured to launch one or more application programs at a specified time or interval.
In another embodiment, a system for preventing malware attacks includes a processor coupled to a memory and an anti-malware module executed by the processor. The anti-malware module resides in the memory and is communicatively coupled to a task dispatcher on an electronic device. The task dispatcher is configured to launch one or more application programs at a specified time or interval. The anti-malware module is configured to detect an attempt to access the task dispatcher on the electronic device, determine an entity associated with the attempt to access the task dispatcher, determine a malware status of the entity, and, based on the malware status of the entity, allow or deny the attempted access to the task dispatcher.
Brief description of the drawings
For a more complete understanding of the present invention and its features and advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a diagram of an example system for preventing the execution of task scheduling malware;
Fig. 2 is a diagram of task dispatcher settings configured to execute jobs at specific times or intervals;
Fig. 3 is a diagram of example operation of malware that operates by accessing a task dispatcher;
Fig. 4 is a diagram of example operation of a system for preventing malicious attempts to access a task dispatcher;
Fig. 5 is a further diagram of example operation of a system for preventing malicious attempts to access a task dispatcher; and
Fig. 6 is an example embodiment of a method for preventing the execution of task scheduling malware.
Detailed description
Fig. 1 is a diagram of an example system 100 for preventing the execution of task scheduling malware. Such malware may be launched on the system 100 by the task dispatcher 116, or as a result of being scheduled for execution by the task dispatcher 116. The system 100 may include an electronic device 102, an anti-malware module 114, a reputation server 104, a webpage reputation server 106, a destination server 110, and a user 111. The anti-malware module 114 may be configured to monitor or scan the electronic device 102 for task-scheduling-based malware. The anti-malware module 114 may be configured to detect attempts on the electronic device 102 to access, modify, or use the task dispatcher 116. The anti-malware module 114 may be communicatively coupled to, and configured to communicate with, an anti-malware signature database 120, the reputation server 104, and/or the webpage reputation server 106 to determine whether a detected action involving the task dispatcher 116 constitutes a malicious infection. The anti-malware module 114 may be configured to communicate with the user 111 in order to, for example, provide results or determine a corrective action. The anti-malware module 114 may be configured to take one or more corrective actions in response to detecting an attempt to access, modify, or use the task dispatcher 116.
In one embodiment, the anti-malware module 114 may execute on the electronic device 102. The anti-malware module 114 may be implemented in an executable file, a script, a function library, or any other suitable mechanism. The anti-malware module 114 may be loaded and executed on the electronic device 102. The anti-malware module 114 may be communicatively coupled to the reputation server 104 and/or the webpage reputation server 106 through the network 108 or any other suitable network or communication scheme.
In another embodiment, the anti-malware module 114 may execute on a device separate from the electronic device 102. In such an embodiment, the anti-malware module 114 may be communicatively coupled to the electronic device 102 over a network. The anti-malware module 114 may be configured to operate in a cloud computing scheme, including as software residing on the network 108. In such an embodiment, the anti-malware module 114 may scan the electronic device 104 without executing on the electronic device 101. The anti-malware module 114 may be communicatively coupled to the reputation server 104 and/or the webpage reputation server 106 through the network 108. The reputation server 104 and/or the webpage reputation server 106 may include servers on the network 108.
The anti-malware module 114 may be communicatively coupled to the user 111 of the system 100. The user 111 may include a human user, a network server configured to manage the operation of the electronic device 102, network security settings and preferences, or any other suitable mechanism. In one embodiment, the anti-malware module 114 may display results to the user 111 and accept a selected corrective action. In another embodiment, the anti-malware module 114 may be configured to access the user 111 to transmit the conditions found on the electronic device 102 and, as a result, determine the rules or actions to be taken.
The network 108 may include any suitable network, series of networks, or portions thereof for communication among the electronic device 104, the user 111, the monitor 102, the reputation server 104, the webpage reputation server 106, or the destination server 110. Such networks may include, but are not limited to: the Internet, an intranet, a wide area network, a local area network, a backhaul network, a point-to-point network, or any combination thereof.
The electronic device 102 may include any device configurable to interpret and/or execute program instructions and/or process data, including but not limited to: a computer, a desktop computer, a server, a laptop computer, a personal digital assistant, or a smartphone. The electronic device 102 may include a processor 128 communicatively coupled to a memory 130.
The processor 128 may include, for example, a microprocessor, microcontroller, digital signal processor (DSP), application-specific integrated circuit (ASIC), or any other digital or analog circuitry configured to interpret and/or execute program instructions and/or process data. In some embodiments, the processor 128 may interpret and/or execute program instructions and/or process data stored in the memory 130. The memory 130 may be configured, partially or entirely, as application memory, system memory, or both. The memory 130 may include any system, device, or apparatus configured to hold and/or house one or more memory modules. Each memory module may include any system, device, or apparatus configured to retain program instructions and/or data for a period of time (for example, a computer-readable medium). The instructions, logic, or data of the anti-malware module 114 may reside in the memory 130 for execution by the processor 128.
The electronic device 102 may include a task dispatcher 116, which is configured to schedule the execution of scripts, application programs, executable files, processes, or other entities on the electronic device 102. For example, the task dispatcher 116 may be configured to schedule the loading and execution of a destination file 126 at a specified time.
The task dispatcher 116 may be implemented by, for example, a script, application program, executable file, process, batch file, or other entity on the electronic device 102. In one embodiment, the task dispatcher 116 may be configured to operate without user intervention. The task dispatcher 116 may be configured to be launched when the electronic device 102 boots or starts up. In another embodiment, the task dispatcher 116 may be launched by a user of the electronic device 102. In another embodiment, the task dispatcher 116 may be implemented by a Windows™ operating system service.
The task dispatcher 116 may include one or more task dispatcher settings 122. The task dispatcher settings 122 may include settings, files, scripts, or other mechanisms for storing information about a given task scheduled for execution. In one embodiment, the task dispatcher settings 122 may be implemented by one or more job files. In another embodiment, the task dispatcher settings 122 may be implemented by Windows™ .job files. The task dispatcher settings 122 may include, for a given task, a description of one or more processes, scripts, executable files, files, or other entities to be executed and of when such execution should occur.
The task dispatcher 116 may include one or more task dispatcher functions 124. The task dispatcher functions 124 may include functions for, for example, scheduling, creating, modifying, or deleting tasks to be scheduled by the task dispatcher 116. The task dispatcher functions 124 may be configured to affect the task dispatcher settings 122.
A change to the task dispatcher 116 may constitute a malware attack. A change to the task dispatcher 116 may cause malware to be launched, installed, or operated. A malware attack may be scheduled in a manner that evades detection by anti-malware. For example, executing the destination file 126 may itself be malicious (attacking one or more system resources), or may download malware, spawn malware, or attempt to contact a malicious network destination. Based on the task dispatcher settings 122, the task dispatcher 116 may be configured to attempt to access a website, network server, or other networked entity (such as the destination server 110). In one embodiment, the task dispatcher 116 may be configured to make such an attempt by launching the destination file 126.
Scheduled tasks may be created, modified, or deleted by directly accessing the task dispatcher settings 122, or by performing such operations on the task dispatcher settings 122 via the task dispatcher functions 124. The anti-malware module 114 may therefore monitor the electronic device 102 for attempted accesses to the task dispatcher settings 122 both directly and through execution of the task dispatcher functions 124.
Access to the task dispatcher 114 may be made by, for example, a process or application program running on the electronic device 102. The process or application program accessing the task dispatcher 116 may have been spawned from other processes or files on the electronic device 102. For example, loading or executing the source file 118 may cause the process 112 to be loaded, which may in turn attempt to access the task dispatcher 116. The process 112 may attempt to access the task dispatcher settings 122 directly, or may access the task dispatcher functions 124 in order to access the task dispatcher settings 122.
The anti-malware module 114 may be configured to intercept attempted accesses to the task dispatcher 116. The anti-malware module 114 may be configured to intercept the access by any suitable mechanism. For example, the anti-malware module 114 may be configured to intercept the access by: using a file system filter on the files that store the task dispatcher 116 or the task dispatcher settings 122, hooking the task dispatcher functions 124, or registering a callback function that is invoked when the task dispatcher 124 is accessed.
When an attempted access to the task dispatcher 116 is detected, the anti-malware module 114 may be configured to determine whether the access originates from a malicious entity or includes a malicious modification. To make such a determination, the anti-malware module 114 may use any suitable action, such as consulting the anti-malware signature database 120, accessing the reputation server 104, or accessing the webpage reputation server 106.
To determine whether an attempted access to the task dispatcher 116 is malicious, upon detecting the attempted access the anti-malware module 114 may be configured to analyze the entity making the attempt (directly, or through another file or process) and determine whether the entity is malicious. The anti-malware module 114 may be configured to determine the entity attempting to access the task dispatcher 116. For example, the process 112 may attempt to access the task dispatcher 116. The anti-malware module 114 may be configured to determine the source (such as a file or process) that spawned the entity making the attempt. For example, the source file 118 may have spawned the process 112. Such a determination is made because, although the entity (such as the process 112 making the attempted access to the task dispatcher 116) may not be known to be malicious, hiding the identity of the malicious source that is ultimately trying to access the task dispatcher 116 may be used as a mechanism. The anti-malware module 114 may be configured to determine whether the entity attempting to access the task dispatcher 116 is malicious by accessing, for example, the anti-malware signature database 120 or the reputation server 104.
To determine whether an attempted access to the task dispatcher 116 is malicious, upon detecting the attempted access the anti-malware module 114 may be configured to analyze the effect of the attempted access and determine whether the effect is malicious. The anti-malware module 114 may be configured to determine the scheduled task or job that would be changed by the attempt. In one embodiment, the attempted change to the task dispatcher 116 may include designating an entity, such as the destination file 126, to be executed at a specific time. Although the source of the attempted access may not be known to be malicious, the destination file 126 may be known to be associated with malware, thereby indicating that the attempt is malicious. The anti-malware module 114 may be configured to determine whether the destination file 126 is malicious by accessing, for example, the anti-malware signature database 120 or the reputation server 104. In another embodiment, the attempted change to the task dispatcher 116 may include a command, instruction, parameter, or other indication that a remote server (such as a website) will be accessed as part of the scheduled task. For example, the attempted access to the task dispatcher 116 may include an indication that the destination server 110 will be accessed as part of the scheduled task. Although the source or the destination file may not be known to be malicious, the destination server 110 may be known to be associated with malware, and the attempt to access the task dispatcher 116 may therefore be malicious. Malware may use such a scheme to, for example, hijack a trusted application to download and install other malware. The anti-malware module 114 may be configured to determine whether the destination server 110 associated with the attempt to access the task dispatcher 116 is malicious by accessing, for example, the webpage reputation server 106.
For an entity such as the source file 118, the process 112, or the destination file 126, the anti-malware module 114 may be configured to determine a digital signature, digital hash value, or other identifier of the process or file. Such an identifier may uniquely identify the process or file. In one embodiment, the anti-malware module 114 may access the anti-malware signature database 120 to determine whether the process or file is known to be malware. The anti-malware module 114 may use the signature or hash value of the process or file to look up the process or file in the anti-malware signature database 120. In another embodiment, the anti-malware module 114 may access the reputation server 104 to determine the malware status of the process or file.
The anti-malware signature database 120 may include rules, logic, or other information specifying known malware. The anti-malware signature database may index such known malware by a unique identifier of the malicious process or file. The anti-malware signature database 120 may reside on the electronic device 102. The anti-malware signature database 120 may be implemented by a file, a record, or any other suitable structure. A local copy of the anti-malware signature database 120 may require maintenance and updating as new viruses or other malware are identified and the signatures of such malware are sent to the anti-malware signature database 120. The contents of the anti-malware signature database 120 may not address new malware. Further, the anti-malware signature database 120 may lack information reported by other instances of the anti-malware module that monitor other electronic devices. Such information may be necessary to identify how to handle unknown processes or files in order to prevent zero-day attacks.
The reputation server 104 may be configured to accept requests from clients (such as the anti-malware module 114) for information about the malware status of a given process or file (such as the source file 118, the process 112, or the destination file 110). The reputation server 104 may be configured to mine and record information about processes or files from various clients located in many different places. The reputation server 104 may include or be communicatively coupled to a reputation database, which may include information about a process or file, including whether the process or file is known to be malware, is known to be safe, or has an unknown malware status. The reputation database may index such information by, for example, digital hash value or signature. The reputation database may include counters for determining how often a process or file has been reported. The reputation database may be implemented with any suitable mechanism (for example a file, a record, a database, or any combination of these).
A given file or process may be determined to be safe by the reputation server 104 based on research by anti-malware researchers, the number and distribution of reported instances, association with known safe websites or other files, or other suitable criteria. A given file or process may be determined to be unsafe in the reputation server 104 based on research by anti-malware researchers, the number and distribution of reported instances, association with known malicious websites or behavior, or other suitable criteria. If there is insufficient information about the malware status of a given file or process, the reputation server 104 may determine that the given file or process has an unknown malware status. When an unknown entry is first reported by a client (such as the anti-malware module 114), the unknown entry may be added to the reputation server 104.
The webpage reputation server 106 may be configured to accept requests from clients (such as the anti-malware module 114) for information about the malware status of a given server, website, domain name, online file, or other networked entity (such as the destination server 110). The webpage reputation server 106 may be configured to mine and record information about networked entities from various clients located in many different places. The webpage reputation server 106 may include or be communicatively coupled to a webpage reputation database, which may include information about a particular server, website, file, domain name, or other entity, including whether the entity is known to be malware, is known to be safe, or has an unknown malware status. The webpage reputation database may include counters for determining how frequently interactions with a particular networked entity are reported. The webpage reputation database may be implemented with any suitable mechanism, such as a file, a record, a database, or any combination of these.
A networked entity may be determined to be safe by the webpage reputation server 106 based on research by anti-malware researchers, the number and distribution of reported interactions, association with known safe processes, websites, or files, or other suitable criteria. A given networked entity may be determined to be unsafe by the webpage reputation server 106 based on research by anti-malware researchers, the number and distribution of reported instances, association with known malicious files, processes, websites, or behavior, or other suitable criteria. If there is insufficient information about its malware status, the webpage reputation server 106 may determine that the networked entity has an unknown malware status. When an unknown entry is first reported by a client (such as the anti-malware module 114), the unknown entry may be added to the webpage reputation server 106.
The reputation of an entity in the reputation database 104 or the webpage reputation database 106 may be based on how many instances of the entity, or interactions with the entity, have been reported by various anti-malware modules, and on the geographic areas across which they were reported. For example, a process, file, or destination server that has not been encountered before may be determined to be unknown. A process, file, or destination server may be reported within a short time and with a wide distribution (for example, a new printer driver deployed as part of a new release, or a new file made available for download on a destination server). Such a process, file, or website may be determined to be safe. A process, file, or website that has only a small number of reported instances, or that is associated with known malicious websites, may be determined to be malicious. From the time the reputation server 104 or the webpage reputation server 106 first encounters a new process, file, or website, the entity may therefore be designated as unknown, but based on additional information obtained over time, the entity may be re-designated as safe or unsafe.
The anti-malware module 114 may be configured to receive, from the reputation server 104 or the webpage reputation server, the malware status of the process, file, or website being checked. Based on its analysis or information, the anti-malware module 114 may be configured to perform any suitable action regarding the attempted access to the task dispatcher 116. The anti-malware module 114 may be configured to allow the attempted access, deny the attempted access, send additional information to the reputation server 104 or the webpage reputation server 106, prompt the user 111 for input, remove a process or file from the electronic device 102, or take any other suitable action.
Fig. 2 is a diagram of task dispatcher settings 122 configured to execute jobs at specific times or intervals. The task dispatcher settings 122 shown in Fig. 2 may reflect the type of information that malware may attempt to add to the task dispatcher 116. The task dispatcher settings 122 may include one or more job files indexed by task name 201, each configured to be executed at its next scheduled execution 203. For example, the task dispatcher settings 122 may include a job titled RunApp1 scheduled to next execute on 11/11/2011 at 11:11AM; RunApp2, scheduled to execute at the next login; and RunApp3, scheduled to execute at the next boot.
The RunApp2 job file 202 may include an execution designation 210 configured to indicate, or allow access to, the designation of the entity to be executed. The execution designation 210 may include an application path 206 indicating the specific executable file, file, script, or other entity that will be executed. If the task dispatcher 116 is accessed to add or modify the RunApp2 job file 202, the execution designation 210 and/or the application path 206 may indicate the identity of the destination file 126. For example, the RunApp2 job file 202 may indicate that the file corresponding to "c: application pdq.exe" will be executed.
The RunApp2 job file 202 may include a comment 212 configured to indicate the user, process, or other entity that created the job file. For example, the comment 212 may indicate that the RunApp2 job file 202 was created by "Process1".
The RunApp2 job file 202 may include an execution profile 214 configured to indicate, or allow access to, the user, profile, or account under which the job will be executed. Different users, profiles, or accounts may have different execution privileges. For example, the execution profile 214 may indicate that the RunApp2 job file will be executed under the "User1" user profile.
The RunApp2 job file 202 may include a schedule 216 configured to indicate, or allow access to, when the designated task should be executed. For example, the schedule 216 may include an option to run every "N" minutes, days, weeks, or months, where "N" is a selectable integer, starting at a selectable date and time. The schedule 216 may include an option to run once at a selectable date and time. The schedule 216 may include an option to run at boot or an option to run at login.
The RunApp2 job file 202 may include an enabled option 224 configured to enable execution of the task. A job file may therefore be stored in the task dispatcher settings 122 without being enabled, and be enabled at a later date.
The RunApp3 job file 204 may include an execution designation 218 configured similarly to the execution designation 210. The execution designation 218 may include a web address 208 as a parameter to be passed to the entity being executed. Such a web address 208 may be used to provide instructions to, for example, the destination file 126. The web address 208 may indicate the destination server 110 that will be contacted by the destination file 126. For example, the RunApp3 job file 204 may include an execution designation 218 that indicates that "rst.exe" will be executed and passed the web address 208 "http://def.com/phish.php?A=".
The RunApp3 job file 204 may include a comment 220 indicating that the job file was created by GHI, a schedule 222 indicating that the job file will be executed at the next login, and an enabled option 224 indicating that the job file is enabled.
When an attempted access to the task dispatcher 116 is detected, the anti-malware module 114 may be configured to determine the information that would be placed in a job file (such as the RunApp2 job file 202 and the RunApp3 job file 204). Such information may include the application path 206 of the destination file 126 or the web address 208 of the destination server 110 that will be contacted. Based on such information, the anti-malware module 114 may determine the malware status of the destination file 126 or the destination server 110.
Fig. 3 is by accessing the figure that task dispatcher 116 carries out the exemplary operations of the Malware operated Show.Task dispatcher 116 can have as shown in fig. 2 for RunApp2 working document 202 And RunApp3 working document 204, add for " pdq.exe " and “rst.exe/http:/def.com/phish.php?A=" the task of execution.
The execution of RunApp2 working document 202 can cause initiation and the execution of pdq.exe302. Pdq.exe302 may be operative to the destination document 126 as shown in FIG.Pdq.exe302 can To attack various system resources 308, such as system storage, operating system set, user's input is (logical Cross Key Logger) or carry out other behaviors being associated with Malware.
The execution of RunApp3 working document 204 can cause initiation and the execution of rst.exe304. Rst.exe304 may be operative to the destination document 126 as shown in FIG.Rst.exe304 is permissible It is configured to there is address " http://def.com/phish.php at network 108 first line of a couplet cording?A=" remote Journey network entity 310.Such network entity 310 may be operative to the destination as shown in FIG Server 110.Rst.exe304 can be from network entity 310 download of malware.Such malice is soft Part can affect the operation of rst.exe304, in order to rst.exe attacking system resource 308, or can promote Rst.exe is made to initiate extra entity (such as can be with the phish.exe306 of attacking system resource 308).
Therefore, the anti-malware module 114 may be configured to determine changes to the task dispatcher 116 that configure the task dispatcher 116 to execute a local entity and to access a remote network location.
In operation, the anti-malware module 114 may operate to protect the electronic device 102 against malicious modification of the task dispatcher 116, which may result in task scheduling malware. In one embodiment, the anti-malware module 114 may execute on the electronic device 102. In another embodiment, the anti-malware module 114 may communicate with the electronic device 102 to protect it from such modification.
The anti-malware module 114 may intercept or detect an attempted access of any suitable part of the task dispatcher 116 of the electronic device, such as an access of the task dispatcher settings 122 or the task dispatcher 124. For example, the process 112 may attempt to access the task dispatcher 116 and may be detected by the anti-malware module 114. The anti-malware module 114 may determine one or more sources of the process, such as the source file 118. The anti-malware module 114 may determine whether the attempted access of the task dispatcher 116 includes an attempt to schedule execution of the destination document 126 or an access of the destination server 110. The anti-malware module 114 may determine a digital hash value, signature, or other identifier for any such file or process. The anti-malware module 114 may determine whether any such file or process is listed as malware in the anti-malware signature database 120. The anti-malware module 114 may determine whether the reputation server 104 designates the file or process as safe, malicious, or unknown with respect to malware state. The anti-malware module 114 may determine whether the webpage reputation server 106 designates the destination server as safe, malicious, or unknown with respect to malware state.
Based on its determinations, the anti-malware module 114 may determine how to handle the attempted access of the task dispatcher 116. The determination of how to handle the attempted access of the task dispatcher 116 may be made by, for example, rules or input from the user 111. The rules for how to handle the attempted access may, for example, be set within the anti-malware module 114, be received from the reputation server 104, or be stored in and accessed from a configuration file or settings of the user 111. The anti-malware module 114 may warn the user 111 of a malware determination, and may prompt the user 111 for input on how to proceed based on such a determination.
In one embodiment, if none of the source file 118, the process 112, the destination document 126, or the destination server 110 is determined to be malicious, then the anti-malware module 114 may allow the access. The anti-malware module 114 may communicate the result to the user 111 and indicate that the access will be allowed.
In another embodiment, if any of the source file 118, the process 112, the destination document 126, or the destination server 110 is determined to be malicious, then the anti-malware module 114 may deny the access. The anti-malware module 114 may communicate the result to the user 111 and indicate that the access will not be allowed.
In another embodiment, if any of the source file 118, the process 112, the destination document 126, or the destination server 110 is determined to be unknown, the anti-malware module 114 may treat the attempted access as suspicious. A suspicious access may be handled according to settings provided by the user 111, the reputation server 104, or the anti-malware module 114. In some cases, a suspicious access may be assumed by default to be malicious, and the anti-malware module 114 may therefore deny the access. This may be the most aggressive approach to preventing task scheduling malware. False positives, in which a legitimate entity is erroneously determined to be malware, may occur with such an approach. In some cases, a suspicious access may be assumed by default to be safe, and the anti-malware module 114 may therefore allow the access. This may be the most lenient approach to preventing task scheduling malware. An infected entity may be allowed to operate under such an approach. In some cases, by default, the user 111 may be consulted to determine how to handle an unknown or suspicious attempted access.
Fig. 4 is an illustration of example operation of the system 100 for preventing malicious attempts to access the task dispatcher 116. The anti-malware module 114 may intercept an attempted access of the task dispatcher 116. The anti-malware module 114 may determine whether a source file, process, or destination document associated with the attempt is malicious, and take any necessary corrective action. The anti-malware module 114 may access, for example, the anti-malware signature database 120 or the reputation server 104 to make such a determination. The reputation server 104 may include a reputation database 420, which contains designations of given files or processes and determinations of the malware state of the entities.
For example, a source file (such as jkl.exe 402) may launch a process (such as ABC 404), which may attempt to access the task dispatcher 116. The attempted access may include an attempt to cause the task dispatcher to run a destination document (such as stu.exe 406). The anti-malware module 114 may determine an identifier, hash value, or signature of process ABC 404. The anti-malware module 114 may determine whether ABC 404 is listed as malicious in the anti-malware signature database 120. If so, the attempt may be determined to be malicious. If not, or if the anti-malware signature database 120 has no information about ABC 404, then the anti-malware module 114 may determine the state of ABC 404 from the reputation server 104. The reputation server 104 may determine from the reputation database 420 that ABC 404 is known to be safe.
The reputation server 104 may determine that the source of ABC 404 is jkl.exe 402. The anti-malware module 114 may determine an identifier, hash value, or signature of jkl.exe 402. The anti-malware module 114 may determine whether jkl.exe 402 is listed as malicious in the anti-malware signature database 120. If so, the attempt may be determined to be malicious. If not, then the anti-malware module 114 may determine the state of jkl.exe 402 from the reputation server 104. The reputation server 104 may determine from the reputation database 420 that jkl.exe 402 is known to be safe.
The reputation server 104 may determine that the attempt to access the task dispatcher 116 includes an attempt to schedule stu.exe 406 for execution. The anti-malware module 114 may determine an identifier, hash value, or signature of stu.exe 406. The anti-malware module 114 may determine whether stu.exe 406 is listed as malicious in the anti-malware signature database 120. If so, the attempt may be determined to be malicious. If not, then the anti-malware module 114 may determine the state of stu.exe 406 from the reputation server 104. The reputation server 104 may determine from the reputation database 420 that stu.exe 406 is known to be safe.
Consequently, because jkl.exe 402, ABC 404, and stu.exe 406 have been determined to be safe, the anti-malware module 114 may allow the attempted access of the task dispatcher 116. The task dispatcher 116 may launch stu.exe 406 at the specified time.
In another example, a source file (such as mno.exe 408) may launch a process (such as DEF 410), which may attempt to access the task dispatcher 116. The attempted access may include an attempt to cause the task dispatcher to run a destination document (such as vwx.exe 412). The anti-malware module 114 may determine an identifier, hash value, or signature of mno.exe 408, DEF 410, or vwx.exe 412. The anti-malware module 114 may determine whether any of mno.exe 408, DEF 410, or vwx.exe 412 is listed as malicious in the anti-malware signature database 120. If so, the attempt may be determined to be malicious. If not, or if the anti-malware signature database 120 has no relevant information, then the anti-malware module 114 may determine the state of mno.exe 408, DEF 410, or vwx.exe 412 from the reputation server 104. The reputation server 104 may determine from the reputation database 420 that mno.exe 408, DEF 410, or vwx.exe 412 is known to be unsafe.
Consequently, because mno.exe 408, DEF 410, or vwx.exe 412 has been determined to be unsafe, the anti-malware module 114 may determine that the attempted access constitutes a malware attack and deny the attempted access of the task dispatcher 116. vwx.exe 412 may be prevented from launching. The anti-malware module 114 may take action on mno.exe 408 and/or DEF 410, such as removing the process or file, cleaning the process or file, repairing the process or file, or placing the process or file in a sandbox for execution. The anti-malware module 114 may cancel, remove, or clear any working document or other part of the task dispatcher 116. One or more such corrective actions may be taken after prompting the user 111.
In another embodiment, a source file (such as pqr.exe 414) may launch a process (such as GHI 416), which may attempt to access the task dispatcher 116. The attempted access may include an attempt to cause the task dispatcher to run a destination document (such as xyz.exe 418). The anti-malware module 114 may determine an identifier, hash value, or signature of pqr.exe 414, GHI 416, or xyz.exe 418. The anti-malware module 114 may determine whether any of pqr.exe 414, GHI 416, or xyz.exe 418 is listed as malicious in the anti-malware signature database 120. If so, the attempt may be determined to be malicious. If not, or if the anti-malware signature database 120 has no relevant information, then the anti-malware module 114 may determine the state of pqr.exe 414, GHI 416, or xyz.exe 418 from the reputation server 104. The reputation server 104 may determine from the reputation database 420 that the malware state of pqr.exe 414, GHI 416, or xyz.exe 418 is unknown.
If the malware state of pqr.exe 414, GHI 416, or xyz.exe 418 is determined to be unknown, then the anti-malware module 114 may determine that the attempted access is suspicious. In one embodiment, if one or more of pqr.exe 414, GHI 416, or xyz.exe 418 are determined to be unknown and the others are determined to be safe, then the anti-malware module 114 may determine that the attempted access is suspicious.
In another embodiment, the anti-malware module 114 may prompt the user 111 for an instruction on how to handle an attempted access from an entity whose malware state is unknown. The anti-malware module 114 may prompt the user 111 for an instruction on whether to allow or deny such an access. If such an access is denied, the anti-malware module 114 may prompt the user 111 to choose whether to remove, delete, repair, or quarantine pqr.exe 414, GHI 416, or xyz.exe 418.
In another embodiment, if at least one of pqr.exe 414, GHI 416, or xyz.exe 418 is known to be safe, the anti-malware module 114 may assume that the attempt is safe. The anti-malware module 114 may allow xyz.exe 418 to execute. Such an assumption may result in the electronic device 102 being infected by malware whose malware state is unknown and which is present in one or more of pqr.exe 414, GHI 416, or xyz.exe 418.
In another embodiment, if each of pqr.exe 414, GHI 416, or xyz.exe 418 is determined to be unknown, then the anti-malware module 114 may assume that the attempt is unsafe. The anti-malware module 114 may refuse to execute xyz.exe 418. Such an assumption may cause false positives, in which pqr.exe 414, GHI 416, or xyz.exe 418 are safe but their state is unknown.
Fig. 5 is a further illustration of example operation of the system 100 for preventing malicious attempts to access the task dispatcher 116. The anti-malware module 114 may intercept an attempted access of the task dispatcher 116. The anti-malware module 114 may determine whether a destination server associated with the attempt is malicious and take any necessary corrective action. The anti-malware module 114 may access, for example, the webpage reputation server 106 to make such a determination. The webpage reputation server 106 may include a webpage reputation database 512, which contains designations of web destinations and determinations of the associated malware state. The webpage reputation database 512 may index malware state information in any suitable manner, including by Internet protocol ("IP") address, by domain name, or by a specific subdivision or piece of content on such a destination server.
For example, process ABC 502 may attempt to access the task dispatcher 116 to run a task that includes executing "xyz.exe/111.111.111.111". The anti-malware module 114 may determine that process ABC 502, destination document xyz.exe 504, and any associated source file are safe or have an unknown malware state. The anti-malware module 114 may determine that the attempted access of destination document xyz.exe 504 includes an attempted connection to the destination server identified by "111.111.111.111" 506. The anti-malware module 114 may access the webpage reputation server 106 to determine the reputation of "111.111.111.111" 506. The webpage reputation server 106 may determine from the webpage reputation database 512 that "111.111.111.111" 506 is known to be unsafe or malicious.
Consequently, because "111.111.111.111" 506 has been determined to be unsafe, the anti-malware module 114 may determine that the attempted access constitutes a malware attack and deny the attempted access of the task dispatcher 116. xyz.exe 504 may be prevented from launching. The anti-malware module 114 may take action on ABC 502 or on the entity that launched ABC 502, such as removing the process or file, cleaning the process or file, repairing the process or file, or placing the process or file in a sandbox to run. The anti-malware module 114 may cancel, remove, or clear any working document or other part of the task dispatcher 116. One or more such corrective actions may be taken after prompting the user 111. Access to "111.111.111.111" 506 may be prevented.
In another example, process ABC 502 may attempt to access the task dispatcher 116 to run a task that includes executing "xyz.exe/def.com". The anti-malware module 114 may determine that process ABC 502, destination document xyz.exe 504, and any associated source file are safe or have an unknown malware state. The anti-malware module 114 may determine that the attempted access of destination document xyz.exe 504 includes an attempted contact with the destination server identified by def.com 508. The anti-malware module 114 may access the webpage reputation server 106 to determine the reputation of def.com 508. The webpage reputation server 106 may determine from the webpage reputation database 512 that def.com 508 is known to be safe.
Consequently, because def.com 508 is known to be safe, the anti-malware module 114 may allow the attempted access of the task dispatcher 116. The task dispatcher 116 may launch xyz.exe 504 at the specified time. The access to def.com 508 may be made.
In another example, process ABC 502 may attempt to access the task dispatcher 116 to run a task that includes executing "xyz.exe/ghi.com/download.html". The anti-malware module 114 may determine that process ABC 502, destination document xyz.exe 504, and any associated source file are safe or have an unknown malware state. The anti-malware module 114 may determine that the attempted access of destination document xyz.exe 504 includes an attempted contact with the destination server identified by ghi.com/download.html 510. The anti-malware module 114 may access the webpage reputation server 106 to determine the reputation of ghi.com/download.html. The webpage reputation server 106 may determine from the webpage reputation database 512 that ghi.com/download.html 510 has an unknown malware state.
If the malware state of ghi.com/download.html 510 is determined to be unknown, then the anti-malware module 114 may determine that the attempted access is suspicious. In one embodiment, if one or more of ghi.com/download.html 510, the process, the source file, or the destination document are determined to be unknown and the others are determined to be safe, then the anti-malware module 114 may determine that the attempted access is suspicious.
In another embodiment, the anti-malware module 114 may prompt the user 111 for an instruction on how to handle an attempted access in which a destination server with an unknown malware state will be contacted. The anti-malware module 114 may prompt the user 111 for an instruction on whether to allow or deny such an access. If such an access is denied, the anti-malware module 114 may prompt the user 111 to choose whether to remove, delete, repair, or quarantine the source file, the destination document, or the process.
In another embodiment, if at least one of the source file, the process, or the destination document is known to be safe, the anti-malware module 114 may assume that the attempt is safe even though the malware state of destination server ghi.com/download.html 510 is unknown. The anti-malware module 114 may allow xyz.exe 504 to execute. Such an assumption may admit malware whose malware state is unknown and which is present in one or more of the source file, the process, or the destination document.
In another embodiment, if ghi.com/download.html 510 and each of the source file, the process, and the destination document are determined to be unknown, then the anti-malware module 114 may assume that the attempt is unsafe. The anti-malware module 114 may refuse to execute xyz.exe 504. Such an assumption may cause false positives, in which the source file, the process, and the destination document are safe but their state is unknown.
Fig. 6 is an example embodiment of a method 600 for preventing the execution of task scheduling malware.
In step 605, an attempted change to the task dispatcher of an electronic device may be intercepted or detected. Such a change may be made to, for example, a working document or the task dispatcher settings, or by using a task dispatcher function.
In step 610, the process on the electronic device that is attempting to make the change may be determined. A hash value, digital signature, or other identifier of the process may be determined. In step 615, it may be determined whether the identifier represents a process that is known to be malicious, unsafe, or associated with malware. Such a determination may be made by, for example, consulting a local anti-malware signature database or a reputation server. If the process is known to be malicious, then method 600 may proceed to step 675.
If the process is not known to be malicious, then in step 620 the source of the process making the attempted change to the task dispatcher may be determined. Such a source may include a source file or a source process. In step 625, a hash value, digital signature, or other identifier of the source may be determined. In step 630, it may be determined whether the identifier represents a source that is known to be malicious, unsafe, or associated with malware. Such a determination may be made by, for example, consulting a local anti-malware signature database or a reputation server. If the source is known to be malicious, then method 600 may proceed to step 675. Steps 620-630 may optionally be repeated for the source of the source, and so on, to determine whether any part of the hierarchy of files or processes that produced the attempt to access the task dispatcher is associated with malware.
If the process is not known to be malicious, then in step 635 the effect of the attempted change may be analyzed. For example, the file path of the task or job to be added to the task dispatcher may be analyzed, and the destination document that will be executed by the task dispatcher may be determined. In step 650, a hash value, digital signature, or other identifier of the destination document may be determined. In step 655, it may be determined whether the identifier represents a source that is known to be malicious, unsafe, or associated with malware. Such a determination may be made by, for example, consulting a local anti-malware signature database or a reputation server. If the destination document is known to be malicious, then method 600 may proceed to step 675.
If the destination document is not known to be malicious, then in step 650 other effects of the attempted change may be analyzed. For example, the file path of the task or job to be added to the task dispatcher may be analyzed, and the IP address or uniform resource locator ("URL") that will be accessed by the scheduled task may be determined. In step 655, it may be determined whether the IP address or URL represents a network destination that is known to be malicious, unsafe, or associated with malware. Such a determination may be made by, for example, consulting a local blacklist or a webpage reputation server. If the network destination is known to be malicious, then method 600 may proceed to step 675.
If the network destination is not known to be malicious, then in step 660 it may be determined whether the malware state of any source, process, destination document, IP address, or URL is unknown. If not, then method 600 may proceed to step 665. If so, then method 600 may proceed to step 670.
In step 660, it may be determined that the attempted access of the task dispatcher is safe. The results of analyzing the source, process, destination document, or IP address may be presented to the user. The attempt may be logged. The user may be prompted to take an appropriate action. In one embodiment, the attempt may be allowed by default.
In step 665, it may be determined that the attempted access of the task dispatcher involves an entity whose malware state is unknown. The results of analyzing the source, process, destination document, or IP address may be presented to the user. The attempt may be logged. The user may be prompted to take an appropriate action. In one embodiment, the attempt may be treated as safe by default. In another embodiment, the attempt may be treated as malicious by default. The results and the analysis of the attempt may be reported to the reputation server for further analysis.
In step 670, it may be determined that the attempted access of the task dispatcher is unsafe, malicious, or associated with malware. The results of analyzing the source, process, destination document, or IP address may be presented to the user. The attempt may be logged. The attempted access of the task dispatcher may be prevented. The source, destination document, and process may be cleaned, removed, repaired, or quarantined, or any other suitable corrective action may be taken. In one embodiment, by default, the specific parts identified as malicious (i.e. the source, process, destination document, or IP address) may be blocked or removed, and the user may be queried about corrective action for the other such parts.
Method 600 may be implemented using the systems of Figs. 1-2 and 4-5, or any other system operable to implement method 600. Likewise, the preferred starting point for method 600 and the order of the steps that make up method 600 may depend on the implementation chosen. In some embodiments, some steps may optionally be omitted, repeated, or combined. In some embodiments, method 600 may be implemented partially or fully in software embodied in a computer-readable medium.
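The checks of method 600, together with the Fig. 4 and Fig. 5 walkthroughs, can be expressed as a short decision routine. The following Python sketch is an added example, not code from the patent or from any product; the function names, the in-memory databases, the placeholder file contents, and the `unknown_policy` parameter are assumptions made for illustration.

```python
"""Allow/deny decision for an attempted task-dispatcher change (added example)."""
import hashlib
import re
from enum import Enum


class Status(Enum):
    SAFE = "safe"
    UNKNOWN = "unknown"
    MALICIOUS = "malicious"


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK_USER = "ask_user"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data. The names come from the description; the byte
# contents and every database entry are invented for this example.
FILES = {n: n.encode() for n in (
    "jkl.exe", "ABC", "stu.exe", "mno.exe", "DEF", "vwx.exe",
    "pqr.exe", "GHI", "xyz.exe")}
SIGNATURE_DB = {sha256(FILES["vwx.exe"])}          # local known-bad hashes
REPUTATION = {sha256(FILES[n]): Status.SAFE for n in ("jkl.exe", "ABC", "stu.exe")}
REPUTATION[sha256(FILES["mno.exe"])] = Status.MALICIOUS
WEB_BLACKLIST = {"111.111.111.111"}                # local blacklist
WEB_REPUTATION = {"def.com": Status.SAFE}          # indexed by IP, domain or page


def parse_action(action: str):
    """Split the description's 'file/destination' notation into its parts."""
    target, _, rest = action.partition("/")
    dest = re.sub(r"^[a-z][a-z0-9+.-]*:/+", "", rest, flags=re.I)  # drop scheme
    return target, (dest or None)


def file_status(name: str) -> Status:
    """Signature database first, then reputation; no record means unknown."""
    data = FILES.get(name)
    if data is None:
        return Status.UNKNOWN
    digest = sha256(data)
    if digest in SIGNATURE_DB:
        return Status.MALICIOUS
    return REPUTATION.get(digest, Status.UNKNOWN)


def web_status(dest: str) -> Status:
    """Check the full destination and its host; the most specific record wins."""
    host = dest.split("/", 1)[0]
    if dest in WEB_BLACKLIST or host in WEB_BLACKLIST:
        return Status.MALICIOUS
    for key in (dest, host):
        if key in WEB_REPUTATION:
            return WEB_REPUTATION[key]
    return Status.UNKNOWN


def evaluate(process, sources, action, unknown_policy=Verdict.ASK_USER):
    """Return (verdict, findings) for one attempted change.

    Entities are checked in the order the description gives: the process,
    its sources, the file to be launched, then the network destination.
    unknown_policy selects the aggressive (DENY), lenient (ALLOW) or
    interactive (ASK_USER) handling of entities with unknown state.
    """
    target, dest = parse_action(action)
    entities = [("process", process)] + [("source", s) for s in sources]
    entities.append(("target", target))
    if dest:
        entities.append(("network", dest))
    findings = []
    for role, name in entities:
        status = web_status(name) if role == "network" else file_status(name)
        findings.append((role, name, status))
        if status is Status.MALICIOUS:
            return Verdict.DENY, findings      # stop at the first known-bad entity
    if any(s is Status.UNKNOWN for _, _, s in findings):
        return unknown_policy, findings
    return Verdict.ALLOW, findings


if __name__ == "__main__":
    cases = [("ABC", ["jkl.exe"], "stu.exe"),
             ("DEF", ["mno.exe"], "vwx.exe"),
             ("GHI", ["pqr.exe"], "xyz.exe"),
             ("ABC", ["jkl.exe"], "stu.exe/111.111.111.111"),
             ("ABC", ["jkl.exe"], "stu.exe/ghi.com/download.html")]
    for proc, srcs, act in cases:
        verdict, findings = evaluate(proc, srcs, act)
        print(f"{proc:4} {act:32} -> {verdict.value}",
              [(r, n, s.value) for r, n, s in findings])
```

The findings list doubles as the record that would be logged or shown to the user, since it names each entity examined and the state that drove the verdict.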
For purposes of this disclosure, a computer-readable medium may include any instrumentality or aggregation of instrumentalities that may retain data and/or instructions for a period of time. Computer-readable media may include, without limitation, storage media such as a direct access storage device (for example, a hard disk or floppy disk), a sequential access storage device (for example, a tape drive), compact disc, CD-ROM, DVD, random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and/or flash memory; as well as communications media such as wires, optical fibers, and other electromagnetic and/or optical carriers; and/or any combination of the foregoing.
Although the present disclosure has been described in detail, it should be understood that various changes, substitutions, and alterations can be made to it without departing from the spirit and scope of the disclosure as defined by the appended claims.

Claims (17)

1. A method for preventing malware attacks, comprising the following steps:
detecting, on an electronic device, an attempt to access a task dispatcher by determining information added to the task dispatcher, the task dispatcher being configured to launch one or more applications at a specified time or interval;
determining, based on the information added to the task dispatcher, an entity associated with the attempt to access the task dispatcher, including determining a network destination that will be accessed as a result of adding the information to the task dispatcher;
determining a malware state of the entity by determining a malware state of the network destination; and
based on the malware state of the entity, allowing or denying the attempted access to the task dispatcher.
2. The method of claim 1, wherein:
determining the entity associated with the attempt includes determining a process attempting to access the task dispatcher; and
determining the malware state of the entity includes determining a malware state of the process.
3. The method of claim 1, wherein:
determining the entity associated with the attempt includes determining a source of a process attempting to access the task dispatcher; and
determining the malware state of the entity includes determining a malware state of the source.
4. The method of claim 1, wherein:
determining the entity associated with the attempt includes determining a destination document that will be launched as a result of the attempt to access the task dispatcher; and
determining the malware state of the entity includes determining a malware state of the destination document.
5. The method of claim 1, wherein:
determining the entity associated with the attempt includes:
determining two or more of the following:
a process attempting to access the task dispatcher;
a source of the process attempting to access the task dispatcher;
a destination document that will be launched as a result of the attempt to access the task dispatcher; and
a network destination that will be accessed as a result of the attempt to access the task dispatcher;
determining a relationship between two or more of the process, the source, the destination document, and the network destination; and
determining the malware state of the entity includes determining a malware state of two or more of the process, the source, the destination document, and the network destination.
6. The method of claim 5, further comprising:
determining that the malware state of one or more of the process, the source, the destination document, and the network destination is not malicious; and
denying the attempted access to the task dispatcher.
7. A device for preventing malware attacks, comprising:
a module for detecting, on an electronic device, an attempt to access a task dispatcher by determining information added to the task dispatcher, the task dispatcher being configured to launch one or more applications at a specified time or interval;
a module for determining, based on the information added to the task dispatcher, an entity associated with the attempt to access the task dispatcher, including a module for determining a network destination that will be accessed as a result of adding the information to the task dispatcher;
a module for determining a malware state of the entity by determining a malware state of the network destination;
a module for allowing or denying, based on the malware state of the entity, the attempted access to the task dispatcher.
8. The device of claim 7, wherein:
the module for determining the entity associated with the attempt includes a module for determining a process attempting to access the task dispatcher; and
the module for determining the malware state of the entity includes a module for determining a malware state of the process.
9. The device of claim 7, wherein:
the module for determining the entity associated with the attempt includes a module for determining a source of a process attempting to access the task dispatcher; and
the module for determining the malware state of the entity includes a module for determining a malware state of the source.
10. The device of claim 7, wherein:
the module for determining the entity associated with the attempt includes a module for determining a destination document that will be launched as a result of the attempt to access the task dispatcher; and
the module for determining the malware state of the entity includes a module for determining a malware state of the destination document.
11. The device of claim 7, wherein:
the module for determining the entity associated with the attempt includes:
a module for determining two or more of the following:
a process attempting to access the task dispatcher;
a source of the process attempting to access the task dispatcher;
a destination document that will be launched as a result of the attempt to access the task dispatcher; and
a network destination that will be accessed as a result of the attempt to access the task dispatcher; and
a module for determining a relationship between two or more of the process, the source, the destination document, and the network destination;
the module for determining the malware state of the entity includes a module for determining a malware state of two or more of the process, the source, the destination document, and the network destination.
12. The device of claim 11, further comprising:
a module for determining that the malware state of one or more of the process, the source, the destination document, and the network destination is not malicious; and
a module for denying the attempted access to the task dispatcher.
13. A system for preventing malware attacks, comprising:
a processor coupled to a memory; and
an anti-malware module that is on an electronic device, executed by the processor, resident in the memory, and communicatively coupled to a task dispatcher, the task dispatcher being configured to launch one or more applications at a specified time or interval;
the anti-malware module being configured to:
detect, on the electronic device, an attempt to access the task dispatcher by determining information added to the task dispatcher;
determine, based on the information added to the task dispatcher, an entity associated with the attempt to access the task dispatcher, including determining a network destination that will be accessed as a result of adding the information to the task dispatcher;
determine a malware state of the entity by determining a malware state of the network destination;
based on the malware state of the entity, allow or deny the attempted access to the task dispatcher.
14. The system as claimed in claim 13, wherein:
determining the entity associated with the attempt includes determining a process attempting to access the task scheduler; and
determining the malware status of the entity includes determining the malware status of the process.
15. The system as claimed in claim 13, wherein:
determining the entity associated with the attempt includes determining a source of the process attempting to access the task scheduler; and
determining the malware status of the entity includes determining the malware status of the source.
16. The system as claimed in claim 13, wherein:
determining the entity associated with the attempt includes determining a destination file to be launched as a result of the attempt to access the task scheduler; and
determining the malware status of the entity includes determining the malware status of the destination file.
17. The system as claimed in claim 13, wherein:
determining the entity associated with the attempt includes:
determining two or more of the following:
a process attempting to access the task scheduler;
a source of the process attempting to access the task scheduler;
a destination file to be launched as a result of the attempt to access the task scheduler; and
a network destination to be accessed as a result of the attempt to access the task scheduler; and
determining a relationship between two or more of the process, the source, the destination file, and the network destination; and
determining the malware status of the entity includes determining the malware status of two or more of the process, the source, the destination file, and the network destination.
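The allow/deny decision recited in claims 11 to 17, sketched as an added Python example that is not part of the patent text and not McAfee's implementation. The request format, the reputation table, the treatment of entities from one request as related, and the allow-on-unknown policy are assumptions; all sample values are constructed.

```python
# Added illustration: request format, reputation data and policy are assumptions.
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed reputation store; any entity absent from it is "unknown".
REPUTATION = {
    r"c:\windows\system32\schtasks.exe": "safe",
    r"c:\program files\backup\backup.exe": "safe",
    "updates.bad.example": "malicious",
}

# process: program attempting to access the task scheduler
# source:  where that process came from (here, the file that started it)
# action:  command line the new task would launch
TaskRequest = namedtuple("TaskRequest", "process source action")

def entities(req):
    """Extract process, source, destination file and network destination."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', req.action)]
    found = {"process": req.process.lower(), "source": req.source.lower()}
    if tokens:
        found["destination_file"] = tokens[0].lower()
    hosts = [urlparse(t).hostname for t in tokens[1:] if "://" in t]
    if hosts and hosts[0]:
        found["network_destination"] = hosts[0].lower()
    return found

def decide(req):
    """Deny when any entity tied to the request is malicious, even if the
    others are not (the case in claim 12); otherwise allow (assumed policy)."""
    status = {kind: REPUTATION.get(ident, "unknown")
              for kind, ident in entities(req).items()}
    verdict = "deny" if "malicious" in status.values() else "allow"
    return verdict, status

# Constructed task-registration requests.
SAMPLES = [
    TaskRequest(r"C:\Windows\System32\schtasks.exe",
                r"C:\Users\a\Downloads\setup.exe",
                r'"C:\Program Files\Browser\browser.exe" http://updates.bad.example/'),
    TaskRequest(r"C:\Windows\System32\schtasks.exe",
                r"C:\Program Files\Backup\backup.exe",
                r'"C:\Program Files\Backup\backup.exe" --nightly'),
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(decide(request))
```

In the first sample the process itself has a safe reputation, yet the request is denied because the network destination the task would reach is malicious.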
CN201280059499.2A 2011-12-02 2012-11-30 Prevent the execution of task scheduling Malware Active CN104067284B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/310,447 2011-12-02
US13/310,447 US9235706B2 (en) 2011-12-02 2011-12-02 Preventing execution of task scheduled malware
PCT/US2012/067203 WO2013082365A1 (en) 2011-12-02 2012-11-30 Preventing execution of task scheduled malware

Publications (2)

Publication Number Publication Date
CN104067284A CN104067284A (en) 2014-09-24
CN104067284B CN104067284B (en) 2016-11-30

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101561768A (en) * 2008-04-18 2009-10-21 北京闻言科技有限公司 Universal multitask scheduling method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Malware loves Windows Task Scheduler | InfoWorld"; Roger A. Grimes; URL: http://www.infoworld.com/article/2621116/malware/malware-loves-windows-task-scheduler.html; 20111025; full text *

Similar Documents

Publication Publication Date Title
RU2622870C2 (en) System and method for evaluating malicious websites
US9571520B2 (en) Preventing execution of task scheduled malware
US8607340B2 (en) Host intrusion prevention system using software and user behavior analysis
US9344457B2 (en) Automated feedback for proposed security rules
KR101558715B1 (en) System and Method for Server-Coupled Malware Prevention
US8220050B2 (en) Method and system for detecting restricted content associated with retrieved content
US20120102568A1 (en) System and method for malware alerting based on analysis of historical network and process activity
US9762595B2 (en) Secure cross domain solution systems and methods
US20090248696A1 (en) Method and system for detecting restricted content associated with retrieved content
US10009370B1 (en) Detection and remediation of potentially malicious files
US20120174227A1 (en) System and Method for Detecting Unknown Malware
CN110417718B (en) Method, device, equipment and storage medium for processing risk data in website
KR102648653B1 (en) Mail security-based zero-day URL attack defense service providing device and method of operation
Xing et al. Cracking app isolation on apple: Unauthorized cross-app resource access on MAC os~ x and ios
CN104781824A (en) Dynamic quarantining for malware detection
GB2507360A (en) Threat detection through the accumulated detection of threat characteristics
US20210021611A1 (en) Inline malware detection
CN104517054A (en) Method, device, client and server for detecting malicious APK
US12261876B2 (en) Combination rule mining for malware signature generation
Ревнюк et al. The improvement of web-application SDL process to prevent Insecure Design vulnerabilities
US20220245249A1 (en) Specific file detection baked into machine learning pipelines
US12177181B2 (en) Automatic network signature generation
US20240143831A1 (en) Sensitive data detection
US12260208B2 (en) Pausing automatic software updates of virtual machines
CN104067284B (en) Prevent the execution of task scheduling Malware

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: California, USA

Patentee after: McAfee LLC

Address before: California, USA

Patentee before: McAfee Inc