CN104573511A - Method and system for searching and killing Rootkit virus - Google Patents


Publication number
CN104573511A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310481967.1A
Other languages
Chinese (zh)
Other versions
CN104573511B (en)
Inventor
宁晓魁
陈实
李俊
陈军
郭卫先
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Application filed by Lenovo Beijing Ltd
Priority to CN201310481967.1A
Publication of CN104573511A
Publication of CN104573511B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

The invention discloses a method and electronic equipment for searching and killing a Rootkit virus. The method comprises the following steps: before an operating system is started, acquiring a clearing scheme for the Rootkit virus through a basic input/output system provided with an extensible firmware interface, wherein the clearing scheme comprises the storage address of the Rootkit virus; determining the position of the Rootkit virus according to the storage address; and clearing the data stored at the position. With the method or the electronic equipment disclosed by the invention, the Rootkit virus can be cleared before it enters the system kernel in the form of a driver, so that the security of the operating system is improved.

Description

A method and system for searching and killing a kernel-type (Rootkit) virus
Technical Field
The present invention relates to the field of computer security, and in particular to a method and system for searching and killing a kernel-type (Rootkit) virus.
Background
With the development of network technology, the security of the operating systems of electronic devices has become increasingly important. At present, the greatest security threat to the operating system of an electronic device remains viruses of various types.
Among the many types of virus, the most troublesome is the kernel-type (Rootkit) virus. In many cases antivirus software can detect such a virus but cannot remove it effectively. The characteristic of this kind of virus is that, before the antivirus software starts, it can hook into the system kernel in the form of a driver; it can then set up a secret backdoor, replace normal system files, hide processes, monitor the network and record keystroke sequences. Some Rootkit viruses can even shut down the antivirus software.
It can be seen that the virus searching and killing methods of the prior art cannot effectively remove kernel-type viruses.
Summary of the Invention
The object of the present invention is to provide a method and system for searching and killing a kernel-type virus that can remove a Rootkit virus before it hooks into the system kernel in the form of a driver, thereby improving the security of the operating system.
To achieve the above object, the present invention provides the following scheme:
A method for searching and killing a kernel-type virus, the method comprising:
Before the operating system starts, obtaining a clearing scheme for the kernel-type virus through a basic input/output system (BIOS) having an Extensible Firmware Interface (EFI); the clearing scheme comprises the storage address of the kernel-type virus;
Determining the position of the kernel-type virus according to the storage address;
Clearing the data stored at the position.
Optionally, after clearing the data stored at the position, the method further comprises:
Determining, from the clearing scheme, the related information of the kernel-type virus in the registry;
Clearing the related information.
Optionally, after clearing the data stored at the position, the method further comprises:
Setting the position of the antivirus software in the startup order of the operating system to first priority, so as to prevent a kernel-type virus from loading before the antivirus software starts.
Optionally, after the operating system starts, the method further comprises:
Detecting in real time, by the antivirus software, whether the operating system has loaded the kernel-type virus;
When it is detected that the operating system has loaded the kernel-type virus, obtaining the clearing scheme for the kernel-type virus from a network-side server;
Writing the clearing scheme for the kernel-type virus into the BIOS having the Extensible Firmware Interface, so that the kernel-type virus is cleared the next time the BIOS starts.
Optionally, obtaining the clearing scheme for the kernel-type virus from the network-side server comprises:
Sending characteristic information of the kernel-type virus to the server;
Receiving the clearing scheme, sent by the server, for the kernel-type virus that matches the characteristic information.
Optionally, obtaining the clearing scheme for the kernel-type virus comprises:
Obtaining a first clearing scheme for the kernel-type virus locally; the first clearing scheme was written into the BIOS having the Extensible Firmware Interface by the antivirus software after the operating system was last started;
Or, obtaining a second clearing scheme for the kernel-type virus from a network-side server.
An electronic device, the electronic device comprising:
A first clearing scheme acquiring unit, configured to obtain, before the operating system starts, the clearing scheme for the kernel-type virus through the BIOS having the Extensible Firmware Interface;
A position determining unit, configured to determine the position of the kernel-type virus according to the storage address;
A data clearing unit, configured to clear the data stored at the position.
Optionally, the electronic device further comprises:
A related information determining unit, configured to determine, from the clearing scheme, the related information of the kernel-type virus in the registry after the data clearing unit has cleared the data stored at the position;
A related information clearing unit, configured to clear the related information.
Optionally, the electronic device further comprises:
A startup order setting unit, configured to set, after the data clearing unit has cleared the data stored at the position, the position of the antivirus software in the startup order of the operating system to first priority, so as to prevent a kernel-type virus from loading before the antivirus software starts.
Optionally, the electronic device further comprises:
A virus detecting unit, configured to detect in real time, by the antivirus software, whether the operating system has loaded the kernel-type virus after the operating system starts;
A second clearing scheme acquiring unit, configured to obtain the clearing scheme for the kernel-type virus from a network-side server when it is detected that the operating system has loaded the kernel-type virus;
A clearing scheme writing unit, configured to write the clearing scheme for the kernel-type virus into the BIOS having the Extensible Firmware Interface, so that the kernel-type virus is cleared the next time the BIOS starts.
Optionally, the second clearing scheme acquiring unit comprises:
A characteristic information sending subunit, configured to send characteristic information of the kernel-type virus to the server;
A clearing scheme receiving subunit, configured to receive the clearing scheme, sent by the server, for the kernel-type virus that matches the characteristic information.
Optionally, the first clearing scheme acquiring unit comprises:
A first obtaining subunit, configured to obtain the first clearing scheme for the kernel-type virus locally; the first clearing scheme was written into the BIOS having the Extensible Firmware Interface by the antivirus software after the operating system was last started;
A second obtaining subunit, configured to obtain the second clearing scheme for the kernel-type virus from a network-side server.
According to the specific embodiments provided by the present invention, the present invention discloses the following technical effects:
With the method and electronic device for searching and killing a kernel-type virus of the present invention, the clearing scheme for the kernel-type virus is obtained before the operating system starts through the BIOS having the Extensible Firmware Interface; the position of the kernel-type virus is determined according to the storage address in the clearing scheme; and the data stored at the position is cleared. The Rootkit virus can therefore be removed before it hooks into the system kernel in the form of a driver, which improves the security of the operating system.
Brief Description of the Drawings
To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of Embodiment 1 of the method for searching and killing a kernel-type virus according to the present invention;
Fig. 2 is a flowchart of Embodiment 2 of the method for searching and killing a kernel-type virus according to the present invention;
Fig. 3 is a flowchart of Embodiment 3 of the method for searching and killing a kernel-type virus according to the present invention;
Fig. 4 is a flowchart of Embodiment 4 of the method for searching and killing a kernel-type virus according to the present invention;
Fig. 5 is a structural diagram of an embodiment of the electronic device according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To make the above objects, features and advantages of the present invention easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.
The method for searching and killing a kernel-type virus of the present invention is applied to an electronic device having a basic input/output system (BIOS) with an Extensible Firmware Interface (EFI). The electronic device may be a desktop computer, an all-in-one computer or a similar device.
As is well known, in the prior art, during PC startup the BIOS is responsible for initializing the hardware, testing hardware functions and booting the operating system. The BIOS program is stored in a read-only memory whose contents are not lost after power-down; when the system powers up, the address of the processor's first instruction is located in the BIOS memory, so that the initialization program can be executed.
EFI BIOS is a new type of BIOS that has been developed recently. Through modularization, a C-style parameter stack passing convention and a dynamically linked system structure, EFI BIOS is easier to implement than a traditional BIOS, has stronger fault-tolerance and error-correction properties, and can shorten system development time. It identifies and operates hardware by loading EFI drivers. EFI BIOS is conceptually very similar to a low-level operating system and has the ability to control all hardware resources.
The core idea of the present invention is to use the ability of EFI BIOS to control hardware resources before the operating system starts. Before the operating system starts, the kernel-type virus is cleared from the components of the electronic device, so that the kernel-type virus no longer exists while the operating system is starting. This prevents the kernel-type virus from hooking into the system kernel in the form of a driver during operating system startup, before the antivirus software starts.
Fig. 1 is a flowchart of Embodiment 1 of the method for searching and killing a kernel-type virus according to the present invention. As shown in Fig. 1, the method may comprise:
Step 101: before the operating system starts, obtain the clearing scheme for the kernel-type virus through the basic input/output system having the Extensible Firmware Interface (EFI BIOS); the clearing scheme comprises the storage address of the kernel-type virus;
The operating system may be a Windows or Linux operating system.
Before the operating system starts, EFI BIOS can initialize the hardware functional units of the electronic device and obtain control of those hardware functional units.
Specifically, EFI BIOS can load the driver of the network communication unit, which is one of the hardware functional units, to enable the network communication unit; load the driver of the first storage unit, which is one of the hardware functional units, to enable the first storage unit; and, using the enabled network communication unit, obtain the clearing scheme for the kernel-type virus from the server and store it in the first storage unit.
When the clearing scheme for the kernel-type virus has already been stored in the first storage unit of the local electronic device by other means, EFI BIOS can also use the enabled first storage unit to obtain the stored clearing scheme directly.
The clearing scheme can be stored on the local electronic device in advance as follows: during the previous startup of the electronic device, the antivirus software scans the electronic device. When a kernel-type virus is detected on the electronic device, the antivirus software can download a clearing scheme for that kernel-type virus from a server on the network and store it in a storage unit of the electronic device. The server may be a server set up by the antivirus software vendor or a third-party server.
The clearing scheme comprises at least the behavioral features and the storage address of the kernel-type virus. The kernel-type virus can be identified according to the behavioral features. The position of the kernel-type virus can be determined according to the storage address.
Step 102: determine the position of the kernel-type virus according to the storage address;
The storage address indicates at which storage location of the storage unit the kernel-type virus is located. Specifically, when the storage unit is a hard disk, the storage address can indicate in which sector of the hard disk the kernel-type virus is located.
Step 103: clear the data stored at the position.
Because EFI BIOS has control of the hardware functional units, it can perform the clearing operation on the data in the storage unit. Because the operating system has not yet started at this point, the kernel-type virus cannot have loaded either, so the removal of the kernel-type virus by EFI BIOS at this point is thorough.
In summary, in this embodiment the clearing scheme for the kernel-type virus is obtained before the operating system starts through the BIOS having the Extensible Firmware Interface; the position of the kernel-type virus is determined according to the storage address in the clearing scheme; and the data stored at the position is cleared. The Rootkit virus can therefore be removed before it hooks into the system kernel in the form of a driver, which improves the security of the operating system.
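Steps 101 to 103 applied to an in-memory disk image, as an added C example that is not code from the patent. The record layout, the `count` and `fingerprint` fields, the FNV-1a digest (standing in for a cryptographic hash) and all sample data are assumptions; the patent only states that the scheme contains the storage address. The checks show why pre-boot code should validate a stored scheme before it overwrites sectors: the record was written during an earlier OS session and may be out of range or stale.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512u
#define DISK_SECTORS 64u   /* constructed in-memory disk, not a real device */

enum clear_status { CLEAR_OK = 0, CLEAR_ERR_RANGE, CLEAR_ERR_MISMATCH };

/* Clearing scheme record. The patent only requires a storage address;
 * count and fingerprint are assumptions added for this example. */
struct clearing_scheme {
    uint64_t lba;          /* storage address: first sector to clear */
    uint32_t count;        /* number of sectors to clear */
    uint64_t fingerprint;  /* digest of the content seen when the scheme was made */
};

/* FNV-1a, used here only as a stand-in for a cryptographic hash. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Steps 102 and 103: resolve the position from the storage address, then
 * clear it. Refuses ranges outside the disk and content that no longer
 * matches what the scheme was issued for. */
enum clear_status apply_clearing_scheme(uint8_t *disk, uint64_t disk_sectors,
                                        const struct clearing_scheme *s)
{
    /* Subtraction form avoids overflow in lba + count. */
    if (s->count == 0 || s->lba >= disk_sectors ||
        s->count > disk_sectors - s->lba)
        return CLEAR_ERR_RANGE;

    uint8_t *target = disk + s->lba * SECTOR_SIZE;
    size_t len = (size_t)s->count * SECTOR_SIZE;

    if (fnv1a64(target, len) != s->fingerprint)
        return CLEAR_ERR_MISMATCH;   /* stale scheme: leave the disk alone */

    memset(target, 0, len);
    return CLEAR_OK;
}

/* ---- constructed sample data below ---- */
uint8_t demo_disk[DISK_SECTORS * SECTOR_SIZE];

/* Every sector holds (index + 1); sectors 40-41 hold a harmless marker. */
void build_demo_disk(void)
{
    for (uint64_t s = 0; s < DISK_SECTORS; s++)
        memset(demo_disk + s * SECTOR_SIZE, (int)(s + 1), SECTOR_SIZE);
    memset(demo_disk + 40 * SECTOR_SIZE, 0xCC, 2 * SECTOR_SIZE);
    memcpy(demo_disk + 40 * SECTOR_SIZE, "CONSTRUCTED-SAMPLE", 18);
}

/* What the antivirus software would have stored in the previous session. */
struct clearing_scheme demo_scheme(void)
{
    struct clearing_scheme s = { 40, 2, 0 };
    s.fingerprint = fnv1a64(demo_disk + 40 * SECTOR_SIZE, 2 * SECTOR_SIZE);
    return s;
}

int region_is_zero(uint64_t lba, uint32_t count)
{
    for (size_t i = 0; i < (size_t)count * SECTOR_SIZE; i++)
        if (demo_disk[lba * SECTOR_SIZE + i] != 0)
            return 0;
    return 1;
}

int sector_intact(uint64_t lba)
{
    for (size_t i = 0; i < SECTOR_SIZE; i++)
        if (demo_disk[lba * SECTOR_SIZE + i] != (uint8_t)(lba + 1))
            return 0;
    return 1;
}

int main(void)
{
    build_demo_disk();
    struct clearing_scheme s = demo_scheme();
    enum clear_status st = apply_clearing_scheme(demo_disk, DISK_SECTORS, &s);
    int zeroed = region_is_zero(40, 2);
    printf("status=%d target_zeroed=%d neighbours_intact=%d\n",
           (int)st, zeroed, sector_intact(39) && sector_intact(42));
    return 0;
}
```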
Fig. 2 is a flowchart of Embodiment 2 of the method for searching and killing a kernel-type virus according to the present invention. As shown in Fig. 2, the method may comprise:
Step 201: before the operating system starts, obtain the clearing scheme for the kernel-type virus through the BIOS having the Extensible Firmware Interface; the clearing scheme comprises the storage address of the kernel-type virus;
Step 202: determine the position of the kernel-type virus according to the storage address;
Step 203: clear the data stored at the position.
Step 204: determine, from the clearing scheme, the related information of the kernel-type virus in the registry.
In this embodiment, the clearing scheme may also include the related information of the kernel-type virus in the registry.
Usually a virus, as a special type of program, also writes related information into the registry of the operating system. On the one hand, this related information may reduce the startup or running speed of the system; on the other hand, if the virus has not been removed completely, the virus program may be regenerated from the related information in the registry after the operating system starts.
Therefore, clearing the related information in this embodiment further ensures that the kernel-type virus is removed completely.
Step 205: clear the related information.
Specifically, before the operating system starts, EFI BIOS can invoke the file system. Once the file system has been invoked, EFI BIOS can directly perform operations such as clearing information on the registry file.
Fig. 3 is a flowchart of Embodiment 3 of the method for searching and killing a kernel-type virus according to the present invention. As shown in Fig. 3, the method may comprise:
Step 301: before the operating system starts, obtain the clearing scheme for the kernel-type virus through the BIOS having the Extensible Firmware Interface; the clearing scheme comprises the storage address of the kernel-type virus;
Step 302: determine the position of the kernel-type virus according to the storage address;
Step 303: clear the data stored at the position.
Step 304: set the position of the antivirus software in the startup order of the operating system to first priority, so as to prevent a kernel-type virus from loading before the antivirus software starts.
In this embodiment, adjusting the startup order so that the antivirus software starts with first priority when the operating system starts prevents other kernel-type viruses that have not been removed from loading before the antivirus software starts.
Fig. 4 is a flowchart of Embodiment 4 of the method for searching and killing a kernel-type virus according to the present invention. As shown in Fig. 4, the method may comprise:
Step 401: before the operating system starts, obtain the clearing scheme for the kernel-type virus through the BIOS having the Extensible Firmware Interface; the clearing scheme comprises the storage address of the kernel-type virus;
Step 402: determine the position of the kernel-type virus according to the storage address;
Step 403: clear the data stored at the position.
Step 404: set the position of the antivirus software in the startup order of the operating system to first priority, so as to prevent a kernel-type virus from loading before the antivirus software starts.
Step 405: detect in real time, by the antivirus software, whether the operating system has loaded the kernel-type virus;
Because the antivirus software starts with first priority, it can monitor the entire startup process of the operating system to detect whether the operating system has loaded the kernel-type virus.
Specifically, this may comprise:
Step A: obtain the instructions issued by each program while the operating system is starting;
Step B: compare these instructions with the instructions represented by the behavioral features of the kernel-type virus;
The behavioral features of different kernel-type viruses may differ. A virus database file for kernel-type viruses can be obtained from the server of the vendor that provides virus searching and killing. The virus database file can contain the behavioral feature information of each kind of kernel-type virus. The behavioral feature information can represent the instructions that the kernel-type virus issues while running.
Step C: when an instruction is identical to an instruction represented by the behavioral features, determine that the program that issued the instruction is the kernel-type virus.
Step 406: when it is detected that the operating system has loaded the kernel-type virus, obtain the clearing scheme for the kernel-type virus from a network-side server;
Specifically, characteristic information of the kernel-type virus can be sent to the server; the characteristic information may be the file name of the kernel-type virus.
The clearing scheme, sent by the server, for the kernel-type virus that matches the characteristic information is then received.
Step 407: write the clearing scheme for the kernel-type virus into the BIOS having the Extensible Firmware Interface, so that the kernel-type virus is cleared the next time the BIOS starts.
In this embodiment, the antivirus software is loaded with priority when the operating system starts and monitors the entire startup process of the operating system. It can therefore detect in real time a kernel-type virus present in the electronic device and obtain a clearing scheme for it from a network-side server, so that the next time the electronic device starts, EFI BIOS can remove the kernel-type virus directly, further improving the security of the system.
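Steps A to C run over a constructed boot-time event stream, as an added C example that is not code from the patent. It goes slightly beyond the text by treating a behavioral feature as an ordered sequence of instructions that one program must issue, which shows why a benign driver that issues only the first instruction is not flagged. The event labels, file names and feature contents are constructed, and the returned file name is the characteristic information that step 406 would send to the server.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIG_LEN  4
#define MAX_PROGRAMS 8

/* Step A: one instruction issued by one program during OS startup. */
struct boot_event {
    const char *program;      /* file name of the issuing program */
    const char *instruction;  /* constructed label for the operation */
};

/* One virus database entry: the instructions the virus issues when running. */
struct behaviour_feature {
    const char *virus_name;
    size_t len;
    const char *instructions[MAX_SIG_LEN];
};

/* Per-program progress through the feature's instruction sequence. */
struct tracker {
    const char *program;
    size_t progress;
};

/* Steps B and C: compare each program's instructions with the feature and
 * return the file name of the first program that issues all of them in
 * order, or NULL if no program does. */
const char *match_feature(const struct boot_event *ev, size_t n,
                          const struct behaviour_feature *f)
{
    struct tracker t[MAX_PROGRAMS];
    size_t used = 0;

    if (f->len == 0 || f->len > MAX_SIG_LEN)
        return NULL;

    for (size_t i = 0; i < n; i++) {
        struct tracker *cur = NULL;
        for (size_t j = 0; j < used; j++) {
            if (strcmp(t[j].program, ev[i].program) == 0) {
                cur = &t[j];
                break;
            }
        }
        if (cur == NULL) {
            if (used == MAX_PROGRAMS)
                continue;               /* table full: program not tracked */
            cur = &t[used++];
            cur->program = ev[i].program;
            cur->progress = 0;
        }
        if (strcmp(ev[i].instruction, f->instructions[cur->progress]) == 0 &&
            ++cur->progress == f->len)
            return cur->program;        /* Step C: this program is the virus */
    }
    return NULL;
}

/* ---- constructed sample data below ---- */
const struct boot_event demo_events[] = {
    { "netcard.sys",   "LOAD_DRIVER"       },
    { "sample_rk.sys", "LOAD_DRIVER"       },
    { "netcard.sys",   "MONITOR_NETWORK"   },
    { "sample_rk.sys", "HIDE_PROCESS"      },
    { "sample_rk.sys", "RECORD_KEYSTROKES" },
};

const struct behaviour_feature demo_feature = {
    "Constructed.Rootkit.A", 3,
    { "LOAD_DRIVER", "HIDE_PROCESS", "RECORD_KEYSTROKES" }
};

/* Same instructions in an order the sample program never follows. */
const struct behaviour_feature demo_feature_reordered = {
    "Constructed.Rootkit.B", 3,
    { "HIDE_PROCESS", "LOAD_DRIVER", "RECORD_KEYSTROKES" }
};

/* Match the first n_events of the sample stream against demo_feature. */
const char *demo_match(size_t n_events)
{
    return match_feature(demo_events, n_events, &demo_feature);
}

int main(void)
{
    const char *hit = demo_match(sizeof demo_events / sizeof demo_events[0]);
    printf("flagged program: %s\n", hit ? hit : "(none)");
    return 0;
}
```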
It should be noted that, in each embodiment of the method for searching and killing a kernel-type virus of the present invention, the step of obtaining the clearing scheme for the kernel-type virus can be performed in either of two ways:
Obtaining a first clearing scheme for the kernel-type virus locally; the first clearing scheme was written into the BIOS having the Extensible Firmware Interface by the antivirus software after the operating system was last started;
Or, obtaining a second clearing scheme for the kernel-type virus from a network-side server.
The invention also discloses an electronic device. The electronic device may be a desktop computer or an all-in-one computer. Fig. 5 is a structural diagram of an embodiment of the electronic device according to the present invention. As shown in Fig. 5, the electronic device may comprise:
A first clearing scheme acquiring unit 501, configured to obtain, before the operating system starts, the clearing scheme for the kernel-type virus through the BIOS having the Extensible Firmware Interface;
A position determining unit 502, configured to determine the position of the kernel-type virus according to the storage address;
A data clearing unit 503, configured to clear the data stored at the position.
In this embodiment, the clearing scheme for the kernel-type virus is obtained before the operating system starts through the BIOS having the Extensible Firmware Interface; the position of the kernel-type virus is determined according to the storage address in the clearing scheme; and the data stored at the position is cleared. The Rootkit virus can therefore be removed before it hooks into the system kernel in the form of a driver, which improves the security of the operating system.
In practical applications, the electronic device may further comprise:
A related information determining unit, configured to determine, from the clearing scheme, the related information of the kernel-type virus in the registry after the data clearing unit 503 has cleared the data stored at the position;
A related information clearing unit, configured to clear the related information.
It may further comprise:
A startup order setting unit, configured to set, after the data clearing unit 503 has cleared the data stored at the position, the position of the antivirus software in the startup order of the operating system to first priority, so as to prevent a kernel-type virus from loading before the antivirus software starts.
The electronic device may further comprise:
A virus detecting unit, configured to detect in real time, by the antivirus software, whether the operating system has loaded the kernel-type virus after the operating system starts;
A second clearing scheme acquiring unit, configured to obtain the clearing scheme for the kernel-type virus from a network-side server when it is detected that the operating system has loaded the kernel-type virus;
A clearing scheme writing unit, configured to write the clearing scheme for the kernel-type virus into the BIOS having the Extensible Firmware Interface, so that the kernel-type virus is cleared the next time the BIOS starts.
The second clearing scheme acquiring unit may comprise:
A characteristic information sending subunit, configured to send characteristic information of the kernel-type virus to the server;
A clearing scheme receiving subunit, configured to receive the clearing scheme, sent by the server, for the kernel-type virus that matches the characteristic information.
In the above embodiments, the first clearing scheme acquiring unit 501 may comprise:
A first obtaining subunit, configured to obtain the first clearing scheme for the kernel-type virus locally; the first clearing scheme was written into the BIOS having the Extensible Firmware Interface by the antivirus software after the operating system was last started;
A second obtaining subunit, configured to obtain the second clearing scheme for the kernel-type virus from a network-side server.
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any of their variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the required hardware platform, or entirely by hardware, although in many cases the former is the better implementation. Based on this understanding, all or part of the contribution that the technical solution of the present invention makes over the background art can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in parts of the embodiments.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the identical or similar parts of the embodiments can be cross-referenced. Because the electronic device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, see the description of the method.
Specific examples are used herein to explain the principle and the embodiments of the present invention; the above description of the embodiments is only intended to help in understanding the method of the present invention and its core idea. Meanwhile, a person of ordinary skill in the art may, following the idea of the present invention, make changes to the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (12)

1. A method for searching and killing a kernel-type virus, characterized in that the method comprises:
Before the operating system starts, obtaining a cleaning scheme for the kernel-type virus through a basic input/output system (BIOS) having an Extensible Firmware Interface, the cleaning scheme comprising the memory address of the kernel-type virus;
Determining the position of the kernel-type virus according to the memory address;
Clearing the data stored at the position.
2. The method according to claim 1, characterized in that, after clearing the data stored at the position, the method further comprises:
Determining, from the cleaning scheme, the relevant information of the kernel-type virus in the registry;
Clearing the relevant information.
3. The method according to claim 1, characterized in that, after clearing the data stored at the position, the method further comprises:
Setting the antivirus software to start first, with top priority, when the operating system starts, to prevent the kernel-type virus from loading before the antivirus software starts.
4. The method according to claim 3, characterized in that, after the operating system starts, the method further comprises:
Detecting in real time, by the antivirus software, whether the operating system has loaded the kernel-type virus;
When it is detected that the operating system has loaded the kernel-type virus, obtaining the cleaning scheme for the kernel-type virus from a network-side server;
Writing the cleaning scheme for the kernel-type virus to the BIOS having the Extensible Firmware Interface, so that the kernel-type virus is removed at the next startup of the BIOS.
5. The method according to claim 4, characterized in that obtaining the cleaning scheme for the kernel-type virus from the network-side server comprises:
Sending the characteristic information of the kernel-type virus to the server;
Receiving the cleaning scheme for the kernel-type virus, sent by the server, that matches the characteristic information.
6. The method according to any one of claims 1-5, characterized in that obtaining the cleaning scheme for the kernel-type virus comprises:
Obtaining a first cleaning scheme for the kernel-type virus locally, the first cleaning scheme having been written to the BIOS having the Extensible Firmware Interface by the antivirus software after the previous start of the operating system;
Or, obtaining a second cleaning scheme for the kernel-type virus from a network-side server.
7. An electronic device, characterized in that the electronic device comprises:
A first cleaning scheme acquiring unit, configured to obtain, before the operating system starts, the cleaning scheme for the kernel-type virus through a basic input/output system (BIOS) having an Extensible Firmware Interface;
A position determination unit, configured to determine the position of the kernel-type virus according to the memory address;
A data clearing unit, configured to clear the data stored at the position.
8. The electronic device according to claim 7, characterized in that it further comprises:
A relevant information determining unit, configured to determine, from the cleaning scheme, the relevant information of the kernel-type virus in the registry after the data clearing unit has cleared the data stored at the position;
A relevant information clearing unit, configured to clear the relevant information.
9. The electronic device according to claim 7, characterized in that it further comprises:
A boot sequence setting unit, configured to set, after the data clearing unit has cleared the data stored at the position, the antivirus software to start first, with top priority, when the operating system starts, to prevent the kernel-type virus from loading before the antivirus software starts.
10. The electronic device according to claim 9, characterized in that the electronic device further comprises:
A virus detection unit, configured to detect in real time, by the antivirus software and after the operating system starts, whether the operating system has loaded the kernel-type virus;
A second cleaning scheme acquiring unit, configured to obtain the cleaning scheme for the kernel-type virus from a network-side server when it is detected that the operating system has loaded the kernel-type virus;
A cleaning scheme writing unit, configured to write the cleaning scheme for the kernel-type virus to the BIOS having the Extensible Firmware Interface, so that the kernel-type virus is removed at the next startup of the BIOS.
11. The electronic device according to claim 10, characterized in that the second cleaning scheme acquiring unit comprises:
A characteristic information sending subunit, configured to send the characteristic information of the kernel-type virus to the server;
A cleaning scheme receiving subunit, configured to receive the cleaning scheme for the kernel-type virus, sent by the server, that matches the characteristic information.
12. The electronic device according to any one of claims 7-11, characterized in that the first cleaning scheme acquiring unit comprises:
A first acquiring subunit for the first cleaning scheme, configured to obtain the first cleaning scheme for the kernel-type virus locally, the first cleaning scheme having been written to the BIOS having the Extensible Firmware Interface by the antivirus software after the previous start of the operating system;
A second acquiring subunit for the first cleaning scheme, configured to obtain a second cleaning scheme for the kernel-type virus from a network-side server.
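
The two-phase flow of claims 1-6, modelled as an added example that is not taken from the patent: the running antivirus stages a cleaning scheme, and the next pre-boot pass consumes it, clears the listed regions and registry entries, and moves the antivirus to the front of the boot order. The dict standing in for the EFI BIOS store, the JSON layout with offset/length regions, the function names and the sample data are all assumptions, and the bounds check before clearing is a safeguard the claims do not state.

```python
import json

class SchemeError(ValueError):
    """Raised when a staged cleaning scheme fails validation."""

def stage_scheme(firmware_store, feature, server_db):
    """OS phase (claims 4-5): fetch the scheme matching the detected
    feature and write it to the firmware store for the next boot."""
    scheme = server_db.get(feature)      # stands in for the network-side server
    if scheme is None:
        return False
    firmware_store["cleaning_scheme"] = json.dumps(scheme)
    return True

def preboot_clean(firmware_store, disk, registry, boot_order, av="antivirus"):
    """Pre-boot phase (claims 1-3). Returns the number of bytes cleared."""
    raw = firmware_store.pop("cleaning_scheme", None)   # consume the scheme once
    if raw is None:
        return 0
    scheme = json.loads(raw)
    regions = scheme.get("regions", [])
    # Validate every region before clearing anything, so a bad address
    # cannot wipe unrelated data or leave a half-applied scheme.
    for region in regions:
        if (len(region) != 2 or not all(isinstance(v, int) for v in region)
                or region[0] < 0 or region[1] <= 0
                or region[0] + region[1] > len(disk)):
            raise SchemeError(f"invalid region: {region!r}")
    cleared = 0
    for offset, length in regions:                  # claim 1: clear stored data
        disk[offset:offset + length] = bytes(length)
        cleared += length
    for key in scheme.get("registry_keys", []):     # claim 2: registry entries
        registry.pop(key, None)
    if av in boot_order:                            # claim 3: antivirus starts first
        boot_order.remove(av)
    boot_order.insert(0, av)
    return cleared

if __name__ == "__main__":
    # Constructed sample data: a 32-byte "disk" with a marker at offset 16.
    disk = bytearray(b"A" * 16 + b"ROOTKIT!" + b"B" * 8)
    registry = {"Services\\evildrv": "boot", "Services\\disk": "boot"}
    boot_order = ["disk", "net", "antivirus"]
    server_db = {"sig-001": {"regions": [[16, 8]],
                             "registry_keys": ["Services\\evildrv"]}}
    store = {}
    stage_scheme(store, "sig-001", server_db)
    print(preboot_clean(store, disk, registry, boot_order), bytes(disk), boot_order)
```
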
CN201310481967.1A 2013-10-15 2013-10-15 Method and system for searching and killing Rootkit virus Active CN104573511B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310481967.1A CN104573511B (en) 2013-10-15 2013-10-15 The method and system of caryogram virus in a kind of killing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310481967.1A CN104573511B (en) 2013-10-15 2013-10-15 Method and system for searching and killing Rootkit virus

Publications (2)

Publication Number Publication Date
CN104573511A true CN104573511A (en) 2015-04-29
CN104573511B CN104573511B (en) 2018-01-23

Family

ID=53089549

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310481967.1A Active CN104573511B (en) 2013-10-15 2013-10-15 Method and system for searching and killing Rootkit virus

Country Status (1)

Country Link
CN (1) CN104573511B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106681813A (en) * 2016-12-15 2017-05-17 腾讯科技(深圳)有限公司 Method and device for system management
CN110851831A (en) * 2019-11-12 2020-02-28 腾讯科技(深圳)有限公司 Virus processing method and device, computer equipment and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101042719A (en) * 2006-03-21 2007-09-26 联想(北京)有限公司 System and method for killing ROOTKIT
CN101877039A (en) * 2009-11-23 2010-11-03 浪潮电子信息产业股份有限公司 Fault detection technology of server operating system
CN102208002A (en) * 2011-06-09 2011-10-05 国民技术股份有限公司 Novel computer virus scanning and killing device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106681813A (en) * 2016-12-15 2017-05-17 腾讯科技(深圳)有限公司 Method and device for system management
WO2018108051A1 (en) * 2016-12-15 2018-06-21 腾讯科技(深圳)有限公司 Method and device for system administration, and storage medium
CN106681813B (en) * 2016-12-15 2020-06-12 腾讯科技(深圳)有限公司 System management method and device
CN110851831A (en) * 2019-11-12 2020-02-28 腾讯科技(深圳)有限公司 Virus processing method and device, computer equipment and computer readable storage medium
CN110851831B (en) * 2019-11-12 2023-04-28 腾讯科技(深圳)有限公司 Virus processing method, device, computer equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN104573511B (en) 2018-01-23

Similar Documents

Publication Publication Date Title
CN107870968B (en) Performing real-time updates to a file system volume
CN102736978B (en) A kind of method and device detecting the installment state of application program
CN102663288B (en) Virus killing method and device thereof
US20120017276A1 (en) System and method of identifying and removing malware on a computer system
US20170286234A1 (en) System and method for live virtual incremental restoring of data from cloud storage
US9286468B2 (en) Option read-only memory use
US9983791B2 (en) System management controller and method of configuration file backup and recovery
US20120101996A1 (en) Apparatus and method for snapshot image segmentation
US9330260B1 (en) Detecting auto-start malware by checking its aggressive load point behaviors
CN107357908B (en) Method and device for detecting system file of virtual machine
US9384353B2 (en) System and method for encryption of disk based on pre-boot compatibility testing
CN104346194A (en) Method, device and electronic equipment for starting file loading
CN105637521A (en) Data processing method and intelligent terminal
US20130276117A1 (en) Method and apparatus for detecting a malware in files
CN110472381B (en) Root permission hiding method and system based on android system and storage medium
US8949588B1 (en) Mobile telephone as bootstrap device
KR20160138523A (en) Method and apparatus for determining behavior information corresponding to a dangerous file
US11416614B2 (en) Statistical detection of firmware-level compromises
CN103279334A (en) Android software rapid dynamic detection device and method
CN104573511A (en) Method and system for searching and killing Rootkit virus
CN104598281A (en) Method for upgrading system of electronic device
JPWO2005103909A1 (en) Security maintenance method, data storage device, security maintenance server, and recording medium recording the program
US10255435B1 (en) Systems and methods for establishing a reputation for related program files
US20130311761A1 (en) Intelligently Loading Legacy Option ROMs In A Computing System
KR101143909B1 (en) Dual backup system based on cloud computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant