CN104766007A - Method for quickly recovering a sandbox based on a file system filter driver

Publication number: CN104766007A (authority: CN, China); granted version: CN104766007B
Application number: CN201510141931.8A (filed 2015-03-27, priority date 2015-03-27)
Original language: Chinese (zh)
Legal status: Granted, Active
Inventors: 李凯, 吴卓群, 范渊, 寇大强
Original assignee: DBAPPSecurity Co Ltd; current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Prior art keywords: apocrypha (suspicious file), sandbox, file, virtual machine, monitoring

Abstract

The invention relates to the field of malicious file detection and provides a method for quickly recovering a sandbox based on a file system filter driver. The method comprises: registering a monitoring driver in the operating system of the sandbox virtual machine; after the operating system of the sandbox virtual machine receives a malicious file detection task, launching the suspicious file in a suspended state; injecting the monitoring program to capture the behaviour information of the suspicious file; passing the process ID to the monitoring driver so that file and registry operations are redirected; and, after the suspicious file has run, returning the captured behaviour information through the virtual machine operating system to the external task scheduler and quickly recovering the sandbox environment. The method increases the efficiency of sandbox environment recovery, reduces the time needed to detect a single malicious file, and so increases the sandbox's malicious file detection throughput.

Description

Method for realizing fast sandbox recovery based on a file system filter driver
Technical field
The invention relates to the field of malicious file detection, and in particular to a method for realizing fast sandbox recovery based on a file system filter driver.
Background art
In recent years, as network security problems have become more prominent, sandbox technology has been applied more and more to malicious file detection. A suspicious file is submitted to a sandbox and run under dynamic simulation; this not only keeps unknown malicious behaviour from damaging the real system, but also allows the behaviour information of the suspicious file to be captured and analysed, providing a new approach to malicious file detection.
Current malicious file detection sandboxes consist mainly of a task scheduler and a virtual machine. The task scheduler receives detection tasks, imports the suspicious file into the operating system of the virtual machine over a specific transport, and obtains the file's behaviour information from the virtual machine for analysis. Normally the operating system inside the virtual machine has a corresponding agent program that communicates with the scheduler, guaranteeing that the program inside the virtual machine executes in the way the task scheduler specifies. The virtual machine system also contains a task execution module and a behaviour monitoring module (behaviour monitoring is generally done by injecting a DLL into the process space of the suspicious file and obtaining, by hooking, the operating system API functions it calls and their parameters); the behaviour monitoring module finally sends the behaviour information of the suspicious file to the external task scheduler. The task scheduler captures and analyses the malicious behaviour in it, filters the behaviour information further, and finally decides whether the detected suspicious file is malicious.
To guarantee the completeness and robustness of the sandbox system, the sandbox environment must be restored after every dynamic run of a suspicious file, so that the execution trace of the next suspicious file is not disturbed by the results of the previous run. Current sandbox dynamic detection systems generally rely on the virtual machine's own image restore technique: the system ships with a virtual machine image in the powered-on state, and before a suspicious file is submitted to the sandbox the operating system in the virtual machine is first restored from the image, so that each suspicious file runs in a clean, sound environment. Because restoring the operating system image in the virtual machine involves a large amount of I/O, and because the restore involves shutting down and restarting the operating system in the virtual machine, it produces considerable time overhead; as a result, current sandbox detection systems have a long per-file detection time and low detection capacity.
Summary of the invention
The main purpose of the invention is to overcome the deficiencies of the prior art by providing a malicious file detection method that saves the large I/O overhead caused by restoring the operating system image of the virtual machine and that significantly increases detection efficiency. To solve the above technical problem, the solution of the invention is as follows:
A method for realizing fast sandbox recovery based on a file system filter driver is provided, which uses a sandbox virtual machine to detect suspicious files submitted by an external task scheduler. The method specifically comprises the following steps:
Step A: the operating system in the sandbox virtual machine and the external task scheduler establish a suspicious file detection task submission interface using an agreed network communication mode. The external task scheduler is the program that controls sandbox virtual machine recovery, submits suspicious files and analyses suspicious file behaviour information.
Step B: a monitoring driver is registered in the operating system of the sandbox virtual machine; it redirects the file operations and registry operations of a specified process ID and all of its child processes.
The monitoring driver is a program written under Windows using a file system filter driver framework (SFilter or MiniFilter) to implement file redirection and registry redirection; that is, the monitoring driver is a Windows driver based on the operating system's file system filter driver mechanism.
Step C: after the operating system of the sandbox virtual machine receives a suspicious file detection task, it executes (or opens) the suspicious file in a suspended state, injects the monitoring program to capture the behaviour information of the suspicious file, and passes the process ID to the monitoring driver for file and registry redirection. The monitoring program (behaviour monitoring module) can be injected (as a DLL) into the process space of the program, and obtains by hooking the operating system API functions called by the suspicious file and their parameters as behaviour information.
Step D: after the suspicious file has finished running, the virtual machine operating system returns the captured behaviour information to the external task scheduler and quickly recovers the sandbox environment, ready to receive the next suspicious file detection task.
In the invention, the monitoring driver redirects the file operations of the specified process (tree) in the following way:
The monitoring driver is inserted into the message chain of the Windows I/O manager in the sandbox virtual machine; it intercepts all I/O request packets (IRP and FastIO) of the specified process (tree) concerning operations such as file creation, reading and writing, and redirects the file data produced by the specified process (tree).
In the invention, the monitoring driver redirects the registry of the specified process (tree) using either the framework callback mechanism or API hooking, specifically as follows:
When the monitoring driver is initialized, a file in HIVE format is first created and then mounted into the registry; the monitoring driver is then registered in the sandbox virtual machine operating system environment, and after initialization completes a randomly generated redirect file directory is created and a random redirect registry path is initialized.
In the invention, step C specifically comprises the following processes:
Process C1: the operating system in the sandbox virtual machine receives the suspicious file to be detected from the task scheduler;
Process C2: the operating system in the sandbox virtual machine executes (or opens) the suspicious file in a suspended state and passes the process ID corresponding to the suspicious file to the monitoring driver registered in step B; the monitoring driver redirects the file and registry operations of the process (tree) corresponding to the suspicious file;
Process C3: the monitoring program is injected into the process space corresponding to the suspicious file, ready to monitor its behaviour information;
Process C4: the suspended process of the suspicious file is resumed, starting the detection task; the monitoring program continuously captures the behaviour information of the suspicious file, which includes the operating system API functions it calls and their parameters.
In the invention, step D specifically comprises the following processes:
Process D1: after the suspicious file has finished running, or after the time a non-PE file has been open exceeds the preset detection time, monitoring of the suspicious file is terminated;
Process D2: the operating system of the sandbox virtual machine returns the behaviour information captured by the monitoring program to the external task scheduler; the external task scheduler filters the received behaviour information further, captures and analyses the malicious behaviour in it, and finally decides whether the detected suspicious file is malicious;
Process D3: the information in the redirect directory and the redirect registry path is cleared, restoring the sandbox virtual machine to the state it was in just after image restore.
The core idea of the invention is this: the file system filter driver message mechanism of the operating system is used to filter the behaviour of the suspicious file under detection, and redirection is then used to divert the files and registry information that are created, modified or deleted while the suspicious file is executed (or opened) to paths specified when the monitoring driver was initialized (these paths include but are not limited to a file path and a registry path). The sandbox environment is thus never substantially changed, and after detection of the suspicious file completes only the paths specified at monitoring driver initialization need to be cleaned up to recover the sandbox environment quickly, which further improves sandbox detection efficiency.
Compared with the prior art, the beneficial effects of the invention are as follows:
Compared with sandbox detection systems based on virtual machine image restore, the invention does not need the virtual machine's operating system image restore when recovering the sandbox environment. It therefore saves the system overhead of a large amount of I/O and at the same time avoids the operating system shutdown and restart that image restore entails, so the efficiency of sandbox environment recovery improves, the time needed to detect a single suspicious file drops greatly, and the sandbox's detection throughput for suspicious files increases significantly.
Brief description of the drawing
Fig. 1 is a flow diagram of sandbox detection and environment restoration according to the invention.
Detailed description
First it should be noted that the invention relates to the field of malicious file detection and is an application branch of computer technology within information security technology. Implementing the invention may involve the use of several software function modules. The applicant believes that, after carefully reading the application documents and accurately understanding the implementation principle and purpose of the invention, a person skilled in the art can fully implement the invention using their software programming skills in combination with existing known technology. Everything mentioned in this application belongs to this category, and the applicant will not enumerate it.
The invention is described in further detail below with reference to the drawing and an embodiment:
A method for realizing fast sandbox recovery based on a file system filter driver uses a sandbox virtual machine to detect suspicious files submitted by an external task scheduler. Its processing flow is shown in Figure 1 and specifically comprises the following steps:
Step 1: the operating system in the sandbox virtual machine is powered on, ready to receive suspicious files for detection.
After the sandbox system starts, an image restore can be performed on every virtual machine of the sandbox so that the operating system in the virtual machine (for example Windows XP) is clean and uncontaminated, guaranteeing the correctness of suspicious file checks. After the sandbox has started, the operating system in the virtual machine always remains powered on, ready to receive suspicious files for detection.
Step 2: the sandbox receives a suspicious file and starts the detection flow.
The sandbox receives the suspicious file sent by the external task scheduler; the file reception interface of the external scheduler can be implemented using any agreed network communication mode (for example TCP socket communication). After the suspicious file has been received, the malicious file detection flow starts.
Step 3: determine whether the monitoring driver has been registered.
The driver information (here, the monitoring driver name) is obtained from the operating system by the name given at creation; if the monitoring driver is not registered, the corresponding driver information cannot be obtained and the monitoring driver must first be registered.
Step 4: register the monitoring driver.
The monitoring driver is registered and initialized in the sandbox virtual machine operating system environment, the redirect file directory is created and the redirect registry path is initialized. To prevent sandbox escape, both the file directory and the registry path are randomly generated.
Step 5: execute (or open) the suspicious file in a suspended state.
With the monitoring driver registered, the suspicious file is executed (or opened) in a suspended state and the corresponding process ID is obtained.
Step 6: inject the monitoring program.
The monitoring program is generally a DLL injected into the process space of the program; it obtains the operating system API functions called by the suspicious file and their parameters by hooking. By creating a remote thread, the monitoring program (dynamic link library) is injected into the process space of the suspicious file, ready to monitor its behaviour information.
Step 7: pass the process ID of the suspicious file to the monitoring driver.
The process ID obtained in step 5 when the suspicious file was executed (or opened) is passed to the monitoring driver, which monitors and redirects the file and registry operations of this process and all of its child processes.
Step 8: resume the process of the suspicious file.
The process in which the suspicious file runs is resumed.
Step 9: redirect file operations to the specified path and registry operations to the specified registry location.
Once the monitoring driver has the process ID of the suspicious file and its child process IDs, it filters their behaviour through the file system filter driver message mechanism of the operating system and, by redirection, diverts the additions, modifications and deletions of files made during the running of the suspicious file process and all of its child processes to the redirect file directory created in step 4, and diverts the insertions, modifications and deletions of registry entries to the registry path created in step 4.
Furthermore, if the suspicious file process queries the contents of other files, or queries registry contents, then because the suspicious file process itself may have updated the queried file or registry key values, with those updates redirected to the specified file directory or registry location, the query result must merge the original file content with the redirected content of that file, and must merge the original key values of a registry entry with the redirected key values of that entry, so that the query result is accurate.
Step 10: monitor and record the behaviour information of the suspicious file.
The monitoring program obtains by hooking the operating system API functions called by the suspicious file and their parameters, and saves them in a format the external task scheduler can recognise (or returns the captured behaviour information to the external task scheduler in real time over the agreed network communication mode).
Step 11: the suspicious file finishes running or times out.
When the dynamic run of the suspicious file ends, or when the time a non-PE file (such as an Office Word document) has been open reaches the maximum single-file run time preset by the sandbox system, the sandbox actively terminates the run of the suspicious file and so ends its detection.
Step 12: return the behaviour information of the suspicious file.
The captured behaviour information is returned to the external task scheduler over the agreed network communication mode, so that the external task scheduler can judge maliciousness and confirm whether the suspicious file is malicious.
Step 13: delete the redirect information and quickly recover the sandbox environment.
To guarantee the completeness and robustness of the sandbox system, the sandbox environment must be restored after every dynamic run of a suspicious file, so that the run of the next suspicious file is not disturbed by the results of the previous one. In the method of the invention, the dynamic run of the suspicious file changes nothing in the virtual machine operating system apart from the redirect file directory and redirect registry path specified in step 4, so simply clearing the information in the redirect directory and the redirect registry path restores the virtual machine to the state it was in just after image restore. This saves the large time overhead of the I/O needed for image restore and of shutting down and restarting the virtual machine, and gives a significant increase in sandbox detection efficiency.
At this point the detection task for one suspicious file ends and the sandbox environment has been recovered.
Finally, it should be noted that the above is only a preferred embodiment of the invention and is not intended to limit it; every variation that a person of ordinary skill in the art can derive directly from or associate with the disclosed content falls within the scope of protection of the invention.
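The redirect-and-discard cycle of steps 4, 7, 9 and 13 above, as an added user-mode model in Python (example code, not code from the patent and not a kernel filter driver): a process-tree set stands in for the driver's PID list, a randomly named directory for the redirect directory, copy-on-write plus tombstone files for the redirected create/write/delete requests, and a merged directory listing for the query-merge rule of step 9. The names RedirectFilter, TOMBSTONE, the paths and the pid values are constructed for the example; registry redirection, which the patent handles the same way through a mounted hive, is not modelled.

```python
import secrets
import shutil
import tempfile
from pathlib import Path

TOMBSTONE = ".deleted"  # constructed marker: "the sample deleted this original file"


class RedirectFilter:
    # User-mode model of the monitoring driver: file I/O from the watched process
    # tree lands in a random redirect directory and never touches the base tree.
    def __init__(self, base: Path, redirect_root: Path):
        self.base = base
        # random directory name, as in step 4 (randomised to hinder sandbox escape)
        self.redirect = redirect_root / secrets.token_hex(8)
        self.redirect.mkdir(parents=True)
        self.monitored = set()

    # step B / step 7: the sample's PID and every descendant are redirected
    def watch(self, pid: int) -> None:
        self.monitored.add(pid)
    def on_process_create(self, parent_pid: int, child_pid: int) -> None:
        if parent_pid in self.monitored:
            self.monitored.add(child_pid)
    def _orig(self, rel: str) -> Path: return self.base / rel
    def _redir(self, rel: str) -> Path: return self.redirect / rel
    def _tomb(self, rel: str) -> Path: return self.redirect / (rel + TOMBSTONE)

    # create/write request (step 9): copy-on-write into the redirect directory
    def write(self, pid: int, rel: str, data: bytes, append: bool = False) -> None:
        target = self._orig(rel)
        if pid in self.monitored:
            target = self._redir(rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            if self._tomb(rel).exists():  # re-creating a file the sample deleted earlier
                self._tomb(rel).unlink()
            elif append and not target.exists() and self._orig(rel).exists():
                shutil.copyfile(self._orig(rel), target)  # seed with the original content
        with open(target, "ab" if append else "wb") as fh:
            fh.write(data)

    # read request: the sample's view layers the redirect copy over the original
    def read(self, pid: int, rel: str) -> bytes:
        if pid in self.monitored:
            if self._tomb(rel).exists():
                raise FileNotFoundError(rel)
            if self._redir(rel).exists():
                return self._redir(rel).read_bytes()
        return self._orig(rel).read_bytes()

    # delete request: the base tree is never touched; a tombstone records the deletion
    def delete(self, pid: int, rel: str) -> None:
        if pid not in self.monitored:
            self._orig(rel).unlink()
            return
        if self._redir(rel).exists():
            self._redir(rel).unlink()
        if self._orig(rel).exists():
            self._tomb(rel).parent.mkdir(parents=True, exist_ok=True)
            self._tomb(rel).touch()

    # directory query (step 9 merge rule): union of both layers minus tombstones
    def list_dir(self, pid: int, rel: str) -> list:
        names = {p.name for p in self._orig(rel).iterdir()} if self._orig(rel).is_dir() else set()
        if pid in self.monitored and self._redir(rel).is_dir():
            for p in self._redir(rel).iterdir():
                if p.name.endswith(TOMBSTONE):
                    names.discard(p.name[: -len(TOMBSTONE)])
                else:
                    names.add(p.name)
        return sorted(names)

    # step 13: recovery is nothing more than discarding the redirect layer
    def recover(self) -> None:
        shutil.rmtree(self.redirect)
        self.redirect.mkdir()
        self.monitored.clear()


def demo() -> dict:
    # Constructed scenario: a watched sample (pid 100) and its child (pid 101) modify,
    # drop and delete files while an unwatched process (pid 7) reads the same paths.
    root = Path(tempfile.mkdtemp())
    base = root / "c_drive"
    (base / "Windows").mkdir(parents=True)
    (base / "Windows" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
    (base / "Windows" / "win.ini").write_bytes(b"[fonts]\n")
    snap = lambda: sorted((str(p.relative_to(base)), p.read_bytes() if p.is_file() else b"") for p in base.rglob("*"))
    before = snap()
    f = RedirectFilter(base, root / "redirect")
    f.watch(100)
    f.on_process_create(100, 101)  # the child inherits redirection
    f.write(101, "Windows/win.ini", b"run=dropped.dll\n", append=True)
    f.write(101, "Windows/dropped.dll", b"MZ...")  # constructed stand-in for a dropped binary
    f.delete(100, "Windows/hosts")
    out = {"sample_sees_ini": f.read(101, "Windows/win.ini"),
           "system_sees_ini": f.read(7, "Windows/win.ini"),
           "sample_listing": f.list_dir(100, "Windows"),
           "system_listing": f.list_dir(7, "Windows")}
    f.recover()  # step 13: no image restore needed
    out["base_unchanged"] = snap() == before
    out["redirect_empty"] = list(f.redirect.iterdir()) == []
    shutil.rmtree(root)
    return out
```

The real driver makes the same decisions per IRP inside the kernel; the point the model makes visible is that the base tree is identical before and after the run, so recovery costs one directory removal rather than an image restore.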

Claims (5)

1. A method for realizing fast sandbox recovery based on a file system filter driver, which uses a sandbox virtual machine to detect suspicious files submitted by an external task scheduler, characterized in that the method specifically comprises the following steps:
Step A: the operating system in the sandbox virtual machine and the external task scheduler establish a suspicious file detection task submission interface using an agreed network communication mode; the external task scheduler is the program that controls sandbox virtual machine recovery, submits suspicious files and analyses suspicious file behaviour information;
Step B: a monitoring driver is registered in the operating system of the sandbox virtual machine; it redirects the file operations and registry operations of a specified process ID and all of its child processes;
the monitoring driver is a program written under Windows using a file system filter driver framework to implement file redirection and registry redirection; that is, the monitoring driver is a Windows driver based on the operating system's file system filter driver mechanism;
Step C: after the operating system of the sandbox virtual machine receives a suspicious file detection task, it executes the suspicious file in a suspended state, injects the monitoring program to capture the behaviour information of the suspicious file, and passes the process ID to the monitoring driver for file and registry redirection; the monitoring program can be injected into the process space of the program and obtains by hooking the operating system API functions called by the suspicious file and their parameters as behaviour information;
Step D: after the suspicious file has finished running, the virtual machine operating system returns the captured behaviour information to the external task scheduler and quickly recovers the sandbox environment, ready to receive the next suspicious file detection task.
2. The method for realizing fast sandbox recovery based on a file system filter driver according to claim 1, characterized in that the monitoring driver redirects the file operations of the specified process in the following way:
the monitoring driver is inserted into the message chain of the Windows I/O manager in the sandbox virtual machine; it intercepts all I/O request packets of the specified process concerning operations such as file creation, reading and writing, and redirects the file data produced by the specified process.
3. The method for realizing fast sandbox recovery based on a file system filter driver according to claim 1, characterized in that the monitoring driver redirects the registry of the specified process using either the framework callback mechanism or API hooking, specifically as follows:
when the monitoring driver is initialized, a file in HIVE format is first created and then mounted into the registry; the monitoring driver is then registered in the sandbox virtual machine operating system environment, and after initialization completes a randomly generated redirect file directory is created and a random redirect registry path is initialized.
4. The method for realizing fast sandbox recovery based on a file system filter driver according to claim 1, characterized in that step C specifically comprises the following processes:
Process C1: the operating system in the sandbox virtual machine receives the suspicious file to be detected from the task scheduler;
Process C2: the operating system in the sandbox virtual machine executes the suspicious file in a suspended state and passes the process ID corresponding to the suspicious file to the monitoring driver registered in step B; the monitoring driver redirects the file and registry operations of the process corresponding to the suspicious file;
Process C3: the monitoring program is injected into the process space corresponding to the suspicious file, ready to monitor its behaviour information;
Process C4: the suspended process of the suspicious file is resumed, starting the detection task; the monitoring program continuously captures the behaviour information of the suspicious file, which includes the operating system API functions it calls and their parameters.
5. The method for realizing fast sandbox recovery based on a file system filter driver according to claim 1, characterized in that step D specifically comprises the following processes:
Process D1: after the suspicious file has finished running, or after the time a non-PE file has been open exceeds the preset detection time, monitoring of the suspicious file is terminated;
Process D2: the operating system of the sandbox virtual machine returns the behaviour information captured by the monitoring program to the external task scheduler; the external task scheduler filters the received behaviour information further, captures and analyses the malicious behaviour in it, and finally decides whether the detected suspicious file is malicious;
Process D3: the information in the redirect directory and the redirect registry path is cleared, restoring the sandbox virtual machine to the state it was in just after image restore.

Application and publication data

Application CN201510141931.8A, filed 2015-03-27 (priority date 2015-03-27), "A kind of method that the fast quick-recovery of sandbox is realized based on file system filter driver"; granted as CN104766007B (status: Active). Family ID 53647829.

Publications (2)
CN104766007A, published 2015-07-08
CN104766007B, published 2017-07-21

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
CN106709330A (en) * 2016-07-29 2017-05-24 腾讯科技(深圳)有限公司 Method and device for recording file execution behavior
CN107171894A (en) * 2017-06-15 2017-09-15 北京奇虎科技有限公司 The method of terminal device, distributed high in the clouds detecting system and pattern detection
CN107609396A (en) * 2017-09-22 2018-01-19 杭州安恒信息技术有限公司 A kind of escape detection method based on sandbox virtual machine
CN107832105A (en) * 2017-11-24 2018-03-23 南昌黑鲨科技有限公司 A kind of application program launching method, starter and computer-readable recording medium
CN107992355A (en) * 2017-12-21 2018-05-04 中兴通讯股份有限公司 A kind of method, apparatus and virtual machine of application deployment software
CN108334773A (en) * 2017-09-11 2018-07-27 北京安天网络安全技术有限公司 A kind of method and apparatus for the different branches executing file detection behavior
CN108830077A (en) * 2018-06-14 2018-11-16 腾讯科技(深圳)有限公司 A kind of script detection method, device and terminal
CN109472133A (en) * 2017-12-01 2019-03-15 北京安天网络安全技术有限公司 A kind of sandbox monitoring method and device
CN109800577A (en) * 2018-12-29 2019-05-24 360企业安全技术(珠海)有限公司 A kind of method and device of identification escape security monitoring behavior
CN112379973A (en) * 2020-12-01 2021-02-19 腾讯科技(深圳)有限公司 Heavy loading method and device
CN113064877A (en) * 2021-03-26 2021-07-02 山东英信计算机技术有限公司 Big data interaction method and system for multi-level management unit of server
WO2022247300A1 (en) * 2021-05-26 2022-12-01 荣耀终端有限公司 Sandbox initialization method, graphical interface and related apparatus

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1845120A (en) * 2006-05-16 2006-10-11 北京启明星辰信息技术有限公司 Automatic analysis system and method for malicious code
CN102314561A (en) * 2010-07-01 2012-01-11 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
US20120079594A1 (en) * 2010-09-27 2012-03-29 Hyun Cheol Jeong Malware auto-analysis system and method using kernel callback mechanism
CN103365758A (en) * 2013-08-05 2013-10-23 北京搜狐新媒体信息技术有限公司 Process monitoring method and system in virtualization environment
CN103902903A (en) * 2013-11-12 2014-07-02 国家计算机网络与信息安全管理中心 Malicious code analyzing method and system based on dynamic sandbox environment
CN104200161A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1845120A (en) * 2006-05-16 2006-10-11 北京启明星辰信息技术有限公司 Automatic analysis system and method for malicious code
CN102314561A (en) * 2010-07-01 2012-01-11 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
US20120079594A1 (en) * 2010-09-27 2012-03-29 Hyun Cheol Jeong Malware auto-analysis system and method using kernel callback mechanism
CN103365758A (en) * 2013-08-05 2013-10-23 北京搜狐新媒体信息技术有限公司 Process monitoring method and system in virtualization environment
CN103902903A (en) * 2013-11-12 2014-07-02 国家计算机网络与信息安全管理中心 Malicious code analyzing method and system based on dynamic sandbox environment
CN104200161A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
CN106709330A (en) * 2016-07-29 2017-05-24 腾讯科技(深圳)有限公司 Method and device for recording file execution behavior
CN106709330B (en) * 2016-07-29 2020-04-21 腾讯科技(深圳)有限公司 Method and device for recording file execution behaviors
CN107171894A (en) * 2017-06-15 2017-09-15 北京奇虎科技有限公司 Terminal device, distributed cloud detection system and sample detection method
CN108334773A (en) * 2017-09-11 2018-07-27 北京安天网络安全技术有限公司 Method and apparatus for executing different branches of file detection behaviour
CN107609396A (en) * 2017-09-22 2018-01-19 杭州安恒信息技术有限公司 Escape detection method based on a sandbox virtual machine
CN107609396B (en) * 2017-09-22 2020-06-23 杭州安恒信息技术股份有限公司 Escape detection method based on sandbox virtual machine
CN107832105A (en) * 2017-11-24 2018-03-23 南昌黑鲨科技有限公司 Application program launching method, launcher and computer-readable storage medium
CN109472133A (en) * 2017-12-01 2019-03-15 北京安天网络安全技术有限公司 Sandbox monitoring method and device
CN107992355A (en) * 2017-12-21 2018-05-04 中兴通讯股份有限公司 Method, apparatus and virtual machine for deploying application software
CN107992355B (en) * 2017-12-21 2021-07-13 中兴通讯股份有限公司 Method and device for deploying application software and virtual machine
CN108830077A (en) * 2018-06-14 2018-11-16 腾讯科技(深圳)有限公司 Script detection method, device and terminal
CN109800577A (en) * 2018-12-29 2019-05-24 360企业安全技术(珠海)有限公司 Method and device for identifying behaviour that escapes security monitoring
CN109800577B (en) * 2018-12-29 2020-10-16 360企业安全技术(珠海)有限公司 Method and device for identifying escape safety monitoring behavior
CN112379973A (en) * 2020-12-01 2021-02-19 腾讯科技(深圳)有限公司 Heavy loading method and device
CN112379973B (en) * 2020-12-01 2023-10-24 腾讯科技(深圳)有限公司 Heavy load method and device
CN113064877A (en) * 2021-03-26 2021-07-02 山东英信计算机技术有限公司 Big data interaction method and system for multi-level management unit of server
WO2022247300A1 (en) * 2021-05-26 2022-12-01 荣耀终端有限公司 Sandbox initialization method, graphical interface and related apparatus

Also Published As

Publication number Publication date
CN104766007B (en) 2017-07-21

Similar Documents

Publication Publication Date Title
CN104766007A (en) Method for quickly recovering sandbox based on file system filter driver
CN105117645A (en) Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
CN102314561B (en) Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
CN104200161B (en) Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method
CN104268055B (en) Method and device for monitoring program exceptions
CN101799751B (en) Method for building monitoring agent software of host machine
CN104461786B (en) The restoration methods of android system and the recovery system of android system
CN106502747A (en) Application upgrade method and mobile terminal
CN110391937B (en) Internet of things honey net system based on SOAP service simulation
CN107992407A (en) System and method using USB flash disk to android terminal equipment debugging
CN107273748A (en) Method for Android system vulnerability detection based on a vulnerability PoC
CN113867913A (en) Business request processing method, device, equipment and storage medium for microservice
CN101382904A (en) Method and system for implementing automatic installation of intelligent cipher key equipment
CN112528296B (en) Vulnerability detection method and device, storage medium and electronic equipment
CN109062590A (en) Method and system for online updating of a game SDK
CN104052769B (en) Method, device and system for updating resources contained in a mobile terminal application
CN104462943A (en) Non-intrusive performance monitoring device and method for service system
CN111651352B (en) Warehouse code merging method and device
US8813029B2 (en) Remote card content management using synchronous server-side scripting
CN105205398B (en) Packer detection method based on the dynamic behaviour of packed APK software
CN105426751A (en) Method and device for preventing system time from being tampered
CN104572428A (en) Complicated control testing method based on windows operating system
CN106843963A (en) Device and method for automatically deploying JAVA application programs on K-UX operating systems
CN109471776A (en) Ethernet-based log collection method for the VxWorks operating system
CN102968479A (en) Safety zone crossing database backup method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15

Patentee after: Hangzhou Annan information technology Limited by Share Ltd

Address before: Hangzhou City, Zhejiang province 310051 Binjiang District and Zhejiang road in the 15 storey building

Patentee before: Dbappsecurity Co.,ltd.

CP02 Change in the address of a patent holder

Address after: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Patentee after: Hangzhou Annan information technology Limited by Share Ltd

Address before: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15

Patentee before: Hangzhou Annan information technology Limited by Share Ltd
