CN105550573A - Bundled software interception method and apparatus - Google Patents

Publication number
CN105550573A
Authority
CN
China
Prior art keywords
software
file
installation procedure
characteristic information
strategy
Legal status
Granted
Application number
CN201510982443.XA
Other languages
Chinese (zh)
Other versions
CN105550573B (en)
Inventor
王亮
何博
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201510982443.XA
Publication of CN105550573A
Application granted
Publication of CN105550573B
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a bundled software interception method and apparatus. The apparatus comprises an acquisition unit used for acquiring feature information of a created file after an installation program creates the file in a hard disk, an identification unit used for identifying software to be installed by the installation program according to the feature information acquired by the acquisition unit, a judgment unit used for judging whether the software to be installed by the installation program, obtained by the identification unit is bundled software or not, and an execution unit used for executing a corresponding interception policy after the judgment unit judges that the software to be installed by the installation program is the bundled software. According to the bundled software interception method and apparatus, the problem that bundled software bypasses bundled software interception in a mode of hiding or replacing feature information of an installation package can be solved, so that the effectiveness of bundled software interception is greatly improved; and the bundled software can be prevented from bypassing the identification through disguising or hiding the feature information to a certain extent, so that the use security of a user terminal is further guaranteed.

Description

Method and apparatus for intercepting bundled software
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for intercepting bundled software.
Background
Promoting software by bundling has become a trend, and bundled applications now touch almost every aspect of everyday computer use, such as instant messaging, web browsing, web search, antivirus, audio and video playback, English-Chinese dictionaries, word processing and image processing. Some bundled software recommends installation to the user with a prompt, which some users can accept, but much bundled software is installed as a default plug-in or through unpredictable forced installation. This not only leads to repeated installation; a large amount of bundled software may also be installed on the user terminal when the user has no choice or is not even aware of it, consuming large amounts of storage and runtime resources and seriously degrading the performance of the user terminal. More dangerously, some bundled software is itself malicious: installed when the user has no choice or is unaware, it can crash the user terminal's system or leak the user's personal information, causing the user unforeseen economic loss.
To address this, some existing security software intercepts the installation of bundled software by identifying features of the software's installation package. However, more and more bundled software now hides or replaces the feature information of the installation package to get around this detection. For example, where security software identifies bundled software by the software name in the installation package, some bundled software erases the software name in the installation package, or passes itself off under the name of other trusted software, so that the security software fails to identify the bundled software and allows its installation.
Summary of the invention
To address the defects in the prior art, the present invention provides a method and apparatus for intercepting bundled software, which solve the problem of bundled software bypassing bundling interception by hiding or replacing the feature information of the installation package.
In a first aspect, the present invention provides an apparatus for intercepting bundled software, comprising:
an acquisition unit, configured to acquire feature information of a created file after an installation program creates the file on a hard disk;
an identification unit, configured to identify, according to the feature information acquired by the acquisition unit, the software that the installation program is to install;
a judgment unit, configured to judge whether the software to be installed by the installation program, as obtained by the identification unit, is bundled software;
an execution unit, configured to execute a corresponding interception policy after the judgment unit judges that the software to be installed by the installation program is bundled software.
Optionally, any one or more of the following are stored on a network server:
a first policy for determining the specific types of feature information of the created file;
a database for identifying, according to the feature information, the software that the installation program is to install;
a second policy for judging whether the software to be installed by the installation program is bundled software;
the interception policy.
Optionally, the execution unit comprises:
a monitoring module, configured to monitor the installation program to obtain description information of the current behavior of the installation program;
a matching module, configured to match the description information of the current behavior of the installation program, as obtained by the monitoring module, against the interception policy;
a processing module, configured to intercept or allow the current behavior of the installation program according to the matching result obtained by the matching module.
Optionally, the description information corresponding to allow handling in the interception policy includes any one or more of the following:
description information of an operation behavior performed as driven by the user;
description information of the behavior of a process that the user has added to a trust list;
description information of the behavior of sending a message to the user.
Optionally, the feature information includes any one or more of the following: file name; file extension; file size; file path; timestamp; file signature; file feature value.
In a second aspect, the present invention further provides a method for intercepting bundled software, comprising:
after an installation program creates a file on a hard disk, acquiring feature information of the created file;
identifying, according to the feature information, the software that the installation program is to install;
judging whether the software to be installed by the installation program is bundled software;
after judging that the software to be installed by the installation program is bundled software, executing a corresponding interception policy.
Optionally, any one or more of the following are stored on a network server:
a first policy for determining the specific types of feature information of the created file;
a database for identifying, according to the feature information, the software that the installation program is to install;
a second policy for judging whether the software to be installed by the installation program is bundled software;
the interception policy.
Optionally, executing the corresponding interception policy after judging that the software to be installed by the installation program is bundled software comprises:
monitoring the installation program to obtain description information of the current behavior of the installation program;
matching the description information of the current behavior of the installation program against the interception policy;
intercepting or allowing the current behavior of the installation program according to the matching result.
Optionally, the description information corresponding to allow handling in the interception policy includes any one or more of the following:
description information of an operation behavior performed as driven by the user;
description information of the behavior of a process that the user has added to a trust list;
description information of the behavior of sending a message to the user.
Optionally, the feature information includes any one or more of the following: file name; file extension; file size; file path; timestamp; file signature; file feature value.
As can be seen from the above technical solution, the present invention uses the feature information of the files that the installation program creates on disk to determine which software the installation program is actually installing or preparing to install. Therefore, no matter how the feature information of the software installation package is hidden or replaced, the present invention can accurately identify bundled software, which solves the prior-art problem of bundled software bypassing bundling interception by hiding or replacing the feature information of the installation package.
Compared with the installation-package features used in the prior art, the feature information of files used by the present invention is usually sufficiently stable; that is, bundled software can hardly change the feature information of its files in the course of promotion, for example the file directory name, the main program name, user-interface files, and key resource files that must be loaded. It can be seen that the present invention, by targeting the way bundled software is promoted, greatly improves the effectiveness of intercepting bundled software and can, to a certain extent, prevent bundled software from bypassing identification by disguising or hiding feature information, further ensuring the security of the user terminal in use.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the steps of a method for intercepting bundled software in one embodiment of the present invention;
Fig. 2 is a schematic flowchart of the steps of executing an interception policy in one embodiment of the present invention;
Fig. 3 is a structural block diagram of an apparatus for intercepting bundled software in one embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flowchart of the steps of a method for intercepting bundled software in one embodiment of the present invention. Referring to Fig. 1, the method comprises:
Step 101: after an installation program creates a file on a hard disk, acquire feature information of the created file;
Step 102: identify, according to the feature information, the software that the installation program is to install;
Step 103: judge whether the software to be installed by the installation program is bundled software;
Step 104: after judging that the software to be installed by the installation program is bundled software, execute a corresponding interception policy.
It can be understood that the method for intercepting bundled software of the present invention can be executed on any terminal device on which software can be installed, such as a personal computer (for example a desktop, notebook, tablet or all-in-one computer), smartphone, e-book reader, smart TV, digital photo frame or smart navigation device.
It can also be understood that the installation program is an application executed in the operating system of the terminal device. It may be an installation program for a specified target software (for example the installer of a certain player), an application with software installation functions such as a software manager, or any application that may carry a bundled-software risk and is designated by the user or by a preset security policy; the present invention does not limit this.
It can be seen that the embodiment of the present invention uses the feature information of the files that the installation program creates on disk to determine which software the installation program is actually installing or preparing to install. Therefore, no matter how the feature information of the software installation package is hidden or replaced, the embodiment can accurately identify bundled software, which solves the prior-art problem of bundled software bypassing bundling interception by hiding or replacing the feature information of the installation package.
Compared with the installation-package features used in the prior art, the feature information of files used by the embodiment of the present invention is usually sufficiently stable; that is, bundled software can hardly change the feature information of its files in the course of promotion, for example the file directory name, the main program name, user-interface files, and key resource files that must be loaded. It can be seen that the embodiment, by targeting the way bundled software is promoted, greatly improves the effectiveness of intercepting bundled software and can, to a certain extent, prevent bundled software from bypassing identification by disguising or hiding feature information, further ensuring the security of the user terminal in use.
Referring to Fig. 1, in the flow of the method for intercepting bundled software of the embodiment of the present invention:
In step 101, "creating a file on a hard disk" mainly involves file read/write operations on the hard disk (which belongs to the external storage of the terminal device), so this condition can be detected, for example, by monitoring calls to specified file read/write functions. Alternatively, monitoring the file entries in a file directory, or an equivalent approach, can be used to determine whether the installation program has created a file on the hard disk; the present invention does not limit this. After the installation program creates a file on the hard disk, the feature information of the created file can be acquired in response to this operation. The feature information of a file referred to here may include: file name, file extension, file size, file path, timestamp, file signature, file feature value, or any other attribute that can distinguish different files. Once the scope of the feature information has been determined, the required feature information can be obtained directly or indirectly. For example, this may include reading the file's name and extension directly, or calling a suitable tool to compute the file's MD5 value as its feature code. Because the feature information is mainly used to identify the software that the installation program is to install, the scope of feature information to be acquired can be determined according to the needs of identification.
In step 102, the software that the installation program is to install is derived from the feature information of the file acquired in step 101. For example, the feature information of the files created during and after the installation of each software can be recorded in a pre-built database in association with that software, and identification can then be implemented by looking up the file's feature information in this database. As another example, depending on the file type, data such as copyright information or a digital signature can be extracted based on the file's feature information, and information about the software that the file belongs to can be obtained from that data. The embodiment of the present invention does not limit the specific means of identification. Note that the identification result may be any information that can distinguish different software, including the software name in various forms, the publisher's company name, the main program file name, the signer, and so on. The identification result may be a single software or a class of software, and its specific form can be adjusted to suit the needs of the bundled-software judgment.
As a more specific example, the identification process may handle files by category according to file type and file directory, and may allow for cases where identification is not possible. For example, the file system operations of a conventional software installation program mainly include: writing documents under a cache directory; creating the software's installation directory; and writing the software's main files under the installation directory. Thus, when the installation program writes a file under the cache directory (that is, the file path in the feature information matches the characteristics of a cache folder), the lookup can be restricted to the document scope of the database to narrow the search; alternatively, when the created file is a dynamic link library, the software that the installation program is to install can be identified directly from the file's digital signature. When a file is written under the software's installation directory (that is, the file path in the feature information matches the characteristics of a software installation directory), the lookup can be restricted to the main-file scope of the database to narrow the search; alternatively, when the file name matches the characteristics of a main program file, the software can be identified directly from the file name. The feature information of a created file may also be too sparse to use for identification; in that case the file can simply be skipped, or its feature information can be added to a feature information set and used for identification together with the feature information of further files as they are added.
In step 103, whether the software to be installed by the installation program is bundled software can be judged according to a preset policy. This policy is mainly used to judge, from the identification result of step 102, whether the software to be installed is bundled software; it may come from user settings, from a locally stored default policy, or be delivered by the network server. For example, according to this policy the terminal device can obtain information on the software that the user knows about and has permitted the installation program to install, compare it with the identification result of step 102, and thereby determine whether the software to be installed is bundled software. The policy may also include judgment conditions set for different application scenarios, so that the judgment can take the installation program's environment information into account. Software judged not to be bundled software can be ignored.
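An added example, not code from the patent: a Python sketch of steps 101 to 103, covering the category-based identification (cache directory versus installation directory), the deferred feature information set for files that cannot be identified alone, and the bundled-software judgment against what the user permitted. The database contents, directory markers, product names and file events are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Set, Tuple


def md5_of(data: bytes) -> str:
    """File feature value, as in the MD5 example from step 101."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


@dataclass(frozen=True)
class FileFeature:
    path: str                      # full path of the file the installer created
    md5: str                       # file feature value
    signer: Optional[str] = None   # digital-signature subject, if the file is signed

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def extension(self) -> str:
        return PureWindowsPath(self.path).suffix.lower()


# Constructed identification database; every entry is a made-up placeholder.
CACHE_MARKERS = ("\\appdata\\local\\temp\\",)
INSTALL_MARKERS = ("\\program files\\", "\\program files (x86)\\")
DB = {
    "documents": {md5_of(b"constructed ExamplePlayer licence text"): "ExamplePlayer"},
    "main_files": {md5_of(b"constructed ExampleToolbar library"): "ExampleToolbar"},
    "signers": {"Example Media Ltd": "ExamplePlayer"},
    "main_programs": {"exampleplayer.exe": "ExamplePlayer"},
    # File names that identify a product only in combination.
    "name_sets": {frozenset({"tb_core.dat", "tb_ui.dat"}): "ExampleToolbar"},
}


class Identifier:
    """Step 102: map the features of created files to the software being installed."""

    def __init__(self, db: dict) -> None:
        self.db = db
        self.pending: List[FileFeature] = []   # features too weak on their own

    def identify(self, f: FileFeature) -> Optional[str]:
        path = f.path.lower()
        hit = None
        if any(m in path for m in CACHE_MARKERS):
            # Cache directory: a signed DLL is identified by its signer,
            # anything else is looked up in the document scope only.
            if f.extension == ".dll" and f.signer in self.db["signers"]:
                return self.db["signers"][f.signer]
            hit = self.db["documents"].get(f.md5)
        elif any(m in path for m in INSTALL_MARKERS):
            # Installation directory: main program by name, else main-file scope.
            if f.name in self.db["main_programs"]:
                return self.db["main_programs"][f.name]
            hit = self.db["main_files"].get(f.md5)
        if hit:
            return hit
        # Not identifiable yet: keep the features and retry on the accumulated set.
        self.pending.append(f)
        seen = {p.name for p in self.pending}
        for names, software in self.db["name_sets"].items():
            if names <= seen:
                self.pending = [p for p in self.pending if p.name not in names]
                return software
        return None


def is_bundled(software: Optional[str], permitted: Set[str]) -> bool:
    """Step 103: identified software that the user did not agree to install."""
    return software is not None and software not in permitted


def process_created_files(events: List[FileFeature],
                          permitted: Set[str]) -> List[Tuple[str, Optional[str], bool]]:
    identifier = Identifier(DB)
    verdicts = []
    for f in events:
        software = identifier.identify(f)
        verdicts.append((f.name, software, is_bundled(software, permitted)))
    return verdicts


# Constructed file-creation events from one run of a hypothetical ExamplePlayer installer.
SAMPLE_EVENTS = [
    FileFeature(r"C:\Users\u\AppData\Local\Temp\ep\codec.dll", md5_of(b"a"), "Example Media Ltd"),
    FileFeature(r"C:\Program Files\ExamplePlayer\exampleplayer.exe", md5_of(b"b")),
    FileFeature(r"C:\Program Files\Toolbar\tb_core.dat", md5_of(b"c")),
    FileFeature(r"C:\Program Files\Toolbar\tb_ui.dat", md5_of(b"d")),
]

if __name__ == "__main__":
    for row in process_created_files(SAMPLE_EVENTS, permitted={"ExamplePlayer"}):
        print(row)
```

The third event yields no verdict on its own; the toolbar is only identified once the fourth file joins the pending set, which is the deferred case the paragraph on sparse feature information describes.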
In step 104, following existing ways of handling bundled software, the bundled software that has been identified can be intercepted according to the corresponding interception policy. For example, if steps 102 and 103 determine that a media player being installed by the installation program is bundled software, the interception policy for that media player can be obtained, the installation program's operations associated with the media player can be intercepted according to that policy, and the parts already installed can be cleaned up. Alternatively, according to a general interception policy, the installation program's file writes into the media player's installation directory can be intercepted, and junk files can be cleaned up after the installation is complete.
As a specific example, step 104 (executing a corresponding interception policy after judging that the software to be installed by the installation program is bundled software) may comprise the following steps, as shown in Fig. 2:
Step 104a: monitor the installation program to obtain description information of the current behavior of the installation program;
Step 104b: match the description information of the current behavior of the installation program against the interception policy;
Step 104c: intercept or allow the current behavior of the installation program according to the matching result.
For example, when the installation program creates an installation process, creating the installation process is the installation program's current behavior. In step 104a, an API hook (hook API) can capture the call to the process-creation function CreateProcess and thereby obtain any one or more of: the version number of the installation process, the publisher company name of the installation file, the product name, the internal name, the signer, the signing date, the installation file size, the installation scope, the timestamp of the installation file, and the command-line information. In step 104b, the acquired description information can then be compared with the corresponding information in the interception policy to learn whether this installation process matches the characteristics of the bundled software determined in steps 102 and 103. If it matches, step 104c may include intercepting the creation of the installation process; if it does not, step 104c may include allowing the creation of the installation process. Because steps 102 and 103 have already determined the specific bundled software, its installation can be intercepted directly in blacklist mode, which effectively reduces the resource consumption of intercepting bundled software and improves interception accuracy.
However, the interception of bundled software described above sometimes affects the user's normal use. To address this, the description information corresponding to allow handling in the interception policy may include any one or more of the following:
description information of an operation behavior performed as driven by the user;
description information of the behavior of a process that the user has added to a trust list;
description information of the behavior of sending a message to the user.
On this basis, operation behaviors driven by the user, the behavior of processes that the user has added to the trust list, and the behavior of sending messages to the user can be exempted from interception, so as to avoid affecting the user's normal use.
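An added example, not code from the patent: a Python sketch of steps 104a to 104c in which the description information of each behavior is first checked against the three allow cases and then matched against the blacklist entry for the bundled software already identified. The field names, the two-field match threshold, the trust list and the sample behaviors are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Behavior:
    """Description information captured for one behavior of the installation program."""
    kind: str                   # "create_process", "write_file" or "show_message"
    actor: str                  # image name of the process performing the behavior
    target: str = ""            # file being launched or written
    publisher: str = ""
    product_name: str = ""
    signer: str = ""
    user_driven: bool = False   # set when the action follows explicit user input


@dataclass(frozen=True)
class InterceptionPolicy:
    """Blacklist entry for one bundled software identified in steps 102 and 103."""
    software: str
    fingerprint: Dict[str, str]   # description field -> expected value
    min_hits: int = 2             # assumption: require two agreeing fields


def match_fields(b: Behavior, policy: InterceptionPolicy) -> List[str]:
    """Step 104b: which description fields agree with the policy."""
    return sorted(k for k, v in policy.fingerprint.items()
                  if getattr(b, k, "").lower() == v.lower())


def decide(b: Behavior, policy: InterceptionPolicy,
           trust_list: Set[str]) -> Tuple[str, str]:
    """Step 104c: allow cases are evaluated before the blacklist match."""
    if b.user_driven:
        return "allow", "user-driven operation"
    if b.actor.lower() in trust_list:
        return "allow", "actor is on the user's trust list"
    if b.kind == "show_message":
        return "allow", "message shown to the user"
    hits = match_fields(b, policy)
    if len(hits) >= policy.min_hits:
        return "intercept", "matches %s on %s" % (policy.software, ", ".join(hits))
    return "allow", "no match"


# Constructed policy, trust list and behaviors (hypothetical names throughout).
POLICY = InterceptionPolicy(
    software="ExampleToolbar",
    fingerprint={"publisher": "Example Toolbar Inc",
                 "product_name": "ExampleToolbar",
                 "signer": "Example Toolbar Inc"},
)
TRUST_LIST = {"trustedupdater.exe"}
TOOLBAR = dict(target="tb_setup.exe", publisher="Example Toolbar Inc",
               signer="Example Toolbar Inc")   # product name erased by the bundler
SAMPLE_BEHAVIORS = [
    Behavior("create_process", "setup.exe", **TOOLBAR),
    Behavior("create_process", "setup.exe", user_driven=True, **TOOLBAR),
    Behavior("show_message", "setup.exe"),
    Behavior("create_process", "trustedupdater.exe", **TOOLBAR),
    Behavior("create_process", "setup.exe", target="player.exe",
             publisher="Example Media Ltd", product_name="ExamplePlayer"),
]


def evaluate(behaviors: List[Behavior]) -> List[Tuple[str, str]]:
    return [decide(b, POLICY, TRUST_LIST) for b in behaviors]


if __name__ == "__main__":
    for b, (action, reason) in zip(SAMPLE_BEHAVIORS, evaluate(SAMPLE_BEHAVIORS)):
        print(b.kind, b.actor, "->", action, "(" + reason + ")")
```

The first behavior is intercepted even though its product name is blank, because the publisher and signer still agree with the policy.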
In addition, in the flow of steps 101 to 104, any one or more of the following may be stored on the network server: the first policy for determining the specific types of feature information of the created file; the database for identifying, according to the feature information, the software that the installation program is to install; the second policy for judging whether the software to be installed by the installation program is bundled software; and the interception policy.
It can be understood that the first policy, the database, the second policy and the interception policy can all be built and maintained on the network server as a cloud service. This not only reduces the resources occupied on the terminal device, but also uses the network server's extensive information and computing power to ensure that the method is effective.
For example, on the network server the first policy can adjust the specific scope of the feature information and the frequency of acquisition according to the load that acquiring file feature information places on the operating system in different runtime environments, so that the collection of feature information suits the usage needs of the terminal device. On the network server the database can continuously collect and update the feature information of the files used in the installation of known software, so that the software an installation program is to install can be identified from file feature information more quickly and accurately.
Fig. 3 is a kind of structured flowchart tackling the device of bundled software in one embodiment of the invention.See Fig. 3, the device of this interception bundled software comprises:
Acquiring unit 31, for obtaining the characteristic information of the file be created after installation procedure creates file in a hard disk;
Recognition unit 32, for the software that installation procedure described in the characteristic information identification that obtains according to described acquiring unit 31 will be installed;
Judging unit 33, for judging whether the software that the installation procedure that described recognition unit 32 obtains will be installed is bundled software;
Performance element 34, after judging that at described judging unit 33 software that described installation procedure will install is as bundled software, performs and tackles strategy accordingly.
Wherein be understandable that, the device of interception bundled software of the present invention can be applied to any one terminal device, such as personal computer (as desktop computer, notebook computer, panel computer, all-in-one), smart mobile phone, e-book, intelligent television, digital album (digital photo frame), Intelligent navigator etc. any one can the equipment of mounting software.
It will also be appreciated that, above-mentioned installation procedure is the application program performed in the operating system of terminal device, it can be the installation procedure (installation procedure of such as certain player software) specifying target software, also can be the application program relating to software installation function of such as software house keeper one class, can also be the application program that may have bundled software risk that any one is specified by user or preset security strategy is specified, the present invention limit this.
It can be seen, the characteristic information of the file that the embodiment of the present invention adopts installation procedure to create in disk is in fact installing to judge installation procedure or is preparing the software of installation.Thus, no matter how the characteristic information of software installation kit is hidden or replaces, the embodiment of the present invention all can identify bundled software exactly, solves bundled software in prior art and adopts the mode of the characteristic information hiding or replace installation kit to walk around the problem of binding interception.
Compared to the feature of the installation kit used in prior art, the characteristic information of the file that the embodiment of the present invention adopts has sufficiently high stability usually, namely bundled software is difficult to the characteristic information changing its file in extension process, key resource file of such as file directory title, master routine title, user interface associated documents, required loading etc.Can find out, the embodiment of the present invention can promote the validity of interception bundled software greatly for the popularization characteristic of bundled software, and can prevent bundled software from passing through to pretend to a certain extent or hiding characteristic information walks around identification, ensure the use safety of user terminal further.
Regarding the acquiring unit 31: "creating a file on the hard disk" mainly involves file read and write operations on the hard disk (which belongs to the external storage of the terminal device), so this condition can be detected by, for example, monitoring calls to specified file read/write functions. Of course, monitoring the file entries in a file directory, or an equivalent approach, can also be used to determine whether the installation program has created a file on the hard disk; the present invention does not limit this. After the installation program creates a file on the hard disk, the characteristic information of the created file can be obtained in response to that operation. Here the characteristic information of a file may include the file name, extension, file size, file path, timestamp, file signature, file feature value, or any other attribute that can distinguish different files. Once the scope of the characteristic information has been determined, the required information can be obtained directly or indirectly: for example, by directly reading the file name and extension, or by calling a suitable tool to calculate the MD5 value of the file as its feature code. Because the characteristic information is mainly used to identify the software that the installation program is going to install, the scope of the characteristic information to be obtained can be set according to the needs of identification.
Regarding the recognition unit 32: its main function is to determine, based on the characteristic information of the file obtained by the acquiring unit 31, the software that the installation program is going to install. For example, the characteristic information of the files created during and after the installation of each software can be recorded in a pre-built database together with the corresponding software, and identification can then be performed by looking up the file's characteristic information in that database. As another example, data such as copyright information or a digital signature can be extracted from the file's characteristic information according to the file type, and these data yield information about the installed software that uses the file. The embodiment does not limit the specific means of identification. Note that the identification result may be any information that can distinguish different software, including a software name in any form, the publisher company name, the main program file name, the signer, and so on. The identification result may be a single software or a class of software, and its specific form can be adjusted to suit the needs of the bundled-software judgment.
As a more specific example, the identification can be handled separately by file type and file directory, and is allowed to fail for some files. For example, the file-system operations of a typical software installation program mainly consist of: writing documents to a cache directory; creating the software's installation directory; and writing the software's main files into the installation directory. Thus, when the installation program writes a file to the cache directory (that is, the file path in the characteristic information matches the features of a cache folder), the lookup can be restricted to the documents in the database to narrow the search, or, when the created file is a dynamic link library, the software to be installed can be identified directly from the file's digital signature. When a file is written to the software's installation directory (that is, the file path in the characteristic information matches the features of a software installation directory), the lookup can be restricted to the main files in the database to narrow the search, or, when the file name matches the features of a main program file, the software to be installed can be identified directly from the file name. Of course, the characteristic information of a created file may be too sparse to be used for identification; in that case the file can simply be skipped, or its characteristic information can be added to a set of characteristic information and used for identification together with that of further files once they have been added.
Regarding the judging unit 33: whether the software that the installation program is going to install is bundled software can be judged according to a preset strategy. This strategy is mainly used to judge, from the identification result obtained by the recognition unit 32, whether the software to be installed is bundled software; it may come from user settings, from a locally stored default strategy, or from delivery by the network server. For example, according to this strategy the terminal device can obtain information about the software that the user knows about and has permitted the installation program to install, compare it with the identification result obtained by the recognition unit 32, and thereby determine whether the software to be installed is bundled software. The strategy may also include judgment conditions set for different application scenarios, so that the judgment takes into account the environment information of the installation program. Software judged not to be bundled software can be ignored.
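The acquire, identify and judge steps described above can be sketched as follows. This is an added example, not code from the patent: the database contents, product names, signer, hashes and path markers are constructed, and the file-set fallback is one assumed way to realize the case where a file's characteristic information is held back until more files arrive.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

@dataclass(frozen=True)
class FileFeatures:
    """Characteristic information of one file created by the installation program."""
    path: str
    size: int
    md5: str
    signer: Optional[str] = None  # digital-signature subject, if the file is signed

# Constructed identification database; every product, signer and hash is made up.
BY_SIGNER = {"Example Toolbar Ltd": "ExampleToolbar"}   # signed DLLs in the cache
BY_CACHE_MD5 = {"b" * 32: "ExampleToolbar"}             # documents in the cache
BY_MAIN_PROGRAM = {"fastplayer.exe": "FastPlayer"}      # main program file names
BY_INSTALL_DIR = {"fastplayer": "FastPlayer", "extoolbar": "ExampleToolbar"}
BY_FILE_SET = {frozenset({"skin.dat", "lang.pak"}): "ShopHelper"}

# Assumed path features of cache folders and software installation directories.
CACHE_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

def classify_path(path: str) -> str:
    """Return 'cache', 'install' or 'other' from the file path alone."""
    lowered = path.lower()
    if any(marker in lowered for marker in CACHE_MARKERS):
        return "cache"
    if lowered.startswith(INSTALL_ROOTS):
        return "install"
    return "other"

def identify(f: FileFeatures) -> Optional[str]:
    """Identify the software a single created file belongs to, or None."""
    p = PureWindowsPath(f.path)
    kind = classify_path(f.path)
    if kind == "cache":
        # A signed DLL is identified by its signature; other files by hash lookup.
        if p.suffix.lower() == ".dll" and f.signer:
            return BY_SIGNER.get(f.signer)
        return BY_CACHE_MD5.get(f.md5)
    if kind == "install":
        # A main program file name identifies the software directly; otherwise
        # fall back to the top-level directory under the install root.
        name_hit = BY_MAIN_PROGRAM.get(p.name.lower())
        if name_hit or len(p.parts) < 4:
            return name_hit
        return BY_INSTALL_DIR.get(p.parts[2].lower())
    return None

@dataclass
class InstallSession:
    """Tracks one run of an installation program."""
    approved: frozenset  # software the user knows about and has permitted
    pending: set = field(default_factory=set)
    bundled: set = field(default_factory=set)

    def on_file_created(self, f: FileFeatures) -> Optional[str]:
        software = identify(f)
        if software is None:
            # Too little information: keep the name and retry with the whole set.
            self.pending.add(PureWindowsPath(f.path).name.lower())
            for names, candidate in BY_FILE_SET.items():
                if names <= self.pending:
                    software = candidate
                    self.pending -= names
                    break
        # Judgment: anything identified that the user did not permit is bundled.
        if software is not None and software not in self.approved:
            self.bundled.add(software)
        return software

def run_demo():
    """Replay constructed file-creation events for a FastPlayer installer."""
    temp = r"C:\Users\u\AppData\Local\Temp\is-A1"
    events = [
        FileFeatures(temp + r"\setup.tmp", 4096, "a" * 32),
        FileFeatures(r"C:\Program Files\FastPlayer\FastPlayer.exe", 901120, "c" * 32),
        FileFeatures(temp + r"\tbhelper.dll", 65536, "d" * 32, "Example Toolbar Ltd"),
        FileFeatures(r"C:\ProgramData\sh\skin.dat", 2048, "e" * 32),
        FileFeatures(r"C:\ProgramData\sh\lang.pak", 1024, "f" * 32),
    ]
    session = InstallSession(approved=frozenset({"FastPlayer"}))
    identified = [session.on_file_created(e) for e in events]
    return identified, session.bundled, session.pending
```

The unidentified `setup.tmp` stays in the pending set, while the two resource files only resolve to a product once both have been seen.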
Regarding the execution unit 34: specifically, the execution unit 34 can follow existing ways of handling bundled software and intercept the bundled software that has been determined, according to the corresponding interception strategy. For example, if the recognition unit 32 and the judging unit 33 determine that a media player being installed by the installation program is bundled software, the interception strategy for that media player can be obtained; according to it, the installation program's operations associated with the media player are intercepted and the parts already installed are cleaned up. Alternatively, according to a general interception strategy, the installation program's file writes into the media player's installation directory are intercepted, and junk files are cleaned up after the installation completes.
As a specific example, the execution unit 34 may comprise the following structures, which are not shown in the figures:
A monitoring module, configured to monitor the installation program to obtain a descriptor of the current behavior of the installation program;
A matching module, configured to match the descriptor of the current behavior of the installation program obtained by the monitoring module against the interception strategy;
A processing module, configured to intercept or allow the current behavior of the installation program according to the matching result obtained by the matching module.
For example, when the installation program creates an installation process, creating that process is the current behavior of the installation program. The monitoring module can then use a hook interface (hook API) to capture the call to the process-creation function CreateProcess, and thereby obtain any one or more of the following: the version number of the installation process, the publisher company name of the installation file, the product name, the internal name, the signer, the signing date, the installation file size, the installation limit, the timestamp of the installation file, and the command-line information. The matching module can then compare the obtained descriptor with the corresponding information in the interception strategy to learn whether the installation process matches the features of the bundled software determined by the recognition unit 32 and the judging unit 33. If it does, the processing module intercepts the process-creation behavior; if it does not, the processing module allows it. It will be understood that, because the recognition unit 32 and the judging unit 33 have already determined the specific bundled software, its installation can be intercepted directly in blacklist mode, which effectively reduces the resource consumption of intercepting bundled software and improves the accuracy of interception.
However, the interception operations described above sometimes affect the user's normal use. To address this, the descriptors in the interception strategy that correspond to allowed handling may include any one or more of the following:
The descriptor of an operation behavior performed under user drive;
The descriptor of the behavior of a process that the user has added to the trust list;
The descriptor of a behavior that sends a message to the user.
On this basis, operation behaviors performed under user drive, behaviors of processes that the user has added to the trust list, and behaviors that send a message to the user are not specially intercepted, so as to avoid affecting the user's normal use.
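The monitor, match and process flow of the execution unit, with the three allow exemptions checked before the blacklist, can be sketched as follows. This is an added example, not code from the patent: the descriptor fields, rule format, product names, signer and paths are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Behavior:
    """Descriptor of one behavior observed from the installation program."""
    action: str                    # "create_process", "write_file", "show_message"
    image_path: str                # file being launched or written
    company: Optional[str] = None
    product: Optional[str] = None
    signer: Optional[str] = None
    command_line: str = ""
    user_driven: bool = False      # triggered by an explicit user action

@dataclass(frozen=True)
class InterceptRule:
    """Blacklist entry for one software already judged to be bundled."""
    software: str
    fields: tuple                  # ((descriptor field, expected value), ...)
    cmdline_contains: tuple = ()   # every substring must appear

def rule_matches(rule: InterceptRule, b: Behavior) -> bool:
    """All listed fields must be present and equal, ignoring case."""
    if not rule.fields and not rule.cmdline_contains:
        return False               # an empty rule must never match everything
    for name, expected in rule.fields:
        actual = getattr(b, name)
        # A missing descriptor field is treated as "no match", not as a wildcard.
        if actual is None or actual.lower() != expected.lower():
            return False
    cmd = b.command_line.lower()
    return all(part.lower() in cmd for part in rule.cmdline_contains)

def decide(b: Behavior, rules, trusted_images) -> tuple:
    """Return (verdict, reason); exemptions are checked before the blacklist."""
    if b.user_driven:
        return "allow", "user-driven operation"
    if b.image_path.lower() in trusted_images:
        return "allow", "process in user trust list"
    if b.action == "show_message":
        return "allow", "message to user"
    for rule in rules:
        if rule_matches(rule, b):
            return "block", rule.software
    return "allow", "no rule matched"

def run_demo():
    """Replay constructed behaviors after two products were judged bundled."""
    rules = [
        InterceptRule("ExampleToolbar", (("signer", "Example Toolbar Ltd"),)),
        InterceptRule("ShopHelper", (("product", "ShopHelper"),), ("--quiet",)),
    ]
    trusted = {r"c:\tools\tbsetup.exe"}   # lower-cased paths the user trusts
    tb = r"C:\Users\u\AppData\Local\Temp\tbsetup.exe"
    sh = r"C:\Temp\sh.exe"
    signer = "Example Toolbar Ltd"
    events = [
        Behavior("create_process", tb, signer=signer, command_line="tbsetup.exe /S"),
        Behavior("create_process", tb, signer=signer, user_driven=True),
        Behavior("create_process", r"C:\Tools\tbsetup.exe", signer=signer),
        Behavior("show_message", tb, signer=signer),
        Behavior("create_process", sh, product="shophelper",
                 command_line="sh.exe --QUIET"),
        Behavior("create_process", sh, product="ShopHelper"),
        Behavior("create_process", r"C:\Temp\x.exe"),
    ]
    return [decide(e, rules, trusted) for e in events]
```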
In addition, in the flow of steps 101 to 104 above, any one or more of the following may be stored in the network server: a first strategy for determining the specific types of characteristic information of the created file; a database for identifying, from the characteristic information, the software that the installation program is going to install; a second strategy for judging whether the software that the installation program is going to install is bundled software; and the interception strategy.
It will be understood that the first strategy, the database, the second strategy and the interception strategy can all be built and maintained in the network server as a cloud service. This not only reduces the occupation of the terminal device's resources, but also uses the extensive information and computing power of the network server to ensure the effectiveness of the method.
For example, in the network server the first strategy can adjust the specific scope of the characteristic information and the frequency of acquisition according to the load that obtaining file characteristic information places on the operating system under different running environments, so that the collection of characteristic information suits the usage needs of the terminal device. The database in the network server can continuously collect and update the characteristic information of files used during the installation of known software, so that the software that the installation program is going to install can be identified from file characteristic information more quickly and accurately.
Numerous specific details are set forth in the specification of the present invention. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment may be combined into one module or unit or component, and may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a device for intercepting bundled software according to embodiments of the invention. The invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be equivalently replaced; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention, and should all be covered by the scope of the claims and the specification of the present invention.

Claims (10)

1. A device for intercepting bundled software, characterized by comprising:
An acquiring unit, configured to obtain the characteristic information of the created file after an installation program creates a file on the hard disk;
A recognition unit, configured to identify, according to the characteristic information obtained by the acquiring unit, the software that the installation program is going to install;
A judging unit, configured to judge whether the software that the installation program is going to install, as obtained by the recognition unit, is bundled software;
An execution unit, configured to execute the corresponding interception strategy after the judging unit judges that the software that the installation program is going to install is bundled software.
2. The device according to claim 1, characterized in that any one or more of the following are stored in the network server:
A first strategy for determining the specific types of characteristic information of the created file;
A database for identifying, according to the characteristic information, the software that the installation program is going to install;
A second strategy for judging whether the software that the installation program is going to install is bundled software;
The interception strategy.
3. The device according to claim 1, characterized in that the execution unit comprises:
A monitoring module, configured to monitor the installation program to obtain a descriptor of the current behavior of the installation program;
A matching module, configured to match the descriptor of the current behavior of the installation program obtained by the monitoring module against the interception strategy;
A processing module, configured to intercept or allow the current behavior of the installation program according to the matching result obtained by the matching module.
4. The device according to claim 1, characterized in that the descriptors in the interception strategy that correspond to allowed handling comprise any one or more of the following:
The descriptor of an operation behavior performed under user drive;
The descriptor of the behavior of a process that the user has added to the trust list;
The descriptor of a behavior that sends a message to the user.
5. The device according to claim 1, characterized in that the characteristic information comprises any one or more of the following: file name; extension; file size; file path; timestamp; file signature; file feature value.
6. A method for intercepting bundled software, characterized by comprising:
After an installation program creates a file on the hard disk, obtaining the characteristic information of the created file;
Identifying, according to the characteristic information, the software that the installation program is going to install;
Judging whether the software that the installation program is going to install is bundled software;
After judging that the software that the installation program is going to install is bundled software, executing the corresponding interception strategy.
7. The method according to claim 6, characterized in that any one or more of the following are stored in the network server:
A first strategy for determining the specific types of characteristic information of the created file;
A database for identifying, according to the characteristic information, the software that the installation program is going to install;
A second strategy for judging whether the software that the installation program is going to install is bundled software;
The interception strategy.
8. The method according to claim 6, characterized in that executing the corresponding interception strategy after judging that the software that the installation program is going to install is bundled software comprises:
Monitoring the installation program to obtain a descriptor of the current behavior of the installation program;
Matching the descriptor of the current behavior of the installation program against the interception strategy;
Intercepting or allowing the current behavior of the installation program according to the matching result.
9. The method according to claim 6, characterized in that the descriptors in the interception strategy that correspond to allowed handling comprise any one or more of the following:
The descriptor of an operation behavior performed under user drive;
The descriptor of the behavior of a process that the user has added to the trust list;
The descriptor of a behavior that sends a message to the user.
10. The method according to claim 6, characterized in that the characteristic information comprises any one or more of the following: file name; extension; file size; file path; timestamp; file signature; file feature value.
CN201510982443.XA 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software Active CN105550573B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510982443.XA CN105550573B (en) 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510982443.XA CN105550573B (en) 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software

Publications (2)

Publication Number Publication Date
CN105550573A true CN105550573A (en) 2016-05-04
CN105550573B CN105550573B (en) 2019-01-15

Family

ID=55829760

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510982443.XA Active CN105550573B (en) 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software

Country Status (1)

Country Link
CN (1) CN105550573B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106355079A (en) * 2016-08-18 2017-01-25 北京奇虎科技有限公司 Method and device for optimizing installation of application program and terminal
CN107766722A (en) * 2016-08-18 2018-03-06 北京搜狗科技发展有限公司 A kind of application software installation process method, apparatus and electronic equipment
CN108734006A (en) * 2018-05-25 2018-11-02 山东华软金盾软件股份有限公司 A method of disabling Windows installation procedures
CN110399721A (en) * 2018-12-28 2019-11-01 腾讯科技(深圳)有限公司 A kind of software identification method and server and client

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103646209A (en) * 2013-12-20 2014-03-19 北京奇虎科技有限公司 Cloud-security-based bundled software blocking method and device
CN104123489A (en) * 2014-07-02 2014-10-29 珠海市君天电子科技有限公司 Method and device for monitoring executable program
CN104660606A (en) * 2015-03-05 2015-05-27 中南大学 Method for remotely monitoring safety of application program
CN104850779A (en) * 2015-06-04 2015-08-19 北京奇虎科技有限公司 Safe application program installing method and safe application program installing device


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106355079A (en) * 2016-08-18 2017-01-25 北京奇虎科技有限公司 Method and device for optimizing installation of application program and terminal
CN107766722A (en) * 2016-08-18 2018-03-06 北京搜狗科技发展有限公司 A kind of application software installation process method, apparatus and electronic equipment
CN107766722B (en) * 2016-08-18 2022-06-24 北京搜狗科技发展有限公司 Application software installation processing method and device and electronic equipment
CN108734006A (en) * 2018-05-25 2018-11-02 山东华软金盾软件股份有限公司 A method of disabling Windows installation procedures
CN110399721A (en) * 2018-12-28 2019-11-01 腾讯科技(深圳)有限公司 A kind of software identification method and server and client

Also Published As

Publication number Publication date
CN105550573B (en) 2019-01-15


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220330

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: 360 Digital Security Technology Group Co., Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.