CN105550573B - Method and apparatus for intercepting bundled software - Google Patents

Publication number: CN105550573B
Authority: CN (China)
Prior art keywords: software; installation procedure; file; characteristic information; strategy
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201510982443.XA
Other languages: Chinese (zh)
Other versions: CN105550573A (en
Inventors: 王亮, 何博
Current Assignee: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd, with priority to CN201510982443.XA; published as CN105550573A; granted and published as CN105550573B.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Abstract

The present invention provides a method and apparatus for intercepting bundled software. The apparatus includes: an acquiring unit, configured to obtain the characteristic information of a created file after an installation program (installer) creates the file on a hard disk; a recognition unit, configured to identify, from the characteristic information obtained by the acquiring unit, the software the installer is to install; a judging unit, configured to judge whether the software identified by the recognition unit is bundled software; and an execution unit, configured to execute a corresponding interception strategy after the judging unit determines that the software to be installed is bundled software. On this basis, the invention solves the prior-art problem of bundled software evading bundle interception by hiding or replacing the characteristic information of the installation package, greatly improves the effectiveness of intercepting bundled software, and can to a certain extent prevent bundled software from evading identification by disguising or hiding characteristic information, further safeguarding the security of the user terminal.

Description

Method and apparatus for intercepting bundled software
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for intercepting bundled software.
Background
Promoting software by bundling has become a trend, and bundled applications touch almost every aspect of everyday computer use, for example instant messaging, web browsing, web search, antivirus, audio and video playback, English-Chinese dictionaries, word processing, and image processing. Although some bundled software recommends installation through a prompt message and is accepted by some users, much bundled software is installed as a default plug-in or through unpredictable forced installation. This not only leads to repeated installation; more likely, a large amount of bundled software is installed on the user terminal when the user has no choice or is not even aware of it, consuming large amounts of storage and computing resources and seriously degrading the performance of the user terminal. More dangerously, some bundled software is itself malicious; installed without the user's choice or even knowledge, it can cause the user terminal's system to break down or the user's personal information to leak, bringing the user unpredictable economic loss.
Some existing security software can intercept the installation of bundled software by identifying features of the software's installation package, but more and more bundled software now hides or replaces the characteristic information of the installation package to bypass this detection. For example, where security software identifies bundled software by the software name in the installation package, some bundled software erases the software name in the package, or installs under the name of other trusted software, so that the security software fails to recognize the bundled software and allows its installation behavior.
Summary of the invention
In view of the defects in the prior art, the present invention provides a method and apparatus for intercepting bundled software, which can solve the problem of bundled software evading bundle interception by hiding or replacing the characteristic information of the installation package.
In a first aspect, the present invention provides an apparatus for intercepting bundled software, comprising:
An acquiring unit, configured to obtain the characteristic information of a created file after an installer creates the file on a hard disk;
A recognition unit, configured to identify, from the characteristic information obtained by the acquiring unit, the software the installer is to install;
A judging unit, configured to judge whether the software to be installed, as identified by the recognition unit, is bundled software;
An execution unit, configured to execute a corresponding interception strategy after the judging unit determines that the software the installer is to install is bundled software.
Optionally, any one or more of the following are stored on a network server:
A first strategy for determining the specific types of characteristic information of the created file;
A database for identifying, from the characteristic information, the software the installer is to install;
A second strategy for judging whether the software the installer is to install is bundled software;
The interception strategy.
Optionally, the execution unit includes:
A monitoring module, configured to monitor the installer to obtain description information of the installer's current behavior;
A matching module, configured to match the description information of the installer's current behavior, obtained by the monitoring module, against the interception strategy;
A processing module, configured to intercept or release the installer's current behavior according to the matching result obtained by the matching module.
Optionally, the description information in the interception strategy that corresponds to release processing includes any one or more of the following:
Description information of operation behaviors triggered by the user;
Description information of behaviors of processes that the user has added to a trust list;
Description information of behaviors that send messages to the user.
Optionally, the characteristic information includes any one or more of the following: file name; file extension; file size; file path; timestamp; file signature; file feature value.
In a second aspect, the present invention also provides a method for intercepting bundled software, comprising:
After an installer creates a file on a hard disk, obtaining the characteristic information of the created file;
Identifying, from the characteristic information, the software the installer is to install;
Judging whether the software the installer is to install is bundled software;
After determining that the software the installer is to install is bundled software, executing a corresponding interception strategy.
Optionally, any one or more of the following are stored on a network server:
A first strategy for determining the specific types of characteristic information of the created file;
A database for identifying, from the characteristic information, the software the installer is to install;
A second strategy for judging whether the software the installer is to install is bundled software;
The interception strategy.
Optionally, executing the corresponding interception strategy after determining that the software the installer is to install is bundled software comprises:
Monitoring the installer to obtain description information of the installer's current behavior;
Matching the description information of the installer's current behavior against the interception strategy;
Intercepting or releasing the installer's current behavior according to the matching result.
Optionally, the description information in the interception strategy that corresponds to release processing includes any one or more of the following:
Description information of operation behaviors triggered by the user;
Description information of behaviors of processes that the user has added to a trust list;
Description information of behaviors that send messages to the user.
Optionally, the characteristic information includes any one or more of the following: file name; file extension; file size; file path; timestamp; file signature; file feature value.
As can be seen from the above technical solutions, the present invention uses the characteristic information of the files the installer creates on disk to determine what software the installer is actually installing or preparing to install. Thus, no matter how the characteristic information of the software installation package is hidden or replaced, the invention can accurately identify bundled software, solving the prior-art problem of bundled software evading bundle interception by hiding or replacing the characteristic information of the installation package.
Compared with the installation-package features used in the prior art, the characteristic information of files used by the present invention usually has sufficiently high stability; that is, bundled software can hardly change the characteristic information of its files during promotion, such as the file directory name, the main program name, user-interface files, and key resource files that must be loaded. The invention can therefore greatly improve the effectiveness of intercepting bundled software by targeting the way bundled software is promoted, and can to a certain extent prevent bundled software from evading identification by disguising or hiding characteristic information, further safeguarding the security of the user terminal.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the steps of a method for intercepting bundled software in one embodiment of the present invention;
Fig. 2 is a flow diagram of the steps of executing the interception strategy in one embodiment of the present invention;
Fig. 3 is a structural block diagram of an apparatus for intercepting bundled software in one embodiment of the present invention.
Specific embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flow diagram of the steps of a method for intercepting bundled software in one embodiment of the present invention. Referring to Fig. 1, the method comprises:
Step 101: after the installer creates a file on a hard disk, obtain the characteristic information of the created file;
Step 102: identify, from the characteristic information, the software the installer is to install;
Step 103: judge whether the software the installer is to install is bundled software;
Step 104: after determining that the software the installer is to install is bundled software, execute the corresponding interception strategy.
It should be understood that the method for intercepting bundled software of the present invention can be implemented on any terminal device on which software can be installed, such as a personal computer (desktop computer, laptop, tablet computer, all-in-one machine, etc.), smartphone, e-book reader, smart TV, digital photo frame, or smart navigator.
It should also be understood that the installer is an application program executed in the operating system of the terminal device. It may be the installer of a specific target software (such as the installer of a certain player), an application that provides software installation functions (such as a software manager), or any application that the user or a preset security strategy designates as possibly carrying a risk of bundled software; the present invention places no limitation on this.
It can be seen that the embodiment of the present invention uses the characteristic information of the files the installer creates on disk to determine what software the installer is actually installing or preparing to install. Thus, no matter how the characteristic information of the software installation package is hidden or replaced, the embodiment can accurately identify bundled software, solving the prior-art problem of bundled software evading bundle interception by hiding or replacing the characteristic information of the installation package.
Compared with the installation-package features used in the prior art, the characteristic information of files used by the embodiment of the present invention usually has sufficiently high stability; that is, bundled software can hardly change the characteristic information of its files during promotion, such as the file directory name, the main program name, user-interface files, and key resource files that must be loaded. The embodiment can therefore greatly improve the effectiveness of intercepting bundled software by targeting the way bundled software is promoted, and can to a certain extent prevent bundled software from evading identification by disguising or hiding characteristic information, further safeguarding the security of the user terminal.
Referring to Fig. 1, in the steps of the method for intercepting bundled software of the embodiment of the present invention:
In step 101 above, "creating a file on a hard disk" mainly involves file read/write operations on the hard disk (which is external storage of the terminal device), so whether this condition is met can be determined, for example, by monitoring calls to specified file read/write functions. Monitoring the file entries in a file directory, or an equivalent approach, can also be used to determine whether the installer has created a file on the hard disk; the present invention places no limitation on this. After the installer creates a file on the hard disk, the characteristic information of the created file can be obtained for that operation. The characteristic information of a file referred to here may include: file name, file extension, file size, file path, timestamp, file signature, file feature value, or any other attribute that can distinguish different files. Once the range covered by the characteristic information has been determined, the required characteristic information can be obtained directly or indirectly. For example, this may include directly reading the file name and extension of the file, and may also include calling a corresponding tool to compute the MD5 value of the file as its feature code. Since the characteristic information is mainly used to identify the software the installer is to install, the range of characteristic information to be obtained can be determined according to the needs of identification.
It should be understood that step 102 above is mainly the process of deriving, from the characteristic information of the files obtained in step 101, the software the installer is to install. For example, the characteristic information of the files created during and after the installation of each software can be recorded in a pre-established database in correspondence with the software being installed, and identification can then be carried out by looking up and matching the characteristic information of a file in that database. As another example, data such as copyright information or a digital signature can be extracted from the file, according to its file type and its characteristic information, and used to obtain information about the software whose installation the file belongs to. The embodiment of the present invention places no restriction on the specific means of identification. Note that the identification result can be any information that distinguishes different software, and may take various forms, including the software name, publishing company name, main program file name, signer, and so on. The identification result may be a single software or a class of software, and its specific form can be adjusted to suit the needs of the bundled-software judgment.
As a more specific example, the identification process can handle files by category according to file type and file directory, and allows for cases in which a file cannot be identified. For example, the file system operations of a regular software installer mainly include: writing files under the cache directory; creating the installation directory of the software; and writing the main body files of the software under that installation directory. Thus, when the installer writes a file under the cache directory (that is, the file path in the characteristic information matches the features of a cache folder), the lookup can be restricted to the database's records for such files to narrow the search scope; alternatively, when the file type of the created file is a dynamic link library, the software the installer is to install can be identified directly from the digital signature of the file. When a file is written under the installation directory of the software (that is, the file path in the characteristic information matches the features of a software installation directory), the lookup can be restricted to the database's records for main body files to narrow the search scope; alternatively, when the file matches the features of a main program file, the software the installer is to install can be identified directly from the file name. There may of course be cases in which a created file carries too little characteristic information to be used for identification; such a file can be skipped, or added to a set of characteristic information and used for identification later, once the characteristic information of more files has been added.
In step 103 above, whether the software the installer is to install is bundled software can be judged according to a preset strategy. The strategy is mainly used to determine, from the identification result of step 102, whether the software to be installed is bundled software; it may come from user settings, from a locally stored default strategy, or be issued by a network server. For example, according to the strategy, the terminal device can obtain information about the software that the user knows about and permits the installer to install, and compare it with the identification result of step 102 to determine whether the software to be installed is bundled software. The strategy may also include judgment conditions set for different application scenarios, so that the judgment is made according to the environment information of the installer. Software judged not to be bundled software can be disregarded.
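Steps 101 to 103 as an added Python example, not code from the patent: created files are classified by directory, identified by the direct shortcuts described above (DLL signature, main program file name) or by a narrowed database lookup, and files that say too little are accumulated until a set of them matches. The database contents, directory markers, software names and the `consented` set are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class FileFeatures:
    """Characteristic information of one file the installer created (step 101)."""
    path: str
    size: int
    md5: str
    signer: str | None = None  # signer taken from the file's digital signature


def features_of(path: str, content: bytes, signer: str | None = None) -> FileFeatures:
    """Collect features directly (path, size) and indirectly (MD5 as feature code)."""
    return FileFeatures(path, len(content), hashlib.md5(content).hexdigest(), signer)


# Constructed database; the page keeps the real one on a network server.
CACHE_FILE_MD5 = {hashlib.md5(b"toolbar-setup-stub").hexdigest(): "ExampleToolbar"}
BODY_FILE_MD5 = {hashlib.md5(b"player-core").hexdigest(): "ExamplePlayer"}
DLL_SIGNERS = {"Example Toolbar Inc": "ExampleToolbar"}
MAIN_PROGRAMS = {"exampleplayer.exe": "ExamplePlayer", "tbhelper.exe": "ExampleToolbar"}
# Software recognisable only from several files together (name -> required files).
FILE_SETS = {"ExampleSearchBar": {"sb_skin.dat", "sb_lang.pak"}}


def location(path: str) -> str:
    """Classify the path; the directory markers are assumptions for this example."""
    p = path.lower()
    if "\\temp\\" in p or "\\cache\\" in p:
        return "cache"
    if "\\program files" in p:
        return "install"
    return "other"


class Identifier:
    """Step 102: map created files to software, deferring files that say too little."""

    def __init__(self) -> None:
        self.pending: set[str] = set()  # names of files not identifiable alone

    def identify(self, f: FileFeatures) -> str | None:
        name = ntpath.basename(f.path).lower()
        ext = ntpath.splitext(name)[1]
        where = location(f.path)
        hit = None
        if where == "cache":
            # A signed DLL is identified directly from its signature; otherwise
            # only the cache-file part of the database is searched.
            if ext == ".dll" and f.signer:
                hit = DLL_SIGNERS.get(f.signer)
            hit = hit or CACHE_FILE_MD5.get(f.md5)
        elif where == "install":
            # A main program file is identified directly from its file name;
            # otherwise only the body-file part of the database is searched.
            hit = MAIN_PROGRAMS.get(name) or BODY_FILE_MD5.get(f.md5)
        if hit:
            return hit
        # Too little information: add to the set and retry with everything so far.
        self.pending.add(name)
        for software, required in FILE_SETS.items():
            if required <= self.pending:
                return software
        return None


def find_bundled(files: list[FileFeatures], consented: set[str]) -> list[str]:
    """Step 103: identified software the user did not agree to counts as bundled."""
    ident = Identifier()
    found = {s for s in map(ident.identify, files) if s}
    return sorted(found - consented)


# Constructed trace of files created by an installer the user ran for ExamplePlayer.
TRACE = [
    features_of(r"C:\Users\u\AppData\Local\Temp\setup1.tmp", b"toolbar-setup-stub"),
    features_of(r"C:\Program Files\ExamplePlayer\core.bin", b"player-core"),
    features_of(r"C:\Program Files\ExamplePlayer\ExamplePlayer.exe", b"x"),
    features_of(r"C:\Program Files\Common\sb_skin.dat", b"a"),
    features_of(r"C:\Program Files\Common\readme.txt", b"b"),
    features_of(r"C:\Program Files\Common\sb_lang.pak", b"c"),
]

if __name__ == "__main__":
    print(find_bundled(TRACE, consented={"ExamplePlayer"}))
```

Nothing in the decision reads the installation package's own metadata, which is the property the description relies on.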
In step 104 above, the bundled software that has been determined can be intercepted according to the corresponding interception strategy, with reference to existing ways of handling bundled software. For example, if steps 102 and 103 determine that a media player the installer is installing is bundled software, the interception strategy for that media player can be obtained, the installer's operations associated with the media player can be intercepted according to that strategy, and the part already installed can be cleaned up. Alternatively, according to a general interception strategy, the installer's file writes in the installation directory of the media player are intercepted, and junk files are cleaned up after installation completes.
As a specific example, step 104 above (executing the corresponding interception strategy after determining that the software the installer is to install is bundled software) may include the following steps, as shown in Fig. 2:
Step 104a: monitor the installer to obtain description information of the installer's current behavior;
Step 104b: match the description information of the installer's current behavior against the interception strategy;
Step 104c: intercept or release the installer's current behavior according to the matching result.
For example, when the installer creates an installation process, creating that process is the installer's current behavior. In step 104a, a hooked interface (hook API) can capture the function that creates the installation process (CreateProcess), and thereby obtain any one or more of: the version number of the installation process, the publishing company name of the installation file, product name, internal name, signer, signature date, installation file size, fitting limit, timestamp of the installation file, and command-line information. In step 104b, the description information so obtained can be compared with the corresponding information in the interception strategy to learn whether the installation process matches the features of the bundled software determined in steps 102 and 103. If it matches, step 104c may include intercepting the behavior of creating the installation process; if it does not match, step 104c may include releasing that behavior. Because steps 102 and 103 have already determined the specific bundled software, its installation can be intercepted directly in blacklist mode, which effectively reduces the resource consumption of intercepting bundled software and improves the accuracy of interception.
However, the above interception of bundled software can sometimes affect the user's normal use. To address this, the description information in the interception strategy that corresponds to release processing can include any one or more of the following:
Description information of operation behaviors triggered by the user;
Description information of behaviors of processes that the user has added to a trust list;
Description information of behaviors that send messages to the user.
On this basis, operation behaviors triggered by the user, behaviors of processes the user has added to the trust list, and behaviors that send messages to the user are not specially intercepted, so that the user's normal use is not affected.
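Steps 104a to 104c with the release rules above, as an added Python example that is not code from the patent: each behavior description is first checked against the release rules and only then against the blacklist for the identified bundled software. The field names, strategy contents, process names and the choice to evaluate release rules first are assumptions of this example.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Behaviour:
    """Description of one installer action, as a hook would report it (step 104a)."""
    kind: str                  # "create_process", "write_file" or "message_to_user"
    process: str               # image name of the acting process
    user_driven: bool = False  # True when a user action triggered the behaviour
    product_name: str = ""
    signer: str = ""
    target_path: str = ""      # file being written, for "write_file"


@dataclass
class InterceptStrategy:
    """Blacklist for one identified bundled program, plus the user's trust list."""
    product_names: set[str] = field(default_factory=set)
    signers: set[str] = field(default_factory=set)
    install_dirs: set[str] = field(default_factory=set)
    trusted_processes: set[str] = field(default_factory=set)


def _ci_in(value: str, values: set[str]) -> bool:
    """Case-insensitive membership; an empty description field never matches."""
    return bool(value) and value.lower() in {v.lower() for v in values}


def _inside(path: str, directory: str) -> bool:
    """True if path is the directory or lies below it, after normalising '..'."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p == d or p.startswith(d + "\\")


def is_released(b: Behaviour, s: InterceptStrategy) -> bool:
    """The three release cases: user-driven, trusted process, message to the user."""
    return (b.user_driven
            or _ci_in(b.process, s.trusted_processes)
            or b.kind == "message_to_user")


def matches_bundled(b: Behaviour, s: InterceptStrategy) -> bool:
    """Step 104b: compare the description with the bundled software's features."""
    if _ci_in(b.product_name, s.product_names) or _ci_in(b.signer, s.signers):
        return True
    return bool(b.target_path) and any(_inside(b.target_path, d) for d in s.install_dirs)


def decide(b: Behaviour, s: InterceptStrategy) -> str:
    """Step 104c: release rules win, then the blacklist; everything else passes."""
    if is_released(b, s):
        return "allow"
    return "intercept" if matches_bundled(b, s) else "allow"


def run(behaviours: list[Behaviour], s: InterceptStrategy) -> list[str]:
    return [decide(b, s) for b in behaviours]


# Constructed strategy and behaviour stream for a bundled "ExampleToolbar".
TB = r"C:\Program Files\ExampleToolbar"
STRATEGY = InterceptStrategy(
    product_names={"ExampleToolbar"}, signers={"Example Toolbar Inc"},
    install_dirs={TB}, trusted_processes={"TrustedUpdater.exe"})
EVENTS = [
    Behaviour("create_process", "setup.exe", product_name="exampletoolbar"),
    Behaviour("write_file", "setup.exe", target_path=TB + r"\tb.dll"),
    Behaviour("write_file", "setup.exe", target_path=TB + r"Notes\a.txt"),
    Behaviour("write_file", "setup.exe",
              target_path=r"C:\Program Files\ExamplePlayer\..\ExampleToolbar\x.dat"),
    Behaviour("create_process", "setup.exe", user_driven=True,
              product_name="ExampleToolbar"),
    Behaviour("write_file", "trustedupdater.exe", target_path=TB + r"\cfg.ini"),
    Behaviour("message_to_user", "setup.exe", product_name="ExampleToolbar"),
    Behaviour("create_process", "setup.exe", product_name="ExamplePlayer"),
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run(EVENTS, STRATEGY)):
        print(verdict, event.kind, event.product_name or event.target_path)
```

Because the release rules are checked first, the `user_driven` flag and the process identity must come from the monitor itself rather than from anything the installer supplies.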
In addition, in the process of steps 101 to 104 above, any one or more of the following can be stored on a network server: the first strategy for determining the specific types of characteristic information of the created file; the database for identifying, from the characteristic information, the software the installer is to install; the second strategy for judging whether the software the installer is to install is bundled software; and the interception strategy.
It should be understood that the first strategy, the database, the second strategy and the interception strategy can be established and maintained on a network server as a cloud service. This not only reduces the use of the terminal device's resources, but also uses the network server's powerful information collection and computing capabilities to ensure the effectiveness of the method.
For example, the network server can adjust the first strategy according to the load that obtaining file characteristic information places on the operating system in different running environments, tuning the specific range of characteristic information and the frequency of acquisition so that the collection of characteristic information suits the way the terminal device is used. The database on the network server can continuously collect and update the characteristic information of files used in the installation of known software, so that the software the installer is to install can be identified more quickly and accurately from the characteristic information of files.
Fig. 3 is a structural block diagram of an apparatus for intercepting bundled software in one embodiment of the present invention. Referring to Fig. 3, the apparatus for intercepting bundled software includes:
An acquiring unit 31, configured to obtain the characteristic information of a created file after an installer creates the file on a hard disk;
A recognition unit 32, configured to identify, from the characteristic information obtained by the acquiring unit 31, the software the installer is to install;
A judging unit 33, configured to judge whether the software to be installed, as identified by the recognition unit 32, is bundled software;
An execution unit 34, configured to execute a corresponding interception strategy after the judging unit 33 determines that the software the installer is to install is bundled software.
It should be understood that the apparatus for intercepting bundled software of the present invention can be applied to any terminal device on which software can be installed, such as a personal computer (desktop computer, laptop, tablet computer, all-in-one machine, etc.), smartphone, e-book reader, smart TV, digital photo frame, or smart navigator.
It should also be understood that the installer is an application program executed in the operating system of the terminal device. It may be the installer of a specific target software (such as the installer of a certain player), an application that provides software installation functions (such as a software manager), or any application that the user or a preset security strategy designates as possibly carrying a risk of bundled software; the present invention places no limitation on this.
It can be seen that the embodiment of the present invention uses the characteristic information of the files the installer creates on disk to determine what software the installer is actually installing or preparing to install. Thus, no matter how the characteristic information of the software installation package is hidden or replaced, the embodiment can accurately identify bundled software, solving the prior-art problem of bundled software evading bundle interception by hiding or replacing the characteristic information of the installation package.
Compared with the installation-package features used in the prior art, the characteristic information of files used by the embodiment of the present invention usually has sufficiently high stability; that is, bundled software can hardly change the characteristic information of its files during promotion, such as the file directory name, the main program name, user-interface files, and key resource files that must be loaded. The embodiment can therefore greatly improve the effectiveness of intercepting bundled software by targeting the way bundled software is promoted, and can to a certain extent prevent bundled software from evading identification by disguising or hiding characteristic information, further safeguarding the security of the user terminal.
Regarding the above-mentioned acquiring unit 31: "creating a file on the hard disk" mainly involves file read/write operations on the hard disk (which belongs to the external storage of the terminal device), so this condition can be determined, for example, by monitoring calls to specified file read/write functions. Of course, monitoring the file entries in a file directory, or an equivalent approach, may also be used to determine whether the installation program has created a file on the hard disk; the present invention places no limitation on this. After the installation program creates a file on the hard disk, the characteristic information of the created file can be obtained in response to this operation of the installation program. The characteristic information of a file referred to here may include: file name, file extension, file size, file path, timestamp, file signature, file feature value, or any other attribute that can distinguish different files. Once the scope covered by the characteristic information has been determined, the required characteristic information can be obtained directly or indirectly. For example, this may include directly reading the file name and extension of the file, or calling a corresponding tool to compute the MD5 value of the file as its feature code. Of course, since the characteristic information is mainly used to identify the software that the installation program is to install, the scope of the characteristic information to be obtained can be determined according to the needs of identification.
Regarding the above-mentioned recognition unit 32: the main function of this unit is to obtain, based on the file characteristic information obtained by acquiring unit 31, the software that the installation program is to install. For example, the characteristic information of the files created during and after the installation of each piece of software can be recorded in a pre-established database in correspondence with the software being installed, and identification can be implemented by looking up and matching the characteristic information of the file in this database. As another example, data such as copyright information or a digital signature can be extracted from the file according to its file type, based on the characteristic information of the file, and the information about the installed software that uses the file can be obtained from that data. In this regard, the embodiment of the present invention places no restriction on the specific means of identification. It should be noted that the identification result can be any information that can distinguish different software, and may include the software name in various forms, the publishing company name, the main program file name, the signer, and so on. Of course, the identification result may be a single piece of software or a class of software, and its specific form can be adjusted to suit the needs of the bundled-software judgment.
As a more specific example, the above identification process can handle files by category according to file type and file directory, and allows for cases in which identification is not possible. For example, the file-system operations of a conventional software installation program mainly include: writing data files under the cache directory; creating the installation directory of the software; and writing the main files of the software under the installation directory. Thus, when the installation program writes a file under the cache directory (i.e. the file path in the characteristic information matches the characteristics of a cache folder), the lookup and matching can be restricted to the data-file range of the database to narrow the search; alternatively, when the created file is a dynamic link library, the software that the installation program is to install can be identified directly from the digital signature of the file. When a file is written under the installation directory of the software (i.e. the file path in the characteristic information matches the characteristics of a software installation directory), the lookup and matching can be restricted to the main-file range of the database to narrow the search; alternatively, when the file has the characteristics of a main program file, the software can be identified directly from the file name. Of course, the characteristic information of a created file may be too sparse to be used for identification; in that case the file can simply be skipped, or its characteristic information can be added to a characteristic-information set and used for identification together once the characteristic information of more files has been added.
Regarding judging unit 33: whether the software that the installation program is to install is bundled software can be judged according to a preset strategy. The strategy is mainly used to determine, from the identification result obtained by recognition unit 32, whether the software to be installed is bundled software; it may come from user settings, from a locally stored default strategy, or be issued by a network server. For example, according to the strategy, the terminal device can obtain information on the software that the user knows about and permits this installation program to install, and compare it with the identification result obtained by recognition unit 32 to determine whether the software to be installed is bundled software. Of course, the strategy may also include judgment conditions set for different application scenarios, so that the judgment of whether the software is bundled software is made according to the environment information of the installation program. Software judged not to be bundled software can be left alone.
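The identification and judgment steps described above can be sketched as follows. This is an added example, not code from the patent: the database contents, product names, signer, hash, and the rule that a Temp folder is a cache directory and Program Files an installation directory are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class CreatedFile:
    """Characteristic information captured when the installer creates a file."""
    path: str
    size: int
    md5: Optional[str] = None     # feature code, if one was computed
    signer: Optional[str] = None  # digital-signature subject, if the file is signed


# Constructed database: every product name, signer and hash here is made up.
DATA_FILES = {"a" * 32: "ExamplePlayer"}                       # cache files, by MD5
MAIN_FILES = {("exampleplayer", "player.exe"): "ExamplePlayer",
              ("fasttoolbar", "ftb.exe"): "FastToolbar"}       # by (directory, name)
SIGNERS = {"FastToolbar Ltd": "FastToolbar"}                   # DLLs, by signer
FILE_SETS = {"CouponHelper": frozenset({"skin.dat", "lang.pak"})}  # weak features


def location(path: str) -> str:
    """Classify the target directory (assumed rule: Temp = cache, Program Files = install)."""
    parents = [p.lower() for p in PureWindowsPath(path).parent.parts]
    if "temp" in parents:
        return "cache"
    if any(p.startswith("program files") for p in parents):
        return "install"
    return "other"


class Recognizer:
    def __init__(self):
        self.pending = {}  # directory -> names of files too weak to identify alone

    def identify(self, f: CreatedFile) -> Optional[str]:
        path = PureWindowsPath(f.path)
        name, where = path.name.lower(), location(f.path)
        if where == "cache":
            if path.suffix.lower() == ".dll" and f.signer in SIGNERS:
                return SIGNERS[f.signer]        # DLL: identify by digital signature
            if f.md5 in DATA_FILES:
                return DATA_FILES[f.md5]        # search only the cache-file range
        elif where == "install":
            key = (path.parent.name.lower(), name)
            if key in MAIN_FILES:
                return MAIN_FILES[key]          # main program file: identify by name
        # Too little to go on: pool this file with others from the same directory.
        names = self.pending.setdefault(str(path.parent).lower(), set())
        names.add(name)
        for software, required in FILE_SETS.items():
            if required <= names:
                return software
        return None


def judge(events, permitted):
    """Map each identified software to 'permitted' or 'bundled' for this installer."""
    recognizer, verdicts = Recognizer(), {}
    for f in events:
        software = recognizer.identify(f)
        if software is not None:
            verdicts[software] = "permitted" if software in permitted else "bundled"
    return verdicts


# Constructed file-creation events from one run of a hypothetical ExamplePlayer installer.
EVENTS = [
    CreatedFile(r"C:\Users\u\AppData\Local\Temp\ep\res.bin", 4096, md5="a" * 32),
    CreatedFile(r"C:\Users\u\AppData\Local\Temp\ep\ftbhelp.dll", 20480,
                signer="FastToolbar Ltd"),
    CreatedFile(r"C:\Program Files\ExamplePlayer\player.exe", 901120),
    CreatedFile(r"C:\Program Files\Common Files\cpn\skin.dat", 512),
    CreatedFile(r"C:\Program Files\Common Files\cpn\lang.pak", 2048),
    CreatedFile(r"C:\Users\u\AppData\Local\Temp\ep\readme.txt", 120),
]

if __name__ == "__main__":
    for software, verdict in judge(EVENTS, permitted={"ExamplePlayer"}).items():
        print(f"{software}: {verdict}")
```

The two files under the hypothetical cpn directory cannot be identified one at a time; the second one completes the pooled set, which is the deferred case the description allows for.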
Regarding execution unit 34: specifically, execution unit 34 can follow existing ways of handling bundled software and intercept the bundled software that has been determined, according to the corresponding interception strategy. For example, if recognition unit 32 and judging unit 33 have determined that a media player installed by the installation program is bundled software, the interception strategy for that media player can be obtained, the operations of the installation program that are associated with the media player can be intercepted according to that strategy, and the parts already installed can be cleaned up. Alternatively, according to a general interception strategy, the file writes of the installation program into the installation directory of the media player are intercepted, and the leftover junk files are cleaned up after installation completes.
As a specific example, the execution unit 34 may specifically include the following structures, which are not shown in the figures:
A monitoring module, configured to monitor the installation program so as to obtain the description information of the current behavior of the installation program;
A matching module, configured to match the description information of the current behavior of the installation program, as obtained by the monitoring module, against the interception strategy;
A processing module, configured to intercept or release the current behavior of the installation program according to the matching result obtained by the matching module.
For example, when the installation program creates an installation process, creating the installation process is the current behavior of the installation program. At this point the monitoring module can use interface hooking (hook API) to capture the function creatproces that creates the installation process, and thereby obtain any one or more of the following: the version number of the installation process, the publishing company name of the installation file, the product name, the internal name, the signer, the signing date, the installation file size, the applicable scope, the timestamp of the installation file, and the command-line information. The matching module can then compare the obtained description information with the corresponding information in the interception strategy to learn whether the installation process matches the characteristics of the bundled software determined by recognition unit 32 and judging unit 33. If it matches, the processing module can intercept the behavior of creating the installation process; if it does not match, the processing module can release that behavior. It can be understood that, because recognition unit 32 and judging unit 33 have already determined the specific bundled software, the installation of that bundled software can be intercepted directly in blacklist fashion, which effectively reduces the resource consumption of intercepting bundled software and improves the accuracy of interception.
However, the above interception of bundled software can sometimes affect the user's normal use. To address this, the description information in the above interception strategy that corresponds to release handling may include any one or more of the following:
The description information of operation behaviors executed at the user's initiative;
The description information of the behaviors of processes that the user has added to the trust list;
The description information of behaviors that send a message to the user.
On this basis, operation behaviors executed at the user's initiative, the behaviors of processes that the user has added to the trust list, and behaviors that send a message to the user need not be given any special interception handling, so as to avoid affecting the user's normal use.
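The matching and processing modules, together with the three release cases listed above, can be sketched as follows. This is an added example, not code from the patent: the class and field names, the sample behaviors and the strategy contents are constructed, and checking the release cases before the blacklist match is this example's assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Behavior:
    """Description information reported by the monitoring module for one action."""
    action: str                                # "create_process", "write_file", "show_message"
    process: str                               # image name of the acting process
    attrs: dict = field(default_factory=dict)  # product name, signer, target path, ...
    user_driven: bool = False                  # set by the monitor, never by the monitored process


@dataclass
class InterceptStrategy:
    software: str                     # bundled software this strategy targets
    process_match: dict               # attributes that identify its installation process
    blocked_dirs: tuple               # its installation directories
    trusted: frozenset = frozenset()  # processes the user added to the trust list


def _norm(value) -> str:
    return str(value).strip().lower()


def matches(b: Behavior, s: InterceptStrategy) -> bool:
    """Matching module: compare the description information with the strategy."""
    if b.action == "create_process":
        return bool(s.process_match) and all(
            _norm(b.attrs.get(k, "")) == _norm(v) for k, v in s.process_match.items())
    if b.action == "write_file":
        target = _norm(b.attrs.get("path", ""))  # assumed already canonicalized
        # Compare whole path components so "FastToolbar2" does not match "FastToolbar".
        return any(target.startswith(_norm(d).rstrip("\\") + "\\") for d in s.blocked_dirs)
    return False


def decide(b: Behavior, s: InterceptStrategy):
    """Processing module: release cases are checked before the blacklist match."""
    if b.user_driven:
        return "release", "operation driven by the user"
    if _norm(b.process) in {_norm(p) for p in s.trusted}:
        return "release", "process on the user's trust list"
    if b.action == "show_message":
        return "release", "message sent to the user"
    if matches(b, s):
        return "intercept", "matches the strategy for " + s.software
    return "release", "no match"


def run(behaviors, s):
    return [decide(b, s)[0] for b in behaviors]


# Constructed strategy and behaviors; all names and paths are made up.
STRATEGY = InterceptStrategy(
    software="FastToolbar",
    process_match={"product_name": "FastToolbar", "signer": "FastToolbar Ltd"},
    blocked_dirs=(r"C:\Program Files\FastToolbar",),
    trusted=frozenset({"Backup.exe"}),
)
FTB = {"product_name": "FastToolbar", "signer": "fasttoolbar ltd"}
BEHAVIORS = [
    Behavior("create_process", "setup.exe", FTB),
    Behavior("write_file", "setup.exe", {"path": r"C:\Program Files\FastToolbar\ftb.exe"}),
    Behavior("write_file", "setup.exe", {"path": r"C:\Program Files\FastToolbar2\x.dll"}),
    Behavior("create_process", "explorer.exe", FTB, user_driven=True),
    Behavior("write_file", "backup.exe", {"path": r"C:\Program Files\FastToolbar\a.bak"}),
    Behavior("show_message", "setup.exe", {"text": "Installation complete"}),
    Behavior("create_process", "setup.exe",
             {"product_name": "ExamplePlayer", "signer": "Example Media"}),
]

if __name__ == "__main__":
    for b in BEHAVIORS:
        print(b.action, b.process, *decide(b, STRATEGY))
```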
In addition, in the process of the above steps 101 to 104, any one or more of the following may be stored in a network server: a first strategy for determining the specific types of the characteristic information of the created file; a database for identifying, according to the characteristic information, the software that the installation program is to install; a second strategy for judging whether the software that the installation program is to install is bundled software; the interception strategy.
It can be understood that the above first strategy, database, second strategy and interception strategy can be established and maintained in a network server by way of a cloud service, which not only reduces the occupation of the terminal device's resources but also makes use of the network server's powerful information-collection and computing capabilities to ensure the effectiveness of the above method.
For example, the above first strategy can adjust, in the network server, the specific scope of the characteristic information and the frequency of acquisition according to the load that obtaining file characteristic information places on the operating system under different running environments, so that the collection of characteristic information suits the usage needs of the terminal device. The above database can continuously collect and update, in the network server, the characteristic information of the files used in the installation process of known software, so that the software that the installation program is to install can be identified more quickly and accurately from the characteristic information of a file.
In the specification of the present invention, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment can be combined into one module or unit or component, and they can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of a device for intercepting bundled software according to an embodiment of the present invention. The present invention can also be implemented as a device or device program (for example, a computer program and a computer program product) for executing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words can be interpreted as names.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be equivalently replaced; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention, and they should all be covered by the scope of the claims and the specification of the present invention.

Claims (10)

1. A device for intercepting bundled software, characterized by comprising:
An acquiring unit, configured to, if it is determined by monitoring calls to specified file read/write functions or by monitoring the file entries in a file directory that an installation program has created a file on the hard disk, obtain the characteristic information of the created file after the installation program creates the file on the hard disk;
A recognition unit, configured to identify, according to the characteristic information obtained by the acquiring unit, the software that the installation program is to install;
A judging unit, configured to judge whether the software that the installation program is to install, as obtained by the recognition unit, is bundled software;
An execution unit, configured to execute the corresponding interception strategy after the judging unit determines that the software that the installation program is to install is bundled software.
2. The device according to claim 1, characterized in that any one or more of the following is stored in a network server:
A first strategy for determining the specific types of the characteristic information of the created file;
A database for identifying, according to the characteristic information, the software that the installation program is to install;
A second strategy for judging whether the software that the installation program is to install is bundled software;
The interception strategy.
3. The device according to claim 1, characterized in that the execution unit comprises:
A monitoring module, configured to monitor the installation program so as to obtain the description information of the current behavior of the installation program;
A matching module, configured to match the description information of the current behavior of the installation program, as obtained by the monitoring module, against the interception strategy;
A processing module, configured to intercept or release the current behavior of the installation program according to the matching result obtained by the matching module.
4. The device according to claim 1, characterized in that the description information in the interception strategy that corresponds to release handling includes any one or more of the following:
The description information of operation behaviors executed at the user's initiative;
The description information of the behaviors of processes that the user has added to the trust list;
The description information of behaviors that send a message to the user.
5. The device according to claim 1, characterized in that the characteristic information includes any one or more of the following: file name; file extension; file size; file path; timestamp; file signature; file feature value.
6. A method for intercepting bundled software, characterized by comprising:
If it is determined by monitoring calls to specified file read/write functions or by monitoring the file entries in a file directory that an installation program has created a file on the hard disk, obtaining the characteristic information of the created file after the installation program creates the file on the hard disk;
Identifying, according to the characteristic information, the software that the installation program is to install;
Judging whether the software that the installation program is to install is bundled software;
After determining that the software that the installation program is to install is bundled software, executing the corresponding interception strategy.
7. The method according to claim 6, characterized in that any one or more of the following is stored in a network server:
A first strategy for determining the specific types of the characteristic information of the created file;
A database for identifying, according to the characteristic information, the software that the installation program is to install;
A second strategy for judging whether the software that the installation program is to install is bundled software;
The interception strategy.
8. The method according to claim 6, characterized in that executing the corresponding interception strategy after determining that the software that the installation program is to install is bundled software comprises:
Monitoring the installation program so as to obtain the description information of the current behavior of the installation program;
Matching the description information of the current behavior of the installation program against the interception strategy;
Intercepting or releasing the current behavior of the installation program according to the matching result.
9. The method according to claim 6, characterized in that the description information in the interception strategy that corresponds to release handling includes any one or more of the following:
The description information of operation behaviors executed at the user's initiative;
The description information of the behaviors of processes that the user has added to the trust list;
The description information of behaviors that send a message to the user.
10. The method according to claim 6, characterized in that the characteristic information includes any one or more of the following: file name; file extension; file size; file path; timestamp; file signature; file feature value.
CN201510982443.XA 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software Active CN105550573B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510982443.XA CN105550573B (en) 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510982443.XA CN105550573B (en) 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software

Publications (2)

Publication Number Publication Date
CN105550573A CN105550573A (en) 2016-05-04
CN105550573B true CN105550573B (en) 2019-01-15

Family

ID=55829760

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510982443.XA Active CN105550573B (en) 2015-12-23 2015-12-23 The method and apparatus for intercepting bundled software

Country Status (1)

Country Link
CN (1) CN105550573B (en)

Also Published As

Publication number Publication date
CN105550573A (en) 2016-05-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220330

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: 360 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right