CN105608372A - Method and device for detecting application virus condition reported by antivirus software - Google Patents


Info

Publication number
CN105608372A
CN105608372A (application CN201610028702.XA; granted as CN105608372B)
Authority
CN
China
Prior art keywords
antivirus software
window
application
bullet
detected application
Prior art date
Legal status
Granted
Application number
CN201610028702.XA
Other languages
Chinese (zh)
Other versions
CN105608372B (en)
Inventor
肖娟
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201610028702.XA
Publication of CN105608372A
Application granted
Publication of CN105608372B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a method and device for detecting whether an application is flagged as a virus by antivirus software. The method executes the application under test in a popup detection environment and, according to popup configuration information, detects whether the antivirus software shows a popup window aimed at the application under test, or whether the files of the application under test are complete; based on the detection result it determines whether the application is flagged by the antivirus software. Because the application under test is executed in the popup detection environment, and both virus-report popups and the completeness of the application files are detected, the method and device approximate the real environment of a client on which antivirus software is installed and the application is run, and detect automatically and effectively whether the client application is flagged by antivirus software.

Description

Method and apparatus for detecting whether an application is flagged as a virus by antivirus software
[technical field]
The present invention relates to the field of computer technology, and in particular to a method and apparatus for detecting whether an application is flagged as a virus by antivirus software.
[background technology]
The Internet industry is a white-hot battlefield. A client application product is frequently flagged as a virus by some antivirus software, and once a client application has been flagged, users usually stop using it.
There are two situations in which a client application is flagged by antivirus software:
one is a malicious or mistaken report by the antivirus software, i.e. a false positive;
the other is that the developer, being unfamiliar with virus signatures, has written code that contains virus-like features.
In either case the client application is in fact harmless, so an antivirus product flagging a harmless client application damages the product's image and misleads users.
In the prior art, two methods are commonly used to check whether an application is flagged by antivirus software:
One is to query a dedicated virus-report website, whose checking principle is to submit the client application to a cloud scan. This method is simple, but its drawback is that it is not close to the user's real situation: a user generally installs a particular antivirus product, which then performs both local scanning and cloud scanning on the file;
The other is to install the antivirus software manually and then check by hand whether it shows a popup window. The drawback of this method is that it is time-consuming and cannot be used for long-term monitoring.
The prior art offers no way to detect automatically and effectively, under conditions close to the user's real situation, whether an application is flagged by antivirus software.
[summary of the invention]
The present invention provides a method and apparatus for detecting whether an application is flagged by antivirus software, in order to detect automatically and effectively whether an application is flagged by antivirus software.
The specific technical solution is as follows:
The present invention provides a method for detecting whether an application is flagged by antivirus software, the method comprising:
executing the application under test in a popup detection environment, and detecting, according to popup configuration information, whether the antivirus software shows a popup window aimed at the application under test, or detecting whether the files of the application under test are complete;
determining, based on the detection result, whether the application under test is flagged by the antivirus software.
According to a preferred embodiment of the present invention, the method further comprises: preparing the popup detection environment according to a list of antivirus software to be checked.
According to a preferred embodiment of the present invention, preparing the popup detection environment comprises:
installing and running antivirus software according to the list of antivirus software to be checked;
starting a detection process for antivirus popup windows.
According to a preferred embodiment of the present invention, the antivirus software list and the popup configuration information are obtained by a master detection device, which distributes each antivirus product together with its corresponding popup configuration information to slave detection devices;
the slave detection devices carry out the preparation of the detection environment and the detection.
According to a preferred embodiment of the present invention, the antivirus software list and the popup configuration information are maintained in the cloud and delivered to the master detection device.
According to a preferred embodiment of the present invention, detecting according to the popup configuration information whether the antivirus software shows a popup window aimed at the application comprises:
monitoring the function in the antivirus software that generates popup windows;
when that popup-generating function is called, determining whether the popup information generated in the function matches the popup configuration information;
if it matches, determining that a popup window aimed at the application exists.
According to a preferred embodiment of the present invention, detecting whether the files of the application under test are complete comprises:
obtaining a pre-generated file list of the application under test;
comparing that file list with the file list of the application under test in its installation directory;
if the comparison result is identical, determining that the files of the application under test are complete;
otherwise, the files of the application under test are incomplete.
According to a preferred embodiment of the present invention, if the detection result is that a popup aimed at the application under test exists, the application under test is determined to be flagged by the antivirus software;
if the detection result is no popup and the files of the application under test are complete, the application under test is determined not to be flagged by the antivirus software.
According to a preferred embodiment of the present invention, if the detection result is no popup and the files of the application under test are incomplete:
it is judged whether the popup configuration information has expired;
if it has expired, the application under test is determined to be flagged by the antivirus software;
if the popup configuration information has not expired, the application under test is determined not to be flagged by the antivirus software.
According to a preferred embodiment of the present invention, executing the application under test in the popup detection environment comprises: installing, uninstalling, upgrading and running the application under test in the popup detection environment.
The present invention also provides an apparatus for detecting whether an application is flagged by antivirus software, the apparatus comprising:
a detecting unit, for executing the application under test in a popup detection environment and detecting, according to popup configuration information, whether the antivirus software shows a popup window aimed at the application under test, or detecting whether the files of the application under test are complete;
a determining unit, for determining, based on the detection result, whether the application under test is flagged by the antivirus software.
According to a preferred embodiment of the present invention, the apparatus further comprises a preparatory unit located on the slave detection device, for preparing the popup detection environment according to the list of antivirus software to be checked.
According to a preferred embodiment of the present invention, the preparatory unit prepares the popup detection environment by performing the following operations:
installing and running antivirus software according to the list of antivirus software to be checked;
starting a detection process for antivirus popup windows.
According to a preferred embodiment of the present invention, the detecting unit and the determining unit are located on the slave detection device;
the apparatus further comprises an acquiring unit located on the master detection device, for obtaining the antivirus software list and the popup configuration information, and distributing each antivirus product together with its corresponding popup configuration information to the slave detection devices.
According to a preferred embodiment of the present invention, the antivirus software list and the popup configuration information are maintained in the cloud and delivered to the master detection device.
According to a preferred embodiment of the present invention, the detecting unit further comprises a popup detecting unit, for monitoring the function in the antivirus software that generates popup windows; when that popup-generating function is called, determining whether the popup information generated in the function matches the popup configuration information; and if it matches, determining that a popup window aimed at the application exists.
According to a preferred embodiment of the present invention, the detecting unit further comprises a file detecting unit, for obtaining a pre-generated file list of the application under test; comparing that file list with the file list of the application under test in its installation directory; if the comparison result is identical, determining that the files of the application under test are complete; and otherwise determining that the files are incomplete.
According to a preferred embodiment of the present invention, if the detection result is that a popup aimed at the application under test exists, the determining unit determines that the application under test is flagged by the antivirus software;
if the detection result is no popup and the files of the application under test are complete, the determining unit determines that the application under test is not flagged by the antivirus software.
According to a preferred embodiment of the present invention, if the detection result is no popup and the files of the application under test are incomplete,
the determining unit judges whether the popup configuration information has expired;
if it has expired, it determines that the application under test is flagged by the antivirus software;
if the popup configuration information has not expired, it determines that the application under test is not flagged by the antivirus software.
According to a preferred embodiment of the present invention, executing the application under test in the popup detection environment comprises: installing, uninstalling, upgrading and running the application under test in the popup detection environment.
As can be seen from the above technical solutions, by executing the application under test in a popup detection environment and detecting both virus-report popups and the integrity of the application files, the present invention approximates the real environment of a client on which antivirus software is installed and the application is run, and thus detects automatically and effectively whether the client application is flagged by antivirus software.
[brief description of the drawings]
Fig. 1 is a flow chart of a method for detecting whether an application is flagged by antivirus software, provided by embodiment one of the present invention;
Fig. 2 is a flow chart of a method for preparing the popup detection environment, provided by embodiment one of the present invention;
Fig. 3 is a schematic structural diagram of an apparatus for detecting whether an application is flagged by antivirus software, provided by embodiment two of the present invention.
[detailed description of the invention]
The present invention detects whether a client application is flagged by antivirus software from two aspects: first, detecting whether the antivirus software generates a popup window aimed at the application under test; and second, detecting whether files under the installation directory of the application under test have been deleted.
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
Embodiment one
Fig. 1 is a flow chart of a method for detecting whether an application is flagged by antivirus software, provided by embodiment one of the present invention. As shown in Fig. 1, the specific flow of the method comprises:
101. Prepare the popup detection environment according to the list of antivirus software to be checked.
This step mainly provides the detection environment used to detect whether the antivirus software shows a popup aimed at the application under test, and to detect whether files under the installation directory of the application have been deleted.
Fig. 2 is a flow chart of a method for preparing the popup detection environment, provided by embodiment one of the present invention. As shown in Fig. 2, preparing the popup detection environment can be further subdivided into the following steps:
1011. Maintain in the cloud the list of antivirus software to be checked and the popup configuration information of each antivirus product, and deliver them to the master detection device.
The antivirus software list records the antivirus products that may flag the client application under test.
Because there are many antivirus products, the top-ranked ones can be taken to generate the antivirus software list. The ranking may be produced by a professional institution sorting existing antivirus software by rules such as importance or prevalence, with the top-ranked products forming the list; alternatively, the development side of the application product can decide, according to actual needs, which antivirus software to monitor and detect.
Because antivirus popup windows can be divided into virus-report popups and non-virus-report popups, and a virus-report popup may concern any of several applications, this embodiment, in order to determine whether the antivirus software flags the application under test, uses the popup configuration information corresponding to each antivirus product to distinguish virus-report popups from non-virus-report popups, and to identify which application a popup is reporting on.
Specifically, the popup configuration information uniquely identifies the virus-report popup of an antivirus product. It includes the window title, class name, window handle and so on, so that the popup configuration information makes it possible to distinguish whether a generated popup is aimed at the application under test, and to determine that it is a virus-report popup rather than some other popup of the antivirus software.
In addition, because the popup identifiers of antivirus software may change, a method of maintaining an antivirus popup feature repository in the cloud can be adopted: the popup identifiers of each antivirus product are built into a feature database, and the popup configuration information is delivered to the master detection device (also called the Master device) when needed.
To allow flexible control of the list of antivirus software to be checked, the antivirus software list can likewise be maintained in the cloud, which delivers the list to the Master device.
1012. The master detection device obtains the antivirus software list and the popup configuration information, and distributes each antivirus product together with its corresponding popup configuration information to the slave detection devices.
In this step, the master detection device can schedule the slave detection devices (also called Slave devices), distributing the obtained antivirus software and popup configuration information to the Slave devices.
The master detection device can select one antivirus product from the antivirus software list and distribute it, with its corresponding popup configuration information, to one of several slave detection devices; it can then select another antivirus product from the list and distribute it, with its corresponding popup configuration information, to another slave detection device; and so on. The Master-Slave distributed architecture thus spreads the popup detection of the antivirus products in the list across multiple slave detection devices. Slave nodes can be added or removed easily, improving detection efficiency.
The master detection device either assigns an antivirus software ID to each slave detection device, which then obtains the antivirus software code by that ID, or distributes the antivirus software code directly to each slave detection device, so that each slave detection device obtains and runs the corresponding antivirus software.
1013. Prepare the popup detection environment.
In this step, preparing the popup detection environment can comprise:
installing and running antivirus software according to the list of antivirus software to be checked, i.e. the Master device uses the list to assign each Slave device the antivirus software it needs to check, and the Slave device installs and runs the antivirus software assigned to it;
the Slave device starting the detection process for antivirus popup windows.
102. Execute the application under test in the popup detection environment, and detect, according to the popup configuration information, whether the antivirus software shows a popup window aimed at the application under test, or detect whether the files of the application under test are complete.
Detecting according to the popup configuration information whether the antivirus software shows a popup aimed at the application under test can comprise the following flow:
The client application is executed on the Slave device; executing the application can include operations such as installing, uninstalling, upgrading and running. While the application executes, the function in the antivirus software that generates popup windows is monitored; when that popup-generating function is called, it is determined whether the popup information generated in the function matches the popup configuration information; if it matches, the application is determined to be flagged by the antivirus software.
Specifically, because the antivirus software has to call the popup-generating function whenever it generates a popup, continuously monitoring that function makes it possible to determine whether it is called, and if so to compare the generated popup information (title, class name, window handle, etc.) with the obtained popup configuration information; if they are identical, the antivirus software has shown a virus-report popup. The identifying information used here, such as title, class name and window handle, uniquely identifies a popup and is not easily changed.
If the comparison finds that the generated window title, handle or class name hits the antivirus popup configuration information, the application under test is determined to be flagged by the antivirus software.
The antivirus popup detection process can be used to monitor the popup-generating function in the antivirus software and to check whether the popup hits content in the popup configuration information; a hit indicates that the antivirus software has shown a virus-report popup for the client application under test.
Preferably, because antivirus software generally has a self-protection function and itself runs at the operating system's ring 0 layer, it has very high privilege and can access the data of all layers, whereas other drivers are at the ring 1 or ring 2 layers and each layer can only access data at its own layer or at layers of lower privilege. Therefore the antivirus popup detection process can be made to monitor at the operating system's ring 0 layer. A hook can be used to monitor the antivirus software's popup-generating function, so as to detect whether the generated popup matches the antivirus popup identifier (one of title, class name or handle), and thereby determine whether the antivirus software flags the client application under test.
By monitoring the popup function at the operating system's ring 0 layer, as soon as the antivirus software shows a popup to the client, that popup can be detected accurately and efficiently.
Because during antivirus detection only the client application is running, no other product is running, and the operating system itself is clean, a virus-report popup from the antivirus software is generally aimed at the client application currently being operated; of course, exceptions are possible. To guard against such exceptions, when a popup hits content in the popup configuration information, a screenshot of the popup can be taken and saved to a designated location on the slave detection device. The purpose of the antivirus popup screenshot is that the Master can send it by mail to project team members, who manually check once more whether the popup is aimed at the client application under test. The screenshot can be taken by recording the position of the window.
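The matching step described above, as an added example that is not code from the patent: popup events as a hook on the popup-generating function would report them are compared with popup configuration entries (window class name plus a title pattern), non-report popups and popups about other applications are rejected, and each hit is recorded with the placeholder path the slave would save its screenshot to. The product name "ExampleAV", its configuration entries, the window events and the application name are all constructed.

```python
# Added example, not code from the patent: matching popup windows generated by
# antivirus software against popup configuration information (window class
# name and title). Configuration entries, window events, the application name
# and the screenshot directory are constructed sample values.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PopupConfig:
    av_name: str          # antivirus product the entry belongs to
    class_name: str       # window class name of the popup
    title_pattern: str    # regular expression the window title must match
    report_virus: bool    # True for a virus-report popup, False for other popups


@dataclass(frozen=True)
class PopupEvent:
    """What the hook sees when the popup-generating function is called."""
    title: str
    class_name: str
    handle: int           # per-instance window handle; recorded, not matched on


# Constructed configuration for a fictitious product "ExampleAV".
POPUP_CONFIG = [
    PopupConfig("ExampleAV", "ExampleAV_AlertWnd", r"Threat detected: .+", True),
    PopupConfig("ExampleAV", "ExampleAV_NoticeWnd", r"Update available.*", False),
]


def match_popup(event, config, app_name):
    """Return the config entry hit by `event` if it is a virus-report popup whose
    title names `app_name`; otherwise None. Class name and title are the stable
    identifiers; the handle differs for every window instance."""
    for entry in config:
        if not entry.report_virus or entry.class_name != event.class_name:
            continue
        if re.fullmatch(entry.title_pattern, event.title) is None:
            continue
        if app_name.lower() in event.title.lower():
            return entry
    return None


def detect_report_popups(events, config, app_name, screenshot_dir="/slave/screens"):
    """Run every hooked popup event through the matcher and record each hit
    together with the placeholder path the slave would save a screenshot to."""
    hits = []
    for ev in events:
        entry = match_popup(ev, config, app_name)
        if entry is None:
            continue
        hits.append({
            "av": entry.av_name,
            "title": ev.title,
            "handle": ev.handle,
            "screenshot": f"{screenshot_dir}/{entry.av_name}_{ev.handle:08x}.png",
        })
    return hits


# Constructed window events as the hook would report them.
SAMPLE_EVENTS = [
    PopupEvent("Threat detected: demo_app.exe", "ExampleAV_AlertWnd", 0x1A2B),
    PopupEvent("Update available for ExampleAV", "ExampleAV_NoticeWnd", 0x3C4D),
    PopupEvent("Threat detected: other_tool.exe", "ExampleAV_AlertWnd", 0x5E6F),
]

if __name__ == "__main__":
    for hit in detect_report_popups(SAMPLE_EVENTS, POPUP_CONFIG, "demo_app.exe"):
        print(hit)
```

Only the first event is a hit: the second is a non-report popup and the third reports on a different application, which is the distinction the popup configuration information exists to make. The window handle is kept with the hit so the screenshot can be tied to the exact window, but it is not used as a matching key because it changes with every window instance.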
Detecting whether the files of the application are complete can comprise the following flow:
obtain the pre-generated file list of the application under test; compare it with the file list of the application under test in its installation directory; if the comparison result is identical, the files of the application under test are complete; otherwise the files of the application under test are incomplete.
The file list of the application under test in the installation directory can be taken from the system registry: the slave detection device can obtain in advance, from outside, a complete file list of the application to be executed, and compare that pre-obtained list with the registry during execution, thereby checking whether the registry has been modified while the application under test performs its basic operations.
Detection of file completeness can be performed by the Slave device while the application performs its basic operations, detecting the application's behaviour during use; it can also be performed while the application is being installed, detecting the installation behaviour; and file integrity detection can also be performed on uninstall or upgrade operations.
In addition, the Slave device can automate the execution of the application's basic operations such as install, uninstall, upgrade and run; this automation can be implemented by writing code, or the basic operations can instead be completed manually.
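The file-completeness comparison above, as an added example that is not code from the patent: a pre-generated file list is compared with what is actually present under the installation directory, and the missing files (the ones an antivirus product would have deleted) are reported separately from extra files. The installation layout and the deleted file are constructed in a temporary directory; `strict` is an assumption of this example, offered because the text's "identical" comparison would also treat extra files as incomplete.

```python
# Added example, not code from the patent: checking file completeness by
# comparing a pre-generated file list with the installation directory. The
# sample installation and the deleted file are constructed in a temporary
# directory; relative paths are normalised to '/' separators.
import os
import tempfile


def snapshot_file_list(install_dir):
    """Return the set of files currently under install_dir, relative, '/'-separated."""
    present = set()
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), install_dir)
            present.add(rel.replace(os.sep, "/"))
    return present


def check_file_integrity(expected_files, install_dir, strict=False):
    """Compare the pre-generated list with the installation directory.

    Returns (complete, missing, extra). With strict=False the files count as
    complete when nothing from the expected list is missing, which is the case
    that matters for detecting deletion by antivirus software; strict=True
    requires the two lists to be identical, as the comparison is worded."""
    present = snapshot_file_list(install_dir)
    expected = set(expected_files)
    missing = sorted(expected - present)
    extra = sorted(present - expected)
    complete = not missing and (not extra or not strict)
    return complete, missing, extra


EXPECTED_FILES = ["bin/demo_app.exe", "bin/helper.dll", "data/config.ini"]  # constructed


def build_sample_install(install_dir, delete=()):
    """Lay out the constructed installation, then remove the given files,
    standing in for an antivirus product deleting them."""
    for rel in EXPECTED_FILES:
        path = os.path.join(install_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample content")
    for rel in delete:
        os.remove(os.path.join(install_dir, *rel.split("/")))


def demo(delete=("bin/demo_app.exe",)):
    """Build the sample install, delete `delete`, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp, delete)
        return check_file_integrity(EXPECTED_FILES, tmp)


if __name__ == "__main__":
    complete, missing, extra = demo()
    print("complete:", complete, "missing:", missing, "extra:", extra)
```

The same check can be run after each basic operation (install, run, upgrade, uninstall) by re-snapshotting the directory, which is how the text describes monitoring the whole execution rather than a single point in time.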
103. Determine, based on the detection result, whether the application under test is flagged by the antivirus software.
When detecting whether the application under test is flagged by antivirus software, at least the following detection results can be obtained: a popup aimed at the application under test exists; no popup but the application files are incomplete; no popup and the application files are complete.
For the first result, a popup aimed at the application under test, the application is determined to be flagged by the antivirus software regardless of whether its files are complete;
For the second result, no popup and the application files complete, the application is determined not to be flagged by the antivirus software.
For the third result, no popup but the application files incomplete, further judgement is needed.
Regarding the third result specifically: if the application files are incomplete but no popup appeared, it is possible that the antivirus software did flag the application under test but no popup was detected because the antivirus popup information had expired; it is also possible that the incomplete application files were not caused by the antivirus software flagging it at all. To distinguish these two situations, it is first judged whether the popup configuration information has expired: if it has expired, the application is determined to be flagged by the antivirus software; if the popup configuration information has not expired, the application under test is determined not to be flagged by the antivirus software.
The popup configuration information expires when the antivirus software's popup configuration has changed, so that the popup is no longer detected: once the popup configuration has changed, if the title, handle, class name and so on no longer hit, the antivirus popup can no longer be monitored.
For the problem that popup configuration information may change, the following two approaches can be adopted:
First, if files under the installation directory are found to be deleted but no popup appeared, the antivirus popup configuration is considered to have possibly expired; this information is reported to the server, which checks whether the popup configuration information of that antivirus product has expired and, if so, updates the antivirus popup configuration information in the cloud.
Second, periodically check whether the popup configuration information of each antivirus product is still in effect.
By automatically reporting information about changes to antivirus popups and by checking periodically, the popup configuration information of the antivirus popups maintained in the cloud can be kept from expiring.
If it is determined by the above means that the popup configuration information has not expired but the whole execution of the application under test has not yet finished, for example the application under test has been monitored during installation and running but other operations such as upgrade and uninstall have not yet been performed, the antivirus popup detection process can continue to run, monitoring the other basic operations the application under test performs, so as to fully monitor whether the application may be flagged by antivirus software at any point in its whole execution.
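The decision rules of step 103, as an added example that is not code from the patent: the three detection results are mapped to a verdict, the "no popup but files incomplete" case is resolved by asking whether the popup configuration has expired, and the per-operation results of install, run, upgrade and uninstall are combined so that monitoring covers the whole execution. `PopupConfigRegistry` is a constructed stand-in for the server-side expiry check and cloud update the text describes, and the per-operation results are constructed.

```python
# Added example, not code from the patent: the decision rules of step 103,
# including the popup-configuration expiry check and the continuation across
# all basic operations. The registry of expired configurations and the
# per-operation detection results are constructed sample data.
from enum import Enum


class Verdict(Enum):
    FLAGGED = "flagged by antivirus software"
    NOT_FLAGGED = "not flagged by antivirus software"


class PopupConfigRegistry:
    """Constructed stand-in for the server-side check of whether a product's
    popup configuration has expired; a real check would probe the product."""

    def __init__(self, expired):
        self._expired = set(expired)
        self.reported = []          # products reported to the server as suspect

    def report_suspect(self, av_name):
        """Slave reports 'files deleted, no popup'; server answers whether expired."""
        self.reported.append(av_name)
        return av_name in self._expired

    def refresh(self, av_name):
        """Cloud updates the product's configuration, so it is no longer expired."""
        self._expired.discard(av_name)


def decide(av_name, popup_hit, files_complete, registry):
    """Apply the three-way decision of step 103 to one detection result."""
    if popup_hit:
        return Verdict.FLAGGED, "popup aimed at the application"
    if files_complete:
        return Verdict.NOT_FLAGGED, "no popup and files complete"
    # No popup but files incomplete: ask the server whether the popup
    # configuration expired, i.e. whether a popup could have been missed.
    if registry.report_suspect(av_name):
        return Verdict.FLAGGED, "files deleted and popup configuration expired"
    return Verdict.NOT_FLAGGED, "files deleted but popup configuration still valid"


def decide_sequence(av_name, results, registry):
    """results: list of (operation, popup_hit, files_complete), one entry per
    basic operation. Monitoring continues through every operation, and the
    application is flagged if any single operation is."""
    per_op = {}
    for operation, popup_hit, files_complete in results:
        per_op[operation] = decide(av_name, popup_hit, files_complete, registry)
    flagged = any(v is Verdict.FLAGGED for v, _ in per_op.values())
    return (Verdict.FLAGGED if flagged else Verdict.NOT_FLAGGED), per_op


# Constructed results for one slave running the product "ExampleAV".
SAMPLE_RESULTS = [
    ("install", False, True),
    ("run", False, True),
    ("upgrade", False, False),   # files went missing but no popup was seen
    ("uninstall", False, True),
]

if __name__ == "__main__":
    reg = PopupConfigRegistry(expired={"ExampleAV"})
    print(decide_sequence("ExampleAV", SAMPLE_RESULTS, reg))
```

In the constructed run the upgrade step loses files without a popup; because the registry says the product's configuration has expired, that step is resolved as flagged, and the overall verdict follows. After `refresh` the same result would resolve as not flagged, which is the behaviour the two-approach update scheme relies on.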
104. The master detection device aggregates and outputs the detection results.
In this step, after the Slave device has checked whether there is an antivirus popup screenshot and whether the files under the installation directory are complete, it returns the results to the Master device, which merges the results and outputs them.
The results can be delivered to the relevant testers, for example by e-mail.
After receiving the mail, the tester can manually re-examine the popup screenshot to analyse the flagging of the client application, or check whether files were deleted by the specified antivirus software; after manually screening the detection results, other personnel, such as the project team, can be notified to handle the false-positive event.
Embodiment bis-,
Fig. 3 for the embodiment of the present invention two provide a kind of detect application by the apparatus structure of antivirus software report poisonSchematic diagram. As shown in Figure 3, this device can comprise the detecting unit being arranged at from checkout equipment 2022022 and determining unit 2023, wherein detecting unit 2022 may further include and plays window detecting unit2022A or file detecting unit 2022B, should can also comprise and be arranged at it from checkout equipment 202 in additionIn preparatory unit 2021; This device can also comprise the acquiring unit that is arranged at main checkout equipment 2012011, in addition, main checkout equipment 201 can also comprise the result generation unit 2012 being arranged at wherein.This device is described in detail as follows:
Main checkout equipment 201, needs the antivirus software list detecting to distributing from checkout equipment for foundationNeed the antivirus software detecting, and for gathering and output detections result.
Main checkout equipment 201 comprises the acquiring unit 2011 being arranged at wherein, soft for obtaining described virus killingPart list and bullet window configuration information, and antivirus software and the bullet window configuration information corresponding with antivirus software are dividedIssue from checkout equipment 202.
Wherein, can safeguard and need the antivirus software list of inspection and the bullet window of antivirus software by high in the cloudsConfiguration information is also handed down to main checkout equipment 201.
Particularly, in this antivirus software list, having recorded may be to detected client application report poisonAntivirus software.
Can get the forward antivirus software of rank and generate antivirus software list, this rank can be by specialtyMechanism sorts according to the rule of importance degree or conventional degree etc. to existing antivirus software, thereby usesThe forward antivirus software of rank becomes list next life, or also can pass through the application and development of Application and Development productEnd is determined which antivirus software is monitored and detected according to actual needs.
With each antivirus software respectively corresponding bullet window configuration information can be used for distinguishing report poison and play window and non-reportPoison plays window, and bullet window is reported the concrete application of poison.
This bullet window configuration information unique identification the report poison of this antivirus software play window, the bullet window of antivirus softwareConfiguration information comprises window title, class name, window handle etc.
Main checkout equipment 201 (or claiming Master equipment) can be dispatched from checkout equipment and (or claim SlaveEquipment), the antivirus software being obtained by acquiring unit 2011 and bullet window configuration information are distributed to SlaveEquipment.
Main checkout equipment 201 can be selected an antivirus software from antivirus software list, and by this virus killingSoftware and the bullet window configuration information corresponding with it are distributed to multiple from checkout equipment one, and canFrom antivirus software list, select another antivirus software, and by this another antivirus software and corresponding with itBullet window configuration information distribute to another from checkout equipment, thereby, can utilize Master-SlaveBy virus killing, antivirus software in soft list disperses to play window to multiple from checkout equipment distributed structure/architectureDetect, can increase and decrease easily Slave node, improve detection efficiency.
Main checkout equipment by for each from checkout equipment distribute antivirus software ID, by from checkout equipment foundationID obtains the mode of antivirus software code, or directly distributes antivirus software code to each from checkout equipmentMode, make to obtain and carry out corresponding antivirus software from checkout equipment.
The slave detection device 202 executes the application under test in the popup detection environment, detects according to the popup configuration information whether the antivirus software shows a popup for the application under test, or detects whether the files of the application under test are complete, and determines from the detection result whether the application under test is flagged as malicious by the antivirus software.
The slave detection device further comprises a preparatory unit 2021 for preparing the popup detection environment.
Specifically, the preparatory unit can prepare the popup detection environment by performing the following operations:
installing and running the antivirus software according to the list of antivirus software to be detected;
starting the detection process for the antivirus popup.
The master detection device 201 further comprises a result generation unit 2012 for merging and outputting the detection results on whether the application is flagged as malicious by the antivirus software.
The slave detection device 202 further comprises a detecting unit 2022 for executing the application under test in the popup detection environment, and detecting according to the popup configuration information whether the antivirus software shows a popup for the application under test, or detecting whether the files of the application under test are complete.
The detecting unit 2022 comprises a popup detecting unit 2022A for detecting, according to the popup configuration information, whether the antivirus software shows a popup for the application under test; specifically:
The Slave device starts executing the client application; executing the application may comprise operations such as installation, uninstallation, upgrade and running. While the application executes, the popup detecting unit 2022A monitors the function in the antivirus software that generates popups; when the popup-generating function is called, it determines whether the popup information generated in the function matches the popup configuration information; if it matches, it determines that the application is flagged as malicious by the antivirus software.
Because the antivirus software must call the popup-generating function whenever it generates a popup, the popup detecting unit 2022A continuously monitors that function to determine whether it is called; if it is, the generated popup information (title, class name, window handle, etc.) is compared with the obtained popup configuration information, which reveals whether the antivirus software has shown a malware-alert popup. The identifying information here, that is the popup configuration information such as title, class name and window handle, uniquely identifies a popup and is not information that changes readily.
If the comparison finds that the generated window title, handle or class name hits the antivirus software's popup configuration information, the application under test is determined to be flagged as malicious by the antivirus software.
The popup detecting unit 2022A can use the antivirus popup detection process to monitor the popup-generating function in the antivirus software.
Preferably, the antivirus popup detection process monitors at ring 0 of the operating system, and a hook can be used to monitor the antivirus software's popup-generating function, so as to detect whether the generated popup matches the antivirus popup identifier (title, class name, handle).
After determining that the application is flagged as malicious by the antivirus software, the popup detecting unit 2022A can take a screenshot of the popup.
The slave detection device 202 further comprises a file detecting unit 2022B for detecting whether the files of the application are complete; specifically:
The file detecting unit 2022B can obtain a pre-generated file list of the application under test, compare that file list with the file list of the application under test in the installation directory, and determine that the files of the application under test are complete if the comparison results are identical, and incomplete otherwise.
The file list of the application under test in the installation directory can be taken from the system registry, and the slave detection device can obtain a complete file list of the executed application from an external source in advance.
Detecting whether the application's files are complete can be done by the Slave device while performing the application's basic operations, by examining the application's behaviour during use; it can also examine the installation behaviour while the application is being installed, and can also perform the file integrity check during application uninstallation or upgrade.
In addition, the Slave device can automate the basic operations of executing the application, such as installation, uninstallation, upgrade and running; this automation can be implemented by writing code, or the basic operations can be completed manually.
The slave detection device 202 comprises a determining unit 2023 for determining from the detection result whether the application under test is flagged as malicious by the antivirus software.
When detecting whether the application under test is flagged as malicious by the antivirus software, at least the following detection results are possible: a popup for the application under test is present; no popup but the application files are incomplete; no popup and the application files are complete.
The determining unit 2023 determines whether the application under test is flagged as malicious by the antivirus software as follows:
If the first detection result, a popup for the application under test, is obtained, the application is determined to be flagged as malicious by the antivirus software, regardless of whether the application files are complete;
If the second detection result, no popup and the application files are complete, is obtained, the application is determined not to be flagged as malicious by the antivirus software;
If the third detection result, no popup but the application files are incomplete, is obtained, further judgement is needed.
For the third case specifically: if the application files are detected to be incomplete but no popup was shown, it can further be judged whether the popup configuration information is stale; if it is stale, the application is determined to be flagged as malicious by the antivirus software; if the popup configuration information is not stale, the application under test is determined not to be flagged as malicious by the antivirus software.
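The slave-side logic described above (popup matching against the configuration, the file-list comparison, and the three-way determination, including the report that triggers a cloud-side configuration check), as an added example that is not the patent's own code. It assumes that a popup is matched on window title and class name, since a window handle only exists at runtime; the antivirus names, window names and file lists in the test are constructed sample data.

```python
"""Added example (not the patent's code): slave-side detection and determination
logic for 'is the application under test flagged as malicious by antivirus X'."""
from dataclasses import dataclass, field
from enum import Enum


@dataclass(frozen=True)
class PopupConfig:
    """Popup configuration information for one antivirus product: the fields
    that identify its malware-alert window (title and class name here)."""
    av_name: str
    title: str
    class_name: str


@dataclass(frozen=True)
class WindowInfo:
    """What the monitored popup-generating function was asked to create.
    Assumption: the handle is a runtime identifier and is not matched."""
    title: str
    class_name: str
    handle: int


class Verdict(Enum):
    FLAGGED = "flagged as malicious"
    NOT_FLAGGED = "not flagged"


@dataclass
class SlaveResult:
    """What a Slave device returns to the Master device for one antivirus."""
    av_name: str
    verdict: Verdict
    popup_seen: bool
    missing: set[str] = field(default_factory=set)
    report_config_check: bool = False  # ask the server to re-check the config


def popup_matches(window: WindowInfo, config: PopupConfig) -> bool:
    """Popup detecting unit: does the window being created hit the config?"""
    return window.title == config.title and window.class_name == config.class_name


def missing_files(expected: set[str], installed: set[str]) -> set[str]:
    """File detecting unit: pre-generated file list vs. installation directory.
    Empty result means the application's files are complete."""
    return expected - installed


def decide(popup_seen: bool, files_complete: bool, config_stale: bool) -> Verdict:
    """Determining unit, following the three detection results:
    1. popup present            -> flagged, whatever the file state
    2. no popup, files complete -> not flagged
    3. no popup, files missing  -> flagged only if the popup config is stale
       (the antivirus may have changed its popup without being noticed)."""
    if popup_seen:
        return Verdict.FLAGGED
    if files_complete:
        return Verdict.NOT_FLAGGED
    return Verdict.FLAGGED if config_stale else Verdict.NOT_FLAGGED


def run_slave(config: PopupConfig, observed_windows: list[WindowInfo],
              expected_files: set[str], installed_files: set[str],
              config_stale: bool = False) -> SlaveResult:
    """One Slave run: observed_windows are the calls seen on the popup-generating
    function while the application was installed, run, upgraded or uninstalled."""
    popup_seen = any(popup_matches(w, config) for w in observed_windows)
    missing = missing_files(expected_files, installed_files)
    verdict = decide(popup_seen, not missing, config_stale)
    # First stale-config approach from the text: files deleted but no popup,
    # so report to the server so the cloud-held config can be verified.
    report = (not popup_seen) and bool(missing)
    return SlaveResult(config.av_name, verdict, popup_seen, missing, report)


def summarize(results: list[SlaveResult]) -> dict[str, list[str]]:
    """Master device: merge the per-antivirus results from all Slaves."""
    return {
        "flagged_by": sorted(r.av_name for r in results if r.verdict is Verdict.FLAGGED),
        "config_check": sorted(r.av_name for r in results if r.report_config_check),
    }


if __name__ == "__main__":
    cfg = PopupConfig("SampleAV", "Threat detected", "SampleAVAlertWnd")  # constructed
    expected = {"app.exe", "helper.dll"}
    print(summarize([
        run_slave(cfg, [WindowInfo("Threat detected", "SampleAVAlertWnd", 0x1234)],
                  expected, {"app.exe"}),
        run_slave(PopupConfig("OtherAV", "Alert", "OtherAVWnd"), [], expected, {"app.exe"}),
    ]))
```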
The possibility that the popup configuration information becomes stale or changes can be handled in the following two ways:
First, if files under the installation directory are found to have been deleted but the antivirus software has not shown a popup, the antivirus popup configuration is assumed to have possibly become stale; the information is reported to the server, which checks whether this antivirus software's popup configuration information is stale and, if so, updates the antivirus popup configuration information held in the cloud.
Second, periodically check whether the antivirus software's popup configuration information is still in effect.
If the above approach determines that the popup configuration information is not stale but the execution flow of the application under test has not yet finished (for example, the application under test has been installed and run, but other operations such as upgrade or uninstall have not yet been performed), the antivirus popup detection process can continue to run and be used to monitor the other basic operations the application under test performs, so that the whole execution flow of the application under test is monitored for being flagged as malicious by the antivirus software.
Finally, after the Slave device 202 has checked whether there is an antivirus popup screenshot and whether the files in the installation directory are complete, it returns the results to the Master device 201, whose result generation unit 2012 merges the results and outputs them.
The results can be delivered to the relevant testers, for example by e-mail.
After receiving the mail, the tester can manually re-examine the popup screenshot to analyse the flagging of the client application, or check whether files were deleted by the specified antivirus software; after manually screening the detection results, other personnel, such as the project team, can be notified to handle the false-positive event.
In practice, testers and project team members can use this automated method of checking antivirus popups for daily testing, pre-release testing, daily monitoring and so on, to find out in time whether a client application is flagged as malicious by third-party antivirus software, and to handle it and stop the loss promptly.
By implementing the technical scheme of the present invention, whether antivirus software flags the application product under test as malicious can be detected automatically; the list of antivirus software to be checked is delivered under cloud control, detection is distributed and the results are then aggregated, so the antivirus software to be detected can be controlled flexibly and the detection time is shortened.
In the several embodiments provided by the present invention, it should be understood that the disclosed method and device can be implemented in other ways. For example, the device embodiments described above are only illustrative; the division of the units is only a division by logical function, and other divisions are possible in actual implementation.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, may exist physically as separate units, or two or more units may be integrated in one unit. The integrated unit may be implemented in hardware, or in hardware plus software functional units.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (20)

1. A method for detecting whether an application is flagged as malicious by antivirus software, characterised in that the method comprises:
executing an application under test in a popup detection environment, and detecting according to popup configuration information whether the antivirus software shows a popup for the application under test, or detecting whether the files of the application under test are complete;
determining from the detection result whether the application under test is flagged as malicious by the antivirus software.
2. The method according to claim 1, characterised in that the method further comprises: preparing the popup detection environment according to a list of antivirus software to be detected.
3. The method according to claim 2, characterised in that preparing the popup detection environment comprises:
installing and running the antivirus software according to the list of antivirus software to be detected;
starting a detection process for antivirus popups.
4. The method according to claim 2, characterised in that the antivirus software list and the popup configuration information are obtained by a master detection device, which distributes the antivirus software together with its corresponding popup configuration information to a slave detection device;
and the slave detection device performs the preparation of the detection environment and the detection.
5. The method according to claim 4, characterised in that the antivirus software list and the popup configuration information are maintained in the cloud and delivered to the master detection device.
6. The method according to claim 1, characterised in that detecting according to the popup configuration information whether the antivirus software shows a popup for the application comprises:
monitoring the function in the antivirus software that generates popups;
when the popup-generating function is called, determining whether the popup information generated in the function matches the popup configuration information;
if it matches, determining that there is a popup for the application.
7. The method according to claim 1, characterised in that detecting whether the files of the application under test are complete comprises:
obtaining a pre-generated file list of the application under test;
comparing the file list with the file list of the application under test in the installation directory;
if the comparison results are identical, determining that the files of the application under test are complete;
otherwise, determining that the files of the application under test are incomplete.
8. The method according to any one of claims 1-7, characterised in that:
if the detection result is that there is a popup for the application under test, the application under test is determined to be flagged as malicious by the antivirus software;
if the detection result is no popup and the files of the application under test are complete, the application under test is determined not to be flagged as malicious by the antivirus software.
9. The method according to any one of claims 1-7, characterised in that, if the detection result is no popup but the files of the application under test are incomplete:
judging whether the popup configuration information is stale;
if it is stale, determining that the application under test is flagged as malicious by the antivirus software;
if the popup configuration information is not stale, determining that the application under test is not flagged as malicious by the antivirus software.
10. The method according to any one of claims 1-6, characterised in that executing the application under test in the popup detection environment comprises: installing, uninstalling, upgrading and running the application under test in the popup detection environment.
11. A device for detecting whether an application is flagged as malicious by antivirus software, characterised in that the device comprises:
a detecting unit for executing an application under test in a popup detection environment, and detecting according to popup configuration information whether the antivirus software shows a popup for the application under test, or detecting whether the files of the application under test are complete;
a determining unit for determining from the detection result whether the application under test is flagged as malicious by the antivirus software.
12. The device according to claim 11, characterised in that the device further comprises a preparatory unit arranged in a slave detection device, for preparing the popup detection environment according to a list of antivirus software to be detected.
13. The device according to claim 12, characterised in that the preparatory unit prepares the popup detection environment by performing the following operations:
installing and running the antivirus software according to the list of antivirus software to be detected;
starting a detection process for antivirus popups.
14. The device according to claim 12, characterised in that the detecting unit and the determining unit are arranged in the slave detection device;
and the device further comprises an acquiring unit arranged in a master detection device, for obtaining the antivirus software list and the popup configuration information, and distributing the antivirus software together with its corresponding popup configuration information to the slave detection device.
15. The device according to claim 14, characterised in that the antivirus software list and the popup configuration information are maintained in the cloud and delivered to the master detection device.
16. The device according to claim 11, characterised in that the detecting unit further comprises a popup detecting unit for monitoring the function in the antivirus software that generates popups; when the popup-generating function is called, determining whether the popup information generated in the function matches the popup configuration information; and if it matches, determining that there is a popup for the application.
17. The device according to claim 11, characterised in that the detecting unit further comprises a file detecting unit for obtaining a pre-generated file list of the application under test; comparing the file list with the file list of the application under test in the installation directory; if the comparison results are identical, determining that the files of the application under test are complete; otherwise, determining that the files of the application under test are incomplete.
18. The device according to any one of claims 11-17, characterised in that:
if the detection result is that there is a popup for the application under test, the determining unit determines that the application under test is flagged as malicious by the antivirus software;
if the detection result is no popup and the files of the application under test are complete, the determining unit determines that the application under test is not flagged as malicious by the antivirus software.
19. The device according to any one of claims 11-17, characterised in that, if the detection result is no popup but the files of the application under test are incomplete,
the determining unit judges whether the popup configuration information is stale;
if it is stale, determines that the application under test is flagged as malicious by the antivirus software;
if the popup configuration information is not stale, determines that the application under test is not flagged as malicious by the antivirus software.
20. The device according to any one of claims 11-16, characterised in that executing the application under test in the popup detection environment comprises: installing, uninstalling, upgrading and running the application under test in the popup detection environment.
CN201610028702.XA 2016-01-15 2016-01-15 Method and device for detecting whether an application is flagged as malicious by antivirus software Active CN105608372B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610028702.XA CN105608372B (en) 2016-01-15 2016-01-15 Method and device for detecting whether an application is flagged as malicious by antivirus software

Publications (2)

Publication Number Publication Date
CN105608372A true CN105608372A (en) 2016-05-25
CN105608372B CN105608372B (en) 2019-07-23

Family

ID=55988300

Also Published As

Publication number Publication date
CN105608372B (en) 2019-07-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant