CN106407799A - Method and device for detecting installation of malicious file, terminal and server - Google Patents

Publication number: CN106407799A
Authority: CN (China)
Application number: CN201610950768.4A
Other languages: Chinese (zh)
Inventor: 袁国庆
Original assignee: 北京金山安全软件有限公司
Prior art keywords: file, terminal, characteristic, announcement information, malicious
Application filed by 北京金山安全软件有限公司
Priority to CN201610950768.4A
Publication of CN106407799A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis

Abstract

The invention discloses a method and device for detecting the installation of a malicious file, a terminal and a server. The method comprises the following steps: detecting whether a system file is currently being installed in the terminal; if so, extracting the file characteristics of the system file; sending the file characteristics of the system file to the server, wherein the server, on receiving the file characteristics, judges whether they are present in a pre-generated white list and generates first notification information when they are not present in the white list; receiving the first notification information fed back by the server; and judging that the system file is a malicious file according to the first notification information, and controlling the terminal to stop installing the system file. With this method, viruses released into the system can be discovered more promptly and accurately, which protects the economic interests of the user and the security of the user's private information, and the operation steps of the terminal can be simplified and the load on the terminal reduced.

Description

Method, device, terminal and server for detecting the installation of a malicious file
Technical field
The present invention relates to the technical field of software security, and more particularly to a method, a device, a terminal and a server for detecting the installation of a malicious file.
Background
In the long-running contest between the authors of viruses (that is, malicious files) and the authors of anti-virus software, virus authors try to keep their viruses from being deleted by security software (such as antivirus software). Some viruses exploit a vulnerability in the operating system to obtain its highest privilege and then release the virus file into the operating system so that it becomes a system file. The virus file then cannot easily be removed or identified, so it remains in the operating system for a long time, harming the user's economic interests and leaking the user's private information.
Summary of the invention
The present invention aims to solve at least one of the above technical problems, at least to some extent.
To this end, a first object of the present invention is to propose a method for detecting the installation of a malicious file. The method can discover viruses released into the system more promptly and accurately, protects the economic interests of the user and the security of the user's private information, and can simplify the operation steps of the terminal and reduce the load on the terminal.
A second object of the present invention is to propose another method for detecting the installation of a malicious file.
A third object of the present invention is to propose a device for detecting the installation of a malicious file.
A fourth object of the present invention is to propose another device for detecting the installation of a malicious file.
A fifth object of the present invention is to propose a terminal.
A sixth object of the present invention is to propose a server.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes a method for detecting the installation of a malicious file, applied to a terminal. The method includes: monitoring whether a system file is currently being installed in the terminal; if a system file is currently being installed, extracting the file characteristic of the system file; sending the file characteristic of the system file to a server, wherein the server, on receiving the file characteristic, judges whether the file characteristic is present in a pre-generated white list and, when the file characteristic is not present in the white list, generates first notification information; receiving the first notification information fed back by the server; and determining, according to the first notification information, that the system file is a malicious file, and controlling the terminal to stop installing the system file.
According to the method of this embodiment, the terminal monitors whether a system file is currently being installed. If so, it extracts the file characteristic of the system file and sends it to the server. On receiving the file characteristic, the server judges whether it is present in the pre-generated white list and, when it is not, generates the first notification information. The terminal then receives the first notification information fed back by the server, determines from it that the system file is a malicious file, and stops installing the system file. In other words, the installation of system files is monitored in order to judge whether a system file is malicious, so that viruses released into the system can be discovered more promptly and accurately, protecting the economic interests of the user and the security of the user's private information. Because the judgment of whether the system file being installed is malicious is made on the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operation steps of the terminal and reduces its load.
According to one embodiment of the present invention, the system file includes a system application and/or a BIN file.
According to one embodiment of the present invention, monitoring whether a system file is currently being installed in the terminal includes: monitoring whether a new file is created under the system directory of the terminal's operating system; and, if a new file is created under the system directory, determining that a system file is currently being installed in the terminal.
According to one embodiment of the present invention, when the system file is a system application, monitoring whether a system file is currently being installed in the terminal includes: detecting whether the application program occupying the display screen of the terminal is the installation manager; and, if the application program occupying the display screen of the terminal is the installation manager, determining that a system file is currently being installed in the terminal.
According to one embodiment of the present invention, the method further includes: receiving second notification information fed back by the server, wherein the second notification information is generated by the server when it judges that the file characteristic is present in the white list; and determining, according to the second notification information, that the system file is a legitimate file, and controlling the terminal to continue installing the system file.
To achieve the above objects, an embodiment of the second aspect of the present invention proposes a method for detecting the installation of a malicious file, applied to a server. The method includes: receiving the file characteristic of a system file sent by a terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed; judging whether the file characteristic is present in a pre-generated white list; if the file characteristic is not present in the white list, generating first notification information; and feeding the first notification information back to the terminal, wherein the terminal determines, according to the first notification information, that the system file is a malicious file and stops installing the system file.
According to the method of this embodiment, the server receives the file characteristic of a system file sent by the terminal, the file characteristic having been extracted from the system file by the terminal when it detected that a system file was being installed. The server judges whether the file characteristic is present in the pre-generated white list and, if not, generates the first notification information and feeds it back to the terminal. The terminal determines from the first notification information that the system file is a malicious file and stops installing it. In other words, the installation of system files is monitored in order to judge whether a system file is malicious, so that viruses released into the system can be discovered more promptly and accurately, protecting the economic interests of the user and the security of the user's private information. Because the judgment of whether the system file being installed is malicious is made on the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operation steps of the terminal and reduces its load.
According to one embodiment of the present invention, the white list is generated in advance by the following steps: collecting the system information of a large number of sample terminals, and collecting the file characteristics of the installed system applications and of the installed BIN files in the sample terminals; establishing a correspondence between the system information of each sample terminal and the file characteristics of the installed system applications and installed BIN files in that sample terminal; and generating the white list from the system information, the file characteristics of the installed system applications, the file characteristics of the installed BIN files, and the correspondence.
According to one embodiment of the present invention, the method further includes: collecting system applications and BIN files that can be installed into the operating system of a terminal; and updating the white list according to the system applications and BIN files that can be installed into the operating system of a terminal.
According to one embodiment of the present invention, the method further includes: if the file characteristic is present in the white list, generating second notification information; and feeding the second notification information back to the terminal, wherein the terminal determines, according to the second notification information, that the system file is a legitimate file and continues installing the system file.
To achieve the above objects, an embodiment of the third aspect of the present invention proposes a device for detecting malicious file installation, applied to a terminal. The device includes: a monitoring module, for monitoring whether a system file is currently being installed in the terminal; an extraction module, for extracting the file characteristic of the system file when a system file is currently being installed; a sending module, for sending the file characteristic of the system file to a server, wherein the server, on receiving the file characteristic, judges whether the file characteristic is present in a pre-generated white list and, when the file characteristic is not present in the white list, generates first notification information; a receiving module, for receiving the first notification information fed back by the server; a determination module, for determining, according to the first notification information, that the system file is a malicious file; and a control module, for controlling the terminal to stop installing the system file when the determination module determines that the system file is a malicious file.
According to the device of this embodiment, the monitoring module monitors whether a system file is currently being installed in the terminal. If so, the extraction module extracts the file characteristic of the system file and the sending module sends it to the server. On receiving the file characteristic, the server judges whether it is present in the pre-generated white list and, when it is not, generates the first notification information. The receiving module then receives the first notification information fed back by the server, the determination module determines from it that the system file is a malicious file, and the control module controls the terminal to stop installing the system file. In other words, the installation of system files is monitored in order to judge whether a system file is malicious, so that viruses released into the system can be discovered more promptly and accurately, protecting the economic interests of the user and the security of the user's private information. Because the judgment of whether the system file being installed is malicious is made on the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operation steps of the terminal and reduces its load.
According to one embodiment of the present invention, the system file includes a system application and/or a BIN file.
According to one embodiment of the present invention, the monitoring module includes: a monitoring unit, for monitoring whether a new file is created under the system directory of the terminal's operating system; and a first determination unit, for determining that a system file is currently being installed in the terminal when a new file is created under the system directory.
According to one embodiment of the present invention, when the system file is a system application, the monitoring module includes: a detection unit, for detecting whether the application program occupying the display screen of the terminal is the installation manager; and a second determination unit, for determining that a system file is currently being installed in the terminal when the application program occupying the display screen of the terminal is the installation manager.
According to one embodiment of the present invention, the receiving module is further used to receive second notification information fed back by the server, wherein the second notification information is generated by the server when it judges that the file characteristic is present in the white list; the determination module is further used to determine, according to the second notification information, that the system file is a legitimate file; and the control module is further used to control the terminal to continue installing the system file when the determination module determines that the system file is a legitimate file.
To achieve the above objects, an embodiment of the fourth aspect of the present invention proposes a device for detecting malicious file installation, including: a receiving module, for receiving the file characteristic of a system file sent by a terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed; a judging module, for judging whether the file characteristic is present in a pre-generated white list; a generation module, for generating first notification information when the file characteristic is not present in the white list; and a feedback module, for feeding the first notification information back to the terminal, wherein the terminal determines, according to the first notification information, that the system file is a malicious file and stops installing the system file.
According to the device of this embodiment, the receiving module receives the file characteristic of a system file sent by the terminal, the file characteristic having been extracted from the system file by the terminal when it detected that a system file was being installed. The judging module judges whether the file characteristic is present in the pre-generated white list; if not, the generation module generates the first notification information and the feedback module feeds it back to the terminal. The terminal determines from the first notification information that the system file is a malicious file and stops installing it. In other words, the installation of system files is monitored in order to judge whether a system file is malicious, so that viruses released into the system can be discovered more promptly and accurately, protecting the economic interests of the user and the security of the user's private information. Because the judgment of whether the system file being installed is malicious is made on the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operation steps of the terminal and reduces its load.
According to one embodiment of the present invention, the device further includes a preprocessing module, for generating the white list in advance. The preprocessing module includes: a first collection unit, for collecting the system information of a large number of sample terminals, and collecting the file characteristics of the installed system applications and of the installed BIN files in the sample terminals; an establishing unit, for establishing a correspondence between the system information of each sample terminal and the file characteristics of the installed system applications and installed BIN files in that sample terminal; and a generation unit, for generating the white list from the system information, the file characteristics of the installed system applications, the file characteristics of the installed BIN files, and the correspondence.
According to one embodiment of the present invention, the preprocessing module further includes: a second collection unit, for collecting system applications and BIN files that can be installed into the operating system of a terminal; and an updating unit, for updating the white list according to the system applications and BIN files that can be installed into the operating system of a terminal.
According to one embodiment of the present invention, the generation module is further used to generate second notification information when the file characteristic is present in the white list; and the feedback module is further used to feed the second notification information back to the terminal, wherein the terminal determines, according to the second notification information, that the system file is a legitimate file and continues installing the system file.
To achieve the above objects, an embodiment of the fifth aspect of the present invention proposes a terminal, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used to supply power to each circuit or component of the terminal; the memory is used to store executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following steps: monitoring whether a system file is currently being installed in the terminal; if a system file is currently being installed, extracting the file characteristic of the system file; sending the file characteristic of the system file to a server, wherein the server, on receiving the file characteristic, judges whether the file characteristic is present in a pre-generated white list and, when the file characteristic is not present in the white list, generates first notification information; receiving the first notification information fed back by the server; and determining, according to the first notification information, that the system file is a malicious file, and controlling the terminal to stop installing the system file.
To achieve the above objects, an embodiment of the sixth aspect of the present invention proposes a server, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to: receive the file characteristic of a system file sent by a terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed; judge whether the file characteristic is present in a pre-generated white list; if the file characteristic is not present in the white list, generate first notification information; and feed the first notification information back to the terminal, wherein the terminal determines, according to the first notification information, that the system file is a malicious file and stops installing the system file.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the following description or be learned through practice of the present invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of embodiments taken together with the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for detecting malicious file installation according to an embodiment of the present invention;
Fig. 2 is a structural diagram of a device for detecting malicious file installation according to an embodiment of the present invention;
Fig. 3 is a structural diagram of a device for detecting malicious file installation according to a specific embodiment of the present invention;
Fig. 4 is a structural diagram of a device for detecting malicious file installation according to another specific embodiment of the present invention;
Fig. 5 is a flowchart of a method for detecting malicious file installation according to an embodiment of the present invention;
Fig. 6 is a structural diagram of a device for detecting malicious file installation according to an embodiment of the present invention;
Fig. 7 is a structural diagram of a device for detecting malicious file installation according to a specific embodiment of the present invention;
Fig. 8 is a structural diagram of a terminal according to an embodiment of the present invention;
Fig. 9 is a structural diagram of a server according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements, or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and are not to be construed as limiting it.
The method, device, terminal and server for detecting malicious file installation according to embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a method for detecting malicious file installation according to an embodiment of the present invention. It should be noted that the method of this embodiment can be applied to the device for detecting malicious file installation of the embodiments of the present invention, and that this device can be configured in a terminal; that is, this embodiment is described from the terminal side. The terminal may be a PC, a mobile terminal (a hardware device running any of various operating systems, such as a mobile phone or a tablet computer), and so on.
It should also be noted that, in order to detect malicious files among system files, the detection device of the embodiments of the present invention should have the highest level of privilege on the terminal.
As shown in Fig. 1, the method for detecting malicious file installation may include:
S110: monitor whether a system file is currently being installed in the terminal.
As an example, the system file may include a system application and/or a binary (BIN) file. A system application can be understood as an application program that can be installed into the operating system and that holds the highest administrative privilege of that operating system; a BIN file can be understood as a file responsible for retaining system privileges or for protecting an application program from being uninstalled.
It will be appreciated that, whether the system file is a system application or a BIN file, when the terminal installs it a new file is placed under the system directory of the operating system in order to carry out the installation. Based on this property, this step can judge whether the terminal is currently installing a system file by monitoring whether a new file is created under the system directory. As an example, monitoring whether a system file is currently being installed in the terminal may be implemented as follows: monitor whether a new file is created under the system directory of the terminal's operating system; if a new file is created under the system directory, determine that a system file is currently being installed in the terminal.
It will further be appreciated that, when the system file is a system application, the terminal can judge whether a system application is currently being installed by judging whether the installation manager in the terminal is running. As an example, when the system file is a system application, monitoring whether a system file is currently being installed in the terminal may be implemented as follows: detect whether the application program occupying the display screen of the terminal is the installation manager; if the application program occupying the display screen of the terminal is the installation manager, determine that a system file is currently being installed in the terminal.
That is, whether a BIN file is being installed can be determined by judging whether a new file is created under the system directory. Whether a system application is being installed can be determined in either of two ways: 1) judging whether a new file is created under the system directory; 2) judging whether the installation manager in the terminal is currently running and, if so, determining that a system application is currently being installed.
S120: if a system file is currently being installed, extract the file characteristic of the system file.
Specifically, when it is detected that the terminal is currently installing a system file (such as a system application and/or a BIN file), the file characteristic of that system file can be extracted. As an example, the file characteristic may be the MD5 value of the system file, or the like.
S130: send the file characteristic of the system file to the server, wherein the server, on receiving the file characteristic, judges whether the file characteristic is present in a pre-generated white list and, when the file characteristic is not present in the white list, generates first notification information.
It will be appreciated that, when the file characteristic of the system file is sent to the server, the identification information of the terminal can be sent along with it, so that the server can return the corresponding feedback information according to the identification information. The identification information may be the MAC (Media Access Control) address of the terminal, its device number, or the like. On receiving the file characteristic sent by the terminal, the server can match it against the white list to judge whether the white list contains it. If the white list does not contain the file characteristic, the server can determine that the file characteristic does not match the white list and generate the first notification information. For example, the first notification information may be "this file characteristic is not present in the white list; the corresponding system file is a malicious file". The server can then feed the first notification information back to the corresponding terminal according to the terminal's identification information, to inform the terminal that the system file it is currently installing is a malicious file.
S140, the first announcement information of the reception server feedback.
S150, is malicious file according to the first announcement information decision-making system file, and control terminal stops installation system literary composition Part.
Specifically, after the first announcement information receiving server feedback, the interior of this first announcement information can be analyzed Hold, and the current system file installed is judged as malicious file according to analysis result, now can control terminal and stop installing This system file.Preferably, while control terminal stops installing this system file, the installation of this system file can also be deleted Bag, to reach the purpose of complete protection system safety.
In order to improve availability and the feasibility of the present invention, further, in one embodiment of the invention, this inspection Survey method may also include:Second announcement information of the reception server feedback, wherein, the second announcement information is to be judged by server Generate when file characteristic is present in white list;It is legitimate files according to the second announcement information decision-making system file, and control Terminal continues installation system file.
Specifically, server is present in white list judging above-mentioned file characteristic, and that is, this document feature is in white list Timing, can generate corresponding second announcement information, and for example, this second announcement information can be for " this document feature is present in white list In, its corresponding system file is legitimate files ", afterwards, this second announcement information can be sent to by correspondence according to identification information Terminal.Terminal, when receiving the second announcement information of server feedback, can analyze the content of this second announcement information, and root Judge the current system file installed as legitimate files according to analysis result, now can control terminal and continue installation system literary composition Part.
To sum up, the detection method that the malicious file of the embodiment of the present invention is installed, currently has new system in monitoring terminal File is mounted, when applying the system that is installed to or new BIN file to be discharged under system directory if any new system, Can extract the file characteristic of this system file, and this document feature is sent to server and detected.Server passes through in advance The white list that generates and this document feature, and will judging new system file that this terminal is being installed whether as malicious file Judged result notifies to terminal, if this new system file is malicious file, terminal can stop installing this new system file, no Then continue this new system file is installed.
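The terminal-side flow S110 to S150, as an added Python sketch that is not code from the patent: new files under a system directory are found by snapshot comparison, the MD5 file characteristic is computed, and the server's answer decides whether installation continues. The `query_server` callable, the notice labels, the `held` outcome for an unrecognised reply and the sample file names are assumptions; the newly created file stands in for the installation package.

```python
import hashlib
import os
import tempfile

NOTICE_FIRST = "first"    # characteristic not in the white list -> malicious
NOTICE_SECOND = "second"  # characteristic in the white list -> legitimate


def snapshot(system_dir):
    """Return the set of file paths currently present under system_dir."""
    found = set()
    for root, _dirs, files in os.walk(system_dir):
        for name in files:
            found.add(os.path.join(root, name))
    return found


def new_files(system_dir, baseline):
    """S110: files created under the system directory since the baseline."""
    return sorted(snapshot(system_dir) - baseline)


def file_feature(path, chunk=65536):
    """S120: MD5 of the file content, read in chunks so large files are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def handle_install(path, terminal_id, query_server):
    """S130-S150: send the characteristic, then act on the announcement."""
    notice = query_server(terminal_id, file_feature(path))
    if notice == NOTICE_SECOND:
        return "continue"          # legitimate file: installation goes on
    if notice == NOTICE_FIRST:
        os.remove(path)            # stop and delete the package
        return "stopped"
    # Assumption of this example: an unrecognised or missing reply pauses
    # the installation without deleting anything.
    return "held"


def demo():
    """Run the flow over two constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as system_dir:
        baseline = snapshot(system_dir)
        known = b"constructed legitimate BIN content"
        with open(os.path.join(system_dir, "vendor_tool.bin"), "wb") as fh:
            fh.write(known)
        with open(os.path.join(system_dir, "dropper.bin"), "wb") as fh:
            fh.write(b"constructed unknown BIN content")

        white_list = {hashlib.md5(known).hexdigest()}

        def query_server(terminal_id, feature):
            # Stand-in for the server: membership test on the white list.
            return NOTICE_SECOND if feature in white_list else NOTICE_FIRST

        results = {}
        for path in new_files(system_dir, baseline):
            name = os.path.basename(path)
            results[name] = handle_install(path, "02:00:00:00:00:01",
                                           query_server)
        remaining = sorted(os.path.basename(p) for p in snapshot(system_dir))
        return results, remaining


if __name__ == "__main__":
    print(demo())
```

MD5 is used only because the text names it; collisions can be constructed for MD5, so a collision-resistant digest such as SHA-256 is the safer characteristic for an allow-list.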
According to the detection method for malicious file installation of the embodiment of the present invention, it can be monitored whether a system file is currently being installed in the terminal; if so, the file characteristic of the system file is extracted and sent to the server, wherein the server, upon receiving the file characteristic, judges whether it exists in the pre-generated white list and, when it does not, generates the first announcement information. The first announcement information fed back by the server can then be received, and finally the system file is determined to be a malicious file according to the first announcement information and the terminal is controlled to stop installing the system file. That is, by monitoring the installation of system files to judge whether a system file is a malicious file, viruses released into the system can be found more promptly and accurately, ensuring the safety of the user's economic interests and private information. Moreover, because the judgement of whether the system file currently being installed is a malicious file is placed in the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operating steps of the terminal and reduces its load.
Corresponding to the detection methods for malicious file installation provided by the above embodiments, an embodiment of the present invention also provides a detection device for malicious file installation. Since the detection device provided by this embodiment corresponds to the detection methods provided by the above embodiments, the implementations of the foregoing detection method also apply to the detection device of this embodiment and are not described in detail again here. Fig. 2 is a structural schematic diagram of a detection device for malicious file installation according to an embodiment of the present invention. It should be noted that the detection device of this embodiment can be configured in the terminal.
As shown in Fig. 2, the detection device for malicious file installation can include: monitoring module 110, extraction module 120, sending module 130, receiver module 140, determination module 150 and control module 160.
Specifically, monitoring module 110 can be used to monitor whether a system file is currently being installed in the terminal. In one embodiment of the present invention, the system file may include a system application and/or a BIN file.
It can be understood that, whether the system file is a system application or a BIN file, when the terminal installs it a new file is placed under the system directory of the operating system to complete the installation. Based on this characteristic, whether a system file is currently being installed in the terminal can be judged by monitoring whether a new file has been created under the system directory. As an example, as shown in Fig. 3, monitoring module 110 may include monitoring unit 111 and first identifying unit 112. Monitoring unit 111 can be used to monitor whether a new file has been created under the system directory of the operating system of the terminal. First identifying unit 112 can be used to determine, when a new file has been created under the system directory, that a system file is currently being installed in the terminal.
It can further be understood that, when the system file is a system application, the terminal can judge whether a system application is currently being installed by judging whether the installation manager in the terminal is running. As an example, when the system file is a system application, as shown in Fig. 4, monitoring module 110 may include detector unit 113 and second identifying unit 114. Detector unit 113 can be used to detect whether the application program occupying the display screen of the terminal is the installation manager. Second identifying unit 114 can be used to determine, when the application program occupying the display screen of the terminal is the installation manager, that a system file is currently being installed in the terminal.
Extraction module 120 can be used to extract the file characteristic of the system file when a system file is currently being installed.
Sending module 130 can be used to send the file characteristic of the system file to the server, wherein the server, upon receiving the file characteristic, judges whether the file characteristic exists in the pre-generated white list and, when the file characteristic does not exist in the white list, generates the first announcement information.
Receiver module 140 can be used to receive the first announcement information fed back by the server.
Determination module 150 can be used to determine according to the first announcement information that the system file is a malicious file.
Control module 160 can be used to control the terminal to stop installing the system file when determination module 150 determines that the system file is a malicious file.
In order to improve the availability and feasibility of the present invention, further, in one embodiment of the present invention, receiver module 140 is also used to receive the second announcement information fed back by the server, wherein the second announcement information is generated by the server when it judges that the file characteristic exists in the white list. Determination module 150 is also used to determine according to the second announcement information that the system file is a legitimate file. Control module 160 is also used to control the terminal to continue installing the system file when determination module 150 determines that the system file is a legitimate file.
According to the detection device for malicious file installation of the embodiment of the present invention, the monitoring module can monitor whether a system file is currently being installed in the terminal; if so, the extraction module extracts the file characteristic of the system file and the sending module sends it to the server, wherein the server, upon receiving the file characteristic, judges whether it exists in the pre-generated white list and, when it does not, generates the first announcement information. The receiver module can then receive the first announcement information fed back by the server, the determination module determines according to the first announcement information that the system file is a malicious file, and the control module controls the terminal to stop installing the system file. That is, by monitoring the installation of system files to judge whether a system file is a malicious file, viruses released into the system can be found more promptly and accurately, ensuring the safety of the user's economic interests and private information. Moreover, because the judgement of whether the system file currently being installed is a malicious file is placed in the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operating steps of the terminal and reduces its load.
In order to realize the above embodiments, the present invention also proposes another detection method for malicious file installation. Fig. 5 is a flow chart of a detection method for malicious file installation according to an embodiment of the present invention. It should be noted that the detection method of this embodiment can be applied to the detection device for malicious file installation of the embodiment of the present invention, and this detection device can be configured in the server; that is, this embodiment is described from the server side.
As shown in Fig. 5, the detection method for malicious file installation can include:
S510, receive the file characteristic of a system file sent by the terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed.
It should be noted that the terminal can first monitor whether a system file is currently being installed and, if so, extract the file characteristic of that system file (for example, the file characteristic can be an MD5 value), and then send the extracted file characteristic to the server. It can be understood that, while the file characteristic is sent to the server, the identification information of the terminal (such as its MAC address) can be sent along with it. The server can receive the file characteristic sent by the terminal, which is the file characteristic of the system file the terminal is currently installing.
S520, judge whether the file characteristic exists in the pre-generated white list.
It can be understood that, in an embodiment of the present invention, the white list can be generated in advance for ease of use. As an example, the white list can be generated in advance by the following steps:
521) collect the system information of a large number of sample terminals, and collect the file characteristics of the system applications already installed and of the BIN files already installed in the sample terminals;
Wherein, in an embodiment of the present invention, the system information may include but is not limited to the device model of the terminal, the version number of the terminal's operating system, and so on.
522) establish the correspondence between the system information of each sample terminal and the file characteristics of the system applications already installed and of the BIN files already installed in that sample terminal;
523) generate the white list according to the system information, the file characteristics of the installed system applications, the file characteristics of the installed BIN files, and the correspondence.
Specifically, the system information of terminals, the file characteristics of the system applications installed in them and the file characteristics of the installed BIN files can be collected in advance, and the correspondence between the system information of a terminal and the file characteristics of its system files established. In this way it can be determined which version of which kind of terminal has which legitimate system applications and BIN files. Finally, the system information of the terminals and the file characteristics of the system files are combined according to this correspondence to form the white list.
In order to improve the white list and further improve the accuracy of the detection result, preferably, in one embodiment of the present invention, system applications and BIN files that may be installed into the operating system of a terminal can also be collected, and the white list updated according to them. As an example, a system application or BIN file that may be installed into the operating system of a terminal can be a privilege-escalation-class application; it can be understood that such an application can be installed into the system of the terminal and can obtain the highest-level authority of that system.
It can be understood that, in practice, some privilege-escalation-class applications are legitimate files, so these also need to be added to the white list. That is, the system applications and BIN files that can be installed into the system can also be collected, their file characteristics extracted and added to the white list, and the file characteristics in the white list de-duplicated to avoid redundant information.
S530, if the file characteristic does not exist in the white list, generate the first announcement information.
That is, when it is judged that the file characteristic does not match the white list, the first announcement information can be generated. For example, the first announcement information can be "this file characteristic is not present in the white list, and its corresponding system file is a malicious file".
S540, feed the first announcement information back to the terminal, wherein the terminal determines according to the first announcement information that the system file is a malicious file and stops installing the system file.
In order to improve the availability and feasibility of the present invention, further, in one embodiment of the present invention, the detection method may also include: if the file characteristic exists in the white list, generating the second announcement information; and feeding the second announcement information back to the terminal, wherein the terminal determines according to the second announcement information that the system file is a legitimate file and continues installing the system file.
Specifically, when it is judged that the file characteristic exists in the white list, that is, the file characteristic matches the white list, the corresponding second announcement information can be generated. For example, the second announcement information can be "this file characteristic is present in the white list, and its corresponding system file is a legitimate file". The second announcement information can then be sent to the corresponding terminal. When the terminal receives the second announcement information fed back by the server, it can analyze the content of the second announcement information and determine according to the analysis result that the system file currently being installed is a legitimate file; the terminal can then be controlled to continue installing the system file.
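The server side (white-list generation in steps 521 to 523, the update with separately collected installable files, and the S520 to S540 decision), as an added Python sketch that is not code from the patent. The class and function names, the optional lookup scoped to a terminal's system information, the rejection of malformed characteristics and all sample values are assumptions of this example.

```python
import hashlib
import re
from collections import defaultdict

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
FIRST, SECOND = "first", "second"


def normalize(feature):
    """Lower-case an MD5 hex string; return None if it is not well formed."""
    text = feature.strip().lower() if isinstance(feature, str) else ""
    return text if MD5_HEX.match(text) else None


class WhiteList:
    def __init__(self):
        # Step 522: (device model, OS version) -> file characteristics.
        self.by_system = defaultdict(set)
        # Files that may legitimately be installed into the system later,
        # e.g. legitimate privilege-escalation-class applications.
        self.installable = set()

    def add_sample(self, model, os_version, app_features, bin_features):
        """Steps 521-523 for one sample terminal. Sets de-duplicate."""
        for feature in list(app_features) + list(bin_features):
            clean = normalize(feature)
            if clean:
                self.by_system[(model, os_version)].add(clean)

    def add_installable(self, features):
        """White-list update with separately collected installable files."""
        for feature in features:
            clean = normalize(feature)
            if clean:
                self.installable.add(clean)

    def contains(self, feature, system_info=None):
        """S520. With system_info (assumption: the terminal reports it), only
        that model/version's entries and the installable set are consulted."""
        clean = normalize(feature)
        if clean is None:
            return False
        if clean in self.installable:
            return True
        if system_info is not None:
            return clean in self.by_system.get(tuple(system_info), set())
        return any(clean in known for known in self.by_system.values())


def handle_report(white_list, terminal_id, feature, system_info=None):
    """S530/S540: build the announcement addressed to the reporting terminal."""
    if white_list.contains(feature, system_info):
        notice = SECOND
        message = ("this file characteristic is present in the white list, "
                   "and its corresponding system file is a legitimate file")
    else:
        notice = FIRST
        message = ("this file characteristic is not present in the white "
                   "list, and its corresponding system file is a malicious "
                   "file")
    return {"terminal_id": terminal_id, "notice": notice, "message": message}


def feature_of(data):
    """MD5 characteristic of constructed sample bytes."""
    return hashlib.md5(data).hexdigest()


def build_demo_white_list():
    """Constructed sample terminals; every value here is made up."""
    settings = feature_of(b"constructed: settings app")
    radio = feature_of(b"constructed: radio daemon BIN")
    root_tool = feature_of(b"constructed: legitimate privilege tool")
    wl = WhiteList()
    wl.add_sample("ModelA", "5.1", [settings, settings.upper()], [radio])
    wl.add_sample("ModelB", "6.0", [settings], [])
    wl.add_installable([root_tool, root_tool])
    return wl


if __name__ == "__main__":
    demo = build_demo_white_list()
    print(handle_report(demo, "02:00:00:00:00:01", feature_of(b"unknown")))
```

Scoping the lookup to the reporting terminal's model and OS version means a file that is legitimate on one device is not automatically accepted on another.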
According to the detection method for malicious file installation of the embodiment of the present invention, the file characteristic of a system file sent by the terminal can be received, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed; it is judged whether the file characteristic exists in the pre-generated white list and, if not, the first announcement information is generated; finally, the first announcement information is fed back to the terminal, wherein the terminal determines according to the first announcement information that the system file is a malicious file and stops installing the system file. That is, by monitoring the installation of system files to judge whether a system file is a malicious file, viruses released into the system can be found more promptly and accurately, ensuring the safety of the user's economic interests and private information. Moreover, because the judgement of whether the system file currently being installed is a malicious file is placed in the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operating steps of the terminal and reduces its load.
Corresponding to the detection methods for malicious file installation provided by the above embodiments, an embodiment of the present invention also provides a detection device for malicious file installation. Since the detection device provided by this embodiment corresponds to the detection methods provided by the above embodiments, the implementations of the foregoing detection method also apply to the detection device of this embodiment and are not described in detail again here. Fig. 6 is a structural schematic diagram of a detection device for malicious file installation according to an embodiment of the present invention. As shown in Fig. 6, the detection device can include: receiver module 210, judge module 220, generation module 230 and feedback module 240.
Specifically, receiver module 210 can be used to receive the file characteristic of a system file sent by the terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed.
Judge module 220 can be used to judge whether the file characteristic exists in the pre-generated white list.
It can be understood that, in an embodiment of the present invention, the white list can be generated in advance for ease of use. As an example, as shown in Fig. 7, the detection device may also include pretreatment module 250, which can be used to generate the white list in advance. In an embodiment of the present invention, pretreatment module 250 may include first collector unit 251, establishing unit 252 and generating unit 253. First collector unit 251 is used to collect the system information of a large number of sample terminals, and to collect the file characteristics of the system applications already installed and of the BIN files already installed in the sample terminals. Establishing unit 252 is used to establish the correspondence between the system information of each sample terminal and the file characteristics of the system applications already installed and of the BIN files already installed in that sample terminal. Generating unit 253 is used to generate the white list according to the system information, the file characteristics of the installed system applications, the file characteristics of the installed BIN files, and the correspondence.
In order to improve the white list and further improve the accuracy of the detection result, preferably, in an embodiment of the present invention, as shown in Fig. 7, pretreatment module 250 may also include second collector unit 254 and updating unit 255. Second collector unit 254 is used to collect the system applications and BIN files that may be installed into the operating system of a terminal. Updating unit 255 is used to update the white list according to the system applications and BIN files that may be installed into the operating system of a terminal.
Generation module 230 can be used to generate the first announcement information when the file characteristic does not exist in the white list.
Feedback module 240 can be used to feed the first announcement information back to the terminal, wherein the terminal determines according to the first announcement information that the system file is a malicious file and stops installing the system file.
In order to improve the availability and feasibility of the present invention, further, in one embodiment of the present invention, generation module 230 is also used to generate the second announcement information when the file characteristic exists in the white list. Feedback module 240 is also used to feed the second announcement information back to the terminal, wherein the terminal determines according to the second announcement information that the system file is a legitimate file and continues installing the system file.
According to the detection device for malicious file installation of the embodiment of the present invention, the receiver module can receive the file characteristic of a system file sent by the terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed; the judge module judges whether the file characteristic exists in the pre-generated white list; if not, the generation module generates the first announcement information, and the feedback module feeds the first announcement information back to the terminal, wherein the terminal determines according to the first announcement information that the system file is a malicious file and stops installing the system file. That is, by monitoring the installation of system files to judge whether a system file is a malicious file, viruses released into the system can be found more promptly and accurately, ensuring the safety of the user's economic interests and private information. Moreover, because the judgement of whether the system file currently being installed is a malicious file is placed in the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operating steps of the terminal and reduces its load.
In order to realize the above embodiments, the present invention also proposes a terminal.
Fig. 8 is a structural schematic diagram of a terminal according to an embodiment of the present invention. As shown in Fig. 8, the terminal can include: housing 81, processor 82, memory 83, circuit board 84 and power circuit 85, wherein circuit board 84 is placed inside the space enclosed by housing 81, and processor 82 and memory 83 are arranged on circuit board 84; power circuit 85 is used to supply power to each circuit or device of the terminal; memory 83 is used to store executable program code; processor 82 runs a program corresponding to the executable program code by reading the executable program code stored in memory 83, so as to execute the following steps:
S810, monitor whether a system file is currently being installed in the terminal.
S820, if a system file is currently being installed, extract the file characteristic of the system file.
S830, send the file characteristic of the system file to the server, wherein the server, upon receiving the file characteristic, judges whether the file characteristic exists in the pre-generated white list and, when the file characteristic does not exist in the white list, generates the first announcement information.
S840, receive the first announcement information fed back by the server.
S850, determine according to the first announcement information that the system file is a malicious file, and control the terminal to stop installing the system file.
According to the terminal of the embodiment of the present invention, it can be monitored whether a system file is currently being installed in the terminal; if so, the file characteristic of the system file is extracted and sent to the server, wherein the server, upon receiving the file characteristic, judges whether it exists in the pre-generated white list and, when it does not, generates the first announcement information. The first announcement information fed back by the server can then be received, and finally the system file is determined to be a malicious file according to the first announcement information and the terminal is controlled to stop installing the system file. That is, by monitoring the installation of system files to judge whether a system file is a malicious file, viruses released into the system can be found more promptly and accurately, ensuring the safety of the user's economic interests and private information. Moreover, because the judgement of whether the system file currently being installed is a malicious file is placed in the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operating steps of the terminal and reduces its load.
In order to realize the above embodiments, the present invention also proposes a server.
Fig. 9 is a structural schematic diagram of a server according to an embodiment of the present invention. As shown in Fig. 9, the server can include processor 91 and memory 92 for storing instructions executable by processor 91, wherein processor 91 is configured to:
S910, receive the file characteristic of a system file sent by the terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed.
S920, judge whether the file characteristic exists in the pre-generated white list.
S930, if the file characteristic does not exist in the white list, generate the first announcement information.
S940, feed the first announcement information back to the terminal, wherein the terminal determines according to the first announcement information that the system file is a malicious file and stops installing the system file.
According to the server of the embodiment of the present invention, the file characteristic of a system file sent by the terminal can be received, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed; it is judged whether the file characteristic exists in the pre-generated white list and, if not, the first announcement information is generated; finally, the first announcement information is fed back to the terminal, wherein the terminal determines according to the first announcement information that the system file is a malicious file and stops installing the system file. That is, by monitoring the installation of system files to judge whether a system file is a malicious file, viruses released into the system can be found more promptly and accurately, ensuring the safety of the user's economic interests and private information. Moreover, because the judgement of whether the system file currently being installed is a malicious file is placed in the server, the terminal only needs to extract the file characteristic from the system file being installed and send it to the server, which simplifies the operating steps of the terminal and reduces its load.
In the description of the present invention, it should be understood that the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature defined with "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "multiple" means at least two, such as two or three, unless otherwise expressly and specifically limited.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, where there is no conflict, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
Any process or method described in a flow chart or otherwise described herein may be understood as representing a module, fragment or portion of code that includes one or more executable instructions for realizing a specific logical function or step of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order according to the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in a flow chart or otherwise described herein, for example, may be considered an ordered list of executable instructions for realizing logical functions, and may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, device or equipment (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, device or equipment and execute them). For the purposes of this specification, a "computer-readable medium" can be any device that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, device or equipment. More specific examples (a non-exhaustive list) of computer-readable media include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium can even be paper or another suitable medium on which the program can be printed, because the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or, if necessary, processing it in another suitable way, and then stored in a computer memory.
It should be understood that each part of the present invention can be realized with hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods can be realized with software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if realized with hardware, as in another embodiment, they can be realized with any one of the following technologies known in the art or a combination thereof: a discrete logic circuit having logic gates for realizing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps carried by the above embodiment methods can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in each embodiment of the present invention can be integrated in one processing module, or each unit can exist physically on its own, or two or more units can be integrated in one module. The integrated module can be realized in the form of hardware or in the form of a software functional module. If the integrated module is realized in the form of a software functional module and is sold or used as an independent product, it can also be stored in a computer-readable storage medium.
The storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like. Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and cannot be construed as limiting the present invention; those of ordinary skill in the art can change, modify, replace and vary the above embodiments within the scope of the present invention.

Claims (10)

1. A method for detecting installation of a malicious file, applied to a terminal, characterized by comprising the following steps:
monitoring whether a system file is currently being installed in the terminal;
if a system file is currently being installed, extracting a file characteristic of the system file;
sending the file characteristic of the system file to a server, wherein the server, upon receiving the file characteristic, judges whether the file characteristic exists in a pre-generated whitelist, and generates first announcement information when the file characteristic does not exist in the whitelist;
receiving the first announcement information fed back by the server;
judging, according to the first announcement information, that the system file is a malicious file, and controlling the terminal to stop installing the system file.
2. The method for detecting installation of a malicious file according to claim 1, characterized in that the system file includes a system application and/or a BIN file.
3. The method for detecting installation of a malicious file according to claim 1, characterized in that monitoring whether a system file is currently being installed in the terminal comprises:
monitoring whether a new file is created under a system directory in the operating system of the terminal;
if a new file is created under the system directory, determining that a system file is currently being installed in the terminal.
4. The method for detecting installation of a malicious file according to claim 2, characterized in that, when the system file is a system application, monitoring whether a system file is currently being installed in the terminal comprises:
detecting whether the application program occupying the display screen of the terminal is an installation manager;
if the application program occupying the display screen of the terminal is the installation manager, determining that a system file is currently being installed in the terminal.
5. The method for detecting installation of a malicious file according to any one of claims 1 to 4, characterized in that the method further comprises:
receiving second announcement information fed back by the server, wherein the second announcement information is generated by the server when it judges that the file characteristic exists in the whitelist;
judging, according to the second announcement information, that the system file is a legitimate file, and controlling the terminal to continue installing the system file.
6. A method for detecting installation of a malicious file, applied to a server, characterized by comprising:
receiving a file characteristic of a system file sent by a terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed;
judging whether the file characteristic exists in a pre-generated whitelist;
if the file characteristic does not exist in the whitelist, generating first announcement information;
feeding the first announcement information back to the terminal, wherein the terminal judges, according to the first announcement information, that the system file is a malicious file, and stops installing the system file.
7. The method for detecting installation of a malicious file according to claim 6, characterized in that the whitelist is generated in advance by the following steps:
collecting system information of a large number of sample terminals, and collecting the file characteristics of installed system applications and the file characteristics of installed BIN files in the sample terminals;
establishing a correspondence between the system information of each sample terminal and the file characteristics of the installed system applications and of the installed BIN files in that sample terminal;
generating the whitelist according to the system information, the file characteristics of the installed system applications, the file characteristics of the installed BIN files, and the correspondence.
8. A device for detecting installation of a malicious file, applied to a server, characterized by comprising:
a receiving module, for receiving a file characteristic of a system file sent by a terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed;
a judging module, for judging whether the file characteristic exists in a pre-generated whitelist;
a generating module, for generating first announcement information when the file characteristic does not exist in the whitelist;
a feedback module, for feeding the first announcement information back to the terminal, wherein the terminal judges, according to the first announcement information, that the system file is a malicious file, and stops installing the system file.
9. A terminal, characterized by comprising: a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit is used to supply power to each circuit or device of the terminal; the memory is used to store executable program code; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following steps:
monitoring whether a system file is currently being installed in the terminal;
if a system file is currently being installed, extracting a file characteristic of the system file;
sending the file characteristic of the system file to a server, wherein the server, upon receiving the file characteristic, judges whether the file characteristic exists in a pre-generated whitelist, and generates first announcement information when the file characteristic does not exist in the whitelist;
receiving the first announcement information fed back by the server;
judging, according to the first announcement information, that the system file is a malicious file, and controlling the terminal to stop installing the system file.
10. A server, characterized by comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
receive a file characteristic of a system file sent by a terminal, wherein the file characteristic is extracted from the system file by the terminal when it detects that a system file is currently being installed;
judge whether the file characteristic exists in a pre-generated whitelist;
if the file characteristic does not exist in the whitelist, generate first announcement information;
feed the first announcement information back to the terminal, wherein the terminal judges, according to the first announcement information, that the system file is a malicious file, and stops installing the system file.
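
The terminal and server steps of claims 1, 3, 5, 6 and 7, sketched as an added example that is not part of the patent text. It assumes the file characteristic is a SHA-256 digest, that the terminal reports its system information together with the characteristic, and that deleting the new file stands in for stopping the installation; all function names and sample data are constructed.

```python
import hashlib
import os
import tempfile

FIRST_NOTICE = "first"    # characteristic absent from whitelist: malicious
SECOND_NOTICE = "second"  # characteristic present in whitelist: legitimate

def file_characteristic(path):
    """Assumed characteristic: SHA-256 digest of the file content."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_whitelist(samples):
    """Claim 7: map each sample terminal's system information to the
    characteristics of its installed system applications and BIN files."""
    whitelist = {}
    for system_info, characteristics in samples:
        whitelist.setdefault(system_info, set()).update(characteristics)
    return whitelist

def server_check(whitelist, system_info, characteristic):
    """Claim 6: answer with the first or second announcement information."""
    if characteristic in whitelist.get(system_info, set()):
        return SECOND_NOTICE
    return FIRST_NOTICE

def new_files(system_dir, known):
    """Claim 3: names created under the system directory since `known`."""
    return sorted(set(os.listdir(system_dir)) - known)

def terminal_scan(system_dir, known, whitelist, system_info):
    """Claims 1 and 5: stop installs the server flags, continue the rest."""
    decisions = {}
    for name in new_files(system_dir, known):
        path = os.path.join(system_dir, name)
        notice = server_check(whitelist, system_info, file_characteristic(path))
        if notice == FIRST_NOTICE:
            os.remove(path)  # assumed stand-in for "stop installing"
            decisions[name] = "stopped"
        else:
            decisions[name] = "continued"
    return decisions

def demo():
    """Constructed run: a whitelisted and an unknown BIN file appear."""
    vendor = b"constructed vendor BIN file"
    info = "model-A/build-1"  # constructed system information
    whitelist = build_whitelist([(info, {hashlib.sha256(vendor).hexdigest()})])
    with tempfile.TemporaryDirectory() as system_dir:
        known = set(os.listdir(system_dir))  # snapshot before the install
        files = (("vendor.bin", vendor), ("unknown.bin", b"constructed unknown"))
        for name, data in files:
            with open(os.path.join(system_dir, name), "wb") as fh:
                fh.write(data)
        decisions = terminal_scan(system_dir, known, whitelist, info)
        return decisions, sorted(os.listdir(system_dir))
```

Because the lookup is keyed by system information, a characteristic collected from one sample build is not accepted for a terminal that reports a different build.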
CN201610950768.4A 2016-10-26 2016-10-26 Method and device for detecting installation of malicious file, terminal and server CN106407799A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610950768.4A CN106407799A (en) 2016-10-26 2016-10-26 Method and device for detecting installation of malicious file, terminal and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610950768.4A CN106407799A (en) 2016-10-26 2016-10-26 Method and device for detecting installation of malicious file, terminal and server

Publications (1)

Publication Number Publication Date
CN106407799A true CN106407799A (en) 2017-02-15

Family

ID=58014167

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610950768.4A CN106407799A (en) 2016-10-26 2016-10-26 Method and device for detecting installation of malicious file, terminal and server

Country Status (1)

Country Link
CN (1) CN106407799A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107292173A (en) * 2017-06-06 2017-10-24 北京奇虎科技有限公司 File safety protection method, device and equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368957A (en) * 2013-07-04 2013-10-23 北京奇虎科技有限公司 Method, system, client and server for processing webpage access behavior
CN103744686A (en) * 2013-10-18 2014-04-23 青岛海信传媒网络技术有限公司 Control method and system for installing application in intelligent terminal
JP2014137661A (en) * 2013-01-16 2014-07-28 Nec Infrontia Corp Security system, security control method and security control program
CN104246788A (en) * 2012-04-18 2014-12-24 迈克菲公司 Detection and prevention of installation of malicious mobile applications
CN104765629A (en) * 2015-03-24 2015-07-08 广东欧珀移动通信有限公司 System application installation method and device
CN105320886A (en) * 2015-09-22 2016-02-10 北京奇虎科技有限公司 Method for detecting malware in mobile terminal and mobile terminal



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170215