CN106446681A - Virus searching and killing method and apparatus - Google Patents


Info

Publication number: CN106446681A
Authority: CN (China)
Prior art keywords: virus; behavior sequence; application program; track; behavior
Legal status: Granted
Application number: CN201510484452.6A
Other languages: Chinese (zh)
Other versions: CN106446681B (en)
Inventors: 崔精兵, 吴彬, 姜澎
Current assignee: Tencent Technology Shenzhen Co Ltd; Tencent Cloud Computing Beijing Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201510484452.6A (granted as CN106446681B)
Publication of CN106446681A
Application granted; publication of CN106446681B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a virus searching and killing method and apparatus. The method comprises the following steps: recording the behavior sequence trace of an application; matching the behavior sequence trace of the application against a pre-stored behavior sequence trace of a virus; if the match succeeds, judging the application to be the virus; and clearing the application judged to be the virus. In this method, the behavior sequence tree of the application is matched against a pre-stored behavior sequence tree of the virus, and if the match succeeds the application is judged to be the virus and is cleared. Information on the terminal does not need to be uploaded to the cloud, so user information is prevented from leaking and security is improved; and it is unnecessary to pre-store every virus file and compare the detected file against each of them, because the behavior sequence tree of the virus is used and the detected application's behavior sequence tree is compared with it, so generality is high.

Description

Virus scanning and removal (searching and killing) method and apparatus
Technical field
The present invention relates to the field of computer security, and in particular to a virus scanning and removal method and apparatus.
Background
With the development of network technology, the spread of computer viruses is intensifying. Viruses cause great harm to the security of user information and to user property, and how to scan for and remove viruses efficiently has become a focus of attention. The traditional approach is mainly cloud scanning. Cloud scanning requires that the corresponding file be stored in the cloud and already classified as a virus or not; the hash of the file on the user's computer is then computed and uploaded to the cloud, where it is compared with the hashes of the files stored there to decide whether the file is a virus. Because the hashes of the files on the user's computer must be uploaded to the cloud, user privacy is easily stolen and security is low; and because only files already stored in the cloud can be classified, generality is poor.
Summary of the invention
To address the low security and poor generality of traditional cloud scanning, it is necessary to provide a virus scanning and removal method that improves security and has high generality.
In addition, there is a need to provide a virus scanning and removal apparatus that improves security and has high generality.
A virus scanning and removal method comprises the following steps:
recording the behavior sequence trace of an application program;
matching the behavior sequence trace of the application program against the pre-stored behavior sequence trace of a virus;
if the behavior sequence trace of the application program matches the pre-stored behavior sequence trace of the virus successfully, judging the application program to be a virus;
clearing the application program judged to be a virus.
A virus scanning and removal apparatus comprises:
a recording module, for recording the behavior sequence trace of an application program;
a matching module, for matching the behavior sequence trace of the application program against the pre-stored behavior sequence trace of a virus;
a determination module, for judging the application program to be a virus if the behavior sequence trace of the application program matches the pre-stored behavior sequence trace of the virus successfully;
a removal module, for clearing the application program judged to be a virus.
In the above virus scanning and removal method and apparatus, the behavior sequence trace of the application program is matched against the pre-stored behavior sequence trace of the virus; if the match succeeds, the application program is judged to be a virus and is cleared. Information on the terminal does not need to be uploaded to the cloud, so user information is prevented from leaking and security is improved. It is also unnecessary to pre-store every virus file and then compare a detected file against each of them: the behavior sequence trace of the virus is used, and the behavior sequence trace of the detected file is compared with it, so generality is high.
Brief description of the drawings
Fig. 1 is a schematic diagram of the internal structure of a terminal in one embodiment;
Fig. 2 is a schematic diagram of the internal structure of a server in one embodiment;
Fig. 3 is a flow chart of the virus scanning and removal method in one embodiment;
Fig. 4 is a flow chart of the virus scanning and removal method in another embodiment;
Fig. 5 is a schematic diagram of the behavior sequence tree of the example;
Fig. 6 is a schematic diagram of the pre-stored behavior sequence tree of a virus;
Fig. 7 is a schematic diagram of the result of matching the example's behavior sequence tree of Fig. 5 against the pre-stored virus behavior sequence tree of Fig. 6;
Fig. 8 is a structural block diagram of the virus scanning and removal apparatus in one embodiment;
Fig. 9 is a structural block diagram of the virus scanning and removal apparatus in another embodiment.
Specific embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
Fig. 1 is a schematic diagram of the internal structure of a terminal in one embodiment. As shown in Fig. 1, the terminal includes a processor, a storage medium, a memory, a network interface, a voice collection device, a display screen, a speaker and an input device, connected through a system bus. The storage medium of the terminal stores an operating system and also a virus scanning and removal apparatus, which is used to implement a virus scanning and removal method. The processor provides computing and control capability and supports the operation of the whole terminal. The memory of the terminal provides an environment for running the virus scanning and removal apparatus stored in the storage medium, and the network interface is used for network communication with a server, for example sending data requests to the server and receiving the data the server returns. The display screen of the terminal may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, buttons, a trackball or a touchpad on the terminal housing, or an external keyboard, touchpad or mouse. The terminal may be a mobile phone, a tablet computer or a personal digital assistant. Those skilled in the art will understand that the structure shown in Fig. 1 is only a block diagram of the part of the structure related to the present solution and does not limit the terminal to which the solution is applied; a specific terminal may include more or fewer components than shown, combine some components, or arrange the components differently.
Fig. 2 is a schematic diagram of the internal structure of a server in one embodiment. As shown in Fig. 2, the server includes a processor, a storage medium, a memory and a network interface connected through a system bus. The storage medium of the server stores an operating system, a database and a virus scanning and removal apparatus; the database stores the behavior sequence traces of viruses, and the apparatus implements a virus scanning and removal method applied to the server. The processor of the server provides computing and control capability and supports the operation of the whole server. The memory of the server provides an environment for running the virus scanning and removal apparatus stored in the storage medium. The network interface of the server communicates with external terminals over a network connection, for example receiving data requests sent by a terminal and returning data to the terminal. The server may be implemented as a stand-alone server or as a cluster of multiple servers. Those skilled in the art will understand that the structure shown in Fig. 2 is only a block diagram of the part of the structure related to the present solution and does not limit the server to which the solution is applied; a specific server may include more or fewer components than shown, combine some components, or arrange the components differently.
Fig. 3 is a flow chart of the virus scanning and removal method in one embodiment. As shown in Fig. 3, the method runs in the terminal of Fig. 1 and comprises the following steps:
Step 302: record the behavior sequence trace of an application program.
Specifically, the behavior sequence trace of an application program is the relevant information produced, in chronological and/or logical order, while the application program runs. For example, the behavior sequence trace of an application program may include the start of the application's process, other behaviors of the application's process, the application's process creating a thread in a system process, that thread then creating an executable file, writing the registry, or other behaviors. A process is an application program currently running in the terminal or server system. A thread is a relatively independent, schedulable execution unit within a process; it is the basic unit that the system schedules and dispatches independently. The registry is an important database in the Windows system that stores the settings of the system and of application programs.
Recording the behavior sequence trace of the application program includes recording the application program's critical behavior trace, which includes one or more of: process start, thread creation, executable file creation and registry write. Recording only the critical behavior trace reduces the amount of data recorded, reduces the computation of the subsequent comparison with the pre-stored virus behavior sequence trace, and improves computational efficiency.
Step 304: match the behavior sequence trace of the application program against the pre-stored behavior sequence trace of the virus.
Specifically, the behavior sequence trace of the virus is analyzed and stored first. The behavior sequence trace of the application program is then compared with the pre-stored behavior sequence trace of the virus. If the application program's trace contains the pre-stored virus trace, the match succeeds and the application program is judged to be a virus. If the application program's trace contains only part of the pre-stored virus trace, or none of it, the match fails and the application program is judged not to be a virus.
The pre-stored behavior sequence trace of the virus may include: process start, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry.
In one embodiment, the pre-stored behavior sequence trace of the virus includes: the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry;
the obtained behavior sequence trace of the application program includes: receiving a trigger operation on the application file, the system creating a process according to the trigger operation, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry;
the behavior sequence trace of the application program is matched against the pre-stored behavior sequence trace of the virus, and since the application program's trace contains the pre-stored virus trace, namely the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry, the match succeeds and the application program is judged to be a virus.
Step 306: if the behavior sequence trace of the application program matches the pre-stored behavior sequence trace of the virus successfully, judge the application program to be a virus.
Step 308: clear the application program judged to be a virus.
Specifically, clearing the application program judged to be a virus may mean deleting the process of the application program, or rolling back the application program's behavior.
Deleting the process of the application program means deleting the process that was opened when the application program was launched and ran. Rolling back the application program's behavior means performing the reverse operations according to the recorded behavior sequence trace; for example, if the application program's behavior sequence trace is creating a thread in a system process, rolling back the application program's behavior is closing the created thread.
In the above virus scanning and removal method, the behavior sequence trace of the application program is matched against the pre-stored behavior sequence trace of the virus; if the match succeeds, the application program is judged to be a virus and is cleared. Information on the terminal does not need to be uploaded to the cloud, so user information is prevented from leaking and security is improved. It is also unnecessary to pre-store every virus file and then compare a detected file against each of them: the behavior sequence trace of the virus is used, and the behavior sequence trace of the detected file is compared with it, so generality is high.
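As an added illustration of steps 302 to 308 (example code written for this page, not code from the patent or from Tencent), the following Python filters a constructed event stream down to the critical behaviors named above, checks whether the whole pre-stored virus trace occurs in order within the application's trace (a trace containing only a prefix of the virus trace fails, as the text specifies), and derives the reverse operations used for rollback. The event record, the field names, the "x" wildcard convention and the reverse-operation table are assumptions of this example; the sample events are constructed, following the explorer-injection pattern the patent describes.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Critical behaviour kinds named in the patent (step 302); other events are not recorded.
CRITICAL = {"process_start", "create_thread", "create_exe", "write_registry"}

# Reverse operation for each critical behaviour, used for rollback (step 308).
# The operation names are assumptions of this example.
REVERSE = {
    "process_start": "terminate_process",
    "create_thread": "close_thread",
    "create_exe": "delete_file",
    "write_registry": "delete_registry_value",
}


@dataclass(frozen=True)
class Behavior:
    kind: str    # behaviour kind, e.g. "create_thread"
    actor: str   # process or thread performing the behaviour
    target: str  # object acted upon: process name, host process, file path, registry value


def record_trace(events: List[Behavior]) -> List[Behavior]:
    """Step 302: keep only critical behaviours, preserving their time order."""
    return [e for e in events if e.kind in CRITICAL]


def _behavior_matches(pattern: Behavior, actual: Behavior) -> bool:
    """A pattern field equal to "x" is a wildcard, as in the patent's Fig. 6."""
    return (pattern.kind == actual.kind
            and pattern.actor in ("x", actual.actor)
            and pattern.target in ("x", actual.target))


def match_trace(app: List[Behavior], virus: List[Behavior]) -> bool:
    """Step 304: succeed only when every behaviour of the virus trace occurs, in order,
    somewhere in the application trace. No pattern element binds a value, so a greedy
    left-to-right scan is exact; a trace holding only a prefix of the virus trace fails."""
    i = 0
    for e in app:
        if i < len(virus) and _behavior_matches(virus[i], e):
            i += 1
    return i == len(virus)


def rollback_plan(trace: List[Behavior]) -> List[Tuple[str, str]]:
    """Step 308: reverse operations in the opposite order to the recorded behaviours."""
    return [(REVERSE[e.kind], e.target) for e in reversed(trace)]


# Constructed sample events, following the patent's example: process A creates a
# thread in explorer, which drops c.exe and registers it under the Run key.
SAMPLE_EVENTS = [
    Behavior("process_start", "system", "A"),
    Behavior("read_file", "A", "config.ini"),                 # not critical, dropped
    Behavior("create_thread", "A", "explorer.exe"),
    Behavior("create_exe", "explorer.exe", r"c:\windows\c.exe"),
    Behavior("write_registry", "explorer.exe",
             r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rb"),
]

# Pre-stored virus trace with "x" wildcards (constructed for this example).
VIRUS_TRACE = [
    Behavior("process_start", "x", "x"),
    Behavior("create_thread", "x", "explorer.exe"),
    Behavior("create_exe", "explorer.exe", "x"),
    Behavior("write_registry", "explorer.exe", "x"),
]


def classify(events: List[Behavior]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Run steps 302-308 over raw events: returns (is_virus, rollback plan or [])."""
    trace = record_trace(events)
    if match_trace(trace, VIRUS_TRACE):
        return True, rollback_plan(trace)
    return False, []


if __name__ == "__main__":
    verdict, plan = classify(SAMPLE_EVENTS)
    print("virus" if verdict else "clean")
    for op, target in plan:
        print(f"  {op}: {target}")
```

Running the block classifies the constructed sample as a virus and lists the rollback plan, with the registry value removed first and the process terminated last; truncating the sample before the registry write makes the match fail, which is the partial-match case the text treats as "not a virus".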
In one embodiment, the pre-stored behavior sequence trace of the virus may be formed into a behavior sequence tree of the virus, a behavior sequence chart of the virus, a behavior sequence timeline of the virus, or the like.
Specifically, the behavior sequence tree of a virus is a tree structure formed from the virus's behaviors according to their logical or temporal relationship. The behavior sequence chart of a virus is a chart drawn from the virus's behavior sequence according to its temporal or logical relationships. The behavior sequence timeline of a virus displays the virus's behavior sequence in the form of a timeline.
Fig. 4 is a flow chart of the virus scanning and removal method in another embodiment. In Fig. 4, the pre-stored behavior sequence trace of the virus is formed into a behavior sequence tree of the virus. As shown in Fig. 4, the method comprises:
Step 402: record the behavior sequence trace of an application program.
Specifically, the behavior sequence trace of an application program is the relevant information produced, in chronological and/or logical order, while the application program runs. For example, the behavior sequence trace of an application program may include the start of the application's process, other behaviors of the application's process, the application's process creating a thread in a system process, that thread then creating an executable file, writing the registry, or other behaviors. A process is an application program currently running in the terminal or server system. A thread is a relatively independent, schedulable execution unit within a process; it is the basic unit that the system schedules and dispatches independently. The registry is an important database in the Windows system that stores the settings of the system and of application programs.
Recording the behavior sequence trace of the application program includes recording the application program's critical behavior trace, which includes one or more of: process start, thread creation, executable file creation and registry write. Recording only the critical behavior trace reduces the amount of data recorded, reduces the computation of the subsequent comparison with the pre-stored virus behavior sequence trace, and improves computational efficiency.
Step 404: build the behavior sequence tree of the application program from its behavior sequence trace.
Specifically, the behavior sequence tree of the application program is built from its behavior sequence trace according to chronological order or logical order.
Step 406: match the behavior sequence tree of the application program against the pre-stored behavior sequence tree of the virus.
Specifically, the behavior sequence trace of the virus is analyzed and stored first, and the behavior sequence tree of the virus is formed from it. The behavior sequence tree of the application program is then compared with the pre-stored behavior sequence tree of the virus. If the application program's tree contains the pre-stored virus tree, the match succeeds and the application program is judged to be a virus. If the application program's tree contains only part of the pre-stored virus tree, or none of it, the match fails and the application program is judged not to be a virus.
The pre-stored behavior sequence tree of the virus may include: process start, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry.
In one embodiment, the pre-stored behavior sequence tree of the virus includes: the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry;
the built behavior sequence tree of the application program includes: receiving a trigger operation on the application file, the system creating a process according to the trigger operation, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry;
the behavior sequence tree of the application program is matched against the pre-stored behavior sequence tree of the virus, and since the application program's tree contains the pre-stored virus tree, namely the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry, the match succeeds and the application program is judged to be a virus.
Step 408: if the behavior sequence tree of the application program matches the pre-stored behavior sequence tree of the virus successfully, judge the application program to be a virus.
Step 410: clear the application program judged to be a virus.
Specifically, clearing the application program judged to be a virus may mean deleting the process of the application program, or rolling back the application program's behavior.
Deleting the process of the application program means deleting the process that was opened when the application program was launched and ran. Rolling back the application program's behavior means performing the reverse operations according to the recorded behavior sequence trace; for example, if the application program's behavior sequence trace is creating a thread in a system process, rolling back the application program's behavior is closing the created thread.
In the above virus scanning and removal method, the behavior sequence tree of the application program is matched against the pre-stored behavior sequence tree of the virus; if the match succeeds, the application program is judged to be a virus and is cleared. Information on the terminal does not need to be uploaded to the cloud, so user information is prevented from leaking and security is improved. It is also unnecessary to pre-store every virus file and then compare a detected file against each of them: the behavior sequence tree of the virus is used, and the behavior sequence tree of the detected application program is compared with it, so generality is high; and because the application program's behavior sequence tree is matched against the virus's behavior sequence tree, the structure is clear and easy to compare.
It should be noted that a behavior sequence chart or a behavior sequence timeline formed from the virus's behavior sequence trace may also be matched in the manner described above; this is not repeated here.
In one embodiment, the above virus scanning and removal method further includes: periodically updating the behavior sequence trace of the virus, or periodically updating the behavior sequence tree of the virus.
Specifically, the behavior sequence trace or behavior sequence tree of the virus can be updated periodically on a server or the like, and the terminal can download the updated virus behavior sequence trace or tree from the server to local storage. Periodically updating the virus behavior sequence trace allows new viruses to be detected and removed, improving detection accuracy.
The working principle of the virus scanning and removal method is illustrated below with a specific example. Taking the sample virus.exe as an example, the behavior sequence trace of the sample virus.exe includes:
(1) the user double-clicks the virus.exe file;
(2) the system creates process A;
(3) process A creates thread b in the system process explorer;
specifically, the system process explorer is the Windows file management process, responsible for file browsing and the like;
(4) thread b of the system process explorer creates the executable file c.exe under c:\windows;
(5) thread b of the system process explorer writes the registry, that is, it creates a registry value named rb with the data c:\windows\c.exe under the system registry key HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
Fig. 5 is a schematic diagram of the behavior sequence tree of the example. As shown in Fig. 5, the behavior sequence tree of the example is formed from the example's behavior sequence trace. After the user double-clicks the virus.exe file, process A starts, then creates thread b in the process explorer, which then creates the file c.exe, writes a Run item, and performs other behaviors. A Run item is a startup entry written to the Run key of the registry.
Fig. 6 is a schematic diagram of the pre-stored behavior sequence tree of a virus. As shown in Fig. 6, the virus's behavior sequence tree includes: process x starts, process x creates thread x in explorer, creates the file x.exe, and writes a Run item, where x denotes a wildcard that matches anything.
Fig. 7 is a schematic diagram of the result of matching the example's behavior sequence tree of Fig. 5 against the pre-stored virus behavior sequence tree of Fig. 6. As shown in Fig. 7, the example's behavior sequence tree contains: process A starts, process A creates thread b in explorer, creates the file c.exe, and writes a Run item, which is consistent with the pre-stored virus behavior sequence tree; that is, the match succeeds and the example is a virus.
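The tree form of the matching (steps 404 to 408 and Figs. 5 to 7), as an added Python example written for this page rather than code from the patent or from Tencent: a behavior sequence tree is built from a parent-child trace of the virus.exe sample, and the Fig. 6 pattern, with x as a wildcard, is searched for as an embedded subtree; extra children such as the example's "other behaviors" are ignored, and a tree missing any node of the pattern fails. The event record layout, the reading of the x wildcard (bare "x" matches any argument, "x.exe" any file with that extension) and the sample trace are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# One recorded event: (event id, parent event id or "" for the root, behaviour kind,
# argument). The layout is an assumption of this example.
Event = Tuple[str, str, str, str]


@dataclass
class Node:
    kind: str
    arg: str
    children: List["Node"] = field(default_factory=list)


def build_tree(events: List[Event]) -> Node:
    """Step 404: form a behaviour sequence tree from the trace. Each event hangs under
    the event that caused it, so time/causal order becomes parent-child order."""
    nodes: Dict[str, Node] = {}
    root: Optional[Node] = None
    for eid, parent, kind, arg in events:
        node = Node(kind, arg)
        nodes[eid] = node
        if parent == "":
            root = node
        else:
            nodes[parent].children.append(node)
    if root is None:
        raise ValueError("trace has no root event")
    return root


def _arg_matches(pattern: str, actual: str) -> bool:
    """Wildcard rules assumed for the x of Fig. 6: "x" matches any argument and
    "x.exe" matches any file name with that extension."""
    if pattern == "x":
        return True
    if pattern.startswith("x."):
        return actual.endswith(pattern[1:])
    return pattern == actual


def _match_at(pattern: Node, actual: Node) -> bool:
    """True if the pattern tree is embedded in the actual tree with its root at `actual`.
    Extra children of the actual tree (the example's "other behaviours") are ignored."""
    if pattern.kind != actual.kind or not _arg_matches(pattern.arg, actual.arg):
        return False
    return _assign(pattern.children, actual.children, set())


def _assign(pcs: List[Node], acs: List[Node], used: Set[int]) -> bool:
    """Assign each pattern child to a distinct actual child, backtracking on failure."""
    if not pcs:
        return True
    head, rest = pcs[0], pcs[1:]
    for i, ac in enumerate(acs):
        if i not in used and _match_at(head, ac) and _assign(rest, acs, used | {i}):
            return True
    return False


def contains(app: Node, virus: Node) -> bool:
    """Step 406: the application tree contains the virus tree if the virus tree matches
    at some node of the application tree."""
    return _match_at(virus, app) or any(contains(c, virus) for c in app.children)


# Constructed trace of the patent's sample (Fig. 5): double-click, process A, thread b in
# explorer, then c.exe, a Run item and one unrelated behaviour under that thread.
SAMPLE_TRACE: List[Event] = [
    ("e1", "",   "double_click",  "virus.exe"),
    ("e2", "e1", "process_start", "A"),
    ("e3", "e2", "create_thread", "explorer"),
    ("e4", "e3", "create_exe",    "c.exe"),
    ("e5", "e3", "write_run",     "rb"),
    ("e6", "e3", "read_file",     "hosts"),
]

# Pre-stored virus tree of Fig. 6, with x as the wildcard (constructed for this example).
VIRUS_PATTERN: List[Event] = [
    ("v1", "",   "process_start", "x"),
    ("v2", "v1", "create_thread", "explorer"),
    ("v3", "v2", "create_exe",    "x.exe"),
    ("v4", "v2", "write_run",     "x"),
]


def is_virus(trace: List[Event]) -> bool:
    """Steps 404 to 408 end to end: build the application tree and test containment."""
    return contains(build_tree(trace), build_tree(VIRUS_PATTERN))


if __name__ == "__main__":
    print("virus" if is_virus(SAMPLE_TRACE) else "clean")
```

The pattern root (process x starts) is not the root of the sample tree, since the sample begins with the double-click; `contains` therefore searches every node as a candidate anchor, which is what lets the Fig. 6 tree be found inside the Fig. 5 tree. Removing the Run-item event from the sample leaves only part of the pattern present, and the verdict becomes "clean".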
Fig. 8 is a structural block diagram of the virus scanning and removal apparatus in one embodiment. As shown in Fig. 8, the apparatus includes a recording module 810, a matching module 820, a determination module 830 and a removal module 840. Of these:
The recording module 810 is used to record the behavior sequence trace of an application program.
Specifically, the behavior sequence trace of an application program is the relevant information produced, in chronological and/or logical order, while the application program runs. For example, the behavior sequence trace of an application program may include the start of the application's process, other behaviors of the application's process, the application's process creating a thread in a system process, that thread then creating an executable file, writing the registry, or other behaviors. A process is an application program currently running in the terminal or server system. A thread is a relatively independent, schedulable execution unit within a process; it is the basic unit that the system schedules and dispatches independently. The registry is an important database in the Windows system that stores the settings of the system and of application programs.
In this embodiment, the recording module 810 is further used to record the application program's critical behavior trace, which includes one or more of: process start, thread creation, executable file creation and registry write. Recording only the critical behavior trace reduces the amount of data recorded, reduces the computation of the subsequent comparison with the pre-stored virus behavior sequence trace, and improves computational efficiency.
The matching module 820 is used to match the behavior sequence trace of the application program against the pre-stored behavior sequence trace of the virus.
Specifically, the behavior sequence trace of the virus is analyzed and stored first. The behavior sequence trace of the application program is then compared with the pre-stored behavior sequence trace of the virus. If the application program's trace contains the pre-stored virus trace, the match succeeds and the application program is judged to be a virus. If the application program's trace contains only part of the pre-stored virus trace, or none of it, the match fails and the application program is judged not to be a virus.
The pre-stored behavior sequence trace of the virus may include: process start, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry.
The determination module 830 is used to judge the application program to be a virus if the match succeeds.
Specifically, if the behavior sequence trace of the application program matches the pre-stored behavior sequence trace of the virus successfully, the application program is judged to be a virus.
In one embodiment, the pre-stored behavior sequence trace of the virus includes: the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry;
the behavior sequence trace of the application program obtained by the recording module 810 includes: receiving a trigger operation on the application file, the system creating a process according to the trigger operation, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry;
the matching module 820 matches the behavior sequence trace of the application program against the pre-stored behavior sequence trace of the virus, and since the application program's trace contains the pre-stored virus trace, namely the system creating a process, the process creating a thread in a system process, the thread created in the system process creating an executable file, and writing the registry, the match succeeds and the determination module 830 judges the application program to be a virus.
The removal module 840 is used to clear the application program judged to be a virus.
Specifically, clearing the application program judged to be a virus may mean deleting the process of the application program, or rolling back the application program's behavior.
Deleting the process of the application program means deleting the process that was opened when the application program was launched and ran. Rolling back the application program's behavior means performing the reverse operations according to the recorded behavior sequence trace; for example, if the application program's behavior sequence trace is creating a thread in a system process, rolling back the application program's behavior is closing the created thread.
In the above virus scanning and removal apparatus, the behavior sequence trace of the application program is matched against the pre-stored behavior sequence trace of the virus; if the match succeeds, the application program is judged to be a virus and is cleared. Information on the terminal does not need to be uploaded to the cloud, so user information is prevented from leaking and security is improved. It is also unnecessary to pre-store every virus file and then compare a detected file against each of them: the behavior sequence trace of the virus is used, and the behavior sequence trace of the detected file is compared with it, so generality is high.
Fig. 9 is a structural block diagram of the virus scanning and removal device in another embodiment. As shown in Fig. 9, the virus scanning and removal device includes, besides the recording module 810, matching module 820, determination module 830 and removal module 840, an establishing module 850, a forming module 860 and an update module 870. Wherein:
The establishing module 850 is used to establish the behavior sequence tree of the application program according to the behavior sequence track of the application program, after the behavior sequence track of the application program has been recorded.
The forming module 860 is used to form the behavior sequence tree of the virus from the prestored behavior sequence track of the virus. The behavior sequence tree of the virus refers to a tree structure formed by ordering the behaviors of the virus according to their logical relationship or time relationship.
The matching module 820 is further used to match the behavior sequence tree of the application program against the behavior sequence tree of the prestored virus.
Specifically, the behavior sequence track of the virus is first analyzed and stored, and the behavior sequence tree of the virus is formed according to the behavior sequence track of the virus. The behavior sequence tree of the application program is compared with the prestored behavior sequence tree of the virus: if the behavior sequence tree of the application program contains the prestored behavior sequence tree of the virus, the match is successful and the application program is judged to be a virus; if the behavior sequence track of the application program contains only part of the prestored behavior sequence tree of the virus, or does not contain the prestored behavior sequence tree of the virus at all, the match fails and the application program is judged not to be a virus.
The prestored behavior sequence tree of the virus may include: process start, the process creating a thread in a system process, and the thread created in the system process creating an executable file and writing to the registry.
In one embodiment, the pre-formed behavior sequence tree of the virus includes: the system creating a process, the process creating a thread in a system process, and the thread created in the system process creating an executable file and writing to the registry;
The behavior sequence tree of the application program established by the establishing module 850 includes: receiving a trigger operation on the application file; the system creating a process in response to the trigger operation; the process creating a thread in a system process; and the thread created in the system process creating an executable file and writing to the registry;
The matching module 820 matches the behavior sequence tree of the application program against the pre-formed behavior sequence tree of the virus. If the behavior sequence tree of the application program contains the pre-formed behavior sequence tree of the virus, that is, it contains the system creating a process, the process creating a thread in a system process, and the thread created in the system process creating an executable file and writing to the registry, then the match is successful and the determination module 830 judges the application program to be a virus.
The determination module 830 is further used to judge the application program to be a virus if the behavior sequence tree of the application program successfully matches the behavior sequence tree of the prestored virus.
The update module 870 is used to regularly update the behavior sequence track of the virus.
Specifically, the behavior sequence track or behavior sequence tree of the virus may be regularly updated on a server or the like, and the terminal may download the updated behavior sequence track or behavior sequence tree of the virus from the server to local storage. Regularly updating the behavior sequence track of the virus makes it possible to detect and remove new viruses and improves the detection accuracy.
In other embodiments, the prestored behavior sequence track of the virus may be formed into a behavior sequence chart of the virus, a behavior sequence timeline of the virus, or the like.
Specifically, the behavior sequence chart of the virus refers to the behavior sequence of the virus drawn as a chart according to time or logical relationship. The behavior sequence timeline of the virus refers to the behavior sequence of the virus displayed in the form of a timeline.
The above virus scanning and removal device matches the behavior sequence tree of the application program against the behavior sequence tree of the prestored virus; if the match is successful, it judges the application program to be a virus and removes it. The information on the terminal need not be uploaded to the cloud, which prevents user information from being leaked and improves security. Nor is it necessary to prestore each virus file and then compare the file under detection against the virus files; instead the behavior sequence tree of the virus is used, and the behavior sequence tree of the application program under detection is compared with the behavior sequence tree of the virus, which is highly versatile. Moreover, matching the behavior sequence tree of the application program against the behavior sequence tree of the virus has a clear structure and is easy to compare.
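The following is an added illustration of the two matching modes described above: the track match of the Fig. 8 embodiment (ordered containment of the prestored virus behavior sequence track) and the tree match of the Fig. 9 embodiment (the virus behavior sequence tree contained in the application program's behavior sequence tree, with parent/child links given by which entity performed each behavior), plus the rollback plan of reverse operations. It is example code written for this page, not the patent's or Tencent's implementation; the event-line format, the actor and target names, the action vocabulary and the reverse-operation table are all constructed assumptions.

```python
"""Behavior-sequence track and tree matching, illustrating the patent's idea.
Example code for this page, not the patent's own implementation."""

# Constructed per-application event log: "<actor> <action> <target>" per line.
# Actors and targets are hypothetical identifiers, not real malware artifacts.
SAMPLE_EVENTS = """\
user trigger app.exe
system create_process app.exe
app.exe create_thread svchost.exe
svchost.exe create_file dropper.exe
svchost.exe write_registry registry:Run
"""

# Prestored virus behavior sequence track (assumed action vocabulary).
VIRUS_TRACK = ["create_process", "create_thread", "create_file", "write_registry"]

# Prestored virus behavior sequence tree: (action, [child subtrees]).
# Child nodes are behaviors performed by the entity the parent created.
VIRUS_TREE = ("create_process", [
    ("create_thread", [("create_file", []), ("write_registry", [])]),
])

# Constructed reverse operations used for rollback (assumption, not the patent's list).
REVERSE = {"create_process": "terminate_process", "create_thread": "close_thread",
           "create_file": "delete_file", "write_registry": "restore_registry"}


def parse_track(text):
    """Record the behavior sequence track as a list of (actor, action, target)."""
    track = []
    for line in text.splitlines():
        if line.strip():
            actor, action, target = line.split(maxsplit=2)
            track.append((actor, action, target))
    return track


def contains_sequence(app_actions, virus_actions):
    """Track match: every virus action appears in the application's track in
    the same order (gaps allowed). A partial or out-of-order track fails."""
    it = iter(app_actions)
    return all(any(a == v for a in it) for v in virus_actions)


def build_tree(track):
    """Behavior sequence tree: each event is a node; its children are the
    events performed by the entity (target) it created. Assumes (action, target)
    pairs are unique within one application's track."""
    children, node_of, roots = {}, {}, []
    for actor, action, target in track:
        node = (action, target)
        children.setdefault(node, [])
        parent = node_of.get(actor)
        if parent is None:
            roots.append(node)
        else:
            children[parent].append(node)
        node_of[target] = node          # latest creator of an entity wins
    return roots, children


def tree_contains(roots, children, vtree):
    """Tree match: the virus tree is embedded somewhere in the application tree,
    each virus child matched by a distinct child of the corresponding node."""
    def match_at(node, vnode):
        vaction, vkids = vnode
        if node[0] != vaction:
            return False
        kids = list(children[node])
        for vk in vkids:
            hit = next((k for k in kids if match_at(k, vk)), None)
            if hit is None:
                return False
            kids.remove(hit)
        return True

    def walk(node):
        return match_at(node, vtree) or any(walk(k) for k in children[node])

    return any(walk(r) for r in roots)


def rollback_plan(track):
    """Reverse operations in reverse order, as the rollback removal described."""
    return [(REVERSE[a], t) for _, a, t in reversed(track) if a in REVERSE]


def classify(text, virus_track=VIRUS_TRACK, virus_tree=VIRUS_TREE):
    """Run both matching modes and return the verdicts plus the rollback plan."""
    track = parse_track(text)
    by_track = contains_sequence([a for _, a, _ in track], virus_track)
    roots, children = build_tree(track)
    by_tree = tree_contains(roots, children, virus_tree)
    return {"virus_by_track": by_track, "virus_by_tree": by_tree,
            "rollback": rollback_plan(track) if by_tree else []}


if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))
```

The tree match is stricter than the track match: an application whose main process itself creates a thread, a file and a registry entry (rather than the thread doing the file and registry work) has the same flat action sequence as the virus track but a different tree, so the track check flags it while the tree check does not. That is the "clear structure, easy to compare" advantage the description claims for the tree form.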
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the flow of the embodiments of each of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), or the like.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent claims of the present invention. It should be noted that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present invention, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the present patent shall be defined by the appended claims.

Claims (12)

1. A virus scanning and removal method, comprising the following steps:
recording a behavior sequence track of an application program;
matching the behavior sequence track of the application program against a prestored behavior sequence track of a virus;
if the behavior sequence track of the application program successfully matches the prestored behavior sequence track of the virus, judging the application program to be a virus; and
removing the application program judged to be a virus.
2. The method according to claim 1, characterized in that after the step of recording the behavior sequence track of the application program, the method further comprises:
establishing a behavior sequence tree of the application program according to the behavior sequence track of the application program;
forming a behavior sequence tree of the virus from the prestored behavior sequence track of the virus; and
matching the behavior sequence tree of the application program against the behavior sequence tree of the prestored virus, and, if the behavior sequence tree of the application program successfully matches the behavior sequence tree of the prestored virus, judging the application program to be a virus.
3. The method according to claim 1, characterized in that the step of recording the behavior sequence track of the application program comprises:
recording a critical behavior track of the application program, the critical behavior track including one or more of process start, thread creation, executable file creation and registry writing.
4. The method according to claim 1, characterized in that the step of removing the application program judged to be a virus comprises:
deleting the process of the application program, or rolling back the behavior of the application program.
5. The method according to any one of claims 1 to 4, characterized in that the prestored behavior sequence track of the virus includes: process start; the process creating a thread in a system process; the thread created in the system process creating an executable file; and the thread created in the system process writing to the registry.
6. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
regularly updating the behavior sequence track of the virus.
7. A virus scanning and removal device, characterized in that it comprises:
a recording module, for recording a behavior sequence track of an application program;
a matching module, for matching the behavior sequence track of the application program against a prestored behavior sequence track of a virus;
a determination module, for judging the application program to be a virus if the behavior sequence track of the application program successfully matches the prestored behavior sequence track of the virus; and
a removal module, for removing the application program judged to be a virus.
8. The device according to claim 7, characterized in that the device further comprises:
an establishing module, for establishing a behavior sequence tree of the application program according to the behavior sequence track of the application program after the behavior sequence track of the application program has been recorded; and
a forming module, for forming a behavior sequence tree of the virus from the prestored behavior sequence track of the virus;
the matching module is further used to match the behavior sequence tree of the application program against the behavior sequence tree of the prestored virus; and
the determination module is further used to judge the application program to be a virus if the behavior sequence tree of the application program successfully matches the behavior sequence tree of the prestored virus.
9. The device according to claim 7, characterized in that the recording module is further used to record a critical behavior track of the application program, the critical behavior track including one or more of process start, thread creation, executable file creation and registry writing.
10. The device according to claim 7, characterized in that the removal module is further used to delete the process of the application program, or to roll back the behavior of the application program.
11. The device according to any one of claims 7 to 10, characterized in that the prestored behavior sequence track of the virus includes: process start; the process creating a thread in a system process; the thread created in the system process creating an executable file; and the thread created in the system process writing to the registry.
12. The device according to any one of claims 7 to 10, characterized in that the device further comprises:
an update module, for regularly updating the behavior sequence track of the virus.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510484452.6A CN106446681B (en) 2015-08-07 2015-08-07 Checking and killing virus method and apparatus

Publications (2)

Publication Number Publication Date
CN106446681A true CN106446681A (en) 2017-02-22
CN106446681B CN106446681B (en) 2019-09-17

Family

ID=58092138

Country Status (1)

Country Link
CN (1) CN106446681B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021802A (en) * 2017-10-24 2018-05-11 努比亚技术有限公司 A kind of system resource access control method, terminal and computer-readable recording medium
CN108182360A (en) * 2018-01-31 2018-06-19 腾讯科技(深圳)有限公司 A kind of Risk Identification Method and its equipment, storage medium, electronic equipment
CN109784053A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 Generation method, device and storage medium, the electronic device of filtering rule

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
US7991880B2 (en) * 2008-03-31 2011-08-02 Nokia Corporation Bionets architecture for building services capable of self-evolution
CN102622536A (en) * 2011-01-26 2012-08-01 中国科学院软件研究所 Method for catching malicious codes
CN103825780A (en) * 2014-02-26 2014-05-28 珠海市君天电子科技有限公司 Tag-on program identification method, service and system

Also Published As

Publication number Publication date
CN106446681B (en) 2019-09-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230705

Address after: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.