CN106503551A - Processing method and system for ransomware - Google Patents
- Publication number: CN106503551A (application number CN201610960494.7A)
- Authority: CN (China)
- Prior art keywords: file, disk, newly added, restoration point, cryptographic hash
- Legal status: Pending (the status shown by Google Patents is an assumption, not a legal conclusion)
Classifications
All classifications fall under G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing):
- G06F21/552: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F21/00) > Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems (G06F21/50) > Detecting local intrusion or implementing counter-measures (G06F21/55) > involving long-term monitoring or reporting (G06F21/552)
- G06F21/562: G06F21/00 > G06F21/50 > G06F21/55 > Computer malware detection or handling, e.g. anti-virus arrangements (G06F21/56) > Static detection (G06F21/562)
- G06F21/568: G06F21/00 > G06F21/50 > G06F21/55 > G06F21/56 > eliminating virus, restoring damaged files (G06F21/568)
- G06F2221/034: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F2221/00) > Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms (G06F2221/03) > Test or assess a computer or a system (G06F2221/034)
Abstract
The present invention relates to a processing method and system for ransomware. The method includes: building a backup database, wherein the backup database includes at least one restore point and restore data corresponding to each restore point, the restore data including registry data and disk file data; receiving a processing request; selecting one restore point from the backup database according to the processing request and retrieving the disk file data corresponding to that restore point; traversing the disk and, according to the disk file data corresponding to the restore point, determining whether the disk contains newly added files; and, where the disk contains newly added files, adding a lock-at-startup attribute to the newly added files and restoring the disk according to the registry data corresponding to the restore point. The invention narrows the set of files in which ransomware must be looked for, locks the ransomware effectively so that it can do no further damage, and at the same time restores the disk to a normal state.
Description
Technical field
The present invention relates to the field of information security, and in particular to a processing method and system for ransomware.
Background technology
Ransomware is malware with which a hacker holds a user's assets or resources hostage as leverage for extorting the user. Ransomware usually applies some form of encryption to documents, mail, databases, source code, pictures, compressed archives and other files on the user's system so that they become unusable, or lowers the availability of the system by modifying system configuration files and interfering with the user's normal use of the system. It then issues a ransom notice through a pop-up window, a dialog box or a generated text file, demanding that the user transfer money to a designated account in order to obtain the password that decrypts the files or a tool that restores normal operation of the system.
The known approaches to removing ransomware are the following: (1) removal by deleting the ransomware's files; (2) removal by restoring the system with Windows System Restore; (3) restoring the system through a disk filter driver (for example Recovery Genius (还原精灵) or a recovery card; a recovery card implements the disk-filter principle as a combination of hardware and software); (4) restoring the system from a full backup (for example Norton Ghost). Because of the particular nature of the ransomware threat, each of these methods has several shortcomings when used to remove ransomware.
Removal by deleting the ransomware's files relies on one of two judgements. (1) File signatures: the signatures of known ransomware are collected, a file that matches a signature is judged to be ransomware, and the ransomware is removed by deleting that file. (2) Behavioural signatures: the behaviours of ransomware are collected, the behaviour of running programs is checked against them, a program whose behaviour matches is judged to be ransomware, and it is removed by deleting its files. File signatures can only identify known ransomware and cannot identify unknown ransomware, so unknown ransomware cannot be removed this way. Behavioural judgement can in theory identify some known and unknown ransomware (only some, because ransomware can evade behavioural judgement by substituting alternative behaviours), but in practice its false-positive rate is too high. For example, all ransomware must exhibit one behaviour, traversal of the files on disk, yet this cannot be taken as a necessary and sufficient condition for ransomware, because many programs other than ransomware also traverse disk files, such as antivirus software and the file search function of Windows. The traditional approach of removing ransomware by deleting files therefore depends on high-precision detection of both known and unknown ransomware. Even with high-precision detection, removal by deleting files has two further shortcomings: (1) all malware modifies registry data to implement its malicious operations (such as auto-start), so simply deleting the file leaves the junk data written by the ransomware in the registry; (2) if the ransomware is already running (or has injected itself into a critical system process), forcibly deleting its file can crash processes that need to read the original file, making the system unstable or even producing a blue screen.
When Windows System Restore is used to remove ransomware: System Restore returns the operating system to a working state without destroying data files. The function was introduced in Windows Me and has been present in every Windows version since. System Restore can restore the registry, local profiles, the COM+ database, the Windows File Protection (WFP) cache (wfp.dll), the Windows Management Instrumentation (WMI) database, Microsoft IIS metadata, and the files that utility programs copy into the restore archive by default. The content to be restored cannot be selected: either everything is restored or nothing is. Storing restore points requires at least 300 megabytes (MB) of free space on each hard disk with system protection enabled, and System Restore may use up to 15% of each disk; when the restore points have filled that space, System Restore deletes old restore points to make room for new ones. Using Windows System Restore to remove ransomware therefore has the following shortcomings: (1) it consumes too much disk space; (2) Windows restore points mostly back up executable files (dll or exe), so files that exist in other formats cannot be cleaned up; (3) creating a restore point uses a complex algorithm and is slow; (4) System Restore is an interface that is open to every application. The following situation then arises: if the ransomware knows that the system is restored through Windows restore points, it can first destroy all of the existing restore points before encrypting the whole disk, so that restoration becomes impossible. Even with restore-point protection, which allows only the protection product itself to use restore points and denies other programs, compatibility problems appear: because the interface is open, refusing every other application breaks the programs that legitimately need the restore-point interface.
When a restore system built on a disk filter driver is used to remove ransomware: such a restore system essentially performs an incremental backup of the disk. A backup storage area is set aside on the disk and all modifications made to the disk are written to that area; when a restore is needed, the data in the backup area is simply discarded, and the disk is back in the state it was in before the discarded data was written. The biggest shortcoming of this approach for removing ransomware is that it supports only a single restore point and cannot create restore points at multiple different times. Because so much data is discarded at restoration, a great deal of useful data is discarded with it and cannot be recovered.
In a full-backup restore system (for example Norton Ghost), the disk is backed up in full: all file data on the disk to be backed up is read and combined, with or without compression (compression saves disk space but lengthens restoration; without compression more disk space is used temporarily but restoration is quicker), into one backup file that is kept on a storage medium. To restore, the backup file is unpacked and its data written back to the disk being restored. Compared with removing ransomware through a disk-filter restore system, a full-backup restore system supports multiple restore points, but because the backup is so large it takes a great deal of time, restoration also takes a great deal of time, and the large volume of backup data requires a large amount of storage space.
Summary of the invention
The technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, a processing method and system for ransomware.
The technical solution by which the present invention solves the above problem is as follows. A processing method for ransomware includes:
building a backup database, wherein the backup database includes at least one restore point and restore data corresponding to each restore point, the restore data including registry data and disk file data;
receiving a processing request;
selecting one restore point from the backup database according to the processing request, and retrieving the disk file data corresponding to that restore point;
traversing the disk and, according to the disk file data corresponding to that restore point, determining whether the disk contains newly added files;
where the disk contains newly added files, adding a lock-at-startup attribute to the newly added files, and restoring the disk according to the registry data corresponding to that restore point.
Another technical solution by which the present invention solves the above problem is as follows. A processing system for ransomware includes:
a backup database building module, for building a backup database, wherein the backup database includes at least one restore point and restore data corresponding to each restore point, the restore data including registry data and disk file data;
a receiving module, for receiving a processing request;
a calling module, for selecting one restore point from the backup database according to the processing request and retrieving the disk file data corresponding to that restore point;
a difference comparison module, for traversing the disk and determining, according to the disk file data corresponding to that restore point, whether the disk contains newly added files;
a locking module, for adding a lock-at-startup attribute to the newly added files where the disk contains newly added files;
a registry restoration module, for restoring the disk according to the registry data corresponding to that restore point where the disk contains newly added files.
The beneficial effects of the invention are as follows. The invention records restore data in a backup database and compares the disk against that restore data to decide whether the disk contains newly added files. Where it does, the disk has been infected by ransomware: the newly added files are locked at startup and the disk is restored according to the registry data in the restore data. By exploiting a property specific to ransomware, the invention narrows the set of files in which ransomware must be looked for, locks the ransomware effectively so that it can do no further damage, and at the same time restores the disk to a normal state.
Further aspects and advantages of the invention will be set out in part in the description that follows, and in part will become apparent from that description or be learned by practising the invention.
Description of the drawings
Fig. 1 is a first schematic flow diagram of a processing method for ransomware according to an optional embodiment one of the present invention;
Fig. 2 is a second schematic flow diagram of a processing method for ransomware according to an optional embodiment one of the present invention;
Fig. 3 is a schematic structural diagram of a processing system for ransomware according to an optional embodiment two of the present invention.
Specific embodiment
The principles and features of the invention are described below with reference to the drawings. The examples serve only to explain the invention and are not intended to limit its scope.
Embodiment one
Fig. 1 is a first schematic flow diagram of a processing method for ransomware according to an optional embodiment one of the present invention.
As shown in Fig. 1, a processing method for ransomware includes:
Step S100: build a backup database, wherein the backup database includes at least one restore point and restore data corresponding to each restore point, the restore data including registry data and disk file data.
Specifically, the registry data in the restore data may be the data of the key parts of the registry, including the auto-start items and the registry data of other software that ransomware is likely to tamper with.
Specifically, the disk file data may be, for every file on the disk, the cryptographic hash of the file path and the cryptographic hash of the file content.
Preferably, if the registry data recorded in the backup database is only the data of the key parts of the registry, and the disk file data is only the hash of the path and the hash of the content of every file on the disk, the restore data that is actually formed is very small: in general the restore data for each restore point is less than 150 MB, which makes the scheme particularly suited to multi-point restoration. Assuming one restore point is generated per day and backups continue for a month, the space occupied is no more than 4.5 GB.
Specifically, how often a restore point is generated and the maximum number of restore points held in the backup database can be configured according to the actual situation and may be chosen by the user. Note that once a maximum number of restore points has been set, when the backup database has reached that maximum, a newly generated restore point overwrites the earliest restore point in the backup database.
In an optional embodiment, as shown in Fig. 2, the backup database can hold at most 7 restore points. As shown in the left half of Fig. 2, the backup database originally holds the 7 restore points recorded daily from 1 May 2016 to 7 May 2016. When a new restore point is generated on 8 May 2016, the earliest recorded restore point, the one recorded on 1 May 2016, is discarded, the restore point newly generated on 8 May 2016 is recorded in the backup database, and the restore point of 2 May 2016 takes the place of the former first restore point, i.e. the restore point recorded on 2 May 2016 becomes the earliest recorded restore point, as shown in the right half of Fig. 2.
Step S102: receive a processing request.
Specifically, the processing request here may be triggered by the ransomware itself, or may be a processing request issued by the user.
Step S104: select one restore point from the backup database according to the processing request, and retrieve the disk file data corresponding to that restore point.
Specifically, the user may select any one of the restore points recorded in the backup database.
Step S106: traverse the disk and, according to the disk file data corresponding to the restore point, determine whether the disk contains newly added files.
Specifically, after a restore point has been chosen, the disk must be traversed once, i.e. every file on the disk is examined, to find out whether there are files that were not present at the restore point. If there are, then, given the characteristics of ransomware, the disk has been infected by ransomware, and the newly added files necessarily include the ransomware's executable program. If there are no newly added files on the disk, two situations are possible: either the disk has not been infected by ransomware, or the selected restore point was generated after the disk was infected. The second possibility is excluded by selecting another restore point and repeating the check for newly added files until every restore point has been tried; the method then returns to step S102 for the next processing request.
Step S108: where the disk contains newly added files, add a lock-at-startup attribute to the newly added files, and restore the disk according to the registry data corresponding to the restore point.
Specifically, the lock-at-startup attribute for a newly added file may be added in a locking module. The location where it is added may be the registry, or any place from which the locking module can read the added data at startup. The locking module mainly takes the form of a driver or a service; its main function is, at startup, to read the lock data recorded in the locking module, determine which files need to be locked, and then perform the lock operation on those files. This guarantees that the newly added files carrying the ransomware are forcibly locked before the ransomware runs; because the locking module forbids every untrusted process from operating on the files recorded in the locking module, the ransomware and the other locked files cannot be started in any way. Specifically, the lock operation covers opening, reading, writing, deleting and renaming the locked file. Note that the locking module does allow the processes it trusts to operate on the files that have been added to the locking module.
Note that the disk may be restored according to the registry data corresponding to the restore point either before or after a reboot.
Through steps S100 to S108 above, the invention records restore data in a backup database, compares the disk against that restore data to determine whether the disk contains newly added files, and, where it does, concludes that the disk has been infected by ransomware: the newly added files are locked at startup and the disk is restored according to the registry data in the restore data. By exploiting a property specific to ransomware, the invention narrows the set of files in which ransomware must be looked for, locks the ransomware effectively so that it can do no further damage, and at the same time restores the disk to a normal state.
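The following block is an added example that walks through steps S100 to S108 end to end; it is not the patent's code. The disk is modelled as a dict of path to bytes and the registry as a dict of key to value so that it runs offline (a real implementation would walk the volume and read the Windows registry). The restore data has the shape the description gives, a snapshot of the key registry parts plus, for every file, hash(path) -> hash(content); SHA-256, the seven-slot ring of Fig. 2 and the sample paths and Run keys are assumptions chosen for illustration. A file counts as "new" when the hash of its path is absent from the restore point, which is the comparison the description implies; a file whose content changed but whose path is known (for instance a document that was encrypted) is not new and is left to the separate hash-change check.

```python
"""Restore-point database and the S100 to S108 flow (added example, not the patent's code)."""
import hashlib
from collections import OrderedDict

MAX_RESTORE_POINTS = 7          # the seven-slot ring of Fig. 2 (assumed default)


def h(data: bytes) -> str:
    """SHA-256 is assumed; the patent only says 'cryptographic hash'."""
    return hashlib.sha256(data).hexdigest()


def snapshot_disk(disk: dict) -> dict:
    """Disk file data for one restore point: hash(path) -> hash(content)."""
    return {h(path.encode("utf-8")): h(content) for path, content in disk.items()}


class BackupDatabase:
    """Ring of restore points; when full, the earliest point is overwritten (step S100)."""

    def __init__(self, max_points: int = MAX_RESTORE_POINTS):
        self.max_points = max_points
        self.points = OrderedDict()     # label -> {"registry": {...}, "files": {...}}

    def create_point(self, label: str, registry: dict, disk: dict) -> None:
        if len(self.points) >= self.max_points:
            self.points.popitem(last=False)           # drop the earliest point
        self.points[label] = {"registry": dict(registry), "files": snapshot_disk(disk)}

    def labels(self) -> list:
        return list(self.points)


def find_new_files(disk: dict, point: dict) -> list:
    """Step S106: a file is new when the hash of its path is absent from the point."""
    known = point["files"]
    return sorted(p for p in disk if h(p.encode("utf-8")) not in known)


def process_request(db: BackupDatabase, label: str, disk: dict, lock_list: list):
    """Steps S104 to S108 for one chosen restore point.

    Returns (new_files, registry_to_apply). An empty list means either no
    infection or a point created after the infection; as the description
    says, the caller should try the other points before concluding.
    """
    point = db.points[label]
    new_files = find_new_files(disk, point)
    if not new_files:
        return [], None
    # Lock-at-startup attribute: modelled as the list the locking driver or
    # service reads at boot before denying open/read/write/delete/rename to
    # untrusted processes.
    lock_list.extend(new_files)
    return new_files, dict(point["registry"])


def demo() -> dict:
    """Constructed sample data: eight daily points on a seven-slot ring, then an infection."""
    run_key = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    clean_disk = {"C:/Windows/explorer.exe": b"MZ-explorer",
                  "C:/Users/a/report.docx": b"quarterly figures"}
    clean_registry = {run_key + r"\Updater": r"C:\Program Files\Updater\upd.exe"}
    db = BackupDatabase()
    for day in range(1, 9):                               # 1 May to 8 May 2016
        db.create_point("2016-05-%02d" % day, clean_registry, clean_disk)

    infected_disk = dict(clean_disk)
    infected_disk["C:/Users/a/AppData/Local/Temp/locker.exe"] = b"MZ-locker"
    infected_disk["C:/Users/a/report.docx"] = b"encrypted-blob"      # changed, not new
    infected_registry = dict(clean_registry)
    infected_registry[run_key + r"\Locker"] = r"C:\Users\a\AppData\Local\Temp\locker.exe"

    lock_list = []
    new_files, registry = process_request(db, "2016-05-08", infected_disk, lock_list)
    return {"labels": db.labels(),
            "new_files": new_files,
            "lock_list": lock_list,
            "removed_run_keys": sorted(set(infected_registry) - set(registry))}


if __name__ == "__main__":
    print(demo())
```

Running the block shows the ring holding 2 May to 8 May after the eighth point is created, the dropper under Temp as the only new file (the encrypted document is a changed file, not a new one), that file on the lock list, and the ransomware's Run key absent from the registry snapshot that is applied.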
In an optional embodiment, the disk file data includes the hash of the file path and the hash of the file content of every file on the disk. Determining, according to the disk file data corresponding to the restore point, whether the disk contains newly added files then includes:
calculating the hash of the file path and the hash of the file content of every file on the disk;
determining, from the hashes of the file paths and file contents of all files on the disk together with the disk file data corresponding to the restore point, whether the disk contains newly added files.
In an optional embodiment, after adding the lock-at-startup attribute to the newly added files, the method further includes: moving the newly added files into a preset threat folder, and releasing the lock-at-startup attribute that was added to the newly added files.
In an optional embodiment, the operation of moving the newly added files into the preset threat folder is recorded in a preset removal log.
Specifically, the removal log records, for each move, the correspondence between the original file and the file in the threat folder, so the user can use the removal log to review all files that were ever moved into the threat folder. Because the files moved into the threat folder are not only the newly added files produced by ransomware but may also include files that are not ransomware, mistaken removals can occur; if the user finds that a file was removed by mistake, the correspondence recorded in the removal log makes it possible to recover the file that was wrongly deleted. After the user has recovered any wrongly deleted files, if the remaining files or folders are felt to be taking up disk space, the user can free that space by deleting entries from the removal log. The procedure for deleting an entry is: according to the log content the user chose to delete, find the location in the threat folder of each file recorded in that entry, delete those files first, and then erase the log record.
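The block below is an added example of the threat folder and removal log described above; it is not the patent's code. The disk, the threat folder and the lock list are in-memory dicts and lists so it runs offline, and the quarantine file naming (a prefix of the path hash) is an assumed scheme. It shows the ordering the description fixes: the removal module, being a process the locking module trusts, releases the lock-at-startup attribute before moving a file; a restore uses the logged path-to-quarantine mapping; and purging a log entry deletes the quarantined copy before the record.

```python
"""Threat folder plus removal log (added example, not the patent's code)."""
import hashlib


class Quarantine:
    """Moves newly found files into a threat folder and logs where each came from."""

    def __init__(self):
        self.threat_folder = {}     # quarantine name -> content
        self.log = []               # (original path, quarantine name), one per move

    def remove(self, disk: dict, lock_list: list, paths: list) -> list:
        """Release the lock-at-startup attribute, then move the file into the threat folder."""
        names = []
        for path in paths:
            if path in lock_list:
                lock_list.remove(path)
            qname = hashlib.sha256(path.encode("utf-8")).hexdigest()[:16]   # assumed naming
            self.threat_folder[qname] = disk.pop(path)
            self.log.append((path, qname))
            names.append(qname)
        return names

    def restore(self, disk: dict, path: str) -> bool:
        """Undo a mistaken removal via the logged original-path -> quarantine mapping."""
        for i, (orig, qname) in enumerate(self.log):
            if orig == path:
                disk[orig] = self.threat_folder.pop(qname)
                del self.log[i]
                return True
        return False

    def purge(self, path: str) -> bool:
        """Delete a log entry to free space: the quarantined copy goes first, then the record."""
        for i, (orig, qname) in enumerate(self.log):
            if orig == path:
                self.threat_folder.pop(qname, None)
                del self.log[i]
                return True
        return False


def demo() -> dict:
    """Constructed sample: two flagged files, one of them a false positive."""
    disk = {"C:/Temp/locker.exe": b"MZ-locker", "C:/Temp/setup.exe": b"MZ-installer"}
    lock_list = list(disk)                      # both were marked lock-at-startup
    q = Quarantine()
    q.remove(disk, lock_list, list(lock_list))
    after_remove = (sorted(disk), len(q.threat_folder), len(q.log), list(lock_list))
    restored = q.restore(disk, "C:/Temp/setup.exe")      # user reports a mistaken removal
    purged = q.purge("C:/Temp/locker.exe")               # user frees the space
    return {"after_remove": after_remove, "restored": restored, "purged": purged,
            "disk": sorted(disk), "threat_folder": len(q.threat_folder), "log": q.log}


if __name__ == "__main__":
    print(demo())
```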
In an optional embodiment, as described above, the disk file data includes the hash of the file path and the hash of the file content of every file on the disk. While traversing the disk and determining from the disk file data corresponding to the restore point whether the disk contains newly added files, the method therefore also includes:
traversing the disk and determining, according to the disk file data corresponding to the restore point, whether the content hashes of more than a predetermined number of files have changed; where the content hashes of more than the predetermined number of files have changed, determining that the disk is infected by file-infecting ransomware or a file-infecting virus, and connecting to a server to look up and download a program capable of removing that file-infecting ransomware or virus.
Specifically, the files whose content hashes have changed are in particular executable files, such as exe and dll files. The predetermined number can be configured according to the actual situation; the invention does not limit its specific value. If the content hashes of a large number of executable files are found to have changed, the disk has very probably been infected by file-infecting ransomware or some other file-infecting virus. In that case the system may connect to a server and look up whether a program exists that removes this particular ransomware or virus; if there is one, it downloads it, or it may simply place the program locally and launch it directly, running it to remove the file-infecting ransomware or virus and repair the infected executable files. If no program for removing the ransomware or virus can be found on the server, the ransomware or virus is probably unknown, and the user may be prompted to deal with it manually, for example by finding a dedicated removal tool or, to keep the data safe, copying out the useful data, formatting the disk and reinstalling the system. The above embodiment thus handles file-infecting ransomware and viruses.
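The block below is an added example of the hash-change check above; it is not the patent's code. The disk is a dict of path to bytes and the restore point's disk file data is hash(path) -> hash(content), as the description gives it; SHA-256, the executable suffixes (.exe and .dll), the threshold value and the sample paths are assumptions. It shows why the count is compared against a threshold: a routine update that changes one binary stays below it, while an infector that has modified five system executables exceeds it, and files that are absent from the restore point are not counted here because they belong to the new-file check.

```python
"""Hash-change check for file-infecting ransomware or viruses (added example, not the patent's code)."""
import hashlib

EXECUTABLE_SUFFIXES = (".exe", ".dll")     # assumed; the description names exe and dll


def h(data: bytes) -> str:
    """SHA-256 is assumed; the patent only says 'cryptographic hash'."""
    return hashlib.sha256(data).hexdigest()


def snapshot_disk(disk: dict) -> dict:
    """Disk file data of a restore point: hash(path) -> hash(content)."""
    return {h(p.encode("utf-8")): h(c) for p, c in disk.items()}


def changed_executables(disk: dict, point_files: dict) -> list:
    """Executables known at the restore point whose content hash now differs.
    Files absent from the point are not counted: they are 'new' files."""
    changed = []
    for path, content in disk.items():
        if not path.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        old = point_files.get(h(path.encode("utf-8")))
        if old is not None and old != h(content):
            changed.append(path)
    return sorted(changed)


def assess(disk: dict, point_files: dict, threshold: int) -> tuple:
    """Verdict is 'infectious' when more than `threshold` executables changed.
    The threshold keeps a normal update of a few binaries from triggering
    the verdict; its value is deployment-specific (assumed here)."""
    changed = changed_executables(disk, point_files)
    verdict = "infectious" if len(changed) > threshold else "not-infectious"
    return verdict, changed


def next_step(verdict: str, cleaner_found: bool) -> str:
    """Follow-up the description gives: run a downloaded cleaner when the
    server has one for this infector, otherwise prompt the user."""
    if verdict != "infectious":
        return "none"
    return "run-cleaner" if cleaner_found else "prompt-user"


def demo() -> dict:
    """Constructed sample: ten system binaries, then two scenarios."""
    clean = {"C:/Windows/System32/bin%d.exe" % i: b"MZ-clean-%d" % i for i in range(10)}
    clean["C:/Users/a/notes.txt"] = b"not an executable"
    point_files = snapshot_disk(clean)

    updated = dict(clean)                                 # a routine update of one binary
    updated["C:/Windows/System32/bin3.exe"] = b"MZ-clean-3-v2"

    infected = dict(clean)                                # an infector appended itself to five
    for i in range(5):
        infected["C:/Windows/System32/bin%d.exe" % i] += b"+infector"
    infected["C:/Users/a/notes.txt"] = b"changed, but not an executable"

    return {"updated": assess(updated, point_files, threshold=3),
            "infected": assess(infected, point_files, threshold=3)}


if __name__ == "__main__":
    print(demo())
```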
Embodiment two
Fig. 3 is a schematic structural diagram of a processing system for ransomware according to an optional embodiment two of the present invention.
In combination with the method above, the invention also provides, as shown in Fig. 3, a processing system for ransomware, including a backup database building module, a receiving module, a calling module, a difference comparison module, a locking module and a registry restoration module.
The backup database building module builds a backup database, wherein the backup database includes at least one restore point and restore data corresponding to each restore point, the restore data including registry data and disk file data.
The receiving module receives a processing request.
The calling module selects one restore point from the backup database according to the processing request and retrieves the disk file data corresponding to that restore point.
The difference comparison module traverses the disk and determines, according to the disk file data corresponding to the restore point, whether the disk contains newly added files.
The locking module, where the disk contains newly added files, adds a lock-at-startup attribute to the newly added files.
The registry restoration module, where the disk contains newly added files, restores the disk according to the registry data corresponding to the restore point.
In an optional embodiment, the disk file data includes the hash of the file path and the hash of the file content of every file on the disk, and the difference comparison module includes a calculation module and a first determination module.
The calculation module calculates the hash of the file path and the hash of the file content of every file on the disk; the first determination module determines, from those hashes together with the disk file data corresponding to the restore point, whether the disk contains newly added files.
In an optional embodiment, the system further includes a removal module connected to the locking module, for moving the newly added files into a preset threat folder and releasing the lock-at-startup attribute that was added to the newly added files.
Specifically, the removal module is a process trusted by the locking module and may read and move all of the files held in the locking module.
In an optional embodiment, the system includes a logging module connected to the removal module, for recording in a preset removal log the operation of moving the newly added files into the preset threat folder.
In an optional embodiment, the disk file data includes the hash of the file path and the hash of the file content of every file on the disk, and the difference comparison module further includes a second determination module and a file repair module.
The second determination module traverses the disk and determines, according to the disk file data corresponding to the restore point, whether the content hashes of more than a predetermined number of files have changed.
The file repair module, where the content hashes of more than the predetermined number of files have changed, determines that the disk is infected by file-infecting ransomware or a file-infecting virus, and connects to a server to look up and download a program capable of removing that file-infecting ransomware or virus.
In the description of this specification, reference to the terms "embodiment one", "embodiment two", "example", "specific example" or "some examples" means that the specific method, device or feature described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, methods, devices or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, where no conflict arises, those skilled in the art may combine the different embodiments or examples described in this specification, and the features of different embodiments or examples.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. A processing method for ransomware, characterized in that it includes:
building a backup database, wherein the backup database includes at least one restoration point and restoring data corresponding to each restoration point, the restoring data including registry data and disk file data;
receiving a processing request;
selecting one restoration point from the backup database according to the processing request, and calling the disk file data corresponding to that restoration point;
traversing the disk and determining, according to the disk file data corresponding to that restoration point, whether the disk has a newly-added file;
when the disk has a newly-added file, adding a lock-at-startup attribute to the newly-added file, and restoring the disk according to the registry data corresponding to that restoration point.
2. The method according to claim 1, characterized in that the disk file data include the hash value of the file path and the hash value of the file content of every file in the disk; and the step of determining, according to the disk file data corresponding to that restoration point, whether the disk has a newly-added file includes:
calculating the hash value of the file path and the hash value of the file content of every file in the disk;
determining, according to those hash values and the disk file data corresponding to that restoration point, whether the disk has a newly-added file.
3. The method according to claim 1, characterized in that, after the step of adding the lock-at-startup attribute to the newly-added file, the method further includes:
moving the newly-added file into a preset threat folder, and releasing the lock-at-startup attribute added to the newly-added file.
4. The method according to claim 3, characterized in that the operation of moving the newly-added file into the preset threat folder is recorded in a preset removal log.
5. The method according to claim 1, characterized in that the disk file data include the hash value of the file path and the hash value of the file content of every file in the disk; and, while the step of traversing the disk and determining according to the disk file data corresponding to that restoration point whether the disk has a newly-added file is executed, the method further includes:
traversing the disk and determining, according to the disk file data corresponding to that restoration point, whether the content hash values of more than a predetermined number of files in the disk have changed;
when the content hash values of more than the predetermined number of files in the disk have changed, determining that the disk is infected by infection-type ransomware or an infection-type virus, and connecting to a server to look up and download a program capable of removing the infection-type ransomware or infection-type virus.
6. A processing system for ransomware, characterized in that it includes:
a backup database building module, for building a backup database, wherein the backup database includes at least one restoration point and restoring data corresponding to each restoration point, the restoring data including registry data and disk file data;
a receiving module, for receiving a processing request;
a calling module, for selecting one restoration point from the backup database according to the processing request, and calling the disk file data corresponding to that restoration point;
a difference comparison module, for traversing the disk and determining, according to the disk file data corresponding to that restoration point, whether the disk has a newly-added file;
a locking module, for adding a lock-at-startup attribute to the newly-added file when the disk has a newly-added file;
a registry restoration module, for restoring the disk according to the registry data corresponding to that restoration point when the disk has a newly-added file.
7. The system according to claim 6, characterized in that the disk file data include the hash value of the file path and the hash value of the file content of every file in the disk; and the difference comparison module includes:
a computing module, for calculating the hash value of the file path and the hash value of the file content of every file in the disk;
a first determining module, for determining, according to those hash values and the disk file data corresponding to that restoration point, whether the disk has a newly-added file.
8. The system according to claim 6, characterized in that the system further includes a removal module connected to the locking module, for moving the newly-added file into a preset threat folder and releasing the lock-at-startup attribute added to the newly-added file.
9. The system according to claim 8, characterized in that the system includes a log module connected to the removal module, for recording in a preset removal log the operation of moving the newly-added file into the preset threat folder.
10. The system according to claim 6, characterized in that the disk file data include the hash value of the file path and the hash value of the file content of every file in the disk; and the difference comparison module further includes:
a second determining module, for traversing the disk and determining, according to the disk file data corresponding to that restoration point, whether the content hash values of more than a predetermined number of files in the disk have changed;
a file recovery module, for determining, when the content hash values of more than the predetermined number of files in the disk have changed, that the disk is infected by infection-type ransomware or an infection-type virus, and connecting to a server to look up and download a program capable of removing the infection-type ransomware or infection-type virus.
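A worked example of the difference comparison described in the optional embodiments above and in claims 1, 2 and 5: a restoration point is stored as path hash -> content hash, a disk traversal is compared against it to find newly-added files, and the number of content-hash changes is tested against a predetermined number. This is added example code, not the patent's own implementation; the directory layout and file contents are constructed, and the lock-at-startup attribute, registry restoration and quarantine steps are not modelled.

```python
import hashlib
import os
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_disk(root: str) -> list:
    """Traverse ROOT and return (relative path, path hash, content hash) per file."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                entries.append((rel, _sha256(rel.encode()), _sha256(fh.read())))
    return entries


def build_restore_point(root: str) -> dict:
    """Disk file data of a restoration point: path hash -> content hash."""
    return {ph: ch for _, ph, ch in scan_disk(root)}


def compare(point: dict, current: list, threshold: int) -> dict:
    """Difference comparison: a file whose path hash is absent from the restore
    point is newly added; pre-existing files whose content hash differs are
    counted, and a count above THRESHOLD gives the claim-5 infection verdict."""
    new_files = sorted(rel for rel, ph, _ in current if ph not in point)
    changed = sum(1 for _, ph, ch in current if ph in point and point[ph] != ch)
    return {"new_files": new_files, "changed": changed, "infected": changed > threshold}


def demo(threshold: int = 2) -> dict:
    """Constructed scenario: snapshot four documents, then rewrite three of them
    and drop one new file, as mass encryption followed by a dropped binary would."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(4):
            with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                fh.write(b"original content %d" % i)
        point = build_restore_point(root)
        for i in range(3):
            with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                fh.write(b"rewritten content %d" % i)
        with open(os.path.join(root, "dropper.exe"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real binary")
        # new_files would next be locked at startup and moved to the threat folder
        return compare(point, scan_disk(root), threshold)
```

With the default threshold of 2, `demo()` reports `dropper.exe` as newly added, three changed content hashes, and an infection verdict; raising the threshold above 3 clears the verdict while the new file is still reported.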
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610960494.7A CN106503551A (en) | 2016-10-28 | 2016-10-28 | A kind of for the processing method and system of extorting software |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106503551A true CN106503551A (en) | 2017-03-15 |
Family ID: 58322506
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106951781A (en) * | 2017-03-22 | 2017-07-14 | 福建平实科技有限公司 | Ransomware defense method and apparatus |
CN107491697A (en) * | 2017-09-29 | 2017-12-19 | 南京宏海科技有限公司 | Server security maintenance method based on a dynamic whitelist |
CN108345626A (en) * | 2017-11-09 | 2018-07-31 | 孔朝晖 | A kind of data grouped data set across catalogue of cloud system |
CN108647112A (en) * | 2018-03-16 | 2018-10-12 | 阿里巴巴集团控股有限公司 | Method, apparatus and distributed processing system for data backup |
CN109145604A (en) * | 2018-08-21 | 2019-01-04 | 成都网思科平科技有限公司 | Intelligent ransomware detection method and system |
CN109284608A (en) * | 2017-07-19 | 2019-01-29 | 阿里巴巴集团控股有限公司 | Ransomware identification method, device and equipment, and security processing method |
CN109284608B (en) * | 2017-07-19 | 2022-10-18 | 阿里巴巴集团控股有限公司 | Method, device and equipment for identifying ransomware, and security processing method |
CN111614662A (en) * | 2020-05-19 | 2020-09-01 | 网神信息技术(北京)股份有限公司 | Interception method and device for ransomware |
CN111614662B (en) * | 2020-05-19 | 2022-09-09 | 奇安信网神信息技术(北京)股份有限公司 | Interception method and device for ransomware |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101777018A (en) * | 2010-02-08 | 2010-07-14 | 北京同有飞骥科技有限公司 | Copying and snapshot combined Windows system protection method |
CN103389925A (en) * | 2012-05-09 | 2013-11-13 | 南京壹进制信息技术有限公司 | Real-time backup method based on process name identification |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170315 |