CN110874474A - Ransomware defense method, ransomware defense device, electronic device and storage medium
- Publication number
- CN110874474A (application CN201811579545.7A)
- Authority
- CN
- China
- Prior art keywords
- currently created
- file handle
- virus
- file
- created file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
              - G06F21/562—Static detection
                - G06F21/565—Static detection by checking file integrity
              - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
              - G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
        - G06F21/60—Protecting data
          - G06F21/602—Providing cryptographic facilities or services
Abstract
The embodiment of the invention discloses a ransomware defense method and apparatus, an electronic device and a storage medium, relates to the technical field of network security, and aims to identify ransomware effectively and in time. The ransomware defense method comprises the following steps: monitoring the creation of file handles; if a file handle is currently created, querying the attributes of the currently created file handle and judging whether the attributes of the currently created file handle include write permission; if the attributes of the currently created file handle include write permission, querying the process to which the currently created file handle belongs; judging whether the characteristics of the process to which the currently created file handle belongs meet preset judgment characteristics; and if the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics, determining that the process to which the currently created file handle belongs is a ransomware process. The invention is suitable for identifying ransomware and recovering files.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular to a ransomware defense method and apparatus, an electronic device, and a storage medium.
Background
Currently, ransomware is increasingly favoured by lawbreakers of all kinds because of its profitability, and new ransomware variants break out one after another. The infected are no longer only individual users: enterprises and public institutions of every kind are affected to different degrees, so the crisis caused by infection keeps growing.
How to identify ransomware effectively and in time has become a focus of concern for every antivirus vendor.
Disclosure of Invention
In view of this, embodiments of the present invention provide a ransomware defense method and apparatus, an electronic device and a storage medium, which can identify ransomware effectively and in time.
In a first aspect, an embodiment of the present invention provides a ransomware defense method, including: monitoring the creation of file handles; if a file handle is currently created, querying the attributes of the currently created file handle and judging whether the attributes of the currently created file handle include write permission; if the attributes of the currently created file handle include write permission, querying the process to which the currently created file handle belongs; judging whether the characteristics of the process to which the currently created file handle belongs meet preset judgment characteristics; and if the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics, determining that the process to which the currently created file handle belongs is a ransomware process.
According to a specific implementation of the embodiment of the present invention, judging whether the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics includes: judging whether the number of file handles occupied by the process to which the currently created file handle belongs reaches a preset number threshold; and/or judging whether the suffix names of the files corresponding to the file handles occupied by that process are the same; and/or judging whether the paths of the files corresponding to the file handles occupied by that process include different paths. Determining that the process is a ransomware process if its characteristics meet the preset judgment characteristics includes: if the number of occupied file handles reaches the preset number threshold, and/or the suffix names of the files corresponding to the occupied file handles are the same, and/or the paths of the files corresponding to the occupied file handles include different paths, determining that the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics.
According to a specific implementation of the embodiment of the present invention, if the attributes of the currently created file handle include write permission, the method further includes: duplicating the currently created file handle; and making an encrypted backup of the file corresponding to the currently created file handle.
According to a specific implementation of the embodiment of the present invention, after determining that the process to which the currently created file handle belongs is a ransomware process, the method further includes: recovering the file encrypted by the ransomware using the encrypted backup file.
In a second aspect, an embodiment of the present invention provides a ransomware defense apparatus, including: a monitoring module for monitoring the creation of file handles; a first judgment module for querying the attributes of the currently created file handle if a file handle is currently created, and judging whether the attributes of the currently created file handle include write permission; a query module for querying the process to which the currently created file handle belongs if the attributes of the currently created file handle include write permission; a second judgment module for judging whether the characteristics of the process to which the currently created file handle belongs meet preset judgment characteristics; and a third judgment module for determining that the process to which the currently created file handle belongs is a ransomware process if the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics.
According to a specific implementation of the embodiment of the present invention, the second judgment module includes: a first judgment submodule for judging whether the number of file handles occupied by the process to which the currently created file handle belongs reaches a preset number threshold; and/or a second judgment submodule for judging whether the suffix names of the files corresponding to the file handles occupied by that process are the same; and/or a third judgment submodule for judging whether the paths of the files corresponding to the file handles occupied by that process include different paths. The third judgment module is configured to determine that the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics if the number of occupied file handles reaches the preset number threshold, and/or the suffix names of the files corresponding to the occupied file handles are the same, and/or the paths of the files corresponding to the occupied file handles include different paths.
According to a specific implementation of the embodiment of the present invention, the apparatus further includes: a duplication module for duplicating the currently created file handle; and a backup module for making an encrypted backup of the file corresponding to the currently created file handle.
According to a specific implementation of the embodiment of the present invention, the apparatus further includes: a recovery module for recovering the file encrypted by the ransomware using the encrypted backup file.
In a third aspect, an embodiment of the present invention provides an electronic device, including a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method of any one of the foregoing implementations.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs which are executable by one or more processors to implement the method of any one of the foregoing implementations.
According to the ransomware defense method, apparatus, electronic device and storage medium, the creation of file handles is monitored. If the creation of a file handle is detected and the read/write attribute information in the attributes of the currently created file handle is judged to be the write attribute, it is further judged whether the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics; if so, the process to which the currently created file handle belongs can be determined to be a ransomware process. Whether the process to which the currently created file handle belongs is a ransomware process can thus be determined from the attributes of the currently created file handle and the characteristics of that process, so ransomware can be identified in time and effectively.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of a first embodiment of a ransomware defense method according to the present invention;
FIG. 2 is a schematic flow chart of a second embodiment of a ransomware defense method according to the present invention;
FIG. 3 is a schematic flow chart of a third embodiment of a ransomware defense method according to the present invention;
FIG. 4 is a flowchart of a fourth embodiment of a ransomware defense method according to the present invention;
FIG. 5 is a schematic structural diagram of a first embodiment of a ransomware defense apparatus according to the present invention;
FIG. 6 is a schematic structural diagram of a second embodiment of a ransomware defense apparatus according to the present invention;
FIG. 7 is a schematic structural diagram of a third embodiment of a ransomware defense apparatus according to the present invention;
FIG. 8 is a schematic structural diagram of a fourth embodiment of a ransomware defense apparatus according to the present invention;
FIG. 9 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a first aspect, an embodiment of the present invention provides a ransomware defense method, which can identify ransomware effectively and in time and accurately recover encrypted files.
Fig. 1 is a schematic flow chart of a first embodiment of the ransomware defense method provided by the present invention. As shown in Fig. 1, the method of this embodiment may include the following steps:
S101, monitoring the creation of file handles.
A handle is a unique integer used to identify an object created or used by an application. Common handles include window handles, device context handles, memory handles, file handles, process handles, thread handles and the like. A file handle is the sole basis for identifying an opened file. To read data from a file, an application calls an operating system function and passes it the file handle, a memory address and the number of bytes to copy.
In this embodiment, optionally, the creation of a file handle may be detected by hooking the relevant function, such as ZwCreateFile.
If monitoring determines that a file handle is currently created, step S102 is executed; otherwise, the creation of file handles continues to be monitored.
S102, judging whether the attributes of the currently created file handle include write permission.
In this embodiment, if it is detected that a file handle is currently created, the attributes of the currently created file handle are queried and it is judged whether those attributes include write permission.
The attributes of a file handle may generally include the file name, file path, read permission, write permission and similar attribute information. From the attributes of the file handle, whether the opened file has write permission can be determined.
In this embodiment, optionally, the attribute information of the file handle may be obtained using the native API ZwQueryInformationFile.
If the attributes of the currently created file handle include write permission, step S103 is executed; otherwise, step S101 continues to be executed.
S103, querying the process to which the currently created file handle belongs.
In this embodiment, the ID (identifier) of the process to which the currently created file handle belongs may be obtained first, and the process itself is then obtained from that ID.
Optionally, the ID of the process to which the currently created file handle belongs may be obtained through a system snapshot.
S104, judging whether the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics.
In this embodiment, the characteristics of the process to which the currently created file handle belongs include the number of file handles occupied by that process, the suffix names of the files corresponding to the occupied file handles, the paths of the files corresponding to the occupied file handles, and the like.
After the ID of the process to which the currently created file handle belongs is obtained, a handle to the process is obtained through the OpenProcess function, and the relevant characteristics of the process can be obtained through that process handle.
The preset judgment characteristics are pre-established characteristics, or a characteristic library, consistent with the characteristics of ransomware processes. The judgment characteristics may be obtained by analysing the process characteristics of a large number of ransomware samples in advance, and may be updated according to the process characteristics of newly appearing ransomware.
According to the characteristics of the process to which the currently created file handle belongs, it can be judged whether the process meets the preset judgment characteristics. If the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics, step S105 is executed; otherwise, step S101 continues to be executed.
S105, determining that the process to which the currently created file handle belongs is a ransomware process.
In a normal encryption procedure, a selected file is usually encrypted, and the read/write attribute information in the attributes of the opened file handle is generally the read attribute. Because ransomware encrypts the file directly, the read/write attribute information in the attributes of the opened file handle is necessarily the write attribute, that is, the handle has write permission. Therefore, in this embodiment, if it is detected that a file handle is currently created and the read/write attribute information in its attributes is judged to be the write attribute, it can be preliminarily determined that the process to which the currently created file handle belongs is a suspected ransomware process; it is then further judged whether the characteristics of that process meet the preset judgment characteristics, and if so, the process is determined to be a ransomware process.
In this embodiment, whether the process to which the currently created file handle belongs is a ransomware process can be determined from the attributes of the currently created file handle and the characteristics of that process, so ransomware can be identified in time and efficiently.
After the process to which the currently created file handle belongs is determined to be a ransomware process, the process may be terminated and alarm information may be generated.
Fig. 2 is a flowchart of a second embodiment of the ransomware defense method according to the present invention. As shown in Fig. 2, the difference from the embodiment shown in Fig. 1 is that in this embodiment, judging whether the characteristics of the process to which the currently created file handle belongs meet the preset judgment characteristics (step S104) may specifically include:
S1041, judging whether the number of file handles occupied by the process to which the currently created file handle belongs reaches a preset number threshold; and/or
S1042, judging whether the suffix names of the files corresponding to the file handles occupied by the process to which the currently created file handle belongs are the same; and/or
S1043, judging whether the paths of the files corresponding to the file handles occupied by the process to which the currently created file handle belongs include different paths.
After judgment, if the number of occupied file handles reaches the preset number threshold, and/or the suffix names of the files corresponding to the occupied file handles are the same, and/or the paths of the files corresponding to the file handles occupied by the process to which the currently created file handle belongs include different paths, step S105 is executed. Here, different paths include different paths on the same drive and different paths on different drives.
In this embodiment, the number threshold is preset according to actual conditions; for example, it may be set to 20, 25 or 30. The higher the threshold, the higher the accuracy, but if the threshold is too high the timeliness of the judgment may suffer. To balance accuracy and timeliness, the threshold is preferably 20 in this embodiment.
Normal encryption software usually encrypts all files, or several specific files, under one path; it rarely opens a large number of files on different drives and in different paths at one time, and rarely holds more than 20 file handles with the same suffix. In other words, the files opened by normal encryption software all lie in the same path rather than on different drives and in different paths, and there are rarely more than 20 file handles with the same suffix.
Ransomware, by contrast, scans and encrypts all files, so during its run it necessarily opens multiple files at the same time, those files have the same suffix name and different paths, and typically more than 20 files are opened.
Therefore, in this embodiment, ransomware can be judged and identified from the number, suffix names and paths of the file handles occupied by the current process.
In a specific application, the ransomware judgment may be made on at least one of the number, suffix names and paths of the file handles occupied by the current process, or on all three of them, so as to reduce or avoid false alarms and improve the accuracy of ransomware judgment.
When the number, suffix names and paths of the file handles occupied by the current process are all judged, the number of file handles may be judged first, and the suffix names and paths of the corresponding files judged only when the number of file handles reaches the preset number threshold (for example, 20); this reduces unnecessary judgment operations, improves judgment efficiency and saves system resources.
Fig. 3 is a flowchart of a third embodiment of the ransomware defense method provided by the present invention. As shown in Fig. 3, the difference from the method embodiment shown in Fig. 2 is that in this embodiment, if the attributes of the currently created file handle include write permission, the method may further include:
S106, duplicating the currently created file handle.
In this embodiment, after it is determined that the attributes of the currently created file handle include write permission, the currently created file handle is duplicated, so that the same file operation permission as the ransomware is obtained, that is, write permission on the corresponding file.
S107, making an encrypted backup of the file corresponding to the currently created file handle.
Using the obtained write permission, an encrypted backup of the file corresponding to the currently created file handle is made immediately.
In this embodiment, after it is determined that the attributes of the currently created file handle include write permission, the presence of suspected ransomware can be preliminarily determined, so the corresponding file can be backed up in encrypted form in time to avoid unnecessary loss, achieving proactive defense in advance.
Fig. 4 is a flowchart of a fourth embodiment of the ransomware defense method according to the present invention. As shown in Fig. 4, the difference from the method embodiment shown in Fig. 3 is that in this embodiment, after determining that the process to which the currently created file handle belongs is a ransomware process, the method may further include:
S108, recovering the file encrypted by the ransomware using the encrypted backup file.
When the process to which the currently created file handle belongs is found to be a ransomware process, all files encrypted by that process can be recovered. During recovery, the encrypted backup file is decrypted and then used to replace the file encrypted by the ransomware. The file encrypted by the ransomware can be recovered automatically, or the user can be prompted to recover it manually.
In this embodiment, after a file has been maliciously encrypted by ransomware, the file can be recovered from the encrypted backup, so the protection against ransomware is further improved.
More importantly, in this embodiment, when a new file handle is found to have been created and the read/write attribute information in its attributes is the write attribute, the file handle is duplicated and the corresponding file is backed up in encrypted form, so that when the file encrypted by the ransomware is restored from the encrypted backup, it is restored to its state before the ransomware encrypted it, achieving accurate restoration of the encrypted file.
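The detection steps of Figs. 1 and 2 and the backup-and-recovery steps of Figs. 3 and 4, run together as a user-space simulation. This is an added example, not code from the patent or its applicant: the kernel hook on ZwCreateFile is replaced by hand-constructed HandleEvent objects, the disk is a dict, the encrypted backup of step S107 is modelled as a plain in-memory snapshot (an assumption of the simulation), and the file names and process IDs are constructed.

```python
# Added example (not from the patent): simulation of steps S101-S108 over a
# constructed stream of file-handle creation events. In the patent the events
# come from a hook on ZwCreateFile; here they are built by hand and the disk
# is a dict. The encrypted backup of S107 is modelled as an in-memory
# snapshot keyed by (pid, path) (assumption made for the simulation).
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

HANDLE_THRESHOLD = 20  # the patent's preferred number threshold


@dataclass(frozen=True)
class HandleEvent:
    """One file-handle creation as the hook would report it."""
    pid: int
    path: str
    write: bool  # True when the handle attributes include write permission


def process_features(paths):
    """The three process characteristics of step S104 (Fig. 2): number of
    handles, whether every file has the same suffix, and whether the files
    lie in different paths (different folders or different drives)."""
    count = len(paths)
    suffixes = {PureWindowsPath(p).suffix.lower() for p in paths}
    parents = {str(PureWindowsPath(p).parent).lower() for p in paths}
    return count, len(suffixes) == 1, len(parents) > 1


def meets_judgment_features(paths, threshold=HANDLE_THRESHOLD):
    """Judge in the order the description recommends: the handle count
    first, and suffixes and paths only once the threshold is reached, so
    that most processes are dismissed cheaply."""
    if len(paths) < threshold:
        return False
    _, same_suffix, different_paths = process_features(paths)
    return same_suffix and different_paths


class RansomwareDefender:
    """Drives steps S101-S108 from HandleEvent objects."""

    def __init__(self, fs, threshold=HANDLE_THRESHOLD):
        self.fs = fs                              # simulated disk: path -> bytes
        self.threshold = threshold
        self.write_handles = defaultdict(list)    # pid -> paths opened for write
        self.backups = {}                         # (pid, path) -> snapshot
        self.flagged = set()

    def on_handle_created(self, ev):
        """S101/S102: only handles with write permission proceed.
        S106/S107: snapshot the file before its owner can modify it.
        S103-S105: attribute the handle to its process and judge it.
        Returns True when the owning process is judged to be ransomware."""
        if not ev.write:
            return False
        self.backups.setdefault((ev.pid, ev.path), self.fs.get(ev.path))
        self.write_handles[ev.pid].append(ev.path)
        if meets_judgment_features(self.write_handles[ev.pid], self.threshold):
            self.flagged.add(ev.pid)
            return True
        return False

    def recover(self, pid):
        """S108: put every file the flagged process opened for writing back
        to the snapshot taken when it was opened. Returns restored paths.
        Files that did not exist at open time have no snapshot and are skipped."""
        restored = []
        for path in self.write_handles.get(pid, []):
            snapshot = self.backups.get((pid, path))
            if snapshot is not None:
                self.fs[path] = snapshot
                restored.append(path)
        return restored


def run_scenario():
    """Constructed scenario: an image editor (pid 100) writes 25 .jpg files
    in one folder, then a ransomware-like process (pid 200) opens 20 .docx
    files on two drives for writing and overwrites each one."""
    fs = {}
    photos = [f"C:\\Users\\alice\\Photos\\img{i}.jpg" for i in range(25)]
    docs = ([f"C:\\Users\\alice\\Documents\\report{i}.docx" for i in range(10)]
            + [f"D:\\Share\\finance\\q{i}.docx" for i in range(10)])
    for p in photos + docs:
        fs[p] = b"original " + p.encode()
    d = RansomwareDefender(fs)
    # Same suffix and more than 20 handles, but a single path: not flagged.
    benign_hits = [d.on_handle_created(HandleEvent(100, p, True)) for p in photos]
    flagged_at = None
    for n, p in enumerate(docs, 1):
        if d.on_handle_created(HandleEvent(200, p, True)) and flagged_at is None:
            flagged_at = n
        fs[p] = b"ciphertext"  # the in-place encryption, simulated
    restored = d.recover(200)
    return {
        "benign_flagged": any(benign_hits),
        "flagged_at": flagged_at,  # the 20th handle: count, suffix and paths all match
        "restored": len(restored),
        "intact": all(fs[p] == b"original " + p.encode() for p in docs),
    }


if __name__ == "__main__":
    print(run_scenario())
```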
In a second aspect, an embodiment of the present invention provides a device for defending against a lemonade virus, which can effectively identify a lemonade virus in time and accurately recover an encrypted file.
Fig. 5 is a schematic structural diagram of a first embodiment of a stranger virus protection device according to the present invention, and as shown in fig. 5, the protection device of the present embodiment may include: the system comprises a monitoring module 11, a first judging module 12, an inquiring module 13, a second judging module 14 and a third judging module 15; the monitoring module 11 is configured to monitor creation of a file handle; the first judging module 12 is configured to, if a file handle is currently created, query an attribute of the currently created file handle, and judge whether the attribute of the currently created file handle has a write permission; the query module 13 is configured to query a process to which a currently created file handle belongs if the attribute of the currently created file handle has a write permission; the second judging module 14 is configured to judge whether a feature of a process to which the currently created file handle belongs meets a predetermined judgment feature; and the third judging module 15 determines that the process to which the currently created file handle belongs is a process of the lemonade virus if the characteristics of the process to which the currently created file handle belongs meet the predetermined judgment characteristics.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 6 is a schematic structural diagram of a second embodiment of a ransomware defense device according to the present invention. As shown in fig. 6, this embodiment differs from the device shown in fig. 5 in that the second judging module 14 includes a first judging submodule 141, a second judging submodule 142 and a third judging submodule 143, wherein:
the first judging submodule 141 is configured to judge whether the number of file handles occupied by the process to which the currently created file handle belongs reaches a predetermined number threshold; and/or
the second judging submodule 142 is configured to judge whether the suffix names of the files corresponding to the file handles occupied by that process are the same; and/or
the third judging submodule 143 is configured to judge whether the paths of the files corresponding to the file handles occupied by that process include different paths.
The third judging module 15 is configured to determine that the characteristics of the process to which the currently created file handle belongs meet the predetermined judgment characteristics if the number of occupied file handles reaches the predetermined number threshold, and/or the suffix names of the files corresponding to the occupied file handles are the same, and/or the paths of the files corresponding to the occupied file handles include different paths.
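The modules 11 to 15 and submodules 141 to 143 described above, modelled as stand-alone Python that runs over a constructed stream of handle-creation events. This is an added example, not the patent's own code; the process ids, paths, event format and the threshold value of 20 are assumptions (the patent fixes no threshold), and the three "and/or" features are combined conjunctively here, the reading that minimises false alarms.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class HandleEvent:
    """One file-handle creation as the monitoring module (11) would report it."""
    pid: int
    path: str
    write: bool  # True when the handle's attribute grants write access


@dataclass
class ProcessState:
    """Files that one process currently holds open with write access."""
    open_paths: list = field(default_factory=list)


class RansomwareDetector:
    """Modules 12 to 15 of the second embodiment, in software.

    handle_threshold is the 'predetermined number threshold'; 20 is a
    constructed value, the patent gives none.
    """

    def __init__(self, handle_threshold=20):
        self.threshold = handle_threshold
        self.procs = defaultdict(ProcessState)

    def features(self, pid):
        """Submodules 141/142/143: handle count, identical suffixes, many paths."""
        paths = [PureWindowsPath(p) for p in self.procs[pid].open_paths]
        count_hit = len(paths) >= self.threshold
        same_suffix = len(paths) > 1 and len({p.suffix.lower() for p in paths}) == 1
        many_dirs = len({str(p.parent).lower() for p in paths}) > 1
        return count_hit, same_suffix, many_dirs

    def on_handle_created(self, ev):
        """Run modules 12-15 for one event; True means the process is flagged."""
        if not ev.write:
            return False  # first judging module: read-only handles are ignored
        self.procs[ev.pid].open_paths.append(ev.path)  # query module: handle -> process
        count_hit, same_suffix, many_dirs = self.features(ev.pid)
        # Third judging module. Claim 2 joins the features with "and/or";
        # requiring all three keeps false alarms down, which the description
        # names as the purpose of these features.
        return count_hit and same_suffix and many_dirs


def run_demo():
    """Feed a constructed event stream through the detector; returns flagged pids."""
    det = RansomwareDetector(handle_threshold=20)
    events = []
    # Constructed: a word processor (pid 1001) saves three documents in one folder.
    for i in range(3):
        events.append(HandleEvent(1001, rf"C:\Users\alice\Documents\report{i}.docx", True))
    # Constructed: pid 4242 opens many files for write, all carrying one new
    # suffix and spread over several directories, the pattern claim 2 targets.
    folders = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures",
               r"C:\Users\alice\Desktop", r"D:\Share\Finance"]
    for i in range(25):
        events.append(HandleEvent(4242, rf"{folders[i % 4]}\file{i}.locked", True))
    # A read-only handle from the same process must not count towards anything.
    events.append(HandleEvent(4242, r"C:\Windows\System32\kernel32.dll", False))
    flagged = set()
    for ev in events:
        if det.on_handle_created(ev):
            flagged.add(ev.pid)
    return flagged
```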
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 2, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 7 is a schematic structural diagram of a third embodiment of a ransomware defense device according to the present invention. As shown in fig. 7, this embodiment differs from the device shown in fig. 6 in that the device further includes a copy module 16 and a backup module 17. The copy module 16 is configured to copy the currently created file handle, and the backup module 17 is configured to make an encrypted backup of the file corresponding to the currently created file handle.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 3, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 8 is a schematic structural diagram of a fourth embodiment of a ransomware defense device according to the present invention. As shown in fig. 8, this embodiment differs from the device shown in fig. 7 in that the device further includes a recovery module 18, configured to recover a file encrypted by ransomware using the encrypted backup file.
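The copy, backup and recovery modules (16, 17, 18) as an added stand-alone Python model, not the patent's own code: a snapshot of the file is sealed into a vault the moment a write handle is created, and rolled back once the owning process is flagged. The in-memory disk, paths, contents and process id are constructed; the vault uses stdlib HMAC-SHA256 as a counter-mode keystream plus an HMAC tag, a labelled stand-in for the standard AEAD (for example AES-GCM) a production build would use.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


class EncryptedVault:
    """Backup module 17: one sealed copy per path, taken before the write lands."""

    def __init__(self, master_key):
        # Independent keys for confidentiality and integrity, derived by label.
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.store = {}  # path -> (nonce, ciphertext, tag)

    def seal(self, path, plaintext):
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, path.encode() + nonce + ct, hashlib.sha256).digest()
        self.store[path] = (nonce, ct, tag)

    def open(self, path):
        nonce, ct, tag = self.store[path]
        expect = hmac.new(self.mac_key, path.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):  # never restore a tampered backup
            raise ValueError(f"backup of {path} failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))


class ProtectedDisk:
    """Toy in-memory file system exposing the hook the monitor would call."""

    def __init__(self, vault):
        self.files = {}
        self.vault = vault
        self.touched = {}  # pid -> paths it opened with write access

    def on_write_handle(self, pid, path):
        """Copy module 16 + backup module 17: snapshot before the process writes."""
        if path in self.files:
            self.vault.seal(path, self.files[path])
        self.touched.setdefault(pid, set()).add(path)

    def write(self, path, data):
        self.files[path] = data

    def recover(self, pid):
        """Recovery module 18: once pid is flagged, roll back every file it opened."""
        restored = []
        for path in sorted(self.touched.get(pid, ())):
            if path in self.vault.store:
                self.files[path] = self.vault.open(path)
                restored.append(path)
        return restored


def run_demo():
    """Constructed scenario: two user files are overwritten, then rolled back."""
    disk = ProtectedDisk(EncryptedVault(os.urandom(32)))
    disk.write(r"C:\Users\alice\budget.xlsx", b"Q1 figures")
    disk.write(r"C:\Users\alice\notes.txt", b"meeting notes")
    # pid 4242 (constructed) obtains write handles and overwrites both files;
    # the snapshot is taken at handle creation, before the overwrite lands.
    for path in list(disk.files):
        disk.on_write_handle(4242, path)
        disk.write(path, b"\xde\xad" * 8)
    restored = disk.recover(4242)  # would run after module 15 flags pid 4242
    return restored, dict(disk.files)
```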
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 4, and the implementation principle and the technical effect are similar, which are not described herein again.
In a third aspect, an embodiment of the present invention further provides an electronic device. Fig. 9 is a schematic structural diagram of an embodiment of an electronic device according to the present invention, which may implement the flows shown in figs. 1 to 4. As shown in fig. 9, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45. The circuit board 44 is arranged inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the ransomware defense method of any of the foregoing embodiments.
For the specific execution of the above steps by the processor 42, and for the further steps the processor 42 executes by running the executable program code, reference may be made to the description of the embodiments shown in figs. 1 to 4, which is not repeated here.
The electronic device may take a variety of forms, including but not limited to a desktop computer with computing and processing capabilities, a server, or another electronic device with computing and processing capabilities.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing one or more programs which are executable by one or more processors to perform the ransomware defense method described in any of the foregoing embodiments.
According to the ransomware defense method, device, electronic device and storage medium described above, if monitoring shows that a file handle is currently created and the read/write information in the attribute of the currently created file handle is judged to be a write attribute, the process to which the currently created file handle belongs can be preliminarily judged to be a suspected ransomware process, so that its characteristics can be further checked against the predetermined judgment characteristics; if they match, the process can be determined to be a ransomware process. That is, whether the process to which the currently created file handle belongs is a ransomware process can be determined from the attribute of the currently created file handle and the characteristics of that process, so that ransomware can be identified in a timely and effective way.
Once the attribute of the currently created file handle is determined to carry write permission, the corresponding file can be backed up in encrypted form in time, which provides active defense in advance.
When specifically judging for ransomware, the number, suffix names and paths of the file handles occupied by the current process can be judged, so as to reduce or avoid false alarms and improve the accuracy of the ransomware judgment.
Furthermore, after a file has been maliciously encrypted by ransomware, it can be recovered using the encrypted backup file, which further improves the ransomware defense capability.
More importantly, when a newly created file handle is found and the read/write information in its attribute is a write attribute, the file handle is copied and the corresponding file is backed up in encrypted form, so that when a file encrypted by ransomware is restored from the encrypted backup, it is restored to its state before the ransomware encrypted it, achieving accurate restoration of the encrypted file.
The embodiments of the invention can be applied to any Windows system, require no specific third-party application to be installed, can handle every application silently, raise an alarm only when ransomware is found, and actively recover the encrypted files.
It is noted that, herein, relational terms such as first and second, and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A ransomware defense method, comprising:
monitoring the creation of file handles;
if a file handle is currently created, querying the attribute of the currently created file handle, and judging whether the attribute of the currently created file handle has write permission;
if the attribute of the currently created file handle has write permission, querying the process to which the currently created file handle belongs;
judging whether the characteristics of the process to which the currently created file handle belongs meet predetermined judgment characteristics; and
if the characteristics of the process to which the currently created file handle belongs meet the predetermined judgment characteristics, determining that the process to which the currently created file handle belongs is a ransomware process.
2. The ransomware defense method according to claim 1, wherein said judging whether the characteristics of the process to which the currently created file handle belongs meet predetermined judgment characteristics comprises:
judging whether the number of file handles occupied by the process to which the currently created file handle belongs reaches a predetermined number threshold; and/or
judging whether the suffix names of the files corresponding to the file handles occupied by the process to which the currently created file handle belongs are the same; and/or
judging whether the paths of the files corresponding to the file handles occupied by the process to which the currently created file handle belongs include different paths;
and said determining, if the characteristics of the process to which the currently created file handle belongs meet the predetermined judgment characteristics, that the process to which the currently created file handle belongs is a ransomware process comprises: if the number of occupied file handles reaches the predetermined number threshold, and/or the suffix names of the files corresponding to the occupied file handles are the same, and/or the paths of the files corresponding to the occupied file handles include different paths, determining that the characteristics of the process to which the currently created file handle belongs meet the predetermined judgment characteristics.
3. The method according to claim 1 or 2, wherein, if the attribute of the currently created file handle has write permission, the method further comprises:
copying the currently created file handle; and
making an encrypted backup of the file corresponding to the currently created file handle.
4. The method according to claim 3, wherein, after determining that the process to which the currently created file handle belongs is a ransomware process, the method further comprises:
recovering the file encrypted by the ransomware using the encrypted backup file.
5. A ransomware defense device, comprising:
a monitoring module, configured to monitor the creation of file handles;
a first judging module, configured to, if a file handle is currently created, query the attribute of the currently created file handle and judge whether the attribute of the currently created file handle has write permission;
a query module, configured to query the process to which the currently created file handle belongs if the attribute of the currently created file handle has write permission;
a second judging module, configured to judge whether the characteristics of the process to which the currently created file handle belongs meet predetermined judgment characteristics; and
a third judging module, configured to determine that the process to which the currently created file handle belongs is a ransomware process if the characteristics of the process to which the currently created file handle belongs meet the predetermined judgment characteristics.
6. The ransomware defense device according to claim 5, wherein the second judging module comprises:
a first judging submodule, configured to judge whether the number of file handles occupied by the process to which the currently created file handle belongs reaches a predetermined number threshold; and/or
a second judging submodule, configured to judge whether the suffix names of the files corresponding to the file handles occupied by the process to which the currently created file handle belongs are the same; and/or
a third judging submodule, configured to judge whether the paths of the files corresponding to the file handles occupied by the process to which the currently created file handle belongs include different paths;
wherein the third judging module is configured to determine that the characteristics of the process to which the currently created file handle belongs meet the predetermined judgment characteristics if the number of occupied file handles reaches the predetermined number threshold, and/or the suffix names of the files corresponding to the occupied file handles are the same, and/or the paths of the files corresponding to the occupied file handles include different paths.
7. The ransomware defense device according to claim 5 or 6, further comprising:
a copy module, configured to copy the currently created file handle; and
a backup module, configured to make an encrypted backup of the file corresponding to the currently created file handle.
8. The ransomware defense device according to claim 7, further comprising:
a recovery module, configured to recover the file encrypted by the ransomware using the encrypted backup file.
9. An electronic device, characterized in that the electronic device comprises a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the method of any one of the preceding claims.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the method of any one of the preceding claims.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811579545.7A CN110874474A (en) | 2018-12-21 | 2018-12-21 | Lessocian virus defense method, Lessocian virus defense device, electronic device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110874474A true CN110874474A (en) | 2020-03-10 |
Family
ID=69716309
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110874474A (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106611121A (en) * | 2016-11-01 | 2017-05-03 | 哈尔滨安天科技股份有限公司 | Method and system for finding extortion viruses based on file format monitoring |
CN108959951A (en) * | 2017-05-19 | 2018-12-07 | 北京瑞星网安技术股份有限公司 | Method, apparatus, equipment and the readable storage medium storing program for executing of document security protection |
CN107480527A (en) * | 2017-08-03 | 2017-12-15 | 深圳市联软科技股份有限公司 | Extort the prevention method and system of software |
CN107729752A (en) * | 2017-09-13 | 2018-02-23 | 中国科学院信息工程研究所 | One kind extorts software defense method and system |
CN108363923A (en) * | 2017-10-19 | 2018-08-03 | 北京安天网络安全技术有限公司 | A kind of blackmailer's virus defense method, system and equipment |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111552962A (en) * | 2020-03-25 | 2020-08-18 | 沈阳通用软件有限公司 | Method for intercepting viruses of files in USB flash disk PE format based on Windows operating system |
CN111552962B (en) * | 2020-03-25 | 2024-03-01 | 三六零数字安全科技集团有限公司 | Interception method of USB flash disk PE format file viruses based on Windows operating system |
CN111625828A (en) * | 2020-07-29 | 2020-09-04 | 杭州海康威视数字技术股份有限公司 | Lesovirus defense method and device and electronic equipment |
CN111625828B (en) * | 2020-07-29 | 2021-02-26 | 杭州海康威视数字技术股份有限公司 | Lesovirus defense method and device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20200310 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |