CN112560040A - General detection method and device for computer infectious virus - Google Patents
- Publication number: CN112560040A (application CN202011562776.4A)
- Authority: CN (China)
- Prior art keywords: subdirectory, file, computer, virus, program
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Abstract
The invention provides a general detection method and device for computer infectious viruses. The method comprises the following steps: step S1: creating a first subdirectory and a second subdirectory in the root directory or another directory of a disk; step S2: creating a bait file under each of the first and second subdirectories; step S3: installing a monitoring program in the system and, if the monitoring program observes a program in the system performing a change behavior on a bait file, intercepting the observed change behavior and judging that program to be an infectious virus; step S4: processing the virus process. According to the scheme of the invention, an infectious virus can be detected effectively at an early stage, and irreversible damage to the user's operating system environment is avoided.
Description
Technical Field
The invention relates to the field of computer information security, in particular to a general detection method and device for computer infectious viruses.
Background
An infectious (file-infecting) virus is a class of computer virus that inserts itself into other programs or dynamic library files so that it runs whenever the infected program runs, and thereby damages the infected computer and spreads further.
Current host security software detects infectious viruses in one of two ways. The first is static scanning of virus file signatures: the scanned file is matched against signatures held in a virus database. Because the database holds only the signatures of already-known viruses, this method cannot reliably detect virus variants or newly emerged viruses. The second is to identify and intercept the virus once it has already infected system process files, but this approach has a fatal defect: by the time the virus is identified and intercepted, some of the files on the user's computer have already been infected, and the infected files are difficult or even impossible to recover.
Disclosure of Invention
To solve these technical problems, the invention provides a general detection method and a general detection device for computer infectious viruses, addressing the low detection rate of traditional antivirus software against unknown infectious viruses.
According to a first aspect of the present invention, there is provided a universal method for detecting computer infectious viruses, the method comprising the steps of:
step S1: creating a first subdirectory and a second subdirectory in a root directory or other directories of a disk; the first subdirectory is the subdirectory which is firstly traversed by the operating system when traversing the root directory or other directories; the second subdirectory is the last subdirectory traversed by the operating system when traversing the root directory or other directories;
step S2: creating a bait file under the first subdirectory and the second subdirectory;
step S3: installing a monitoring program in a system, if the monitoring program monitors that the program in the system carries out change behaviors on the bait file, intercepting the monitored change behaviors, and judging that the program is an infectious virus;
step S4: processing the virus process.
Further, the first subdirectory and the second subdirectory are named according to an operating system file ordering rule.
Further, in step S4, processing the virus process specifically includes: not processing it; or deleting the virus file; or ending the process.
Further, in step S3, the change behavior includes: modifying the content of the file; and/or renaming the file; and/or modifying file attributes; and/or modifying file permissions; and/or deleting the file.
According to a second aspect of the present invention, there is provided a universal detection device for computer infectious viruses, the device comprising:
the file directory creating module is used for creating a first subdirectory and a second subdirectory in a root directory or other directories of the disk; the first subdirectory is the subdirectory which is firstly traversed by the operating system when traversing the root directory or other directories; the second subdirectory is the last subdirectory traversed by the operating system when traversing the root directory or other directories;
a bait file creating module for creating a bait file under the first subdirectory and the second subdirectory;
the antivirus module is used for installing a monitoring program in the system, intercepting the monitored change behavior if the monitoring program detects that a program in the system changes the bait file, and judging that program to be an infectious virus;
and the processing module is used for processing the virus process.
Further, the first subdirectory and the second subdirectory are named according to an operating system file ordering rule.
Further, the processing module processes the virus process by: not processing it; or deleting the virus file; or ending the process.
Further, the change behavior includes: modifying the content of the file; and/or renaming the file; and/or modifying file attributes; and/or modifying file permissions; and/or deleting the file.
According to a third aspect of the present invention, there is provided an electronic device comprising a processor and a memory, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the method for universal detection of computer infectious viruses.
According to a fourth aspect of the present invention, there is provided a computer-readable storage medium having a computer program stored therein, wherein the computer program is to be loaded by a processor and executed to perform the method for universal detection of computer infectious viruses.
According to the above scheme of the invention, the following technical effects can be obtained: the virus detection identification rate and accuracy are markedly improved compared with existing detection methods, and the virus can be found and handled in time, before it has infected the user's files, so that irreversible damage to the user's operating system environment is avoided.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. In the drawings:
FIG. 1 is a flow chart of a general method for detecting computer infectious viruses according to an embodiment of the present invention;
FIG. 2 is a block diagram showing the configuration of a general-purpose apparatus for detecting computer infectious viruses according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the specific embodiments of the present invention and the accompanying drawings. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To better illustrate the implementation of the present invention, the flow of the general detection method for computer infectious viruses according to one embodiment is first described with reference to fig. 1. As shown in fig. 1, the method comprises the steps of:
step S1: creating a first subdirectory and a second subdirectory in the root directory or another directory of a disk; the first subdirectory is the subdirectory that the operating system traverses first when traversing the root directory or other directory; the second subdirectory is the subdirectory that the operating system traverses last when traversing the root directory or other directory.
In this step, at least two subdirectories are created in the disk root directory or another directory. The subdirectory names are constructed according to the operating system's file ordering rule: one name is constructed so that the system traverses it first, and the other so that the system traverses it last. For example, if the three directories test1, test2 and test3 exist in a partition of the user's disk, a directory named a can be created so that the operating system traverses it first, and a directory named z can be created so that the operating system traverses it last.
Step S2: creating a bait file under the first and second subdirectories.
An executable decoy file is created in each subdirectory created in the previous step; the decoy file suffixes include, but are not limited to, exe, com and sys.
Step S3: and installing a monitoring program in the system, if the monitoring program monitors that the program in the system carries out change behavior on the bait file, intercepting the monitored change behavior, and judging that the program is an infectious virus.
In the step, by installing a monitoring program in the system, the change behaviors of all programs in the system on the bait file are monitored, and the monitored change behaviors are intercepted. Since the change behavior of the bait file conforms to the characteristics of the infectious virus, when the change behavior of the program to the bait file is monitored, the program can be judged to be the infectious virus.
The change behavior includes: modifying the content of the file, and/or renaming the file, and/or modifying the properties of the file, and/or deleting the file.
Step S4: processing the virus process.
Processing the virus process specifically comprises: deleting or ending the process.
The general flow by which an infectious virus infects files is: first, traverse the directory structure under a drive letter and search for all executable files along the traversed paths; then add the virus's malicious code to the executable program files found, thereby achieving diffusion and propagation. The virus is therefore trapped on the basis of its directory-traversal characteristic: because the directory-traversal interface provided by the operating system returns entries in order of the character codes of their pathnames, directories that the operating system traverses first and last can be constructed, bait files can be placed under those directories, and when the virus tries to infect those files, the virus process is processed, for example by ending or deleting it.
The scheme of the invention thus traps the virus by exploiting the directory-traversal characteristic of infectious viruses, so that an infectious virus can be detected effectively at an early stage and irreversible damage to the user's operating system environment is avoided. In addition, by creating the bait files, the change behavior of all programs in the system towards the bait files can be effectively monitored and intercepted, so that virus processes are killed, virus detection is more comprehensive, and the virus identification rate and accuracy are markedly improved.
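As an added example (not code from the patent or its applicant), the following Python script implements steps S1 to S4 portably: it derives subdirectory names that sort first and last among whatever sibling entries exist (generalising the a/z example above to arbitrary names), plants exe/com/sys decoys, and compares a baseline snapshot against the current state to report content, permission, rename and delete changes. It carries over the patent's assumption that enumeration order is the character-code order of the names; the function names, the inert decoy content and the run_demo sample directory are constructed for this example.

```python
"""Decoy-directory detector for file-infecting viruses (added example, not the patent's code).
S1 choose subdirectory names that sort first and last among their siblings; S2 plant
exe/com/sys baits in both; S3 snapshot the baits, then flag content, permission, rename
and delete changes; S4 return the findings for the caller to ignore, delete or terminate.
Assumption carried over from the patent: the OS enumerates entries in pathname character-
code order. Where readdir() is unsorted (ext4 hash order) first/last placement is not
guaranteed, and attributing a change to a PID needs a kernel hook (out of scope here).
"""
from __future__ import annotations
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

BAIT_SUFFIXES = ("exe", "com", "sys")
# Constructed inert payload: MZ header plus a marker; looks executable but is not a program.
BAIT_CONTENT = b"MZ" + b"\x00" * 62 + b"DECOY-DO-NOT-RUN"


def choose_bait_dir_names(existing: list[str]) -> tuple[str, str]:
    """S1: '!' (0x21, lowest printable non-space) sorts before any ordinary name; '~'
    (0x7E, highest printable ASCII) is repeated until it sorts after every sibling."""
    lowest = min(existing, default="~")
    if lowest <= "!":
        raise ValueError(f"cannot sort before existing entry {lowest!r}")
    last = "~"
    while any(name >= last for name in existing):
        if len(last) > max(len(name) for name in existing):
            raise ValueError("an existing entry starts above '~' (non-ASCII name)")
        last += "~"
    return "!", last


def plant_baits(root: Path) -> list[Path]:
    """S1 + S2: create the first/last subdirectories under root and fill them with baits."""
    first, last = choose_bait_dir_names([p.name for p in root.iterdir()])
    baits: list[Path] = []
    for dirname in (first, last):
        directory = root / dirname
        directory.mkdir(exist_ok=True)
        for suffix in BAIT_SUFFIXES:
            bait = directory / f"bait.{suffix}"
            bait.write_bytes(BAIT_CONTENT)
            bait.chmod(0o644)  # fixed baseline mode so a later chmod is detectable
            baits.append(bait)
    return baits


@dataclass(frozen=True)
class BaitState:
    sha256: str
    mode: int
    size: int


def _state(path: Path) -> BaitState:
    st = path.stat()
    return BaitState(hashlib.sha256(path.read_bytes()).hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)


def snapshot(baits: list[Path]) -> dict[Path, BaitState]:
    """Baseline taken right after planting; anything that later differs is suspect."""
    return {bait: _state(bait) for bait in baits}


def detect_changes(baseline: dict[Path, BaitState]) -> list[tuple[Path, str]]:
    """S3: (path, kind) for every bait that differs from its baseline; kind is 'content',
    'permissions' or 'deleted-or-renamed' (a rename makes the original path vanish)."""
    findings: list[tuple[Path, str]] = []
    for path, before in baseline.items():
        if not path.exists():
            findings.append((path, "deleted-or-renamed"))
            continue
        now = _state(path)
        if now.sha256 != before.sha256 or now.size != before.size:
            findings.append((path, "content"))
        if now.mode != before.mode:
            findings.append((path, "permissions"))
    return findings


def run_demo() -> dict[str, object]:
    """Walk the method through a constructed temporary 'partition' (the patent's own test1..3)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("test1", "test2", "test3"):
            (root / name).mkdir()
        baits = plant_baits(root)
        baseline = snapshot(baits)
        clean = detect_changes(baseline)  # nothing touched yet: expect no findings
        # Exercise each monitored behaviour on the decoys only (constructed, not a real infection):
        baits[0].write_bytes(BAIT_CONTENT + b"APPENDED")  # content change
        os.chmod(baits[1], 0o400)                          # permission change
        baits[3].rename(baits[3].with_suffix(".bak"))      # rename
        baits[5].unlink()                                  # delete
        return {"dirs": sorted(p.name for p in root.iterdir()),
                "clean_findings": len(clean),
                "kinds": sorted(kind for _, kind in detect_changes(baseline))}
```

Calling run_demo() shows the "!" and "~" directories bracketing test1..test3 in sorted order and one finding per simulated change; in production the baseline would be re-checked on a timer or from a file-system notification.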
The embodiment of the present invention further provides a general detection device for computer infectious viruses, as shown in fig. 2; the device includes:
the file directory creating module is used for creating a first subdirectory and a second subdirectory in a root directory or other directories of the disk; the first subdirectory is the subdirectory which is firstly traversed by the operating system when traversing the root directory or other directories; the second subdirectory is the last subdirectory traversed by the operating system when traversing the root directory or other directories;
a bait file creating module for creating a bait file under the first subdirectory and the second subdirectory;
the antivirus module is used for installing a monitoring program in the system, intercepting the monitored change behavior if the monitoring program detects that a program in the system changes the bait file, and judging that program to be an infectious virus;
and the processing module is used for processing the virus process.
Further, the first subdirectory and the second subdirectory are named according to an operating system file ordering rule.
Further, the processing module processes the virus process by: not processing it; or deleting the virus file; or ending the process.
Further, the change behavior includes: modifying the content of the file; and/or renaming the file; and/or modifying file attributes; and/or modifying file permissions; and/or deleting the file.
The functions executed by the functional modules of the universal detection device for computer infectious viruses in this embodiment correspond to the steps of the aforementioned universal detection method for computer infectious viruses and are not described again here.
An embodiment of the present invention further provides an electronic device, which includes a processor and a memory, wherein the memory stores a computer program and the processor is configured to execute the computer program to perform the method for universal detection of computer infectious viruses.
An embodiment of the present invention further provides a computer-readable storage medium in which a computer program is stored, wherein the computer program is loaded by a processor and executed to perform the method for universal detection of computer infectious viruses.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes a plurality of instructions for enabling a computer device (which may be a personal computer, a physical server, or a cloud server, and which needs to run a Linux, Windows, or Windows Server operating system) to perform some of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification, equivalent change and modification made to the above embodiment according to the technical spirit of the present invention are still within the scope of the technical solution of the present invention.
Claims (10)
1. A universal method for detecting computer infectious viruses, the method comprising the steps of:
step S1: creating a first subdirectory and a second subdirectory in a disk root directory or other directories; the first subdirectory is the subdirectory which is firstly traversed by the operating system when traversing the root directory or other directories; the second subdirectory is the last subdirectory traversed by the operating system when traversing the root directory or other directories;
step S2: creating a bait file under the first subdirectory and the second subdirectory;
step S3: installing a monitoring program in a system, if the monitoring program monitors that the program in the system carries out change behaviors on the bait file, intercepting the monitored change behaviors, and judging that the program is an infectious virus;
step S4: processing the virus process.
2. The universal method for detecting computer infectious viruses as claimed in claim 1, wherein the first subdirectory and the second subdirectory are named according to the operating system file ordering rule.
3. The universal method for detecting computer infectious viruses as claimed in claim 1, wherein processing the virus process in step S4 specifically comprises: not processing it; or deleting the virus file; or ending the process.
4. The universal method for detecting computer infectious viruses as claimed in claim 1, wherein the change behavior in step S3 comprises: modifying the content of the file; and/or renaming the file; and/or modifying file attributes; and/or modifying file permissions; and/or deleting the file.
5. A universal detection device for computer infectious viruses, the device comprising:
the file directory creating module is used for creating a first subdirectory and a second subdirectory in a root directory or other directories of the disk; the first subdirectory is the subdirectory which is firstly traversed by the operating system when traversing the root directory or other directories; the second subdirectory is the last subdirectory traversed by the operating system when traversing the root directory or other directories;
a bait file creating module for creating a bait file under the first subdirectory and the second subdirectory;
the antivirus module is used for installing a monitoring program in the system, intercepting the monitored change behavior if the monitoring program detects that a program in the system changes the bait file, and judging that program to be an infectious virus;
and the processing module is used for processing the virus process.
6. The universal detection device for computer infectious viruses as claimed in claim 5, wherein the first subdirectory and the second subdirectory are named according to the operating system file ordering rule.
7. The universal detection device for computer infectious viruses as claimed in claim 5, wherein the processing module processes the virus process by: not processing it; or deleting the virus file; or ending the process.
8. The universal detection device for computer infectious viruses according to claim 7, wherein the change behavior comprises: modifying the content of the file; and/or renaming the file; and/or modifying file attributes; and/or modifying file permissions; and/or deleting the file.
9. An electronic device comprising a processor and a memory, wherein the memory has stored therein a computer program, the processor being configured to execute the computer program to perform the method for universal detection of computer infectious viruses of any one of claims 1-4.
10. A computer-readable storage medium in which a computer program is stored, wherein the computer program is adapted to be loaded by a processor to carry out the method for universal detection of computer infectious viruses according to any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011562776.4A CN112560040A (en) | 2020-12-25 | 2020-12-25 | General detection method and device for computer infectious virus |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112560040A true CN112560040A (en) | 2021-03-26 |
Family
ID=75032807
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011562776.4A Pending CN112560040A (en) | 2020-12-25 | 2020-12-25 | General detection method and device for computer infectious virus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112560040A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114692151A (en) * | 2022-04-08 | 2022-07-01 | 成都理工大学 | Discovery method of USB flash disk virus and application tool thereof |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1314638A (en) * | 2001-04-29 | 2001-09-26 | 北京瑞星科技股份有限公司 | Method, system and medium for detecting and clearing known and unknown computer virus |
JP2006011552A (en) * | 2004-06-22 | 2006-01-12 | Lac Co Ltd | Computer virus information collection device, method, and program |
CN1761939A (en) * | 2003-03-17 | 2006-04-19 | 精工爱普生株式会社 | Method and system for preventing virus infection |
WO2009032379A1 (en) * | 2007-06-12 | 2009-03-12 | The Trustees Of Columbia University In The City Of New York | Methods and systems for providing trap-based defenses |
CN103294950A (en) * | 2012-11-29 | 2013-09-11 | 北京安天电子设备有限公司 | High-power secret information stealing malicious code detection method and system based on backward tracing |
CN107480527A (en) * | 2017-08-03 | 2017-12-15 | 深圳市联软科技股份有限公司 | Extort the prevention method and system of software |
CN107871079A (en) * | 2017-11-29 | 2018-04-03 | 深信服科技股份有限公司 | A kind of suspicious process detection method, device, equipment and storage medium |
CN108363923A (en) * | 2017-10-19 | 2018-08-03 | 北京安天网络安全技术有限公司 | A kind of blackmailer's virus defense method, system and equipment |
CN108616510A (en) * | 2018-03-24 | 2018-10-02 | 张瑜 | It is a kind of that virus detection techniques are extorted based on digital immune reclusion |
CN108959951A (en) * | 2017-05-19 | 2018-12-07 | 北京瑞星网安技术股份有限公司 | Method, apparatus, equipment and the readable storage medium storing program for executing of document security protection |
CN109145599A (en) * | 2017-06-27 | 2019-01-04 | 关隆股份有限公司 | The means of defence of malicious virus |
CN109784055A (en) * | 2018-12-29 | 2019-05-21 | 上海高重信息科技有限公司 | A kind of method and system of quick detection and preventing malice software |
CN112106047A (en) * | 2018-02-23 | 2020-12-18 | 迈克菲有限责任公司 | Anti-lux software system and method using countersinks at electronic devices |
Timeline
- 2020-12-25: CN CN202011562776.4A patent/CN112560040A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20210326 |