CN115408687A - Ransomware protection method and apparatus - Google Patents

Info

Publication number
CN115408687A
Authority
CN
China
Prior art keywords
file
target file
target
determining
suffix
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211129724.7A
Other languages
Chinese (zh)
Inventor
李施展
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202211129724.7A
Publication of CN115408687A
Legal status: Pending

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F 21/55 Detecting local intrusion or implementing counter-measures
                • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
                • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                  • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
          • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F 16/10 File systems; File servers
              • G06F 16/13 File access structures, e.g. distributed indices
              • G06F 16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
              • G06F 16/17 Details of further file system functions
                • G06F 16/172 Caching, prefetching or hoarding of files

Abstract

Embodiments of the invention provide a ransomware protection method and apparatus. The method comprises: determining a first target file among the files in a system, the first target file being a file that ransomware can attack; determining at least the name, suffix and access path of the first target file and storing them in association with it; processing the first target file to form a second target file, the second target file being a file that ransomware ignores; and, in response to an input instruction, matching the second target file using the stored information of the first target file and the input instruction. The method can simply and effectively prevent ransomware from attacking files.

Description

Ransomware protection method and apparatus
Technical Field
Embodiments of the invention relate to the technical field of network security, and in particular to a ransomware protection method and apparatus.
Background
Ransomware is a type of malware used by attackers to hijack a user's assets or resources and to extort money from the user as the condition for their return. Ransomware typically encrypts files of many kinds on the user's system (documents, mail, databases, source code, pictures, archives and so on) so that they become unusable and the data cannot be recovered without the decryption key, or it degrades the usability of the system by modifying system configuration files and interfering with the user's normal use. It then delivers a ransom note, by a pop-up window, a dialog box or a generated text file, demanding that the user pay a designated account in order to obtain the key for decrypting the files or the means of restoring normal operation of the system.
Existing protection against ransomware falls into four main schemes. The first is to detect known ransomware by signature scanning with an antivirus engine. The engine is the core of antivirus software: it compares every program or file on the machine against a signature database built from virus samples that have already been collected, and treats a match as a virus (a non-match is not necessarily clean). Because the database only contains signatures extracted from samples that have already been collected, it cannot detect unknown ransomware. And because the signatures are extracted from the binary data of the sample, a known sample whose signature bytes have been altered is no longer detected either, so this scheme fails even against known viruses and ransomware once only the signature has changed. Signature extraction and removal also consumes a large amount of human effort.
The second scheme protects against ransomware with file backups: files on a readable and writable disk that are modified or deleted within a given period are backed up, so that if ransomware encrypts files on the disk within that period they can be retrieved from the backup. Its drawback is that it requires a large amount of disk space.
The third scheme deploys sentinel (decoy) files in the operating system. Because ransomware must recursively traverse the whole disk before encrypting, the sentinel files are named so that the traversal processes them first, and they are checked periodically for changes in order to determine whether the system has been infected by ransomware. The drawback is that a large number of meaningless, suffix-less files must be generated, occupying a large amount of disk space.
The fourth scheme writes a file-system filter driver, or hooks the file-processing functions and encryption-algorithm APIs, and judges from the file contents before and after each modification whether the file is being encrypted by ransomware. Its drawbacks are that writing such a driver is technically demanding, affects the stability of the system and easily causes crashes, and that every file operation in the system runs the driver's check code, consuming a large amount of CPU.
Disclosure of Invention
The invention provides a ransomware protection method and apparatus that can simply and effectively prevent ransomware from attacking files.
To solve the above technical problem, an embodiment of the present invention provides a ransomware protection method, comprising:
determining a first target file among the files in a system, wherein the first target file is a file that ransomware can attack;
determining at least the name, suffix and access path of the first target file, and storing them in association with it;
processing the first target file to form a second target file, wherein the second target file is a file that ransomware ignores;
and, in response to an input instruction, matching the second target file using the stored information of the first target file and the input instruction.
As an optional embodiment, determining the first target file among the files in the system comprises:
traversing the files in the system and determining a first target file with a target suffix, wherein the target suffix is a file suffix of files that ransomware can attack.
As an optional embodiment, determining at least the name, suffix and access path of the first target file and storing them in association comprises:
determining at least the name, suffix and access path of the first target file;
creating an index table;
and storing the related information of each first target file in the index table.
As an optional embodiment, processing the first target file to form the second target file comprises:
adding at least a first target feature to the binary content of the first target file to form the second target file, wherein the first target feature is a feature by which ransomware identifies and selects its attack targets.
As an optional embodiment, the method further comprises:
adding a second target feature to the binary content of the first target file to form the second target file, wherein the second target feature allows the system to recognise that the second target file was formed by processing the first target file.
As an optional embodiment, adding the first target feature and the second target feature to the binary content of the first target file comprises:
adding the first target feature and the second target feature to the file header of the first target file.
As an optional embodiment, matching the second target file in response to an input instruction, using the stored information of the first target file and the input instruction, comprises:
in response to a first input instruction, restoring the second target file to form the corresponding first target file;
searching the stored information of each first target file for a match with the restored first target file, and determining the related information of the restored first target file;
and processing the determined first target file based on the determined related information and the first input instruction, wherein the first input instruction comprises an instruction to access and open the first target file.
As an optional embodiment, the method further comprises:
in response to a second input instruction, processing the determined first target file to form a second target file, wherein the second input instruction comprises a file-save instruction.
Another embodiment of the present invention provides a ransomware protection apparatus, comprising:
a first determining module for determining a first target file among the files in the system, wherein the first target file is a file that ransomware can attack;
a second determining module for determining at least the name, suffix and access path of the first target file and storing them in association with it;
a processing module for processing the first target file to form a second target file, wherein the second target file is a file that ransomware ignores;
and a response module for responding to an input instruction by matching the second target file using the stored information of the first target file and the input instruction.
As an optional embodiment, determining the first target file among the files in the system comprises:
traversing the files in the system and determining a first target file with a target suffix, wherein the target suffix is a file suffix of files that ransomware can attack.
From the above it can be seen that the embodiments of the present invention have the following advantages: a first target file that ransomware can attack is determined by screening the system's files; the related information of the first target file is determined and stored; the first target file is then processed into a second target file that ransomware will not attack; and after the system receives an input instruction it responds by matching the content of the instruction against the stored related information. The method can thus protect against ransomware simply, quickly, effectively and with low overhead, preventing the files in the system from being attacked.
Drawings
FIG. 1 is a flowchart of a ransomware protection method according to an embodiment of the present invention.
FIG. 2 is a flowchart of a ransomware protection method according to another embodiment of the present invention.
FIG. 3 is a block diagram of a ransomware protection apparatus according to an embodiment of the present invention.
Detailed Description
Specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings, but the present invention is not limited thereto.
It will be understood that various modifications may be made to the embodiments disclosed herein. The following description is, therefore, not to be taken in a limiting sense, and is made merely as an exemplification of embodiments. Other modifications within the scope and spirit of the present disclosure will occur to those skilled in the art.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the disclosure and, together with a general description of the disclosure given above, and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the invention will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It should also be understood that, although the invention has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of the invention, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present disclosure will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present disclosure are described hereinafter with reference to the drawings; however, it is to be understood that the disclosed embodiments are merely examples of the disclosure, which may be embodied in various forms. Well-known or repeated functions and constructions are not described in detail, to avoid obscuring the disclosure in unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present disclosure in virtually any appropriately detailed structure.
The description may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the disclosure.
The embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
The core function of ransomware is to encrypt the files on the whole disk as fast as possible while consuming as few resources as possible and without crashing the system, mainly so that the user of the system does not notice anything abnormal. Since its purpose is to encrypt files that may be valuable, it has to distinguish which files need to be encrypted and which do not, in order to save computing resources. There are, however, hundreds of file types that ransomware usually encrypts, and it is impractical to analyse and identify each type during development: doing so would add development difficulty and time, and would consume more resources and time while the program runs. Existing operating systems such as Windows use the file suffix to reduce exactly this cost: a suffix is bound to a handler program and the operating system dispatches on it, so the resources and time that would be spent analysing and judging the file type are saved, while the suffix itself has no effect on the file's content. Examination of open-source ransomware and reverse engineering of ransomware samples accordingly show that, on Windows, ransomware mainly distinguishes files by their suffix, encrypting those whose suffix appears in an internal list.
Based on the above, as shown in FIG. 1, an embodiment of the present invention provides a ransomware protection method, comprising:
determining a first target file among the files in a system, wherein the first target file is a file that ransomware can attack;
determining at least the name, suffix and access path of the first target file, and storing them in association with it;
processing the first target file to form a second target file, wherein the second target file is a file that ransomware ignores;
and, in response to an input instruction, matching the second target file using the stored information of the first target file and the input instruction.
The beneficial effects of this embodiment include that a first target file that ransomware can attack is determined by screening the system's files, the related information of the first target file is determined and stored, the first target file is then processed into a second target file that ransomware will not attack, and after the system receives an input instruction it responds by matching the content of the instruction against the stored related information. In other words, a file that ransomware could attack is disguised in advance as another file that ransomware does not identify as an attack target, and when the system receives an input instruction it can respond correctly to it using the stored related information of the first target file. The method of this embodiment can therefore protect against ransomware simply, quickly, effectively and with low overhead, and prevent the files in the system from being attacked.
Specifically, in this embodiment, determining the first target file among the files in the system comprises:
traversing the files in the system and determining a first target file with a target suffix, wherein the target suffix is a file suffix of files that ransomware can attack.
For example, the files in the system are traversed and executable files or programs are excluded, that is, files whose suffix is .exe, .dll, .sys, .com, .bat and the like (the list is not exhaustive), because files of these formats are ones that ransomware does not encrypt. The files that ransomware can attack, i.e. the first target files, are thus determined by searching and filtering on the suffixes of the files in the system.
Further, as shown in FIG. 2, determining at least the name, suffix and access path of the first target file and storing them in association comprises:
determining at least the name, suffix and access path of the first target file;
creating an index table;
and storing the related information of each first target file in the index table.
For example, information is extracted from each first target file obtained by the screening, including but not limited to its file name and path, its data structure and its suffix. In particular, the registry can be queried to obtain the path of the program that opens the first target file; for instance, a .txt file is opened by C:\Windows\System32\notepad.exe. After the related information of each first target file has been obtained, an index table is created and all of the information is stored in a system directory according to the table. The main purpose of the index table is to let the system's scheduling module quickly look up the information of the corresponding first target file and carry out the subsequent processing.
Specifically, processing the first target file to form the second target file comprises:
prepending at least a first target feature to the binary content of the first target file to form the second target file, wherein the first target feature is a feature by which ransomware identifies and selects its attack targets.
Optionally, the method in this embodiment further comprises:
prepending a second target feature to the binary content of the first target file to form the second target file, wherein the second target feature allows the system to recognise that the second target file was formed by processing the first target file.
Prepending the first target feature and the second target feature to the binary content of the first target file comprises:
adding the first target feature and the second target feature to the file header of the first target file, in front of its binary content.
For example, a file feature that ransomware ignores, that is, one that causes ransomware not to recognise the first target file as an attack target, is prepended to the binary content of the original file (the first target file); this is the first target feature. The purpose of this step is to stop ransomware from deciding whether or not to encrypt the file by identifying its file characteristics. Concretely, suppose the first target file is a ZIP-format archive whose header is the bytes 50 4B (ASCII "PK"). The signature of an executable file, 4D 5A (the first target feature), can be added in front of that header, so that the header of the original ZIP file becomes 4D 5A 50 4B. Since ransomware analyses the file format, that is, decides whether a file is an attack target by analysing the characteristics of its data structure, it may take the processed file (the second target file) for an executable and ignore it, so that no attack takes place. In addition, so that the system can recognise the second target file and perform matching on it, this embodiment adds the second target feature to the file header of the first target file at the same time. For example, after processing the original file becomes 4D 5A 73 37 50 4B ..., where 73 37 is the second target feature, used by the system to resolve the file or program when it processes it.
Further, matching the second target file in response to an input instruction, using the stored information of the first target file and the input instruction, comprises:
in response to a first input instruction, restoring the second target file to form the corresponding first target file;
searching the stored information of each first target file for a match with the restored first target file, and determining the related information of the restored first target file;
and processing the determined first target file based on the determined related information and the first input instruction, wherein the first input instruction comprises an instruction to access and open the first target file.
For example, the first input instruction is an instruction to access and open a first target file, such as the input produced by clicking a second target file with the mouse. The system responds to the first input instruction with a scheduling module A, constructed to handle the mouse-click event. Specifically, when a modified file, that is, a second target file, is clicked, scheduling module A runs, removes from the file the disguising features added in the previous steps (the first and second target features), looks up the related information of the corresponding first target file in the previously created index table by the suffix of the file with the features removed, determines the access path and so on from that record, and passes the file information of the first target file to the corresponding handler program, which opens the first target file.
Optionally, for the case where the user wants to save the first target file again after accessing it, the method in this embodiment further comprises:
in response to a second input instruction, processing the determined first target file to form a second target file, wherein the second input instruction comprises a file-save instruction.
For example, a scheduling module B is constructed to handle the handler program's file operations, namely saving a file and creating a new file (the low-level operation of creating a file necessarily includes a save step, so the module mainly handles saved files, although it can also handle opened files). Concretely this can be implemented by hooking the Windows file-processing API. When a file is saved, its suffix is removed, the processing steps above are run again, and the disguising feature and the identification feature (the first and second target features) are added. The file information is then written into the index table and stored in association with the file.
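The screening, indexing, header-wrapping, open and save steps described above, as one added Python example that is not part of the patent or of any Topsec implementation: it works on a temporary directory of constructed sample files, keeps the index table as an in-memory dictionary keyed by the suffix-less path, uses a fixed HANDLERS table in place of the registry query, and takes only the executable-suffix list and the 4D 5A 73 37 header bytes from the text. Everything else (function names, the sample file contents, the handler path for .zip) is assumed.

```python
import os
import tempfile
from dataclasses import dataclass

# Suffixes skipped as executables. The text lists .exe, .dll, .sys, .com and .bat
# "but not limited to"; this exact set is an assumption.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".bat"}
# Stand-in for the registry lookup of the handler program (assumed values; only
# the .txt entry is taken from the text).
HANDLERS = {".txt": r"C:\Windows\System32\notepad.exe",
            ".zip": r"C:\Windows\explorer.exe"}
MZ = b"\x4d\x5a"       # first target feature: the executable ("MZ") signature
MARKER = b"\x73\x37"   # second target feature: the "73 37" tag from the text
PREFIX = MZ + MARKER   # every second target file starts with 4D 5A 73 37


@dataclass
class IndexEntry:
    name: str      # original file name, e.g. "report.txt"
    suffix: str    # ".txt"
    path: str      # directory containing the file (the access path)
    handler: str   # program that opens the file


def is_first_target(path: str) -> bool:
    """Regular file with a non-executable suffix that is not already wrapped."""
    if not os.path.isfile(path) or os.path.splitext(path)[1].lower() in EXECUTABLE_SUFFIXES:
        return False
    with open(path, "rb") as f:
        return f.read(len(PREFIX)) != PREFIX


def protect(path: str, index: dict) -> str:
    """First target file -> second target file: record it in the index, drop the
    suffix and prepend MZ + marker to the binary content. Returns the new path."""
    directory, name = os.path.split(path)
    stem, suffix = os.path.splitext(name)
    protected = os.path.join(directory, stem)
    if protected != path and os.path.exists(protected):
        # Two files differing only by suffix would share one index key.
        raise FileExistsError(f"stem collision: {protected}")
    with open(path, "rb") as f:
        data = f.read()
    with open(protected, "wb") as f:
        f.write(PREFIX + data)
    if protected != path:
        os.remove(path)
    index[protected] = IndexEntry(name, suffix, directory, HANDLERS.get(suffix.lower(), ""))
    return protected


def scan_and_protect(root: str, index: dict) -> list:
    """Traverse the tree, screen by suffix, wrap every first target file."""
    found = sorted(os.path.join(d, n) for d, _, names in os.walk(root) for n in names)
    return [protect(p, index) for p in found if is_first_target(p)]


def open_protected(protected: str, index: dict):
    """First input instruction (open): strip the two features, restore the
    original name and return it together with the handler from the index."""
    entry = index[protected]
    with open(protected, "rb") as f:
        data = f.read()
    if not data.startswith(PREFIX):
        raise ValueError(f"{protected} does not carry the 4D5A7337 header")
    original = os.path.join(entry.path, entry.name)
    with open(original, "wb") as f:
        f.write(data[len(PREFIX):])
    if original != protected:
        os.remove(protected)
    del index[protected]
    return original, entry.handler


def save_protected(original: str, index: dict) -> str:
    """Second input instruction (save): wrap the file again and re-index it."""
    return protect(original, index)


def demo() -> dict:
    """Run the whole flow on constructed sample files in a temporary directory."""
    root = tempfile.mkdtemp()
    samples = {                                   # constructed sample contents
        "report.txt": b"quarterly numbers\n",
        "archive.zip": b"PK\x03\x04" + bytes(8),  # ZIP local-file-header signature
        "tool.exe": b"MZ" + bytes(8),             # PE signature: must be skipped
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    index = {}
    protected = scan_and_protect(root, index)
    with open(os.path.join(root, "archive"), "rb") as f:
        archive_head = f.read(6).hex()            # 4d 5a 73 37 50 4b, as in the text
    restored, handler = open_protected(os.path.join(root, "report"), index)
    with open(restored, "rb") as f:
        round_trip = f.read() == samples["report.txt"]
    reprotected = save_protected(restored, index)
    return {
        "protected": sorted(os.path.basename(p) for p in protected),
        "archive_head": archive_head,
        "handler": handler,
        "round_trip": round_trip,
        "reprotected": os.path.basename(reprotected),
        "index_size": len(index),
        "remaining": sorted(os.listdir(root)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practitioner caveats the text does not address: keying the index by the suffix-less path means two files that differ only in suffix collide (the code raises rather than silently overwriting), and because no filter driver is involved nothing stops any process from reading or writing the wrapped files; the protection rests entirely on the ransomware's file-selection logic treating the MZ prefix and the missing suffix as "not a target".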
On the basis of this method, ransomware is prevented without intruding into the system kernel, so the stability of the system is not affected; there is no file-comparison stage in the kernel, so CPU consumption is reduced; and no large number of extra files is generated in the system, saving disk space.
In a practical test, a file test.doc was prepared on a machine and four copies were made: the first was the unmodified original; the second had its suffix removed; the third had its suffix changed to .exe; and the fourth had the header of an executable file added and its suffix changed to .exe. The files were then exposed to ransomware running on the machine. Only the original file was attacked and encrypted; the other files were unharmed.
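The four-copy test above, re-run as an added Python example (not part of the patent) against three assumed models of a ransomware's file-selection logic, none of which describes a specific family: an internal target-suffix list, which is the mechanism the text reports; a skip list of executable suffixes; and a check of the content for the MZ signature. The example adds a fifth copy, the file the described method itself produces (suffix removed, 4D 5A 73 37 prepended). The .doc sample content is a constructed OLE2 header; the suffix sets and the function names are assumptions.

```python
import os

# Assumed models of how a ransomware sample picks files to encrypt.
TARGET_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".txt", ".zip", ".jpg", ".sql"}
SKIP_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".bat"}
MZ = b"MZ"            # 4D 5A, the executable signature used as the first target feature
MARKER = b"\x73\x37"  # 73 37, the second target feature from the text


def suffix_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def suffix_allowlist(name: str, data: bytes) -> bool:
    """Encrypt only suffixes on an internal target list (the behaviour the text reports)."""
    return suffix_of(name) in TARGET_SUFFIXES


def suffix_denylist(name: str, data: bytes) -> bool:
    """Encrypt everything except a short list of executable suffixes."""
    return suffix_of(name) not in SKIP_SUFFIXES


def magic_denylist(name: str, data: bytes) -> bool:
    """Ignore the name entirely; skip anything whose content starts with MZ."""
    return not data.startswith(MZ)


POLICIES = {
    "suffix_allowlist": suffix_allowlist,
    "suffix_denylist": suffix_denylist,
    "magic_denylist": magic_denylist,
}


def variants(data: bytes) -> dict:
    """The four copies of test.doc from the text, plus the file the described
    method itself produces (suffix removed, MZ + 73 37 prepended)."""
    return {
        "original": ("test.doc", data),
        "no_suffix": ("test", data),
        "exe_suffix": ("test.exe", data),
        "exe_header_and_suffix": ("test.exe", MZ + data),
        "patent_method": ("test", MZ + MARKER + data),
    }


def run_test(data: bytes = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(16)) -> dict:
    """Per policy, the sorted names of the variants it would encrypt. The default
    data is a constructed OLE2 compound-document header, as a .doc file has."""
    return {
        policy: sorted(label for label, (name, content) in variants(data).items()
                       if would_encrypt(name, content))
        for policy, would_encrypt in POLICIES.items()
    }


if __name__ == "__main__":
    for policy, hit in run_test().items():
        print(f"{policy:18s} encrypts: {', '.join(hit) or 'nothing'}")
```

The allowlist row reproduces the reported outcome: only the original copy is encrypted. The other two rows are the caveat. A skip-list model encrypts the method's own output, because a file with no suffix is not on the skip list, whereas the fourth test copy (renamed to .exe and given the MZ header) is ignored by all three models. Renaming to .exe rather than stripping the suffix therefore covers a wider range of selection logic, at the cost of the file looking like an executable to the user and to endpoint tooling.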
As shown in fig. 3, another embodiment of the present invention also provides a guarding device for lasso software, which includes:
the system comprises a first determining module, a second determining module and a third determining module, wherein the first determining module is used for determining a first target file in files in the system, and the first target file is a file which can be attacked by Lesoh software;
the second determining module is used for at least determining the name, the suffix and the access path of the first target file and performing matching storage;
the processing module is used for processing the first target file to form a second target file, wherein the second target file is a file which can be ignored by the lasso software;
and the response module is used for responding to an input instruction and matching the second target file by combining the stored information of the first target file and the input instruction.
As an alternative embodiment, determining a first target file in the in-system file includes:
and traversing the files in the system, and determining a first target file with a target suffix, wherein the target suffix represents a file suffix of the file which can be attacked by the lasso software.
As an optional embodiment, the determining at least a name, a suffix, and an access path of the first target file, and performing matching storage includes:
determining at least a name, a suffix and an access path of the first target file;
creating an index table;
and matching and storing the related information of each first target file based on the index table.
As an optional embodiment, processing the first target file to form the second target file includes:
adding a first target feature at least before the binary form of the first target file to form the second target file, where the first target feature is the feature that the ransomware uses to identify and select its attack targets, so that a file carrying it is not treated as a target.
As an optional embodiment, the method further includes:
adding a second target feature before the binary form of the first target file to form the second target file, where the second target feature enables the system to recognize that the second target file was formed by processing a first target file.
As an optional embodiment, adding the first target feature and the second target feature before the binary form of the first target file includes:
writing the first target feature and the second target feature into a file header that precedes the binary form of the first target file.
As an optional embodiment, responding to an input instruction and matching the second target file by combining the stored information of the first target file with the input instruction includes:
in response to a first input instruction, restoring the second target file to form the corresponding first target file;
matching and searching the stored information of each first target file against the first target file obtained by restoration, and determining the related information of the restored first target file;
and processing the determined first target file based on the determined related information and the first input instruction, where the first input instruction includes an instruction to access and open the first target file.
As an optional embodiment, the method further includes:
in response to a second input instruction, processing the determined first target file to form a second target file again, where the second input instruction includes a file saving instruction.
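The workflow described in the embodiment above (traverse for target suffixes, record name/suffix/path in an index table, prepend the two target features and rename, restore on open, re-wrap on save), together with the four-copy test described at the start of this section, as an added Python example. This is illustrative code written for this page, not the patent's own implementation: the patent names the two features, the target suffix and the index table but specifies none of their values, so the MZ stub bytes used as the first target feature, the private tag used as the second, the suffix list and the wrapper layout are all assumptions. The ransomware_would_encrypt function is likewise an assumed model of a typical encryptor's target selection (a suffix allowlist plus an executable exclusion); a family that encrypts regardless of suffix or header would not be deflected by this scheme, which is the caveat to test against real samples before relying on the result reported above.

```python
from __future__ import annotations

import struct
import tempfile
from pathlib import Path

# Every constant below is an assumption for this illustration: the patent names the
# concepts (first/second target feature, target suffix, index table) but gives no values.
FIRST_FEATURE = b"MZ\x90\x00"           # leading bytes of a PE/DOS stub ("looks like an exe")
SECOND_FEATURE = b"CN115408687A-WRAP"   # private tag so the guard recognises its own files
HEADER = FIRST_FEATURE + SECOND_FEATURE
WRAPPED_SUFFIX = ".exe"                 # the patent's test renamed the protected copy to .exe
TARGET_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}  # assumed hit list


def _pack(name: str, data: bytes) -> bytes:
    """Wrapped layout: HEADER | u16 name length | original file name | original bytes."""
    name_bytes = name.encode("utf-8")
    return HEADER + struct.pack(">H", len(name_bytes)) + name_bytes + data


def _unpack(blob: bytes) -> tuple[str, bytes]:
    if not blob.startswith(HEADER):
        raise ValueError("second target feature missing: not a guard-wrapped file")
    off = len(HEADER)
    (n,) = struct.unpack(">H", blob[off:off + 2])
    return blob[off + 2:off + 2 + n].decode("utf-8"), blob[off + 2 + n:]


class RansomwareGuard:
    """Hides attackable files behind an executable-looking header; unwraps them on access."""

    def __init__(self) -> None:
        # index table: wrapped path -> (original name, suffix, original access path)
        self.index: dict[Path, tuple[str, str, Path]] = {}

    # step 1: traverse the tree, keep files whose suffix is on the target list
    def find_targets(self, root: Path) -> list[Path]:
        return sorted(p for p in root.rglob("*")
                      if p.is_file() and p.suffix.lower() in TARGET_SUFFIXES)

    # steps 2-3: record name/suffix/path, write the wrapped file, drop the original
    def wrap(self, target: Path) -> Path:
        data = target.read_bytes()
        if data.startswith(HEADER):
            raise ValueError(f"{target} is already wrapped")
        wrapped = target.with_suffix(WRAPPED_SUFFIX)
        if wrapped.exists():
            raise FileExistsError(f"refusing to overwrite {wrapped}")
        wrapped.write_bytes(_pack(target.name, data))
        target.unlink()
        self.index[wrapped] = (target.name, target.suffix, target)
        return wrapped

    # step 4a, "first input instruction" (open): restore, then match against the index
    def open_file(self, wrapped: Path) -> tuple[Path, bytes]:
        name, data = _unpack(wrapped.read_bytes())
        rec = self.index.get(wrapped)
        if rec is None or rec[0] != name:   # unknown or tampered wrapper: refuse, do not guess
            raise LookupError(f"no index record matching {wrapped} (embedded name {name!r})")
        return rec[2], data

    # step 4b, "second input instruction" (save): re-wrap the edited content in place
    def save_file(self, wrapped: Path, data: bytes) -> None:
        name, _ = _unpack(wrapped.read_bytes())
        wrapped.write_bytes(_pack(name, data))


def ransomware_would_encrypt(path: Path) -> bool:
    """Assumed model of a typical encryptor's target selection: suffix on the hit list and
    not an executable (MZ header). A family that ignores both rules is not covered."""
    if path.suffix.lower() not in TARGET_SUFFIXES:
        return False
    with path.open("rb") as f:
        return not f.read(2).startswith(b"MZ")


def four_copy_test(workdir: Path) -> dict[str, bool]:
    """Reproduce the patent's four-copy experiment; True means the copy would be hit."""
    body = b"constructed sample document content"          # constructed input
    copies = {
        "original": workdir / "test.doc",
        "no_suffix": workdir / "test",
        "exe_suffix": workdir / "test_renamed.exe",
        "exe_header_and_suffix": workdir / "test_wrapped.exe",
    }
    for p in copies.values():
        p.write_bytes(body)
    copies["exe_header_and_suffix"].write_bytes(_pack("test.doc", body))
    return {k: ransomware_would_encrypt(p) for k, p in copies.items()}


def make_workdir() -> Path:
    return Path(tempfile.mkdtemp(prefix="rwguard_"))


if __name__ == "__main__":
    print(four_copy_test(make_workdir()))
```

Two design points worth noting. The index table is kept in memory here; a deployment would persist it and protect it from tampering, because losing the index means losing the mapping from wrapped files back to their original paths (the name embedded in the wrapper gives a partial fallback, which is why open_file cross-checks it against the index instead of trusting either source alone). And the open and save "input instructions" are plain method calls here; in a real product they would have to be intercepted below the application, for example in a file-system filter, so that ordinary programs see the restored first target file rather than the wrapper.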
Another embodiment of the present application further provides an electronic device, including:
one or more processors;
a memory configured to store one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the above-described methods.
An embodiment of the present application also provides a storage medium having a computer program stored thereon, which when executed by a processor implements the method as described above. It should be understood that each solution in this embodiment has a corresponding technical effect in the foregoing method embodiments, and details are not described here.
Embodiments of the present application also provide a computer program product tangibly stored on a computer-readable medium and comprising computer-executable instructions that, when executed, cause at least one processor to perform a method such as the embodiments described above. It should be understood that each scheme in this embodiment has a corresponding technical effect in the foregoing method embodiment, and details are not described here.
It should be noted that the computer storage media of the present application can be computer readable signal media or computer readable storage media or any combination of the two. The computer readable medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory medium (RAM), a read-only memory medium (ROM), an erasable programmable read-only memory medium (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory medium (CD-ROM), an optical storage medium, a magnetic storage medium, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, antenna, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
It should be understood that although the present application has been described in terms of various embodiments, not every embodiment may include only a single embodiment, and such description is for clarity purposes only, and it will be appreciated by those skilled in the art that the description as a whole may be combined as appropriate to form other embodiments as will be apparent to those skilled in the art.
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents of the invention may be made by those skilled in the art within the spirit and scope of the invention, and such modifications and equivalents should also be considered as falling within the scope of the invention.

Claims (10)

1. A ransomware prevention method, comprising:
determining a first target file among files in a system, wherein the first target file is a file that can be attacked by ransomware;
determining at least the name, suffix and access path of the first target file, and storing them as matched records;
processing the first target file to form a second target file, wherein the second target file is a file that the ransomware ignores;
and responding to an input instruction, and matching the second target file by combining the stored information of the first target file with the input instruction.
2. The method of claim 1, wherein determining the first target file among the files in the system comprises:
traversing the files in the system and determining, as a first target file, each file having a target suffix, wherein the target suffix is a file suffix of the kind of file that the ransomware attacks.
3. The method of claim 1, wherein determining at least the name, suffix and access path of the first target file and storing them as matched records comprises:
determining at least the name, suffix and access path of the first target file;
creating an index table;
and storing the related information of each first target file as matched records in the index table.
4. The method of claim 1, wherein processing the first target file to form the second target file comprises:
adding a first target feature at least before the binary form of the first target file to form the second target file, wherein the first target feature is the feature that the ransomware uses to identify and select an attack target.
5. The method of claim 4, further comprising:
adding a second target feature before the binary form of the first target file to form the second target file, wherein the second target feature enables a system to recognize that the second target file was formed by processing the first target file.
6. The method of claim 5, wherein adding the first target feature and the second target feature before the binary form of the first target file comprises:
writing the first target feature and the second target feature into a file header that precedes the binary form of the first target file.
7. The method of claim 1, wherein responding to the input instruction and matching the second target file by combining the stored information of the first target file with the input instruction comprises:
in response to a first input instruction, restoring the second target file to form the corresponding first target file;
matching and searching the stored information of each first target file against the first target file obtained by restoration, and determining the related information of the restored first target file;
and processing the determined first target file based on the determined related information and the first input instruction, wherein the first input instruction comprises an instruction to access and open the first target file.
8. The method of claim 7, further comprising:
in response to a second input instruction, processing the determined first target file to form a second target file again, wherein the second input instruction comprises a file saving instruction.
9. A ransomware protection apparatus, comprising:
a first determining module, configured to determine a first target file among files in a system, wherein the first target file is a file that can be attacked by ransomware;
a second determining module, configured to determine at least the name, suffix and access path of the first target file and store them as matched records;
a processing module, configured to process the first target file to form a second target file, wherein the second target file is a file that the ransomware ignores;
and a response module, configured to respond to an input instruction and match the second target file by combining the stored information of the first target file with the input instruction.
10. The apparatus of claim 1, wherein determining the first target file among the files in the system comprises:
traversing the files in the system and determining, as a first target file, each file having a target suffix, wherein the target suffix is a file suffix of the kind of file that the ransomware attacks.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211129724.7A CN115408687A (en) 2022-09-16 2022-09-16 Ransomware precaution method and apparatus

Publications (1)

Publication Number Publication Date
CN115408687A 2022-11-29

Family

ID=84165771

Country Status (1)

Country Link
CN (1) CN115408687A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination