CN116340929A - Method and device for controlling software installation, storage medium and computer equipment - Google Patents

Info

Publication number
CN116340929A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111589445.4A
Other languages
Chinese (zh)
Inventor
李静
李振伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application provides a method, a device, a storage medium and computer equipment for controlling software installation. The method comprises the following steps: detecting whether the current process and the parent process of the current process are preset processes; determining the type of the current process when the current process and its parent process are not the preset process; and prohibiting the current process from running when the type of the current process is a program installation process. The method effectively controls software installation and prevents software carrying viruses, or otherwise unexpected software, from being installed unintentionally, thereby improving the security of the system.

Description

Method and device for controlling software installation, storage medium and computer equipment
Technical Field
The application belongs to the technical field of computers, and particularly relates to a control method and device for software installation, a storage medium and computer equipment.
Background
Existing software installation control only prohibits the installation of certain software, such as software on a blacklist. Software that is not explicitly prohibited, and software whose download source is unknown, is not controlled, so software carrying viruses can easily be installed unintentionally, which affects the security of the system.
Disclosure of Invention
Therefore, the technical problem to be solved in the application is to provide a method, a device, a storage medium and a computer device for controlling software installation that effectively control software installation and prevent software carrying viruses, or otherwise unintended software, from being installed unintentionally, thereby improving the security of the system.
In order to solve the above problems, the present application provides a method for controlling software installation, including:
detecting whether the current process and the parent process of the current process are preset processes or not; determining the type of the current process under the condition that the current process and the parent process of the current process are not the preset process; and prohibiting the current process from running under the condition that the type of the current process is a program installation process.
Optionally, the detecting whether the current process and the parent process of the current process are preset processes includes: acquiring paths of the current process and the parent process of the current process; detecting whether the obtained path is in an installation directory of a security management system; when the path is in the installation directory, determining that the current process is the preset process; and when the path is not in the installation directory, determining that the current process is not the preset process.
Optionally, the determining, when the current process is not the preset process, the type of the current process includes: acquiring attribute information combinations in a header and a resource of the current process; and detecting the attribute information combination by an antivirus engine to determine the type of the current process.
Optionally, the determining the type of the current process by detecting the attribute information combination through an antivirus engine includes: identifying the basic type of the file to which the current process belongs based on a file header by an antivirus engine; under the condition that the basic type is a PE file, analyzing the file belonging to the current process through an antivirus engine to obtain the specific offset and the additional data characteristic of the file header; determining, by an antivirus engine, a type of the current process based on the particular offset and the additional data characteristic.
Optionally, the determining the type of the current process by detecting the attribute information combination through an antivirus engine includes: acquiring characteristics in a file resource through an antivirus engine; and matching the type of the current process according to the obtained characteristics.
Optionally, the antivirus engine is an OWL engine.
Optionally, prohibiting the current process from running when the type of the current process is a program installation process includes: hooking, through a hook function, the system application program interface (API) used for process creation; when the hooked process is detected to be the program installation process, prohibiting the current process from running, generating a prohibited-operation reminder, and sending the reminder to the hooked process; and when the hooked process is detected to be a non-program installation process, calling the system API to start the program.
Optionally, before the detecting whether the current process and the parent process of the current process are preset processes, the method further includes: detecting whether a control policy is enabled; and, when the control policy is detected to be enabled, detecting whether the current process and the parent process of the current process are preset processes.
In accordance with the above method, another aspect of the present invention provides a software installation management and control device, including: the process detection module is configured to detect whether the current process and the parent process of the current process are preset processes or not; the process type determining module is configured to determine the type of the current process when the current process and a parent process of the current process are not the preset process; and the disabling module is configured to disable the current process from running when the type of the current process is a program installation process.
In accordance with the above method, a further aspect of the present invention provides a storage medium having stored thereon a computer program which when executed by a processor implements the method of controlling software installation described above.
In accordance with a further aspect of the present invention, there is provided a computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, the processor implementing the method of controlling software installation as described above when executing the program.
Therefore, the scheme of the invention detects whether the current process and the parent process of the current process are preset processes, determines the type of the current process when it is not the preset process, and prohibits the current process from running when its type is the program installation process. The security management system thereby becomes the only download source, that is, the only trusted software source: a user can install only software downloaded from the security management system, and software from other download sources cannot be installed. Even if software is downloaded from the security management system and then copied to another computer, it cannot be installed by clicking the copied installation package alone. The computer is thus fully protected, and security and confidentiality are significantly improved, especially for government departments, financial enterprises and other organizations with strict confidentiality requirements.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
FIG. 1 is a flow chart of a method for controlling software installation according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of an embodiment of a software installation management device according to the present invention.
The reference numerals are expressed as:
101. a process detection module; 201. a process type determining module; 301. a disabling module.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
According to an embodiment of the present invention, a method for controlling software installation is provided. FIG. 1 shows a flowchart of an embodiment of the method. The method for controlling software installation can comprise the following steps: step S101, step S201, and step S301.
In step S101, it is detected whether the current process and the parent process of the current process are preset processes.
Further, in this step, the preset process is a process of the security management system.
In one embodiment, the security management system may be the Tianqing terminal security management system; in that case, it is detected whether the current process and the parent process of the current process belong to a process of the Tianqing terminal security management system. The Tianqing terminal security management system can have a built-in software management system, through which software can be installed. Further, it is detected whether the current process and the parent process of the current process belong to a process of the Tianqing terminal security management system or to a process of the software management system within it.
In this step, the parent process is the process that has created one or more child processes.
The detecting whether the current process and the parent process of the current process are preset processes comprises:
acquiring paths of the current process and a parent process of the current process;
detecting whether the obtained path is in an installation directory of a security management system;
under the condition that the path is in the installation directory, determining that the current process is the preset process;
and under the condition that the path is not in the installation directory, determining that the current process is not the preset process.
Detecting whether the obtained path is in the installation directory of the security management system makes it possible to determine accurately whether the current process and the parent process of the current process are preset processes, that is, processes of the security management system, for example the Tianqing terminal security management system or the software management system within it. If they are, the security of the current process can be determined to be high, and execution can continue. For example, a program installation process that belongs to the Tianqing terminal security management system, or to the software management system within it, is released.
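The directory test in step S101 is only as strong as its path comparison. The following sketch is an added example, not code from the patent or from the product it describes; the install directory `C:\Program Files\SecMgr`, the function names, and the reading that a process is exempt when either its own path or its parent's path lies in the install directory are assumptions. It contrasts a plain prefix comparison with a canonicalised containment check.

```python
import ntpath  # Windows path semantics, usable on any host OS

# Hypothetical install directory of the security management system (assumption).
INSTALL_DIR = r"C:\Program Files\SecMgr"


def naive_is_under(path: str, install_dir: str) -> bool:
    """Weak form: raw string prefix test, shown only for comparison."""
    return path.lower().startswith(install_dir.lower())


def _canonical(path: str) -> str:
    """Collapse '..' segments, unify separators and fold case."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, install_dir: str) -> bool:
    """True only if `path` is the install directory or lies inside it."""
    p, root = _canonical(path), _canonical(install_dir)
    if not (ntpath.isabs(p) and ntpath.isabs(root)):
        return False  # a relative path says nothing about the real location
    try:
        # commonpath compares whole path components, not characters.
        return ntpath.commonpath([p, root]) == root
    except ValueError:  # paths on different drives
        return False


def is_preset_process(current_path: str, parent_path: str,
                      install_dir: str = INSTALL_DIR) -> bool:
    """Step S101 under the stated assumption: exempt if either the process
    or its parent was started from the install directory."""
    return is_under(current_path, install_dir) or is_under(parent_path, install_dir)


if __name__ == "__main__":
    # Constructed sample paths.
    samples = [
        r"C:\Program Files\SecMgr\softmgr.exe",
        r"C:\Program Files\SecMgrUpdate\setup.exe",         # sibling directory
        r"C:\Program Files\SecMgr\..\..\Users\u\setup.exe",  # '..' segments
        "c:/program files/secmgr/bin/softmgr.exe",            # other separators
    ]
    for s in samples:
        print(f"{s!r:60} naive={naive_is_under(s, INSTALL_DIR)} "
              f"strict={is_under(s, INSTALL_DIR)}")
```

A path-based exemption also assumes that only administrators can write to the install directory; if ordinary users can place files there, the check no longer identifies the security management system's own processes.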
In step S201, in the case where the current process and the parent process of the current process are not the preset process, the type of the current process is determined.
In this step, the types of processes may include a program installation process, a program uninstallation process, a program update process, and the like.
Determining the type of the current process when the current process is not the preset process includes:
acquiring the attribute information combination in the header and resource of the current process, and detecting the attribute information combination through an antivirus engine to determine the type of the current process.
The antivirus engine can be an OWL engine. The OWL engine is an antivirus engine in the Tianqing terminal security management system and has format recognition and parsing functions.
Wherein said determining the type of the current process by detecting the attribute information combination by an antivirus engine comprises:
identifying the basic type of the file to which the current process belongs based on a file header by an antivirus engine; under the condition that the basic type is a PE file, analyzing the file belonging to the current process through an antivirus engine to obtain the specific offset and the additional data characteristic of the file header; determining, by an antivirus engine, a type of the current process based on the particular offset and the additional data characteristic.
In this step, the basic types of files include, for example, MZ files, PE files, OLE files, ZIP or RAR compressed files, and the like.
Further, the PE file is an executable file.
In this step, the base type of the file to which the current process belongs is identified by the antivirus engine based on the attribute information combination in the header of the current process file, that is, the base type of the file to which the current process belongs is identified from the attribute information combination.
In the step, the basic type of the file to which the current process belongs is identified based on the file header through the format identification function of the OWL engine.
In the step, the file belonging to the current process is analyzed by the analysis function of the antivirus engine, and the specific offset and the additional data characteristic of the file header can be obtained after analysis. The type of the current process can be accurately determined based on the specific offset and the additional data characteristics of the file header by the OWL engine, namely whether the current process is the program installation process can be accurately determined, and meanwhile, the type of an installation file, such as an NSIS installation package, an OLE installation package, an RAR self-decompression installation package and the like, can be detected.
The specific offset refers to a position offset by a specific length with respect to the header; the additional data features refer to the fact that different installation packages fill different data into the file resource information (resource), and the filled data can be mapped to the installation package types of different vendors. For example, the Chrome installation package fills B102 in the resource information, where the value corresponding to B102 is 0000004; the Chrome installation package can be identified from these two pieces of information.
The determining, by the antivirus engine, the type of the current process by detecting the attribute information combination further includes: acquiring characteristics in a file resource through an antivirus engine; and matching the type of the current process according to the obtained characteristics.
When the basic type of the file to which the current process belongs cannot be identified by the antivirus engine from the file header, the antivirus engine can obtain the features in the file resource and match the type of the current process according to those features. Alternatively, without first identifying the basic type from the file header, the antivirus engine can directly obtain the features in the file resource and match the type of the current process according to them. The features in the file resource are features unique to each type of process, and the types of processes can be distinguished according to them.
In this step, the antivirus engine may also be an OWL engine, and after the OWL engine obtains the features in the file resource, the type of the current process may be accurately determined by matching the type of the current process in the type library according to the features, that is, whether the current process is the program installation process may be accurately determined.
By acquiring the attribute information combination in the header and resource of the current process and using the format recognition and parsing functions of the OWL engine, the type of the current process can be accurately identified and determined, so that the subsequent steps that depend on the type of the current process can be carried out.
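The sketch below illustrates the two-stage identification described in step S201: a basic type from the file header, then, for PE files, inspection of the data appended after the last section. It is an added example and not the OWL engine's logic, whose signatures the patent does not disclose. Treating the "specific offset" as the end of the last PE section, the publicly known NSIS and RAR magic values used as "additional data features", and all function names are assumptions; the resource-based features such as B102 are not modelled.

```python
import struct

# Publicly known file magics (assumption: stand-ins for the engine's own rules).
MAGICS = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE"),
    (b"PK\x03\x04", "ZIP"),
    (b"Rar!\x1a\x07", "RAR"),
]
# Markers looked for in the appended data of a PE file.
OVERLAY_MARKERS = [
    (b"\xEF\xBE\xAD\xDE" + b"NullsoftInst", "NSIS"),
    (b"Rar!\x1a\x07", "RAR-SFX"),
]


def basic_type(data: bytes) -> str:
    """Identify the basic file type from the header bytes."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "PE"
        return "MZ"
    return "UNKNOWN"


def overlay_offset(data: bytes) -> int:
    """Offset where data appended after the last PE section begins."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                      # COFF header follows "PE\0\0"
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # section table start
    end = table + 40 * n_sections
    if end > len(data):
        raise ValueError("truncated section table")
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def classify(data: bytes) -> str:
    """Return the basic type, or 'installer:<kind>' for a recognised PE installer."""
    kind = basic_type(data)
    if kind != "PE":
        return kind
    try:
        overlay = data[overlay_offset(data):]
    except (struct.error, ValueError):
        return "PE:malformed"
    window = overlay[:4096]                  # markers sit near the overlay start
    for marker, label in OVERLAY_MARKERS:
        if marker in window:
            return "installer:" + label
    return "PE"


def is_program_installation(data: bytes) -> bool:
    """Step S301 input: should this image be treated as an installer?"""
    return classify(data).startswith("installer:")


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed, non-loadable PE skeleton: one section at 0x80, 0x10 bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000,
                          0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + section   # exactly 0x80 bytes
    return headers + b"\0" * 0x10 + overlay


if __name__ == "__main__":
    nsis = struct.pack("<I", 0) + OVERLAY_MARKERS[0][0] + b"\0" * 8
    for name, blob in [("plain PE", build_sample_pe()),
                       ("NSIS-like", build_sample_pe(nsis)),
                       ("RAR SFX-like", build_sample_pe(b"Rar!\x1a\x07\x00"))]:
        print(name, "->", classify(blob))
```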
In step S301, the current process is prohibited from running in the case where the type of the current process is a program installation process.
In this step, the program installation process may be understood as a process of installing a package, that is, determining whether a currently executed program is an installation package by an antivirus engine, for example, an OWL engine, and if so, prohibiting the current program from running.
Prohibiting the current process from running when the type of the current process is a program installation process includes:
hooking, through a hook function, the system application program interface (API) used for process creation;
when the hooked process is detected to be the program installation process, prohibiting the current process from running, generating a prohibited-operation reminder, and sending the reminder to the hooked process;
and when the hooked process is detected to be a non-program installation process, calling the system API to start the program.
Further, when the hooked process is detected to be a non-program installation process, the system API is called to start the program, and the current process can continue to run.
By introducing an antivirus engine, in particular the OWL engine, whether the type of the current process is a program installation process can be judged accurately, and if so the current process is prohibited from running. Program installation processes that do not run under the security management system, or under the software management system within it, are thereby prohibited, so that the security management system (for example the Tianqing terminal security management system, or the software management system within it) serves as the only download source, that is, the only trusted software source: a user can install only software downloaded from the security management system, and software from other download sources cannot be installed. Even if software is downloaded from the security management system and then copied to another computer, it cannot be installed by clicking the copied installation package alone. The computer is thus fully protected, and security and confidentiality are significantly improved, especially for government departments, financial enterprises and other organizations with strict confidentiality requirements.
Before the detecting whether the current process and the parent process of the current process are preset processes, the method further comprises: detecting whether a control policy is enabled; and, when the control policy is detected to be enabled, detecting whether the current process and the parent process of the current process are preset processes.
In this step, the control policy may be one of the software control policies in the security management system.
In this step, when the control policy is detected to be enabled, the current process and the parent process of the current process are checked; when the control policy is not enabled, they are not checked.
Specifically, it is detected whether the installation package control switch is turned on in the settings of the security management system. If the switch is on, installation of packages on the terminal is controlled; if the switch is off, installation of packages on the terminal is not controlled.
Detecting whether the control policy is enabled gives the user the option of whether to use this software installation control method, which improves the user experience.
In the case that the type of the current process is a program installation process, the method further includes: sending pop-up prompt information to remind the user.
In this step, when the type of the current process is a program installation process, the current process is prohibited from running, and then a prompt message is sent.
In this step, the prompt message is sent in the form of a pop-up window to inform the user that installation of the current program is prohibited.
Sending the prompt message effectively alerts the user and improves the user experience.
Corresponding to the software installation control method, an embodiment of the present invention further provides a software installation management and control device. FIG. 2 shows a schematic structural diagram of an embodiment of the device. The management and control device for software installation comprises: a process detection module 101, a process type determination module 201, and a disabling module 301.
The process detection module 101 is configured to detect whether the current process and a parent process of the current process are preset processes;
the preset process is a process of the security management system.
In one embodiment, the security management system may be the Tianqing terminal security management system; in that case, the process detection module 101 detects whether the current process and the parent process of the current process belong to a process of the Tianqing terminal security management system. The Tianqing terminal security management system has a built-in software management system, through which software can be installed. Further, the process detection module 101 detects whether the current process and the parent process of the current process belong to a process of the software management system in the Tianqing terminal security management system.
Wherein a parent process is a process that has created one or more child processes.
The process detection module 101 is configured to detect whether the current process and a parent process of the current process are preset processes, including:
acquiring paths of the current process and a parent process of the current process through a process detection module 101;
detecting whether the obtained path is in an installation directory of the security management system or not through a process detection module 101;
under the condition that the path is in the installation directory, determining that the current process is the preset process;
and under the condition that the path is not in the installation directory, determining that the current process is not the preset process.
By configuring the process detection module 101 to detect whether the obtained path is in the installation directory of the security management system, it is possible to determine accurately whether the current process and the parent process of the current process are preset processes, that is, processes of the security management system, for example the Tianqing terminal security management system or the software management system within it. If they are, the security of the current process can be determined to be high, and execution can continue. For example, a program installation process that belongs to the Tianqing terminal security management system, or to the software management system within it, is released.
The process type determining module 201 is configured to determine a type of the current process if the current process is not the preset process.
The process types may include a program installation process, a program uninstallation process, a program update process, and the like.
Wherein the process type determining module 201 is configured to determine the type of the current process if the current process is not the preset process, including:
acquiring attribute information combinations in a header and a resource of the current process;
and detecting the attribute information combination by an antivirus engine to determine the type of the current process.
Further, the antivirus engine is an OWL engine, that is, the type of the current process is determined by the OWL engine. The OWL engine is an antivirus engine in the Tianqing terminal security management system and has format recognition and parsing functions. The antivirus engine may be understood as part of the process type determination module 201.
The process type determining module 201 acquires the attribute information combination in the header and resource of the current process and, using the format recognition and parsing functions of the OWL engine, accurately identifies and determines the type of the current process, so that the subsequent steps that depend on the type of the current process can be carried out.
The disabling module 301 is configured to disable the current process from running if the type of the current process is a program installation process.
The program installation process may be understood as the process of an installation package; that is, an antivirus engine, for example the OWL engine, determines whether the currently executed program is an installation package, and if it is, the current program is prohibited from running.
Disabling, by the disabling module 301, the current process from running when the type of the current process is a program installation process includes:
performing detection, by the disabling module 301, by using a hook function to hook the system application program interface (API) for process creation;
when the hooked process is detected to be a program installation process, prohibiting the current process from running, generating a prohibited-operation reminder, and sending the reminder to the hooked process;
and when the hooked process is detected not to be a program installation process, calling the system API to start the program.
Further, when the disabling module 301 detects that the hooked process is not a program installation process, it calls the system API to start the program, and the current process may continue to run.
By introducing an antivirus engine, in particular the OWL engine, whether the type of the current process is a program installation process is accurately determined, and if so, the current process is prohibited from running. Program installation processes that do not run under the security management system, or under the software management system process of the security management system, can thereby be prohibited, so that the software management system in the security management system, such as the Tianqing terminal security management system, serves as the only download source, that is, the only trusted software source. A user can therefore only install software downloaded from the security management system, and software from other download sources cannot be installed. Even if a piece of software is downloaded from the security management system and then copied to another computer, it cannot be installed by clicking the downloaded installation package on its own, so the security of the computer is fully protected, and the degree of security and confidentiality is significantly improved, especially for government departments, financial enterprises, and other departments that require a high degree of confidentiality.
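The decision flow described above and in claims 2 and 4 (a path check against the installation directory, then a check of the PE header offset and appended data), sketched as an added example that is not code from the patent or from the OWL engine. The directory name, the function names, the reading that a launch is allowed when either the process or its parent is in the installation directory, and the use of the NSIS first-header signature as the "additional data characteristic" are assumptions; the sample PE image is constructed.

```python
import ntpath
import struct

TRUSTED_DIR = r"C:\Program Files\SecMgmt"       # hypothetical install directory
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"    # NSIS first-header signature


def in_trusted_dir(path, trusted=TRUSTED_DIR):
    """Path check: normalise first so '..' and look-alike prefixes do not match."""
    p = ntpath.normcase(ntpath.normpath(path))
    t = ntpath.normcase(ntpath.normpath(trusted))
    return p.startswith(t + "\\")


def overlay_offset(data):
    """Offset of data appended after the last PE section, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt = struct.unpack_from("<H", data, pe + 20)[0]        # SizeOfOptionalHeader
    table, end = pe + 24 + opt, 0
    if table + 40 * nsec > len(data):
        return None
    for i in range(nsec):
        size, ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr + size)                          # end of raw section data
    return end


def classify(data):
    """'installer' if the overlay carries the NSIS header, else 'other' / 'not-pe'."""
    off = overlay_offset(data)
    if off is None:
        return "not-pe"
    overlay = data[off:]                 # NSIS: 4 flag bytes, then the magic
    return "installer" if overlay[4:4 + len(NSIS_MAGIC)] == NSIS_MAGIC else "other"


def decide(proc_path, parent_path, image):
    """Allow trusted-directory launches; block installers from anywhere else."""
    if in_trusted_dir(proc_path) or in_trusted_dir(parent_path):
        return "allow"
    return "block" if classify(image) == "installer" else "allow"


def build_pe(overlay=b""):
    """Constructed one-section PE image used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 0x80) + b"\0" * 16
    return dos + coff + sec + b"\x90" * 16 + overlay


if __name__ == "__main__":
    nsis = build_pe(b"\0\0\0\0" + NSIS_MAGIC + b"\0" * 8)
    print(decide(r"C:\Users\a\Downloads\setup.exe", r"C:\Windows\explorer.exe", nsis))
```

A production classifier would cover more installer families and the resource-based features of claim 5; this block checks one family at one fixed overlay offset.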
The management and control device for software installation further comprises: a policy detection module configured to detect whether the management and control policy is enabled before detecting whether the current process and the parent process of the current process are preset processes, and to detect whether the current process and the parent process of the current process are preset processes when the policy is enabled.
The management and control policy may belong to a software management and control policy in the security management system.
Further, when the management and control policy is detected to be enabled, the current process and the parent process of the current process are checked; when the policy is not enabled, they are not checked.
Specifically, the policy detection module detects whether the installation package control switch is turned on in the settings of the security management system. If the switch is on, installation of installation packages on the terminal is controlled; if the switch is off, installation of installation packages on the terminal is not controlled.
By providing the policy detection module to detect whether the management and control policy is enabled, the user is given the option of whether to use the method for controlling software installation, which improves the user experience.
The management and control device for software installation further comprises: an information prompt module configured to send prompt information when the type of the current process is a program installation process.
Further, when the type of the current process is a program installation process, the prompt information is sent after the current process is prohibited from running.
Further, the information prompt module sends the prompt information through a pop-up window to inform the user that installation of the current program is prohibited.
Sending the prompt information through the information prompt module effectively notifies the user and improves the user experience.
In an exemplary embodiment, there is also provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described method of managing software installation.
In an exemplary embodiment, a computer device is also provided, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, where the processor implements the method of controlling software installation described above when executing the program.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented in hardware, or may be implemented by means of software plus necessary general hardware platforms. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.), and includes several instructions for causing a computer device (may be a personal computer, a server, or a network device, etc.) to perform the methods described in various implementation scenarios of the present application.
By adopting the technical solution of the invention, whether the current process and the parent process of the current process are preset processes is detected, the type of the current process is determined when the current process is not the preset process, and the current process is prohibited from running when its type is a program installation process. Program installation processes that do not run under the security management system, or under the software management system process of the security management system, can thereby be prohibited, so that the security management system serves as the only download source, that is, the only trusted software source. A user can therefore only install software downloaded from the security management system, and software from other download sources cannot be installed. Even if a piece of software is downloaded from the security management system and then copied to another computer, it cannot be installed by clicking the downloaded installation package on its own, so the security of the computer is fully protected, and the degree of security and confidentiality is significantly improved, especially for government departments, financial enterprises, and other departments that require a high degree of confidentiality.
Those skilled in the art will appreciate that the drawings are merely schematic illustrations of one preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to practice the present application.
Those skilled in the art will appreciate that the modules of an apparatus in an implementation scenario may be distributed in the apparatus as described for that scenario, or may, with corresponding changes, be located in one or more apparatuses different from that of the implementation scenario. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The foregoing application serial numbers are merely for description, and do not represent advantages or disadvantages of the implementation scenario.
The foregoing disclosure describes merely a few specific implementations of the present application, but the present application is not limited thereto, and any variations that a person skilled in the art can conceive of shall fall within the protection scope of the present application.

Claims (11)

1. A method for controlling software installation, comprising:
detecting whether the current process and the parent process of the current process are preset processes or not;
determining the type of the current process under the condition that the current process and the parent process of the current process are not the preset process;
and prohibiting the current process from running under the condition that the type of the current process is a program installation process.
2. The method for controlling software installation according to claim 1, wherein the detecting whether the current process and the parent process of the current process are preset processes comprises:
acquiring paths of the current process and a parent process of the current process;
detecting whether the obtained path is in an installation directory of a security management system;
under the condition that the path is in the installation directory, determining that the current process is the preset process;
and under the condition that the path is not in the installation directory, determining that the current process is not the preset process.
3. The method for controlling software installation according to claim 1, wherein, in the case that the current process is not the preset process, determining the type of the current process includes:
acquiring attribute information combinations in a header and a resource of the current process;
and detecting the attribute information combination by an antivirus engine to determine the type of the current process.
4. A method of controlling software installation according to claim 3, wherein said determining the type of the current process by detecting the attribute information combination by an antivirus engine comprises:
identifying the basic type of the file to which the current process belongs based on a file header by an antivirus engine;
under the condition that the basic type is a PE file, analyzing the file belonging to the current process through an antivirus engine to obtain the specific offset and the additional data characteristic of the file header;
determining, by an antivirus engine, a type of the current process based on the particular offset and the additional data characteristic.
5. A method of controlling software installation according to claim 3, wherein said determining the type of the current process by detecting the attribute information combination by an antivirus engine comprises:
acquiring characteristics in a file resource through an antivirus engine;
and matching the type of the current process according to the obtained characteristics.
6. A method of controlling software installation according to claim 3, wherein the antivirus engine is an OWL engine.
7. The method according to claim 1, wherein the prohibiting the current process from running in the case where the type of the current process is a program installation process, comprises:
performing detection by using a hook function to hook the system application program interface (API) for process creation;
when the hooked process is detected to be a program installation process, prohibiting the current process from running, generating a prohibited-operation reminder, and sending the reminder to the hooked process;
and when the hooked process is detected not to be a program installation process, calling the system API to start the program.
8. The method for controlling software installation according to claim 1, further comprising, before said detecting whether the current process and the parent process of the current process are preset processes:
detecting whether a control strategy is started or not;
and when the control strategy is detected to be started, detecting whether the current process and the parent process of the current process are preset processes or not.
9. A management and control apparatus for software installation, comprising:
the process detection module is configured to detect whether the current process and the parent process of the current process are preset processes or not;
the process type determining module is configured to determine the type of the current process when the current process and a parent process of the current process are not the preset process;
and the disabling module is configured to disable the current process from running when the type of the current process is a program installation process.
10. A storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the method of controlling software installation of any one of claims 1 to 8.
11. A computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, characterized in that the processor implements the method of controlling the installation of software according to any one of claims 1 to 8 when executing the program.
CN202111589445.4A 2021-12-23 2021-12-23 Method and device for controlling software installation, storage medium and computer equipment Pending CN116340929A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111589445.4A CN116340929A (en) 2021-12-23 2021-12-23 Method and device for controlling software installation, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111589445.4A CN116340929A (en) 2021-12-23 2021-12-23 Method and device for controlling software installation, storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN116340929A true CN116340929A (en) 2023-06-27

Family

ID=86890051

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111589445.4A Pending CN116340929A (en) 2021-12-23 2021-12-23 Method and device for controlling software installation, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN116340929A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117633797A (en) * 2023-11-27 2024-03-01 北京微步在线科技有限公司 Software control method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US8898775B2 (en) Method and apparatus for detecting the malicious behavior of computer program
US10043001B2 (en) Methods and apparatus for control and detection of malicious content using a sandbox environment
EP2839406B1 (en) Detection and prevention of installation of malicious mobile applications
US9571520B2 (en) Preventing execution of task scheduled malware
US10318730B2 (en) Detection and prevention of malicious code execution using risk scoring
RU2571723C2 (en) System and method of reducing load on operating system when executing antivirus application
US8505069B1 (en) System and method for updating authorized software
US20130067577A1 (en) Malware scanning
US9594906B1 (en) Confirming a malware infection on a client device using a remote access connection tool to identify a malicious file based on fuzzy hashes
US20100306851A1 (en) Method and apparatus for preventing a vulnerability of a web browser from being exploited
CN103065092A (en) Method for intercepting operating of suspicious programs
KR101086203B1 (en) A proactive system against malicious processes by investigating the process behaviors and the method thereof
CN116340929A (en) Method and device for controlling software installation, storage medium and computer equipment
US8640242B2 (en) Preventing and detecting print-provider startup malware
CN110348180B (en) Application program starting control method and device
CN111783087A (en) Method and device for detecting malicious execution of executable file, terminal and storage medium
KR20110057297A (en) Dynamic analyzing system for malicious bot and methods therefore
KR101288833B1 (en) Method for preventing malicious code using office documents, and computer-readable recording medium for the same
JP2019220132A (en) System and method of adapting patterns of dangerous behavior of programs to computer systems of users
CN112487429A (en) Verification method and device of external storage equipment
CN109472144B (en) Method, device and storage medium for operating file by defending virus
JP2009116391A (en) Security policy setting device cooperating with safety level evaluation and a program and method thereof
CN106599684A (en) Detection method and system of entity file-free malicious code
Iztayev et al. ANALYSIS OF SAFETY AND VULNERABILITIES OF THE LEVELS OF THE INFRASTRUCTURE AND APPLICATIONS ANDROID
KR20150144046A (en) Apparatus for detecting a web shell and method for controlling function execution using the same

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination