CN1581088A - Method and device for preventing computer virus - Google Patents
- Publication number: CN1581088A
- Authority: CN (China)
- Prior art keywords: file, application file, described application, information, virus
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Debugging And Monitoring (AREA)
Abstract
The present invention provides a method for preventing computer viruses. The method includes the following steps: creating an original information file containing information about an application program file that is not infected by a virus; when the application program file requests to run, extracting information from the application program file to generate a new information file; and comparing the new information file with the original information file and controlling the running of the application program file according to the comparison result. The invention also provides a device for implementing the method; the device includes a control device, a detection device and an information generation device.
Description
Technical field
The present invention relates to computer virus prevention technology, and in particular to a method and device for preventing computer viruses.
Background technology
With the development of computers, computer viruses have grown in both variety and harm. They cause hardware damage, data loss or loss of normal use, and bring great disruption and loss to computer users. Computer viruses are highly transmissible and infectious; they spread mainly over networks or by infecting executable programs on a computer. At present, computer viruses are mostly detected and removed with anti-virus software, which generally consists of a virus scan engine (Scan Engine) and a virus signature database (Virus Definition). The scan engine checks the files on the computer against the virus signatures in the database; if a matching signature is found, the file is shown to be infected by a specific virus, and the anti-virus software takes the corresponding measures to remove the virus. Preventing and removing viruses with anti-virus software requires frequent updates of the signature database, because every new computer virus has a signature different from those of known viruses. Only after a new virus has appeared can it be analysed, its signature found and added to the existing database, and only continually updated anti-virus software can detect and remove the new virus. This approach therefore always lags behind the appearance of new viruses. A new virus that is hidden in a normal program or data file and has not yet triggered cannot be found, so new viruses cannot be prevented. Once a new virus meets its trigger condition it damages the computer system: at best it affects the normal operation of the system, at worst it paralyses the system or even destroys system hardware, causing serious economic loss.
Summary of the invention
The object of the invention is to overcome the above shortcomings of the prior art by providing a method and device for preventing computer viruses that forbid an application program infected by a computer virus from running, thereby cutting off the propagation of viruses through infected application program files.
The invention provides a method for preventing computer viruses, the method comprising the steps of:
establishing an original information file containing information about an application file that is not infected by a virus;
when the application file requests to run, extracting information from the application file to generate a new information file;
judging whether the new information file is identical to the original information file;
if they are identical, the application file is normal, and the application file is started normally;
if they are not identical, the application file may be infected by a virus, and the application file is prohibited from starting.
Preferably, the step of establishing the original information file containing information about the uninfected application file comprises: using a predetermined algorithm to generate a checksum file for the uninfected application file, as the original information file of that application file.
Preferably, the step of extracting information from the application file to generate a new information file when the application file requests to run comprises the steps of:
registering with the system the need to be notified when the application file runs;
when the application file requests to run, obtaining the notification that the application file is running;
establishing the new information file of the application file according to the notification.
Further, the step of establishing the new information file of the application file according to the notification comprises the steps of:
judging whether an original information file corresponding to the application file exists;
if the original information file of the application file exists, establishing the new information file of the application file;
if the original information file of the application file does not exist, returning an error message to the system.
Preferably, the step of establishing the new information file of the application file if the original information file exists comprises: using the same algorithm that was used to establish the original information file of the application file to generate a new checksum file for the application file, as the new information file of that application file.
Preferably, the step of returning an error message to the system if the original information file does not exist comprises: after the system receives the error message, prohibiting the application file from starting.
The invention also provides a device for implementing the above method, the device comprising:
an information generation device for reading the application file, generating by a predetermined algorithm the original information file containing information about the application file, and, when the application file requests to run, generating the new information file containing information about that application file;
a detection device for detecting, according to the information files generated by the information generation device, whether the application file has been changed;
a control device for accepting the registration and deregistration, by the detection device, of the application files that need to be checked; for notifying the detection device to check the application file when the application file requests to run; and for controlling the running of the application file according to the detection result of the detection device.
The information generation device further comprises: an information generation control device for controlling, according to the needs of the system, the generation of the content of the information file by a predetermined algorithm.
Preferably, the detection device further comprises:
a registration/deregistration device for registering the original information file of the application file with the control device when the system starts, so that the control device sends a notification to the detection device when an application file requests to run, and for cancelling this registration with the control device when the system stops running;
a message interaction/processing device for exchanging messages with the control device and controlling the information generation device according to the messages from the control device;
a verification device for comparing, when the application file requests to run, the new information file of the application file generated by the information generation device with the original information file corresponding to the application file.
Preferably, the message interaction/processing device comprises:
a notification processing device for controlling, after the detection device receives the application file run notification from the control device, the information generation device to call the information generation control device to generate the new information file of the application file;
a check result transmitting device for sending the check result of the verification device to the control device.
With the invention, viruses that spread by infecting the program files of computer applications can be controlled effectively without frequent updates. In particular, the invention also protects well against new viruses that have not yet been discovered, and it is simple and effective.
Description of drawings
Fig. 1 is a flow chart of the steps of the method for preventing computer viruses according to the preferred embodiment of the invention;
Fig. 2 is a block diagram of the device for preventing computer viruses according to the invention.
Embodiment
To help those skilled in the art understand the invention better, the invention is described in further detail below with reference to the drawings and embodiments:
Because a virus that spreads by infecting executable programs must lodge itself in the program file of the executable program, a corresponding checksum file is generated for the executable program file before it is infected, and the file is checked and compared again when the program is executed. This reveals whether the file has been infected by a virus, so that the virus is kept from triggering.
With reference to Fig. 1, Fig. 1 describes the flow of the steps of the method for preventing computer viruses according to the preferred embodiment of the invention:
First, in step 10, before the system runs, a predetermined algorithm is used to generate a checksum file for the program file of each application that needs to be executed; the application file at this point is a file that is not infected by a virus;
In step 11, the need to be notified when this application file runs is registered with the system;
Then, in step 12, the method waits for the notification that this application file is running;
In step 13, when the application file requests to run, the notification that this application file is running is received;
After the notification is received, the method first enters step 14 and searches for whether the checksum file corresponding to this application file exists;
If the checksum file corresponding to this application file does not exist, the method enters step 18 and returns a failure message to the operating system. After the operating system receives this message, it prohibits this application file from running, which prevents any virus it may contain from triggering and so prevents damage to computer resources;
Then the method returns to step 12 and waits for the next program run notification;
If the checksum file corresponding to this application file exists, the method enters step 15, obtains this application file and computes a new checksum for it with the established algorithm;
Then, in step 16, the newly computed checksum of this application file is compared with the checksum saved in the corresponding checksum file to see whether they are consistent;
If they are consistent, this application file has not changed; the method enters step 17 and returns a success message to the operating system, which allows the application to start and run normally;
If they are inconsistent, this application file has changed and may be infected by a virus; the method enters step 18 and returns a failure message to the operating system. After the operating system receives this message, it prohibits this application file from running, which prevents any virus it may contain from triggering and so prevents damage to computer resources.
The invention also provides a corresponding device that implements the method for preventing computer viruses, described in detail below with reference to Fig. 2.
Fig. 2 is a block diagram of the device for preventing computer viruses according to the invention:
The device consists of three parts: a control device 10, a detection device 20 and an information generation device 30. The detection device 20 comprises a registration/deregistration device 201, a notification processing device 202, a check result transmitting device 203 and a verification device 204; in the present invention, the notification processing device 202 and the check result transmitting device 203 are integrated into a message interaction/processing device. The information generation device 30 comprises an information generation control device 301. The technical features of each component are introduced below:
The detection device 20 is used to detect, according to the information files generated by the information generation device 30, whether the application file requesting to run has been changed. It comprises:
a registration/deregistration device 201, coupled to the control device 10, for registering the original information files of application files with the control device 10 when the system starts, so that the control device 10 sends a notification to the detection device 20 when an application file requests to run, and for cancelling this registration with the control device 10 when the system stops running;
a check result transmitting device 203 for transmitting the comparison result of the verification device 204 to the control device 10.
The working process of the device is described in detail below by way of example:
First, the information generation device 30 uses the CRC32 algorithm provided by the information generation control device 301 to compute a checksum for the uninfected executable program file mspaint.exe and generate the checksum file mspaint.CRC32, and this file is registered with the control device 10 through the registration/deregistration device 201;
When the infected mspaint.exe file is started, the control device 10 notifies the detection device 20. After the detection device 20 is notified, it searches for whether the mspaint.CRC32 file exists. If it does not exist, a lookup-failure message is sent to the control device 10, and after the control device 10 receives this message it prohibits the mspaint.exe file from running. If the mspaint.CRC32 file exists, the notification processing device 203 controls the information generation device 30 to read the content of the file mspaint.exe and to call the CRC32 algorithm provided by the information generation control device 301 to compute a CRC32 checksum over the file content. The computed checksum is passed to the verification device 204, which compares it with the checksum saved in mspaint.CRC32. If the comparison result is inconsistent, a failure message is sent to the control device 10, and after the control device 10 receives this message it notifies the operating system to prohibit mspaint.exe from running. If the comparison result is consistent, a success message is sent to the control device 10, and after the control device 10 receives this message it allows mspaint.exe to run normally. When the device exits, the registration/deregistration module is called to cancel the registration with the operating system.
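The checks of steps 14 to 18 and the mspaint.exe walk-through above, as an added Python example that is not code from the patent. `create_baseline`, `check_launch` and the baseline directory are hypothetical, the function is called directly in place of an operating-system launch notification, and the sample files are constructed; SHA-256 is offered beside the page's CRC32 because the description allows other algorithms.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

# Checksum algorithms keyed by the extension of the baseline file.
# CRC32 is the algorithm named in the patent's example. It is an
# error-detection code, not a cryptographic hash, so SHA-256 is listed
# as an alternative (an assumption; the patent only says other
# algorithms may be used).
ALGORITHMS = {
    "CRC32": lambda data: format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
    "SHA256": lambda data: hashlib.sha256(data).hexdigest(),
}

ALLOW = "allow"
DENY_NO_BASELINE = "deny: no baseline"
DENY_MODIFIED = "deny: modified"


def baseline_path(app: Path, store: Path, algorithm: str) -> Path:
    """mspaint.exe -> <store>/mspaint.CRC32, the naming used in the example."""
    return store / f"{app.stem}.{algorithm}"


def create_baseline(app: Path, store: Path, algorithm: str = "CRC32") -> Path:
    """Step 10: record the checksum of a file known to be uninfected."""
    path = baseline_path(app, store, algorithm)
    path.write_text(ALGORITHMS[algorithm](app.read_bytes()))
    return path


def check_launch(app: Path, store: Path, algorithm: str = "CRC32") -> str:
    """Steps 14-18: decide whether a launch request may proceed."""
    path = baseline_path(app, store, algorithm)
    if not path.is_file():
        return DENY_NO_BASELINE                # step 14 -> step 18
    recorded = path.read_text().strip()
    current = ALGORITHMS[algorithm](app.read_bytes())   # step 15
    if current != recorded:                    # step 16
        return DENY_MODIFIED                   # step 18
    return ALLOW                               # step 17


def demo() -> dict:
    """Run the three outcomes on constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        store = root / "baselines"
        store.mkdir()

        # Constructed stand-ins for program files (not real executables).
        app = root / "mspaint.exe"
        app.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed clean program body")
        other = root / "notepad.exe"
        other.write_bytes(b"MZ constructed file that was never baselined")

        create_baseline(app, store)            # writes mspaint.CRC32
        results = {
            "clean": check_launch(app, store),
            "unregistered": check_launch(other, store),
            # A baseline made with one algorithm does not satisfy a check
            # made with another: generation and checking must agree.
            "wrong_algorithm": check_launch(app, store, "SHA256"),
        }

        # Simulate a change to the program file: alter one byte in place.
        data = bytearray(app.read_bytes())
        data[70] ^= 0xFF
        app.write_bytes(bytes(data))
        results["modified"] = check_launch(app, store)
        return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```

The scheme is only as trustworthy as the baseline store: the checksum files must not be writable by whatever can modify the program files.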
This device can detect viruses that infect executable program files, such as Kziz (Christmas CIH) and the I-Worm.Klez.E worm, because they rewrite the content of an executable program file when infecting it; the device does not distinguish which particular virus caused the infection. After the device is installed, every application file that needs to be executed on the system must, while it is still uninfected, have an original information file containing its information generated by the information generation device of this device. Each application file corresponds to exactly one original information file; for example, the information file corresponding to mspaint.exe in the example above is mspaint.CRC32. These original information files are saved in the system. When an application file needs to run, the information generation device generates a new information file for the application file requesting to run. The algorithm it uses is provided by the information generation control device within the information generation device and is the same algorithm that was used to generate the original information file of that application file. By comparing the new and original information of the application file, the device can tell whether the application file has been modified and so control whether it runs. This effectively prevents some computer viruses from spreading by infecting applications, and prevents the damage that a triggered virus would cause to the system.
Although the invention has been described by way of embodiments, those of ordinary skill in the art will know that the invention has many variations and modifications that do not depart from its spirit. For example, the information generation device may generate the information file of an application in various ways, and likewise the algorithm provided by the information generation control device may take various forms. The appended claims are intended to cover these variations and modifications without departing from the spirit of the invention.
Claims (10)
1. A method for preventing computer viruses, characterized in that the method comprises the steps of:
establishing an original information file containing information about an application file that is not infected by a virus;
when the application file requests to run, extracting information from the application file to generate a new information file;
judging whether the new information file is identical to the original information file;
if they are identical, the application file is normal, and the application file is started normally;
if they are not identical, the application file may be infected by a virus, and the application file is prohibited from starting.
2. The method for preventing computer viruses according to claim 1, characterized in that the step of establishing the original information file containing information about the uninfected application file comprises: using a predetermined algorithm to generate a checksum file for the uninfected application file, as the original information file of that application file.
3. The method for preventing computer viruses according to claim 2, characterized in that the step of extracting information from the application file to generate a new information file when the application file requests to run comprises the steps of:
registering with the system the need to be notified when the application file runs;
when the application file requests to run, obtaining the notification that the application file is running;
establishing the new information file of the application file according to the notification.
4. The method for preventing computer viruses according to claim 3, characterized in that the step of establishing the new information file of the application file according to the notification comprises the steps of:
judging whether an original information file corresponding to the application file exists;
if the original information file of the application file exists, establishing the new information file of the application file;
if the original information file of the application file does not exist, returning an error message to the system.
5. The method for preventing computer viruses according to claim 4, characterized in that the step of establishing the new information file of the application file if the original information file exists comprises: using the same algorithm that was used to establish the original information file of the application file to generate a new checksum file for the application file, as the new information file of that application file.
6. The method for preventing computer viruses according to claim 4, characterized in that the step of returning an error message to the system if the original information file does not exist comprises: after the system receives the error message, prohibiting the application file from starting.
7. A device for preventing computer viruses, characterized in that the device comprises:
an information generation device for reading the application file, generating by a predetermined algorithm the original information file containing information about the application file, and, when the application file requests to run, generating the new information file containing information about that application file;
a detection device for detecting, according to the information files generated by the information generation device, whether the application file has been changed;
a control device for accepting the registration and deregistration, by the detection device, of the application files that need to be checked; for notifying the detection device to check the application file when the application file requests to run; and for controlling the running of the application file according to the detection result of the detection device.
8. The device for preventing computer viruses according to claim 7, characterized in that the information generation device further comprises: an information generation control device for controlling, according to the needs of the system, the generation of the content of the information file by a predetermined algorithm.
9. The device for preventing computer viruses according to claim 7, characterized in that the detection device further comprises:
a registration/deregistration device for registering the original information file of the application file with the control device when the system starts, so that the control device sends a notification to the detection device when an application file requests to run, and for cancelling this registration with the control device when the system stops running;
a message interaction/processing device for exchanging messages with the control device and controlling the information generation device according to the messages from the control device;
a verification device for comparing, when the application file requests to run, the new information file of the application file generated by the information generation device with the original information file corresponding to the application file.
10. The device for preventing computer viruses according to claim 9, characterized in that the message interaction/processing device comprises:
a notification processing device for controlling, after the detection device receives the application file run notification from the control device, the information generation device to call the information generation control device to generate the new information file of the application file;
a check result transmitting device for sending the check result of the verification device to the control device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB031437931A CN1329828C (en) | 2003-08-06 | 2003-08-06 | Method and device for preventing computer virus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1581088A (en) | 2005-02-16 |
CN1329828C (en) | 2007-08-01 |
Family
ID=34579525
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB031437931A Expired - Fee Related CN1329828C (en) | 2003-08-06 | 2003-08-06 | Method and device for preventing computer virus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1329828C (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20070801 Termination date: 20200806 |