CN1900940A - Method for computer safety start - Google Patents

Info

Publication number: CN1900940A
Authority: CN (China)
Legal status: Granted
Application number: CN 200610061765
Other languages: Chinese (zh)
Other versions: CN100481101C (en)
Inventor: 谢朝霞
Current Assignee: Shenzhen Anluo Technology Co., Ltd.
Original Assignee: 谢朝霞
Application filed by: 谢朝霞
Priority to: CN 200610061765
Granted publication: CN100481101C
Current legal status: Expired - Fee Related

Abstract

The present invention discloses a safe computer starting method and solves the technical problem of recognizing worms and preventing them from running. The method includes the following steps: installing a main interface module and a driving module in the application layer and the driving layer respectively; recording, with the driving module, the processes run while the computer starts; and scanning and analyzing the recorded processes with the main interface module to determine the safe processes. While the computer starts, the driving module is run first to intercept the worm, and the main interface module judges whether a program is a worm through digital signature verification, safe-program signature library verification, and static behavior feature code analysis and judgment, so as to ensure the normal running of the computer system while automatically eliminating worms during computer startup.

Description

Method for computer safety start
Technical field
The present invention relates to a method for the safe startup of a computer, and in particular to a method for safe startup in the Windows system of a computer.
Background
At present computer viruses are rampant. To obtain unlawful gains, some people illegally install various malicious programs on other people's computers, including trojan backdoors, viruses and spyware. These malicious programs run automatically when the computer starts, monitor the operation of the computer, steal the user's private data and bank card passwords, and perform various other harmful operations, causing trouble for the user's work and life. Because computer software contains a large number of vulnerabilities, computers are easily infected with malicious programs, which causes inconvenience and loss to the user. People have tried many ways of finding automatically running malicious programs, but so far none is effective. On the other hand, the methods for judging whether a program is malicious also have many problems. Traditional antivirus software identifies viruses by binary feature codes, and this identification method cannot deal effectively with newly emerging malicious programs. Current viruses spread quickly and have many variants, and antivirus vendors remove them by collecting virus samples and extracting feature codes, which amounts to repairing after the fact. Viruses of the trojan-backdoor kind have many variants, are highly targeted, and their samples are hard to obtain, so antivirus software that relies on sample feature codes often cannot remove this class of virus effectively.
Summary of the invention
The purpose of the invention is to provide a method for the safe startup of a computer; the technical problem to be solved is identifying malicious programs and preventing them from running.
The invention adopts the following technical solution. A method for the safe startup of a computer comprises the following steps: 1. a main interface component and a driver component are installed at the application layer and the driver layer of the computer respectively; 2. the driver component records the names of all processes run during computer startup, and the main interface component scans and analyzes the running processes recorded by the driver component to determine the safe programs; 3. when the computer starts, the driver component is loaded and run first by the computer's CPU, and any program not listed among the safe programs is judged to be a malicious program, intercepted by the driver component and not run.
In the method of the invention, when the computer starts for the first time, the driver component records the names of all processes run during computer startup and stores them; after computer startup is complete, the main interface component scans and analyzes the running processes recorded by the driver component to determine the safe programs.
The main interface component of the invention scans and analyzes the running programs recorded by the driver component using digital signature verification, safe-program signature library verification and static behavior feature code analysis.
When the driver component of the invention records the names of all processes run during computer startup, it stores them as a list of names in the running-process list on the hard disk.
During scanning and analysis the method of the invention expresses the danger value as a score; each scanning and analysis step yields a danger score, and the main interface component records the processes whose score equals 0 points in the safe-program list.
The driver component of the invention intercepts malicious programs through the return value.
The main interface component of the invention has: a human-computer interaction module, a module that communicates by sending messages to the driver component, and a module that scans, analyzes and identifies malicious programs.
Interception by the driver component of the invention is implemented by replacing the computer's original process-creation handling with the driver component's own process-creation handling.
In the safe-program signature library verification of the invention, the module that scans, analyzes and identifies malicious programs compares the feature code of the program to be analyzed one by one with the feature codes in the safe-program signature library; if an identical feature code exists, the name of the program to be analyzed is recorded in the safe-program list, and the program is affirmed to be a normal program.
The static behavior feature code analysis of the invention analyzes the size of the whole program file to be verified, its resources and creation date, the portable executable (PE) information of the file, its version information, the import table information of the PE structure, its section information, its process information and its file name; a danger value is given by comparison, the danger values are then accumulated, and the names of programs whose final danger value is 0 are recorded in the safe-program list.
Compared with the prior art, in the present invention the driver component is loaded and run first by the computer's CPU and intercepts malicious programs during computer startup, while normal programs are not intercepted. The main interface component judges whether a running program recorded by the driver component is a malicious program using digital signature verification, safe-program signature library verification, and static behavior feature code analysis and judgment. This guarantees the normal operation of the computer system while effectively removing the malicious programs that run automatically during system startup.
Description of drawings
Fig. 1 is a flow chart of the embodiment of the invention.
Fig. 2 is the computer startup flow chart of the embodiment of the invention.
Fig. 3 is the computer restart flow chart of the embodiment of the invention.
Fig. 4 is the flow chart for scanning and identifying malicious programs in the embodiment of the invention.
Fig. 5 is the editing flow chart of the embodiment of the invention.
Fig. 6 is the flow chart of interception processing during computer startup in the embodiment of the invention.
Fig. 7 is the process interception flow chart of the invention.
Fig. 8 is the interface diagram for restarting the computer in the embodiment of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and the embodiment. Definitions of terms:
Process: an instance of a running program.
Malicious program: a program harmful to the computer system, including virus programs, trojan backdoors, spy programs and the like.
Driver component: a driver. A driver runs at the lowest layer of the system, has very high control privileges over the system, and can be regarded as part of the operating system.
Main interface component: the main interface program, used mainly to handle human-computer interaction. In the Windows system the main interface component generally interacts with the user in the form of a window, and the user can use the mouse and keyboard to complete the required task.
The method of the invention uses a computer configured with a CPU of Pentium 400MHz or higher, 64MB of memory or more, an SVGA display card with a display mode of 16-bit color or above, and 300MB of hard disk or more; the operating system is Windows 2000/Windows XP/Windows 2003. First, a main interface component and a driver component are installed at the application layer and the driver layer of the computer respectively. The main interface component comprises: (1) the human-computer interaction module, which, as shown in Fig. 8, uses a Windows window and interacts with the user through the buttons in the window; (2) the module for communicating with the driver component: the main interface component and the driver component establish a message channel, and by sending messages to the driver component the main interface component controls the driver component's functions of recording process information and intercepting process startup; (3) the module that scans, analyzes and identifies malicious programs, which judges by scanning whether a program is a malicious program. The scan consists, in order, of digital signature verification, safe-program signature library verification and static behavior feature code analysis. The danger value is expressed as a score during scanning, the score obtained by each scan is accumulated, and after scanning is complete the degree of danger of the scanned program is judged from the final score.
The driver component is used to intercept the running of all programs and to record the names of the processes that run in the running-process list stored on the hard disk. Interception of program execution is implemented by replacing the computer's original process-creation handling function with the driver component's own process-creation handling.
As shown in Fig. 1, the method of the invention comprises the following steps: 1. a main interface component and a driver component are installed at the application layer and the driver layer of the computer respectively; 2. when the computer starts, the driver component records the names of all processes run during computer startup as a list of names and stores them in the running-process list on the hard disk; 3. after computer startup is complete, the main interface component scans and analyzes the list of running programs recorded by the driver component, in order, using digital signature verification, safe-program signature library verification and static behavior feature code analysis; the danger value is expressed as a score, each scanning and analysis step yields a danger score, and the main interface component records the programs whose score equals 0 points in the safe-program list; 4. the computer is restarted; any program not in the safe-program list is judged to be a malicious program and is intercepted by the driver component through the return value and not run.
Because the method of the invention installs the driver component in the driver layer of the computer, the driver component is loaded and run first by the computer's CPU during startup, and once running it monitors all new process creation through the replacement. As shown in Fig. 2, when the computer starts, the driver component runs and replaces the computer's original process-creation handling with its own. Each time the computer creates a new process, the driver component records the name of the created process and stores it as a list in the running-process list. As shown in Fig. 3, when the computer is restarted, the driver component compares the name of each newly created process, by string comparison, with the process names in the safe-program list stored on the hard disk. For any program not in the startup list the process is directly blocked, its creation being refused through the return value; only programs whose process names are in the safe-program list are allowed to create a process. After computer system startup is complete, the main interface component sends a stop-interception command to the driver component; the driver component stops blocking process creation and, by releasing the processes that were blocked, hands control of the computer system to the user. Once the driver component is installed in the driver layer, at every startup the driver component records the names of the programs that run in the running-process list, which completes the first start of the safe startup. The separate first start of the computer can therefore be omitted and only the second start needs to be carried out, which simplifies the steps for the user.
The scanning methods that the main interface component uses to identify malicious programs comprise digital signature verification, safe-program signature library verification and static behavior feature code analysis. The purpose of this is to first exclude the programs that the computer operating system considers normal; the scanning function of the scanning analysis module then analyzes the program by comparison against the static behavior feature codes and obtains a danger value. The danger value is calculated as a score: the larger the score, the higher the degree of danger of the program. The names of programs whose danger value is 0 are then stored in the safe-program list in the registry. As shown in Fig. 4, the flow in which the main interface component scans and analyzes malicious programs is to analyze the digital signature first, then the safe-program signature library, and finally the static behavior feature codes.
The computer's central processing unit reads the file to be scanned and compares it as it is read. The malicious program list is verified first. The malicious program list is a manually collected set of extracted feature codes stored on the hard disk, and the comparison is made against the data read from the hard disk. If the central processing unit finds the feature code of the file to be scanned in the malicious program list, the program is already known to be a malicious program; the danger value is set to 100 points, indicating that it is rather dangerous, there is no need to scan further, and the scan ends.
Digital signature verification is a function provided by the Windows operating system for verifying whether a file contains a uniquely determined signature. Every program in the Windows operating system carries Microsoft's digital signature on its data, and the value of the digital signature is unique, so it can prove that the program is a normal, safe program. If the program to be analyzed contains Microsoft's digital signature, the program name is recorded in the safe-program list and the scan ends; if it has no digital signature, safe-program signature library verification is carried out.
The safe-program signature library is a manually collected set of feature codes of safe programs, stored as a list in the safe-program signature library file. Commonly used software is collected in text form and, after analysis and verification confirm that it is normal, the feature codes of the files of these normal programs are extracted and gathered together. The module of the main interface component that scans, analyzes and identifies malicious programs compares the feature code of the program to be analyzed one by one with the feature codes in the safe-program signature library; if an identical feature code exists, the name of the program to be analyzed is recorded in the safe-program list, the program is affirmed to be a normal program, and the scan ends.
The static behavior feature code analysis in the malicious-program scanning method applies the following rules in order: a danger value is given by comparison, the danger values are then accumulated, the names of programs whose final danger value is 0 are recorded in the safe-program list, and the scan then ends.
1. The computer's central processing unit judges and analyzes the size of the whole file to be verified, gives a score and keeps it in memory, then accumulates it; when the score exceeds 100 the file is judged to be a malicious program and the scan ends. A normal program, or a large piece of software, is generally not too small, whereas viruses and trojans are generally rather small for ease of transmission.
1.1. When the file to be verified is less than 1KB, add 20 points and keep the result in memory;
1.2. When the file to be verified is less than 50KB, add 15 points;
1.3. When the file to be verified is less than 100KB, add 10 points;
1.4. When the file to be verified is less than 200KB, add 5 points;
1.5. When the file to be verified is greater than 500KB, subtract 5 points;
1.6. When the file to be verified is greater than 1024KB, subtract 20 points.
2. The computer's central processing unit judges and analyzes the resources and creation date of the file to be verified, gives a score and stores it in memory, then accumulates it; when the score exceeds 100 the file is judged to be a malicious program and the scan ends. Virus programs generally have no resources such as forms, icons and sounds, or very few if they have any, so the resources and the creation date, which are relatively sensitive information, are analyzed here.
2.1. The central processing unit judges and analyzes the number of resources of the file to be verified and stores the result in memory; if the number of resources is less than or equal to 5, add 5 points;
2.2. The central processing unit judges and analyzes the strings; when the file is less than 500K, subtract 10 points;
2.3. The central processing unit judges and analyzes the creation date of the file to be verified; if it is within one day, add 5 points.
3. The central processing unit judges and analyzes the portable executable (PE) information of the file to be verified to determine whether the file has been packed (had a shell added); if it has been packed, 50 points are added to the danger value and stored in memory.
3.1. The central processing unit judges whether the section containing the entry point of the program to be verified is a standard section. The entry point of a normal program is always in a code section, named code or .code; if it is not, the program is considered packed;
3.2. The central processing unit judges whether the code at the entry point of the program to be verified is identical to a packer feature code. The entry-point code generated by a compiler is always the same, and the same holds for packing tools, so comparing the entry-point code of a program with the packer features in the feature code library determines whether the program has been packed;
3.3. The central processing unit analyzes the imported functions of the program to be verified to determine whether the file to be verified has been packed. For example: analyze the four sensitive API functions of the program to be verified; if the import table contains only more than two and fewer than six API functions, and they are consistent with the six API functions, the program to be verified has been packed. The five common sensitive API functions are "VirtualAlloc", "VirtualFree", "LoadLibraryA", "LoadLibraryW" and "GetProcAddress"; these five API functions are commonly used by packers. VirtualAlloc and VirtualFree are used to allocate and release memory; LoadLibraryA and LoadLibraryW are used to load a DLL (dynamic link library); GetProcAddress is used to obtain the entry pointer of a function from a DLL loaded by LoadLibrary.
4. The computer's central processing unit analyzes the version information of the program file to be verified and gives a score. Normal programs generally carry the developer's version information, such as company name, version number, copyright information and description text; most virus programs do not have this information, and only a small fraction of viruses forge version information. The central processing unit stores the result of the analysis and judgment in memory and then continues scanning.
4.1. If the program file to be verified has no version information, add 8 points;
4.2. If the program file to be verified has no company name, add 2 points;
4.3. If the program file to be verified has no copyright information, add 2 points;
4.4. If the program file to be verified has no description information, or the description is fewer than 5 characters, add 2 points;
4.5. If the file's company name is mirosoftware and the file has been packed, add 10 points.
5. The computer's central processing unit analyzes the import table information of the portable executable (PE) structure of the program file to be verified, compares and identifies the dynamic link libraries (DLLs) and their imported functions, stores the result of the analysis and judgment in memory, then continues scanning and gives a score.
5.1. The import table is incomplete: if the central processing unit encounters an error reading the file header or the import table, it adds 50 points to the program directly;
5.2. The central processing unit analyzes the DLL information: whether the non-Microsoft DLLs in the import table number 2 or fewer or more than 2; where the loaded non-Microsoft modules exceed 2, each deducts 20 points;
5.3. If the import table contains a network-related module, add 10 points; the central processing unit analyzes whether the program file to be verified contains a network-related DLL, such as WPCAP, a DLL of a toolkit used for intercepting data packets, and if so adds 5 points;
5.4. The central processing unit analyzes whether the program file to be verified contains file-related application programming interfaces (APIs), such as CreateFile, and if so adds 5 points. If the program is packed, this analysis is not performed. For dangerous interfaces in the API import table, i.e. interface calls for writing files, creating processes and network access, each adds 5 points;
5.5. If the program file to be verified is a VB (Visual Basic) program, the central processing unit analyzes and judges whether it contains file operations and uses GetIpUpDown; if so, add 10 points.
6. The computer's central processing unit analyzes the section information of the program file to be verified and gives a score. The non-code sections of a normal program are within about 10 times the size of the code section; if they exceed 10 times, the file may be a packaged virus or a program infected by a virus. The central processing unit adds up all sections except the code section and then compares sizes, i.e. how much they differ from the size of the code section. The central processing unit stores the result of the analysis and judgment in memory and then continues scanning.
6.1. The section table is incomplete: add 10 points;
6.2. The non-code sections are more than 100 times the code section: add 10 points;
6.3. The non-code sections are more than 80 times the code section: add 8 points;
6.4. The non-code sections are more than 60 times the code section: add 6 points;
6.5. The non-code sections are more than 40 times the code section: add 4 points;
6.6. The non-code sections are more than 20 times the code section: add 2 points;
6.7. The non-code sections are more than 10 times the code section: add 1 point.
7. The computer's central processing unit analyzes the process information, stores the result of the analysis and judgment in memory, then continues scanning and gives a score.
7.1. If the name of the process to be verified is one of the six processes "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "Msimn.exe" and "msnmsgr.exe", add 5 points;
7.2. If the program file to be verified is under the installation directory of the operating system, add 10 points;
7.3. If the program file to be verified is under the %system% directory, add 10 points;
7.4. If the path of the program file to be verified is a network path, add 5 points;
7.5. The central processing unit analyzes the similarity between the name of the process to be verified and the following critical processes; if it reaches 80%, add 10 points: "conime", "svchost", "services", "winlogon", "explorer", "lsass", "internat", "smss";
7.6. Analyze whether the suffix of the name of the created process is "DLL"; if so, add 20 points.
8. The computer's central processing unit analyzes the file name of the program file to be verified and gives a score. For a normal program the file name generally does not exceed 32 characters, generally does not contain more than 2 spaces, and does not contain Chinese characters or special characters such as # and %. If the conditions below are met, the program may be a problematic program. The central processing unit stores the result of the analysis and judgment in memory and then continues scanning.
8.1. The file name is too long, greater than 32 characters: add 5 points;
8.2. The file name contains more than 3 spaces: add 5 points;
8.3. The file name contains special characters, such as Chinese symbols: each character adds 1 point;
8.4. If the file name analysis score is higher than 10 points, it is set to 10 points.
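The scan order and three of the scoring rules above (1, 6 and 8), written out as an added Python example; this is not code from the patent. The `Sample` fields, the feature-code strings and the sample files are constructed, and three readings are assumptions: only the first matching tier of rules 1 and 6 scores, a code section of size 0 stands for an incomplete section table, and "special character" means `#`, `%` or any non-ASCII character.

```python
from dataclasses import dataclass

KB = 1024

@dataclass
class Sample:
    """Features assumed to be extracted from the file beforehand (hypothetical layout)."""
    name: str               # file name without path
    size: int               # file size in bytes
    feature_code: str       # feature code of the file (constructed placeholder)
    microsoft_signed: bool  # outcome of the OS digital signature check
    code_section: int       # size of the code section in bytes
    other_sections: int     # summed size of all non-code sections in bytes

def size_score(size):
    """Rule 1: small files add points, large files subtract (first matching tier)."""
    if size > 1024 * KB:
        return -20
    if size > 500 * KB:
        return -5
    for limit_kb, points in ((1, 20), (50, 15), (100, 10), (200, 5)):
        if size < limit_kb * KB:
            return points
    return 0

def section_score(code_section, other_sections):
    """Rule 6: ratio of non-code sections to the code section (highest matching tier)."""
    if code_section <= 0:       # assumption: stands for an incomplete section table (6.1)
        return 10
    ratio = other_sections / code_section
    for factor, points in ((100, 10), (80, 8), (60, 6), (40, 4), (20, 2), (10, 1)):
        if ratio > factor:
            return points
    return 0

def name_score(name):
    """Rule 8: long names, many spaces and special characters, capped at 10 points."""
    score = 0
    if len(name) > 32:
        score += 5
    if name.count(" ") > 3:
        score += 5
    score += sum(1 for ch in name if ch in "#%" or ord(ch) > 127)
    return min(score, 10)

def scan(sample, malicious_codes, safe_codes):
    """Return (danger score, verdict) following the order described in the text."""
    if sample.feature_code in malicious_codes:   # malicious program list: stop at 100
        return 100, "malicious"
    if sample.microsoft_signed:                  # digital signature verification
        return 0, "safe"
    if sample.feature_code in safe_codes:        # safe-program signature library
        return 0, "safe"
    score = (size_score(sample.size)
             + section_score(sample.code_section, sample.other_sections)
             + name_score(sample.name))
    if score > 100:
        return score, "malicious"
    # Only a final score of exactly 0 enters the safe-program list.
    return score, "safe" if score == 0 else "not listed"

# Constructed sample data, not taken from the patent.
MALICIOUS_CODES = {"feat-bad-0001"}
SAFE_CODES = {"feat-good-0001"}
SAMPLES = [
    Sample("setup tool.exe", 300 * KB, "feat-0003", False, 100 * KB, 150 * KB),
    Sample("svch0st#%.exe", 30 * KB, "feat-0004", False, 2 * KB, 90 * KB),
    Sample("a.exe", 10 * KB, "feat-bad-0001", False, 4 * KB, 4 * KB),
    Sample("b.exe", 10 * KB, "feat-0005", True, 4 * KB, 4 * KB),
]

def run_samples():
    return [(s.name,) + scan(s, MALICIOUS_CODES, SAFE_CODES) for s in SAMPLES]

if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

A file scored "not listed" is never added to the safe-program list, so under the method described here it is blocked at the next startup just like one scored "malicious".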
As shown in Fig. 5, the user can edit and modify the scan results of the main interface program: the user manually sets a program in the scan result list to be a malicious program or a normal program.
As shown in Fig. 6, during computer startup the driver component is loaded first; a process is created for this program, the process is then scheduled, and the process runs. The driver component replaces the computer's original process-creation handling function with the driver component's own handling. When the computer creates a process, the driver component first handles the process being created as follows: 1. it judges whether the starting process is an operating system process. Operating system processes are processes that must run for the computer to start and must never be intercepted, otherwise the computer system cannot work normally, so the processes of operating system programs are allowed to run; 2. it judges whether the program is in the normal program list, and if it is, the process is allowed to be created; 3. the direct creation of all other processes is forbidden.
Under normal circumstances the driver component stops intercepting automatically after computer system startup is complete. Various problems may nevertheless occur that leave the driver component in the intercepting state, which would make the computer unusable, so the driver component needs a method of stopping interception automatically: interception stops if the main interface program has run, or the driver component checks periodically after it starts running, and if it detects that it has been running for more than 5 minutes it stops intercepting so that the computer can operate normally.
As shown in Fig. 7, the driver component of the invention implements process interception by replacing the computer's original process-creation handling with its own process-creation handling. First, when the driver component is initialized, the computer's central processing unit obtains the ID number of the original handling function and finds the memory address of the function corresponding to that ID. The address attribute is then modified so that the function address is writable, and the address is rewritten to the address of the handling function inside the driver component, which completes the replacement. The handling function of the driver component then makes the judgment and decides whether to block or allow the running of the process. After computer startup is complete, the function address is restored to non-writable. Process interception can be implemented in several ways; the method adopted by the invention is to replace the kernel handling functions used for process creation, the four functions ZwCreateProcess, ZwCreateProcessEx, ZwCreateThread and ZwResumeThread.

Claims (10)

1. A method for secure computer startup, comprising the following steps: (1) a main interface component and a driver component are installed at the computer's application layer and driver layer respectively; (2) the driver component records the names of all processes running during computer startup, and the main interface component scans and analyzes the running processes recorded by the driver component to determine the safe processes; (3) when the computer is started, the driver component is loaded and run with priority by the computer's CPU, and any program not listed among the safe processes is judged to be a malicious program, is intercepted by the driver component, and is not run.
2. The method for secure computer startup according to claim 1, characterized in that: when the computer is started for the first time, the driver component records and stores the names of all processes running during computer startup; after computer startup is complete, the main interface component scans and analyzes the running processes recorded by the driver component to determine the safe processes.
3. The method for secure computer startup according to claim 2, characterized in that: the main interface component scans and analyzes the running programs recorded by the driver component using digital signature verification, safe process signature library verification and static behavior feature code analysis.
4. The method for secure computer startup according to claim 3, characterized in that: when the driver component records the names of all processes running during computer startup, it stores them, as a list of names, in the running process list on the hard disk.
5. The method for secure computer startup according to claim 4, characterized in that: during the scanning analysis, danger values are expressed by scoring; each scanning analysis step yields a danger score, and the main interface component records processes with a score of 0 in the safe process list.
6. The method for secure computer startup according to claim 5, characterized in that: the driver component intercepts malicious programs by means of a return value.
7. The method for secure computer startup according to claim 6, characterized in that: the main interface component has a human-computer interaction module, a module that sends messages to communicate with the driver component, and a scanning analysis module that identifies malicious programs.
8. The method for secure computer startup according to claim 7, characterized in that: the driver component's interception is implemented by substituting its process-creation handling for the computer's original process-creation handling.
9. The method for secure computer startup according to claim 8, characterized in that: the safe process signature library verification uses the scanning analysis module that identifies malicious programs to compare the feature code of the program under analysis, one by one, with the feature codes in the safe process signature library; if an identical feature code exists, the name of the program under analysis is recorded in the safe process list, and the program is certainly a normal program.
10. The method for secure computer startup according to claim 9, characterized in that: the static behavior feature code analysis analyzes the size, resources and creation date of the whole program file to be verified, and verifies the file's portable executable (PE) information, version information, and the import table information, section information, process information and file name of the PE structure; a danger value is given for each by comparison, the danger values are then added up, and the names of programs whose final danger value is 0 are recorded in the safe process list.
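The allow-or-block decision described in claims 1, 5, 9 and 10, as an added user-mode C example that is not code from the patent: the application-layer scan builds the list of safe processes, and the driver's replacement create-process handler consults it. The struct layout, function names, verdict values and sample records are illustrative, as is the assumption that a valid signature or a library match clears a program before the static danger values are summed.

```c
#include <ctype.h>
#include <stdio.h>
/* Added illustration: every name, score and return value here is constructed. */
enum { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1, N_STATIC = 4, MAX_SAFE = 32 };
struct scan_record {              /* one process name logged on first boot */
    const char *name;
    int signature_valid;          /* digital signature verification passed */
    int in_safe_library;          /* feature code found in the safe signature library */
    int static_danger[N_STATIC];  /* danger value from each static check */
};
static const char *safe_list[MAX_SAFE];
static int safe_count;

static int same_name(const char *a, const char *b) {  /* case-insensitive, as on Windows */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return tolower((unsigned char)*a) == tolower((unsigned char)*b);
}

/* Assumed cascade: signature or library match clears; else static values are summed. */
int danger_score(const struct scan_record *r) {
    int total = 0;
    if (r->signature_valid || r->in_safe_library) return 0;
    for (int i = 0; i < N_STATIC; i++) total += r->static_danger[i];
    return total;
}

/* Application layer: only processes with a final danger value of 0 are listed. */
int build_safe_list(const struct scan_record *recs, int n) {
    safe_count = 0;
    for (int i = 0; i < n && safe_count < MAX_SAFE; i++)
        if (danger_score(&recs[i]) == 0) safe_list[safe_count++] = recs[i].name;
    return safe_count;
}

/* Driver layer: verdict of the replacement create-process handler. */
int on_create_process(const char *image_name) {
    for (int i = 0; i < safe_count; i++)
        if (same_name(safe_list[i], image_name)) return VERDICT_ALLOW;
    return VERDICT_BLOCK;         /* not on the safe list: blocked */
}

static const struct scan_record first_boot[] = {      /* constructed scan results */
    { "signedapp.exe", 1, 0, {0, 0, 0, 0} }, { "knownapp.exe", 0, 1, {0, 0, 0, 0} },
    { "cleanapp.exe",  0, 0, {0, 0, 0, 0} }, { "unknown.exe",  0, 0, {2, 1, 0, 3} },
};
int main(void) {
    build_safe_list(first_boot, 4);
    printf("unknown.exe -> %s\n", on_create_process("unknown.exe") ? "blocked" : "allowed");
    return 0;
}
```

The list is keyed on process name because that is what the claims record; a deployment would normally key each entry on a file hash or signer so that the entry identifies the binary itself.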
CN 200610061765 2006-07-19 2006-07-19 Method for computer safety start Expired - Fee Related CN100481101C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610061765 CN100481101C (en) 2006-07-19 2006-07-19 Method for computer safety start

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200610061765 CN100481101C (en) 2006-07-19 2006-07-19 Method for computer safety start

Publications (2)

Publication Number Publication Date
CN1900940A true CN1900940A (en) 2007-01-24
CN100481101C CN100481101C (en) 2009-04-22

Family

ID=37656827

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610061765 Expired - Fee Related CN100481101C (en) 2006-07-19 2006-07-19 Method for computer safety start

Country Status (1)

Country Link
CN (1) CN100481101C (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950339A (en) * 2010-09-14 2011-01-19 上海置水软件技术有限公司 Security protection method and system of computer
CN102034047A (en) * 2010-12-21 2011-04-27 姚志浩 Automatic protection method for computer virus
CN102081720A (en) * 2010-11-18 2011-06-01 腾讯科技(深圳)有限公司 Method and system for detecting process creation during real-time protection
CN102110220A (en) * 2011-02-14 2011-06-29 宇龙计算机通信科技(深圳)有限公司 Application program monitoring method and device
CN101685483B (en) * 2008-09-22 2011-07-20 成都市华为赛门铁克科技有限公司 Method and device for extracting virus feature code
CN102890641A (en) * 2012-08-30 2013-01-23 北京奇虎科技有限公司 Process behavior control method and device
CN102902910A (en) * 2011-07-28 2013-01-30 腾讯科技(深圳)有限公司 Method and system for drive protection
CN103019778A (en) * 2012-11-30 2013-04-03 北京奇虎科技有限公司 Startups cleaning method and device
CN103514411A (en) * 2012-06-25 2014-01-15 联想(北京)有限公司 Method for starting electronic equipment and electronic equipment safety system
CN103763686A (en) * 2013-12-23 2014-04-30 北京奇虎科技有限公司 Processing method and device for short messages
CN103902901A (en) * 2013-09-17 2014-07-02 北京安天电子设备有限公司 APT detection method and system based on compiler recognition
CN104598806A (en) * 2014-11-24 2015-05-06 北京奇虎科技有限公司 Method and device for registering detecting
CN103902883B (en) * 2013-09-24 2017-01-11 北京安天电子设备有限公司 APT prevention method and system based on driving-stage program
CN103713920B (en) * 2011-06-20 2017-11-14 北京奇虎科技有限公司 Portable device system starting protection method and apparatus
CN107430663A (en) * 2014-12-23 2017-12-01 迈克菲有限责任公司 It is determined that the prestige for process

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101685483B (en) * 2008-09-22 2011-07-20 成都市华为赛门铁克科技有限公司 Method and device for extracting virus feature code
CN101950339A (en) * 2010-09-14 2011-01-19 上海置水软件技术有限公司 Security protection method and system of computer
CN102081720B (en) * 2010-11-18 2013-01-02 腾讯科技(深圳)有限公司 Method and system for detecting process creation during real-time protection
CN102081720A (en) * 2010-11-18 2011-06-01 腾讯科技(深圳)有限公司 Method and system for detecting process creation during real-time protection
CN102034047A (en) * 2010-12-21 2011-04-27 姚志浩 Automatic protection method for computer virus
CN102034047B (en) * 2010-12-21 2012-10-17 姚志浩 Automatic protection method for computer virus
CN102110220A (en) * 2011-02-14 2011-06-29 宇龙计算机通信科技(深圳)有限公司 Application program monitoring method and device
CN102110220B (en) * 2011-02-14 2013-01-23 宇龙计算机通信科技(深圳)有限公司 Application program monitoring method and device
CN103713920B (en) * 2011-06-20 2017-11-14 北京奇虎科技有限公司 Portable device system starting protection method and apparatus
CN102902910A (en) * 2011-07-28 2013-01-30 腾讯科技(深圳)有限公司 Method and system for drive protection
US9317707B2 (en) 2011-07-28 2016-04-19 Tencent Technology (Shenzhen) Company Limited Method and system for protecting a driver
CN102902910B (en) * 2011-07-28 2013-10-23 腾讯科技(深圳)有限公司 Method and system for drive protection
CN103514411A (en) * 2012-06-25 2014-01-15 联想(北京)有限公司 Method for starting electronic equipment and electronic equipment safety system
CN102890641B (en) * 2012-08-30 2015-02-11 北京奇虎科技有限公司 Process behavior control method and device
CN102890641A (en) * 2012-08-30 2013-01-23 北京奇虎科技有限公司 Process behavior control method and device
CN103019778A (en) * 2012-11-30 2013-04-03 北京奇虎科技有限公司 Startups cleaning method and device
CN103019778B (en) * 2012-11-30 2016-05-25 北京奇虎科技有限公司 The method for cleaning of starting up's item and device
CN103902901A (en) * 2013-09-17 2014-07-02 北京安天电子设备有限公司 APT detection method and system based on compiler recognition
CN103902901B (en) * 2013-09-17 2017-10-31 北京安天网络安全技术有限公司 A kind of APT detection methods and system recognized based on compiler
CN103902883B (en) * 2013-09-24 2017-01-11 北京安天电子设备有限公司 APT prevention method and system based on driving-stage program
CN103763686A (en) * 2013-12-23 2014-04-30 北京奇虎科技有限公司 Processing method and device for short messages
CN104598806A (en) * 2014-11-24 2015-05-06 北京奇虎科技有限公司 Method and device for registering detecting
CN107430663A (en) * 2014-12-23 2017-12-01 迈克菲有限责任公司 It is determined that the prestige for process

Also Published As

Publication number Publication date
CN100481101C (en) 2009-04-22

Similar Documents

Publication Publication Date Title
CN100481101C (en) Method for computer safety start
Li et al. Understanding android app piggybacking: A systematic study of malicious code grafting
TWI401582B (en) Monitor device, monitor method and computer program product thereof for hardware
US7627898B2 (en) Method and system for detecting infection of an operating system
CN101359355B (en) Method for raising user's authority for limitation account under Windows system
US10162965B2 (en) Portable media system with virus blocker and method of operation thereof
US8763128B2 (en) Apparatus and method for detecting malicious files
CN107688743B (en) Malicious program detection and analysis method and system
US20100122313A1 (en) Method and system for restricting file access in a computer system
EP2750067B1 (en) System and method for selecting synchronous or asynchronous file access method during antivirus analysis
CN1702590A (en) Method for establishing trustable operational environment in a computer
CN1550950A (en) Method and system for protecting computer system from malicious software operation
US10262139B2 (en) System and method for detection and prevention of data breach and ransomware attacks
CN102024113B (en) Method and system for quickly detecting malicious code
KR101816751B1 (en) Apparatus and method for monitoring virtual machine based on hypervisor
RU2427890C2 (en) System and method to compare files based on functionality templates
CN101382984A (en) Method for scanning and detecting generalized unknown virus
US20210312037A1 (en) System and method for container assessment using sandboxing
KR100991807B1 (en) System and method for detecting and managing malicious code in computer systems using microsoft windows operating systems
KR101819322B1 (en) Malicious Code Analysis Module and Method therefor
CN101046836A (en) System and method for removing ROOTKIT
CN1677302A (en) Method and system for acquiring resource usage log and computer product
Aslan Performance comparison of static malware analysis tools versus antivirus scanners to detect malware
CN1920786A (en) System and method for implementing safety control of operation system
RU2583712C2 (en) System and method of detecting malicious files of certain type

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHENZHEN CITY ANLUO TECHNOLOGY CO., LTD

Free format text: FORMER OWNER: XIE ZHAOXIA

Effective date: 20100329

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 518020 BUILDING 3, PETROLEM CHEMISTRY SHUIBEI INDUSTRY DISTRICT, CUIZHU NORTH ROAD, LUOHU DISTRICT, SHENZHEN CITY, GUANGDONG PROVINCE TO: 518020 FLOOR 8, EAST SIDE, BUILDING 3, PETROLEM CHEMISTRY SHUIBEI INDUSTRY DISTRICT, CUIZHU NORTH ROAD, LUOHU DISTRICT, SHENZHEN CITY, GUANGDONG PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20100329

Address after: 518020 Guangdong city of Shenzhen province Luohu District Cuizhu North Petrochemical Water Bay Industrial Zone 3 East 8 floor

Patentee after: Shenzhen Anluo Technology Co., Ltd.

Address before: 518020 Guangdong city of Shenzhen province Luohu District Cuizhu north petrochemical industrial zone 3 East Bay water

Patentee before: Xie Chaoxia

C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090422

Termination date: 20100719