KR101436496B1 - System for remote diagnosis of malware - Google Patents

Publication number: KR101436496B1
Authority: KR (South Korea)
Prior art keywords: input, file, specific file, output, malicious code
Application number: KR1020130105078A
Other languages: Korean (ko)
Inventor: 정태일
Original Assignee: 주식회사 안랩
Application filed by: 주식회사 안랩
Priority to: KR1020130105078A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3041 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is an input/output interface
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The present invention relates to a system for remote diagnosis of malware. The server comprises a scanner which generates an IO command for a particular file when a diagnosis request about the file from a client terminal is received and analyzes an IO outcome of the file carried out by the client terminal which received the IO command for the file, to diagnose the file; and a virtual input/output unit which transmits the IO command for the file generated by the scanner to the client terminal and transmits the IO outcome of the file received from the client terminal to the scanner.

Description

SYSTEM FOR REMOTE DIAGNOSIS OF MALWARE

The present disclosure relates to a method of allowing a remote server to examine a file located on a client, and to a virtualized network file input/output (IO) technique.

Conventional cloud anti-malware solutions either transfer the file to a server, or have the client extract a signature value such as a CRC so that the server can determine whether the file is malicious.

When the file is transmitted for checking, the entire file is sent even if the whole file is not needed for diagnosis, so unnecessary file transmission can increase network traffic and maintenance costs.

On the other hand, when the client generates a signature and sends it to the server, the client bears the load of signature generation. Creating a signature over the entire file incurs the file IO load of reading the entire file, and creating a signature over partial data requires analyzing, for each file, which parts are needed. As a result, the client must take on a significant portion of the scanner's operation.

Therefore, the existing cloud service approaches need to be improved so that the client performs only the file IO operations and the network carries only the necessary data rather than the whole file.

The present disclosure is directed to a method of enabling a remote server to examine a file (e.g., malicious software) located on a client, and to a virtualized network file input/output (IO) technique. More specifically, it proposes a malicious code remote diagnosis method that minimizes data traffic by implementing a virtualized file IO layer on the server and the client, in which the client performs the file IO requested by the server and sends the result back to the server.

According to an embodiment of the present disclosure, a malicious code diagnosis server is provided. The server includes: a scanner that generates an input/output (IO) command for a specific file when a client terminal requests diagnosis of the specific file, and that analyzes the input/output result of the specific file, as performed by the client terminal that received the file input/output command, to diagnose the specific file; and a virtual input/output unit that transmits the input/output (IO) command for the specific file generated by the scanner to the client terminal and transmits the input/output result of the specific file received from the client terminal to the scanner.

The file input/output command may be at least one of read, write, seek, open, close, attribute change, rename, and delete commands for the specific file.

The file input/output command may be an instruction to read a predetermined position of the specific file.

The virtual input/output unit may include: a cache that stores the input/output result of the specific file and, when the input/output result of the specific file is requested again, transmits the stored input/output result to the scanner; and a network input/output unit that, when an input/output command for a file not stored in the cache is received, transmits the input/output command to the client terminal and passes the file input/output result corresponding to the command to the cache to update the cache.

According to another embodiment of the present disclosure, a malicious code diagnosis system is provided. The system includes: a malicious code diagnosis server that generates an input/output (IO) command for a specific file upon receipt of a request for diagnosis of the specific file from a client terminal, transmits the input/output (IO) command for the specific file to the client terminal, and analyzes the input/output result of the specific file received from the client terminal that received the file input/output command, to diagnose the specific file; and a client terminal that receives the input/output (IO) command for the specific file from the malicious code diagnosis server, performs input/output of the specific file, and transmits the input/output result to the malicious code diagnosis server.

According to another embodiment of the present invention, a method by which a malicious code diagnosis server diagnoses a file of a client terminal is provided. The method includes: generating an input/output (IO) command for a specific file when the malicious code diagnosis server is requested by the client terminal to diagnose the specific file; transmitting the input/output (IO) command to the client terminal; receiving the input/output result of the specific file performed by the client terminal that received the file input/output command for the specific file; and analyzing the received input/output result of the specific file to diagnose the specific file.

The file input/output command may be at least one of read, write, seek, open, close, attribute change, rename, and delete commands for the specific file.

The file input/output command may be an instruction to read a predetermined position of the specific file.

The method may further include: storing the input/output result of the specific file; and, if the input/output result of the specific file is requested again, reusing the stored result.

Embodiments of the present invention request, and have each client terminal perform, the same operations (e.g., file IO) that are required when inspecting a file (for example, a file suspected of being malicious software). Because only the data of that file IO is transmitted over the network, data traffic can be reduced, and the client bears only the relatively small burden of the file IO.

FIGS. 1A to 1D are conceptual diagrams illustrating a malicious code diagnosis system according to an embodiment of the present invention.
FIG. 2 is a block diagram of a malicious code diagnosis server according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a malicious code diagnosis method according to an embodiment of the present invention.

It is noted that the technical terms used herein are used only to describe specific embodiments and are not intended to limit the invention. The technical terms used herein are to be interpreted in the sense generally understood by a person skilled in the art to which the present invention belongs, and should not be interpreted in an excessively reduced sense. Further, when a technical term used herein is an erroneous technical term that does not accurately express the spirit of the present invention, it should be understood as replaced by a technical term that a person skilled in the art can correctly understand. In addition, the general terms used in the present invention should be interpreted as defined in advance or according to the surrounding context, and should not be construed in an excessively reduced sense.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings, wherein like reference numerals refer to like or similar elements throughout the several views, and redundant description thereof will be omitted. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail. It is to be noted that the accompanying drawings are only for the purpose of facilitating understanding of the present invention, and should not be construed as limiting the scope of the present invention with reference to the accompanying drawings. The spirit of the present invention should be construed as extending to all modifications, equivalents, and alternatives in addition to the appended drawings.

FIG. 1A is a conceptual diagram illustrating a malicious code diagnosis system according to an embodiment of the present invention.

The malicious code diagnosis system may include a malicious code diagnosis server 100 and a client terminal 200.

Here, malicious code is a generic term for all software that can harm a computer, such as malicious software or malware. Examples include computer viruses, worms, spyware, and adware.

The malicious code diagnosis server 100 includes a scanner 110 for scanning a file and a virtual input/output unit 120 that virtualizes file input/output (IO) and requests file IO from the remote client 200. The client 200 may include a virtual input/output unit 220 that performs the file IO requested by the malicious code diagnosis server 100 and returns the result.

The scanner 110 may perform the same operations as when diagnosing a file stored locally. The scanner 110 generates IO commands for the file to be inspected without considering whether that file is located locally or remotely. The file IO command generated by the scanner 110 is sent as a request to the client terminal 200 over the network by the virtual input/output unit 120.

Referring to FIG. 1A, a client terminal 200 sends an inspection request to a malicious code diagnostic server 100 for a file existing on its storage medium. At this time, the file requested by the client terminal 200 may be a file suspected of being malicious code or a file suspected of being infected. For example, a file not inspected for a predetermined period or longer, a file stored in a specific location, a file newly stored within a predetermined period, a file having a name of a predetermined character string, or the like may be a suspicious file.

The scanner 110 of the malicious code diagnostic server 100 that has received the inspection request can generate file input/output (IO) commands such as read, write, seek, open, close, attribute change, rename, and delete. For example, the file input/output (IO) command may be a command to read a predetermined position (header, xx to yy, ...) of a specific file. This is because malicious code whose characteristics are known can be identified even if only a specific portion of the entire file is read.

The generated file input / output commands are transmitted to the client terminal 200 through the virtual input / output unit 120. The client terminal 200 receiving the file input / output command calls the corresponding file through the virtual input / output unit 220 and transmits the result of the received file input / output command to the malicious code diagnosis server 100. The scanner 110 of the malicious code diagnostic server 100 receiving the resultant value examines the corresponding file on the client terminal 200 based on the result.

FIG. 1B is a conceptual diagram illustrating a modified embodiment of the malicious code diagnosis system illustrated in FIG. 1A.

FIG. 1B shows an embodiment in which the server and the client of FIG. 1A have opposite roles. That is, the client 200' includes the scanner 210'. Upon receiving a diagnosis request for a specific file from the malicious code diagnostic server 100', the client 200' generates an input/output command for the file. The malicious code diagnosis server 100' transmits the input/output result of the file to the client 200', and the client 200' diagnoses the file using the scanner 210'. This variant can be applied to a system for diagnosing multiple virtual machines.

FIG. 1C is a conceptual diagram illustrating a malicious code diagnosis system according to another embodiment of the present invention.

Referring to FIG. 1C, the virtual input/output unit 120 of the malicious code diagnosis server 100 may further include a cache 121 and a network input/output unit 122. The cache 121 stores the file input/output results, and related information, of operations performed on the specific file, and returns the stored result to the scanner 110 when an input/output command for the specific file is issued again. When an input/output command occurs for a file that is not stored in the cache 121, the network input/output unit 122 transmits the input/output command to the client terminal 200 through the network, receives the input/output result of the file from the client terminal 200, and transmits it to the scanner 110. In doing so, the network input/output unit 122 can update the information stored in the cache 121. That is, when the cache receives a file input/output result other than those already stored, it can update its stored file input/output information.

FIG. 1C illustrates the operation of the cache 121 and the network input/output unit 122 in response to read commands issued by the scanner 110. The scanner 110 generates a plurality of read commands while inspecting a file, and may re-read a previously read area, which would generate unnecessary network traffic. To solve this problem, when previously read data is re-read, the cache 121 provides the return value for the read command without generating IO. In this way, the IO requests generated through the network input/output unit 122 can be minimized.
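
The read path described above, as an added Python example that is not part of the patent: the scanner uses only seek/read, the server-side virtual IO unit answers repeat reads from its cache, and the client performs the reads it is asked for. The 512-byte block cache, the command dictionaries, the client policy of honouring only bounded read-type commands, and every name and the sample file are assumptions made for illustration.

```python
import os
import tempfile

BLOCK = 512                            # assumed cache granularity
MAX_READ = 64 * 1024                   # assumed client-side cap per read command
MARKER = b"CONSTRUCTED-TEST-MARKER"    # constructed signature, not real malware


class ClientAgent:
    """Client virtual IO unit: performs file IO requested by the server."""

    def __init__(self, path):
        self.path = path               # the one file submitted for diagnosis
        self.bytes_sent = 0

    def handle(self, cmd):
        if cmd["op"] == "size":
            return os.path.getsize(self.path)
        if cmd["op"] == "read":
            offset, length = cmd["offset"], cmd["length"]
            if offset < 0 or not 0 < length <= MAX_READ:
                raise ValueError("read command out of bounds")
            with open(self.path, "rb") as fh:
                fh.seek(offset)
                data = fh.read(length)
            self.bytes_sent += len(data)
            return data
        # Assumption: this client only honours read-type commands.
        raise PermissionError("command %r not permitted" % cmd["op"])


class VirtualFile:
    """Server virtual IO unit: seek/read backed by a cache, then the network."""

    def __init__(self, send):
        self.send = send               # stands in for the network IO unit
        self.cache = {}                # block index -> bytes already fetched
        self.read_requests = 0
        self.pos = 0
        self.size = send({"op": "size"})

    def seek(self, offset):
        self.pos = offset

    def _block(self, index):
        if index not in self.cache:    # cache miss: one request to the client
            self.read_requests += 1
            self.cache[index] = self.send(
                {"op": "read", "offset": index * BLOCK, "length": BLOCK})
        return self.cache[index]

    def read(self, length):
        end = min(self.pos + length, self.size)
        out = bytearray()
        while self.pos < end:
            index, start = divmod(self.pos, BLOCK)
            chunk = self._block(index)[start:start + end - self.pos]
            if not chunk:              # file shrank on the client; stop
                break
            out += chunk
            self.pos += len(chunk)
        return bytes(out)


def scan(f):
    """Scanner: uses only seek/read, unaware that the file is remote."""
    f.seek(0)
    if f.read(2) != b"MZ":             # header check at a predetermined position
        return "clean"
    f.seek(0x3C)                       # constructed layout: pointer stored here
    pointer = int.from_bytes(f.read(4), "little")
    f.seek(pointer)
    return "detected" if f.read(len(MARKER)) == MARKER else "clean"


def demo():
    sample = bytearray(200_000)        # constructed sample file
    sample[0:2] = b"MZ"
    sample[0x3C:0x40] = (150_000).to_bytes(4, "little")
    sample[150_000:150_000 + len(MARKER)] = MARKER
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        agent = ClientAgent(path)
        vfile = VirtualFile(agent.handle)
        verdict = scan(vfile)
        first = vfile.read_requests
        scan(vfile)                    # second pass is served from the cache
        return {"verdict": verdict, "read_requests": first,
                "rescan_requests": vfile.read_requests,
                "bytes_sent": agent.bytes_sent, "file_size": len(sample)}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

On the constructed 200,000-byte sample the scanner reaches its verdict after three block reads, and the second scan adds no further requests to the client.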

FIG. 1D is a conceptual diagram illustrating a malicious code diagnosis system according to another embodiment of the present invention.

FIG. 1D illustrates an example of the virtual IO-based cloud system described above. In the illustrated structure, the client terminals 200a to 200d take charge of only the file IO, so there is no platform-dependent porting problem and no performance restriction, and the client terminals 200a to 200d can operate on various types of devices such as a PC, a smartphone, a tablet, and the like.

Meanwhile, when a plurality of servers 100 capable of independently performing file diagnosis are provided, share information with each other, and schedule their scanners, a diagnosis requested by a client terminal can be inspected using a virtual input/output unit (Virtual IO).

FIG. 2 is a block diagram of a malicious code diagnosis server according to an embodiment of the present invention.

The malicious code diagnosis server 100 according to an embodiment of the present invention may include a scanner 110 and a virtual input / output unit 120.

The malicious code diagnosis server 100 may perform the remote file diagnosis described in FIGS. 1A to 1D. Here, malicious code is a generic term for all software that can harm a computer, such as malicious software or malware. Examples include computer viruses, worms, spyware, and adware. Meanwhile, the file diagnosed by the malicious code diagnosis server 100 at the request of the client may be a file suspected of being malicious code or a file suspected of being infected.

When the malicious code diagnosis server 100 receives a request for diagnosis of a specific file from a client terminal, the scanner 110 generates an input/output (IO) command for the specific file and analyzes the input/output result of the specific file, as performed by the client terminal that received the file input/output command, to diagnose the specific file.

The virtual input/output unit 120 transmits the input/output (IO) command for the specific file generated by the scanner to the client terminal, and transmits the input/output result of the specific file received from the client terminal to the scanner.

At this time, the file input/output command may be at least one of read, write, seek, open, close, attribute change, rename, and delete commands. The file input/output command may be a command to read a predetermined position of the specific file.

The virtual input/output unit 120 may further include a cache 121 and a network input/output unit 122. The cache 121 may store the input/output result of the specific file that has been performed, and may transmit the stored input/output result to the scanner when the input/output result of the specific file is requested again. The network input/output unit 122 may transmit the file input/output request to the client terminal when file input/output not stored in the cache is requested. Accordingly, the network input/output unit 122 can update the information stored in the cache 121.

FIG. 3 is a flowchart illustrating a malicious code diagnosis method according to an embodiment of the present invention.

The malicious code diagnosis method described below can be performed by the malicious code diagnostic server described with reference to FIG. 1 and FIG. 2.

The malicious code diagnosis server may receive a diagnostic (scan) request for a specific file from the client terminal (S310). At this time, the file requested for diagnosis may be a file suspected of malicious code or a file suspected of being infected.

Upon receipt of the request, the malicious code diagnosis server may generate an input/output (IO) command for the file (S320). At this time, the file input/output command may be at least one of read, write, seek, open, close, attribute change, rename, and delete commands. The file input/output command may be a command to read a predetermined position or a part of the specific file.

The malicious code diagnosis server may transmit an input / output (IO) command to the client terminal (S330). Upon receiving the command, the client terminal performs input / output of the specific file and transmits the input / output result of the specific file to the malicious code diagnosis server.

Upon receiving the input/output result of the specific file (S340), the malicious code diagnostic server may analyze the input/output result and diagnose whether the specific file is infected (S350). Furthermore, the malicious code diagnosis server can treat a file infected with malicious code. For example, the malicious code diagnosis server can read the corresponding portion of the infected file from a normal file, move the file pointer to the start position of the malicious code, write, and resize the file.

After the step S350, if it is determined that additional diagnosis is required for another part of the file or another file (S360), the malicious code diagnosis server can repeat steps S320 to S350.

Thus, those skilled in the art will appreciate that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. It is therefore to be understood that the embodiments described above are to be considered in all respects only as illustrative and not restrictive.

For example, the malicious code diagnostic server 100 or the client terminal 200 according to the present invention may store embodiments of the present disclosure in a memory. In one embodiment, the memory is a computer-readable medium. In one implementation, the memory may be a volatile memory unit, and in other embodiments the memory may be a non-volatile memory unit. The memory may also include, for example, a hard disk device, an optical disk device, or any other mass storage device.

The malicious code diagnosis server 100 or the client terminal may also include, as an external input/output device, one or more network interface devices such as an Ethernet card, a serial communication device such as an RS-232 port, and/or a wireless interface device such as an 802.11 card. In other implementations, such input/output devices may include driver devices configured to transmit output data to, and receive input data from, other input/output devices such as keyboards, printers, display devices, and the like.

The malicious code diagnosis server 100 can be realized by an instruction that causes one or more processing devices to execute the above-described functions and processes at the time of execution. Such instructions may include, for example, interpreted instructions such as script commands, such as JavaScript or ECMAScript commands, or other instructions stored in executable code or computer readable media.

The malicious code diagnosis server 100 according to the present invention may be implemented in a distributed manner over a network, such as a server farm, or may be implemented as a single computer device.

Implementations of the functional operations and the subject matter described herein may be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed herein and their structural equivalents, or in a combination of one or more of these. Implementations of the subject matter described herein may be implemented as one or more computer program products, i.e., one or more modules of computer program instructions encoded on a tangible program storage medium for execution by, or for controlling the operation of, a processing system.

The computer-readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter that affects the machine readable propagation type signal, or a combination of one or more of the foregoing.

As such, the present specification is not intended to limit the invention to the specific terminology presented. Thus, while the present invention has been described in detail with reference to the above examples, those skilled in the art will be able to make adaptations, modifications, and variations on these examples without departing from the scope of the present invention. The scope of the present invention is defined by the appended claims rather than the detailed description, and all changes or modifications derived from the meaning and scope of the claims and their equivalents are to be construed as being included within the scope of the present invention.

100: malicious code diagnosis server
110: Scanner
120: virtual input / output unit
121: Cache
122: Network input/output unit

Claims (11)

  1. A malicious code diagnosis server comprising:
    a scanner that generates an input/output (IO) command for a specific file upon receipt of a request for diagnosis of the specific file from a client terminal, and analyzes the input/output result of the specific file performed by the client terminal that has received the file input/output command for the specific file, to diagnose the specific file; and
    a virtual input/output unit that transmits the input/output (IO) command for the specific file generated by the scanner to the client terminal and transmits the input/output result of the specific file received from the client terminal to the scanner.
  2. The malicious code diagnosis server according to claim 1,
    wherein the file input/output command comprises
    at least one of read, write, seek, open, close, attribute change, rename, and delete commands for the specific file.
  3. The malicious code diagnosis server according to claim 1,
    wherein the file input/output command
    is a command to read a predetermined position of the specific file.
  4. The malicious code diagnosis server of claim 1, wherein the virtual input/output unit comprises:
    a cache that stores an input/output result of the specific file and transmits the stored input/output result of the specific file to the scanner when the input/output result of the specific file is requested again; and
    a network input/output unit that, when an input/output command for a file not stored in the cache is received, transmits the input/output command to the client terminal and passes the file input/output result corresponding to the file input/output command to the cache.
  5. A malicious code diagnosis system comprising:
    a malicious code diagnosis server that generates an input/output (IO) command for a specific file upon receipt of a request for diagnosis of the specific file from a client terminal, transmits the input/output (IO) command for the specific file to the client terminal, and analyzes the input/output result of the specific file received from the client terminal to diagnose the specific file; and
    a client terminal that requests diagnosis of the specific file from the malicious code diagnosis server, receives the input/output (IO) command for the specific file from the malicious code diagnosis server, performs input/output of the specific file, and transmits the input/output result to the malicious code diagnosis server.
  6. A method by which a malicious code diagnosis server diagnoses a file of a client terminal, the method comprising:
    generating an input/output (IO) command for a specific file when the malicious code diagnosis server is requested to diagnose the specific file by the client terminal;
    transmitting the input/output (IO) command to the client terminal;
    receiving an input/output result of the specific file performed by the client terminal that has received the file input/output command for the specific file; and
    analyzing the received input/output result of the specific file to diagnose the specific file.
  7. The method according to claim 6,
    wherein the file input/output command comprises
    at least one of read, write, seek, open, close, attribute change, rename, and delete commands for the specific file.
  8. The method according to claim 6,
    wherein the file input/output command
    is a command to read a predetermined position of the specific file.
  9. The method according to claim 6, further comprising:
    storing an input/output result of the specific file; and
    reusing the stored result when the input/output result of the specific file is requested again.
  10. A method of operating a malicious code diagnostic system, the method comprising:
    a malicious code diagnosis server receiving a request for diagnosis of a specific file from a client terminal and generating an input/output (IO) command for the specific file;
    the malicious code diagnosis server transmitting the input/output (IO) command to the client terminal;
    the client terminal performing input/output of the specific file and transmitting the input/output result of the specific file to the malicious code diagnosis server; and
    the malicious code diagnostic server diagnosing the specific file by analyzing the input/output result of the specific file.
  11. A computer-readable medium having instructions for performing the steps of the method according to any one of claims 6 to 9.
Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020130105078A 2013-09-02 2013-09-02 System for remote diagnosis of malware

Publications (1)

Publication Number Publication Date
KR101436496B1 2014-10-14

Family ID: 51995879

Legal Events

Date Code Title Description
GRNT Written decision to grant
FPAY Annual fee payment (payment date: 20180827; year of fee payment: 5)
FPAY Annual fee payment (payment date: 20190826; year of fee payment: 6)