WO2015123972A1 - Macro virus detection method and apparatus - Google Patents
- Publication number: WO2015123972A1 (PCT application PCT/CN2014/084389)
- Authority: WO (WIPO, PCT)
- Prior art keywords: macro, data file, module, virus, target data
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- The present invention relates to the field of computer security technologies, and in particular to a macro virus detection method and apparatus.
Background technique
- In computer science, a macro is a sequence of instructions, written in a programming language, that is permitted to be embedded in a data file.
- A macro virus is a malicious instruction sequence written into a macro in a data file or data file template.
- One existing method is to statically analyze data files with anti-virus software: the software decomposes and recognizes the structure of the data file according to its compound data file format, extracts the feature codes (signatures) of all macros in the data file, and matches them against the macro virus signatures in the virus database; any macro whose signature matches is removed.
- Another method is to use the active defense function of the anti-virus software to monitor the behavior of the data file handler in real time. If malicious behavior is detected, the behavior is intercepted, execution of the data file handler is suspended, and the user is prompted with the result of the behavior and its possible consequences; the data file handler can continue to execute only after the user has dealt with the behavior.
- The static analysis method requires that the anti-virus software be able to recognize and analyze the structure of every data file, but since different applications use different data file structures, this method is difficult to implement in practice. In addition, if the data file is encrypted, then even when the anti-virus software can recognize the structure of the data file it cannot obtain the content of that structure and so cannot analyze it. As a result, this method has low coverage when detecting macro viruses.
- Using the active defense function of the anti-virus software to monitor the behavior of the data file handler in real time occupies more system resources while the user is operating on the data file and affects the overall performance of the machine.
- Moreover, the detected "malicious behavior" may be normal user operation or may be malicious in the true sense, and behavior monitoring cannot distinguish between the two. To ensure security, the user must therefore be alerted frequently and prompted to handle the corresponding process, resulting in a poor user experience.
Summary of the invention
- An embodiment of the present invention discloses a macro virus detection method, including:
- invoking the macro virus detection module registered in advance as the data file handler plug-in; and
- detecting the target data file by the invoked macro virus detection module.
- Invoking the macro virus detection module registered in advance as the data file handler plug-in includes:
- Detecting the target data file by the invoked macro virus detection module includes:
- detecting the macro module in the target data file by the invoked macro virus detection module.
- Detecting the macro module in the target data file by the invoked macro virus detection module comprises:
- The method further includes:
- the micro-features built into the macro virus detection module and the extracted features are further matched;
- The preset micro-feature matching condition includes:
- the total number of matches between the extracted macro module features and the micro-features built into the invoked macro virus detection module is greater than a preset threshold.
- The method further includes:
- An embodiment of the present invention further discloses a macro virus detection apparatus, including: a calling unit, configured to invoke a macro virus detection module registered in advance as a data file handler plug-in after the data file handler performs an open operation on the target data file and before the content of the target data file is loaded; and
- a first detecting unit, configured to detect the target data file by the invoked macro virus detection module.
- The calling unit is specifically configured to:
- after the data file handler performs an open operation on the target data file and before the content of the target data file is loaded, detect whether there is a macro module in the target data file;
- The first detecting unit is specifically configured to:
- detect the macro module in the target data file by the invoked macro virus detection module.
- The first detecting unit includes an extracting subunit, a first matching subunit, and a first output subunit, where:
- the extracting subunit is configured to extract the features of each macro module;
- the first matching subunit is configured to match the virus features built into the macro virus detection module against the extracted features; and
- the first output subunit is configured to output deterministic macro virus alarm information to the user if the preset virus feature matching condition is met.
- The first detecting unit further includes a second matching subunit and a second output subunit, where the second matching subunit is configured to further match the micro-features built into the macro virus detection module against the extracted features when no virus feature matches; and
- the second output subunit is configured to output non-deterministic macro virus alarm information to the user if the preset micro-feature matching condition is met.
- The preset micro-feature matching condition includes:
- the total number of matches between the extracted macro module features and the micro-features built into the invoked macro virus detection module is greater than a preset threshold.
- The apparatus further includes an analyzing unit, a second detecting unit, and a repairing unit, where:
- the analyzing unit is configured to analyze the execution process of the feature-matched macro module and the result after execution; the second detecting unit is configured to detect whether the result analyzed by the analyzing unit is present in the system; and the repairing unit is configured to, when the detection result of the second detecting unit is YES, reversely repair the system according to the execution process of the feature-matched macro module and the result after execution.
- Since the macro virus detection module is first registered as a data file handler plug-in and is invoked to detect the target data file after the data file handler performs an open operation on the target data file and before the content of the target data file is loaded, the macro virus detection module can recognize the format of every data file and can also enter the data file for analysis, which improves the coverage of the detected data files.
- The macro virus detection module is invoked to run once, after the data file handler performs the open operation on the target data file and before the content of the target data file is loaded, and does not continue to run after detection is completed.
- The method provided by the embodiment of the invention therefore reduces the occupation of system resources and does not frequently alert the user while the data file is in use, thereby improving the user experience.
- Embodiments of the present invention also provide a computer readable storage medium comprising computer instructions that, when executed, cause a macro virus detection method according to an embodiment of the present invention to be performed.
- FIG. 1 is a schematic flowchart of a macro virus detecting method according to an embodiment of the present invention.
- FIG. 2 is a schematic flowchart of another macro virus detecting method according to an embodiment of the present invention.
- FIG. 3 is a schematic structural diagram of a macro virus detecting apparatus according to an embodiment of the present invention.
- FIG. 4 is a schematic structural diagram of another macro virus detecting apparatus according to an embodiment of the present invention.
- FIG. 1 is a schematic flowchart of a method for detecting a macro virus according to an embodiment of the present invention, including the following steps:
- S101: After the data file handler performs an open operation on the target data file, and before the content of the target data file is loaded, invoke a macro virus detection module registered in advance as the data file handler plug-in. For example:
- the data file handler is Microsoft Office 2007 (office software developed by Microsoft Corporation, version 2007);
- the target data file is xxx.docx;
- the macro virus detection module A is pre-registered as a plug-in for Microsoft Office 2007.
- When xxx.docx is opened and its content has not yet been loaded, A is invoked. Here, "opening" xxx.docx includes the case where xxx.docx is password-protected and is opened after the password is entered.
- S102: Detect the target data file using the invoked macro virus detection module.
- Specifically, after the data file handler performs the open operation on the target data file and before the content of the target data file is loaded, whether the target data file contains a macro module may be detected; if the target data file contains a macro module, the macro virus detection module registered in advance as the data file handler plug-in is invoked, and the macro module in the target data file is detected by the invoked macro virus detection module.
- The VBE object model for Microsoft Office documents is as follows:
- VBE object: the root object, which contains all other objects and collections that can be represented in Visual Basic for Applications;
- VBProjects: a collection of VBProject objects representing all open projects in the development environment;
- VBProject object: represents a project, that is, the document's own module project;
- VBComponents: a collection of VBComponent objects representing the components in the project;
- VBComponent object: represents a component contained in a project, such as a class module or a standard module;
- CodeModule object: represents the program code (macro code) behind a component such as a form, class, or document.
- Using the VBE object model, first obtain the VBE object of the target file xxx.docx, and then obtain the CodeModule objects through it, where a CodeModule represents a macro module. If no CodeModule is obtained, xxx.docx contains no macro module; if a CodeModule is obtained, xxx.docx contains a macro module. Assume that xxx.docx contains a macro module named macros, and use the invoked module A to detect the macro module named macros in xxx.docx.
- Specifically, the features of each macro module may be extracted and matched against the virus features built into the macro virus detection module; if the preset virus feature matching condition is met, deterministic macro virus alarm information is output to the user.
- For example, the extracted macro module named macros has the following feature: the driver file xxx.sys is released into the driver directory. The virus features built into the macro virus detection module include: a driver file is released into the driver directory. The extracted feature therefore matches a virus feature built into the macro virus detection module, and the alarm information "the xxx.docx file contains a macro virus named macros" is output to the user.
- An Excel file may contain a macro table (macro sheet), a type of sheet that can contain macro code triggered by a specified name. If the Excel file contains a macro table, extract the Sheets collection of macro objects, enumerate the sheets one by one, obtain the code in each sheet through the sheet interface, extract its features, and match the virus features built into the macro virus detection module against the extracted features; if the preset virus feature matching condition is met, deterministic macro virus alarm information is output to the user.
- If no virus feature matches, the micro-features built into the macro virus detection module are further matched against the extracted features; if the preset micro-feature matching condition is met, non-deterministic macro virus alarm information is output to the user.
- For example, the extracted macro module named macros has the following feature: it contains a delete module. The virus features built into the macro virus detection module do not include this feature, but the micro-features built into the macro virus detection module do. The extracted feature therefore matches a micro-feature built into the macro virus detection module, and the alarm message "the xxx.docx file contains a macro module named macros that may contain a macro virus" is output to the user; that is, non-deterministic macro virus alarm information is output to the user.
- The micro-features in the macro virus detection module include sensitive strings, suspicious function names, and suspicious module names. For example, systemroot\drivers is considered a sensitive string, functions whose names contain add, delete, or update are considered suspicious function names, and a module named autorun is considered a suspicious module name.
- The extracted macro module named macros has the following characteristics: it contains four strings containing systemroot\drivers, two functions whose names contain delete, one function whose name contains add, and two submodules whose names contain autorun.
- If the preset threshold is 8, the total number of matches between the features of the extracted macro module named macros and the micro-features in the macro virus detection module is 9 (4 + 2 + 1 + 2), which is greater than the preset threshold 8, indicating that the extracted macro module named macros may contain a macro virus; the information "the macro module named macros in the xxx.docx file may contain a macro virus" is output to the user.
- If the preset threshold is 10, the same sum of 9 is not greater than the preset threshold 10, indicating that the extracted macro module named macros does not contain a macro virus, and no alarm information is output to the user.
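The feature extraction and two-tier matching of S102 (built-in virus features first, then the micro-feature count compared with the thresholds 8 and 10), worked through as an added Python example that is not the patent's plug-in code: the signatures, the micro-feature lists, the treatment of a module's "submodules" as a list of component names, and the two sample macro modules are all constructed assumptions, and a CodeModule is modelled as a name plus source text rather than read through the VBE object model.

```python
"""Two-tier macro module triage modelled on the page: built-in virus
features first; only if none match, micro-features are counted against a
threshold. Added example; all signatures and sample macros are constructed."""
import re
from dataclasses import dataclass, field

# Constructed deterministic virus features (regexes over macro source).
VIRUS_FEATURES = {
    "driver file released into the driver directory":
        re.compile(r"\\drivers\\[\w-]+\.sys\b", re.IGNORECASE),
}
# Constructed micro-features, in the page's three categories.
SENSITIVE_STRINGS = ("systemroot\\drivers",)
SUSPICIOUS_FUNC_WORDS = ("add", "delete", "update")
SUSPICIOUS_MODULE_WORDS = ("autorun",)
# Matches a VBA procedure declaration and captures the procedure name.
PROC_DECL = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
    re.IGNORECASE | re.MULTILINE)

@dataclass
class MacroModule:
    # Stand-in for a CodeModule: name plus source. 'submodules' holds names
    # of components under it (assumption; the page does not define them).
    name: str
    code: str
    submodules: list = field(default_factory=list)

@dataclass
class Features:
    virus_hits: list
    sensitive_strings: int
    suspicious_funcs: int
    suspicious_modules: int

    def micro_total(self) -> int:
        # The page's "sum": one count per matched micro-feature occurrence.
        return (self.sensitive_strings + self.suspicious_funcs
                + self.suspicious_modules)

def extract_features(module: MacroModule) -> Features:
    code_lc = module.code.lower()
    virus_hits = [label for label, rx in VIRUS_FEATURES.items()
                  if rx.search(module.code)]
    sensitive = sum(code_lc.count(s.lower()) for s in SENSITIVE_STRINGS)
    procs = [m.group(1).lower() for m in PROC_DECL.finditer(module.code)]
    funcs = sum(1 for p in procs if any(w in p for w in SUSPICIOUS_FUNC_WORDS))
    mods = sum(1 for n in module.submodules
               if any(w in n.lower() for w in SUSPICIOUS_MODULE_WORDS))
    return Features(virus_hits, sensitive, funcs, mods)

def classify(doc: str, module: MacroModule, threshold: int):
    """Return (kind, message), or None when no alarm is raised."""
    f = extract_features(module)
    if f.virus_hits:  # deterministic tier: a built-in virus feature matched
        return ("deterministic",
                f"the {doc} file contains a macro virus named {module.name} "
                f"[{'; '.join(f.virus_hits)}]")
    if f.micro_total() > threshold:  # non-deterministic tier
        return ("non-deterministic",
                f"the {doc} file contains a macro module named {module.name} "
                f"that may contain a macro virus "
                f"(micro-feature sum {f.micro_total()} > {threshold})")
    return None

# Constructed sample reproducing the page's counts: four sensitive strings,
# two 'delete' and one 'add' procedure, two 'autorun' submodules (sum 9).
SAMPLE_MODULE = MacroModule("macros", r'''
Sub DeleteOld()
    Debug.Print "\systemroot\drivers\old.dat"
End Sub
Private Sub DeleteTemp()
    Debug.Print "\systemroot\drivers\tmp.dat"
End Sub
Function AddEntry(k As String) As Boolean
    Debug.Print "\systemroot\drivers\list.txt"
    Debug.Print k & " \systemroot\drivers"
    AddEntry = True
End Function
Sub Main()
    ' benign entry point with no suspicious name
End Sub
''', submodules=["autorun1", "AutoRunBoot"])

# Constructed sample for the deterministic tier: only the path string a
# signature keys on, no real dropper logic.
DROPPER_MODULE = MacroModule("macros", r'''
Sub Main()
    FileCopy "xxx.sys", "\systemroot\drivers\xxx.sys"
End Sub
''')

if __name__ == "__main__":
    for thr in (8, 10):
        print(thr, classify("xxx.docx", SAMPLE_MODULE, thr))
    print(classify("xxx.docx", DROPPER_MODULE, 8))
```

With threshold 8 the sample raises the non-deterministic alarm, with threshold 10 it raises none, and the second sample trips the deterministic tier before micro-features are consulted.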
- The embodiment of the present invention defines two types of macro virus information. "Deterministic macro virus information" means that, based on current anti-virus technology, it is essentially certain that the detected macro module contains a currently known macro virus.
- "Non-deterministic macro virus information" means that, based on current anti-virus technology, the detected macro module may contain a macro virus, but the detection result is uncertain.
- Since the macro virus detection module is first registered as a data file handler plug-in and is invoked to detect the target data file after the data file handler performs an open operation on the target data file and before the content of the target data file is loaded, the macro virus detection module can recognize the format of every data file and can also enter the data file for analysis, which improves the coverage of the detected data files.
- The macro virus detection module is invoked to run once, after the data file handler performs the open operation on the target data file and before the content of the target data file is loaded, and does not continue to run after detection is completed.
- The method provided by the embodiment of the invention therefore reduces the occupation of system resources and does not frequently alert the user while the data file is in use, thereby improving the user experience.
- The embodiment shown in FIG. 2 is based on the embodiment shown in FIG. 1 and adds the following steps:
- S103: analyze the execution process of the feature-matched macro module and the result after execution;
- S104: detect whether the analyzed result is present in the system;
- S105: perform reverse repair on the system according to the execution process of the feature-matched macro module.
- In this way, the execution process of the feature-matched macro module and the impact of the result of its execution on the system can be analyzed, and the system repaired according to the analysis, to ensure that the system keeps operating normally.
- FIG. 3 shows a macro virus detection apparatus according to an embodiment of the present invention, including a calling unit 301 and a first detecting unit 302.
- The calling unit 301 is configured to invoke a macro virus detection module registered in advance as the data file handler plug-in after the data file handler performs an open operation on the target data file and before the content of the target data file is loaded;
- the first detecting unit 302 is configured to detect the target data file by the invoked macro virus detection module.
- The calling unit 301 is specifically configured to:
- detect whether there is a macro module in the target data file and, when there is a macro module in the target data file, invoke the macro virus detection module.
- The first detecting unit 302 is specifically configured to:
- detect the macro module in the target data file by the invoked macro virus detection module.
- In this embodiment the first detecting unit 302 includes an extracting subunit, a first matching subunit, and a first output subunit (not shown), where:
- the first matching subunit is configured to match the virus features built into the macro virus detection module against the extracted features; and
- the first output subunit is configured to output deterministic macro virus alarm information to the user if the preset virus feature matching condition is met.
- In this embodiment the first detecting unit 302 further includes a second matching subunit and a second output subunit (not shown), where:
- the second matching subunit is configured to further match the micro-features in the macro virus detection module against the extracted features when no virus feature matches; and
- the second output subunit is configured to output non-deterministic macro virus alarm information to the user if the preset micro-feature matching condition is met.
- The preset micro-feature matching condition is: the total number of matches between the extracted macro module features and the micro-features in the invoked macro virus detection module is greater than a preset threshold.
- Since the macro virus detection module is first registered as a data file handler plug-in and is invoked to detect the target data file after the data file handler performs an open operation on the target data file and before the content of the target data file is loaded, the macro virus detection module can recognize the format of every data file and can also enter the data file for analysis, which improves the coverage of the detected data files.
- The macro virus detection module is invoked to run once, after the data file handler performs the open operation on the target data file and before the content of the target data file is loaded, and does not continue to run after detection is completed.
- The method provided by the embodiment of the present invention therefore reduces the occupation of system resources and does not frequently alert the user while the data file is in use, thereby improving the user experience.
- FIG. 4 shows another macro virus detection apparatus according to an embodiment of the present invention, including a calling unit 301, a first detecting unit 302, an analyzing unit 303, a second detecting unit 304, and a repairing unit 305.
- The analyzing unit 303 is configured to analyze the execution process of the feature-matched macro module and the result after execution; the second detecting unit 304 is configured to detect whether the result analyzed by the analyzing unit 303 is present in the system; and the repairing unit 305 is configured to, when the detection result of the second detecting unit 304 is YES, reversely repair the system according to the execution process of the feature-matched macro module and the result after execution.
- In this way, the execution process of the feature-matched macro module and the impact of the result of its execution on the system can be analyzed, and the system repaired according to the analysis, to ensure that the system keeps operating normally.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/901,883 US10237285B2 (en) | 2014-02-24 | 2014-08-14 | Method and apparatus for detecting macro viruses |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410061998.6A CN103810428B (zh) | 2014-02-24 | 2014-02-24 | Macro virus detection method and apparatus |
CN201410061998.6 | 2014-02-24 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015123972A1 true WO2015123972A1 (zh) | 2015-08-27 |
Family
ID=50707181
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/084389 WO2015123972A1 (zh) | 2014-02-24 | 2014-08-14 | Macro virus detection method and apparatus |
Country Status (3)
Country | Link |
---|---|
US (1) | US10237285B2 (zh) |
CN (1) | CN103810428B (zh) |
WO (1) | WO2015123972A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10237285B2 (en) | 2014-02-24 | 2019-03-19 | Zhuhai Juntian Electronic Technology Co., Ltd. | Method and apparatus for detecting macro viruses |
CN115189926A (zh) * | 2022-06-22 | 2022-10-14 | 北京天融信网络安全技术有限公司 | Network traffic detection method, network traffic detection system, and electronic device |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105488410A (zh) * | 2015-05-19 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Method and system for detecting Excel macro sheet viruses |
US10534917B2 (en) * | 2017-06-20 | 2020-01-14 | Xm Cyber Ltd. | Testing for risk of macro vulnerability |
CN107819783A (zh) * | 2017-11-27 | 2018-03-20 | 深信服科技股份有限公司 | Threat intelligence-based network security detection method and system |
CN109800568B (zh) * | 2018-12-29 | 2021-01-15 | 360企业安全技术(珠海)有限公司 | Security protection method for document files, client, system, and storage medium |
KR102284646B1 (ko) * | 2019-10-25 | 2021-08-03 | 소프트캠프 주식회사 | Method and system for checking a macro in a document file for malware infection |
CN111125701B (zh) * | 2019-12-24 | 2022-04-29 | 深信服科技股份有限公司 | File detection method, device, storage medium, and apparatus |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6577920B1 (en) * | 1998-10-02 | 2003-06-10 | Data Fellows Oyj | Computer virus screening |
CN102708320A (zh) * | 2012-05-04 | 2012-10-03 | 奇智软件(北京)有限公司 | Method and apparatus for identifying a virus APK |
CN102841999A (zh) * | 2012-07-16 | 2012-12-26 | 北京奇虎科技有限公司 | Method and apparatus for detecting file macro viruses |
CN103810428A (zh) * | 2014-02-24 | 2014-05-21 | 珠海市君天电子科技有限公司 | Macro virus detection method and apparatus |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5951698A (en) * | 1996-10-02 | 1999-09-14 | Trend Micro, Incorporated | System, apparatus and method for the detection and removal of viruses in macros |
US6697950B1 (en) * | 1999-12-22 | 2004-02-24 | Networks Associates Technology, Inc. | Method and apparatus for detecting a macro computer virus using static analysis |
US6986051B2 (en) * | 2000-04-13 | 2006-01-10 | International Business Machines Corporation | Method and system for controlling and filtering files using a virus-free certificate |
GB2378273A (en) * | 2001-07-31 | 2003-02-05 | Hewlett Packard Co | Legitimate sharing of electronic content |
US7409717B1 (en) * | 2002-05-23 | 2008-08-05 | Symantec Corporation | Metamorphic computer virus detection |
US7418729B2 (en) * | 2002-07-19 | 2008-08-26 | Symantec Corporation | Heuristic detection of malicious computer code by page tracking |
US7882561B2 (en) * | 2005-01-31 | 2011-02-01 | Microsoft Corporation | System and method of caching decisions on when to scan for malware |
US8365286B2 (en) * | 2006-06-30 | 2013-01-29 | Sophos Plc | Method and system for classification of software using characteristics and combinations of such characteristics |
GB0822619D0 (en) * | 2008-12-11 | 2009-01-21 | Scansafe Ltd | Malware detection |
CN102045368A (zh) * | 2011-01-20 | 2011-05-04 | 中兴通讯股份有限公司 | Virus defense method and system for an intelligent mobile terminal |
US8726388B2 (en) * | 2011-05-16 | 2014-05-13 | F-Secure Corporation | Look ahead malware scanning |
CN103019872B (zh) * | 2012-10-15 | 2015-09-09 | 北京奇虎科技有限公司 | Browser repair method and apparatus |
CN103294955B (zh) * | 2013-06-28 | 2016-06-08 | 北京奇虎科技有限公司 | Macro virus scanning and removal method and system |
Application history
- 2014-02-24 CN CN201410061998.6A patent/CN103810428B/zh active Active
- 2014-08-14 WO PCT/CN2014/084389 patent/WO2015123972A1/zh active Application Filing
- 2014-08-14 US US14/901,883 patent/US10237285B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
US10237285B2 (en) | 2019-03-19 |
US20160156645A1 (en) | 2016-06-02 |
CN103810428B (zh) | 2017-05-24 |
CN103810428A (zh) | 2014-05-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14883501; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 14901883; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16/12/2016) |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 14883501; Country of ref document: EP; Kind code of ref document: A1 |