WO2016145749A1 - A method and apparatus for determining behavior information corresponding to a dangerous file - Google Patents
- Publication number
- WO2016145749A1 (PCT/CN2015/082409)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- file
- behavior
- dangerous
- dangerous file
- computer device
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Definitions
- the application claims priority from a Chinese patent application.
- the application date of the Chinese patent application is March 18, 2015, and the application number is 201510119820.7.
- the invention is entitled "A method and apparatus for determining behavior information corresponding to a dangerous file".
- the present invention relates to the field of computer technologies, and in particular, to a method and apparatus for determining behavior information corresponding to a dangerous file in a computer device.
- a method for determining behavior information corresponding to a dangerous file in a computer device comprises:
- running the dangerous file in a virtual environment of the computer device when a dangerous file is detected, wherein the virtual environment includes at least one virtual API that is identical to at least one real API in a real environment of the computer device;
- monitoring the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file.
- an apparatus for determining behavior information corresponding to a dangerous file in a computer device comprising:
- means for running the dangerous file in a virtual environment of the computer device when a dangerous file is detected, wherein the virtual environment includes at least one virtual API that is identical to at least one real API in a real environment of the computer device;
- the present invention has the following advantages: 1) the behavior information of a dangerous file can be obtained by running the dangerous file in a virtual environment of the computer device, which requires no manual analysis and greatly reduces the time needed to obtain the behavior information; 2) because the virtual execution of the virtual APIs records all operational behaviors of the dangerous file, the behavior information obtained by the computer device is comprehensive, which avoids the situation where the real environment of the computer device cannot be fully repaired because the behavior information is incomplete; 3) running dangerous files in the virtual environment does not affect the real environment of the computer device, the virtual environment takes up very little space in the computer device, and the virtual environment does not need to actually execute the virtual APIs.
- the computer device can repair its real environment according to the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the damage done to the real environment by the dangerous file and by the other dangerous files it released.
- FIG. 1 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention
- FIG. 2 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to another embodiment of the present invention
- FIG. 3 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention
- FIG. 4 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to another embodiment of the present invention.
- FIG. 1 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
- the method of this embodiment is mainly implemented by a computer device; the computer device includes a network device and a user device.
- the network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud based on cloud computing and composed of a large number of computers or network servers, where cloud computing is a kind of distributed computing: a super virtual computer consisting of a group of loosely coupled computers; the network in which the network device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a VPN (Virtual Private Network), etc.
- the user equipment includes, but is not limited to, a PC (Personal Computer), a tablet, a smart phone, a PDA (Personal Digital Assistant), an IPTV (Internet Protocol Television), and the like.
- the method according to the present embodiment includes step S1 and step S2.
- in step S1, when it is detected that a dangerous file exists, the computer device runs the dangerous file in the virtual environment of the computer device.
- the dangerous file includes any dangerous files, such as virus files, Trojan files, and the like.
- the virtual environment is used to virtualize the real environment of the computer device, and the virtual environment includes at least one virtual API that is identical to at least one real API (Application Programming Interface) in the real environment.
- the virtual API can be called in the virtual environment and returns the same feedback result as calling the corresponding real API in the real environment.
- the real environment is used to represent a system environment that is actually running in a computer device; for example, a system environment corresponding to a real operating Windows operating system in a computer device.
- the real API is used to represent an API in a real environment; for example, a system API in a real running Windows operating system in a computer device.
- for example, the real API DeleteFile is used to delete a specified file in the real environment, and returns a feedback result indicating that the delete operation was executed successfully;
- the virtual environment of the computer device has a virtual API corresponding to this real API; calling that virtual API in the virtual environment also returns a feedback result indicating that the delete operation was executed successfully.
- the function of the virtual API is not actually executed; only the effect of calling the real API corresponding to the virtual API is virtualized.
- for example, when the virtual API corresponding to DeleteFile is invoked in the virtual environment, the virtual API does not actually delete the specified file in the virtual environment; it directly returns a feedback result indicating that the delete operation was executed successfully, thereby virtualizing the effect of calling DeleteFile.
- the virtual environment does not need to configure a registry and an environment variable in the computer device, so it can be directly started and run without performing a corresponding installation operation.
- the virtual environment can be started in various scenarios, such as automatically starting when the computer device is powered on, automatically starting when a scanning operation is performed in the computer device, automatically starting when a dangerous file is detected, starting according to a user action, etc.
- the virtual environment is restored to its initial environment each time it is started; more preferably, after the virtual environment is started, the virtual environment may automatically perform an initialization operation after each dangerous file finishes running, or the initialization operation can be performed according to a user operation, to restore the virtual environment to the initial environment.
- the virtual environment may have a very small footprint in the computer device (eg, occupying a space of about 10 M), and its operation does not affect the operation of the real system of the computer device.
- the size of the occupied space may vary according to the behavior of the dangerous file in the virtual environment, such as the behavior of dangerous files releasing other files.
- when a dangerous file is detected, the computer device provides the dangerous file to the virtual environment of the computer device and runs the dangerous file in the virtual environment.
- for example, when a virus file is detected in the computer device, the computer device provides the virus file to the virtual environment of the computer device and runs the virus file in the virtual environment.
- the at least one virtual API in the virtual environment comprises an application-reading virtual API capable of reading the currently active applications;
- step S1 further comprises: when the dangerous file calls the application-reading virtual API, the computer device provides the currently active application information to the dangerous file.
- the application-reading virtual API includes any virtual API for reading the currently active applications, such as a virtual API corresponding to CreateToolhelp32Snapshot in the real system, where CreateToolhelp32Snapshot is used in the real system to obtain information about all currently active processes.
- the application information includes any information indicating the currently active application, such as an application name of the currently active application, a process ID of the currently active application, and the like.
- in the process of running the dangerous file in the virtual environment, when the dangerous file invokes the application-reading virtual API, the computer device returns the currently active application information to the dangerous file through that virtual API.
- for example, the virus file file1 is run in the virtual environment; when file1 calls the application-reading virtual API, the computer device returns the currently active application information to file1 through that API, where the application information indicates that the currently active applications include APP1 and APP2.
- the application-reading virtual API can obtain the currently active application information in various ways.
- for example, the application-reading virtual API obtains the currently active application information from the user's process configuration of the virtual environment: the user configures a process list in the virtual environment and adds the applications APP1 and APP2 to the process list, and the application-reading virtual API reads the currently active applications, APP1 and APP2, from that list.
- as another example, the application-reading virtual API triggers obtaining the currently active application information from the real environment of the computer device.
- for example, the application-reading virtual API triggers the corresponding real API in the real environment of the computer device, and obtains the currently active application information from the result returned by the real API.
- in step S2, the computer device monitors the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file.
- the computer device can obtain the behavior information corresponding to the dangerous file by monitoring and recording the behavior performed by the dangerous file in the virtual environment.
- the computer device monitors the behavior of the dangerous file based on the virtual APIs invoked while the dangerous file runs, and obtains behavior information corresponding to the dangerous file.
- for example, through the virtual APIs invoked while the dangerous file runs, the computer device records all behaviors of the dangerous file that cause changes to the virtual environment, and obtains the behavior information corresponding to those behaviors.
- the behavior information includes any information related to the operational behavior of the dangerous file in the virtual environment.
- the behavior information includes but is not limited to:
- the file operation behavior includes any operation behavior that can be performed on the file, such as creating, updating, deleting a file, and the like.
- the information related to the file operation behavior includes but is not limited to: information indicating a type of operation behavior on the file (such as a creation, update or deletion operation), the name of the file to be operated, path information of the file to be operated, etc.
- the registry operation behavior includes any operation behavior that can be performed on the registry, such as creating, setting, deleting a registry key, and the like.
- the information related to the registry operation behavior includes, but is not limited to, information indicating a type of operation behavior on the registry (such as a creation, setting or deletion operation), the operated registry key, the value corresponding to the registry key, etc.
- the process operation behavior includes any operation behaviors that can be performed on the process, such as creating and closing processes, writing across processes, and the like.
- the information related to the process operation behavior includes, but is not limited to, information indicating a type of operation behavior on the process (such as creating and closing a process, or writing across processes), the ID of the operated process, path information corresponding to the operated process, etc.
- the thread operation behavior includes any operation behavior that can be performed on a thread, such as thread injection.
- the information related to the thread operation behavior includes, but is not limited to, information for indicating a type of operation behavior of the thread, an identifier ID of the thread to be operated, a feature value corresponding to the thread to be operated, and the like;
- the feature value is used to indicate a feature of the thread.
- the feature value is a check value corresponding to the code length of the thread; for example, the code length of the thread is 0x100, and the feature value is the CRC32 (Cyclic Redundancy Check) value corresponding to that code length.
- preferably, the method in this embodiment further includes step S4, and step S2 further includes step S21.
- in step S4, the computer device obtains at least one file released by the dangerous file in the virtual environment.
- for example, the computer device obtains the following files released during the running of the dangerous file file2: ser2vet.exe and autorun.inf.
- in step S21, the computer device monitors the behavior of the dangerous file and of the at least one file released by the dangerous file in the virtual environment, and obtains behavior information corresponding to the dangerous file.
- for example, in step S4 the computer device obtains the following dangerous files released by the dangerous file file2: ser2vet.exe and autorun.inf; in step S21, the computer device monitors the behavior of file2, ser2vet.exe and autorun.inf respectively in the virtual environment to obtain the behavior information of these three dangerous files, and uses the obtained behavior information as the behavior information corresponding to the dangerous file file2.
- the method of this embodiment further includes step S5.
- in step S5, the computer device closes the virtual environment when a predetermined closing condition is met.
- the predetermined closing condition includes any predetermined condition for indicating that the virtual environment is to be closed.
- the predetermined closing condition includes but is not limited to:
- the dangerous file performs a process exit operation in the virtual environment.
- the process exit operation includes any operation indicating that the process of the dangerous file exits; preferably, the process exit operation includes, but is not limited to, a self-delete operation of the dangerous file, an operation of deleting the dangerous file performed by the user in the virtual environment, etc.
- the predetermined closing condition is satisfied when the running time of the dangerous file in the virtual environment exceeds 5 s.
- the predetermined closing conditions above are merely examples, and are not intended to limit the present invention.
- any predetermined condition for indicating that the virtual environment is to be closed should be included within the scope of the predetermined closing condition described in the present invention.
- the behavior information of the dangerous file can be obtained by running the dangerous file in the virtual environment of the computer device, the process does not need manual analysis, and the time required for obtaining the behavior information is greatly saved;
- the virtual execution of the virtual API can be used to record all the operational behaviors of the dangerous files, so that the behavior information obtained by the computer device is comprehensive, so as to avoid the real environment of the computer device cannot be completely repaired due to the incomplete behavior information.
- running dangerous files in the virtual environment does not affect the real environment of the computer device, the virtual environment takes up very little space in the computer device, and the virtual environment does not need to actually perform the function of the virtual API but only needs to return the same feedback result as calling the corresponding real API in the real environment, which allows dangerous files to run faster in the virtual environment and so yields their behavior information quickly.
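As an added illustration (not code from the patent), the following Python sketch implements steps S1, S2, S4 and S5 above as a record-only virtual environment: each virtual API appends a behavior record and returns the success result of the real API without performing it, the application-reading API answers from a user-configured process list, and the run stops on the self-delete or 5 s closing condition. The Win32 API names beyond those cited on the page (CreateFile, RegSetValue, WriteProcessMemory), the sample path and the sample action list are assumptions.

```python
"""Record-only sandbox modelled on steps S1, S2, S4 and S5 of the page.

Added illustration, not the patent's code. Each virtual API performs no real
operation: it appends a behavior record and returns the feedback result the
corresponding real Windows API returns on success (the page's DeleteFile
example). The process list (APP1, APP2), the released file names
(ser2vet.exe, autorun.inf), the 5 s limit and the self-delete closing
condition come from the page; the sample actions below are constructed.
"""
import time

SHUTDOWN_TIMEOUT_S = 5.0   # predetermined closing condition from the page


class VirtualEnvironment:
    def __init__(self, process_list, sample_path):
        self.process_list = list(process_list)   # user-configured "currently active" apps
        self.sample_path = sample_path           # path of the dangerous file being run
        self.behaviors = []                      # behavior information (step S2)
        self.released_files = []                 # files released by the sample (step S4)
        self.closed = False
        self.actor = sample_path                 # which file is currently running
        self._started = time.monotonic()

    def _record(self, kind, **info):
        self.behaviors.append({"actor": self.actor, "type": kind, **info})

    # --- virtual APIs: same feedback as the real API, no real side effect ---
    def CreateToolhelp32Snapshot(self):
        """Application-reading virtual API: answers from the configured list."""
        self._record("process_snapshot")
        return list(self.process_list)

    def CreateFile(self, path):
        self._record("file_create", path=path)
        self.released_files.append(path)
        return True                              # "handle valid", nothing is written

    def DeleteFile(self, path):
        self._record("file_delete", path=path)
        if path == self.actor:                   # self-delete counts as process exit (S5)
            self.closed = True
        return True

    def RegSetValue(self, key, value):
        self._record("registry_set", key=key, value=value)
        return True

    def WriteProcessMemory(self, pid, path):
        self._record("process_cross_write", pid=pid, path=path)
        return True

    def ExitProcess(self):
        self._record("process_exit")
        self.closed = True

    def should_close(self):
        """Step S5: process exit, or running time above the predetermined limit."""
        return self.closed or time.monotonic() - self._started > SHUTDOWN_TIMEOUT_S


def run_in_virtual_environment(env, actions):
    """Steps S1/S2: dispatch each (api, *args) action to a virtual API and
    stop at the first closing condition. Returns the behavior information."""
    for api, *args in actions:
        if env.should_close():
            break
        getattr(env, api)(*args)
    return env.behaviors


# Constructed sample: the calls a file-dropping dangerous file file2 might make.
SAMPLE_PATH = "C:\\Users\\u\\Downloads\\file2.exe"
SAMPLE_ACTIONS = [
    ("CreateToolhelp32Snapshot",),
    ("CreateFile", "C:\\Windows\\ser2vet.exe"),
    ("CreateFile", "D:\\autorun.inf"),
    ("RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ser2vet",
     "C:\\Windows\\ser2vet.exe"),
    ("WriteProcessMemory", 1234, "C:\\Program Files\\APP1\\app1.exe"),
    ("DeleteFile", SAMPLE_PATH),                    # self-delete: closing condition met
    ("RegSetValue", "HKCU\\Software\\never", "x"),  # never reached, environment closed
]


def analyze(sample_path=SAMPLE_PATH, actions=SAMPLE_ACTIONS):
    """Run one sample and return its behavior information plus released files."""
    env = VirtualEnvironment(["APP1", "APP2"], sample_path)
    behaviors = run_in_virtual_environment(env, actions)
    return {"behaviors": behaviors, "released": env.released_files, "closed": env.closed}


if __name__ == "__main__":
    for rec in analyze()["behaviors"]:
        print(rec)
```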
- FIG. 2 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
- the method of the present embodiment is mainly implemented by a computer device; wherein any reference to the computer device in the embodiment shown in FIG. 1 is incorporated herein.
- the method according to the present embodiment includes step S1, step S2, and step S3.
- the step S1 and the step S2 are described in detail with reference to FIG. 1 and will not be further described herein.
- in step S3, the computer device repairs the real environment of the computer device according to the behavior information corresponding to the dangerous file.
- the computer device can repair the real environment of the computer device according to the behavior information corresponding to the dangerous file in various scenarios.
- for example, after step S2 the computer device directly performs step S3 to repair the real environment of the computer device.
- as another example, after step S2, when it is determined according to the user's operation that the dangerous file is to be cleared, the computer device performs step S3 to repair the real environment of the computer device while clearing the dangerous file.
- step S3 is performed to repair the real environment of the computer device.
- in step S3, the computer device directly performs, according to the behavior information corresponding to the dangerous file, an operation opposite to the operation behavior indicated by the behavior information, so as to restore the real environment of the computer device.
- for example, the behavior information of the dangerous file includes information indicating the creation of a file and path information of the created file; then, in step S3, the computer device deletes the created file at the path indicated by the path information according to the behavior information, restoring the real environment to its state before the dangerous file was run.
- as another example, the behavior information of the dangerous file includes information indicating that a registry key was deleted, and the deleted registry key; then, in step S3, the computer device restores the deleted registry key according to the behavior information, restoring the real environment to its state before the dangerous file was run.
- step S3 further includes step S31 and step S32.
- in step S31, the computer device determines corresponding repair operation information according to the behavior information corresponding to the dangerous file.
- the repair operation information includes any information related to the repair operation.
- the repair operation information includes but is not limited to:
- the file repair operation includes any operation for repairing a file, such as restoring file parameters, deleting a file, etc.
- the information related to the file repair operation includes, but is not limited to, information indicating a type of repair operation of the file, a file name to be operated, a file parameter to be restored, a value of the file parameter, and the like.
- the computer device scans the dangerous file and at least one file released by the dangerous file in its real system, and determines the information related to the file repair operation according to the scan result and the behavior information of the dangerous file.
- the registry repair operation includes any operations for repairing the registry, such as restoring, deleting a registry key, and the like.
- the information related to the registry repair operation includes, but is not limited to, information indicating a type of repair operation of the registry, a registry key to be operated, a value corresponding to the registry key, and the like.
- the computer device can obtain a default value corresponding to the registry key by querying the local knowledge base, and use the default value as a value corresponding to the registry key.
- the process repair operation includes any operations for repairing a process, such as closing, restarting, etc. of a process.
- the information related to the process repair operation includes, but is not limited to, information indicating a type of repair operation of the process, path information corresponding to the operated process, and the like.
- if the process being operated is a system file, the process repair operation can be completed directly by restarting the computer device, without obtaining repair operation information for the process.
- the thread repair operation includes any operation for repairing a thread, such as stopping a thread.
- the information related to the thread repair operation includes, but is not limited to, information indicating a type of repair operation of the thread, and a feature value corresponding to the thread being operated.
- the repair operation information above is only an example, and is not intended to limit the present invention; those skilled in the art should understand that any information related to the repair operation should be included in the scope of the repair operation information described in the present invention.
- in step S31, the computer device determines the repair operation according to the operation behavior indicated by the behavior information corresponding to the dangerous file, and further determines the repair operation information according to the repair operation and the behavior information.
- for example, the behavior information includes information indicating cross-process writing and path information of the operated process; in step S31, the computer device determines, according to the information indicating the cross-process write, that the repair operation is restarting the process, and, according to the repair operation and the behavior information, determines that the repair operation information includes information indicating that the process is to be restarted and path information of the process to be restarted.
- as another example, the behavior information includes information indicating thread injection and a feature value corresponding to the operated thread; in step S31, the computer device determines, according to the information indicating thread injection, that the repair operation is stopping the thread, and, according to the repair operation and the behavior information, determines that the repair operation information includes information indicating that the thread is to be stopped and the feature value corresponding to the thread to be stopped.
- in step S32, the computer device repairs the real environment of the computer device according to the repair operation information.
- the repair operation information determined in step S31 includes information indicating a restart process and path information corresponding to the operated process.
- the computer device searches for the corresponding process according to the path information, and restarts the found process.
- the repair operation information determined in step S31 includes information indicating a stop thread and a feature value corresponding to the operated thread.
- the computer device determines the matching thread based on the feature value and stops the thread.
- in step S3, when it is determined that the computer device needs to be restarted, the computer device presents prompt information to the user prompting a restart of the computer device.
- the computer device can repair its real environment according to the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the damage caused by the dangerous file and by the other dangerous files it released.
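As an added illustration (not the patent's code), the following Python sketch carries steps S31 and S32 through on constructed behavior information: it derives the opposite operations (delete created files, restore registry defaults from a local knowledge base, restart the cross-written process by path, stop the injected thread by feature value), flags a reboot when the operated process is a system file, and applies the result to a simulated real environment. The System32 prefix, the knowledge-base contents, the registry keys and the environment state are assumptions.

```python
"""Steps S3, S31 and S32 of the page: derive repair operation information from
behavior information and apply the opposite operations to the real environment.

Added illustration, not the patent's code. The behavior records, the local
knowledge base of registry defaults, the system-file prefix and the simulated
real environment are constructed; the record layout follows the page's list
(operation type, file path, registry key and value, process ID and path,
thread feature value).
"""
SYSTEM_DIR = "C:\\Windows\\System32\\"   # assumption: files here are "system files"
WINLOGON_SHELL = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"

# Local knowledge base queried for the default value of a registry key (page, S31).
KNOWLEDGE_BASE = {WINLOGON_SHELL: "explorer.exe"}

# Constructed behavior information recorded for file2 and the files it released.
BEHAVIOR_INFO = [
    {"type": "file_create", "path": "C:\\Windows\\ser2vet.exe"},
    {"type": "file_create", "path": "D:\\autorun.inf"},
    {"type": "registry_set", "key": WINLOGON_SHELL,
     "value": "explorer.exe,C:\\Windows\\ser2vet.exe"},
    {"type": "registry_delete", "key": "HKCU\\Software\\ExampleVendor\\Updater"},
    {"type": "process_cross_write", "pid": 1234, "path": "C:\\Program Files\\APP1\\app1.exe"},
    {"type": "process_cross_write", "pid": 600, "path": SYSTEM_DIR + "svchost.exe"},
    {"type": "thread_inject", "tid": 77, "feature_value": 0x1A2B3C4D},
    {"type": "file_delete", "path": "C:\\Users\\u\\Downloads\\file2.exe"},  # self-delete
]


def determine_repair_operations(behaviors):
    """Step S31: map each recorded behavior to the opposite operation.
    Operations are emitted newest-first so later changes are undone before
    earlier ones. Records that cannot be reversed safely are returned
    separately rather than silently dropped."""
    repair_ops, unhandled, needs_restart = [], [], False
    for b in reversed(behaviors):
        kind = b["type"]
        if kind == "file_create":
            repair_ops.append(("delete_file", b["path"]))
        elif kind in ("registry_set", "registry_delete"):
            default = KNOWLEDGE_BASE.get(b["key"])
            if default is None:
                unhandled.append(b)          # no known default: do not guess a value
            else:
                repair_ops.append(("restore_registry", b["key"], default))
        elif kind == "process_cross_write":
            if b["path"].startswith(SYSTEM_DIR):
                needs_restart = True         # system process: repaired by a reboot
            else:
                repair_ops.append(("restart_process", b["path"]))
        elif kind == "thread_inject":
            repair_ops.append(("stop_thread", b["feature_value"]))
        else:
            unhandled.append(b)              # e.g. the sample's own self-delete
    return repair_ops, unhandled, needs_restart


class RealEnvironment:
    """Simulated real-environment state (constructed) that the repair acts on."""

    def __init__(self):
        self.files = {"C:\\Windows\\ser2vet.exe", "D:\\autorun.inf", "C:\\Windows\\explorer.exe"}
        self.registry = {WINLOGON_SHELL: "explorer.exe,C:\\Windows\\ser2vet.exe"}
        self.processes = {1234: "C:\\Program Files\\APP1\\app1.exe",
                          600: SYSTEM_DIR + "svchost.exe"}
        self.threads = {77: 0x1A2B3C4D, 78: 0x0BADF00D}   # tid -> feature value (CRC32)

    def apply(self, op):
        """Step S32: execute one repair operation against the environment."""
        kind = op[0]
        if kind == "delete_file":
            self.files.discard(op[1])
        elif kind == "restore_registry":
            self.registry[op[1]] = op[2]
        elif kind == "restart_process":
            pids = [p for p, path in self.processes.items() if path == op[1]]
            for pid in pids:                 # found by path, restarted under a new PID
                del self.processes[pid]
                self.processes[max(self.processes, default=0) + 1] = op[1]
        elif kind == "stop_thread":
            for tid in [t for t, fv in self.threads.items() if fv == op[1]]:
                del self.threads[tid]        # matched by feature value, then stopped


def repair(behaviors, real):
    """Step S3: determine and apply repairs; report what still needs attention."""
    ops, unhandled, needs_restart = determine_repair_operations(behaviors)
    for op in ops:
        real.apply(op)
    prompt = "Restart the computer to finish repairing system processes." if needs_restart else None
    return {"applied": ops, "unhandled": unhandled, "restart_prompt": prompt}


if __name__ == "__main__":
    print(repair(BEHAVIOR_INFO, RealEnvironment()))
```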
- FIG. 3 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
- the apparatus for determining behavior information corresponding to a dangerous file according to the present embodiment includes means for running the dangerous file in a virtual environment of the computer device when a dangerous file is detected (hereinafter simply referred to as "running device 1"), and means for monitoring the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file (hereinafter referred to as "monitoring device 2").
- the running device 1 runs the dangerous file in the virtual environment of the computer device.
- the dangerous file includes any dangerous files, such as virus files, Trojan files, and the like.
- the virtual environment is used to virtualize the real environment of the computer device, and the virtual environment includes at least one virtual API that is identical to at least one real API in the real environment.
- the virtual API can be called in the virtual environment and returns the same feedback result as calling the corresponding real API in the real environment.
- the real environment is used to represent a system environment that is actually running in a computer device; for example, a system environment corresponding to a real operating Windows operating system in a computer device.
- the real API is used to represent an API in a real environment; for example, a system API in a real running Windows operating system in a computer device.
- for example, the real API DeleteFile is used to delete a specified file in the real environment, and returns a feedback result indicating that the delete operation was executed successfully;
- the virtual environment of the computer device has a virtual API corresponding to this real API; calling that virtual API in the virtual environment also returns a feedback result indicating that the delete operation was executed successfully.
- the function of the virtual API is not actually executed; only the effect of calling the real API corresponding to the virtual API is virtualized.
- for example, when the virtual API corresponding to DeleteFile is invoked in the virtual environment, the virtual API does not actually delete the specified file in the virtual environment; it directly returns a feedback result indicating that the delete operation was executed successfully, thereby virtualizing the effect of calling DeleteFile.
- the virtual environment does not need to configure a registry and an environment variable in the computer device, so it can be directly started and run without performing a corresponding installation operation.
- the virtual environment can be started in various scenarios, such as automatically starting when the computer device is powered on, automatically starting when a scanning operation is performed in the computer device, automatically starting when a dangerous file is detected, starting according to a user action, etc.
- the virtual environment is restored to its initial environment each time it is started; more preferably, after the virtual environment is started, the virtual environment may automatically perform an initialization operation after each dangerous file finishes running, or the initialization operation can be performed according to a user operation, to restore the virtual environment to the initial environment.
- the virtual environment may have a very small footprint in the computer device (eg, occupying a space of about 10 M), and its operation does not affect the operation of the real system of the computer device.
- the size of the occupied space may vary according to the behavior of the dangerous file in the virtual environment, such as the behavior of dangerous files releasing other files.
- When it is detected that a dangerous file exists, the running device 1 provides the dangerous file to the virtual environment of the computer device and runs the dangerous file in the virtual environment.
- For example, when it is detected that a virus file exists in the computer device, the running device 1 provides the virus file to the virtual environment of the computer device and runs the virus file in the virtual environment.
- Preferably, the at least one virtual API in the virtual environment comprises an application read virtual API capable of reading the currently active applications.
- The running device 1 further comprises a device for providing the currently active application information to the dangerous file when the dangerous file calls the application read virtual API (hereinafter referred to as the "providing device", not shown).
- The application read virtual API includes any virtual API for reading the currently active applications, such as a virtual API corresponding to CreateToolhelp32Snapshot in the real system; CreateToolhelp32Snapshot is used in the real system to obtain information about all currently active processes.
- The application information includes any information indicating the currently active applications, such as the application name of a currently active application, the process ID of a currently active application, and the like.
- When the dangerous file invokes the application read virtual API, the providing device returns the currently active application information to the dangerous file through the application read virtual API.
- For example, the virus file file1 is run in the virtual environment; when file1 calls the application read virtual API, the providing device returns the currently active application information to file1 through the application read virtual API, where the application information indicates that the currently active applications include APP1 and APP2.
- The application read virtual API can obtain the currently active application information in various ways.
- In one way, the application read virtual API obtains the currently active application information from the user's process configuration of the virtual environment. For example, the user configures a process list in the virtual environment and adds the applications APP1 and APP2 to it; the application read virtual API then reads the currently active applications, APP1 and APP2, from that process list.
- In another way, the application read virtual API triggers obtaining the current active application information from the real environment of the computer device.
- For example, the application read virtual API triggers the real API corresponding to it in the real environment of the computer device, and obtains the currently active application information from the result returned by the real API.
- The monitoring device 2 monitors the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file.
- The monitoring device 2 can obtain the behavior information corresponding to the dangerous file by monitoring and recording the behavior performed by the dangerous file in the virtual environment.
- Preferably, the monitoring device 2 monitors the behavior of the dangerous file based on the virtual APIs invoked while the dangerous file is running, and obtains the behavior information corresponding to the dangerous file.
- For example, through the virtual APIs invoked while the dangerous file is running, the monitoring device 2 records all behaviors of the dangerous file that cause changes in the virtual environment, and obtains the behavior information corresponding to those behaviors.
- The behavior information includes any information related to the operational behavior of the dangerous file in the virtual environment.
- Preferably, the behavior information includes but is not limited to: information related to file operation behavior, information related to registry operation behavior, information related to process operation behavior, and information related to thread operation behavior.
- The file operation behavior includes any operation that can be performed on a file, such as creating, updating or deleting a file.
- The information related to the file operation behavior includes but is not limited to: information indicating the type of file operation behavior (such as a creation, update or deletion operation), the name of the operated file, path information of the operated file, etc.
- The registry operation behavior includes any operation that can be performed on the registry, such as creating, setting or deleting a registry key.
- The information related to the registry operation behavior includes but is not limited to: information indicating the type of registry operation behavior (such as a creation, setting or deletion operation), the operated registry key, the value corresponding to the registry key, etc.
- The process operation behavior includes any operation that can be performed on a process, such as creating or closing a process, writing across processes, and the like.
- The information related to the process operation behavior includes but is not limited to: information indicating the type of process operation behavior (such as creating or closing a process, or writing across processes), the ID of the operated process, and path information corresponding to the operated process.
- The thread operation behavior includes any operation that can be performed on a thread, such as thread injection.
- The information related to the thread operation behavior includes but is not limited to: information indicating the type of thread operation behavior, the identifier (ID) of the operated thread, a feature value corresponding to the operated thread, and the like.
- The feature value is used to indicate a feature of the thread.
- Preferably, the feature value is a check value corresponding to the code length of the thread; for example, if the code length of the thread is 0x100, the feature value is the CRC32 (Cyclic Redundancy Check) value corresponding to that code length.
- Preferably, the behavior determining apparatus of this embodiment further includes a device for obtaining at least one file released by the dangerous file in the virtual environment (hereinafter referred to as the "obtaining device", not shown), and the monitoring device 2 further comprises a device for monitoring, in the virtual environment, the behavior of the dangerous file and of the at least one file released by it, and obtaining the behavior information corresponding to the dangerous file (hereinafter referred to as the "sub-monitoring device", not shown).
- The obtaining device acquires at least one file released by the dangerous file in the virtual environment.
- For example, in the virtual environment the obtaining device obtains the following files released while the dangerous file file2 is running: ser2vet.exe, autorun.inf.
- The sub-monitoring device monitors, in the virtual environment, the behavior of the dangerous file and of the at least one file released by it, and obtains the behavior information corresponding to the dangerous file.
- For example, the obtaining device obtains the following files released by the dangerous file file2: ser2vet.exe, autorun.inf; the sub-monitoring device monitors the behavior of file2, ser2vet.exe and autorun.inf in the virtual environment to obtain the behavior information of these three files, and the behavior information so obtained is the behavior information corresponding to the dangerous file file2.
- The manner in which the sub-monitoring device monitors the behavior of each file released by the dangerous file is the same as, or similar to, the manner in which the monitoring device 2 monitors the behavior of the dangerous file, and details are not repeated here.
- Preferably, the behavior determining apparatus of this embodiment further includes a device for shutting down the virtual environment when a predetermined shutdown condition is satisfied (hereinafter referred to as the "shutdown device", not shown).
- When the predetermined shutdown condition is satisfied, the shutdown device shuts down the virtual environment.
- The predetermined shutdown condition includes any predetermined condition indicating that the virtual environment should be shut down.
- Preferably, the predetermined shutdown condition includes but is not limited to the following:
- The dangerous file performs a process exit operation in the virtual environment.
- The process exit operation includes any operation indicating that the process of the dangerous file exits; preferably, the process exit operation includes but is not limited to a self-delete operation of the dangerous file, a delete operation on the dangerous file performed by the user in the virtual environment, etc.
- The running time of the dangerous file in the virtual environment exceeds a limit; for example, the predetermined shutdown condition is satisfied when the running time of the dangerous file in the virtual environment exceeds 5 s.
- The predetermined shutdown conditions above are merely examples and are not intended to limit the present invention; any predetermined condition indicating that the virtual environment should be shut down falls within the scope of the predetermined shutdown condition described in the present invention.
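The following Python model is an added illustration, not code from the patent or its applicant. It brings together the mechanisms described above: virtual APIs that return the real API's feedback result without performing its effect, an application read virtual API that answers from a user-configured process list, a monitor that records file, registry, process and thread behavior (with a CRC32 feature value for an injected thread), collection of released files, and the two predetermined shutdown conditions. The API names mirror the Windows APIs named in the description; the process list, the paths, the registry key and the sample's behavior are constructed for the example, and computing the feature value as CRC32 over the thread's code is my reading of the text, not something the page states.

```python
import time
import zlib
from dataclasses import dataclass, field

RUN_TIME_LIMIT_S = 5.0  # the description's example: a run longer than 5 s closes the environment


def thread_feature_value(code: bytes) -> int:
    """Feature value of an injected thread: CRC32 over its code (assumption:
    the text only says 'a CRC32 value corresponding to the code length')."""
    return zlib.crc32(code) & 0xFFFFFFFF


@dataclass
class VirtualEnvironment:
    """Model of the virtual environment. Every virtual API appends a behaviour
    entry and returns the feedback the real Windows API gives on success,
    without performing the operation on any real system."""
    # user-configured process list read by the application read virtual API
    # (constructed; APP1 and APP2 are the names used in the description)
    process_list: list = field(default_factory=lambda: [
        (1001, "APP1", r"C:\Program Files\APP1\app1.exe"),
        (1002, "APP2", r"C:\Program Files\APP2\app2.exe"),
    ])
    behavior_info: list = field(default_factory=list)   # what the monitoring device records
    released_files: list = field(default_factory=list)  # files the sample dropped
    exited: bool = False
    started_at: float = field(default_factory=time.monotonic)

    def _record(self, kind, op, **details):
        self.behavior_info.append({"kind": kind, "op": op, **details})

    # --- file operation behaviour -----------------------------------------
    def CreateFile(self, path):
        self.released_files.append(path)
        self._record("file", "create", path=path)
        return True  # stands in for the valid handle the real API returns

    def DeleteFile(self, path):
        self._record("file", "delete", path=path)
        return True  # same feedback as the real DeleteFile; nothing is deleted

    # --- registry operation behaviour -------------------------------------
    def RegSetValue(self, key, value):
        self._record("registry", "set", key=key, value=value)
        return 0  # ERROR_SUCCESS

    def RegDeleteKey(self, key):
        self._record("registry", "delete", key=key)
        return 0

    # --- process and thread operation behaviour ---------------------------
    def CreateToolhelp32Snapshot(self):
        """Application read virtual API: the active applications come from the
        configured process list, not from the real system."""
        return [(pid, name) for pid, name, _ in self.process_list]

    def _path_of(self, pid):
        return next((p for i, _, p in self.process_list if i == pid), None)

    def WriteProcessMemory(self, pid, data):
        self._record("process", "cross_process_write", pid=pid,
                     path=self._path_of(pid), size=len(data))
        return True

    def CreateRemoteThread(self, pid, code):
        self._record("thread", "inject", pid=pid, code_length=len(code),
                     feature_value=thread_feature_value(code))
        return True

    def ExitProcess(self):
        self.exited = True  # process exit operation: one shutdown condition

    def shutdown_condition_met(self, now=None):
        """Predetermined shutdown condition: process exit, or run time over the limit."""
        now = time.monotonic() if now is None else now
        return self.exited or (now - self.started_at) > RUN_TIME_LIMIT_S


def sample_dangerous_file(env):
    """Constructed stand-in for the dangerous file 'file2' of the description.
    It calls only virtual APIs, so nothing happens outside the model."""
    env.CreateFile(r"C:\Windows\ser2vet.exe")  # file names from the description,
    env.CreateFile(r"C:\autorun.inf")          # paths made up for the example
    env.RegSetValue(r"HKCU\Software\Example\Run", r"C:\Windows\ser2vet.exe")
    pid = next(p for p, name in env.CreateToolhelp32Snapshot() if name == "APP1")
    env.WriteProcessMemory(pid, b"\x90" * 16)
    env.CreateRemoteThread(pid, b"\xcc" * 0x100)  # code length 0x100 as in the text
    env.DeleteFile(r"C:\Users\user\Downloads\file2.exe")  # self-delete
    env.ExitProcess()


def analyse(sample=sample_dangerous_file):
    """Running device plus monitoring device: run the sample in a fresh virtual
    environment and hand back the recorded behaviour information."""
    env = VirtualEnvironment()  # a fresh instance is the restored initial environment
    sample(env)
    return env


if __name__ == "__main__":
    for entry in analyse().behavior_info:
        print(entry)
```

Because the virtual APIs never touch the host, the whole run is a few dictionary appends; the resulting `behavior_info` list is exactly the input the repair stage described later needs, and `released_files` gives the sub-monitoring device the list of dropped files whose behavior it would monitor next.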
- According to this embodiment, the behavior information of a dangerous file is obtained by running the dangerous file in the virtual environment of the computer device; the process needs no manual analysis, so the time required to obtain the behavior information is greatly reduced.
- Because the virtual APIs only virtualize execution, all operational behaviors of the dangerous file can be recorded, so the behavior information obtained by the computer device is comprehensive; this avoids the situation in which the real environment of the computer device cannot be completely repaired because the behavior information is incomplete.
- Running the dangerous file in the virtual environment does not affect the real environment of the computer device; the virtual environment takes up very little space in the computer device; and since the virtual environment does not need to actually perform the function of a virtual API but only needs to return the same feedback result that the corresponding real API would return in the real environment, the dangerous file can be run more quickly in the virtual environment, so that its behavior information is obtained quickly.
- FIG. 4 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
- The behavior determining apparatus according to this embodiment includes the running device 1, the monitoring device 2, and a device for repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file (hereinafter referred to as the "repairing device 3").
- The running device 1 and the monitoring device 2 have been described in detail with reference to FIG. 3, and details are not repeated here.
- The repairing device 3 repairs the real environment of the computer device according to the behavior information corresponding to the dangerous file.
- The repairing device 3 can repair the real environment of the computer device according to the behavior information corresponding to the dangerous file in various scenarios.
- For example, the repairing device 3 directly performs an operation to repair the real environment of the computer device.
- For example, the repairing device 3 directly performs an operation to repair the real environment of the computer device while clearing the dangerous file.
- Preferably, according to the behavior information corresponding to the dangerous file, the repairing device 3 directly performs the operation opposite to the operational behavior indicated by the behavior information, to restore the real environment of the computer device.
- For example, the behavior information of the dangerous file includes information indicating the creation of a file and path information of the created file; the repairing device 3 then deletes the created file under the file path indicated by the path information, to restore the real environment to the state before the dangerous file was run.
- For example, the behavior information of the dangerous file includes information indicating that a registry key was deleted, and the deleted registry key; the repairing device 3 then restores the deleted registry key according to the behavior information, to restore the real environment to the state before the dangerous file was run.
- Preferably, the repairing device 3 further includes a device for determining the corresponding repair operation information according to the behavior information corresponding to the dangerous file (hereinafter referred to as the "determining device", not shown), and a device for repairing the real environment of the computer device according to the repair operation information (hereinafter referred to as the "sub-repair device", not shown).
- The determining device determines the corresponding repair operation information according to the behavior information corresponding to the dangerous file.
- The repair operation information includes any information related to the repair operation.
- Preferably, the repair operation information includes but is not limited to: information related to a file repair operation, information related to a registry repair operation, information related to a process repair operation, and information related to a thread repair operation.
- The file repair operation includes any operation for repairing a file, such as restoring file parameters, deleting a file, and the like.
- The information related to the file repair operation includes but is not limited to: information indicating the type of file repair operation, the name of the file to be operated, the file parameter to be restored, the value of that file parameter, and the like.
- Preferably, the determining device scans the dangerous file and the at least one file released by the dangerous file in the real system of the computer device, and determines the information related to the file repair operation according to the scan result and the behavior information of the dangerous file.
- The registry repair operation includes any operation for repairing the registry, such as restoring or deleting a registry key.
- The information related to the registry repair operation includes but is not limited to: information indicating the type of registry repair operation, the registry key to be operated, the value corresponding to the registry key, and the like.
- Preferably, the determining device may obtain the default value corresponding to the registry key by querying a local knowledge base, and use that default value as the value corresponding to the registry key.
- The process repair operation includes any operation for repairing a process, such as closing or restarting a process.
- The information related to the process repair operation includes but is not limited to: information indicating the type of process repair operation, path information corresponding to the operated process, and the like.
- Preferably, when the operated process is a system file, the process repair operation can be completed directly by restarting the computer device, without obtaining the repair operation information for that process.
- The thread repair operation includes any operation for repairing a thread, such as stopping a thread.
- The information related to the thread repair operation includes but is not limited to: information indicating the type of thread repair operation, and the feature value corresponding to the operated thread.
- The repair operation information above is only an example and is not intended to limit the present invention; those skilled in the art should understand that any information related to a repair operation falls within the scope of the repair operation information described in the present invention.
- Preferably, the determining device determines the repair operation indicated by the repair operation information according to the operational behavior indicated by the behavior information corresponding to the dangerous file, and then determines the repair operation information according to that repair operation and the behavior information.
- For example, the behavior information includes information indicating a cross-process write and path information of the operated process; the determining device determines, according to the information indicating the cross-process write operation, that the repair operation is restarting the process, and determines, according to that repair operation and the behavior information, that the repair operation information includes information indicating the restart of the process and the path information of the process to be restarted.
- For example, the behavior information includes information indicating thread injection and a feature value corresponding to the operated thread; the determining device determines, according to the information indicating thread injection, that the repair operation is stopping the thread, and determines, according to that repair operation and the behavior information, that the repair operation information includes information indicating the stopping of the thread and the feature value corresponding to the thread to be stopped.
- The sub-repair device repairs the real environment of the computer device according to the repair operation information.
- For example, the repair operation information determined by the determining device includes information indicating a process restart and path information corresponding to the operated process.
- The sub-repair device then searches for the corresponding process according to the path information and restarts the process found.
- For example, the repair operation information determined by the determining device includes information indicating that a thread is to be stopped and the feature value corresponding to the operated thread.
- The sub-repair device then determines the matching thread based on the feature value and stops that thread.
- Preferably, the computer device presents the user with prompt information prompting the user to restart the computer device.
- According to this embodiment, the computer device can repair its real environment according to the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the effects of the dangerous file and of the other files released by it.
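As an added example (not code from the patent or its applicant), the following Python model shows the determining device and the sub-repair device working on behavior information of the shape the monitoring device produces: each recorded behavior is mapped to its opposite operation, registry defaults come from a local knowledge base, a cross-process write into a system file is handled with a restart prompt instead of a process restart, and an injected thread is matched by its feature value. The behavior entries, the real-environment state, the knowledge base and the system directory test are all constructed for the example; only the file names ser2vet.exe and autorun.inf come from the description.

```python
from dataclasses import dataclass, field

SYSTEM_DIR = r"C:\Windows\System32"  # assumption: processes under here are system files

# Constructed behaviour information, in the shape the monitoring device would
# produce. ser2vet.exe and autorun.inf are named in the description; every
# path, key, PID and feature value below is made up for the example.
SAMPLE_BEHAVIOR_INFO = [
    {"kind": "file", "op": "create", "path": r"C:\Windows\ser2vet.exe"},
    {"kind": "file", "op": "create", "path": r"C:\autorun.inf"},
    {"kind": "registry", "op": "set",
     "key": r"HKCU\Software\Example\Shell", "value": r"C:\Windows\ser2vet.exe"},
    {"kind": "registry", "op": "delete", "key": r"HKLM\Software\Example\Updater"},
    {"kind": "process", "op": "cross_process_write", "pid": 1001,
     "path": r"C:\Program Files\APP1\app1.exe"},
    {"kind": "process", "op": "cross_process_write", "pid": 4,
     "path": r"C:\Windows\System32\services.exe"},
    {"kind": "thread", "op": "inject", "pid": 4, "feature_value": 0x1234ABCD},
]

# Local knowledge base of default registry values (constructed).
KNOWLEDGE_BASE = {
    r"HKCU\Software\Example\Shell": "explorer.exe",
    r"HKLM\Software\Example\Updater": "enabled",
}


@dataclass
class RealEnvironment:
    """Simulated state of the real system on which the sub-repair device acts."""
    files: set
    registry: dict
    processes: dict           # process path -> PID of the running instance
    threads: list             # [pid, feature_value, running]
    restarted: list = field(default_factory=list)
    prompts: list = field(default_factory=list)


def sample_real_environment():
    """Constructed post-infection state: one dropped file is present, the
    other is not, the registry was changed, and services.exe carries an
    injected thread next to a legitimate one."""
    return RealEnvironment(
        files={r"C:\Windows\ser2vet.exe", r"C:\Program Files\APP1\app1.exe"},
        registry={r"HKCU\Software\Example\Shell": r"C:\Windows\ser2vet.exe"},
        processes={r"C:\Program Files\APP1\app1.exe": 1001,
                   r"C:\Windows\System32\services.exe": 4},
        threads=[[4, 0x1234ABCD, True], [4, 0x0BADF00D, True]],
    )


def determine_repair_operations(behavior_info, knowledge_base, scan_result):
    """Determining device: derive the opposite operation for each recorded
    behaviour. scan_result is the set of paths actually found on the real
    system, so a dropped file that is absent needs no repair operation."""
    ops = []
    for b in behavior_info:
        kind, op = b["kind"], b["op"]
        if kind == "file" and op == "create":
            if b["path"] in scan_result:
                ops.append({"kind": "file", "repair": "delete", "path": b["path"]})
        elif kind == "registry" and op in ("set", "delete"):
            ops.append({"kind": "registry", "repair": "restore", "key": b["key"],
                        "value": knowledge_base.get(b["key"])})  # default from knowledge base
        elif kind == "process" and op == "cross_process_write":
            if b["path"].lower().startswith(SYSTEM_DIR.lower()):
                ops.append({"kind": "process", "repair": "reboot", "path": b["path"]})
            else:
                ops.append({"kind": "process", "repair": "restart", "path": b["path"]})
        elif kind == "thread" and op == "inject":
            ops.append({"kind": "thread", "repair": "stop",
                        "feature_value": b["feature_value"]})
    return ops


def apply_repair_operations(env, ops):
    """Sub-repair device: execute each repair operation on the real environment."""
    for o in ops:
        if o["kind"] == "file":
            env.files.discard(o["path"])
        elif o["kind"] == "registry":
            if o["value"] is None:
                env.registry.pop(o["key"], None)  # no known default: drop the key
            else:
                env.registry[o["key"]] = o["value"]
        elif o["kind"] == "process" and o["repair"] == "restart":
            if o["path"] in env.processes:
                env.restarted.append(o["path"])  # found by path, then restarted
        elif o["kind"] == "process" and o["repair"] == "reboot":
            env.prompts.append("Restart the computer to complete the repair")
        elif o["kind"] == "thread":
            for t in env.threads:
                if t[1] == o["feature_value"]:  # match the thread by feature value
                    t[2] = False
    return env


def repair(behavior_info=SAMPLE_BEHAVIOR_INFO, env=None):
    """Repairing device 3: determine the repair operations, then apply them."""
    env = env or sample_real_environment()
    ops = determine_repair_operations(behavior_info, KNOWLEDGE_BASE, set(env.files))
    return apply_repair_operations(env, ops), ops
```

The scan step matters in practice: the virtual run records every file the sample tried to create, but the repair only deletes those the scan actually finds on the real system, which keeps the repair from acting on paths that were never written there.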
- the present invention may be implemented in software and/or a combination of software and hardware.
- each device of the present invention may employ an Application Specific Integrated Circuit (ASIC) or any other similar hardware device.
- the software program of the present invention may be executed by a processor to implement the steps or functions described above.
- the software program (including related data structures) of the present invention can be stored in a computer readable recording medium such as a RAM (random access memory) memory, a magnetic or optical drive or a floppy disk and the like.
- some of the steps or functions of the present invention may be implemented in hardware, for example, as a circuit that cooperates with a processor to perform various steps or functions.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Stored Programmes (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Claims (21)
- A method for determining behavior information corresponding to a dangerous file in a computer device, wherein the method comprises: when it is detected that a dangerous file exists, running the dangerous file in a virtual environment of the computer device, wherein the virtual environment comprises at least one virtual API that is the same as at least one real API in the real environment of the computer device; and monitoring the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file.
- The method according to claim 1, wherein the at least one virtual API comprises an application read virtual API capable of reading the currently active applications, and the step of running the dangerous file in the virtual environment comprises: when the dangerous file calls the application read virtual API, providing the currently active application information to the dangerous file.
- The method according to claim 1 or 2, wherein the method further comprises: obtaining, in the virtual environment, at least one file released by the running dangerous file; wherein the step of monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file comprises: monitoring, in the virtual environment, the behavior of the dangerous file and of the at least one file, to obtain the behavior information corresponding to the dangerous file.
- The method according to any one of claims 1 to 3, wherein the behavior information comprises at least one of: information related to file operation behavior; information related to registry operation behavior; information related to process operation behavior; information related to thread operation behavior.
- The method according to any one of claims 1 to 4, wherein the method further comprises: repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file.
- The method according to claim 5, wherein the step of repairing the system environment of the computer device according to the behavior information corresponding to the dangerous file comprises: determining corresponding repair operation information according to the behavior information corresponding to the dangerous file; and repairing the real environment of the computer device according to the repair operation information.
- The method according to claim 6, wherein the repair operation information comprises at least one of: information related to a file repair operation; information related to a registry repair operation; information related to a process repair operation; information related to a thread repair operation.
- The method according to claims 1 to 7, wherein the method further comprises: closing the virtual environment when a predetermined closing condition is satisfied.
- The method according to claim 8, wherein the predetermined closing condition comprises at least one of: the dangerous file performs a process exit operation in the virtual environment; the running time of the dangerous file in the virtual environment exceeds a predetermined time.
- An apparatus for determining behavior information corresponding to a dangerous file in a computer device, wherein the apparatus comprises: a device for running the dangerous file in a virtual environment of the computer device when it is detected that a dangerous file exists, wherein the virtual environment comprises at least one virtual API that is the same as at least one real API in the real environment of the computer device; and a device for monitoring the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file.
- The apparatus according to claim 10, wherein the at least one virtual API comprises an application read virtual API capable of reading the currently active applications, and the device for running the dangerous file in the virtual environment comprises: a device for providing the currently active application information to the dangerous file when the dangerous file calls the application read virtual API.
- The apparatus according to claim 10 or 11, wherein the apparatus further comprises: a device for obtaining, in the virtual environment, at least one file released by the running dangerous file; wherein the device for monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file comprises: a device for monitoring, in the virtual environment, the behavior of the dangerous file and of the at least one file, to obtain the behavior information corresponding to the dangerous file.
- The apparatus according to any one of claims 10 to 12, wherein the behavior information comprises at least one of: information related to file operation behavior; information related to registry operation behavior; information related to process operation behavior; information related to thread operation behavior.
- The apparatus according to any one of claims 10 to 13, wherein the apparatus further comprises: a device for repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file.
- The apparatus according to claim 14, wherein the device for repairing the system environment of the computer device according to the behavior information corresponding to the dangerous file comprises: a device for determining corresponding repair operation information according to the behavior information corresponding to the dangerous file; and a device for repairing the real environment of the computer device according to the repair operation information.
- The apparatus according to claim 15, wherein the repair operation information comprises at least one of: information related to a file repair operation; information related to a registry repair operation; information related to a process repair operation; information related to a thread repair operation.
- The apparatus according to claims 10 to 16, wherein the apparatus further comprises: a device for closing the virtual environment when a predetermined closing condition is satisfied.
- The method according to claim 17, wherein the predetermined closing condition comprises at least one of: the dangerous file performs a process exit operation in the virtual environment; the running time of the dangerous file in the virtual environment exceeds a predetermined time.
- A computer-readable medium comprising computer code which, when executed, performs the method according to any one of claims 1 to 9.
- A computer program product which, when executed by a computer device, performs the method according to any one of claims 1 to 9.
- A computer device comprising a memory and a processor, the memory storing computer code, the processor being configured to perform the method according to any one of claims 1 to 9 by executing the computer code.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP15885132.9A EP3113060B1 (en) | 2015-03-18 | 2015-06-25 | Method and apparatus for determining behaviour information corresponding to dangerous file |
JP2016564985A JP2017520820A (ja) | 2015-03-18 | 2015-06-25 | Method for identifying behavior information corresponding to a dangerous file and apparatus for identifying behavior information corresponding to a dangerous file |
KR1020167030047A KR101974989B1 (ko) | 2015-03-18 | 2015-06-25 | Method and apparatus for determining behavior information corresponding to a dangerous file |
US15/300,770 US10915624B2 (en) | 2015-03-18 | 2015-06-25 | Method and apparatus for determining behavior information corresponding to a dangerous file |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510119820.7 | 2015-03-18 | ||
CN201510119820.7A CN104766006B (zh) | 2015-03-18 | 2015-03-18 | Method and apparatus for determining behavior information corresponding to a dangerous file |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016145749A1 (zh) | 2016-09-22 |
Family
ID=53647828
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/082409 WO2016145749A1 (zh) | 2015-03-18 | 2015-06-25 | Method and apparatus for determining behavior information corresponding to a dangerous file |
Country Status (6)
Country | Link |
---|---|
US (1) | US10915624B2 (zh) |
EP (1) | EP3113060B1 (zh) |
JP (1) | JP2017520820A (zh) |
KR (1) | KR101974989B1 (zh) |
CN (1) | CN104766006B (zh) |
WO (1) | WO2016145749A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106921608B (zh) | 2015-12-24 | 2019-11-22 | Huawei Technologies Co., Ltd. | Method, apparatus and system for detecting the security status of a terminal |
WO2019009601A1 (ko) * | 2017-07-04 | 2019-01-10 | Soosan INT Co., Ltd. | Apparatus and method for protecting web sources |
CN110020933B (zh) * | 2019-04-10 | 2020-06-23 | China Southern Power Grid Digital Grid Research Institute Co., Ltd. | Automatic exit method and apparatus applied to a financial business system, and computer device |
US11336690B1 (en) * | 2019-11-15 | 2022-05-17 | National Technology & Engineering Solutions Of Sandia, Llc | Threat emulation framework |
JP7489197B2 (ja) * | 2020-01-31 | 2024-05-23 | NTT Data Corporation | Cloud monitoring and repair method, cloud monitoring and repair system, and program |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1314638A (zh) * | 2001-04-29 | 2001-09-26 | Beijing Rising Technology Co., Ltd. | Method, system and medium for detecting and removing known and unknown computer viruses |
CN1356631A (zh) * | 2001-12-03 | 2002-07-03 | Shanghai Computer Virus Prevention Service Center | Distributed virus monitoring architecture |
CN101350049A (zh) * | 2007-07-16 | 2009-01-21 | Zhuhai Kingsoft Software Co., Ltd. | Method and apparatus for identifying virus files, and network device |
Family Cites Families (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5974549A (en) * | 1997-03-27 | 1999-10-26 | Soliton Ltd. | Security monitor |
US6192512B1 (en) * | 1998-09-24 | 2001-02-20 | International Business Machines Corporation | Interpreter with virtualized interface |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
US8171553B2 (en) * | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US7779472B1 (en) * | 2005-10-11 | 2010-08-17 | Trend Micro, Inc. | Application behavior based malware detection |
JP2007334536A (ja) * | 2006-06-14 | 2007-12-27 | Securebrain Corp | Malware behavior analysis system |
EP1933248A1 (de) * | 2006-12-12 | 2008-06-18 | secunet Security Networks Aktiengesellschaft | Method for secure data processing on a computer system |
US8307443B2 (en) * | 2007-09-28 | 2012-11-06 | Microsoft Corporation | Securing anti-virus software with virtualization |
US7797748B2 (en) * | 2007-12-12 | 2010-09-14 | Vmware, Inc. | On-access anti-virus mechanism for virtual machine architecture |
KR20090067569A (ko) * | 2007-12-21 | 2009-06-25 | Saint Security Inc. | Windows kernel protection system using virtualization techniques |
JP4705961B2 (ja) * | 2008-01-25 | 2011-06-22 | Sky Co., Ltd. | Virus damage range prediction system |
JP4755658B2 (ja) * | 2008-01-30 | 2011-08-24 | Nippon Telegraph and Telephone Corporation | Analysis system, analysis method and analysis program |
US8312547B1 (en) * | 2008-03-31 | 2012-11-13 | Symantec Corporation | Anti-malware scanning in a portable application virtualized environment |
JP2009037651A (ja) * | 2008-11-17 | 2009-02-19 | Fujitsu Ltd | Security management system |
US8528075B2 (en) * | 2008-11-30 | 2013-09-03 | Red Hat Israel, Ltd. | Accelerating the execution of anti-virus programs in a virtual machine environment |
JP5274227B2 (ja) | 2008-12-10 | 2013-08-28 | LAC Co., Ltd. | Web page inspection device, computer system, web page inspection method, and program |
US8407787B1 (en) * | 2009-01-22 | 2013-03-26 | Trend Micro Incorporated | Computer apparatus and method for non-intrusive inspection of program behavior |
JP5440973B2 (ja) * | 2009-02-23 | 2014-03-12 | National Institute of Information and Communications Technology | Computer inspection system and computer inspection method |
JP5225942B2 (ja) * | 2009-07-01 | 2013-07-03 | Nippon Telegraph and Telephone Corporation | Analysis system, analysis method, and analysis program |
US8479286B2 (en) * | 2009-12-15 | 2013-07-02 | Mcafee, Inc. | Systems and methods for behavioral sandboxing |
KR20110087826A (ko) * | 2010-01-27 | 2011-08-03 | Hannam University Industry-Academia Cooperation Foundation | Method for detecting malicious software using a virtual machine |
TWI407328B (zh) | 2010-09-15 | 2013-09-01 | Chunghwa Telecom Co Ltd | Network virus protection method and system |
US8555385B1 (en) * | 2011-03-14 | 2013-10-08 | Symantec Corporation | Techniques for behavior based malware analysis |
US20120254993A1 (en) * | 2011-03-28 | 2012-10-04 | Mcafee, Inc. | System and method for virtual machine monitor based anti-malware security |
US9298910B2 (en) * | 2011-06-08 | 2016-03-29 | Mcafee, Inc. | System and method for virtual partition monitoring |
RU2514141C1 (ru) * | 2012-09-28 | 2014-04-27 | Kaspersky Lab ZAO | Method of emulating system function calls to bypass anti-emulation measures |
KR101429131B1 (ko) | 2013-06-12 | 2014-08-11 | Softcamp Co., Ltd. | Management device and management method for file security for system protection |
US9591003B2 (en) | 2013-08-28 | 2017-03-07 | Amazon Technologies, Inc. | Dynamic application security verification |
RU2580030C2 (ru) * | 2014-04-18 | 2016-04-10 | Kaspersky Lab ZAO | System and method for distributing antivirus scanning tasks among virtual machines in a virtual network |
US9973531B1 (en) * | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9471283B2 (en) * | 2014-06-11 | 2016-10-18 | Ca, Inc. | Generating virtualized application programming interface (API) implementation from narrative API documentation |
US9917855B1 (en) * | 2016-03-03 | 2018-03-13 | Trend Micro Incorporated | Mixed analysys-based virtual machine sandbox |
2015
- 2015-03-18 CN CN201510119820.7A patent/CN104766006B/zh active Active
- 2015-06-25 US US15/300,770 patent/US10915624B2/en active Active
- 2015-06-25 EP EP15885132.9A patent/EP3113060B1/en active Active
- 2015-06-25 KR KR1020167030047A patent/KR101974989B1/ko active IP Right Grant
- 2015-06-25 WO PCT/CN2015/082409 patent/WO2016145749A1/zh active Application Filing
- 2015-06-25 JP JP2016564985A patent/JP2017520820A/ja active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP3113060A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN104766006A (zh) | 2015-07-08 |
US10915624B2 (en) | 2021-02-09 |
CN104766006B (zh) | 2019-03-12 |
KR101974989B1 (ko) | 2019-05-07 |
KR20160138523A (ko) | 2016-12-05 |
US20170124321A1 (en) | 2017-05-04 |
EP3113060A1 (en) | 2017-01-04 |
JP2017520820A (ja) | 2017-07-27 |
EP3113060A4 (en) | 2017-11-08 |
EP3113060B1 (en) | 2021-01-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3555789B1 (en) | Intelligent backup and versioning | |
WO2016145749A1 (zh) | Method and apparatus for determining behavior information corresponding to a dangerous file | |
US7614084B2 (en) | System and method for detecting multi-component malware | |
US20220398321A1 (en) | Data management | |
US20130160126A1 (en) | Malware remediation system and method for modern applications | |
US10339316B2 (en) | Integrity assurance through early loading in the boot phase | |
US20160156645A1 (en) | Method and apparatus for detecting macro viruses | |
US20210182392A1 (en) | Method for Detecting and Defeating Ransomware | |
US8448243B1 (en) | Systems and methods for detecting unknown malware in an executable file | |
JP5888386B2 (ja) | Virus processing method and apparatus | |
RU2583711C2 (ru) | Method for deferred elimination of malicious code | |
JP6404771B2 (ja) | Log determination device, log determination method, and log determination program | |
US20140229526A1 (en) | Systems, methods and media for securely executing remote commands using cross-platform library | |
US11509738B2 (en) | System for migration of data from legacy computer system using wireless peer-to-peer connection | |
KR101138746B1 (ko) | Apparatus and method for blocking malicious code using an executable file | |
EP2230616B1 (en) | System and method for detecting multi-component malware | |
KR20120039569A (ko) | Apparatus for blocking malicious code using an executable file | |
JP2022141590A (ja) | System and method for inspecting archive slices for malware using empty sparse files | |
WO2014139295A1 (zh) | Data processing method and terminal | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
REEP | Request for entry into the european phase |
Ref document number: 2015885132 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2015885132 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 20167030047 Country of ref document: KR Kind code of ref document: A Ref document number: 2016564985 Country of ref document: JP Kind code of ref document: A |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15885132 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15300770 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |