CN103679024B - Virus treating method and device - Google Patents


Info

Publication number
CN103679024B
Authority
CN
China
Prior art keywords
virus
file
target process
name
information
Prior art date
Legal status
Active
Application number
CN201310583369.5A
Other languages
Chinese (zh)
Other versions
CN103679024A (en)
Inventor
郭明强
钱科明
曹亮
潘锦锋
董志强
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201310583369.5A (CN103679024B)
Priority to CN201510075309.1A (CN104657664B)
Publication of CN103679024A
Priority to JP2014208092A (JP5888386B2)
Priority to EP14189276.0A (EP2874090B1)
Priority to US14/533,062 (US20150143523A1)
Application granted
Publication of CN103679024B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

The embodiment of the invention provides a virus treating method and device. The method includes the steps that feature analysis is carried out on threads contained in a target process so as to determine whether at least one of the threads contained in the target process is successfully matched with virus feature information or not; if yes, virus type information is determined according to the virus feature information successfully matched with the corresponding threads so that process creation can be inhibited according to the virus type information. By adopting the measure of inhibiting process creation, viruses in a system can be effectively prevented from being replicated, and accordingly the safety performance of the system can be improved.

Description

Virus processing method and equipment
[ technical field ]
The present invention relates to computer technologies, and in particular, to a method and an apparatus for processing viruses.
[ background of the invention ]
A virus is code that is compiled into, or inserted into, an application in order to damage computer functionality; it interferes with the normal use of the application and is capable of replicating itself, usually in the form of a set of instructions or program code. Viruses are characterized as destructive, self-replicating and infectious. When a file in the system is infected by a virus, the antivirus engine has to scan the system in order to clear the virus. Because viruses replicate so aggressively, a virus that has already run will try to infect other files in the system, which makes it difficult for antivirus software to remove the virus from the system completely.
[ summary of the invention ]
Aspects of the present invention provide a method and an apparatus for processing a virus, so as to improve security performance of a system.
In one aspect of the present invention, a method for processing a virus is provided, including:
performing characteristic analysis on threads included by a target process to determine whether at least one thread is successfully matched with virus characteristic information in the threads included by the target process;
if at least one thread exists in the threads included in the target process and the virus characteristic information is successfully matched, determining virus type information according to the successfully matched virus characteristic information;
and forbidding the execution of the process creation operation according to the virus type information.
The foregoing aspect and any possible implementation manner further provide an implementation manner, where performing feature analysis on threads included in a target process to determine whether at least one of the threads included in the target process is successfully matched with virus feature information includes:
obtaining the name of the target process and/or the hash value of the name;
obtaining characteristic information of threads included by the target process;
and matching in a virus feature library according to the name of the target process and/or the hash value of the name and the feature information of the threads included by the target process to determine whether at least one thread exists in the threads included by the target process and the virus feature information included in the virus feature library is successfully matched.
The above-mentioned aspect and any possible implementation manner further provide an implementation manner, where after prohibiting execution of a process creation operation according to the virus type information, the method further includes:
determining a first file operated by a target process corresponding to the at least one thread;
according to the virus type information, repairing the first file to generate a second file, wherein the file name of the second file comprises a preset or randomly generated repairing identifier;
and copying the second file to generate a third file, wherein the file name of the third file is the same as that of the first file.
The foregoing aspect and any possible implementation manner further provide an implementation manner, where after the performing the copy operation on the second file to generate a third file, the method further includes:
instructing the system to execute a restart operation;
and deleting the second file.
The above-described aspect and any possible implementation manner further provide an implementation manner, where the prohibiting execution of the process creation operation according to the virus type information includes:
determining whether to enter a safe repair mode or not according to the virus type information;
if the safe repair mode is determined to be entered, generating a notification event;
and according to the notification event, forbidding the execution of the process creation operation.
In another aspect of the present invention, there is provided a virus processing apparatus including:
the analysis unit is used for carrying out characteristic analysis on the threads included by the target process so as to determine whether at least one thread is successfully matched with the virus characteristic information in the threads included by the target process;
the determining unit is used for determining virus type information according to the successfully matched virus characteristic information if at least one thread exists in the threads included in the target process and the virus characteristic information is successfully matched;
and the operation unit is used for forbidding the execution of the process creation operation according to the virus type information.
The above-mentioned aspect and any possible implementation manner further provide an implementation manner, where the determining unit is specifically configured to:
obtain the name of the target process and/or the hash value of the name;
obtain characteristic information of the threads included in the target process; and
perform matching in a virus feature library according to the name of the target process and/or the hash value of the name and the feature information of the threads included in the target process, so as to determine whether at least one of the threads included in the target process is successfully matched with virus feature information included in the virus feature library.
The above-mentioned aspect and any possible implementation manner further provide an implementation manner, where the apparatus further includes a repair unit configured to:
determine a first file run by the target process corresponding to the at least one thread;
repair the first file according to the virus type information to generate a second file, where the file name of the second file includes a preset or randomly generated repair identifier; and
copy the second file to generate a third file, where the file name of the third file is the same as that of the first file.
The above-mentioned aspects and any possible implementation manner further provide an implementation manner, where the repair unit is further configured to:
instruct the system to execute a restart operation; and
delete the second file.
The above-described aspects and any possible implementation manner further provide an implementation manner, where the operation unit is specifically configured to:
determine whether to enter a safe repair mode according to the virus type information;
if it is determined to enter the safe repair mode, generate a notification event; and
send the notification event to notify that execution of the process creation operation is prohibited.
As can be seen from the foregoing technical solutions, in the embodiments of the present invention, feature analysis is performed on threads included in a target process to determine whether at least one thread successfully matches with virus feature information in the threads included in the target process, and if at least one thread successfully matches with virus feature information in the threads included in the target process, virus type information is determined according to the successfully matched virus feature information, so that a process creation operation can be prohibited according to the virus type information.
In addition, by adopting the technical scheme provided by the invention, the characteristic analysis is not performed by taking the file as a unit, but the characteristic analysis is performed by taking the thread included in the target process as a unit, and the granularity of the characteristic analysis is reduced, so that the safety performance of the system can be further improved.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed in the embodiments or the prior art descriptions will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without inventive labor.
FIG. 1 is a schematic flow chart of a virus processing method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a virus processing apparatus according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram of a virus processing apparatus according to another embodiment of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In addition, the term "and/or" herein merely describes an association between related objects and means that three kinds of relationship may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. Similarly, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Fig. 1 is a schematic flow chart of a virus processing method according to an embodiment of the present invention, as shown in fig. 1.
101. Perform characteristic analysis on the threads included in the target process to determine whether at least one of those threads is successfully matched with virus characteristic information.
Here, the target process can be understood as covering all processes in the system.
102. If at least one of the threads included in the target process is successfully matched with virus characteristic information, determine the virus type information according to the successfully matched virus characteristic information.
Specifically, the processes in the system may be traversed using a snapshot approach to obtain the process information of each process, such as the name of the process, the names of its threads, the state of each thread and the behaviour of each thread.
103. Prohibit execution of the process creation operation according to the virus type information.
Viruses, also known as computer viruses, may include, but are not limited to, trojans, backdoors, local area network worms, mail worms, spyware, infectious viruses, or Rootkits/Bootkits.
It should be noted that the execution main bodies 101 to 103 may be antivirus engines, and may be located in local clients to perform offline operation to remove viruses, or may be located in servers on a network side to perform online operation to remove viruses, which is not limited in this embodiment.
It should be understood that the client may be an application installed on the terminal, or may also be a web page of a browser, as long as the objective existence form of the secure system environment can be provided by implementing virus removal, which is not limited in this embodiment.
Therefore, feature analysis is performed on the threads included in the target process to determine whether at least one of those threads is successfully matched with virus feature information; if so, the virus type information is determined according to the successfully matched virus feature information, so that execution of the process creation operation can be prohibited according to the virus type information. Because the measure of prohibiting the process creation operation is adopted, the virus in the system is effectively prevented from replicating, and the security performance of the system is improved.
Optionally, in a possible implementation manner of this embodiment, in 101, the antivirus engine may specifically obtain a name of the target process and/or a hash value of the name. Then, the antivirus engine obtains characteristic information of the thread included by the target process. Then, the antivirus engine may perform matching in a virus feature library according to the name of the target process and/or the hash value of the name, and feature information of the threads included in the target process, so as to determine whether at least one thread exists in the threads included in the target process and the virus feature information included in the virus feature library is successfully matched.
The feature information may include dynamic features and/or static features, among others. The dynamic characteristics can be understood as being based on virus behaviors as the basis for judging the virus, and the static characteristics can be understood as being based on the feature codes of the virus as the basis for judging the virus.
Specifically, the virus feature library stores information related to virus feature information, including but not limited to an identifier of a process (e.g., a name of a target process and/or a hash value of the name), feature information of a thread, and an Identifier (ID) of the virus feature information, which is not particularly limited in the present invention.
For example,
the antivirus engine may specifically perform first matching in the virus feature library according to the name of the target process and/or the hash value of the name, so as to determine whether at least one target process in the target process is successfully matched with the name of the process included in the virus feature library.
If the first matching is successful, the antivirus engine may further perform second matching in the virus feature library according to the feature information of the threads included in the successfully matched target process, so as to determine whether at least one of those threads is successfully matched with the virus feature information that corresponds to the target process in the virus feature library. If the second matching is not successful, the antivirus engine may further perform third matching in the virus feature library according to the feature information of the threads included in the successfully matched target process, so as to determine whether at least one of those threads is successfully matched with the other virus feature information in the virus feature library, i.e. the entries other than the virus feature information corresponding to the target process.
If the first matching is not successful, the antivirus engine may instead perform second matching in the virus feature library according to the feature information of the threads included in the target process, so as to determine whether at least one of those threads is successfully matched with any virus feature information included in the virus feature library.
Further, after 102, the antivirus engine may additionally decide on an operation to perform on the at least one matched thread and instruct the process management unit accordingly, e.g., to suspend the thread or to stop the thread.
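The three-stage matching described above (first matching on the process name or its hash, second matching of thread feature information against the entries for that process, third matching against the remaining entries, and the fallback second matching against the whole library when the name is unknown) is shown below as an added Python example. It is not code from the patent or from the assignee; the representation of thread feature information as a set of tags, the SHA-256 name hash, the process names, tags and feature IDs are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed model of the virus feature library and of the three-stage matching.
# Representing a thread's feature information as a set of tags (static feature
# codes and dynamic behaviour labels) is an assumption, not the patent's format.


@dataclass(frozen=True)
class Thread:
    name: str
    features: FrozenSet[str]          # feature information observed for this thread


@dataclass(frozen=True)
class VirusFeature:
    feature_id: str                   # identifier (ID) of the virus feature information
    virus_type: str                   # virus type information reported on a match
    process_hash: Optional[str]       # hash of the process name the entry belongs to; None = generic
    thread_features: FrozenSet[str]   # feature information a thread must exhibit to match


def name_hash(process_name: str) -> str:
    """Hash of the process name; the library may be keyed by the name and/or its hash."""
    return hashlib.sha256(process_name.lower().encode()).hexdigest()


class VirusFeatureLibrary:
    def __init__(self, features: List[VirusFeature]) -> None:
        self.all = list(features)
        self.by_process: Dict[str, List[VirusFeature]] = {}
        for f in features:
            if f.process_hash is not None:
                self.by_process.setdefault(f.process_hash, []).append(f)


def _match_threads(threads: List[Thread],
                   candidates: List[VirusFeature]) -> Optional[Tuple[Thread, VirusFeature]]:
    """Return the first thread whose feature information contains a candidate's pattern."""
    for t in threads:
        for f in candidates:
            if f.thread_features <= t.features:
                return t, f
    return None


def analyze_process(lib: VirusFeatureLibrary, process_name: str,
                    threads: List[Thread]) -> Optional[dict]:
    h = name_hash(process_name)
    if h in lib.by_process:
        # First matching succeeded on the process name/hash.
        # Second matching: thread features against the entries belonging to this process.
        hit = _match_threads(threads, lib.by_process[h])
        if hit is None:
            # Third matching: thread features against every other entry in the library.
            hit = _match_threads(threads, [f for f in lib.all if f.process_hash != h])
    else:
        # First matching failed: second matching against the whole library.
        hit = _match_threads(threads, lib.all)
    if hit is None:
        return None
    thread, feature = hit
    return {"thread": thread.name, "feature_id": feature.feature_id,
            "virus_type": feature.virus_type}


def sample_library() -> VirusFeatureLibrary:
    """Constructed sample entries; the process names, tags and IDs are invented."""
    return VirusFeatureLibrary([
        VirusFeature("F001", "worm.lan", name_hash("svch0st.exe"),
                     frozenset({"writes_autorun_inf", "code:7f3a"})),
        VirusFeature("F002", "backdoor", name_hash("updater.exe"),
                     frozenset({"code:aa11"})),
        VirusFeature("F003", "trojan.generic", None,
                     frozenset({"creates_remote_thread"})),
    ])


if __name__ == "__main__":
    lib = sample_library()
    print(analyze_process(lib, "svch0st.exe",
                          [Thread("t1", frozenset({"writes_autorun_inf", "code:7f3a", "sleeps"}))]))
    print(analyze_process(lib, "notepad.exe",
                          [Thread("t1", frozenset({"creates_remote_thread"}))]))
```

Keying the per-process entries by the name hash keeps the first matching to a dictionary lookup, while the generic (process-independent) entries are only consulted in the third matching or when the name is unknown, which is what keeps the thread-level analysis cheap for the common benign process.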
Optionally, the antivirus engine in this embodiment may further perform initialization processing on the virus feature library in advance. Specifically, the antivirus engine may initialize the virus feature library according to a start sequence of a process.
Optionally, in a possible implementation manner of this embodiment, the antivirus engine may specifically adopt a masking manner to transmit the successfully matched virus feature information. For example,
in 101, each time a thread is successfully matched with virus feature information included in the virus feature library, the antivirus engine may record the virus feature code; the antivirus engine then performs an OR operation over the recorded virus feature codes in sequence to obtain a return value. In particular, the antivirus engine may store the return value in a global variable.
Specifically, a virus feature code may be 4 bytes of the virus code, which may cover two or three instructions, or it may be some other number of bytes of the virus code; this is not particularly limited in this embodiment.
At 102, the antivirus engine performs an AND operation on the return value obtained in 101 to obtain the virus signature.
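The masking scheme just described, as an added Python example that is not code from the patent or the assignee: each 4-byte feature code found in a thread's code is mapped to one bit, the bits are OR-ed into a global return value in 101, and in 102 the return value is AND-ed with each mask to recover the signatures. The 4-byte values, the signature names and the one-bit-per-code mapping are constructed assumptions for the example.

```python
from typing import Dict, List

# Constructed table of 4-byte virus feature codes and the bit each one sets in the
# mask. The byte values and signature names are invented; mapping every feature
# code to a single bit is an assumption about the "masking manner".
FEATURE_CODE_BITS: Dict[bytes, int] = {
    b"\xde\xad\xbe\xef": 1 << 0,   # constructed code standing for "worm.lan.autorun"
    b"\xca\xfe\xba\xbe": 1 << 1,   # constructed code standing for "trojan.injector"
    b"\x0b\xad\xf0\x0d": 1 << 2,   # constructed code standing for "bootkit.mbr"
}
BIT_TO_SIGNATURE: Dict[int, str] = {
    1 << 0: "worm.lan.autorun",
    1 << 1: "trojan.injector",
    1 << 2: "bootkit.mbr",
}
CODE_LEN = 4

# The global variable in which the OR-accumulated return value is kept.
_return_value = 0


def reset_return_value() -> None:
    global _return_value
    _return_value = 0


def get_return_value() -> int:
    return _return_value


def record_feature_code(code: bytes) -> int:
    """Step 101: a thread matched a feature code; OR its bit into the return value."""
    global _return_value
    _return_value |= FEATURE_CODE_BITS[code]
    return _return_value


def scan_thread_code(code: bytes) -> int:
    """Slide a 4-byte window over a thread's code bytes and record every known feature code."""
    for i in range(len(code) - CODE_LEN + 1):
        window = code[i:i + CODE_LEN]
        if window in FEATURE_CODE_BITS:
            record_feature_code(window)
    return _return_value


def signatures_from_return_value(return_value: int) -> List[str]:
    """Step 102: AND the return value with each mask to recover the matched signatures."""
    return [name for bit, name in sorted(BIT_TO_SIGNATURE.items()) if return_value & bit]


if __name__ == "__main__":
    reset_return_value()
    # Constructed thread code bytes containing two of the sample feature codes.
    rv = scan_thread_code(b"\x00\x01\xde\xad\xbe\xef\x02\xca\xfe\xba\xbe\x03")
    print(hex(rv), signatures_from_return_value(rv))
```

Because the accumulator is a single integer, several threads of one process can each contribute their matches without any allocation, and the AND in 102 lets the engine test for one specific signature (return_value & mask) or enumerate all of them, as the helper does.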
Optionally, in a possible implementation manner of this embodiment, after 103, the antivirus engine may specifically determine the first file run by the target process corresponding to the at least one thread. Then, the antivirus engine may perform a repair operation on the first file according to the virus type information to generate a second file, where a file name of the second file includes a preset or randomly generated repair identifier. Then, the antivirus engine may perform a copy operation on the second file to generate a third file, where a file name of the third file is the same as a file name of the first file.
Specifically, the antivirus engine may load the corresponding special antivirus engine according to the determined virus type information and perform the repair operation on the first file according to the virus type information. The second file is generated by repairing the first file and is therefore already free of infection; if its file name were still set to be the same as that of the first file, the antivirus engine would repeatedly rescan and attempt to clean the second file, sending the antivirus engine into an infinite loop. By adopting the technical solution of the invention, this infinite loop of the antivirus engine can be effectively prevented.
Accordingly, the antivirus engine may then further instruct the system to perform a restart operation. Then, during or after the system restart, the antivirus engine may delete the second file. For example, the antivirus engine may set a delayed deletion flag bit; when the delayed deletion flag bit is true, the antivirus engine may instruct the system to perform a restart operation, and then locate and delete the second file according to its repair identifier. When the delayed deletion flag bit is not true, the antivirus engine may generate a notification event and send it to the driver to notify the driver to return to the normal state, that is, to no longer prohibit execution of the process creation operation.
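The first-file / second-file / third-file repair sequence and the deferred deletion by repair identifier, as an added Python example (not the patent's or the assignee's code). The "infection" is a constructed byte marker that the stand-in special engine strips, the repair identifier format `.repaired-<id>` is an assumption, and the scan filter that skips repair artifacts is what breaks the rescan loop the text describes.

```python
import os
import shutil
import tempfile
import uuid
from typing import Dict, List, Optional

# Constructed stand-ins: an "infected" file is one containing the marker for its
# virus type, and the per-type special engine simply removes that marker.
INFECTION_MARKERS: Dict[str, bytes] = {"worm.lan": b"<<WORM-PAYLOAD>>"}
REPAIR_TAG = ".repaired-"   # preset repair identifier embedded in the second file's name


def repair_file(first_path: str, virus_type: str, repair_id: Optional[str] = None) -> str:
    """Repair the first file into a second file whose name carries the repair identifier."""
    marker = INFECTION_MARKERS[virus_type]
    with open(first_path, "rb") as fh:
        data = fh.read()
    cleaned = data.replace(marker, b"")
    repair_id = repair_id or uuid.uuid4().hex[:8]   # randomly generated identifier
    base, ext = os.path.splitext(first_path)
    second_path = f"{base}{REPAIR_TAG}{repair_id}{ext}"
    with open(second_path, "wb") as fh:
        fh.write(cleaned)
    return second_path


def copy_to_original_name(second_path: str, first_path: str) -> str:
    """Copy the second file to a third file that has the first file's name."""
    shutil.copyfile(second_path, first_path)
    return first_path


def is_repair_artifact(path: str) -> bool:
    return REPAIR_TAG in os.path.basename(path)


def needs_scan(path: str) -> bool:
    """The scanner skips repair artifacts, so the clean second file is never rescanned."""
    return not is_repair_artifact(path)


def delete_repair_artifacts(directory: str) -> List[str]:
    """Deferred deletion pass (run during/after restart): remove second files by identifier."""
    removed = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if is_repair_artifact(path):
            os.remove(path)
            removed.append(path)
    return removed


def run_repair_pipeline(directory: str, virus_type: str = "worm.lan") -> Dict[str, object]:
    """Create a constructed infected file, run the three-file repair, report each stage."""
    first = os.path.join(directory, "app.exe")
    with open(first, "wb") as fh:
        fh.write(b"MZ-clean-part-" + INFECTION_MARKERS[virus_type] + b"-tail")
    second = repair_file(first, virus_type, repair_id="deadbeef")
    third = copy_to_original_name(second, first)
    with open(third, "rb") as fh:
        third_data = fh.read()
    scanned = [p for p in (second, third) if needs_scan(p)]
    removed = delete_repair_artifacts(directory)
    return {
        "second_name": os.path.basename(second),
        "third_clean": INFECTION_MARKERS[virus_type] not in third_data,
        "scanned_before_restart": [os.path.basename(p) for p in scanned],
        "removed": [os.path.basename(p) for p in removed],
        "remaining": sorted(os.listdir(directory)),
    }


def demo() -> Dict[str, object]:
    """Run the pipeline in a throwaway directory and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_repair_pipeline(tmp)


if __name__ == "__main__":
    print(demo())
```

Keeping the identifier in the file name (rather than only in engine memory) is what lets the deferred deletion survive a restart: after reboot the engine only needs to list the directory and match on the tag.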
Optionally, in a possible implementation manner of this embodiment, in 103, the antivirus engine may specifically determine whether to enter a secure repair mode according to the virus type information. If the security repair mode is determined to be entered, the antivirus engine may generate a notification event and send the notification event to notify that the process creation operation is prohibited.
Specifically, if the virus indicated by the virus type information has the characteristic of single-process residence, the antivirus engine may directly suspend or stop the related thread using a method known in the prior art; if the virus indicated by the virus type information has the characteristic of multi-process residence, the antivirus engine may pop up a dialog box asking the user whether to enter the safe repair mode. For example, the content of the pop-up dialog box may be: "Antivirus tip: a stubborn xxx virus has been found. Switch to safe repair mode to thoroughly scan for and remove the xxx virus? Other applications cannot be run during the repair process."
If the user clicks the "confirm" button, the antivirus engine may generate a notification event and send it to the driver to notify the driver that execution of the process creation operation is prohibited; if the user clicks the "cancel" button, the antivirus engine may directly suspend or stop the related thread using a method known in the prior art.
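The decision in 103 and the driver that honours it, as an added Python example (not the patent's or the assignee's code): single-process viruses have their threads suspended directly, multi-process viruses prompt the user, a "confirm" sends an enter-safe-repair event to the driver stand-in, which then refuses every process creation until the engine sends the enter-normal event described for the case where the delayed deletion flag is not set. The residence characteristic values, the event names and the gate interface are assumptions for the example.

```python
from enum import Enum
from typing import Callable, Dict, List

# Constructed model of the 103 decision and of the driver that enforces it.


class Residence(Enum):
    SINGLE_PROCESS = "single-process"
    MULTI_PROCESS = "multi-process"


class Event(Enum):
    ENTER_SAFE_REPAIR = "enter-safe-repair"   # driver must prohibit process creation
    ENTER_NORMAL = "enter-normal"             # driver returns to its normal state


class ProcessCreationGate:
    """Stand-in for the kernel driver: applies the notification events it receives."""

    def __init__(self) -> None:
        self.safe_repair = False
        self.denied: List[str] = []

    def notify(self, event: Event) -> None:
        self.safe_repair = event is Event.ENTER_SAFE_REPAIR

    def on_process_create(self, image_name: str) -> bool:
        """True if the creation is allowed, False if it is prohibited (and recorded)."""
        if self.safe_repair:
            self.denied.append(image_name)
            return False
        return True


class ThreadController:
    """Stand-in for the process management unit that suspends matched threads."""

    def __init__(self) -> None:
        self.suspended: List[str] = []

    def suspend(self, thread_ids: List[str]) -> None:
        self.suspended.extend(thread_ids)


def decide_repair_mode(virus_type_info: Dict[str, object], gate: ProcessCreationGate,
                       threads: ThreadController, matched_threads: List[str],
                       ask_user: Callable[[str], bool]) -> str:
    """Step 103: suspend single-process viruses directly; ask before safe repair for multi-process ones."""
    name = virus_type_info["name"]
    if virus_type_info["residence"] is Residence.SINGLE_PROCESS:
        threads.suspend(matched_threads)
        return "suspended"
    prompt = (f"Antivirus tip: a stubborn {name} virus has been found. Switch to safe repair "
              f"mode to remove it completely? Other applications cannot run during the repair.")
    if ask_user(prompt):                # user clicked "confirm"
        gate.notify(Event.ENTER_SAFE_REPAIR)
        return "safe-repair"
    threads.suspend(matched_threads)    # user clicked "cancel"
    return "suspended"


def finish_repair(gate: ProcessCreationGate, delayed_delete: bool,
                  restart: Callable[[], None]) -> str:
    """After repair: restart when the delayed deletion flag is set, else return the driver to normal."""
    if delayed_delete:
        restart()
        return "restart"
    gate.notify(Event.ENTER_NORMAL)
    return "normal"


if __name__ == "__main__":
    gate, ctl = ProcessCreationGate(), ThreadController()
    info = {"name": "xxx", "residence": Residence.MULTI_PROCESS}
    print(decide_repair_mode(info, gate, ctl, ["tid-7"], ask_user=lambda msg: True))
    print(gate.on_process_create("cmd.exe"), gate.denied)
    print(finish_repair(gate, delayed_delete=False, restart=lambda: None),
          gate.on_process_create("cmd.exe"))
```

The gate records what it refused; in a real deployment that list is the telemetry a defender would want, since a virus that keeps trying to spawn helpers during safe repair shows up there as a burst of denied creations.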
In this embodiment, feature analysis is performed on threads included in a target process to determine whether at least one thread successfully matches with virus feature information in the threads included in the target process, and if at least one thread successfully matches with virus feature information in the threads included in the target process, virus type information is determined according to the successfully matched virus feature information, so that a process creation operation can be prohibited from being executed according to the virus type information.
In addition, by adopting the technical scheme provided by the invention, the characteristic analysis is not performed by taking the file as a unit, but the characteristic analysis is performed by taking the thread included in the target process as a unit, and the granularity of the characteristic analysis is reduced, so that the safety performance of the system can be further improved.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
Fig. 2 is a schematic structural diagram of a virus processing apparatus according to another embodiment of the present invention, as shown in fig. 2. The virus processing apparatus of the present embodiment may include an analysis unit 21, a determination unit 22, and an operation unit 23.
The analysis unit 21 is configured to perform feature analysis on the threads included in the target process to determine whether at least one of the threads included in the target process is successfully matched with the virus feature information. Wherein the target process can be understood as all processes in the system.
The determining unit 22 is configured to determine, if at least one of the threads included in the target process is successfully matched with the virus characteristic information, the virus type information according to the successfully matched virus characteristic information. Specifically, the determining unit 22 may use a snapshot method to traverse the processes in the system and obtain the process information of each process, such as the name of the process, the names of its threads, the state of each thread and the behaviour of each thread.
The operation unit 23 is configured to prohibit execution of a process creation operation according to the virus type information. Viruses, also known as computer viruses, may include, but are not limited to, trojans, backdoors, local area network worms, mail worms, spyware, infectious viruses, or rootkits/bootkits.
It should be noted that the virus processing device provided in this embodiment may be a virus killing engine, and may be located in a local client to perform offline operation to remove the virus, or may be located in a server on a network side to perform online operation to remove the virus, which is not limited in this embodiment.
It should be understood that the client may be an application installed on the terminal, or may also be a web page of a browser, as long as the objective existence form of the secure system environment can be provided by implementing virus removal, which is not limited in this embodiment.
Therefore, the analysis unit performs feature analysis on the threads included in the target process to determine whether at least one of those threads is successfully matched with virus feature information; if so, the determining unit determines the virus type information according to the successfully matched virus feature information, so that the operation unit can prohibit execution of the process creation operation according to the virus type information.
Optionally, in a possible implementation manner of this embodiment, the determining unit 22 may be specifically configured to obtain a name of the target process and/or a hash value of the name; obtaining characteristic information of threads included by the target process; and matching in a virus feature library according to the name of the target process and/or the hash value of the name and the feature information of the threads included in the target process to determine whether at least one thread exists in the threads included in the target process and the virus feature information included in the virus feature library is successfully matched.
The feature information may include dynamic features and/or static features, among others. The dynamic characteristics can be understood as being based on virus behaviors as the basis for judging the virus, and the static characteristics can be understood as being based on the feature codes of the virus as the basis for judging the virus.
Specifically, the virus feature library stores information related to virus feature information, including but not limited to an identifier of a process (e.g., a name of a target process and/or a hash value of the name), feature information of a thread, and an Identifier (ID) of the virus feature information, which is not particularly limited in the present invention.
For example, the determining unit 22 may first match the name of the target process and/or the hash value of the name against the virus feature library (first matching), to determine whether the target process matches a process name recorded in the library.
If the first matching succeeds, the determining unit 22 may then match the feature information of the threads included in the matched target process against the virus feature information that the library associates with that process (second matching), to determine whether at least one of those threads is successfully matched. If the second matching does not succeed, the determining unit 22 may further match the feature information of those threads against the remaining virus feature information in the library, that is, the entries not associated with the target process (third matching).
If the first matching does not succeed, the determining unit 22 may instead match the feature information of the threads included in the target process against all virus feature information in the library (second matching), to determine whether at least one of those threads is successfully matched.
Further, after step 102 of the method embodiment described earlier, the determining unit 22 may decide to perform an operation on the at least one thread and instruct a process management unit accordingly, for example to suspend the thread, or to stop the thread.
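The three-stage matching order described above, as an added Python illustration that is not code from the patent or from Baidu: the library layout, the process names, the feature-code values and the feature IDs are all constructed for the example, and the hash of the process name is taken with SHA-256 as an assumption (the page does not name a hash function).

```python
"""Two-stage matching of a target process and its threads against a virus feature library.

Added illustration of the matching order: first matching on the process name / name
hash, second matching on thread feature information tied to that process, third
matching on the remaining library entries, and whole-library matching when the
process itself is unknown. Not code from the patent; all data below is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


def name_hash(process_name: str) -> str:
    """Hash of the case-folded process name, so the library can be keyed by hash (SHA-256 assumed)."""
    return hashlib.sha256(process_name.lower().encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class VirusFeature:
    feature_id: str                 # identifier (ID) of the virus feature information
    process_hash: Optional[str]     # hash of the process this entry is tied to; None = not process-specific
    thread_codes: FrozenSet[str]    # feature codes (4-byte sequences, hex) expected in an infected thread


class FeatureLibrary:
    def __init__(self, features: List[VirusFeature]) -> None:
        self.features = list(features)

    def tied_to(self, process_hash: str) -> List[VirusFeature]:
        return [f for f in self.features if f.process_hash == process_hash]

    def not_tied_to(self, process_hash: str) -> List[VirusFeature]:
        return [f for f in self.features if f.process_hash != process_hash]


Match = Tuple[int, str, int]   # (thread id, feature id, matching stage that produced the hit)


def _match_threads(threads: Dict[int, Set[str]], candidates: List[VirusFeature], stage: int) -> List[Match]:
    """A thread matches a feature when every code of the feature was observed in that thread."""
    hits: List[Match] = []
    for tid, observed in sorted(threads.items()):
        for feat in candidates:
            if feat.thread_codes and feat.thread_codes <= observed:
                hits.append((tid, feat.feature_id, stage))
    return hits


def match_process(library: FeatureLibrary, process_name: str, threads: Dict[int, Set[str]]) -> List[Match]:
    """Return every (thread, feature) pair that matches, following the three-stage order."""
    h = name_hash(process_name)
    tied = library.tied_to(h)                                   # first matching: process name / hash
    if tied:
        hits = _match_threads(threads, tied, stage=2)           # second matching: entries tied to the process
        if hits:
            return hits
        return _match_threads(threads, library.not_tied_to(h), stage=3)   # third matching: the rest
    return _match_threads(threads, library.features, stage=2)   # unknown process: whole library


# Constructed library: two process-specific entries and one that is not tied to a process.
LIBRARY = FeatureLibrary([
    VirusFeature("VF-0001", name_hash("svchost.exe"), frozenset({"8b4c2404", "33c0c3cc"})),
    VirusFeature("VF-0002", name_hash("explorer.exe"), frozenset({"e8000000", "5d5bc3cc"})),
    VirusFeature("VF-0003", None, frozenset({"cccccccc"})),
])


def demo() -> Dict[str, List[Match]]:
    """Three constructed cases, one per branch of the matching order."""
    return {
        # Process matches and one of its threads carries the codes tied to it -> second matching hit.
        "tied_hit": match_process(LIBRARY, "svchost.exe",
                                  {1: {"8b4c2404", "33c0c3cc", "90909090"}, 2: {"deadbeef"}}),
        # Process matches but its threads only carry codes of another entry -> third matching hit.
        "fallback_hit": match_process(LIBRARY, "svchost.exe",
                                      {7: {"e8000000", "5d5bc3cc"}}),
        # Process not in the library -> threads are matched against every entry.
        "unknown_process": match_process(LIBRARY, "updater.exe",
                                         {3: {"cccccccc"}, 4: set()}),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(case, hits)
```

The stage number returned with each hit is what a determining unit would hand on: a stage-3 hit means the process name pointed at one family but the thread code belongs to another, which is worth recording separately from a direct match.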
Optionally, the device provided in this embodiment may further be configured to initialize the virus feature library in advance. Specifically, the virus feature library may be initialized according to the starting sequence of the processes.
Optionally, in a possible implementation of this embodiment, the units of the virus processing device, for example the analysis unit 21, the determination unit 22 and the operation unit 23, may use a mask mode to transmit the successfully matched virus feature information. For example, the analysis unit 21 may record a virus feature code each time a thread is successfully matched with virus feature information in the virus feature library, and then perform a bitwise OR over the recorded virus feature codes, in sequence, to obtain a return value. In particular, the analysis unit 21 may store the return value in a global variable.
Specifically, the virus feature code may be 4 bytes of the virus code, which may cover two or three instructions, or it may be some other number of bytes of the virus code; this embodiment does not particularly limit it.
The determining unit 22 then performs a bitwise AND on the return value obtained by the analysis unit 21 to obtain the virus signature.
Optionally, in a possible implementation of this embodiment, as shown in fig. 3, the virus processing apparatus may further include a repair unit 31, configured to determine a first file run by the target process corresponding to the at least one thread; repair the first file according to the virus type information to generate a second file, the file name of which includes a preset or randomly generated repair identifier; and copy the second file to generate a third file whose file name is the same as that of the first file.
Specifically, the repair unit 31 may load the corresponding special killing engine according to the virus type information determined by the determining unit 22 and repair the first file accordingly. The second file, generated by repairing the first file, is already free of infection; if it were given the same file name as the first file, the antivirus engine would scan and kill it again and again, that is, the engine would enter an infinite loop. The scheme of the invention effectively prevents this infinite loop of the killing engine.
Accordingly, the repair unit 31 may further be configured to instruct the system to perform a restart operation and to delete the second file; specifically, the second file may be deleted during or after the restart. For example, the repair unit 31 may set a delayed-deletion flag bit. When the flag is true, the repair unit 31 instructs the system to restart, then identifies the second file by its repair identifier and deletes it. When the flag is not true, the repair unit 31 generates a notification event and sends it to the driver so that the driver returns to its normal state, that is, no longer prohibits process creation operations.
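The first-file / second-file / third-file scheme and the delayed-deletion flag, as an added Python example that is not code from the patent or from Baidu. The repair step is a placeholder that strips a constructed marker (the type-specific special killing engine is outside the page), the file contents are constructed, and the system restart is simulated away: the function only reports that a restart would be requested before the second file is deleted.

```python
"""Repair a file under a repair identifier, copy it back under the original name,
and remove the intermediate file afterwards.

Added example; not code from the patent. INFECTED_MARKER and the "repair" that
strips it are constructed stand-ins for a real infection and a real killing engine.
"""
import pathlib
import secrets
import shutil
import tempfile
from typing import Dict, List

PRESET_REPAIR_ID = "repaired"                      # preset repair identifier (assumed value)
INFECTED_MARKER = b"<<constructed-infection>>"     # constructed stand-in for the viral payload


def repair_identifier(random: bool = False) -> str:
    """Preset or randomly generated repair identifier for the second file's name."""
    return secrets.token_hex(4) if random else PRESET_REPAIR_ID


def is_repair_output(name: str, repair_id: str) -> bool:
    """Second files are recognised by the identifier in their name and are not rescanned."""
    return name.endswith(f".{repair_id}")


def repair_file(first: pathlib.Path, repair_id: str) -> pathlib.Path:
    """Second file: repaired copy whose name carries the repair identifier."""
    second = first.with_name(f"{first.name}.{repair_id}")
    second.write_bytes(first.read_bytes().replace(INFECTED_MARKER, b""))   # placeholder repair
    return second


def copy_back(first: pathlib.Path, second: pathlib.Path) -> pathlib.Path:
    """Third file: a copy of the second file under the first file's name."""
    shutil.copy2(second, first)
    return first


def files_to_scan(directory: pathlib.Path, repair_id: str) -> List[str]:
    """Scan queue with second files filtered out; this is what keeps the engine out of the loop."""
    return sorted(p.name for p in directory.iterdir() if not is_repair_output(p.name, repair_id))


def finish_repair(directory: pathlib.Path, repair_id: str, delayed_deletion: bool) -> Dict[str, object]:
    """Flag true: request a restart, then delete every second file found by its identifier
    (the restart itself is simulated away here). Flag false: notify the driver to return
    to normal, i.e. process creation is allowed again, and leave the second file alone."""
    if delayed_deletion:
        removed = sorted(p.name for p in directory.iterdir() if is_repair_output(p.name, repair_id))
        for name in removed:
            (directory / name).unlink()
        return {"action": "restart_then_delete", "deleted": removed}
    return {"action": "notify_driver_normal", "deleted": []}


def demo(delayed_deletion: bool = True) -> Dict[str, object]:
    """Run the whole scheme on a constructed infected file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = pathlib.Path(tmp)
        first = directory / "app.exe"
        first.write_bytes(b"MZ-clean-header" + INFECTED_MARKER + b"-clean-tail")
        rid = repair_identifier()
        second = repair_file(first, rid)
        scan_queue = files_to_scan(directory, rid)        # taken while both files exist
        third = copy_back(first, second)
        result = finish_repair(directory, rid, delayed_deletion)
        result.update({
            "second_name": second.name,
            "scan_queue": scan_queue,
            "third_clean": INFECTED_MARKER not in third.read_bytes(),
            "remaining": sorted(p.name for p in directory.iterdir()),
        })
        return result


if __name__ == "__main__":
    print(demo(delayed_deletion=True))
    print(demo(delayed_deletion=False))
```

A practical check the page implies but does not spell out: whatever enumerates files for scanning must apply the same identifier test as the deletion pass, otherwise the second file is either rescanned or never cleaned up.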
Optionally, in a possible implementation of this embodiment, the operation unit 23 may be specifically configured to determine, according to the virus type information, whether to enter a safe repair mode; if it is determined to enter the safe repair mode, generate a notification event; and send the notification event to notify that the process creation operation is prohibited.
Specifically, if the virus indicated by the virus type information is single-process resident, the operation unit 23 may directly suspend or stop the relevant thread using a prior-art method; if the virus is multi-process resident, the operation unit 23 may pop up a dialog box asking the user whether to enter the safe repair mode. For example, the dialog box may read: "Antivirus tip: a stubborn xxx virus has been found. Switch to safe repair mode to remove the xxx virus thoroughly? Other applications cannot be run during the repair."
If the user clicks the "OK" button, the operation unit 23 may generate a notification event and send it to the driver to notify the driver that the process creation operation is prohibited; if the user clicks the "Cancel" button, the operation unit 23 may directly suspend or stop the relevant thread using a prior-art method.
In this embodiment, the analysis unit performs feature analysis on the threads included in the target process to determine whether at least one of them is successfully matched with virus feature information; if so, the determination unit determines virus type information according to the successfully matched virus feature information, so that the operation unit can prohibit execution of a process creation operation according to the virus type information.
In addition, with the technical scheme of the invention the feature analysis is performed not per file but per thread included in the target process. The analysis is therefore finer-grained, and the security of the system can be further improved.
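The mask mode described earlier (the analysis unit ORs recorded feature codes into a return value kept in a global variable, the determining unit ANDs that value to recover the virus signature) and the safe-repair-mode decision that follows from the virus type information, as one added Python example. It is not code from the patent or from Baidu: the bit assignments, the virus type table, the residence flags and the action names are constructed assumptions.

```python
"""Mask-mode transfer of matched feature codes, and the decision it drives.

Added example; not code from the patent. FEATURE_BITS, VIRUS_TYPES and the
action names are constructed for illustration.
"""
from typing import Dict, List

# Constructed: one bit per virus feature code the analysis unit can match.
FEATURE_BITS: Dict[str, int] = {
    "VF-0001": 1 << 0,
    "VF-0002": 1 << 1,
    "VF-0003": 1 << 2,
    "VF-0004": 1 << 3,
}

# Constructed virus type information: the signature mask that identifies the type
# and whether the virus is single- or multi-process resident.
VIRUS_TYPES: Dict[str, dict] = {
    "Type-A": {"mask": FEATURE_BITS["VF-0001"] | FEATURE_BITS["VF-0002"], "multi_process_resident": True},
    "Type-B": {"mask": FEATURE_BITS["VF-0003"], "multi_process_resident": False},
}

_return_value = 0   # global variable carrying the OR'd feature codes (analysis unit)


def reset_return_value() -> None:
    """Clear the accumulated mask before analysing a new target process."""
    global _return_value
    _return_value = 0


def record_match(feature_id: str) -> int:
    """Analysis unit: OR each successfully matched feature code into the return value."""
    global _return_value
    _return_value |= FEATURE_BITS[feature_id]
    return _return_value


def current_return_value() -> int:
    return _return_value


def determine_virus_types(return_value: int) -> List[str]:
    """Determining unit: AND the return value with each type's mask; a type is
    recognised when every bit of its mask survives the AND."""
    return [name for name, info in VIRUS_TYPES.items()
            if (return_value & info["mask"]) == info["mask"]]


def decide_action(type_name: str, user_accepted_safe_repair: bool) -> str:
    """Operation unit: a single-process resident virus is handled by suspending or
    stopping the thread; a multi-process resident one prompts the user, and only an
    accepted prompt leads to the driver being told to prohibit process creation."""
    info = VIRUS_TYPES[type_name]
    if not info["multi_process_resident"]:
        return "suspend_or_stop_thread"
    if user_accepted_safe_repair:
        return "notify_driver_prohibit_process_creation"
    return "suspend_or_stop_thread"


def process_matches(matched_feature_ids: List[str], user_accepted_safe_repair: bool) -> Dict[str, object]:
    """Full pass for one target process: accumulate the mask, identify types, decide actions."""
    reset_return_value()
    for fid in matched_feature_ids:
        record_match(fid)
    types = determine_virus_types(current_return_value())
    actions = {t: decide_action(t, user_accepted_safe_repair) for t in types}
    return {"return_value": current_return_value(), "types": types, "actions": actions}


if __name__ == "__main__":
    print(process_matches(["VF-0001", "VF-0002"], user_accepted_safe_repair=True))
    print(process_matches(["VF-0003"], user_accepted_safe_repair=True))
```

Because the mask is a plain integer, a single thread that matched two codes and two threads that matched one code each produce the same return value; if that distinction matters, the per-thread hits from the matching stage have to be kept alongside the mask rather than folded into it.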
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
An integrated unit implemented as a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium includes several instructions that enable a computer device (which may be a personal computer, a server or a network device) or a processor to execute some of the steps of the methods according to the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A virus processing method, comprising:
performing feature analysis on threads included in a target process, to determine whether at least one of the threads included in the target process is successfully matched with virus feature information;
if at least one of the threads included in the target process is successfully matched with the virus feature information, determining virus type information according to the successfully matched virus feature information; and
prohibiting execution of a process creation operation according to the virus type information; wherein
the prohibiting execution of a process creation operation according to the virus type information comprises:
if the virus indicated by the virus type information has the characteristic of multi-process residence, prohibiting execution of the process creation operation, or suspending or stopping the at least one thread.
2. The method according to claim 1, wherein the performing feature analysis on threads included in a target process, to determine whether at least one of the threads included in the target process is successfully matched with virus feature information, comprises:
obtaining a name of the target process and/or a hash value of the name;
obtaining feature information of the threads included in the target process; and
matching, in a virus feature library, according to the name of the target process and/or the hash value of the name and the feature information of the threads included in the target process, to determine whether at least one of the threads included in the target process is successfully matched with virus feature information included in the virus feature library.
3. The method according to claim 1, further comprising, after the prohibiting execution of a process creation operation according to the virus type information:
determining a first file run by the target process corresponding to the at least one thread;
repairing the first file according to the virus type information to generate a second file, wherein the file name of the second file comprises a preset or randomly generated repair identifier; and
copying the second file to generate a third file, wherein the file name of the third file is the same as the file name of the first file.
4. The method according to claim 3, further comprising, after the copying the second file to generate a third file:
instructing the system to perform a restart operation; and
deleting the second file.
5. The method according to any one of claims 1 to 4, wherein the prohibiting execution of a process creation operation according to the virus type information comprises:
determining, according to the virus type information, whether to enter a safe repair mode;
if it is determined to enter the safe repair mode, generating a notification event; and
prohibiting execution of the process creation operation according to the notification event.
6. A virus processing device, comprising:
an analysis unit, configured to perform feature analysis on threads included in a target process, to determine whether at least one of the threads included in the target process is successfully matched with virus feature information;
a determining unit, configured to determine virus type information according to the successfully matched virus feature information if at least one of the threads included in the target process is successfully matched with the virus feature information; and
an operation unit, configured to prohibit execution of a process creation operation according to the virus type information; wherein
the operation unit is specifically configured to:
if the virus indicated by the virus type information has the characteristic of multi-process residence, prohibit execution of the process creation operation, or suspend or stop the at least one thread.
7. The device according to claim 6, wherein the determining unit is specifically configured to:
obtain a name of the target process and/or a hash value of the name;
obtain feature information of the threads included in the target process; and
match, in a virus feature library, according to the name of the target process and/or the hash value of the name and the feature information of the threads included in the target process, to determine whether at least one of the threads included in the target process is successfully matched with virus feature information included in the virus feature library.
8. The device according to claim 6, further comprising a repair unit, configured to:
determine a first file run by the target process corresponding to the at least one thread;
repair the first file according to the virus type information to generate a second file, wherein the file name of the second file comprises a preset or randomly generated repair identifier; and
copy the second file to generate a third file, wherein the file name of the third file is the same as the file name of the first file.
9. The device according to claim 8, wherein the repair unit is further configured to:
instruct the system to perform a restart operation; and
delete the second file.
10. The device according to any one of claims 6 to 9, wherein the operation unit is specifically configured to:
determine, according to the virus type information, whether to enter a safe repair mode;
if it is determined to enter the safe repair mode, generate a notification event; and
send the notification event to notify that execution of the process creation operation is prohibited.

Priority Applications (5)

Application Number | Priority Date | Filing Date | Title
CN201310583369.5A (CN103679024B) | 2013-11-19 | 2013-11-19 | Virus treating method and device
CN201510075309.1A (CN104657664B) | 2013-11-19 | 2013-11-19 | The processing method and equipment of virus
JP2014208092A (JP5888386B2) | 2013-11-19 | 2014-10-09 | Virus processing method and apparatus
EP14189276.0A (EP2874090B1) | 2013-11-19 | 2014-10-16 | Virus processing method and apparatus
US14/533,062 (US20150143523A1) | 2013-11-19 | 2014-11-04 | Virus processing method and apparatus

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201310583369.5A (CN103679024B) | 2013-11-19 | 2013-11-19 | Virus treating method and device

Related Child Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201510075309.1A (Division, CN104657664B) | The processing method and equipment of virus | 2013-11-19 | 2013-11-19

Publications (2)

Publication Number | Publication Date
CN103679024A | 2014-03-26
CN103679024B (granted) | 2015-03-25

Family

ID=50316534

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201310583369.5A (Active, CN103679024B) | Virus treating method and device | 2013-11-19 | 2013-11-19

Country Status (4)

Country | Link
US | US20150143523A1
EP | EP2874090B1
JP | JP5888386B2
CN | CN103679024B

Citations (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN101350052A * | 2007-10-15 | 2009-01-21 | 北京瑞星国际软件有限公司 | Method and apparatus for discovering malignancy of computer program
CN101950339A * | 2010-09-14 | 2011-01-19 | 上海置水软件技术有限公司 | Security protection method and system of computer
CN101950336A * | 2010-08-18 | 2011-01-19 | 奇智软件(北京)有限公司 | Method and device for removing malicious programs
CN102819697A * | 2011-12-26 | 2012-12-12 | 哈尔滨安天科技股份有限公司 | Method and system for detecting multi-platform malicious codes based on thread decompiling

Also Published As

Publication number | Publication date
US20150143523A1 | 2015-05-21
CN103679024A | 2014-03-26
JP2015099587A | 2015-05-28
EP2874090B1 | 2018-01-17
JP5888386B2 | 2016-03-22
EP2874090A1 | 2015-05-20

Legal Events

Date | Code | Title | Description
| PB01 | Publication |
2014-02-25 | ASS | Succession or assignment of patent right | Owner name: BAIDU ONLINE NETWORK TECHNOLOGY CO LTD (BEIJING); former owner: BAIDU INTERNATIONAL TECHNOLOGY (SHENZHEN) CO., LTD.
| C41 | Transfer of patent application or patent right or utility model |
| COR | Change of bibliographic data | Correction of address, from 518057 Shenzhen, Guangdong Province to 100085 Haidian, Beijing
2014-02-25 | TA01 | Transfer of patent application right | Address after: 100085 Baidu Building, No. 10 Shangdi 10th Street, Haidian District, Beijing; applicant after: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co., Ltd.; address before: 518057 Unit D, Room 301, 3rd floor, No. 5 Productivity Building, Hi-Tech Zone, Nanshan District, Shenzhen, Guangdong, China; applicant before: BAIDU INTERNATIONAL TECHNOLOGY (SHENZHEN) Co., Ltd.
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| C14 | Grant of patent or utility model |
| GR01 | Patent grant |