CN100596336C - System and method for removing ROOTKIT - Google Patents


Info

Publication number: CN100596336C
Authority: CN (China)
Prior art keywords: information, rootkit, testing tool, client operating, operating system
Legal status: Expired - Fee Related
Application number: CN200610066816A
Other languages: Chinese (zh)
Other versions: CN101046836A
Inventor: 杨文兵
Current Assignee: Lenovo Beijing Ltd
Original Assignee: Lenovo Beijing Ltd
Application filed by Lenovo Beijing Ltd
Priority to CN200610066816A
Publication of CN101046836A
Application granted
Publication of CN100596336C


Abstract

The present invention discloses a system and method for removing a ROOTKIT. The system comprises a virtual machine monitor, a service operating system running on the virtual machine monitor, and at least one guest operating system. The guest operating system comprises a detection tool agent module, and the service operating system comprises a detection tool. The invention also provides the concrete steps of the method for removing a ROOTKIT with this system.

Description

System and method for removing a ROOTKIT
Technical field
The present invention relates to systems and methods for removing viruses, and in particular to a system and method for removing a ROOTKIT.
Background art
As commercial users depend ever more heavily on personal computers (PCs), the main tools a user has for checking a PC for viruses and Trojans are anti-virus and anti-Trojan software. These tools work, while the system is running, by scanning the processes in system memory and the system files stored on the hard disk and matching them against known signature files, thereby finding viruses and Trojans.
An operating system consists of two parts, the kernel and the shell. The kernel does the actual work: CPU task scheduling, memory allocation and management, device management, file operations and so on. The shell is the interface built on the interactive functions the kernel provides; it passes on and interprets commands. Ordinary process-scanning tools and anti-virus software are no exception: the processes they can see are in fact those the kernel "sees" and feeds back to the application through the relevant interface (API), so a data channel inevitably exists. In short, a ROOTKIT tries to obtain the same privilege level as the kernel, or even to enter kernel space; it then has the same access rights as the kernel and can modify kernel code. Most commonly it modifies the API by which the kernel enumerates processes, so that the data returned always "omits" the ROOTKIT's own processes, and an ordinary process tool naturally cannot "see" the ROOTKIT. More advanced ROOTKITs tamper with more APIs: the user cannot see processes (the process API is intercepted), cannot see files (the file read/write API is intercepted), cannot see opened ports (the networking component's SOCK API is intercepted), and cannot even capture the relevant network packets (the networking component's NDIS API is intercepted). By hooking system functions, the ROOTKIT replaces the returned data with legitimate-looking values. Other covert activities of a ROOTKIT include hiding network activity and modifying the WINDOWS registry, all to keep its code from being found.
When a virus or Trojan adopts ROOTKIT technology, it hides its own processes in memory and the files it stores on the hard disk, so anti-virus and anti-Trojan software cannot find them and therefore cannot match them against signature files; viruses and Trojans that use ROOTKIT technology cannot be found by prior-art anti-virus and anti-Trojan software.
A virus or Trojan hidden in the system at best damages the system and at worst steals sensitive data such as the user's contracts and account numbers, causing the user serious losses.
At present, the most reliable way to detect a ROOTKIT is offline detection with the operating system shut down (OFFLINE OS). For example, the system is booted normally and all files, REGISTRY entries and so on are listed; the machine is then booted from a WINPE CD and all files and REGISTRY entries are listed again. The two lists are compared: normally they should be identical, and wherever they differ one finds the files that were invisible when the system was booted from itself.
The main defects of this method are:
1) it can only detect files on the hard disk and cannot check processes that enter the system through the network or by other means and exist only in the running state;
2) shutting the system down inconveniences the user, and for some important systems that cannot be shut down around the clock (for example a bank's authorization system) shutting down is impractical;
3) because the ROOTKIT is unknown, not only is finding it difficult, but how it replaces system core files and APIs is also unknown, so removing an unknown ROOTKIT poses technical problems.
Summary of the invention
An object of the present invention is to provide a system for removing a ROOTKIT.
Another object of the present invention is to provide a method for removing a ROOTKIT.
The system for removing a ROOTKIT of the present invention comprises a virtual machine monitor, and a service operating system and at least one guest operating system running on the virtual machine monitor, wherein:
the guest operating system comprises a detection tool agent module for collecting information in the guest operating system while the guest operating system is running;
the service operating system comprises a detection tool;
the detection tool is used to collect, from the virtual machine monitor, information on the running guest operating system, to compare the collected information with the information collected by the detection tool agent module in order to judge whether a ROOTKIT exists, and to replace the information modified by the ROOTKIT according to the information collected by the detection tool agent module.
The service operating system may further comprise an original system file reference module for saving initial system information when the guest operating system first runs.
The collected information is file list information or system memory state information.
The system memory state information is the system API interface address information and the program code corresponding to the API.
The method for removing a ROOTKIT of the present invention comprises the following steps:
Step A) the detection tool agent module collects the information of the user in the guest operating system;
Step B) the service operating system running on the virtual machine monitor checks whether the guest operating system running on the virtual machine monitor contains information modified by a ROOTKIT;
Step C) if a ROOTKIT exists, the information modified by the ROOTKIT is replaced according to the information collected by the detection tool agent module, removing the ROOTKIT.
Step B) may comprise the following steps:
Step B1) the detection tool collects, in the virtual machine monitor, the information opened by the guest operating system;
Step B2) the detection tool agent module in the guest operating system collects the information opened in the guest operating system and transmits the collected information to the detection tool of the service operating system;
Step B3) the information collected by the detection tool in step B1) is compared with the information collected by the detection tool agent module in step B2) to judge whether there is differing information;
Step B4) if there is no differing information, there is no ROOTKIT in the guest operating system and the check ends; if there is differing information, a ROOTKIT exists in the guest operating system.
Step C) may further comprise the following step:
the detection tool uses the information collected by the detection tool agent module in step B2) to replace the differing information modified by the ROOTKIT, removing the ROOTKIT.
The method for killing a ROOTKIT of the present invention may further comprise the following steps:
the original system file reference module in the service operating system saves the initial system information of the guest operating system;
for the differing information, the detection tool replaces the actual information modified by the ROOTKIT and stored on the hard disk with the initial system information saved in the original system file reference module.
The collected information is file list information or system memory state information.
The system memory state information is the API interface address information and the program code corresponding to the API.
The beneficial effects of the invention are as follows: with the system and method for removing a ROOTKIT of the present invention, an unknown ROOTKIT can be removed reliably while the operating system is running in real time; and because the detection tool and the original system file reference module of the present invention run in the memory region of the service operating system, which is controlled by the VMM and lies outside the guest operating system, viruses and Trojans that attack the operating system's security software cannot attack the VMM or the service operating system, so the detection tool and the original system file reference module cannot be attacked and are safe.
Description of drawings
Fig. 1 is a schematic diagram of the architecture of the system for removing a ROOTKIT according to one embodiment of the invention;
Fig. 2 is a flow chart of the method for removing a ROOTKIT according to one embodiment of the invention;
Fig. 3 is a schematic diagram of the architecture of the system for removing a ROOTKIT according to another embodiment of the invention;
Fig. 4 is a flow chart of the method for removing a ROOTKIT according to another embodiment of the invention.
Detailed description of the embodiments
The system and method for removing a ROOTKIT of the present invention are described in detail below with reference to Figs. 1 to 4.
Embodiment 1
Fig. 1 is a schematic diagram of the architecture of the system for removing a ROOTKIT according to one embodiment of the invention.
As shown in Fig. 1, the system for removing a ROOTKIT of this embodiment comprises: at least one guest operating system (guest OS) 1, a service operating system 2, and a virtual machine monitor (Virtual Machine Monitor, VMM) 3.
The virtual machine monitor 3 runs on a hardware platform that supports virtualization instructions, and existing operating systems of various kinds (including the guest operating system 1 and the service operating system 2 of the present invention) run on top of it. The service operating system 2 runs on the virtual machine monitor 3 and comprises a detection tool 22, which collects information on the running guest operating system 1 directly from the virtual machine monitor 3 (for example the set of opened files, the set of processes and the API interface addresses); it installs a detection tool agent module 22' in the guest operating system 1 to collect the information opened by the user in the guest operating system 1 (for example the set of opened files, the set of processes and the API interface addresses). The guest operating system 1 comprises the detection tool agent module 22' of the service operating system 2, which collects the information opened by the user in the guest operating system 1 and transmits the collected information to the detection tool 22.
The information collected by the detection tool 22 and the detection tool agent module 22' comprises: 1) file list information: the list of files stored on the storage device; 2) system memory state information, comprising the system API interface addresses and the program code corresponding to the API interfaces.
It will be understood that if a ROOTKIT is present in the guest operating system 1, then because the ROOTKIT hides itself and the files, system API interfaces and other information it has modified, the information collected and shown by the detection tool agent module 22' is the raw information not modified by the ROOTKIT (for example the original system files and the original API interfaces).
Specifically, when the guest operating system 1 first runs, the detection tool 22 starts running on the virtual machine monitor 3 and collects, directly from the virtual machine monitor 3, information on the running guest operating system 1 (including the set of files, the set of processes, the API interface addresses and the program code corresponding to the APIs), and compares it with the information collected in the guest operating system 1 and transmitted by the detection tool agent module 22'. If some file or process exists only in the set collected by the detection tool 22 and not in the set collected by the detection tool agent module 22', that differing file may be the ROOTKIT; if an API interface address collected by the detection tool 22 is inconsistent with the API interface address collected by the detection tool agent module 22', the differing API interface address is an API interface replaced by the ROOTKIT. The detection tool 22 then uses the information collected by the detection tool agent module 22', that is, the raw information not modified by the ROOTKIT, comprising the original system files, the original API interface addresses and the corresponding program code, to replace the actual system files, API interface addresses and corresponding program code modified by the ROOTKIT and stored on the hard disk, thereby removing the unknown ROOTKIT.
The method for removing a ROOTKIT of the present invention is introduced below with reference to Fig. 2 and comprises the following steps:
Step 101) the detection tool 22 in the service operating system 2 starts running on the virtual machine monitor 3, collects through the virtual machine monitor 3 the information opened by the user in the guest operating system 1 (for example the set of opened files, the set of processes and the API interface addresses), and notifies the detection tool agent module 22' in the guest operating system 1 to collect the information opened by the user in the guest operating system 1 (including the set of files, the set of processes and the API interface addresses);
Step 102) the detection tool agent module 22' in the guest operating system 1 transmits the information it collected in the guest operating system 1 to the detection tool 22 in the service operating system 2;
Step 103) the detection tool 22 compares the information collected by the detection tool 22 in step 101) with the information collected by the detection tool agent module 22' in step 102) and judges whether there is differing information (for example differing files, differing processes and differing API interface addresses); if there is no differing information, there is no ROOTKIT in the guest operating system 1, the guest operating system 1 is notified and the check ends; otherwise step 104) is executed;
Step 104) for the differing information, the detection tool 22 uses the corresponding information collected by the detection tool agent module 22' to replace the actual information modified by the ROOTKIT and stored on the hard disk (for example system files, API interface addresses and the program code corresponding to the APIs), thereby removing the unknown ROOTKIT.
A concrete example of applying the method of the present invention to a real system is described below:
The detection tool 22 in the service operating system 2 runs on the virtual machine monitor 3 and, through the virtual machine monitor 3, finds that the files opened while the guest operating system 1 runs are 1, 2, 3 and 4. The detection tool agent module 22' in the guest operating system 1 finds that the files opened directly in the guest operating system 1 are 1 and 2, and the content of file 1 differs from the content of file 1 collected by the detection tool 22: the content of file 1 collected by the detection tool 22 is abc, while the content of file 1 collected by the detection tool agent module 22' is def.
The collection process above shows that:
1) files 3 and 4 are new files generated on the hard disk by the ROOTKIT;
2) the content of file 1 was def before the ROOTKIT intrusion and was modified to abc after the ROOTKIT intrusion.
Files 3 and 4 must therefore be deleted and the content abc of file 1 changed back to def in order to restore the system damaged by the ROOTKIT to the undamaged system. Hence the detection tool 22 replaces files 1 (content abc), 3 and 4 stored on the hard disk with file 1 (content def) collected by the detection tool agent module 22', and the unknown ROOTKIT is removed. Restoring a system API interface address modified by the ROOTKIT is similar to restoring a system file modified by the ROOTKIT and is not described again here.
In summary, in the system for removing a ROOTKIT of embodiment 1 of the invention, VMM software runs on the hardware platform, the guest operating system 1 and the service operating system 2 run on the VMM, the detection tool 22 is placed in the service operating system 2, and the detection tool agent module 22' is placed in the guest operating system 1 to collect the information opened directly on the guest operating system 1; the detection tool 22 collects directly, in the virtual machine monitor 3, the information opened while the guest operating system 1 runs, compares it with the information collected by the detection tool agent module 22', and reveals the differing information, thereby reliably detecting an unknown ROOTKIT; then, for the differing information, the detection tool 22 substitutes the corresponding information collected by the detection tool agent module 22' for the actual information on the hard disk modified by the ROOTKIT, thereby removing the ROOTKIT. The detection tool 22 of the present invention runs in a memory region controlled by the VMM, outside the guest operating system; because viruses and Trojans that attack the operating system cannot attack the VMM, the detection tool and the original system file reference module cannot be attacked and are safe.
Embodiment 2
Fig. 3 is a schematic diagram of the architecture of the system for removing a ROOTKIT of this embodiment. The system for removing a ROOTKIT of this embodiment is substantially the same in structure as the system for removing a ROOTKIT of embodiment 1 of the invention and comprises: at least one guest operating system 1, a service operating system 2', and a virtual machine monitor 3. The difference is that the service operating system 2' of this embodiment comprises both the detection tool 22 and an original system file reference module 21.
The original system file reference module 21 mirrors or backs up the initial system information (including the set of files, the set of processes, the API interface addresses and the corresponding program code) when the guest operating system 1 first runs. The structure and function of the other units are substantially the same as in embodiment 1 of the invention and are not repeated here.
The purpose of mirroring or backing up the system information of the guest operating system 1 at its first run is the following: when system files and API interfaces infected by the ROOTKIT are detected, according to the uninfected raw information collected by the detection tool agent module 22', the detection module 22 uses the corresponding initial system information in the original system file reference module 21 to replace the actual information modified by the ROOTKIT and stored on the hard disk, thereby removing the unknown ROOTKIT.
Specifically, when the guest operating system 1 first runs, the original system file reference module 21 mirrors or backs up the initial system information; the detection tool 22 starts running on the virtual machine monitor 3, collects directly from the virtual machine monitor 3 the set of opened files, the set of processes, the API interface addresses and other information of the running guest operating system 1, and compares it with the set of files, the set of processes, the API interface addresses and other information collected by the detection tool agent module 22'. If some file or process exists only in the set collected by the detection tool 22 and not in the set collected by the detection tool agent module 22', that differing file may be the ROOTKIT; if an API interface address collected by the detection tool 22 is inconsistent with the API interface address collected by the detection tool agent module 22', the differing API interface address is an API interface replaced by the ROOTKIT. Then, according to the differing information, the detection tool 22 replaces the actual information modified by the ROOTKIT and stored on the hard disk (for example system files, API interface addresses and corresponding program code) with the corresponding information saved in the original system file reference module 21, thereby removing the unknown ROOTKIT.
The method for removing an unknown ROOTKIT of this embodiment is introduced below with reference to Fig. 4 and comprises the following steps:
Step 201) the original system file reference module 21 in the service operating system 2 mirrors or backs up the initial system information of the guest operating system 1;
Step 202) the detection tool 22 in the service operating system 2 starts running on the virtual machine monitor 3, collects through the virtual machine monitor 3 the set of files, the set of processes, the API interface addresses and other information opened by the user in the guest operating system 1, and notifies the detection tool agent module 22' in the guest operating system 1 to collect the set of files, the set of processes, the API interface addresses and other information opened by the user in the guest operating system 1;
Step 203) the detection tool agent module 22' in the guest operating system 1 transmits the information it collected to the detection tool 22 of the service operating system 2;
Step 204) the detection tool 22 compares the information collected by the detection tool 22 in step 202) with the information collected by the detection tool agent module 22' in step 203) and judges whether there is differing information (for example differing files, differing processes and differing API interface addresses); if there is no differing information, there is no ROOTKIT in the guest operating system 1, the guest operating system 1 is notified and the check ends; otherwise step 205) is executed;
Step 205) for the differing information, the detection tool 22 uses the corresponding initial system information mirrored or backed up in the original system file reference module 21 to replace the actual information modified by the ROOTKIT and stored on the hard disk (for example system files, API interfaces and corresponding program code), thereby removing the unknown ROOTKIT.
The application of the method for removing a ROOTKIT of this embodiment to a real system is described below with a concrete example:
When the guest operating system 1 first runs, the original system file reference module 21 in the service operating system 2 mirrors or backs up the system files 1 and 2 of the guest operating system 1, obtaining files 1' and 2'. The detection tool 22, running on the virtual machine monitor 3, finds that the files opened while the guest operating system 1 runs are 1, 2, 3 and 4. The detection tool agent module 22' in the guest operating system 1 finds that the files opened by the user in the guest operating system 1 are 1 and 2, and the content of file 1 differs from the content of file 1 collected by the detection tool 22: the content of file 1 collected by the detection tool 22 is abc, while the content of file 1 collected by the detection tool agent module 22' is def.
The collection process above shows that:
1) files 3 and 4 are new files generated on the hard disk by the ROOTKIT;
2) the content of file 1 was def before the ROOTKIT intrusion and was changed to abc by the ROOTKIT after the intrusion.
Files 3 and 4 must therefore be deleted and the content abc of file 1 changed back to def in order to restore the system damaged by the ROOTKIT to the undamaged system. Hence the detection tool 22 replaces files 1 (content abc), 3 and 4 stored on the hard disk with file 1' (content def) saved in the original system file reference module 21, and the unknown ROOTKIT is removed. Restoring a system API interface address modified by the ROOTKIT is similar to restoring a system file modified by the ROOTKIT and is not described again here.
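The cross-view comparison and repair of both embodiments (steps 103/104 and steps 204/205), as an added Python example that is not part of the patent: SystemView, the file names and contents, the API name and the addresses are constructed to reproduce the page's files 1 to 4 example, and the reference passed to remediate() selects the agent view (embodiment 1) or the first-run snapshot of module 21 (embodiment 2).

```python
from dataclasses import dataclass, field

# Constructed data model for the two "views" of the guest OS the patent compares.
# A view holds the file list with contents and the system API interface
# addresses; the page also compares process sets, which are handled exactly
# like files (present in one view, absent in the other) and are omitted here.

@dataclass
class SystemView:
    files: dict        # file name -> content as seen by this observer
    api_addrs: dict    # API interface name -> entry address (int)

@dataclass
class Finding:
    hidden_files: list = field(default_factory=list)    # seen by the VMM view only
    modified_files: list = field(default_factory=list)  # content differs between views
    hooked_apis: list = field(default_factory=list)     # API address differs between views

    def rootkit_present(self) -> bool:
        return bool(self.hidden_files or self.modified_files or self.hooked_apis)

def cross_view_diff(vmm_view: SystemView, agent_view: SystemView) -> Finding:
    """Step 103 / step 204: compare the detection tool's VMM-side view with the
    in-guest agent's view and report every difference."""
    finding = Finding()
    for name in sorted(vmm_view.files):
        if name not in agent_view.files:
            finding.hidden_files.append(name)          # file 3 / file 4 case
        elif vmm_view.files[name] != agent_view.files[name]:
            finding.modified_files.append(name)        # file 1 (abc vs def) case
    for api in sorted(vmm_view.api_addrs):
        if api in agent_view.api_addrs and vmm_view.api_addrs[api] != agent_view.api_addrs[api]:
            finding.hooked_apis.append(api)            # replaced API interface address
    return finding

def remediate(disk: SystemView, finding: Finding, reference: SystemView) -> SystemView:
    """Step 104 / step 205: delete files only the VMM saw, and restore modified
    files and hooked API addresses from the reference view. The reference is the
    agent view in embodiment 1 and the first-run snapshot (module 21) in
    embodiment 2. Returns the repaired on-disk view."""
    repaired = SystemView(dict(disk.files), dict(disk.api_addrs))
    for name in finding.hidden_files:
        repaired.files.pop(name, None)
    for name in finding.modified_files:
        if name in reference.files:
            repaired.files[name] = reference.files[name]
    for api in finding.hooked_apis:
        if api in reference.api_addrs:
            repaired.api_addrs[api] = reference.api_addrs[api]
    return repaired

# Constructed sample reproducing the page's worked example: the VMM sees files
# 1 to 4, the agent sees only 1 and 2, and file 1 reads "abc" on disk but "def"
# through the agent. The API name and both addresses are constructed placeholders.
VMM_VIEW = SystemView(
    files={"file1": "abc", "file2": "xyz", "file3": "rk-a", "file4": "rk-b"},
    api_addrs={"enum_processes_api": 0x9000},
)
AGENT_VIEW = SystemView(
    files={"file1": "def", "file2": "xyz"},
    api_addrs={"enum_processes_api": 0x1000},
)
# Embodiment 2: snapshot taken by module 21 at the guest's first run (files 1' and 2').
FIRST_RUN_SNAPSHOT = SystemView(
    files={"file1": "def", "file2": "xyz"},
    api_addrs={"enum_processes_api": 0x1000},
)

def run_embodiment(reference: SystemView):
    """Detect, then repair against the given reference; returns (finding, repaired)."""
    finding = cross_view_diff(VMM_VIEW, AGENT_VIEW)
    if not finding.rootkit_present():
        return finding, VMM_VIEW
    return finding, remediate(VMM_VIEW, finding, reference)

if __name__ == "__main__":
    for label, ref in (("embodiment 1", AGENT_VIEW), ("embodiment 2", FIRST_RUN_SNAPSHOT)):
        finding, repaired = run_embodiment(ref)
        print(label, finding, sorted(repaired.files), repaired.api_addrs)
```

A difference only proves that the two views disagree; if the in-guest agent itself has been tampered with, embodiment 1 restores from a bad reference, which is the gap the first-run snapshot of embodiment 2 closes.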
In this embodiment, placing the original system file reference module 21 in the service operating system 2 is one preferred mode; the present invention is not limited to placing the original system file reference module 21 in the service operating system 2, as long as the module completes the mirroring or backup of the initial system files, the system API interface addresses and other information when the guest operating system 1 first runs.
In summary, in the system for removing a ROOTKIT of this embodiment, VMM software runs on the hardware platform, the guest operating system 1 and the service operating system 2' run on the VMM, the detection tool agent module 22' is placed in the guest operating system 1 to collect the information opened directly on the guest operating system 1, and the detection tool 22 is placed in the service operating system 2' to collect directly, in the virtual machine monitor 3, the information opened while the guest operating system 1 runs, compare it with the information collected by the detection tool agent module 22', and reveal the differing information, thereby reliably detecting an unknown ROOTKIT. By adding the original system file reference module 21, which keeps the initial system information, the detection tool 22 substitutes, for the differing information, the corresponding information saved in the original system file reference module 21 for the actual information on the hard disk modified by the ROOTKIT, thereby removing the ROOTKIT. The detection tool 22 and the original system file reference module 21 of this embodiment run in a memory region controlled by the VMM, outside the guest operating system; because viruses and Trojans that attack the operating system cannot attack the VMM, the detection tool 22 and the original system file reference module 21 cannot be attacked and are safe.
In the embodiments of the invention described above, placing the detection tool agent module in the guest operating system is one preferred mode; the present invention is not limited to placing the detection tool agent module in the guest operating system, and the detection tool agent module can be realized in various other ways. For example, when the detection tool in the service operating system starts running, it replicates itself, transmits the copy into the guest operating system as the detection tool agent module, and runs and keeps this detection tool agent module resident in the guest operating system; or the detection tool in the service operating system transmits a detection tool agent module into the guest operating system and runs and keeps the detection tool agent module resident there. Since file copying and transmission are prior art, they are not repeated here.
In summary, with the system and method for removing a ROOTKIT of the present invention, an unknown ROOTKIT can be removed reliably while the operating system is running in real time; and because the detection tool and the original system file reference module of the present invention run in the memory region of the service operating system, which is controlled by the VMM and lies outside the guest operating system, viruses and Trojans that attack the operating system's security software cannot attack the VMM or the service operating system, so the detection tool and the original system file reference module cannot be attacked and are safe.
Those skilled in the art will be able to derive other advantages and variations from the above embodiments. The present invention is therefore not limited to the specific embodiments described above, which explain the invention in detail only by way of example. Without departing from the spirit of the invention, those of ordinary skill in the art may replace the above specific embodiments with various equivalent technical solutions, and all such solutions fall within the scope of the claims of the present invention and their equivalents.

Claims (8)

1. A system for removing a ROOTKIT, comprising a virtual machine monitor (3), and a service operating system (2) and at least one guest operating system (1) running on the virtual machine monitor (3), characterized in that:
the guest operating system (1) comprises a detection tool agent module (22') for collecting the information in the guest operating system (1) while the guest operating system (1) is running;
the service operating system (2) comprises a detection tool (22);
the detection tool (22) is used to collect, in the virtual machine monitor (3), information on the running guest operating system (1), to compare the collected information with the information collected by the detection tool agent module (22') in order to judge whether a ROOTKIT exists, and to replace the information modified by the ROOTKIT according to the information collected by the detection tool agent module (22').
2. The system for removing a ROOTKIT according to claim 1, characterized in that the service operating system (2) further comprises an original system file reference module (21) for saving initial system information when the guest operating system (1) first runs.
3. The system for removing a ROOTKIT according to claim 1, characterized in that the information collected by the detection tool (22) and the detection tool agent module (22') is file list information or system memory state information.
4. The system for removing a ROOTKIT according to claim 3, characterized in that the system memory state information is the system API interface address information and the program code corresponding to the API.
5. a method of removing ROOTKIT is characterized in that, is applied to a virtual machine monitor (3), and described virtual machine monitor (3) is gone up operation one service operations system (2) and at least one client operating system (1), may further comprise the steps:
Steps A) testing tool proxy module (22 ') is collected the information of user in client operating system (1);
Step B) described service operations system (2) includes a testing tool (22), the information when described testing tool (22) is collected client operating system (1) operation, and the information of collecting with testing tool proxy module (22 ') is relatively;
Step C) when comparative result when there are differences, if judge and have ROOTKIT, then the information of collecting according to testing tool proxy module (22 ') will be replaced by the information that ROOTKIT revises, and remove ROOTKIT.
6. the method for removing ROOTKIT as claimed in claim 5 is characterized in that, and is further comprising the steps of:
Original system file is preserved starter system information in the client operating system (1) with reference to module (21) in the service operations system (2);
At different information, testing tool (22) is replaced the actual information of being revised by ROOTKIT that hard disk is preserved with the primal system file with reference to the starter system information of preserving in the module (21).
7. the method for removing ROOTKIT as claimed in claim 5 is characterized in that the described information that described testing tool (22) and testing tool proxy module (22 ') are collected is listed files information or Installed System Memory status information.
8. the method for removing ROOTKIT as claimed in claim 7 is characterized in that described Installed System Memory status information is the program code of api interface address information and API correspondence.
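The two-vantage-point scheme of claims 1 to 8, worked through as an added Python example (this is not code from the patent or from Lenovo). The in-guest view that the detection tool proxy module would collect, the view the detection tool would take from the virtual machine monitor, and the first-boot snapshot of the original system file reference module are all constructed inline; the two API names are real Windows routine names used only as labels, and every path, address and byte string is invented for the demonstration. Beyond the claims themselves, the example also compares the live out-of-guest view against the saved reference, because a modification that looks the same from both vantage points (an inline patch of a function prologue, say) produces no difference for step C to act on:

```python
"""Cross-view ROOTKIT detection with restore from a first-boot snapshot.

Added illustrative example, not the patent's or Lenovo's code.  Both views
and the reference are constructed dicts; the API names are real Windows
routine names used as labels, all addresses and bytes are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ApiEntry:          # claim 4: API interface address plus its leading code bytes
    address: int
    code: bytes


@dataclass
class View:              # claim 3: one vantage point's file list and memory state
    files: FrozenSet[str]
    apis: Dict[str, ApiEntry]


@dataclass(frozen=True)
class Finding:
    kind: str            # hidden_file | phantom_file | api_missing | api_hooked | api_patched
    subject: str
    detail: str


def compare_views(guest: View, monitor: View) -> List[Finding]:
    """Steps B/C: diff the proxy module's in-guest view against the view the
    detection tool took from the virtual machine monitor."""
    out: List[Finding] = []
    for path in sorted(monitor.files - guest.files):
        out.append(Finding("hidden_file", path, "on disk, absent from in-guest listing"))
    for path in sorted(guest.files - monitor.files):
        out.append(Finding("phantom_file", path, "listed in guest, not found on disk"))
    for name in sorted(monitor.apis):
        m, g = monitor.apis[name], guest.apis.get(name)
        if g is None:
            out.append(Finding("api_missing", name, "agent could not resolve this export"))
        elif g.address != m.address:
            out.append(Finding("api_hooked", name,
                               f"guest sees {g.address:#x}, monitor sees {m.address:#x}"))
        elif g.code != m.code:
            out.append(Finding("api_patched", name, "prologue bytes differ between views"))
    return out


def check_against_reference(monitor: View, reference: View) -> List[Finding]:
    """Claim 2: compare the live hypervisor-side view with the snapshot saved on
    first boot.  Catches changes that look identical from both vantage points."""
    out: List[Finding] = []
    for name in sorted(reference.apis):
        ref, live = reference.apis[name], monitor.apis.get(name)
        if live is None:
            continue                      # not collected in this run
        if live.address != ref.address:
            out.append(Finding("api_hooked", name,
                               f"live {live.address:#x} != reference {ref.address:#x}"))
        elif live.code != ref.code:
            out.append(Finding("api_patched", name, "prologue bytes differ from reference"))
    return out


def restore(live: View, reference: View, findings: List[Finding]) -> Tuple[View, List[str]]:
    """Claims 1 and 6: write the saved originals back over what the ROOTKIT changed.
    Returns the repaired view and an action log."""
    apis, actions, done = dict(live.apis), [], set()
    for f in findings:
        if f.kind in ("api_hooked", "api_patched") and f.subject in reference.apis:
            if f.subject not in done:
                apis[f.subject] = reference.apis[f.subject]
                done.add(f.subject)
                actions.append(f"restored {f.subject} -> {apis[f.subject].address:#x}")
        elif f.kind == "hidden_file":     # evidence to preserve, not something to overwrite
            actions.append(f"quarantine {f.subject}")
    return View(live.files, apis), actions


# ---- constructed sample data (not captured from any real system) ------------
_ORIG = bytes.fromhex("8bff558bec")       # mov edi,edi; push ebp; mov ebp,esp
_JMP = bytes.fromhex("e9f0ff0a00")        # jmp rel32 written over the prologue
_SYS32 = "C:/Windows/System32/"

REFERENCE = View(                         # saved by the reference module on first boot
    files=frozenset({_SYS32 + "ntoskrnl.exe", _SYS32 + "drivers/disk.sys"}),
    apis={"NtQueryDirectoryFile": ApiEntry(0x80501000, _ORIG),
          "NtQuerySystemInformation": ApiEntry(0x80502000, _ORIG)})
# In-guest agent asks the subverted kernel: the dropped driver is filtered out
# of the listing and the original dispatch address is reported back.
GUEST = View(files=REFERENCE.files,
             apis={"NtQueryDirectoryFile": ApiEntry(0x80501000, _ORIG),
                   "NtQuerySystemInformation": ApiEntry(0x80502000, _JMP)})
# Hypervisor-side tool reads the disk image and guest memory directly.
MONITOR = View(files=REFERENCE.files | {_SYS32 + "drivers/rk.sys"},
               apis={"NtQueryDirectoryFile": ApiEntry(0xF8A00100, bytes.fromhex("5589e583ec")),
                     "NtQuerySystemInformation": ApiEntry(0x80502000, _JMP)})


def run_scan(guest: View = GUEST, monitor: View = MONITOR, reference: View = REFERENCE) -> dict:
    """Full pass: cross-view diff, reference check, then restore."""
    cross = compare_views(guest, monitor)
    ref = check_against_reference(monitor, reference)
    repaired, actions = restore(monitor, reference, cross + ref)
    return {"cross_view": cross, "reference": ref, "repaired": repaired, "actions": actions}


if __name__ == "__main__":
    r = run_scan()
    for f in r["cross_view"] + r["reference"]:
        print(f"{f.kind:12} {f.subject}: {f.detail}")
    for a in r["actions"]:
        print("ACTION", a)
```

The cross-view diff is only as good as the independence of the second view: if the hypervisor-side collector resolves addresses or lists files by calling into the guest kernel, it inherits the same lie the agent sees, which is why the detection tool has to read the disk image and guest memory through the virtual machine monitor rather than through the client operating system. The restore step here rewrites an in-memory table; the write-back of claim 6 targets the copy on the hard disk, and a hidden file is kept as evidence rather than overwritten.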
CN200610066816A 2006-03-29 2006-03-29 System and method for removing ROOTKIT Expired - Fee Related CN100596336C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200610066816A CN100596336C (en) 2006-03-29 2006-03-29 System and method for removing ROOTKIT

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200610066816A CN100596336C (en) 2006-03-29 2006-03-29 System and method for removing ROOTKIT

Publications (2)

Publication Number Publication Date
CN101046836A CN101046836A (en) 2007-10-03
CN100596336C true CN100596336C (en) 2010-03-31

Family

ID=38771440

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610066816A Expired - Fee Related CN100596336C (en) 2006-03-29 2006-03-29 System and method for removing ROOTKIT

Country Status (1)

Country Link
CN (1) CN100596336C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102523215A (en) * 2011-12-15 2012-06-27 北京海云捷迅科技有限公司 Virtual machine (VM) online antivirus system based on KVM virtualization platform

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100504904C (en) * 2007-12-25 2009-06-24 北京大学 Windows concealed malevolence software detection method
CN101359351B (en) * 2008-09-25 2010-11-10 中国人民解放军信息工程大学 Multilayer semantic annotation and detection method against malignancy
CN102122330B (en) * 2011-01-24 2014-12-03 中国人民解放军国防科学技术大学 'In-VM' malicious code detection system based on virtual machine
CN103150508B (en) * 2013-03-08 2015-10-21 北京理工大学 Based on the rootkit behavior discrimination method of multidimensional cross-view
CN104050413A (en) * 2013-03-13 2014-09-17 腾讯科技(深圳)有限公司 Method for data processing and terminal
CN103902902A (en) * 2013-10-24 2014-07-02 哈尔滨安天科技股份有限公司 Rootkit detection method and system based on embedded system
CN109388348A (en) * 2018-10-15 2019-02-26 北京迈拓晨峰科技发展有限公司 A kind of data destruction device, method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102523215A (en) * 2011-12-15 2012-06-27 北京海云捷迅科技有限公司 Virtual machine (VM) online antivirus system based on KVM virtualization platform
CN102523215B (en) * 2011-12-15 2014-10-01 北京海云捷迅科技有限公司 Virtual machine (VM) online antivirus system based on KVM virtualization platform

Also Published As

Publication number Publication date
CN101046836A (en) 2007-10-03

Similar Documents

Publication Publication Date Title
CN100472547C (en) System and method for killing ROOTKIT
CN100596336C (en) System and method for removing ROOTKIT
CN101986324B (en) Asynchronous processing of events for malware detection
US7861300B2 (en) Method and apparatus for determination of the non-replicative behavior of a malicious program
EP1751649B1 (en) Systems and method for computer security
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
US8079085B1 (en) Reducing false positives during behavior monitoring
US20140053267A1 (en) Method for identifying malicious executables
US7934261B1 (en) On-demand cleanup system
US9239922B1 (en) Document exploit detection using baseline comparison
US8108931B1 (en) Method and apparatus for identifying invariants to detect software tampering
US20080005796A1 (en) Method and system for classification of software using characteristics and combinations of such characteristics
US20170193227A1 (en) Method, apparatus and system for processing computer virus
EP1915719B1 (en) Information protection method and system
MXPA05012549A (en) Method and system for a self-healing device.
RU2697954C2 (en) System and method of creating antivirus record
KR20100049258A (en) Method and system for protecting abusinng based browser
GB2465240A (en) Detecting malware by monitoring executed processes
US9152791B1 (en) Removal of fake anti-virus software
US10262139B2 (en) System and method for detection and prevention of data breach and ransomware attacks
US20140372991A1 (en) System, method, and computer program product for simulating at least one of a virtual environment and a debugging environment to prevent unwanted code from executing
CN101154253B (en) Computer security protection method and computer security protection instrument
US12013942B2 (en) Rootkit detection based on system dump sequence analysis
EP2306356A2 (en) Asynchronous processing of events for malware detection
US20230315848A1 (en) Forensic analysis on consistent system footprints

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (Granted publication date: 20100331; Termination date: 20210329)