CN115333844B - Virus behavior monitoring method and device, electronic equipment and storage medium - Google Patents


Publication number
CN115333844B
Authority
CN
China
Prior art keywords
recording operation
screen recording
terminal device
virus
file
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210985583.2A
Other languages
Chinese (zh)
Other versions
CN115333844A (en
Inventor
李忠元
高鹭
韩文奇
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Application filed by Antiy Technology Group Co Ltd filed Critical Antiy Technology Group Co Ltd
Priority to CN202210985583.2A priority Critical patent/CN115333844B/en
Publication of CN115333844A publication Critical patent/CN115333844A/en
Publication of CN115333844B publication Critical patent/CN115333844B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N5/00 Details of television systems
    • H04N5/76 Television signal recording
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 Television systems
    • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Multimedia (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a method and apparatus for monitoring virus behavior, an electronic device, and a storage medium. The method for monitoring virus behavior is applied to a first terminal device and comprises the following steps: in response to detecting that virus behavior has occurred on the first terminal device, performing a screen recording operation of the virus behavior on the first terminal device; encrypting the file content obtained through the screen recording operation; and uploading the encrypted file content to a second terminal device, so that the file content is played by the second terminal device. The technical scheme provided by the specification can accurately trace the virus.

Description

Virus behavior monitoring method and device, electronic equipment and storage medium
Technical Field
Embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a method and apparatus for monitoring virus behavior, an electronic device, and a storage medium.
Background
With the widespread use of computer technology in every area of social life, viruses have followed like an unwanted accessory. Because they are infectious, self-replicating and destructive, these viruses have become a significant problem for computer use.
At present, when software or a program for monitoring viruses monitors virus behavior on a terminal device, the monitoring results are recorded as text in a log. When such logs are used to trace a virus, the tracing can be inaccurate because the information in the logs is complex, the virus behavior is not presented visually enough, and the logs can be tampered with by the virus, among other reasons.
Disclosure of Invention
In order to accurately trace the source of viruses, the embodiment of the specification provides a method, a device, electronic equipment and a storage medium for monitoring virus behaviors.
In a first aspect, an embodiment of the present disclosure provides a method for monitoring virus behavior, which is applied to a first terminal device and includes:
in response to detecting that virus behavior has occurred on the first terminal device, performing a screen recording operation of the virus behavior on the first terminal device;
encrypting the file content obtained through the screen recording operation;
uploading the encrypted file content to a second terminal device, so that the file content is played by the second terminal device.
In one possible design, detecting that virus behavior has occurred on the first terminal device includes:
detecting a popup prompt of the first terminal device for virus behavior.
In one possible design, performing the screen recording operation of the virus behavior on the first terminal device includes:
displaying the background virus behavior of the virus on the first terminal device in the foreground of the first terminal device, so that the screen recording operation can be performed.
In one possible design, after performing the screen recording operation of the virus behavior on the first terminal device and before encrypting the file content obtained through the screen recording operation, the method further includes:
ending the screen recording operation in response to a first preset duration having elapsed since the screen recording operation was started; and/or
ending the screen recording operation in response to no popup prompt of the first terminal device for virus behavior being detected within a second preset duration after the screen recording operation was started; and/or
ending the screen recording operation in response to the storage capacity of the file content obtained through the screen recording operation reaching a preset threshold.
In one possible design, the file content is a video file;
encrypting the file content obtained through the screen recording operation includes:
for each video frame in the video file obtained through the screen recording operation, masking the desktop information and/or the file information opened by mouse click in the current video frame;
encrypting the video file obtained after the masking.
In one possible design, the file content is a video file;
encrypting the file content obtained through the screen recording operation includes:
for each video frame in the video file obtained through the screen recording operation, performing secondary processing on the video frames that contain the mouse cursor, wherein the secondary processing includes deletion and/or encryption;
encrypting the video file obtained after the secondary processing.
In one possible design, the file content is a video file;
after encrypting the file content obtained through the screen recording operation and before uploading the encrypted file content to the second terminal device, the method further includes:
performing format conversion on the encrypted video file to obtain a target video file, wherein the format of the target video file is not an audio-visual format;
uploading the encrypted file content to the second terminal device includes:
uploading the target video file to the second terminal device.
In a second aspect, an embodiment of the present disclosure further provides a device for monitoring virus behavior, which is applied to a first terminal device and includes:
a screen recording module, configured to perform a screen recording operation of the virus behavior on the first terminal device in response to detecting that virus behavior has occurred on the first terminal device;
an encryption module, configured to encrypt the file content obtained through the screen recording operation;
an uploading module, configured to upload the encrypted file content to a second terminal device, so that the file content is played by the second terminal device.
In a third aspect, embodiments of the present specification further provide an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor implements the method described in any embodiment of the present specification when executing the computer program.
In a fourth aspect, the embodiments of the present specification also provide a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method according to any of the embodiments of the present specification.
The embodiments of the specification provide a method, a device, electronic equipment and a storage medium for monitoring virus behavior. In response to detecting that virus behavior has occurred on a first terminal device, a screen recording operation of the virus behavior is performed on the first terminal device, the file content obtained through the screen recording operation is encrypted, and the encrypted file content is uploaded to a second terminal device so that the second terminal device can play it. The virus behavior is thus effectively recorded as a screen recording, which provides a valuable reference for subsequent sample analysis.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for monitoring virus behavior according to an embodiment of the present disclosure;
FIG. 2 is a hardware architecture diagram of an electronic device according to an embodiment of the present disclosure;
Fig. 3 is a structural diagram of a monitoring device for virus behavior according to an embodiment of the present disclosure.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present specification more apparent, the technical solutions of the embodiments of the present specification will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present specification, and it is apparent that the described embodiments are some, but not all, embodiments of the present specification, and all other embodiments obtained by persons of ordinary skill in the art without making any inventive effort based on the embodiments of the present specification are within the scope of protection of the present specification.
As described above, when software or a program for monitoring viruses monitors virus behavior on a terminal device, the monitoring results are recorded as text in a log. When such logs are used to trace a virus, the tracing can be inaccurate because the information in the logs is complex, the virus behavior is not presented visually enough, and the logs can be tampered with by the virus, among other reasons.
To solve this technical problem, the inventors found during development that virus behavior can be effectively recorded by performing a screen recording operation of the virus behavior on the terminal device and encrypting the file content produced by the completed screen recording, thereby providing a valuable reference for subsequent sample analysis.
The inventive concept of the embodiments of the present specification is described below.
Referring to FIG. 1, an embodiment of the present disclosure provides a method for monitoring virus behavior, which is applied to a first terminal device and includes:
Step 100: in response to detecting that virus behavior has occurred on the first terminal device, performing a screen recording operation of the virus behavior on the first terminal device;
Step 102: encrypting the file content obtained through the screen recording operation;
Step 104: uploading the encrypted file content to the second terminal device, so that the file content is played by the second terminal device.
In the embodiment of the specification, in response to detecting that virus behavior has occurred on the first terminal device, a screen recording operation of the virus behavior is performed on the first terminal device, the file content obtained through the screen recording operation is encrypted, and the encrypted file content is uploaded to the second terminal device so that the second terminal device can play it. The virus behavior is thus effectively recorded as a screen recording, which provides a valuable reference for subsequent sample analysis.
The manner in which the individual steps shown in fig. 1 are performed is described below.
For step 100:
It is to be understood that the first terminal device and the second terminal device may each be either a computer or a server, which is not particularly limited herein.
It is also understood that virus behavior includes, but is not limited to: adding a startup item to the registry (i.e., the virus runs automatically when the terminal device is restarted); registering a service; releasing files (i.e., the virus first makes a copy of itself and then moves that copy to another place); marking the released exe as a hidden file and a system file; encrypting files for ransom extortion; infecting exe files (e.g., copying the virus into an exe using an API such as CopyFile, so that if the exe is opened by double-clicking, the terminal device carries the virus); detecting antivirus processes (for example, traversing all processes, checking whether any name on the terminal device matches the name of antivirus software, and if so, invoking the Windows API that exits a process); system-related processes (e.g., Task Manager, Registry Editor, etc.); and copying the virus to the system directory (to hide itself, typically under the system directory). Common viruses include infectious viruses, Trojan horses, worms, ransomware, APT and the like.
In one embodiment of the present specification, the step of "detecting that virus behavior has occurred on the first terminal device" may specifically include:
detecting a popup prompt of the first terminal device for virus behavior.
In this embodiment, many common scenes do not need to be recorded; the recorded information usually has reference value only from the point where suspected virus behavior starts. Therefore, considering the impact of long recordings and recorded files on system performance and disk space, the screen recording operation of the virus behavior can be performed on the first terminal device when a popup prompt of the first terminal device for virus behavior is detected. Taking the Antiy Zhijia terminal monitoring system as an example, when Zhijia senses virus behavior and shows a popup prompt, screen recording is started by default at that moment.
Of course, besides using a popup prompt of the first terminal device for virus behavior to indicate that virus behavior has occurred on the first terminal device, there may also be no popup prompt. For example, when a background program detects that virus behavior has occurred on the first terminal device, the screen recording operation can be performed.
In addition to the first terminal device automatically performing the screen recording operation on the virus behavior, in an embodiment of the present specification the screen recording operation may also be triggered by a user (i.e., an operator), for example by a start instruction that the user issues to the first terminal device.
It should be noted that having the operator start the recording manually suits scenarios in which the operator leaves the first terminal device temporarily or does not use it for a long time. In this scenario, after the operator enables screen recording, the screen recording program starts and begins recording.
In one embodiment of the present disclosure, the step of performing a screen recording operation of the virus behavior on the first terminal device may specifically include:
displaying the background virus behavior of the virus on the first terminal device in the foreground of the first terminal device, so that the screen recording operation can be performed.
In this embodiment, in order to record background virus behavior on the first terminal device, for example when the antivirus software detects a virus on the first terminal device, the virus may be tracked and its background virus behavior may be displayed (or run) in the foreground.
For example, when the antivirus software detects that the virus is modifying a configuration file in the background, the first terminal device may open that configuration file in the foreground, so that the screen recording operation can conveniently be performed.
In one embodiment of the present specification, after step 100 and before step 102, the method may further include:
ending the screen recording operation in response to a first preset duration having elapsed since the screen recording operation was started.
In this embodiment, considering the impact of long recordings and recorded files on system performance and disk space, the screen recording operation may be ended when the first preset duration after the start of the screen recording operation is reached.
In some embodiments, the first preset duration may be 1, 2 or 3 hours, and the specific value of the first preset duration is not limited herein.
In one embodiment of the present specification, after step 100 and before step 102, the method may further include:
ending the screen recording operation in response to no popup prompt of the first terminal device for virus behavior being detected within a second preset duration after the screen recording operation was started.
In this embodiment, considering the impact of long recordings and recorded files on system performance and disk space, the screen recording operation may be ended when the second preset duration after the start of the screen recording operation has been reached and no popup prompt of the first terminal device for virus behavior has been detected within that second preset duration.
Generally, after detecting a virus, antivirus software gives priority to killing it, to stop the virus from invading the first terminal device and so prevent subsequent virus behavior. However, a virus typically launches not one attack but several, and the location on the first terminal device that it attacks varies from attack to attack. Therefore, the screen recording operation needs to be ended when the second preset duration after the start of the screen recording operation has been reached and no popup prompt of the first terminal device for virus behavior has been detected within that second preset duration.
It should be noted that although the antivirus software kills the virus, it can still obtain the location of the virus when it attacked the first terminal device and the operation the virus intended to perform (although that operation may be blocked by the antivirus software during execution). That is, the antivirus software kills the virus but also records its virus behavior.
In some embodiments, the second preset duration may be 1, 2 or 3 hours, and the specific value of the first preset duration is not limited herein.
In one embodiment of the present specification, after step 100 and before step 102, the method may further include:
ending the screen recording operation in response to the storage capacity of the file content obtained through the screen recording operation reaching a preset threshold.
In this embodiment, considering the impact of long recordings and recorded files on system performance and disk space, the screen recording operation may be ended when the storage capacity of the file content obtained through the screen recording operation reaches a preset threshold.
In some embodiments, the preset threshold may be 100, 200 or 300M, and the specific value of the preset threshold is not limited herein.
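The three stop conditions described above, as an added example that is not from the patent: a small controller replayed over constructed event timelines. The class and function names are hypothetical, "100M" is read as 100 MiB, and the second condition is generalized to a sliding quiet window measured from the most recent prompt, which is an assumption; the patent text measures it from the start of recording.

```python
"""Added illustration (not from the patent): when should a triggered
screen recording stop?  Names and the sliding quiet window are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Tuple

MB = 1024 * 1024  # assumption: the page's "100M" is read as 100 MiB


@dataclass(frozen=True)
class StopPolicy:
    max_duration_s: int   # "first preset duration" after recording starts
    quiet_period_s: int   # "second preset duration" with no new popup prompt
    max_bytes: int        # "preset threshold" on the recorded file size


@dataclass
class Session:
    policy: StopPolicy
    started_at: int
    last_alert_at: int
    bytes_written: int = 0

    def next_deadline(self) -> Tuple[int, str]:
        """Earliest time-based stop and its reason, given alerts seen so far."""
        hard = (self.started_at + self.policy.max_duration_s, "max_duration")
        quiet = (self.last_alert_at + self.policy.quiet_period_s, "quiet_period")
        return min(hard, quiet)


Event = Tuple[int, str, int]  # (seconds, "alert" | "chunk", bytes for a chunk)


def replay(policy: StopPolicy, events: Iterable[Event]) -> Tuple[int, str, int]:
    """Replay a time-ordered event list; return (stop_time, reason, bytes)."""
    it = iter(events)
    t0, kind, _ = next(it)
    if kind != "alert":
        raise ValueError("recording is triggered by a virus-behavior prompt")
    s = Session(policy, started_at=t0, last_alert_at=t0)
    for t, kind, value in it:
        deadline, reason = s.next_deadline()
        if t >= deadline:
            # A timer fired before this event: anything later, including a
            # fresh alert, belongs to a new session and must not revive this one.
            return deadline, reason, s.bytes_written
        if kind == "alert":
            s.last_alert_at = t  # repeated attacks extend the quiet window
        elif kind == "chunk":
            s.bytes_written += value
            if s.bytes_written >= policy.max_bytes:
                return t, "size_threshold", s.bytes_written
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    deadline, reason = s.next_deadline()
    return deadline, reason, s.bytes_written


# Constructed policy: 3 h cap, 1 h quiet window, 100 MiB file limit.
POLICY = StopPolicy(max_duration_s=3 * 3600, quiet_period_s=3600,
                    max_bytes=100 * MB)

# Constructed timelines (seconds since the first prompt).
ONE_BURST = [(0, "alert", 0), (600, "chunk", 10 * MB), (1800, "alert", 0),
             (2400, "chunk", 10 * MB)]
REPEATED_ATTACKS = [(t, "alert", 0) for t in range(0, 15000, 3000)]
LARGE_CAPTURE = [(0, "alert", 0), (300, "chunk", 40 * MB),
                 (600, "chunk", 40 * MB), (900, "chunk", 40 * MB)]
LATE_ALERT = [(0, "alert", 0), (4000, "alert", 0)]

if __name__ == "__main__":
    for name, timeline in [("one burst", ONE_BURST),
                           ("repeated attacks", REPEATED_ATTACKS),
                           ("large capture", LARGE_CAPTURE),
                           ("late alert", LATE_ALERT)]:
        print(name, replay(POLICY, timeline))
```

The late-alert timeline is the case worth checking in a real agent: a prompt that arrives after the quiet window has closed should open a new recording rather than extend one that has already been handed to the encryption step.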
For step 102:
It will be appreciated that the file content may include streaming files (i.e., files that are still being recorded) and video files (i.e., files whose recording is complete). The processing for video files and for streaming files is described separately below.
When the file content is a streaming file, in an embodiment of the present disclosure, step 102 may specifically include:
encrypting the streaming file obtained in real time during the screen recording operation.
In this embodiment, when an audio-video media file is transmitted from the first terminal device to the second terminal device by streaming, the second terminal device does not need to wait until the whole file has been downloaded; playback can begin after a start delay of only a few seconds to a dozen or so seconds. While the media file plays on the second terminal device, the rest of the file continues to download from the server in the background. Streaming the file not only shortens the start delay by a factor of ten or a hundred but also does not require a large buffer, and it avoids the drawback that the receiving end can only play after the whole file has been downloaded from the Internet. In addition, encrypting the streaming file ensures file security during streaming.
When the file content is a video file, in an embodiment of the present disclosure, step 102 may specifically include:
for each video frame in the video file obtained through the screen recording operation, masking the desktop information and/or the file information opened by mouse click in the current video frame;
encrypting the video file obtained after the masking.
In this embodiment, since the video file obtained through screen recording may involve private file information, in order to avoid privacy disclosure, the key information (i.e., desktop information and/or file information opened by mouse click) in each video frame of the video file may be masked after the video file is obtained, so that only the video content showing virus behavior is retained.
In some implementations, the masking includes mosaicking and/or adding an overlay layer.
It should be noted that virus behavior generally involves no mouse cursor, whereas the user operates through the mouse cursor, so the file information in this scenario refers to file information opened by mouse click. That is, opening file information without a mouse click is virus behavior.
When the file content is a video file, in an embodiment of the present disclosure, step 102 may specifically include:
for each video frame in the video file obtained through the screen recording operation, performing secondary processing on the video frames that contain the mouse cursor, wherein the secondary processing includes deletion and/or encryption;
encrypting the video file obtained after the secondary processing.
In this embodiment, as described above, virus behavior generally involves no mouse cursor, whereas the user operates through the mouse cursor. The video frames corresponding to user operations may therefore be deleted and/or encrypted to avoid privacy disclosure, so that only the video frames showing virus behavior are retained.
When the file content is a video file, in an embodiment of the present disclosure, after step 102 and before step 104, the method may further include:
performing format conversion on the encrypted video file to obtain a target video file, wherein the format of the target video file is not an audio-visual format;
step 104 may specifically include:
uploading the target video file to the second terminal device.
In this embodiment, considering that a recorded audio-visual media file may be identified and deleted by the virus, the recorded and encrypted file may be converted into an unconventional audio-visual format, and the second terminal device can still play the received target file content normally after the encryption and format conversion.
Conventional video formats include, but are not limited to, avi, wmv, mpeg, mp4, m4v, mov, asf, flv, f4v, rmvb, rm, 3gp, vob, etc.
For step 104:
In step 104, upon receiving the encrypted and format-converted target video file, the second terminal device may decode and decrypt it according to the decoding and decryption rules agreed in advance between the first terminal device and the second terminal device, so that the video file recorded on the first terminal device can be played normally on the second terminal device and provide a valuable reference for subsequent sample analysis.
As shown in FIG. 2 and FIG. 3, an embodiment of the present disclosure provides a device for monitoring virus behavior. The device embodiments may be implemented in software, in hardware, or in a combination of the two. In terms of hardware, FIG. 2 shows a hardware architecture diagram of the electronic device in which the virus behavior monitoring device provided in the embodiment of the present disclosure is located; in addition to the processor, memory, network interface and nonvolatile memory shown in FIG. 2, the electronic device may include other hardware, such as a forwarding chip responsible for processing messages. Taking a software implementation as an example, as shown in FIG. 3, the device in the logical sense is formed by the CPU of the electronic device in which it is located reading the corresponding computer program from the nonvolatile memory into memory and running it.
As shown in fig. 3, the device for monitoring virus behavior provided in this embodiment includes:
the screen recording module 300 is configured to perform a screen recording operation of the virus behavior on the first terminal device in response to monitoring that the virus behavior occurs in the first terminal device;
the encryption module 302 is configured to encrypt file content obtained through a screen recording operation;
and the uploading module 304 is configured to upload the encrypted file content to the second terminal device, so as to play the file content by using the second terminal device.
In the embodiment of the present disclosure, the screen recording module 300 may be used to perform the step 100 in the embodiment of the method, the encryption module 302 may be used to perform the step 102 in the embodiment of the method, and the uploading module 304 may be used to perform the step 104 in the embodiment of the method.
In one embodiment of the present disclosure, when detecting that virus behavior has occurred on the first terminal device, the screen recording module 300 is configured to perform the following operation:
detecting a popup prompt of the first terminal device for virus behavior.
In one embodiment of the present disclosure, when performing the screen recording operation of the virus behavior on the first terminal device, the screen recording module 300 is configured to perform the following operation:
displaying the background virus behavior of the virus on the first terminal device in the foreground of the first terminal device, so that the screen recording operation can be performed.
In one embodiment of the present specification, the device further includes an ending module configured to perform the following operations:
ending the screen recording operation in response to a first preset duration having elapsed since the screen recording operation was started; and/or
ending the screen recording operation in response to no popup prompt of the first terminal device for virus behavior being detected within a second preset duration after the screen recording operation was started; and/or
ending the screen recording operation in response to the storage capacity of the file content obtained through the screen recording operation reaching a preset threshold.
In one embodiment of the present description, the file content is a video file;
the encryption module 302 is configured to perform the following operations:
for each video frame in the video file obtained through the screen recording operation, performing shielding processing on desktop information and/or file information opened through mouse clicking in the current video frame;
encrypting the video file obtained by the shielding processing.
In one embodiment of the present description, the file content is a video file;
the encryption module 302 is configured to perform the following operations:
for each video frame in the video file obtained through the screen recording operation, performing secondary processing on the video frames containing a mouse cursor; wherein the secondary processing includes deletion processing and/or encryption processing;
encrypting the video file obtained by the secondary processing.
In one embodiment of the present description, the file content is a streaming file;
the encryption module 302 is configured to perform the following operation:
encrypting the streaming file obtained in real time during the screen recording operation.
In one embodiment of the present description, the file content is a video file;
the device further comprises:
a format conversion module, configured to perform format conversion on the encrypted video file to obtain a target video file; wherein the format of the target video file does not include an audio-visual format;
the uploading module 304 is configured to perform the following operation:
uploading the target video file to the second terminal device.
It will be appreciated that the structure illustrated in the embodiments of the present description does not constitute a specific limitation on the device for monitoring virus behavior. In other embodiments of the present description, the device for monitoring virus behavior may include more or fewer components than shown, or may combine certain components, or may split certain components, or may have a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the information interaction and execution processes between the modules of the above device are based on the same concept as the method embodiments of the present specification, the specific content can be found in the description of the method embodiments and is not repeated here.
The embodiments of the present specification also provide an electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor, when executing the computer program, implements the method for monitoring virus behavior in any embodiment of the present specification.
Embodiments of the present specification also provide a computer readable storage medium having a computer program stored thereon, which when executed by a processor causes the processor to perform a method of monitoring a virus behavior in any of the embodiments of the present specification.
Specifically, a system or apparatus may be provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present specification.
Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-Rs, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs, DVD+RWs), magnetic tapes, nonvolatile memory cards, and ROMs. Alternatively, the program code may be downloaded from a server computer via a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into a computer or into a memory provided in an expansion module connected to the computer, and then a CPU or the like mounted on the expansion board or the expansion module is caused to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above embodiments.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs the steps of the above method embodiments; and the aforementioned storage medium includes various media in which program code may be stored, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present specification, and are not limiting thereof; although the present specification has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present specification.

Claims (8)

1. A method for monitoring virus behavior, applied to a first terminal device, comprising:
in response to monitoring that the first terminal device has virus behavior, performing a screen recording operation of the virus behavior on the first terminal device;
encrypting file content obtained through the screen recording operation;
uploading the encrypted file content to a second terminal device, so as to play the file content by using the second terminal device;
wherein the file content is a video file;
the encrypting the file content obtained through the screen recording operation comprises:
for each video frame in the video file obtained through the screen recording operation, performing secondary processing on the video frames containing a mouse cursor; wherein the secondary processing includes deletion processing and/or encryption processing;
encrypting the video file obtained by the secondary processing;
after the encrypting the file content obtained through the screen recording operation and before the uploading the encrypted file content to the second terminal device, the method further comprises:
performing format conversion on the encrypted video file to obtain a target video file; wherein the format of the target video file does not include a conventional video and audio format;
the uploading the encrypted file content to the second terminal device comprises:
uploading the target video file to the second terminal device; wherein, after receiving the target video file, the second terminal device decodes and decrypts the target video file according to a decoding and decryption rule preset by the first terminal device and the second terminal device, so that the video file recorded by the first terminal device is played normally on the second terminal device.
2. The method of claim 1, wherein the monitoring that the first terminal device has virus behavior comprises:
monitoring a popup prompt of the first terminal device for virus behavior.
3. The method of claim 1, wherein the performing a screen recording operation of the virus behavior on the first terminal device comprises:
displaying the background virus behavior of the virus in the first terminal device in the foreground of the first terminal device, so as to perform the screen recording operation.
4. The method of claim 1, further comprising, after the performing a screen recording operation of the virus behavior on the first terminal device and before the encrypting the file content obtained through the screen recording operation:
ending the screen recording operation in response to a first preset duration elapsing after the screen recording operation is started; and/or
ending the screen recording operation in response to no popup prompt of the first terminal device for the virus behavior being monitored within a second preset duration after the screen recording operation is started; and/or
ending the screen recording operation in response to the storage capacity of the file content obtained through the screen recording operation reaching a preset threshold.
5. The method of claim 1, wherein the file content is a video file;
the encrypting the file content obtained through the screen recording operation comprises:
for each video frame in the video file obtained through the screen recording operation, performing shielding processing on desktop information and/or file information opened through mouse clicking in the current video frame;
encrypting the video file obtained by the shielding processing.
6. A device for monitoring virus behavior, applied to a first terminal device, comprising:
a screen recording module, configured to perform a screen recording operation of the virus behavior on the first terminal device in response to monitoring that the first terminal device has virus behavior;
an encryption module, configured to encrypt file content obtained through the screen recording operation;
an uploading module, configured to upload the encrypted file content to a second terminal device, so as to play the file content by using the second terminal device;
wherein the file content is a video file;
the encryption module is configured to perform the following operations:
for each video frame in the video file obtained through the screen recording operation, performing secondary processing on the video frames containing a mouse cursor; wherein the secondary processing includes deletion processing and/or encryption processing;
encrypting the video file obtained by the secondary processing;
the device further comprises:
a format conversion module, configured to perform format conversion on the encrypted video file to obtain a target video file; wherein the format of the target video file does not include a conventional video and audio format;
the uploading module is configured to perform the following operation:
uploading the target video file to the second terminal device; wherein, after receiving the target video file, the second terminal device decodes and decrypts the target video file according to a decoding and decryption rule preset by the first terminal device and the second terminal device, so that the video file recorded by the first terminal device is played normally on the second terminal device.
7. An electronic device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-5 when the computer program is executed.
8. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-5.
CN202210985583.2A 2022-08-17 2022-08-17 Virus behavior monitoring method and device, electronic equipment and storage medium Active CN115333844B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210985583.2A CN115333844B (en) 2022-08-17 2022-08-17 Virus behavior monitoring method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115333844A CN115333844A (en) 2022-11-11
CN115333844B true CN115333844B (en) 2024-06-25

Family

ID=83924130

Country Status (1)

Country Link
CN (1) CN115333844B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant