CN106844097A - A protection method and device for malicious encryption software - Google Patents
- Publication number
- CN106844097A (application CN201611246120.5A)
- Authority
- CN
- China
- Prior art keywords
- data file
- application program
- unknown applications
- unknown
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
- G06F11/1448—Management of the data involved in backup or backup restore
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Quality & Reliability (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a protection method and device for malicious encryption software, in the technical field of network security, which samples accessed network files and marks their information source, and matches files written to local storage to determine the information source of the file. The main technical solution of the invention is: monitor the execution of an unknown application, i.e. an application whose security cannot be determined, and judge whether it performs an operation that modifies a specified data file; if so, back up the data file before the unknown application modifies it; judge whether the content with which the unknown application modifies the data file contains feature data, the feature data being feature data of malicious encryption software; if so, terminate the execution of the unknown application and replace the modified data file with the backup copy of the data file. The invention is mainly used to protect the security of local data files.
Description
Technical field
The invention relates to the technical field of network security, and in particular to a protection method and device for malicious encryption software.
Background
Ransomware, also known as extortion viruses, is one of the fastest-growing network security threats of recent years. It is malicious software with which criminals hijack a user's assets or resources, by locking the screen, encrypting files and similar means, in order to extort money from the user. Criminals typically use phishing to plant ransomware on the victim's computer, encrypt files or even all data on the hard disk, and then demand a ransom of varying amounts (for example in Bitcoin) from the victim company or individual before decrypting. Infection by ransomware usually shows itself in the following forms:
1. Locking the computer screen by setting a power-on password, login password or similar, so that the user cannot use the system normally.
2. Extortion by threatening and intimidating the user: for example, FakeAV ransomware pretends to be anti-virus software, falsely claims to have found viruses on the user's system, and tricks the user into paying for its "anti-virus software".
3. Encrypting the user's files and data and demanding a ransom: the most typical example is the CTB-Locker family, which encrypts the user's documents with strong encryption algorithms and only provides a way to decrypt the documents after the user has paid the ransom.
4. Tampering with the disk MBR (Master Boot Record), forcing a blue screen and reboot, and then encrypting the computer's entire disk to extort a ransom.
Judging from how ransomware has spread in China in recent years, users need to enable anti-virus protection and update it promptly to ensure that ransomware is effectively identified. For the newest ransomware and its variants, however, when the security of an application cannot be effectively identified, ransomware attacks are also hard to avoid.
Summary of the invention
In view of this, the invention provides a protection method and device for malicious encryption software, which samples accessed network files and marks their information source, and matches files written to local storage to determine the information source of the file.
According to one aspect of the invention, a protection method for malicious encryption software is proposed, the method comprising:
monitoring the execution of an unknown application and judging whether the unknown application performs an operation that modifies a specified data file, the unknown application being an application whose security cannot be determined;
if so, backing up the data file before the unknown application modifies it;
judging whether the content with which the unknown application modifies the data file contains feature data, the feature data being feature data of malicious encryption software;
if so, terminating the execution of the unknown application and replacing the modified data file with the backup copy of the data file.
Preferably, terminating the execution of the unknown application and replacing the modified data file with the backup copy of the data file comprises:
sending an alert, the alert indicating that the unknown application is suspected malicious encryption software, and obtaining an operation instruction from the user;
when the operation instruction is an instruction to terminate execution, ending the process of the unknown application;
replacing the modified data file with the backup copy of the data file.
Preferably, monitoring the execution of the unknown application and judging whether the unknown application performs an operation that modifies a specified data file comprises:
when an application starts executing, identifying the security of the application;
if the security of the application cannot be determined, determining that the application is an unknown application;
monitoring whether the unknown application loads the specified data file.
Preferably, backing up the data file before the unknown application modifies it comprises:
when the unknown application performs an operation that modifies the data file, outputting a prompt so that it can be decided whether to continue the operation of modifying the data file;
if execution continues, backing up the data file before it is modified.
Preferably, judging whether the content with which the unknown application modifies the data file contains feature data comprises:
acquiring feature data of malicious encryption software, the feature data including encrypted-format information and decryption-prompt information;
matching the content with which the unknown application modifies the data file against the feature data;
if the match succeeds, determining that the unknown application is suspected malicious encryption software.
According to another aspect of the invention, a protection device for malicious encryption software is proposed, the device comprising:
a first judging unit, configured to monitor the execution of an unknown application and judge whether the unknown application performs an operation that modifies a specified data file, the unknown application being an application whose security cannot be determined;
a backup unit, configured to back up the data file before the unknown application modifies it when the first judging unit judges that there is an operation that modifies the specified data file;
a second judging unit, configured to judge whether the content with which the unknown application modifies the data file contains feature data, the feature data being feature data of malicious encryption software;
a replacement unit, configured to terminate the execution of the unknown application when the second judging unit determines that the feature data is present in the content modifying the data file, and to replace the modified data file with the backup copy of the data file made by the backup unit.
Preferably, the replacement unit comprises:
a sending module, configured to send an alert, the alert indicating that the unknown application is suspected malicious encryption software, and to obtain an operation instruction from the user;
a termination module, configured to end the process of the unknown application when the user's operation instruction is an instruction to terminate execution;
a replacement module, configured to replace the modified data file with the backup copy of the data file.
Preferably, the first judging unit comprises:
an identification module, configured to identify the security of an application when the application starts executing;
a determination module, configured to determine that the application is an unknown application when the identification module cannot determine the security of the application;
a monitoring module, configured to monitor whether the unknown application determined by the determination module loads the specified data file.
Preferably, the backup unit comprises:
an output module, configured to output a prompt when the unknown application performs an operation that modifies the data file, so that it can be decided whether to continue the operation of modifying the data file;
a backup module, configured to back up the data file before it is modified when the feedback to the prompt output by the output module is to continue the modification operation.
Preferably, the second judging unit comprises:
an acquisition module, configured to acquire feature data of malicious encryption software, the feature data including encrypted-format information and decryption-prompt information;
a matching module, configured to match the content with which the unknown application modifies the data file against the feature data acquired by the acquisition module;
a determination module, configured to determine that the unknown application is suspected malicious encryption software when the matching module finds a match.
In the protection method and device for malicious encryption software adopted by the invention, before an unknown application reads or modifies a local file, the file that the unknown application is about to read or modify is first backed up; the unknown application is then allowed to perform all of its operations on the file, while the content of the file as modified by the unknown application is monitored to judge whether the modified content contains feature data matching malicious encryption software. When it is determined that such feature data is present, the unknown application is determined to be malicious software, its local execution is terminated, the modified file is deleted, and the deleted file is overwritten with the backup copy. With the protection method and device adopted by the invention, the feature data carried by suspected malicious encrypting ransomware during its execution can be judged, and for local files modified by the suspected ransomware, the prior backup ensures that the modified local files can be effectively repaired, thereby preventing the harm and loss caused by unknown applications maliciously encrypting local files.
The above description is only an overview of the technical solution of the invention. In order that the technical means of the invention may be understood more clearly and implemented according to the contents of the specification, and in order to make the above and other objects, features and advantages of the invention more apparent and intelligible, specific embodiments of the invention are set out below.
Description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings the same reference symbols denote the same components. In the drawings:
FIG. 1 shows a flowchart of a protection method for malicious encryption software proposed by an embodiment of the invention;
FIG. 2 shows a flowchart of another protection method for malicious encryption software proposed by an embodiment of the invention;
FIG. 3 shows a block diagram of a protection device for malicious encryption software proposed by an embodiment of the invention;
FIG. 4 shows a block diagram of another protection device for malicious encryption software proposed by an embodiment of the invention.
Detailed description
Exemplary embodiments of the invention are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention may be embodied in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention can be understood more thoroughly and its scope conveyed fully to those skilled in the art.
An embodiment of the invention provides a protection method for malicious encryption software. The method is mainly used to strengthen system security, in particular against malicious attacks by ransomware. Its specific steps, shown in FIG. 1, comprise:
101. Monitor the execution of an unknown application and judge whether the unknown application performs an operation that modifies a specified data file.
Here, an unknown application in the embodiment of the invention means a program whose security the system cannot determine. That is, when an application starts executing, the system uses security defence software to judge whether the application is safe; if so, execution continues, and if the application is judged to be a Trojan or virus, its execution is prohibited. Apart from these two cases, when it cannot be judged whether the application is a safe application or a Trojan or virus, a prompt is sent to the local user stating that the security of the application is unknown and that continuing to execute it may carry risk, and the user is asked to judge whether to continue executing the application; whether the application is executed is then determined further according to the user's instruction.
When the application is determined to be an unknown application, the system monitors the program in real time from the moment it is started, in order to judge whether the unknown application will modify local files. The local files in question are specified data files; generally, the specified data files are files of specified types, for example .doc, .gif or .exe. Since the purpose of malicious encryption software is to encrypt data files so as to extort a ransom, to guard against the unknown application being malicious encryption software its operations must be monitored, in particular its write operations on local data files. In the embodiment of the invention the types of specified data file can be customised according to actual needs, so that protection can be focused on the important types of local data files, reducing the system resources consumed by monitoring the unknown application.
102. Back up the specified data file before the unknown application modifies it.
When step 101 judges that the unknown application performs an operation that modifies a locally specified data file, a backup copy of the data file being operated on is made. Note that the backup is made before the unknown application performs its modification of the data file.
In the embodiment of the invention, the backup is made, during the monitoring of the unknown application, when the unknown application reads the locally specified data file, or before it is about to write data content to the data file.
In addition, to ensure that the backed-up data file is not modified again by the unknown application, the backup file must be stored in a local secure area that generally prohibits read and write operations on data files; alternatively, the backup file is encrypted and the file type of the original data file is changed.
103. Judge whether the content with which the unknown application modifies the specified data file contains feature data.
After the data file has been backed up, the unknown application continues to execute and is monitored; that is, its modification of the specified data file is monitored. The main object of monitoring is the specific content that the modification writes into the data file, and whether that content contains the feature data characteristic of malicious encryption software. In the embodiment of the invention the feature data does not refer specifically to the feature data of known malicious encryption software, but to feature data shared by all malicious encryption software, for example key information used to encrypt the data file, or information used for extortion. This step is therefore the concrete step of identifying the unknown application: whether it is malicious encryption software is determined from the content it writes into the data file, and when feature data is present the unknown application is determined to be suspected malicious encryption software.
104. Terminate the execution of the unknown application and replace the modified data file with the backup copy of the data file.
According to the judgement in step 103, when the unknown application is determined to be suspected malicious encryption software, the system terminates its execution and at the same time retrieves the backup copy of the modified data file and replaces the modified data file with it. That is, execution of the suspected malicious encryption software is stopped so that it cannot go on modifying other data files; the modified data file is deleted and the backup copy made in step 102 is saved to the file's original location, so that the suspected malicious encryption software cannot maliciously encrypt local data files.
In addition, after the execution of the suspected malicious encryption software has been terminated, information about the unknown application can be reported through the security defence software, so that other network users can recognise the suspected malicious encryption software and the harm it causes is reduced.
In the protection method for malicious encryption software provided by the above embodiment of the invention, before an unknown application reads or modifies a local file, the file that the unknown application is about to read or modify is first backed up; the unknown application is then allowed to perform all of its operations on the file, while the content of the file as modified by the unknown application is monitored to judge whether the modified content contains feature data matching malicious encryption software. When it is determined that such feature data is present, the unknown application is determined to be malicious software, its local execution is terminated, the modified file is deleted, and the deleted file is overwritten with the backup copy. With the protection method and device adopted by the embodiment of the invention, the feature data carried by suspected malicious encrypting ransomware during its execution can be judged, and for local files modified by the suspected ransomware, the prior backup ensures that the modified local files can be effectively repaired, thereby preventing the harm and loss caused by unknown applications maliciously encrypting local files.
Further, to describe in more detail how the above protection method for malicious encryption software is implemented in practice, the following embodiment describes each step of the above embodiment in detail. As shown in FIG. 2, the method comprises:
201. Monitor the execution of an unknown application and judge whether the unknown application performs an operation that modifies a specified data file.
This step monitors the unknown application in real time after it has started. The judgement that an application is unknown is made as follows: after the application starts, the security defence software in the system obtains information about the application in order to determine its security. Generally, the security defence software stores a large amount of security judgement information about applications, covering both safe applications and dangerous applications, i.e. Trojans or virus software. By comparison, when the information about the application cannot be recognised by the security defence software, the application is determined to be an unknown application.
Because it cannot be determined whether the unknown application will damage the system or local data files, its execution cannot simply be prohibited in the way Trojans or virus software are handled. Therefore, when the unknown application starts, it must be monitored in real time to judge whether it poses a security threat. Since the embodiment of the invention is aimed at protection against malicious encryption software, and malicious encryption software always obtains local data files and encrypts them to achieve extortion, the main purpose of monitoring the unknown application in this step is to judge whether it loads data files and goes on to perform encryption operations. Depending on the importance of the data files in the system, specified types of data file can be monitored.
202. Back up the specified data file before the unknown application modifies it.
When the unknown application is observed preparing to modify a specified data file, the system backs up the data file in advance. In this step, the data file can be backed up as soon as the unknown application is observed loading the locally specified data file, to prevent the unknown application from maliciously encrypting it.
In addition, when the unknown application is observed loading or modifying a locally specified data file, a prompt can further be output to the user, who judges whether to continue the operation of modifying the data file. When the user chooses to terminate the operation, the system stops running the unknown application; when the user chooses to continue, the system first backs up the data file and then executes the unknown application's operation of modifying the data file.
203. Judge whether the content with which the unknown application modifies the specified data file contains feature data.
Before this step is performed, the feature data of malicious encryption software must be obtained. This feature data is preset and describes the data content that malicious encryption software necessarily modifies when encrypting a data file, including: encrypted-format information, such as the key information needed for encryption, and decryption-prompt information, such as "to obtain the password, transfer XXX to account XXX" and similar prompts.
Once the feature data has been determined, the content with which the unknown application modifies the data file is monitored and matched against the acquired feature data of malicious encryption software. When the match succeeds, the unknown application is determined to be suspected malicious encryption software.
204. When feature data is present, send an alert.
In this step, after the unknown application has been determined to be suspected malicious encryption software, an alert is sent to inform the user that the unknown application currently running is suspected malicious encryption software. The alert also includes an operation interface for the user; after seeing the alert, the user can use the operation interface to decide whether to continue executing the unknown application. If the user chooses to continue, the system does not block the unknown application; when the user chooses to terminate execution, step 205 is executed.
205、根据用户的操作指令结束未知应用程序的进程,并利用数据文件的备份文件替换被修改的数据文件。205. Terminate the process of the unknown application program according to the user's operation instruction, and replace the modified data file with the backup file of the data file.
需要说明的是,由于备份文件一般会保存在本地中的安全区域中以防止被恶意加密软件感染,而本地的安全区域往往容量有限,因此,所保存的备份文件在确定未知应用程序的安全性后,将被移除出该安全区域。也就是说,当确定未知应用程序为普通应用程序时,将直接删除该备份文件,而当确定该未知应用程序为恶意加密软件时,将该提取该备份文件,并使用该备份文件替换已被修改的数据文件。It should be noted that since the backup files are generally stored locally in a safe area to prevent infection by malicious encryption software, and the local safe area often has limited capacity, the saved backup files are important in determining the security of unknown applications. After that, it will be removed from the safe zone. That is to say, when it is determined that the unknown application program is a common application program, the backup file will be directly deleted, and when it is determined that the unknown application program is malicious encryption software, the backup file will be extracted and replaced by the backup file. Modified data files.
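As an added example (not part of the patent text), a Python simulation of steps 201 to 205: a guard intercepts a write by an unknown application, copies the file to a safe area first, scans the written content for the feature data of step 203, and on a match raises the alarm, ends the process and restores the backup. The class and function names, the feature strings, the monitored file types and the sample file are all constructed for this example.

```python
import shutil
import tempfile
from pathlib import Path

# Feature data in the sense of step 203: content a malicious encrypter has to write
# into the file. Constructed for this example; a deployment maintains its own set.
FEATURE_DATA = (
    b"RANSOM-FMT-1",                      # constructed encryption-format marker
    b"your files have been encrypted",    # constructed decryption-prompt text
    b"transfer money to account",         # constructed decryption-prompt text
)
# Specified data-file types under monitoring (step 201); a policy choice.
PROTECTED_SUFFIXES = {".docx", ".xlsx", ".pdf", ".jpg"}


class UnknownApp:
    """Stand-in for a process whose safety could not be determined at start-up."""
    def __init__(self, name: str):
        self.name, self.running = name, True

    def terminate(self):
        self.running = False


class ProtectionGuard:
    """Mediates writes by unknown applications, following steps 201 to 205."""
    def __init__(self, safe_area: Path):
        self.safe_area = safe_area   # backup area the unknown app cannot reach
        self.backups = {}            # data file -> backup copy in the safe area
        self.alerts = []

    def find_feature_data(self, content: bytes) -> list:
        """Step 203: the feature strings present in the written content."""
        return [f.decode() for f in FEATURE_DATA if f in content]

    def intercept_write(self, app: UnknownApp, path: Path, new_content: bytes,
                        user_terminates: bool = True) -> str:
        """Handle one write by an unknown app and report what the guard did."""
        if path.suffix.lower() not in PROTECTED_SUFFIXES:
            path.write_bytes(new_content)
            return "unmonitored"
        # Step 202: back up before the first modification of this file.
        if path not in self.backups:
            backup = self.safe_area / (path.name + ".bak")
            shutil.copy2(path, backup)
            self.backups[path] = backup
        path.write_bytes(new_content)          # the modification itself is allowed
        hits = self.find_feature_data(path.read_bytes())
        if not hits:
            # Ordinary behaviour: release the limited safe area again (decided per
            # write here for brevity; the patent decides per application).
            self.backups.pop(path).unlink()
            return "clean"
        # Step 204: alarm; the user decides whether the app continues.
        self.alerts.append(f"{app.name}: suspected malicious encryption software {hits}")
        if not user_terminates:
            return "alerted"
        # Step 205: end the process and put the backup back in place.
        app.terminate()
        shutil.copy2(self.backups.pop(path), path)
        return "restored"


def demo() -> dict:
    """A benign edit, then a simulated malicious overwrite, in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "safe_area").mkdir()
        guard = ProtectionGuard(root / "safe_area")
        doc = root / "report.docx"
        doc.write_bytes(b"Quarterly report: revenue up 4 percent.")
        # A benign editor appends a line: no feature data, so the backup is released.
        editor = UnknownApp("editor.exe")
        benign = guard.intercept_write(editor, doc, doc.read_bytes() + b"\nReviewed.")
        before_attack = doc.read_bytes()
        # Simulated malicious encrypter: scrambles the bytes and appends a ransom note.
        attacker = UnknownApp("unknown.exe")
        scrambled = bytes(b ^ 0x5A for b in before_attack)
        note = b"\nRANSOM-FMT-1 your files have been encrypted; transfer money to account XXX"
        result = guard.intercept_write(attacker, doc, scrambled + note)
        return {"benign": benign, "result": result,
                "file_restored": doc.read_bytes() == before_attack,
                "attacker_running": attacker.running, "editor_running": editor.running,
                "hits": guard.find_feature_data(scrambled + note)}
```

In a real deployment the decision to discard the backup would be taken once per application rather than per write, and the safe area needs access control that the unknown process cannot bypass, otherwise the backup is exposed to the same encryption.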
The above describes in detail a concrete implementation of the protection method against malicious encryption software in practical use. As a concrete apparatus implementing the above method, an embodiment of the present invention also provides a protection apparatus against malicious encryption software. As shown in Figure 3, the apparatus comprises:
a first judging unit 31, configured to monitor the execution of an unknown application and judge whether the unknown application performs an operation that modifies a specified data file, the unknown application being an application whose safety cannot be determined;
a backup unit 32, configured to back up the data file before the unknown application modifies it when the first judging unit 31 judges that an operation modifying the specified data file exists;
a second judging unit 33, configured to judge whether feature data is present in the content the unknown application writes to the data file, the feature data being feature data of malicious encryption software;
a replacement unit 34, configured to terminate execution of the unknown application when the second judging unit 33 determines that the feature data is present in the modified content of the data file, and to replace the modified data file with the backup file of the data file copied by the backup unit 32.
Further, as shown in Figure 4, the replacement unit 34 comprises:
a sending module 341, configured to send alarm information, the alarm information prompting that the unknown application is suspected malicious encryption software, and to obtain the user's operation instruction;
a termination module 342, configured to end the process of the unknown application when the user's operation instruction is an instruction to terminate execution;
a replacement module 343, configured to replace the modified data file with the backup file of the data file.
Further, as shown in Figure 4, the first judging unit 31 comprises:
an identification module 311, configured to identify the safety of an application when the application starts executing;
a determination module 312, configured to determine that the application is an unknown application when the identification module 311 cannot determine its safety;
a monitoring module 313, configured to monitor whether the unknown application determined by the determination module 312 loads a specified data file.
Further, as shown in Figure 4, the backup unit 32 comprises:
an output module 321, configured to output prompt information when the unknown application performs an operation modifying the data file, so that it can be decided whether the modification operation continues;
a backup module 322, configured to back up the data file before it is modified when the feedback to the prompt information output by the output module 321 is to continue the modification operation.
Further, as shown in Figure 4, the second judging unit 33 comprises:
an acquisition module 331, configured to acquire the feature data of malicious encryption software, the feature data including encryption format information and decryption prompt information;
a matching module 332, configured to match the content the unknown application writes to the data file against the feature data acquired by the acquisition module 331;
a determination module 333, configured to determine that the unknown application is suspected malicious encryption software when the matching module 332 matches successfully.
In summary, the protection method and apparatus against malicious encryption software provided by the embodiments of the present invention back up a file before an unknown application reads or modifies it, then allow the unknown application every operation on the file while monitoring the content it writes, and judge whether that content contains feature data matching malicious encryption software. When feature data is found, the unknown application is determined to be suspected malware and alarm information is sent to the local user; if the user chooses to terminate the application, its process is ended, the modified file is deleted and the backup file is used to overwrite the deleted file. With the protection method and apparatus of these embodiments, the feature data carried by suspected ransomware during execution can be judged, and the local files modified by the suspected ransomware can be reliably repaired from the backups taken in advance, so that the harm and loss caused by an unknown application maliciously encrypting local files is prevented.
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant description of other embodiments.
It will be understood that the related features of the above cloud server and apparatus may be referred to one another. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not imply that one embodiment is better or worse than another.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific operation of the system, apparatus and units described above may be found in the corresponding process of the foregoing cloud server embodiment and is not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the description given above of specific languages is for disclosing the best mode of the invention.
The specification provided herein sets out a large number of specific details. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known cloud servers, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline this disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This disclosed cloud server should not, however, be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and placed in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any cloud server or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to lie within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may in practice be used to implement some or all of the functions of some or all of the components of the invention named in the title (such as an apparatus for determining the link level within a website) according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example a computer program or computer program product) for executing part or all of the cloud server described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611246120.5A CN106844097A (en) | 2016-12-29 | 2016-12-29 | A kind of means of defence and device for malice encryption software |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106844097A true CN106844097A (en) | 2017-06-13 |
Family
ID=59113164
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106844097A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090106587A1 (en) * | 2002-08-16 | 2009-04-23 | Mcm Portfolio Llc | Software Recovery Method for Flash Media with Defective Formatting |
CN105760759A (en) * | 2015-12-08 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Method and system for protecting documents based on process monitoring |
CN106096397A (en) * | 2016-05-26 | 2016-11-09 | 倪茂志 | A kind of prevention method extorting software and system |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109284608A (en) * | 2017-07-19 | 2019-01-29 | 阿里巴巴集团控股有限公司 | Extort recognition methods, device and equipment, the security processing of software |
CN107506645A (en) * | 2017-08-30 | 2017-12-22 | 北京明朝万达科技股份有限公司 | A kind of detection method and device for extorting virus |
CN107563199A (en) * | 2017-09-04 | 2018-01-09 | 郑州云海信息技术有限公司 | It is a kind of that software detection and defence method in real time are extorted based on file request monitoring |
CN107729752A (en) * | 2017-09-13 | 2018-02-23 | 中国科学院信息工程研究所 | One kind extorts software defense method and system |
CN107729752B (en) * | 2017-09-13 | 2019-12-03 | 中国科学院信息工程研究所 | One kind extorting software defense method and system |
CN107871079A (en) * | 2017-11-29 | 2018-04-03 | 深信服科技股份有限公司 | A kind of suspicious process detection method, device, equipment and storage medium |
CN110502894A (en) * | 2018-05-18 | 2019-11-26 | 阿里巴巴集团控股有限公司 | Recognition methods, equipment and the system of operation behavior |
CN110502894B (en) * | 2018-05-18 | 2023-03-21 | 阿里巴巴集团控股有限公司 | Operation behavior identification method, device and system |
CN109145604A (en) * | 2018-08-21 | 2019-01-04 | 成都网思科平科技有限公司 | One kind extorting software intelligent detecting method and system |
CN110795730A (en) * | 2018-10-23 | 2020-02-14 | 北京安天网络安全技术有限公司 | Method, system and storage medium for thoroughly eliminating malicious files |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | Application publication date: 20170613 |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | |