Malicious file detection method and device
Technical field
The present invention relates to the field of computer security, and more particularly to a malicious file detection method and device based on the analysis of operation action logs.
Background technology
At present, as viruses and malware spread unchecked, virus sample analysis technology is also improving constantly. Through virus sample analysis, virus analysts can quickly identify a virus and understand its behaviour, so as to formulate a corresponding anti-virus strategy, intercept the virus effectively, and protect user systems from damage.
Current cloud-based anti-virus systems can obtain the newest samples promptly and effectively, but this also brings a massive sample library. Because manual analysis of viruses is time-consuming, the large and rapidly growing number of viruses cannot be handled by manual analysis alone; it is therefore necessary to combine various automated virus analysis techniques to improve the efficiency of virus analysis.
Existing virus analysis techniques mainly include heuristic virus analysis, static virus analysis, virtual-machine virus detection, and active defence (real-time defence) detection, where:
Heuristic virus analysis uses the difference between the behaviour pattern of a running virus and that of a running normal program to judge whether a program is a virus. This approach derives its analysis result by summarising the operation actions of a large number of viruses; for example, certain behaviour-pattern rules are summarised from activities such as viral self-starting, propagation and account theft, and viruses are detected with these rules. However, the efficiency of this kind of virus analysis is not high, and virus detection is not accurate enough.
Static virus analysis is simpler than heuristic analysis and its detection speed is fast, but it cannot handle packed, obfuscated, deformed and polymorphic viruses, because such viruses obfuscate their own code by various techniques, and static analysis cannot process such samples to understand the virus behaviour and thus judge its malicious attribute.
Virtual-machine virus detection can be used to handle packed viruses, viruses with junk instructions, and obfuscated and polymorphic viruses. A virtual machine typically simulates the CPU, the file and memory management systems and the system API, and then simulates the execution of the code; the virus program executes in the virtual environment of the virtual machine rather than executing for real, and the behaviour of the software during execution is monitored. These behaviour logs are matched against some rules, and if they match, a suspicious sample has been found. However, because a virtual system consumes considerable system resources, this kind of virtual machine does not simulate the whole system completely. A virus may execute some special instructions; if the virtual machine does not simulate such an instruction, the virus can detect that it is running under a virtual machine and then change its execution flow, for example by not performing the malicious actions, so as to escape detection by the anti-virus software. In addition, this kind of virtualisation technique is not sufficiently stable, and it consumes considerable system resources when used on the client, making the user's machine run slowly.
Active defence (real-time defence) detection hooks some key APIs in the system and records which programs call these APIs and the parameters at the time of the call. From the sequence of APIs that a process calls while running, the behaviour of the program can be roughly understood and its malicious attribute judged; once judged to be a malicious program, it can be prevented from executing in time. Although this detection technique consumes fewer resources, by the time a virus is detected it may already be running in the system and have caused damage. Moreover, if a virus implements its function using APIs that the anti-virus software does not hook, it can bypass the active defence system.
Therefore, existing virus sample analysis techniques carry considerable risk when detecting viruses and are easily discovered and bypassed by viruses, so that detection accuracy is not high, and virus analysis efficiency is not high either.
Summary of the invention
The main objective of the present invention is to provide a malicious file detection method and device, which aim to improve the accuracy of virus detection and the efficiency of virus analysis.
To achieve the above objective, the present invention proposes a malicious file detection method, including:
obtaining a sample file to be detected;
running the sample file, monitoring the operation actions of the sample file, and generating a log file;
analysing the log file and carrying out malicious file detection based on preset matching rules.
The present invention also proposes a malicious file detection device, including:
an acquisition module, for obtaining a sample file to be detected;
a run monitoring module, for running the sample file, monitoring the operation actions of the sample file, and generating a log file;
an analysis detection module, for analysing the log file and carrying out malicious file detection based on preset matching rules.
In the malicious file detection method and device proposed by the present invention, the sample file is run in a virtual machine, a monitoring program is then run in the virtual machine to record the operation actions of the sample file and thereby generate a log file, and these log files are then matched against extracted characterisation rules, finally achieving malicious detection of the sample file. The present invention can greatly improve virus analysis efficiency and can promptly find new samples that current anti-virus software cannot detect, or samples of a class with a specific behaviour type, thereby improving the detection accuracy of virus samples.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a preferred embodiment of the malicious file detection method of the present invention;
Fig. 2 is a schematic flow chart of running the sample file, monitoring the operation actions of the sample file, and generating the log file in the preferred embodiment of the malicious file detection method of the present invention;
Fig. 3 is a schematic flow chart of analysing the log file and carrying out malicious file detection based on preset matching rules in the preferred embodiment of the malicious file detection method of the present invention;
Fig. 4 is a structural diagram of a preferred embodiment of the malicious file detection device of the present invention;
Fig. 5 is a structural diagram of the run monitoring module in the preferred embodiment of the malicious file detection device of the present invention;
Fig. 6 is a structural diagram of the analysis detection module in the preferred embodiment of the malicious file detection device of the present invention.
To make the technical solution clearer, it is described in further detail below with reference to the accompanying drawings.
Embodiment
The solution of the embodiment of the present invention is mainly as follows: the sample file is run in a virtual machine, a monitoring program is then run in the virtual machine to record the operation actions of the sample file, including records of reads, writes and modifications related to the sample file, the registry, the network and processes, and a log file is thereby generated; these log files are then matched against the extracted characterisation rules, and if they match, the sample file is a malicious sample. Automatic behaviour analysis of viruses is achieved in this way.
As shown in Fig. 1, the preferred embodiment of the present invention proposes a malicious file detection method, including:
Step S101, obtaining a sample file to be detected;
The source of the sample file to be detected is not limited; for example, it may be downloaded from a specified location.
The obtained sample file to be detected is input to the automated monitoring system.
Taking viruses as an example, the automated monitoring system set up in this embodiment is used to run viruses automatically in batches and record their behaviour while running, obtaining log files for analysts to examine, so that virus behaviour can be understood quickly and manpower saved.
The automated monitoring system can only run exe programs, whereas the downloaded sample files may include many compressed packages (rar, zip, 7z, etc.) and files such as dll and sys. Therefore all downloaded sample files first need format identification, decompression and screening: compressed packages are decompressed with a decompression tool, and then the exe files among the samples and the exe files obtained after decompression are filtered out and placed in a fixed directory, which serves as the sample source for the automated monitoring system to run.
Step S102, running the sample file, monitoring the operation actions of the sample file, and generating a log file;
As stated above, the sample file to be detected is first input to the automated monitoring system, which runs the sample file, monitors its operation actions and obtains a log file for analysts to examine, so as to quickly understand the behaviour of malicious files such as viruses.
In the automated monitoring system, this embodiment uses the virtualisation software VMware and the monitoring tool ProcessMonitor. The operation of these tools is controlled by AutoIt scripts in the virtual machine, and the file output by the automated control system is the log file of each sample file's operation actions (the log file obtained by ProcessMonitor monitoring).
The operation actions of the sample file include operations related to files, the registry, processes and network information, such as which files are generated, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; and which IP addresses are connected to.
Furthermore, since many malicious programs release other malicious programs after running, the files released by these malicious programs also need to be hashed to obtain their MD5, which forms part of the log file output by the automated monitoring system. Normally, if the parent file is judged to be malicious, the child files it releases are also likely to be malicious.
The virtual machine detection techniques used in the prior art are mostly placed on the client for execution and use a simple virtual machine that does not fully simulate the operating system. The automated monitoring system used in this embodiment runs samples in the background using the virtualisation software VMware, which can simulate the operating system more completely and can reduce the risk of being discovered and bypassed by viruses.
Step S103, analysing the log file and carrying out malicious file detection based on preset matching rules.
A ProcessMonitor log file is generated after each sample file runs. By analysing this log file, the behaviour of the sample file while running can be learned, mainly including operations related to files, the registry, processes and network information, for example which files are generated, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; and which IP addresses are connected to.
This embodiment extracts log matching rules for certain specific samples in advance and uses them to match and filter the log file of the current sample file. The log file generated after the sample file runs is matched against the preset matching rules; if the log file of a sample file matches a certain rule on its malicious attributes, the sample file is the specific malicious file corresponding to that rule.
Specifically, as shown in Fig. 2, in one embodiment of running the sample file, monitoring the operation actions of the sample file and generating the log file, step S102 above may include:
Step S1021, performing an environment initialisation operation on the virtual machine that runs the sample file;
When the sample file is run in the automated monitoring system and its operation actions are monitored, the virtual machine that runs the sample file first needs an environment initialisation operation in the automated monitoring system, that is, a virtual machine snapshot is restored. This snapshot is a virtual machine environment configured beforehand, in which control programs, bat files and the like are provided. Initialising the virtual machine environment is the preparation for the virtual machine to run the sample file.
Step S1022, copying the sample file to a fixed directory of the virtual machine;
Step S1023, running the sample file in the virtual machine, monitoring the operation actions of the sample file during running with the monitoring tool, and generating the log file.
This embodiment requires that the sample file be copied into the virtual machine and run there, with the ProcessMonitor tool monitoring the operation actions of the sample file. Therefore, when monitoring, all the executable sample programs filtered out earlier need to be enumerated, and each sample file enumerated completes one automatic monitoring process. This process uses some control commands of the vmrun.exe tool that comes with VMware, so that the physical machine controls the operation of the virtual machine.
The enumerated sample file is first copied to a fixed directory of the virtual machine, and then a monitoring program is run in the virtual machine. The function of this program is to set ProcessMonitor filters to filter out some system programs, run for a scheduled time (such as 10s) and then close the process, then save the ProcessMonitor log file and perform an initial analysis of it, checking the files released by the sample and calculating their md5, which are saved to a specified file.
Step S1024, copying the log file from the virtual machine to a fixed directory of the physical machine.
Finally, the ProcessMonitor log file, including the behaviour log and the md5 list of released files, is copied from the virtual machine to a fixed directory of the physical machine for log analysis.
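The host-side control sequence for steps S1021 to S1024, as an added example in Python that is not part of the patent or its control scripts. It uses the vmrun commands revertToSnapshot, start, copyFileFromHostToGuest, runProgramInGuest, copyFileFromGuestToHost and stop; the VM path, snapshot name, guest credentials, directories and the in-guest monitor program name are placeholder assumptions.

```python
"""Host-side driver for steps S1021 to S1024 (added example, not the patent's
own control scripts).  Assumptions: VMware Workstation with vmrun.exe, a guest
snapshot that already contains the AutoIt-style monitor program, and the
placeholder paths and credentials below."""
import hashlib
import subprocess
from pathlib import Path, PureWindowsPath

# Placeholder locations; none of these values come from the original description.
VMRUN = r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
VMX = r"D:\sandbox\win7\win7.vmx"
SNAPSHOT = "clean"                           # snapshot with control programs installed
GUEST_USER, GUEST_PASS = "sandbox", "sandbox"
GUEST_SAMPLE_DIR = r"C:\sample"              # fixed directory inside the virtual machine
GUEST_LOG_DIR = r"C:\log"                    # where the guest monitor saves its output
GUEST_MONITOR = r"C:\control\monitor.exe"    # sets ProcMon filters, runs sample ~10 s, saves log + md5 list
HOST_QUEUE = PureWindowsPath(r"D:\sandbox\queue")   # filtered exe samples (step S101)
HOST_LOG_DIR = PureWindowsPath(r"D:\sandbox\logs")  # fixed directory on the physical machine


def vmrun_steps(sample, host_log_dir=HOST_LOG_DIR):
    """Build the vmrun command sequence for one sample as argv lists.

    Nothing is executed here, so the sequence can be reviewed or unit-tested
    without a hypervisor.  Each list is one host-to-VM control command."""
    sample = Path(sample)
    stem = sample.stem
    guest_sample = f"{GUEST_SAMPLE_DIR}\\{sample.name}"
    guest_log = f"{GUEST_LOG_DIR}\\{stem}.csv"
    guest_md5 = f"{GUEST_LOG_DIR}\\{stem}.md5.txt"
    base = [VMRUN, "-T", "ws"]
    auth = base + ["-gu", GUEST_USER, "-gp", GUEST_PASS]
    return [
        # S1021: environment initialisation = restore the preconfigured snapshot
        base + ["revertToSnapshot", VMX, SNAPSHOT],
        base + ["start", VMX, "nogui"],
        # S1022: copy the sample to the fixed directory of the virtual machine
        auth + ["copyFileFromHostToGuest", VMX, str(sample), guest_sample],
        # S1023: run the in-guest monitor, which runs the sample under ProcMon
        #        for the scheduled time, then saves the log and the md5 list
        #        of released files
        auth + ["runProgramInGuest", VMX, GUEST_MONITOR, guest_sample, guest_log, guest_md5],
        # S1024: copy the log file and the md5 list back to the physical machine
        auth + ["copyFileFromGuestToHost", VMX, guest_log, str(host_log_dir / f"{stem}.csv")],
        auth + ["copyFileFromGuestToHost", VMX, guest_md5, str(host_log_dir / f"{stem}.md5.txt")],
        # the next sample starts from the snapshot again, so a hard stop is fine
        base + ["stop", VMX, "hard"],
    ]


def verb(argv):
    """Return the vmrun command name from an argv list built by vmrun_steps."""
    return argv[7] if argv[3] == "-gu" else argv[3]


def run_sample(sample, timeout=180):
    """Execute the sequence; a failing step aborts this sample instead of
    copying back a log that does not belong to it."""
    for argv in vmrun_steps(sample):
        subprocess.run(argv, check=True, timeout=timeout)
    return HOST_LOG_DIR / f"{Path(sample).stem}.csv"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def released_file_hashes(paths):
    """Guest-side part of S1023: one 'md5  path' line per released file, the
    list that is copied back next to the ProcMon log.  Missing paths are
    skipped so a file the sample deleted again does not abort the run."""
    lines = []
    for p in map(Path, paths):
        if p.is_file():
            lines.append(f"{md5_hex(p.read_bytes())}  {p}")
    return lines


if __name__ == "__main__":
    # Enumerate the filtered exe samples and monitor each one in turn.
    for exe in sorted(Path(str(HOST_QUEUE)).glob("*.exe")):
        print("log saved to", run_sample(exe))
```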
As shown in Fig. 3, in one embodiment of analysing the log file and carrying out malicious file detection based on preset matching rules, step S103 above may include:
Step S1031, obtaining the log file from the fixed directory of the physical machine;
Step S1032, analysing the operation actions in the log file;
Taking viruses as an example, a ProcessMonitor log file is generated after each virus program runs. By analysing this log file, the behaviour of the virus while running can be learned, mainly including operations related to files, the registry, processes and network information, such as which files are generated, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; and which IP addresses are connected to.
Step S1033, matching the operation actions in the log file against the malicious logs in the preset matching rules;
Step S1034, if the match is successful, detecting that the sample file corresponding to the log file is a malicious file.
Log rules can be extracted for certain specific samples to filter logs; if the log file of a sample matches a certain rule, the sample is the specific virus corresponding to that rule. For example, for a QQ account-stealing Trojan, one feature that can be extracted is that the QQ automatic-login file is deleted; therefore, if such a log record is found in the behaviour log of a sample, the sample can be judged to be a QQ account-stealing Trojan.
Taking the instant messaging program QQ as an example, current practice may involve the screening of QQ diamond-brushing programs and the screening of QQ account-stealing Trojans. After a QQ diamond-brushing program runs, it displays on its interface the categories of the various "diamonds" of QQ services, then prompts the user to input a QQ number and password and to activate the various diamond services (known as "brushing diamonds"). Its essence is to deceive users and steal their QQ number and password, because these applications cannot actually brush diamonds.
Because QQ diamond-brushing programs mainly use social engineering to deceive users and generally do not use technical means to steal QQ passwords, they have no specific behavioural characteristics; however, the main program interface of such programs contains some specific keywords, and such samples can be matched by these keywords. Therefore, for QQ diamond-brushing programs, the detection of malicious samples is achieved by matching window keywords.
After the sample file runs in the virtual machine, a QQ diamond-brushing detection program is run. This program enumerates all windows in the system and the text of their child windows, then searches for the following keywords: brush diamond, brush diamond (two written variants), brush Q, red diamond, Q business, QQ password, Q coin, QB. If any is found, the sample is a QQ diamond-brushing program.
The screening of QQ account-stealing Trojans is done by extracting behaviour rules. Because such QQ account-stealing Trojans steal QQ passwords by technical means, for example by replacing some QQ files, the screening rules for common QQ account-stealing Trojans are as follows:
(1) closing the QQ.exe process;
(2) accessing (releasing) files under the QQ bin directory;
(3) deleting the QQ Registry.db file (this file stores the QQ automatic-login information; many QQ account-stealing Trojans delete it so that QQ automatic login fails and the user has to enter the QQ password again, which enables the theft);
(4) modifying the QQ.lnk shortcut file so that the lnk file points to the QQ account-stealing Trojan.
When matching against the corresponding screening rules, each line of the log file is read, and it is judged whether the line contains any one of the following four character strings: QQ.exe together with Process Exit on the same line, QQ Bin, Registry.db, QQ.lnk.
If any one of the above four behaviours is included, the sample file corresponding to the log file is judged to be a QQ account-stealing Trojan, and its md5 is recorded in a specified text file.
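The four screening rules and the window-keyword check, as an added Python example that is not the detection program described in the patent. It runs over constructed ProcessMonitor-style CSV lines (not a real capture); the English keyword list and the backslash normalisation before matching are assumptions noted in the comments.

```python
"""Log-rule matching for steps S1031 to S1034 plus the window-keyword screen
(added example, not the patent's own detection program).  SAMPLE_LOG and
BENIGN_LOG are constructed ProcessMonitor-style CSV lines, not real captures."""
import hashlib

# The four screening rules as given in the description: rule (1) needs both
# strings on one line, rules (2) to (4) need one string each.
STEALER_RULES = {
    "close_qq_process": ("QQ.exe", "Process Exit"),
    "access_qq_bin": ("QQ Bin",),
    "delete_registry_db": ("Registry.db",),
    "modify_qq_lnk": ("QQ.lnk",),
}

# English renderings of the interface keywords listed in the description; the
# real program matches the original interface strings (assumption).
BRUSH_KEYWORDS = ("brush diamond", "brush Q", "red diamond", "Q business",
                  "QQ password", "Q coin", "QB")

# Constructed log: a sample that closes QQ, drops a DLL into QQ\Bin, deletes
# Registry.db and rewrites the QQ.lnk shortcut (ProcMon CSV column order).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","Process Create","C:\sample\sample.exe","SUCCESS","PID: 1234"
"10:01:03.5","QQ.exe","2048","Process Exit","","SUCCESS","Exit Status: 1"
"10:01:04.0","sample.exe","1234","CreateFile","C:\Program Files\Tencent\QQ\Bin\helper.dll","SUCCESS","Desired Access: Generic Write"
"10:01:04.2","sample.exe","1234","SetDispositionInformationFile","C:\Program Files\Tencent\QQ\Users\All Users\Registry.db","SUCCESS","Delete: True"
"10:01:05.0","sample.exe","1234","WriteFile","C:\Users\Public\Desktop\QQ.lnk","SUCCESS","Length: 1,024"
"10:01:05.5","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Data: C:\sample\sample.exe"
'''
# Constructed benign log: header plus the two lines that touch nothing of QQ.
BENIGN_LOG = "\n".join(SAMPLE_LOG.splitlines()[i] for i in (0, 1, 6)) + "\n"


def match_stealer_rules(log_text):
    """Map each matched rule name to the 1-based log line numbers that hit it.

    Backslashes are replaced by spaces before matching, an assumption made
    here so that the description's plain-text string 'QQ Bin' also matches a
    real path component sequence 'QQ\\Bin'."""
    hits = {name: [] for name in STEALER_RULES}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        norm = line.replace("\\", " ")
        for name, needles in STEALER_RULES.items():
            if all(n in norm for n in needles):
                hits[name].append(lineno)
    return {name: lines for name, lines in hits.items() if lines}


def has_brush_keywords(window_texts, keywords=BRUSH_KEYWORDS):
    """Keywords found in the enumerated window and child-window texts."""
    found = []
    for kw in keywords:
        if any(kw in text for text in window_texts) and kw not in found:
            found.append(kw)
    return found


def classify_sample(log_text, window_texts):
    """Labels for one sample: any interface keyword marks a QQ diamond-brushing
    program, any stealer rule hit marks a QQ account-stealing Trojan."""
    labels = []
    if has_brush_keywords(window_texts):
        labels.append("qq_brush_diamond")
    if match_stealer_rules(log_text):
        labels.append("qq_number_stealer")
    return labels


def detection_record(sample_bytes, labels):
    """The line written to the specified text file: sample md5 plus labels."""
    return f"{hashlib.md5(sample_bytes).hexdigest()}\t{','.join(labels)}"


def append_record(record_file, record):
    with open(record_file, "a", encoding="utf-8") as fh:
        fh.write(record + "\n")


if __name__ == "__main__":
    print(match_stealer_rules(SAMPLE_LOG))
    print(classify_sample(SAMPLE_LOG, ["Untitled"]))
```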
In practice, by configuring a scheduled task, the automated monitoring system can be run once a day, obtaining QQ diamond-brushing programs and QQ account-stealing Trojans from the previous day's sample files. By continuously monitoring the popularity and spread of these sample files, the sample files with the greatest popularity and spread can be obtained for priority handling.
This example obtained the following experimental data by testing the automated monitoring system. The average time for the automated monitoring system to monitor one sample file is set at 45s. Several batches of samples were tested (all samples obtained in one day by "diamond-brushing keyword filtering" and "QQ directory monitoring"; QQ directory monitoring means monitoring the files released into the QQ directory, since many account-stealing Trojans achieve the theft by releasing a DLL into that directory, whereas the automation here is used to run EXE programs automatically, and it was actually found that the EXE programs are largely QQ account-stealing Trojans), and four batches of data were randomly selected, as follows:
The diamond-brushing keyword filtering sample data are shown in Table 1 below:
| Sample size | Diamond-brushing samples detected | Proportion of diamond-brushing samples |
|---|---|---|
| 328 | 110 | 33.5% |
| 607 | 252 | 41.5% |
| 370 | 138 | 37.3% |
| 308 | 152 | 49.3% |
Table 1
The QQ directory monitoring sample data are shown in Table 2 below:
Table 2
In this embodiment, the sample file is run in a virtual machine, a monitoring program is run in the virtual machine to record the operation actions of the sample file and thereby generate a log file, and these log files are then matched against the extracted characterisation rules, finally achieving malicious detection of the sample file. This greatly improves virus analysis efficiency and can promptly find new samples that current anti-virus software cannot detect, or samples of a class with a specific behaviour type, thereby improving the detection accuracy of virus samples.
In addition, subsequent demands for mining specific samples can be met by attempting to analyse the log files of the samples; this embodiment therefore has a wide range of applications and serves as a reference for mining specific sample files or the newest samples from massive sample files.
As shown in Fig. 4, the preferred embodiment of the present invention proposes a malicious file detection device, including: an acquisition module 401, a run monitoring module 402 and an analysis detection module 403, where:
the acquisition module 401 is used for obtaining a sample file to be detected;
the run monitoring module 402 is used for running the sample file, monitoring the operation actions of the sample file, and generating a log file;
the analysis detection module 403 is used for analysing the log file and carrying out malicious file detection based on preset matching rules.
The source of the sample file to be detected is not limited; for example, it may be downloaded from a specified location.
The sample file to be detected obtained by the acquisition module 401 is input to the automated monitoring system.
The automated monitoring system, the batch running of samples, the format identification and filtering of exe files, the VMware and ProcessMonitor tools controlled by AutoIt scripts, the operation actions recorded, and the MD5 calculation of released files are as described above for steps S101 and S102.
A ProcessMonitor log file is generated after each sample file runs. By having the run monitoring module 402 analyse this log file, the behaviour of the sample file while running can be learned, mainly including operations related to files, the registry, processes and network information, for example which files are generated, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; and which IP addresses are connected to.
This embodiment extracts log matching rules for certain specific samples in advance and uses them to match and filter the log file of the current sample file. The analysis detection module 403 matches the log file generated after the sample file runs against the preset matching rules; if the log file of a sample file matches a certain rule on its malicious attributes, the sample file is the specific malicious file corresponding to that rule.
Specifically, as shown in Fig. 5, in one embodiment of running the sample file, monitoring the operation actions of the sample file and generating the log file, the run monitoring module 402 may include: an initialisation unit 4021, a copying unit 4022 and a run monitoring unit 4023, where:
the initialisation unit 4021 is used for performing an environment initialisation operation on the virtual machine that runs the sample file;
the copying unit 4022 is used for copying the sample file to a fixed directory of the virtual machine;
the run monitoring unit 4023 is used for running the sample file in the virtual machine, monitoring the operation actions of the sample file during running with the monitoring tool, and generating the log file.
The copying unit 4022 is further used for copying the log file from the virtual machine to a fixed directory of the physical machine.
The environment initialisation by restoring the virtual machine snapshot, the enumeration and copying of sample files, the operation of the in-guest monitoring program with ProcessMonitor filters and the scheduled run time, the md5 list of released files, and the copying of the log file back to the physical machine are as described above for steps S1021 to S1024.
As shown in Fig. 6, in one embodiment of analysing the log file and carrying out malicious file detection based on preset matching rules, the analysis detection module 403 may include: an acquiring unit 4031, an analysis unit 4032, a matching unit 4033 and a detection unit 4034, where:
the acquiring unit 4031 is used for obtaining the log file from the fixed directory of the physical machine;
the analysis unit 4032 is used for analysing the operation actions in the log file;
the matching unit 4033 is used for matching the operation actions in the log file against the malicious logs in the preset matching rules;
the detection unit 4034 is used for detecting that the sample file corresponding to the log file is a malicious file when the operation actions in the log file successfully match the malicious logs in the preset matching rules.
The analysis of the ProcessMonitor log file, the extraction of log rules for specific samples, the screening of QQ diamond-brushing programs by window keywords, the four screening rules for QQ account-stealing Trojans and their string matching on each log line, the recording of the md5 of detected samples, and the daily scheduled operation are as described above for steps S1031 to S1034.
This example obtained the following experimental data by testing the automated monitoring system. The average time for the automated monitoring system to monitor one sample file is set at 45s. Several batches of samples were tested (all samples obtained in one day by "diamond-brushing keyword filtering" and "QQ directory monitoring"; QQ directory monitoring means monitoring the files released into the QQ directory, since many account-stealing Trojans achieve the theft by releasing a DLL into that directory, whereas the automation here is used to run EXE programs automatically, and it was actually found that the EXE programs are largely QQ account-stealing Trojans), and four batches of data were randomly selected. The diamond-brushing keyword filtering sample data are shown in Table 1 above, and the QQ directory monitoring sample data are shown in Table 2 above.
The foregoing are only preferred embodiments of the present invention and are not intended to limit the scope of the invention. Any equivalent structural or flow transformation made using the content of the description and drawings of the present invention, or its direct or indirect application in other related technical fields, is likewise included within the scope of protection of the present invention.