Method and device for intercepting behaviors of program, and client equipment
A program execution technology applied in the field of intercepting program behavior on client devices. It addresses the problem that malicious programs cannot be effectively intercepted once the network has been disconnected, improving protection capability and achieving effective interception.
Examples
[0168] Example 1:
[0169] a.exe is a malicious program that first disconnects the network when it runs, and then triggers the interception point by writing a system startup entry to the registry so that it starts automatically.
[0170] Before the technology proposed in the present invention is used, active defense intercepts the registry write. When it tries to obtain the file level of a.exe, it cannot, because the network has already been disconnected. To avoid error prompts, it chooses to allow the operation.
[0171] After the technology proposed in the present invention is used, the process information of a.exe is queried and recorded when its process is created (that is, before it runs). When the registry write is detected and it is determined that the network currently cannot be reached, the file level of the current process is obtained from the earlier record, so the execution of this program is intercepted as normal.
[0172] Example 2:
[0173] The process chain is used to handle the disconnection. For example: a.exe is an unknown program and b.exe is a white (trusted) program that can be exploited ("white use"). a.exe disconnects the network when it runs and then calls b.exe to write a startup item, which triggers the interception point.
[0174] When the processes for a.exe and b.exe are created, their process information is recorded. For example, the file level of the process executed by a.exe is malicious, the file level of the process executed by b.exe is safe, and the process executed by a.exe is the parent process of the process executed by b.exe.
[0175] When b.exe writes to the registry, it triggers the interception point. From the process creation relationship recorded earlier, active defense can determine that b.exe was created by a.exe, so the file levels of the process executed by b.exe and of the process executed by a.exe are obtained at the same time and are res...
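A minimal model of the record-then-fall-back logic in Examples 1 and 2, added here as an illustration and not taken from the patent. The class names, the `FakeCloud` stand-in for the file-level query, the severity ordering and the rule that the worst level in the process chain decides are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"safe": 0, "unknown": 1, "malicious": 2}  # assumed ordering of file levels

class FakeCloud:
    """Constructed stand-in for the networked file-level query."""
    def __init__(self, levels):
        self.levels, self.up = levels, True
    def lookup(self, image) -> Optional[str]:
        return self.levels.get(image, "unknown") if self.up else None  # None: unreachable

@dataclass
class ProcRecord:
    image: str
    level: str             # file level queried at process creation
    parent: Optional[int]  # pid of the creating process, if any

class ProcessLedger:
    def __init__(self, cloud):
        self.cloud, self.records = cloud, {}

    def on_process_create(self, pid, image, parent=None):
        # Queried before the program runs, so before it can cut the network.
        level = self.cloud.lookup(image) or "unknown"
        self.records[pid] = ProcRecord(image, level, parent)

    def chain(self, pid):
        """Recorded process followed by its recorded ancestors, nearest first."""
        out, seen = [], set()
        while pid in self.records and pid not in seen:  # seen guards against loops
            seen.add(pid)
            out.append(self.records[pid])
            pid = self.records[pid].parent
        return out

    def on_intercept(self, pid):
        """Decision at an interception point such as an autostart registry write."""
        levels = []
        for rec in self.chain(pid):
            live = self.cloud.lookup(rec.image)
            levels.append(live if live is not None else rec.level)  # fall back to record
        worst = max(levels, key=SEVERITY.get, default="unknown")  # assumed combining rule
        return "block" if worst == "malicious" else "allow"

def legacy_on_intercept(cloud, image):
    """Behaviour described in [0170]: no record, the query fails, the write is allowed."""
    return "block" if cloud.lookup(image) == "malicious" else "allow"
```

With a.exe recorded as pid 100 and b.exe as its child, setting `cloud.up = False` before the registry write makes `legacy_on_intercept` return "allow" while `on_intercept` returns "block" for both processes.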