Malicious program clearing method and device

Document No.: 1904844 Publication date: 2021-11-30

Reading notes: this technology, "Malicious program clearing method and device" (一种恶意程序清除方法及装置), was designed and created by 康吉金, 李博 and 樊兴华 on 2021-11-02. Its main content: the embodiments of the application provide a malicious program clearing method and device in the technical field of network security. The malicious program clearing method comprises the following steps: first, judging whether a malicious program is detected on a target host; if yes, acquiring the communication characteristics of the malicious program; then, acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library; and finally, issuing the target clearing instruction to the target host so that the target host clears the malicious program according to the target clearing instruction. This enables automatic clearing of the malicious program, effectively avoids the risk of being attacked again, and thereby improves the network security of the host.

1. A malicious program removal method, comprising:

determining whether a malicious program is detected on the target host;

if yes, acquiring the communication characteristics of the malicious program;

acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library;

and issuing the target clearing instruction to the target host to enable the target host to clear the malicious program according to the target clearing instruction.

2. The malware removal method of claim 1, wherein before the obtaining of the target removal instruction matching the communication feature according to a preset malware removal instruction library, the method further comprises:

acquiring a pre-collected malicious program sample;

running the malicious program sample through a pre-deployed sandbox to obtain a clearing instruction corresponding to the malicious program sample and an online characteristic of the malicious program sample;

acquiring the associated information of the malicious program sample;

and constructing a malicious program clearing instruction library according to the clearing instruction, the online characteristics and the associated information.

3. The method for removing the malicious program according to claim 2, wherein the step of running the malicious program sample through a pre-deployed sandbox to obtain a removal instruction corresponding to the malicious program sample and an online characteristic of the malicious program sample comprises:

running the malicious program sample through a pre-deployed sandbox to obtain specific behaviors and network interaction data of the malicious program sample when running in the sandbox;

performing time-series processing on the specific behaviors and the network interaction data to obtain a behavior chain of the malicious program sample running in the sandbox;

and determining a clearing instruction corresponding to the malicious program sample and an online characteristic corresponding to the malicious program sample according to the behavior chain.

4. The method according to claim 3, wherein the determining, according to the behavior chain, the clearing instruction corresponding to the malicious program sample and the online characteristic corresponding to the malicious program sample includes:

determining a clearing behavior of the malicious program sample when the malicious program sample runs in the sandbox according to the behavior chain;

determining a trigger factor for triggering clearing operation according to the clearing behavior;

and determining a clearing instruction corresponding to the malicious program sample and an online characteristic corresponding to the malicious program sample according to the trigger of the clearing operation.

5. The malware removal method of claim 2, wherein after the building of the malware removal instruction library according to the removal instructions, the online features and the associated information, the method further comprises:

rerunning the malware sample;

adopting the malicious program clearing instruction library to clear the malicious program sample, and detecting the clearing verification effect of the clearing processing;

judging whether the clearing verification effect reaches a preset effect threshold value or not;

and if so, storing the malicious program clearing instruction library, and executing the step of acquiring a target clearing instruction matched with the communication characteristics according to the preset malicious program clearing instruction library.

6. A malicious program removal apparatus, comprising:

a judging unit configured to judge whether a malicious program is detected on the target host;

the first acquisition unit is used for acquiring the communication characteristics of the malicious program when the malicious program is detected;

the second acquisition unit is used for acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library;

and the issuing unit is used for issuing the target clearing instruction to the target host so as to enable the target host to clear the malicious program according to the target clearing instruction.

7. The malware removal device of claim 6, further comprising:

a third obtaining unit, configured to obtain a pre-collected malicious program sample before obtaining, according to a preset malicious program removal instruction library, a target removal instruction matched with the communication feature;

the running unit is used for running the malicious program sample through a pre-deployed sandbox to obtain a clearing instruction corresponding to the malicious program sample and an online characteristic of the malicious program sample;

the third obtaining unit is further configured to obtain associated information of the malicious program sample;

and the constructing unit is used for constructing a malicious program clearing instruction library according to the clearing instruction, the online characteristics and the associated information.

8. The malware removal device of claim 7, wherein the running unit comprises:

the running subunit is used for running the malicious program sample through a pre-deployed sandbox to obtain specific behaviors and network interaction data of the malicious program sample when running in the sandbox;

the processing subunit is configured to perform time-series processing on the specific behavior and the network interaction data to obtain a behavior chain in which the malicious program sample runs in the sandbox;

and the determining subunit is configured to determine, according to the behavior chain, a clearing instruction corresponding to the malicious program sample and an online feature corresponding to the malicious program sample.

9. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the malicious program removal method of any of claims 1 to 5.

10. A readable storage medium having stored therein computer program instructions which, when read and executed by a processor, perform the malware removal method of any one of claims 1 to 5.

Technical Field

The application relates to the technical field of network security, in particular to a malicious program removing method and device.

Background

With the continuous development of the internet, the services running on internet devices are abundant and diverse, but they also hide enormous network risks: attackers usually use malicious programs to launch network attacks that steal user privacy, cause losses to users, and so on. The existing malicious program removal method usually blocks the communication domain and IP address of the malicious program to cut the connection between the controlled end and the remote control end; the malicious program itself is not removed, so the risk remains. The prior art therefore cannot eradicate the malicious program, which can continue to communicate with the control end in other ways, so a risk of being attacked again exists.

Disclosure of Invention

An object of the embodiments of the present application is to provide a method and an apparatus for removing a malicious program, which can implement automatic removal of the malicious program, and effectively avoid a risk of being attacked again, thereby improving network security of a host.

A first aspect of an embodiment of the present application provides a method for removing a malicious program, including:

determining whether a malicious program is detected on the target host;

if yes, acquiring the communication characteristics of the malicious program;

acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library;

and issuing the target clearing instruction to the target host to enable the target host to clear the malicious program according to the target clearing instruction.

In the implementation process, whether a malicious program is detected on a target host is judged; if yes, acquiring the communication characteristics of the malicious program; then, acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library; and finally, the target clearing instruction is issued to the target host, so that the target host can clear the malicious program according to the target clearing instruction, the automatic clearing of the malicious program can be realized, the risk of being attacked again is effectively avoided, and the network security of the host is improved.

Further, before the obtaining of the target clearing instruction matched with the communication characteristic according to the preset malicious program clearing instruction library, the method further includes:

acquiring a pre-collected malicious program sample;

running the malicious program sample through a pre-deployed sandbox to obtain a clearing instruction corresponding to the malicious program sample and an online characteristic of the malicious program sample;

acquiring the associated information of the malicious program sample;

and constructing a malicious program clearing instruction library according to the clearing instruction, the online characteristics and the associated information.

Further, the step of running the malicious program sample through a pre-deployed sandbox to obtain a clearing instruction corresponding to the malicious program sample and an online characteristic of the malicious program sample includes:

running the malicious program sample through a pre-deployed sandbox to obtain specific behaviors and network interaction data of the malicious program sample when running in the sandbox;

performing time-series processing on the specific behaviors and the network interaction data to obtain a behavior chain of the malicious program sample running in the sandbox;

and determining a clearing instruction corresponding to the malicious program sample and an online characteristic corresponding to the malicious program sample according to the behavior chain.

Further, the determining, according to the behavior chain, a clearing instruction corresponding to the malicious program sample and an online feature corresponding to the malicious program sample includes:

determining a clearing behavior of the malicious program sample when the malicious program sample runs in the sandbox according to the behavior chain;

determining a trigger factor for triggering clearing operation according to the clearing behavior;

and determining a clearing instruction corresponding to the malicious program sample and an online characteristic corresponding to the malicious program sample according to the trigger of the clearing operation.

In the implementation process, the online characteristics of the remote control Trojan horse and the corresponding clearing instructions can be automatically extracted by determining the clearing instructions corresponding to the malicious program samples and the online characteristics corresponding to the malicious program samples.

Further, after the building a malware removal instruction library according to the removal instruction, the online characteristic and the associated information, the method further includes:

rerunning the malware sample;

adopting the malicious program clearing instruction library to clear the malicious program sample, and detecting the clearing verification effect of the clearing processing;

judging whether the clearing verification effect reaches a preset effect threshold value or not;

and if so, storing the malicious program clearing instruction library, and executing the step of acquiring a target clearing instruction matched with the communication characteristics according to the preset malicious program clearing instruction library.

In the implementation process, after the malicious program clearing instruction library is obtained, the malicious program sample can be repeatedly operated, the clearing effect is verified, and the reliability of the clearing function is improved.

A second aspect of the embodiments of the present application provides a malicious program removal apparatus, where the malicious program removal apparatus includes:

a judging unit configured to judge whether a malicious program is detected on the target host;

the first acquisition unit is used for acquiring the communication characteristics of the malicious program when the malicious program is detected;

the second acquisition unit is used for acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library;

and the issuing unit is used for issuing the target clearing instruction to the target host so as to enable the target host to clear the malicious program according to the target clearing instruction.

In the implementation process, the judging unit firstly judges whether a malicious program is detected on the target host; when judging that the malicious program is detected, the first acquisition unit acquires the communication characteristics of the malicious program; the second acquisition unit acquires a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library; and finally, the issuing unit issues the target clearing instruction to the target host so that the target host clears the malicious program according to the target clearing instruction, automatic clearing of the malicious program can be realized, the risk of secondary attack is effectively avoided, and the network security of the host is improved.

Further, the malware removal device further includes:

a third obtaining unit, configured to obtain a pre-collected malicious program sample before obtaining, according to a preset malicious program removal instruction library, a target removal instruction matched with the communication feature;

the running unit is used for running the malicious program sample through a pre-deployed sandbox to obtain a clearing instruction corresponding to the malicious program sample and an online characteristic of the malicious program sample;

the third obtaining unit is further configured to obtain associated information of the malicious program sample;

and the constructing unit is used for constructing a malicious program clearing instruction library according to the clearing instruction, the online characteristics and the associated information.

Further, the running unit includes:

the running subunit is used for running the malicious program sample through a pre-deployed sandbox to obtain specific behaviors and network interaction data of the malicious program sample when running in the sandbox;

the processing subunit is configured to perform time-series processing on the specific behavior and the network interaction data to obtain a behavior chain in which the malicious program sample runs in the sandbox;

and the determining subunit is configured to determine, according to the behavior chain, a clearing instruction corresponding to the malicious program sample and an online feature corresponding to the malicious program sample.

In the implementation process, the online characteristics of the remote control Trojan horse and the corresponding clearing instructions can be automatically extracted by determining the clearing instructions corresponding to the malicious program samples and the online characteristics corresponding to the malicious program samples.

A third aspect of embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the malicious program removal method according to any one of the first aspect of embodiments of the present application.

A fourth aspect of the present embodiment provides a computer-readable storage medium, which stores computer program instructions, where the computer program instructions, when read and executed by a processor, perform the malicious program removal method according to any one of the first aspect of the present embodiment.

Drawings

In order to explain the technical solutions of the embodiments of the present application more clearly, the drawings required for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope; those skilled in the art can also obtain other related drawings from these drawings without inventive effort.

Fig. 1 is a schematic flowchart illustrating a malicious program removal method according to an embodiment of the present disclosure;

fig. 2 is a flowchart illustrating another malicious program removal method according to an embodiment of the present disclosure;

fig. 3 is a schematic structural diagram of a malicious program removal apparatus according to an embodiment of the present disclosure;

fig. 4 is a schematic structural diagram of another malicious program removal apparatus according to an embodiment of the present disclosure;

fig. 5 is a schematic diagram of an information interaction flow of a malicious program removal system according to an embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.

It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.

Example 1

Referring to fig. 1, fig. 1 is a flowchart illustrating a malicious program removal method according to an embodiment of the present disclosure. The method is mainly applied to scenarios of detecting and removing malicious programs. The malicious program clearing method comprises the following steps:

S101, judging whether a malicious program is detected on the target host; if so, executing steps S102 to S104; if not, executing step S101 again to continue determining whether a malicious program is detected on the target host.

In the embodiment of the application, the execution subject of the method may be a malicious program removal device.

In this embodiment, the malicious program removal apparatus may run on a computing apparatus such as a computer or a server; this embodiment is not limited in this respect.

In this embodiment, the malicious program removal device may also be operated on an electronic device such as a smart phone or a tablet computer, which is not limited in this embodiment.

Preferably, the malicious program removing device runs on a cloud server.

In this embodiment of the application, the malicious program may specifically be a backdoor, a remote access trojan, spyware, and the like, which is not limited in this embodiment of the application.

After step S101, the following steps are also included:

and S102, acquiring the communication characteristics of the malicious program.

In this embodiment of the present application, the communication features include the malicious program's online feature, the malicious program's network connection, and the like, where the network connection includes, but is not limited to, the domain name of the malicious program, its Internet Protocol (IP) address, its Uniform Resource Locator (URL), a family identifier of the malicious program, and the like; this is not limited in this embodiment of the present application. Here, the URL is a network address.

S103, acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library.

In the embodiment of the application, each parameter in the communication features can be matched and compared in turn with the preset malicious program clearing instruction library to obtain the target clearing instruction.

And S104, issuing the target clearing instruction to the target host so that the target host clears the malicious program according to the target clearing instruction.

According to the embodiment of the application, different malicious programs are automatically cleared through traffic proxy and replay.

According to the method, in an actual network environment, the communication features of the malicious program are used as matching input and queried in the preset malicious program clearing instruction library; if the query hits, a target clearing instruction is returned and then issued to the controlled target host, achieving automatic clearing of the malicious program on the target host.

In the embodiment of the application, after the communication features of the malicious program are acquired, they can also be used as indicators of compromise and applied to the collection and storage of threat intelligence.

Therefore, the malicious program removing method described in this embodiment can automatically remove the malicious program, and effectively avoid the risk of being attacked again, thereby improving the network security of the host.

Example 2

Referring to fig. 2, fig. 2 is a flowchart illustrating another malicious program removal method according to an embodiment of the present disclosure. As shown in fig. 2, the malware removal method includes:

S201, obtaining a pre-collected malicious program sample.

In the embodiment of the application, a sandbox cluster can be deployed in advance so that the latest malicious programs are analyzed in time and the clearing instruction of the latest remote control trojan is captured as early as possible.

In the embodiment of the application, the latest samples can be collected and subjected to file detection and analysis by an antivirus engine, multi-engine scanning, a Yara engine and the like, so as to obtain malicious program samples.

In the embodiment of the present application, the malware sample may specifically be a trojan horse sample, a spyware sample, or another malware sample, and the embodiment of the present application is not limited thereto.

S202, running the malicious program sample through a pre-deployed sandbox to obtain specific behaviors and network interaction data of the malicious program sample when the malicious program sample runs in the sandbox.

In the embodiment of the present application, a multi-platform, multi-version sandbox environment is deployed; the operating systems include Windows 7, Windows 10, Ubuntu, CentOS and the like, and the versions include 32-bit and 64-bit; the embodiment of the present application is not limited thereto.

In the embodiment of the application, the malicious program sample is delivered to the pre-deployed sandbox environment (mainly virtual machines, supplemented by physical machines) for analysis, so that the specific behaviors and network interaction data of the sample while running in the sandbox can be obtained.

In the embodiment of the application, the latest trojan horse can be timely analyzed through the pre-deployed sandbox analysis cluster, and the possibility of missing is greatly reduced. Meanwhile, the multi-platform sandbox is deployed, so that the multi-platform trojan can be covered, and the coverage of automatic clearing is improved.

S203, carrying out time sequence processing on the specific behaviors and the network interaction data to obtain a behavior chain of the malicious program sample running in the sandbox.

In the embodiment of the application, by monitoring the running of the malicious program sample, the time points of the various behaviors that occur while the sample runs can be captured. Combining the specific behaviors and the network interaction data of the sample running in the sandbox and processing them as a time series yields the behavior chain of the sample at run time; analysis stops once the clearing behavior of the malicious program sample has been captured.

In the embodiment of the present application, the removing behavior includes behaviors such as process destruction of a malicious program sample, automatic deletion of a file related to the malicious program sample, and deletion of a persistence setting, which is not limited in the embodiment of the present application.

After step S203, the following steps are also included:

and S204, determining the clearing behavior of the malicious program sample when the malicious program sample runs in the sandbox according to the behavior chain.

And S205, determining a trigger for triggering the clearing operation according to the clearing behavior.

In the embodiment of the application, the reason for triggering the clearing operation can be determined by analyzing the specific behaviors of the malicious program sample together with the network interaction data. For example, when a clearing behavior of the malicious program sample is detected, the network interaction that occurred immediately before it is likely related to it, and it may be determined that this preceding network interaction is the cause that triggered the clearing operation.

S206, determining a clearing instruction corresponding to the malicious program sample and an online characteristic corresponding to the malicious program sample according to the trigger of the clearing operation.

In the embodiment of the present application, continuing the above example, when it is determined that the network interaction before a clearing behavior of the malicious program sample is the cause that triggered the clearing operation, the network response of the control end received before the clearing operation may be used as the clearing instruction, and the communication between the malicious program sample and the control end is used as the online feature.

In the embodiment of the present application, the network response of the control end (i.e. the attacker's host) is linked with the behavior of the controlled end (i.e. the target host) so as to capture the clearing instruction of the control end according to the predefined clearing behavior.

In the embodiment of the application, by implementing the steps S204 to S206, the removal instruction corresponding to the malicious program sample and the online feature corresponding to the malicious program sample can be determined according to the behavior chain, so that the online feature of the remote control trojan and the corresponding removal instruction can be automatically extracted.

In the embodiment of the application, by implementing the steps S202 to S206, the malicious program sample can be run through the pre-deployed sandbox, and the removal instruction corresponding to the malicious program sample and the online characteristics of the malicious program sample are obtained.
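The steps S202 to S206 above, worked through in Python as an added illustration that is not part of the patent: the event schema, the sample metadata, the control-end address (a TEST-NET-3 address) and the trace are constructed, and "clearing behavior" is taken to mean the three behaviors the text names (process destruction, deletion of the sample's files, removal of its persistence setting).

```python
"""Behaviour-chain analysis (steps S202 to S206) as an added Python illustration.

Not code from the patent. The Event schema, SAMPLE metadata, C2 address and TRACE
are constructed here; a real sandbox report would first be mapped onto this shape.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    t: float       # seconds since the sample was started in the sandbox
    kind: str      # "proc", "file", "reg", "net_send" or "net_recv"
    detail: dict   # kind-specific fields, see TRACE below


# Constructed facts about the detonated sample (the hash is a labelled placeholder).
SAMPLE = {
    "hash": "<constructed-sha256>",
    "family": "ConstructedRAT",
    "pid": 4242,
    "paths": {r"C:\Users\Public\svchost_.exe"},
    "persistence": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_"},
}
C2 = {"ip": "203.0.113.10", "port": 8443}   # constructed control end (TEST-NET-3)

# Constructed trace, deliberately not in time order: specific behaviours and
# network interaction data arrive from different sandbox monitors.
TRACE = [
    Event(6.4, "net_recv", {"src": C2["ip"], "sport": C2["port"], "data": b"\x09\x00uninstall"}),
    Event(0.5, "proc", {"op": "create", "pid": 4242, "path": r"C:\Users\Public\svchost_.exe"}),
    Event(6.9, "proc", {"op": "exit", "pid": 4242}),
    Event(2.0, "net_send", {"dst": C2["ip"], "dport": C2["port"], "data": b"HELLO|WIN7-SBX|id=0001"}),
    Event(1.2, "reg", {"op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_"}),
    Event(3.0, "file", {"op": "create", "path": r"C:\Temp\log.txt"}),   # noise, not a clearing behaviour
    Event(2.4, "net_recv", {"src": C2["ip"], "sport": C2["port"], "data": b"\x01\x00ack"}),
    Event(4.0, "net_send", {"dst": C2["ip"], "dport": C2["port"], "data": b"BEAT"}),
    Event(4.3, "net_recv", {"src": C2["ip"], "sport": C2["port"], "data": b"\x02\x00sleep"}),
    Event(6.7, "file", {"op": "delete", "path": r"C:\Users\Public\svchost_.exe"}),
    Event(6.6, "reg", {"op": "delete", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_"}),
]


def build_behavior_chain(events: list[Event]) -> list[Event]:
    """S203: time-series processing, one ordered chain from all monitors."""
    return sorted(events, key=lambda e: e.t)


def is_clearing_event(ev: Event, sample: dict) -> bool:
    """S204: the predefined clearing behaviours (process destruction, deletion of
    the sample's own files, removal of its persistence setting)."""
    d = ev.detail
    if ev.kind == "proc":
        return d.get("op") == "exit" and d.get("pid") == sample["pid"]
    if ev.kind == "file":
        return d.get("op") == "delete" and d.get("path") in sample["paths"]
    if ev.kind == "reg":
        return d.get("op") == "delete" and d.get("key") in sample["persistence"]
    return False


def extract_library_entry(events: list[Event], sample: dict) -> Optional[dict]:
    """S205/S206: locate the trigger of the clearing behaviour and derive the
    clearing instruction, online feature and associated information.
    Returns None when the sample never cleared itself (nothing to capture) or
    when no control-end response precedes the clearing behaviour."""
    chain = build_behavior_chain(events)
    first_clear = next((i for i, ev in enumerate(chain) if is_clearing_event(ev, sample)), None)
    if first_clear is None:
        return None
    # Trigger factor: the last network response received before the clearing behaviour.
    trigger = next((ev for ev in reversed(chain[:first_clear]) if ev.kind == "net_recv"), None)
    if trigger is None:
        return None
    ctrl = (trigger.detail["src"], trigger.detail["sport"])
    # Online feature: the sample's first message to that control end (its check-in).
    checkin = next((ev for ev in chain if ev.kind == "net_send"
                    and (ev.detail["dst"], ev.detail["dport"]) == ctrl), None)
    observed = {f"{ev.kind}:{ev.detail['op']}" for ev in chain[first_clear:]
                if is_clearing_event(ev, sample)}
    return {
        "clearing_instruction": trigger.detail["data"],
        "online_feature": {"c2": ctrl, "checkin": checkin.detail["data"] if checkin else None},
        "associated_info": {"family": sample["family"], "hash": sample["hash"], "c2_ip": ctrl[0]},
        "clearing_behaviors": sorted(observed),
        "verified": False,   # set later by the rerun/verification step, not here
    }


if __name__ == "__main__":
    print(extract_library_entry(TRACE, SAMPLE))
```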

In the embodiment of the application, the online characteristics of the malicious program sample can be automatically and continuously collected by running the malicious program sample through the pre-deployed sandbox, so that the online characteristic library of the malicious program sample is obtained.

In the embodiment of the application, a malicious program clearing instruction library can be further constructed according to the clearing instruction corresponding to the malicious program sample.

And S207, acquiring the associated information of the malicious program sample.

In the embodiment of the present application, the associated information of the malware sample includes, but is not limited to, a family identifier, the hash value of the malware sample, and the communication domain name, IP address and URL of the malware sample; the embodiment of the present application is not limited thereto.

After step S207, the following steps are also included:

and S208, constructing a malicious program clearing instruction library according to the clearing instruction, the online characteristics and the associated information.

In the embodiment of the application, the clearing instruction, the online characteristic, the associated information and other network assets are associated, so that a malicious program clearing instruction library is obtained.

In the embodiment of the application, the malicious program clearing instruction library comprises an online feature library and a clearing instruction library, which are placed in one-to-one correspondence through the corresponding associated information; thus, within the malicious program clearing instruction library, each clearing instruction, its online feature and its associated information correspond one to one.

As an optional implementation manner, after constructing the malware removal instruction library according to the removal instruction, the online feature and the associated information, the method may further include the following steps:

rerunning the malicious program sample;

adopting a malicious program clearing instruction library to clear the malicious program sample, and detecting the clearing verification effect of the clearing processing;

judging whether the clearing verification effect reaches a preset effect threshold value or not;

and if so, storing the malicious program clearing instruction library, and executing the step of obtaining a target clearing instruction matched with the communication characteristics according to the preset malicious program clearing instruction library.

In the above embodiment, after the malicious program removal instruction library is obtained, the malicious program sample may be run again in the isolation environment, and the removal effect is verified (and the reliability of the removal function improved) by proxying the traffic, simulating the traffic response, and analysing, matching and replaying the traffic that contains the removal instruction.

In the above embodiment, the trojan is run again and the removal effect is verified through the traffic proxy and the analysis module.

In the above embodiment, only when the clearing verification effect reaches the preset effect threshold is the malicious program removal instruction library used in the actual environment.

After step S208, the following steps are also included:

S209, judging whether a malicious program is detected on the target host; if so, executing step S210 to step S212; if not, executing step S209 again to continue determining whether a malicious program is detected on the target host.

S210, acquiring the communication characteristics of the malicious program.

S211, acquiring a target clearing instruction matched with the communication characteristics according to a preset malicious program clearing instruction library.

S212, issuing the target clearing instruction to the target host, so that the target host clears the malicious program according to the target clearing instruction.

In the embodiment of the present application, please refer to fig. 5, which is a schematic key flow diagram of a malicious program removal method according to the embodiment of the present application. As shown in fig. 5, when the malicious program sample is a trojan program, the file detection module obtains the pre-collected trojan program; the sandbox analysis environment then obtains the behavior chain of the trojan program running in the sandbox; the monitoring and analysis module then constructs, from the behavior chain of the trojan program and the associated information, a malicious program removal instruction library comprising an online feature library and a removal instruction library; finally, the traffic proxy, analysis, matching and replay module verifies the removal verification effect of the malicious program removal instruction library, and if the removal verification effect reaches the preset effect threshold, the automatic trojan removal module performs trojan program removal in the actual environment.
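The library construction of step S208, the verification gate on the clearing verification effect, and the matching of a host's communication characteristics to a target clearing instruction in steps S209 to S212, as an added Python example that is not part of the patent; the class and function names, the threshold value, and the sample domains, hashes and instruction tokens are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LibraryEntry:
    """One record of the removal instruction library (S208): associated information,
    the online features seen in the sandbox, and the matching removal instruction."""
    family: str                 # family identifier (associated information)
    sample_hash: str            # sample hash (associated information); placeholder value
    online_features: frozenset  # communication domains / IPs / URLs observed in the sandbox
    clear_instruction: str      # opaque token standing in for the removal instruction


class RemovalInstructionLibrary:
    """Keeps online features and removal instructions in one-to-one correspondence and
    only exposes entries whose re-run verification reached the effect threshold."""
    def __init__(self, effect_threshold: float):
        self.effect_threshold = effect_threshold
        self._by_feature = {}   # online feature -> verified LibraryEntry

    def verify_and_store(self, entry: LibraryEntry, verification_effect: float) -> bool:
        """Store the entry only if the clearing verification effect reaches the threshold."""
        if verification_effect < self.effect_threshold:
            return False        # below threshold: never issued to a real host
        for feature in entry.online_features:
            self._by_feature[feature] = entry
        return True

    def match(self, communication_features):
        """S211: first stored entry whose online features overlap the host's traffic."""
        for feature in communication_features:
            entry = self._by_feature.get(feature)
            if entry is not None:
                return entry
        return None


def select_target_instruction(library, host_communication_features):
    """S209 to S212: map observed host communication to the target clearing instruction."""
    entry = library.match(host_communication_features)
    return None if entry is None else entry.clear_instruction


# Constructed sample data: placeholder domains, hashes and instruction tokens.
VERIFIED = LibraryEntry("family-a", "HASH_PLACEHOLDER_A",
                        frozenset({"c2-a.example.invalid", "198.51.100.10"}), "CLEAR_A")
UNVERIFIED = LibraryEntry("family-b", "HASH_PLACEHOLDER_B",
                          frozenset({"c2-b.example.invalid"}), "CLEAR_B")
LIBRARY = RemovalInstructionLibrary(effect_threshold=0.9)
LIBRARY.verify_and_store(VERIFIED, verification_effect=0.95)    # stored
LIBRARY.verify_and_store(UNVERIFIED, verification_effect=0.60)  # rejected
```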

Therefore, the malicious program removing method described in this embodiment can automatically remove the malicious program, and effectively avoid the risk of being attacked again, thereby improving the network security of the host.

Example 3

Referring to fig. 3, fig. 3 is a schematic structural diagram of a malicious program removal apparatus according to an embodiment of the present disclosure. As shown in fig. 3, the malware removal apparatus includes:

a judging unit 310 for judging whether a malicious program is detected on the target host;

a first obtaining unit 320, configured to, when a malicious program is detected, obtain a communication characteristic of the malicious program;

a second obtaining unit 330, configured to obtain, according to a preset malicious program removal instruction library, a target removal instruction matched with the communication feature;

the issuing unit 340 is configured to issue the target clear instruction to the target host, so that the target host performs a clearing process on the malicious program according to the target clear instruction.

In the embodiment of the present application, for explanation of the malicious program removal device, reference may be made to the description in embodiment 1 or embodiment 2, and details of this embodiment are not repeated.

Therefore, the malicious program removing device described in this embodiment can automatically remove the malicious program, and effectively avoid the risk of being attacked again, thereby improving the network security of the host.

Example 4

Referring to fig. 4, fig. 4 is a schematic structural diagram of another malicious program removal apparatus according to an embodiment of the present disclosure. The malware removal device shown in fig. 4 is optimized by the malware removal device shown in fig. 3. As shown in fig. 4, the malware removal apparatus further includes:

a third obtaining unit 350, configured to obtain a pre-collected malicious program sample before obtaining a target removal instruction matching the communication feature according to a preset malicious program removal instruction library;

the running unit 360 is configured to run the malicious program sample through the pre-deployed sandbox to obtain a clearing instruction corresponding to the malicious program sample and an online characteristic of the malicious program sample;

a third obtaining unit 350, configured to obtain associated information of the malware sample;

and the constructing unit 370 is used for constructing a malicious program clearing instruction library according to the clearing instruction, the online characteristics and the associated information.

As an alternative embodiment, the running unit 360 includes:

the running subunit 361 is configured to run the malicious program sample through a pre-deployed sandbox, so as to obtain a specific behavior and network interaction data of the malicious program sample when the malicious program sample runs in the sandbox;

the processing subunit 362 is configured to perform time-series processing on the specific behavior and the network interaction data to obtain a behavior chain in which a malicious program sample runs in a sandbox;

the determining subunit 363 is configured to determine, according to the behavior chain, a cleaning instruction corresponding to the malicious program sample and an online feature corresponding to the malicious program sample.

As an optional implementation, the determining subunit 363 includes:

the first module is used for determining, according to the behavior chain, the clearing behavior of the malicious program sample when it runs in the sandbox;

the second module is used for determining, according to the clearing behavior, the cause that triggers the clearing operation;

and the third module is used for determining, according to the cause that triggers the clearing operation, the clearing instruction corresponding to the malicious program sample and the online characteristic corresponding to the malicious program sample.

As an optional implementation manner, the running unit 360 is further configured to rerun the malicious program sample after constructing a malicious program removal instruction library according to the removal instruction, the online feature, and the associated information;

the malicious program removal device further includes:

the processing unit 380 is configured to perform cleaning processing on the malicious program sample by using a malicious program cleaning instruction library, and detect a cleaning verification effect of the cleaning processing;

the determining unit 310 is further configured to determine whether the clearing verification effect reaches the preset effect threshold;

the storage unit 390 is configured to, when the determining unit 310 determines that the preset effect threshold is reached, store the malicious program removal instruction library, and trigger the second obtaining unit 330 to obtain the target removal instruction matched with the communication feature according to the preset malicious program removal instruction library.

In the embodiment of the present application, for explanation of the malicious program removal device, reference may be made to the description in embodiment 1 or embodiment 2, and details of this embodiment are not repeated.

Therefore, the malicious program removing device described in this embodiment can automatically remove the malicious program, and effectively avoid the risk of being attacked again, thereby improving the network security of the host.

An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute a malicious program removal method according to any one of embodiment 1 and embodiment 2 of the present application.

An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the method for removing a malicious program according to any one of embodiments 1 and 2 of the present application is executed.

In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.

The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.

The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
