This post was last edited by sniss on 2011-1-23 18:27
sololp posted on 2011-1-21 10:03:
Because BD does single-step interception, it does not control the whole process flow.
Most common process actions considered suspect by Active Virus Control:
- Not waiting for/requesting any type of user interaction
- Not displaying any type of UI when terminating the execution
- Copying or moving files in C:\Windows\ or C:\Windows\System32\
- Having an icon of an unrelated type (e.g. a process that has a folder icon; social engineering tactics)
- Executing code in other processes' space (trying to execute code with higher privileges)
- Running files that they created themselves from information stored in their own binary
- Copying its own contents inside a different file on a disk (replicating itself)
- Adding itself in the startup sequence of the Operating System
- Hiding themselves from typical process enumeration applications
- Dropping drivers in C:\Windows\System32\ and registering them
Important note: None of the actions listed above is relevant enough by itself. This is why Active Virus Control keeps a score and monitors the process until a threshold is reached. Identifying only one of these actions renders that specific process as suspect (to some degree), but not as malicious.
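To make the scoring idea concrete, here is a small added example of cumulative behavioural scoring over a process event stream, contrasted with a per-action ("single-step") decision. This is illustration code written for this post, not Bitdefender's code: the action weights, the threshold, the event names and the sample event log are all constructed, and nothing about the real engine's internal values is known or implied.

```python
"""Toy behavioural scoring in the style described for Active Virus Control.

Added illustration, not Bitdefender code. The weights, the threshold and the
sample event log are constructed for this example.
"""
from collections import defaultdict

# One weight per action listed in the post. Constructed values: every single
# weight is below THRESHOLD, which is exactly the point the note makes, that
# no one action is enough on its own.
WEIGHTS = {
    "no_user_interaction": 1,
    "no_ui_on_exit": 1,
    "write_system_dir": 2,
    "mismatched_icon": 2,
    "inject_other_process": 3,
    "run_self_created_file": 2,
    "self_replicate": 3,
    "add_startup_entry": 2,
    "hide_from_enumeration": 3,
    "drop_and_register_driver": 3,
}
THRESHOLD = 6  # constructed; the real threshold is not public


def no_single_action_suffices():
    """True when no listed action can cross the threshold by itself."""
    return all(weight < THRESHOLD for weight in WEIGHTS.values())


def score_processes(events):
    """Accumulate per-process scores over an event stream.

    events: iterable of (pid, action) tuples in observation order.
    Returns (scores, verdicts). verdicts[pid] is 'malicious' once the running
    score reaches THRESHOLD and 'suspect' if a listed action was seen but the
    threshold was not reached; pids with no listed action are absent.
    Actions not in WEIGHTS are ignored.
    """
    scores = defaultdict(int)
    verdicts = {}
    for pid, action in events:
        weight = WEIGHTS.get(action)
        if weight is None:
            continue
        scores[pid] += weight
        # The process is only escalated once the accumulated score reaches
        # the threshold; any earlier action leaves it merely 'suspect'.
        if scores[pid] >= THRESHOLD:
            verdicts[pid] = "malicious"
        elif pid not in verdicts:
            verdicts[pid] = "suspect"
    return dict(scores), verdicts


def single_step_flagged(events):
    """Contrast with single-step interception: each action is judged alone,
    with no memory across events. Returns the pids that model would flag."""
    return {pid for pid, action in events if WEIGHTS.get(action, 0) >= THRESHOLD}


# Constructed sample log: pid 1001 performs several listed actions in sequence,
# pid 2002 performs exactly one, pid 3003 does nothing on the list.
SAMPLE_EVENTS = [
    (1001, "no_user_interaction"),
    (1001, "write_system_dir"),
    (1001, "add_startup_entry"),
    (1001, "inject_other_process"),
    (2002, "write_system_dir"),
    (3003, "open_document"),
]

if __name__ == "__main__":
    scores, verdicts = score_processes(SAMPLE_EVENTS)
    print("cumulative:", scores, verdicts)
    print("single-step flagged:", single_step_flagged(SAMPLE_EVENTS))
```

Run as-is, pid 1001 is 'suspect' after its first three actions (score 5) and becomes 'malicious' on the fourth (score 8), pid 2002 stays 'suspect' with a single write into the system directory, and the single-step model flags nothing at all, which is the behaviour the quoted reply criticises.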