惡意程式傷害範圍估測與清除機制

Abstract

在半虛擬化環境中心使用行為比對來偵測惡意程式有著高偵測率，但由於其偵測期間，惡意行為持續對其造成傷害，因此嘗試設計一套系統可以對特定程式、執行序進行傷害範圍估測及清除，以處理管理端所欲達成的修復系統傷害。 在Xen環境底下，我們針對Windows客戶端虛擬機設計一套傷害範圍估測與清除機制，修改一套Mini-filter driver以攔截並記錄IRPs(I/O Request Packets)行為歷程，已完成在行為比對偵測動作完成時，能夠提供完整的資訊及清除能力。

In paravirtualized environment, Behavior matching is a detection method with high detection rate. However, during the matching behavior time passed, the malicious software continually doing damage. We design this for estimate and recovery those damages after malware was found. With Xen, we design an estimation and recovery mechanism for guest OS which is Windows. We modified a mini-filter Driver to intercept IRPs(I/O Request Packets). With this system design, we could provide the complete estimation and recovery just after matching.