Abstract of the paper "Principles and Prevention of Computer Virus"
Anti-virus technology: signature scanning. The core idea of signature scanning is that an anti-virus company's analysts extract a signature (a distinctive byte sequence) from the body of a virus by hand, and the anti-virus product then compares every inspected object against its signature database: an object that contains a signature is reported as that virus. A virus whose signature has been extracted by an anti-virus company is called a known virus; one whose signature has not been extracted is called an unknown virus. Because the signature comes from the virus body, it cannot be obtained until the body itself has been obtained, so by its very principle signature scanning can only identify known viruses and cannot block unknown ones. The traditional anti-virus workflow runs as follows: a user notices abnormal behaviour on a computer and suspects a virus infection → a user with some anti-virus knowledge emails the suspicious file to the anti-virus company → a virus analyst at the company examines the file by hand → if it is judged to be a virus, a signature is extracted from its code, an update package is built and published on the Internet → only after the user installs that update can the product remove the virus. Until the update is installed, the anti-virus product on the user's computer can neither stop the infection nor prevent the damage. Today this traditional technology faces a very serious challenge. Hackers produce large numbers of Trojans aimed at stealing trade secrets, virtual property, bank account credentials and the like, and this profit-driven malware has become the dominant trend in virus development. To keep their Trojans from being found by anti-virus software, hackers have developed a range of simple anti-detection ("anti-killing") techniques.
They do not need to rewrite the Trojan at all; it is enough to pack it ("add a shell"), insert junk instructions, or locate and patch the bytes that the signature matches. In a short time they can mass-produce Trojan variants that evade traditional anti-virus products. More serious still is the appearance of automatic packing and automatic anti-detection tools, and even their sale as commercial products. The variant authors release updates every day, faster than the anti-virus software itself, and Trojan variants generated automatically by such tools usually slip past even the latest version of an anti-virus product. This "industrialization and automation" of Trojan production makes it harder and harder for anti-virus companies to collect samples, or means a Trojan has been circulating for a long time before it is collected, causing users irreparable losses. According to statistics from a German anti-virus testing laboratory, about 5.5 million malicious programs spread over the Internet in 2007, and anti-virus companies had to analyze 15,000 to 20,000 new viruses every day, four times the average daily workload of 2006 and fifteen times that of 2005. The traditional cycle of "virus appears → virus is collected → virus is analyzed → virus database is updated" defends well against known viruses, but users remain exposed to the large number of viruses that anti-virus companies have not yet collected and to the tens of thousands of new viruses appearing daily, so their information security cannot be effectively guaranteed. It is an indisputable fact that traditional anti-virus technology lags behind virus technology and can no longer meet current needs. Computer users therefore urgently need anti-virus software that can automatically detect and remove unknown viruses.
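To make the two points above concrete (a signature identifies only the exact bytes it was extracted from, and packing or patching those bytes defeats the match), here is an added Python illustration that is not part of the thesis or of any vendor's engine. The virus body, the signature, the STUB packer marker and the clean input are all constructed byte strings, and the names extract_signature, scan, insert_filler, xor_pack, xor_unpack and scan_with_unpack are this example's own.

```python
"""Signature scanning and the cheap variant tricks that evade it.

Added illustration, not code from the thesis or from any vendor. The 'virus
body', the extracted signature, the packer stub and the clean input are all
constructed byte strings."""

# Constructed stand-in for a malicious executable: a fake 32-byte header
# followed by a distinctive code run and a string push.
VIRUS_BODY = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x05\x10\x40\x00"   # call $+5 / pop ebx / sub ebx, imm32
    + b"\x53\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72"       # push ebx / push "32.d" / push "user"
    + b"\x00" * 16
)


def extract_signature(body: bytes, offset: int, length: int) -> bytes:
    """The manual step: an analyst picks a byte run that is distinctive for
    this sample and unlikely to occur in clean files."""
    return body[offset:offset + length]


SIGNATURES = {"Constructed.Sample.A": extract_signature(VIRUS_BODY, 32, 12)}


def scan(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Names of every signature whose bytes occur verbatim in `data`."""
    return [name for name, sig in signatures.items() if sig in data]


# --- the variant tricks named in the text ----------------------------------

def insert_filler(body: bytes, sig: bytes) -> bytes:
    """'Locate and modify the signature': put one filler byte (a NOP here)
    inside the matched region. Keeping the program working is the author's
    problem; the scanner only compares bytes, so any change breaks the match."""
    pos = body.find(sig)
    if pos < 0:
        return body
    patched = bytearray(body)
    patched[pos + 5:pos + 5] = b"\x90"
    return bytes(patched)


STUB_MAGIC = b"STUB"   # constructed marker standing in for a real decoder stub


def xor_pack(body: bytes, key: int) -> bytes:
    """'Add a shell' (packing): store the body XOR-encoded behind a stub.
    The plaintext signature no longer exists anywhere in the file."""
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def xor_unpack(packed: bytes) -> bytes:
    """Undo xor_pack: read the key stored after the stub and decode the body."""
    key = packed[len(STUB_MAGIC)]
    return bytes(b ^ key for b in packed[len(STUB_MAGIC) + 1:])


def scan_with_unpack(data: bytes, signatures: dict = SIGNATURES) -> list:
    """The engine-side counter: recognise a (known) packer, unpack, then scan.
    This only helps for packers the vendor has already analysed; a new or
    modified packer puts the engine back to square one."""
    if data.startswith(STUB_MAGIC):
        data = xor_unpack(data)
    return scan(data, signatures)


if __name__ == "__main__":
    sig = SIGNATURES["Constructed.Sample.A"]
    packed = xor_pack(VIRUS_BODY, 0x5A)
    print("original        :", scan(VIRUS_BODY))
    print("filler variant  :", scan(insert_filler(VIRUS_BODY, sig)))
    print("packed variant  :", scan(packed))
    print("packed, unpacked:", scan_with_unpack(packed))
```

The scanner reports the original body and nothing else; both variants pass as clean, and only the packed one is caught again, and only because the engine already knows this particular packer.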
Micropoint active defense technology and its principle. Since anti-virus engineers can accurately judge whether a program is a virus by analyzing its behaviour, can that analysis and judgement be automated and implemented in a program? XX considers this feasible, and Micropoint active defense technology is designed on exactly this idea: the regularities of virus behaviour are analyzed and summarized and, combined with the experience of anti-virus experts in judging viruses, distilled into a knowledge base of virus identification rules that simulates how an expert discovers a new virus. Many probes distributed throughout the operating system dynamically monitor the application programming interface (API) calls made by running programs; a program's sequence of actions is analyzed for its logical relationships and combined into meaningful behaviours, and the virus identification rules are then applied to those behaviours as a whole. Drawing on twenty years of anti-virus practice, the anti-virus expert Liu Xu took the lead in establishing an active defense technology system of "monitoring and dynamic protection" and defined the core criteria of an active defense product: a dynamic simulated anti-virus expert system as the premise, automatic and accurate judgement of unknown viruses as the basic requirement, and monitoring of program behaviour as the guaranteeing mechanism. Led by Liu Xu, the Micropoint R&D team developed the world's first new-generation anti-virus software able to actively defend against computer viruses and network attacks: Micropoint Active Defense Software.
The software relies on five core technologies: a dynamic simulated anti-virus expert system, automatic and accurate identification of new viruses, synchronous monitoring of program behaviour, automatic extraction of signatures to provide a second layer of protection, and visual display of monitoring information. Together these let it identify unknown viruses on its own, report them clearly and remove them automatically, overcoming the fatal defect that traditional anti-virus software lags behind viruses. Confronted with the many competing notions of "active defense", Liu Xu pointed out that, like every other anti-virus technology, active defense must reach a clear verdict on the nature of a program: if it is a virus, the product must raise an explicit alarm telling the user that a virus has been found. A product that merely raises an alarm on a single action of a program and leaves the user to judge whether that action is threatening is not active defense. A program action here means that the anti-virus software has observed the program calling an API provided by Windows. APIs are functions that Windows provides for program development; both normal programs and viruses use them, so an API call is neither good nor evil in itself. If the product alarms on each individual action, an ordinary user has real difficulty judging whether that action is harmful and is simply left at a loss. This is obviously not the anti-virus technology that most computer users need.
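As an added illustration of the behaviour-correlation idea in the two paragraphs above, and of the difference between alarming on a single API call and reporting a behaviour, here is a small rule engine in Python. It is not Micropoint's code: the probe events, the process ids, the file paths, the rule set and the names ApiCall, ProcState, observe, analyze and single_action_alerts are all constructed for this example.

```python
"""Behaviour correlation over API-call probes: an added illustration, not
Micropoint's code. The probe events, process ids, paths and rules below are
all constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

SYSTEM_DIR = "c:\\windows\\system32\\"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class ApiCall:
    """One event as an in-process probe (API hook) would report it."""
    pid: int
    api: str
    args: tuple


@dataclass
class ProcState:
    """Per-process facts accumulated from individual actions."""
    dropped: set = field(default_factory=set)      # executables written to the system dir
    autorun: set = field(default_factory=set)      # paths registered under the Run key
    wrote_into: set = field(default_factory=set)   # foreign pids written to
    threads_in: set = field(default_factory=set)   # foreign pids given a new thread
    actions: list = field(default_factory=list)    # every classified single action


def observe(state: ProcState, call: ApiCall) -> None:
    """Map one API call to an action. The API itself is neutral; we only
    record the fact and let the rules decide."""
    if call.api == "CreateFileW":
        path = call.args[0].lower()
        if path.startswith(SYSTEM_DIR) and path.endswith((".exe", ".dll")):
            state.dropped.add(path)
            state.actions.append("drop_exe_in_system_dir")
    elif call.api == "RegSetValueExW" and call.args[0].lower() == RUN_KEY.lower():
        state.autorun.add(call.args[2].lower())
        state.actions.append("set_autorun")
    elif call.api == "WriteProcessMemory" and call.args[0] != call.pid:
        state.wrote_into.add(call.args[0])
        state.actions.append("write_foreign_process")
    elif call.api == "CreateRemoteThread" and call.args[0] != call.pid:
        state.threads_in.add(call.args[0])
        state.actions.append("create_remote_thread")


# Knowledge base: each rule names a behaviour and checks a *relationship*
# between actions of the same process, not the mere presence of an API call.
RULES = [
    ("Trojan install: dropped an executable into the system directory and "
     "registered that same file for autorun",
     lambda s: bool(s.dropped & s.autorun)),
    ("Code injection: wrote into another process and then started a thread in it",
     lambda s: bool(s.wrote_into & s.threads_in)),
]


def collect(trace: list) -> dict:
    """Feed every probe event into the state of the process that caused it."""
    states = defaultdict(ProcState)
    for call in trace:
        observe(states[call.pid], call)
    return states


def analyze(trace: list) -> dict:
    """Verdict per pid: the list of matched behaviours (empty means no report)."""
    return {pid: [name for name, hit in RULES if hit(s)]
            for pid, s in collect(trace).items()}


def single_action_alerts(trace: list) -> dict:
    """What a naive 'alarm on every sensitive API' product would show the user."""
    return {pid: list(s.actions) for pid, s in collect(trace).items()}


# Constructed trace: pid 100 is a legitimate vendor installer, pid 200 a Trojan.
TRACE = [
    ApiCall(100, "CreateFileW", (r"C:\Windows\System32\vendor_helper.dll",)),
    ApiCall(100, "RegSetValueExW", (RUN_KEY, "VendorUpdater", r"C:\Program Files\Vendor\updater.exe")),
    ApiCall(200, "CreateFileW", (r"C:\Windows\System32\svchosts.exe",)),
    ApiCall(200, "RegSetValueExW", (RUN_KEY, "svchosts", r"C:\Windows\System32\svchosts.exe")),
    ApiCall(200, "OpenProcess", (4321,)),
    ApiCall(200, "WriteProcessMemory", (4321, 0x7FFE0000, b"\xcc" * 16)),
    ApiCall(200, "CreateRemoteThread", (4321,)),
]

if __name__ == "__main__":
    for pid, verdicts in analyze(TRACE).items():
        print(pid, verdicts or "no virus behaviour")
    print("single-action view:", single_action_alerts(TRACE))
```

The single-action view alarms twice on the installer (it writes a DLL to the system directory and sets an autorun entry), which is exactly the "user left at a loss" situation the text criticises; the rule engine reports nothing for it because the two actions are unrelated, and reports two named behaviours for the Trojan because its autorun entry points at the file it just dropped and its remote thread runs in the process it just wrote to.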