A malicious program is a general term referring to any software program deliberately created to perform unauthorized and usually harmful behavior. Computer viruses, backdoors, keyloggers, password stealers, Word and Excel macro viruses, boot sector viruses, script viruses (batch, Windows shell, Java, etc.), Trojans, crimeware, spyware, adware, etc. are all examples of what can be called a malicious program.
The traditional ways of defending against and removing a malicious program rely mainly on a feature library mode. A feature library consists of feature codes of malicious program samples collected by a vendor, where a feature code is a segment of program code, similar to a “search keyword”, that an analysis engineer cuts out of the place where a malicious program is found to differ from legitimate software. During scanning and removal, an engine reads a file and matches it against all of the feature code “keywords” in the feature library; if a program code of the file is hit, the program of the file may be determined to be a malicious program.
Feature library matching is a very effective technique for detecting and removing a known malicious program. However, the number of malicious programs worldwide now increases exponentially; because of this explosive growth, the generation and update of a feature library often lag behind, and most of the time antivirus software cannot defend against and remove the endless stream of newly emerging unknown malicious programs.
Active defense came into being as a consequence. It is a real-time protection technique based on self-analysis and determination of program behavior, and does not take a feature code as the basis for determining a malicious program. Instead, active defense starts from the original definition and takes the program's behavior directly as the basis for determining a malicious program; from this, ways of using a feature library locally, setting a behavior threshold locally and heuristically removing the virus locally are derived to discriminate and intercept the behavior of the malicious program, thereby to some extent achieving the purpose of protecting a user's computer.
However, drawbacks inevitably exist for the above local active defense means. First, it is very easy for a malicious program to evade the local active defense. For example, the feature library based detection mode of the local active defense may be avoided by packing a malicious program or modifying a feature code of the malicious program; as for the behavior of the malicious program, triggering the startup upper limit of the behavior threshold based detection mode is avoided by decreasing or replacing the associated behaviors performed by the malicious program. Additionally, the local active defense still relies on a timely update of a local database.