With the rapid development of computer applications, malware spreads across computers and entrenches itself on them, seriously harming security. To remain resident in a computer's operating system, malware has developed a variety of self-protection techniques, so that it cannot be removed by conventional security software.
Conventional security software usually removes malware in one of the following ways. (1) Forcibly deleting the malware's registry entries or files from the driver layer; however, after the deletion the malware writes them back, so the registry entries or files cannot be forcibly deleted. (2) Using a placeholder ("pit-occupying") file to block the malware's write-back: the placeholder is created with the highest system privilege in the kernel and shared opening of it is prohibited; however, once the malware notices that its write-back has failed, it renames itself and re-creates the write-back file under a new name until the write-back succeeds. (3) Writing the malware's file path into the registry and deleting the malware according to that path during system start-up; however, the malware can monitor the registry key during start-up and delete the key whenever it finds its protected path listed there, so the deletion fails. (4) Terminating the malware's write-back process and then deleting the malware's registry entries and files; however, if the malware has entered a system process and performs the write-back of the file or registry from within that system process, the write-back process cannot be terminated, so the malware's registry entries and files cannot be deleted.
Against conventional security software, therefore, the malware uses protective technology or logic that bypasses the security software's deletion, with the result that the security software can do nothing about malware resident in the operating system even after it has been found, which greatly reduces security.