Title of invention Detecting and responding to malware using link files
Abstract Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for monitoring the generation of link files by processes on a computer and performing protection processes based on whether the link files target malicious objects or are generated by malicious processes. In one aspect, a method includes monitoring for a generation of a first file that includes a target path that points to an object; in response to monitoring the generation of the first file: determining whether the target path is a uniform resource locator; in response to determining that the target path is a uniform resource locator, identifying a process that caused the first file to be generated; determining whether the process is a prohibited process; in response to determining that the process is a prohibited process, performing one or more protection processes on the process and the first file; in response to determining that the process is not a prohibited process, determining whether the uniform resource locator is a prohibited uniform resource locator; in response to determining that the uniform resource locator is a prohibited uniform resource locator, performing one or more protection processes on the process and the first file.
Publication number US8863282(B2) Publication date 2014.10.14
Application number US200912579679 Filing date 2009.10.15
Applicant McAfee Inc. Inventors Kumar Lokesh; Ramchetty Harinath Vishwanath; Kulkarni Girish R.
Classification G06F21/00; G06F21/55; H04L29/06; G06F21/51; G06F21/56 Main classification G06F21/00
Agency Patent Capital Group Agent Patent Capital Group
Main claim 1. A computer-implemented method, comprising: monitoring, by a first computer, a generation of a link file that includes a target path that points to an object; in response to monitoring the generation of the link file: identifying, by the first computer, a process that caused the link file to be generated; determining, by the first computer, whether the process is a prohibited process; in response to determining that the process is a prohibited process, performing, by the first computer, one or more protection processes on the process and the link file; in response to determining that the process is not a prohibited process, determining, by the first computer, whether the link file generates a request to a uniform resource locator; in response to determining that the link file generates a request to a uniform resource locator, determining, by the first computer, whether the uniform resource locator is associated with a malicious resource; in response to determining that the uniform resource locator is associated with a malicious resource, performing, by the first computer, one or more protection processes on the link file.
Address Santa Clara CA US
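
The decision order of claim 1, sketched as an added example; it is not code from the patent or from McAfee. It assumes the link file is a Windows Internet Shortcut (.url, INI text); the blocklists, the action names and the sample shortcuts are constructed placeholders, since the record does not say what the protection processes are.

```python
import configparser
from urllib.parse import urlsplit

# Constructed blocklists (assumptions, not values from the patent record).
PROHIBITED_PROCESSES = {"dropper.exe"}
MALICIOUS_HOSTS = {"bad.example"}


def url_target(link_text):
    """Return the URL a .url-style link file requests, or None if it has no URL target."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(link_text)
        target = parser.get("InternetShortcut", "URL", fallback="").strip()
        parts = urlsplit(target)
    except (configparser.Error, ValueError):
        return None  # malformed link file or malformed URL: treat as "not a URL"
    # A local path such as C:\... parses with scheme "c" and is rejected here.
    if parts.scheme.lower() in ("http", "https", "ftp") and parts.hostname:
        return target
    return None


def on_link_created(creator, link_text):
    """Claim 1 order: creating process first, URL second. Returns the actions to take."""
    if creator.lower() in PROHIBITED_PROCESSES:
        # Prohibited creator: act on both the process and the link file.
        return ["protect-process", "protect-link-file"]
    url = url_target(link_text)
    if url is None:
        return []  # link does not generate a URL request; claim 1 stops here
    host = urlsplit(url).hostname  # urlsplit lower-cases the host
    if host in MALICIOUS_HOSTS or any(host.endswith("." + h) for h in MALICIOUS_HOSTS):
        # Allowed creator, malicious URL: claim 1 acts on the link file only.
        return ["protect-link-file"]
    return []


if __name__ == "__main__":
    # Constructed file-creation events: (creating process, link file contents).
    events = [
        ("dropper.exe", "[InternetShortcut]\nURL=https://ok.example/\n"),
        ("explorer.exe", "[InternetShortcut]\nURL=http://cdn.bad.example/a%20b\n"),
        ("explorer.exe", "[InternetShortcut]\nURL=C:\\Windows\\notepad.exe\n"),
    ]
    for creator, text in events:
        print(creator, "->", on_link_created(creator, text))
```

The abstract describes the opposite order (URL test before the process test) and applies protection to both the process and the file in each branch; the sketch follows claim 1.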