| 摘要 |
A system, method and computer program product for treating a malware in a computer having multiple copies of the same malicious code activated, where the multiple copies monitor each other's existence, including (a) identifying a presence of the malicious code on the computer; (b) blocking actions that permit one active copy of the malicious code to activate another copy of the malicious code; (c) deleting, from persistent storage, a file containing executable code of the malware; and (d) rebooting the computer. The actions include disabling writes to the persistent storage, disabling writes to a system registry, and/or blocking activation of new processes. The blocking utilizes a driver loaded into the kernel space. The identifying can use signature identification for malware detection.
|
