CN102945348A - Method and device for collecting file information



Publication number
CN102945348A
Authority
CN
China
Legal status
Granted
Application number
CN2012104015740A
Other languages
Chinese (zh)
Other versions
CN102945348B (en)
Inventor
邓振波
李宇
温铭
张家柱
Current Assignee
Qianxin Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Legal events
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210401574.0A
Publication of CN102945348A
Application granted
Publication of CN102945348B
Legal status: Active

Abstract

The invention provides a method and a device for collecting the file information of an unknown file. The method comprises the following steps: a control server of an enterprise intranet acquires the file characteristic of a file to be detected from a terminal, where the file to be detected is a file newly added on the terminal and/or a file that has been modified; the control server judges whether the file characteristic of the file to be detected matches the file characteristics of normal executable files or of virus files stored in the file characteristic database on the control server; if not, the control server determines that the file to be detected is an unknown file; the control server returns a message to the terminal stating that the file to be detected is an unknown file and notifies the terminal to upload the file information of the unknown file; and the control server receives and collects the file information of the unknown file uploaded by the terminal. The method and the device can improve the security of the system and the efficiency with which unknown files are detected and processed.

Description

File information collection method and device
Technical field
The application relates to the field of computer technology, and in particular to a method and device for collecting the file information of unknown files.
Background technology
Antivirus software, also called anti-viral or virus-killing software, is a class of software for eliminating computer viruses, Trojan horses and malware. Antivirus software commonly integrates functions such as monitoring and identification, virus scanning and removal, and automatic updating; some antivirus software also provides functions such as data recovery. It is an important component of a computer's defense system (which comprises antivirus software, firewalls, programs for detecting and removing Trojan horses and other malware, intrusion prevention systems, and so on).
At present, when antivirus software is used for system defense and virus scanning, on the one hand, the antivirus software matches the file to be scanned against the virus signatures in its own virus signature database: if a signature matches, the file to be scanned is treated as a virus file and virus removal is performed; if no signature matches, the file is treated as a normal file and released. On the other hand, the scanning process described above is performed only locally.
However, for some suspicious unknown files, because they are not among the virus files already in the antivirus software's virus database and no corresponding signature exists in that database, existing antivirus software releases them. Existing antivirus software therefore cannot effectively detect suspicious unknown files and cannot provide an effective defense against them. Moreover, local scanning has a relatively limited effect: its results cannot be used to influence the virus scanning of other machines.
Summary of the invention
In view of the above problems, namely that existing antivirus software cannot effectively detect and defend against unknown files and that scanning results have a limited effect, the present invention is proposed in order to provide a file information collection method and device that overcome, or at least partly solve, these problems.
According to one aspect of the present invention, a file information collection method is provided, comprising: a control server of an enterprise intranet obtains the file characteristic of a file to be detected from a terminal, where the file to be detected is a file newly added on the terminal and/or a file that has been modified; the control server judges whether the file characteristic of the file to be detected matches the file characteristic of a normal executable file or the file characteristic of a virus file stored in the file characteristic database on the control server; if the file characteristic of the file to be detected matches neither the file characteristic of a normal executable file nor the file characteristic of a virus file, the control server determines that the file to be detected is an unknown file; the control server returns a message to the terminal stating that the file to be detected is an unknown file, and notifies the terminal to upload the file information of the unknown file; and the control server receives and collects the file information of the unknown file uploaded by the terminal.
Optionally, the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected. Before the step in which the enterprise intranet control server obtains the file characteristic of the file to be detected from the terminal, the method further comprises: the control server obtains the file content of normal executable files and the file content of virus files; applies the MD5 algorithm to the file content of the normal executable files and to the file content of the virus files respectively, obtaining the MD5 values of the normal executable files and the MD5 values of the virus files; and saves the MD5 values of the normal executable files as the file characteristics of the normal executable files and the MD5 values of the virus files as the file characteristics of the virus files.
Optionally, the step in which the control server obtains the file characteristic of the file to be detected from the terminal comprises: the control server receives the MD5 value of the file to be detected, encapsulated by the terminal using the HTTP protocol.
Optionally, the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal comprises: the control server receives and collects the file information of the unknown file uploaded directly by the terminal in the background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Optionally, after the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal, the method further comprises: the control server analyzes the file information of the unknown file and determines whether the unknown file is a safe file; if it determines that the unknown file is not a safe file, it records the MD5 value of the unknown file and forbids the unknown file from running.
Optionally, the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal comprises: the control server receives and collects the MD5 value of the unknown file together with at least one of the following items: the digital signature of the unknown file, its file version number, its file name, the product name the unknown file belongs to, the product version, and the copyright information of the company the unknown file belongs to.
Optionally, a file newly added on the terminal is a new file that the terminal has confirmed, through all the terminals of the enterprise intranet, does not currently exist on any terminal of the enterprise intranet; a file that has been modified is a modified file that the terminal has confirmed, through all the terminals of the enterprise intranet, does not currently exist on any terminal of the enterprise intranet.
According to a further aspect of the invention, a file information collection device is provided, arranged at the control server end of an enterprise intranet. The file information collection device comprises: an acquisition module for obtaining the file characteristic of a file to be detected from a terminal of the enterprise intranet, where the file to be detected is a file newly added on the terminal and/or a file that has been modified; a judgment module for judging whether the file characteristic of the file to be detected matches the file characteristic of a normal executable file or the file characteristic of a virus file stored in the file characteristic database on the control server; a determination module for determining that the file to be detected is an unknown file if the judgment module judges that the file characteristic of the file to be detected matches neither the file characteristic of a normal executable file nor the file characteristic of a virus file; and a collection module for returning a message to the terminal stating that the file to be detected is an unknown file, notifying the terminal to upload the file information of the unknown file, and receiving and collecting the file information of the unknown file uploaded by the terminal.
Optionally, the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected. The file information collection device further comprises a saving module which, before the acquisition module obtains the file characteristic of the file to be detected from the terminal of the enterprise intranet, obtains the file content of normal executable files and the file content of virus files; applies the MD5 algorithm to the file content of the normal executable files and to the file content of the virus files respectively, obtaining the MD5 values of the normal executable files and the MD5 values of the virus files; and saves the MD5 values of the normal executable files as the file characteristics of the normal executable files and the MD5 values of the virus files as the file characteristics of the virus files.
Optionally, the acquisition module is used to obtain, from the terminal of the enterprise intranet, the MD5 value of the file to be detected that the terminal has encapsulated using the HTTP protocol.
Optionally, the collection module is used to return a message to the terminal stating that the file to be detected is an unknown file and to notify the terminal to upload the file information of the unknown file; and to receive and collect the file information of the unknown file uploaded directly by the terminal in the background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Optionally, the device further comprises an analysis module for analyzing the file information of the unknown file after the collection module has received and collected it, and determining whether the unknown file is a safe file; if it determines that the unknown file is not a safe file, it records the MD5 value of the unknown file and forbids the unknown file from running.
Optionally, the file information of the unknown file collected by the collection module comprises the MD5 value of the unknown file and at least one of the following items: the digital signature of the unknown file, its file version number, its file name, the product name the unknown file belongs to, the product version, and the copyright information of the company the unknown file belongs to.
Optionally, a file newly added on the terminal is a new file that the terminal has confirmed, through all the terminals of the enterprise intranet, does not currently exist on any terminal of the enterprise intranet; a file that has been modified is a modified file that the terminal has confirmed, through all the terminals of the enterprise intranet, does not currently exist on any terminal of the enterprise intranet.
According to the file information collection scheme of the present invention, the control server end of the enterprise intranet stores not only the file characteristics of virus files (that is, virus signatures) but also the file characteristics of normal executable files. With these file characteristics, when a terminal of the enterprise intranet adds a file or modifies a file, the terminal's files to be detected can be checked. When the file characteristic of the file to be detected reported by the terminal matches none of the file characteristics stored on the control server, the terminal's file to be detected is an unknown file; the control server then notifies the terminal and requires it to report the file information of the file to be detected, and collects the file information of the unknown file from the content the terminal reports, so that it can later be used to identify and judge unknown files on other terminals. An unknown file may be a normal file, but is more likely to be a file harmful to the system (such as a mutated virus file). If, as in existing schemes, unknown file information is not collected and unknown files are not controlled, the system and its users may be harmed. With the scheme of the present invention, collecting the file information of unknown files makes it possible to understand the unknown file situation, judge the nature of the unknown file, and manage and defend against it in time, which greatly improves the security of all terminals in the whole system and reduces system security risks. Furthermore, the control server end can use the collected file information of the unknown file to detect and judge files to be detected on other terminals later, extending the effect of an unknown file found on one terminal to the whole system, which further improves the security of the system and the efficiency with which unknown files are detected and processed.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 is a flow chart of the steps of a file information collection method according to Embodiment One of the invention;
Fig. 2 is a flow chart of the steps of a file information collection method according to Embodiment Two of the invention;
Fig. 3 is a flow chart of the steps of a file information collection method according to Embodiment Three of the invention;
Fig. 4 is a structural block diagram of a file information collection device according to Embodiment Four of the invention.
Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure may be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Embodiment one
Referring to Fig. 1, a flow chart of the steps of a file information collection method according to Embodiment One of the invention is shown.
The file information collection method of this embodiment comprises the following steps:
Step S102: the control server of the enterprise intranet obtains the file characteristic of the file to be detected from a terminal of the enterprise intranet.
Here, the file to be detected is a file newly added on the terminal and/or a file that has been modified.
A file newly added on the terminal may be new only to this machine, that is, a new file that other terminals in the enterprise intranet may or may not also have; or it may be new to the whole enterprise intranet, that is, a new file that the terminal has confirmed, through all the terminals of the enterprise intranet, does not currently exist on any terminal of the enterprise intranet. Likewise, a file that has been modified may be modified only on this machine, where other terminals in the enterprise intranet may or may not have the same modified file; or it may be modified relative to the whole enterprise intranet, that is, a modified file that the terminal has confirmed, through all the terminals, does not currently exist on any terminal of the enterprise intranet. Whether a corresponding file exists on other terminals can be determined by information exchange between terminals. In this way, for the whole enterprise intranet, the amount of file data to be detected and the amount of information exchange generated by detection are greatly reduced, which improves detection efficiency.
When the terminal adds a file or modifies a file, it automatically reports the file characteristic of the added or modified file to the control server, which triggers the control server to obtain the file characteristic of the terminal's file to be detected. For example, when a file on the terminal is modified, the control server is triggered to obtain this file's characteristic and perform the subsequent file information collection for unknown file detection; or, when a file is copied to the terminal from a third-party device such as a USB flash drive, the control server is triggered to obtain this file's characteristic and perform the subsequent file information collection for unknown file detection; or, when the terminal's system is first installed, the control server is triggered to obtain the file characteristics of all files installed on the terminal and perform the subsequent file information collection for unknown file detection. The invention is not limited to these cases: in practice, those skilled in the art may set suitable rules under which, when the rules are satisfied, the terminal reports the file characteristic of the file to be detected or the server actively obtains it.
A file characteristic is characteristic information of a file that reflects what distinguishes the file from other files and can serve as a unique identifier of the file, such as an MD5 value calculated from the file information, the file's digital signature, the file's version number, the product name and product version the file belongs to, the name and copyright information of the company the file belongs to, or even the whole file.
Step S104: the control server judges whether the file characteristic of the file to be detected matches the file characteristic of a normal executable file or the file characteristic of a virus file stored in the file characteristic database on the control server.
The file characteristic database of the control server stores both the file characteristics of normal executable files and the file characteristics of virus files (that is, virus signatures). These stored file characteristics may be extracted by analyzing a large amount of collected file data, or may be collected and stored in another suitable way.
Step S106: if the file characteristic of the file to be detected matches neither the file characteristic of a normal executable file nor the file characteristic of a virus file, the control server determines that the file to be detected is an unknown file.
Step S108: the control server returns a message to the terminal stating that the file to be detected is an unknown file, and notifies the terminal to upload the file information of the unknown file.
Step S110: the control server receives and collects the file information of the unknown file uploaded by the terminal.
Through this embodiment, the control server end stores not only the file characteristics of virus files (that is, virus signatures) but also the file characteristics of normal executable files. When a terminal of the enterprise intranet adds a file or modifies a file, the terminal's files to be detected can be checked against these file characteristics. When the file characteristic of the file to be detected reported by the terminal matches none of the file characteristics stored on the control server, the terminal's file to be detected is an unknown file; the control server then notifies the terminal and requires it to report the file information of the file to be detected, and collects the file information of the unknown file from the content the terminal reports, so that it can later be used to identify and judge unknown files on other terminals. An unknown file may be a normal file, but is more likely to be a file harmful to the system (such as a mutated virus file). If, as in existing schemes, unknown file information is not collected and unknown files are not controlled, the system and its users may be harmed. With the scheme of this embodiment, collecting the file information of unknown files makes it possible to understand the unknown file situation, judge the nature of the unknown file, and manage and defend against it in time, which greatly improves the security of all terminals in the whole system and reduces system security risks. Furthermore, the control server end can use the collected file information of the unknown file to detect and judge files to be detected on other terminals later, extending the effect of an unknown file found on one terminal to the whole system, which further improves the security of the system and the efficiency with which unknown files are detected and processed.
It should be noted that the file information collection scheme of the invention is applicable not only to the enterprise intranet scenario but also to the stand-alone scenario. Embodiment One describes the scheme of the invention from the enterprise intranet scenario; Embodiment Two below explains the invention from the stand-alone scenario.
Embodiment two
Referring to Fig. 2, a flow chart of the steps of a file information collection method according to Embodiment Two of the invention is shown.
This embodiment explains the file information collection method of the invention using the local antivirus software of a stand-alone machine as an example.
The file information collection method of this embodiment comprises the following steps:
Step S202: the local antivirus software on an enterprise intranet terminal obtains the file characteristics of normal executable files and the file characteristics of virus files, and saves them in the file characteristic database of the local antivirus software.
The enterprise intranet terminal may obtain the file characteristics of normal executable files and virus files from the control server end of the enterprise intranet, may carry them itself, or may generate them after collecting and analyzing files.
In this embodiment, the file characteristics of normal executable files and of virus files both take the form of MD5 values. An MD5 value carries little information, is convenient to compare and identify, and has a low collision rate, so it can effectively distinguish file characteristics. Of course, other suitable file characteristic forms are equally applicable, such as values computed with secure hash algorithms like SHA-1.
Step S204: the local antivirus software obtains the file characteristic of the file to be detected.
This step is triggered when the enterprise intranet terminal adds a file and/or modifies a file. In this embodiment, the file to be detected is a file newly added on the terminal and/or a file that has been modified.
In this embodiment, the file characteristic of the file to be detected has the same form as the stored file characteristics of normal executable files and virus files, namely an MD5 value.
It should be noted that when generating the MD5 value, the input to MD5 may be chosen appropriately by those skilled in the art, for example the file name, file size, characteristic strings, or file content. In this embodiment, the MD5 value of the file to be detected, as well as the MD5 values of normal executable files and virus files, are all obtained by applying the MD5 algorithm to the file content. Applying the MD5 algorithm to the file content represents the file's characteristic more effectively. In addition, the algorithm for generating the file characteristic is not limited to MD5; other suitable algorithms may be used, such as secure hash algorithms like SHA-1.
Step S206: the local antivirus software judges whether the file characteristic of the file to be detected matches the file characteristic of a normal executable file or the file characteristic of a virus file stored in the file characteristic database; if it matches, step S208 is executed; if it does not match, step S210 is executed.
That is, it judges whether the MD5 value of the file to be detected is identical to the MD5 value of a normal executable file or to the MD5 value of a virus file.
Step S208: according to the matching result, determine whether the file to be detected is a normal executable file or a virus file; if it is a normal executable file, release it; if it is a virus file, perform virus removal, and end this flow.
Step S210: the local antivirus software determines that the file to be detected is an unknown file and collects the file information of the unknown file.
For example, it collects the MD5 value of the unknown file and at least one of the following items: the digital signature of the unknown file, its file version number, its file name, the product name and product version the unknown file belongs to, and the copyright information of the company the unknown file belongs to.
Step S212: the local antivirus software analyzes the file information of the unknown file and determines whether the unknown file is a safe file; if it determines that the unknown file is not a safe file, it records the MD5 value of the unknown file and forbids it from running; if it determines that the unknown file is a safe file, it releases it.
Through this embodiment, detection of and defense against unknown files by local antivirus software is realized, reducing the security risk of the local system.
Embodiment three
Referring to Fig. 3, a flow chart of the steps of a file information collection method according to Embodiment Three of the invention is shown.
This embodiment is again a file information collection scheme in the enterprise intranet scenario, and explains the file information collection method of the invention using the antivirus software at the control server end of the enterprise intranet as an example.
The file information collection method of this embodiment comprises the following steps:
Step S302: the control server of the enterprise intranet obtains the file content of normal executable files and the file content of virus files.
Step S304: the control server applies the MD5 algorithm to the file content of the normal executable files and to the file content of the virus files respectively, obtaining the MD5 values of the normal executable files and the MD5 values of the virus files.
Step S306: the control server saves the MD5 values of the normal executable files and the MD5 values of the virus files in the file characteristic database of the control server's antivirus software, as the file characteristics of normal executable files and of virus files respectively.
Step S308: a terminal of the enterprise intranet discovers a file to be detected, obtains its file content, applies the MD5 algorithm to that content, and obtains the MD5 value of the file to be detected.
Here, the file to be detected is a file newly added on the terminal and/or a file that has been modified.
Step S310: the terminal encapsulates the MD5 value of the file to be detected in a message using the HTTP protocol and sends it to the control server.
For example, the terminal sends the MD5 value of the file to be detected to the control server as the content of an HTTP POST request.
Step S312: the control server receives the HTTP-encapsulated message from the terminal and obtains the MD5 value of the file to be detected from the message.
Step S314: the control server judges whether the MD5 value of the file to be detected matches the MD5 value of a normal executable file or the MD5 value of a virus file stored in the file characteristic database; if it matches, step S316 is executed; if it does not match, step S318 is executed.
Step S316: according to the matching result, the control server determines whether the file to be detected is a normal executable file or a virus file, returns a message to the terminal stating that the file to be detected is a normal executable file or a virus file, and ends this flow.
After receiving the message returned by the control server, the terminal can perform follow-up processing according to the message content, such as removing the virus or running the file to be detected.
Step S318: the control server determines that the file to be detected is an unknown file, returns a message to the terminal stating that the file to be detected is an unknown file, and notifies the terminal to upload the file information of this unknown file.
Step S320: the terminal encapsulates the file information of the unknown file using the HTTP protocol and uploads it directly to the control server in the background.
For example, the terminal uploads the MD5 value of the unknown file and at least one of the following items: the digital signature of the unknown file, its file version number, its file name, the product name and product version the unknown file belongs to, and the copyright information of the company the unknown file belongs to.
In this embodiment, the terminal sends the MD5 value of the unknown file together with the file's digital signature, file name, file version number, product name, product version and copyright (company copyright information) to the control server as the content of an HTTP POST request.
Step S322: the control server receives and saves the file information of the unknown file uploaded directly by the terminal in the background, and returns an upload-success message to the terminal.
Step S324: the control server analyzes the file information of the unknown file and determines whether the unknown file is a safe file; if it is determined to be a safe file, the control server notifies the terminal to release the unknown file; if it is determined not to be a safe file, the control server records the MD5 value of the unknown file and notifies the terminal to forbid the unknown file from running.
For example, a user deliberately inserts a USB flash drive into the computer hosting the terminal and copies a file onto the intranet terminal. At this point, the terminal can send the file characteristic to the control server for a query; when the control server judges the file to be an unknown file, it issues an upload notification to the terminal; the terminal then sends the file's information to the control server, and the control server records the file's information for the administrator's reference. For example, this realizes the function of the 360 private cloud. The 360 private cloud needs to build a private database, which is used to control the release and blocking of all intranet files; by analyzing the file information it can be determined whether to release or block the file.
Through this embodiment, a client/server architecture based on the antivirus software terminals of an enterprise intranet and a control server is realized: the terminal queries a file via the HTTP protocol, the control server issues an upload notification for an unknown file according to the query result, and the terminal sends the file information of the unknown file in the next HTTP request. The scheme of this embodiment can use the antivirus software terminals in the enterprise intranet to send the file characteristics of the files they monitor (such as a file's MD5 value) to the control server for identification; when the control server's identification result is neither a normal file nor a virus, the file is an unknown file, the control server notifies the antivirus software terminal to submit the file's information, and the submitted file information is kept on the control server. The control server can control which files all terminals need to upload, and can also actively notify terminals to scan all files in the background and submit unknown files to the control server. Compared with traditional enterprise-level antivirus software, which does not manage or control any unknown files, both managing the intranet security risk and collecting evidence are relatively easier.
Embodiment four
Referring to Fig. 4, a structural block diagram of a file information collection device according to Embodiment four of the invention is shown.
The file information collection device of the present embodiment is arranged at the Control Server end of a corporate intranet and comprises: an acquisition module 402, for obtaining the file characteristic of a file to be detected from a terminal of the corporate intranet, wherein the file to be detected is a file newly added on the terminal and/or a file that has been modified; a judging module 404, for judging whether the file characteristic of the file to be detected matches the file characteristic of a normal executable file or the file characteristic of a virus file stored in the file characteristic database of the Control Server; a determination module 406, for determining that the file to be detected is an unknown file if the judging module 404 judges that the file characteristic of the file to be detected matches neither the file characteristic of the normal executable file nor the file characteristic of the virus file; and a collection module 408, for returning to the terminal a message that the file to be detected is an unknown file, notifying the terminal to upload the file information of the unknown file, and receiving and collecting the file information of the unknown file uploaded by the terminal.
Preferably, the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected. The file information collection device of the present embodiment further comprises a preservation module 410, for obtaining the file content of normal executable files and the file content of virus files before the acquisition module 402 obtains the file characteristic of the file to be detected from the terminal; applying the MD5 algorithm respectively to the file content of the normal executable files and the file content of the virus files to obtain the MD5 value of each normal executable file and the MD5 value of each virus file; and saving the MD5 value of the normal executable file as the file characteristic of the normal executable file and the MD5 value of the virus file as the file characteristic of the virus file.
Preferably, the acquisition module 402 is used to obtain, from a terminal of the corporate intranet, the MD5 value of the file to be detected, encapsulated by the terminal using the HTTP protocol.
Preferably, the collection module 408 is used to return to the terminal a message that the file to be detected is an unknown file and to notify the terminal to upload the file information of the unknown file; and to receive and collect the file information of the unknown file uploaded directly by the terminal through the terminal background, wherein the file information of the unknown file is encapsulated using the HTTP protocol.
Preferably, the file information collection device of the present embodiment further comprises an analysis module 412, for analysing the file information of the unknown file after the collection module 408 has collected it and determining whether the unknown file is a safe file; if it is determined that the unknown file is not a safe file, the MD5 value of the unknown file is recorded and the unknown file is forbidden from running.
Preferably, the file information of the unknown file collected by the collection module 408 comprises the MD5 value of the unknown file together with at least one of the following: the digital signature of the unknown file, the file version number, the file name, the product name to which the unknown file belongs, the product version, and the copyright information of the company to which the unknown file belongs.
Preferably, a file newly added on the terminal is a new file which the terminal, by confirming with all terminals of the corporate intranet, has established does not currently exist on any terminal of the corporate intranet; a file that has been modified is a modified file which the terminal, by confirming with all terminals of the corporate intranet, has established does not currently exist on any terminal of the corporate intranet.
The file information collection device of the present embodiment is used to implement the file information collection method at the Control Server end corresponding to the foregoing method embodiments, and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
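The following is an added example, not code from the patent or from the assignee: a minimal model of the Control Server and terminal exchange described in steps S314 to S324 of Embodiment three, with the acquisition, judging, determination, collection, preservation and analysis modules (402 to 412) of Embodiment four collapsed into one class. The class and method names, the form-encoded HTTP POST body, and the "trusted signer" rule used in `analyse()` are assumptions; the patent only specifies that the file characteristic is the MD5 of the file content, that the file information is sent as the content of an HTTP POST, and that the server decides safe or not safe from that information.

```python
"""Added example (not the patent's own code) modelling steps S314-S324.
Assumptions: form-encoded POST body, and a safe-iff-trusted-signer rule."""
import hashlib
from urllib.parse import parse_qs, urlencode


def md5_of(content: bytes) -> str:
    """File characteristic as the patent defines it: MD5 over the file content.
    (MD5 is collision-prone; a modern deployment would key on SHA-256 too.)"""
    return hashlib.md5(content).hexdigest()


class ControlServer:
    """Server side: modules 402-412 of Embodiment four in one class."""

    def __init__(self, normal_files, virus_files):
        # Preservation module 410: build the file characteristic database
        # from the content of known normal executables and virus samples.
        self.normal_db = {md5_of(c) for c in normal_files}
        self.virus_db = {md5_of(c) for c in virus_files}
        self.collected = {}   # MD5 -> file information uploaded by a terminal
        self.blocked = set()  # MD5 values recorded as not safe (step S324)

    def query(self, file_md5: str) -> dict:
        """Steps S314-S318: match the queried MD5 against both databases."""
        if file_md5 in self.normal_db:
            return {"result": "normal"}
        if file_md5 in self.virus_db:
            return {"result": "virus"}
        # Matches neither: unknown file, ask the terminal to upload file info.
        return {"result": "unknown", "upload": True}

    def receive_upload(self, post_body: str) -> dict:
        """Step S322: parse the POST body (assumed form-encoded) and save it."""
        fields = {k: v[0] for k, v in
                  parse_qs(post_body, keep_blank_values=True).items()}
        if "md5" not in fields:
            return {"status": "rejected", "reason": "missing md5"}
        self.collected[fields["md5"]] = fields
        return {"status": "upload_ok"}

    def analyse(self, file_md5: str, trusted_signers: set) -> str:
        """Step S324 / analysis module 412. The patent leaves the decision
        rule open; here (assumption) a file is safe only if its digital
        signature field names a trusted signer."""
        info = self.collected.get(file_md5)
        if info is None:
            return "not_collected"
        if info.get("signature") in trusted_signers:
            return "release"
        self.blocked.add(file_md5)   # record the MD5 and forbid running
        return "disable"

    def is_blocked(self, file_md5: str) -> bool:
        return file_md5 in self.blocked


class Terminal:
    """Antivirus terminal: queries the file characteristic and, on
    'unknown', uploads the file information in the next request (S320)."""

    def __init__(self, server: ControlServer):
        self.server = server

    def check_file(self, name: str, content: bytes, signature: str = "",
                   file_version: str = "", product: str = "",
                   product_version: str = "", copyright_info: str = "") -> str:
        digest = md5_of(content)
        reply = self.server.query(digest)
        if reply.get("upload"):
            # File information listed in step S320: MD5 plus signature,
            # file name, version, product name/version and copyright.
            body = urlencode({
                "md5": digest, "signature": signature, "filename": name,
                "fileversion": file_version, "product": product,
                "productversion": product_version,
                "copyright": copyright_info,
            })
            self.server.receive_upload(body)
        return reply["result"]


if __name__ == "__main__":
    # Constructed sample data standing in for real executables.
    srv = ControlServer([b"known good binary"], [b"known virus sample"])
    term = Terminal(srv)
    print(term.check_file("calc.exe", b"known good binary"))        # normal
    print(term.check_file("tool.exe", b"never seen before",
                          signature="Vendor A"))                     # unknown
    print(srv.analyse(md5_of(b"never seen before"), {"Vendor A"}))   # release
```

The exchange is two HTTP round trips, as the patent describes: a query carrying only the MD5, and, for an unknown result, a second POST carrying the file information. Because the whitelist and blacklist are keyed on MD5 alone, a defender should treat the database as an index rather than proof of identity and verify the uploaded sample (or a stronger hash) before recording a release decision.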
The file information collection scheme for unknown files provided by the invention effectively solves the problem that existing antivirus software cannot effectively detect and defend against unknown files, and realizes detection of and defence against unknown files. In addition, the mechanism by which the Control Server has all of the enterprise's distributed antivirus software terminals upload unknown files enables further applications based on this function, for example the transmission of files for forensics, an automatic identification system for unknown files, and a security assessment system based on the proportion of unknown files on the network and the number of unknown files on each computer.
The algorithms provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to build a system having the scheme of the present invention is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and that the description given above of a specific language is intended to disclose the best mode of the present invention.
In the specification provided herein, a large number of specific details are described. However, it is understood that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the unknown-file information collection scheme according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.

Claims (14)

1. A file information collection method, characterized in that it comprises:
a corporate intranet Control Server obtaining the file characteristic of a file to be detected from a terminal, wherein the file to be detected comprises a file newly added on the terminal and/or a file that has been modified;
the Control Server judging whether the file characteristic of the file to be detected matches the file characteristic of a normal executable file or the file characteristic of a virus file stored in a file characteristic database in the Control Server;
if the file characteristic of the file to be detected matches neither the file characteristic of the normal executable file nor the file characteristic of the virus file, the Control Server determining that the file to be detected is an unknown file;
the Control Server returning to the terminal a message that the file to be detected is an unknown file, and notifying the terminal to upload the file information of the unknown file; and
the Control Server receiving and collecting the file information of the unknown file uploaded by the terminal.
2. The method according to claim 1, characterized in that the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected;
and in that, before the step in which the corporate intranet Control Server obtains the file characteristic of the file to be detected from the terminal, the method further comprises: the Control Server obtaining the file content of the normal executable file and the file content of the virus file; applying the MD5 algorithm respectively to the file content of the normal executable file and the file content of the virus file to obtain the MD5 value of the normal executable file and the MD5 value of the virus file; and saving the MD5 value of the normal executable file as the file characteristic of the normal executable file and the MD5 value of the virus file as the file characteristic of the virus file.
3. The method according to claim 2, characterized in that the step in which the Control Server obtains the file characteristic of the file to be detected from the terminal comprises:
the Control Server receiving the MD5 value of the file to be detected, encapsulated by the terminal using the HTTP protocol.
4. The method according to claim 3, characterized in that the step in which the Control Server receives and collects the file information of the unknown file uploaded by the terminal comprises:
the Control Server receiving and collecting the file information of the unknown file uploaded directly by the terminal through the terminal background, wherein the file information of the unknown file is encapsulated using the HTTP protocol.
5. The method according to claim 2, characterized in that, after the step in which the Control Server receives and collects the file information of the unknown file uploaded by the terminal, the method further comprises:
the Control Server analysing the file information of the unknown file and determining whether the unknown file is a safe file;
if it is determined that the unknown file is not a safe file, recording the MD5 value of the unknown file and forbidding the unknown file from running.
6. The method according to claim 2, characterized in that the step in which the Control Server receives and collects the file information of the unknown file uploaded by the terminal comprises:
the Control Server receiving and collecting the MD5 value of the unknown file uploaded by the terminal, together with at least one of the following: the digital signature of the unknown file, the file version number, the file name, the product name to which the unknown file belongs, the product version, and the copyright information of the company to which the unknown file belongs.
7. The method according to claim 1, characterized in that the file newly added on the terminal is a new file which the terminal, by confirming with all terminals of the corporate intranet, has established does not currently exist on any terminal of the corporate intranet; and the file that has been modified is a modified file which the terminal, by confirming with all terminals of the corporate intranet, has established does not currently exist on any terminal of the corporate intranet.
8. A file information collection device, characterized in that it is arranged at the Control Server end of a corporate intranet and comprises:
an acquisition module, for obtaining the file characteristic of a file to be detected from a terminal of the corporate intranet, wherein the file to be detected comprises a file newly added on the terminal and/or a file that has been modified;
a judging module, for judging whether the file characteristic of the file to be detected matches the file characteristic of a normal executable file or the file characteristic of a virus file stored in a file characteristic database in the Control Server;
a determination module, for determining that the file to be detected is an unknown file if the judging module judges that the file characteristic of the file to be detected matches neither the file characteristic of the normal executable file nor the file characteristic of the virus file; and
a collection module, for returning to the terminal a message that the file to be detected is an unknown file, notifying the terminal to upload the file information of the unknown file, and receiving and collecting the file information of the unknown file uploaded by the terminal.
9. The device according to claim 8, characterized in that the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected;
and in that the device further comprises a preservation module, for obtaining the file content of the normal executable file and the file content of the virus file before the acquisition module obtains the file characteristic of the file to be detected from the terminal of the corporate intranet; applying the MD5 algorithm respectively to the file content of the normal executable file and the file content of the virus file to obtain the MD5 value of the normal executable file and the MD5 value of the virus file; and saving the MD5 value of the normal executable file as the file characteristic of the normal executable file and the MD5 value of the virus file as the file characteristic of the virus file.
10. The device according to claim 9, characterized in that
the acquisition module is used to obtain, from the terminal of the corporate intranet, the MD5 value of the file to be detected, encapsulated by the terminal using the HTTP protocol.
11. The device according to claim 10, characterized in that the collection module is used to return to the terminal a message that the file to be detected is an unknown file and to notify the terminal to upload the file information of the unknown file; and to receive and collect the file information of the unknown file uploaded directly by the terminal through the terminal background, wherein the file information of the unknown file is encapsulated using the HTTP protocol.
12. The device according to claim 9, characterized in that it further comprises:
an analysis module, for analysing the file information of the unknown file after the collection module has received and collected the file information of the unknown file uploaded by the terminal, and determining whether the unknown file is a safe file; if it is determined that the unknown file is not a safe file, the MD5 value of the unknown file is recorded and the unknown file is forbidden from running.
13. The device according to claim 9, characterized in that the file information of the unknown file collected by the collection module comprises the MD5 value of the unknown file together with at least one of the following: the digital signature of the unknown file, the file version number, the file name, the product name to which the unknown file belongs, the product version, and the copyright information of the company to which the unknown file belongs.
14. The device according to claim 8, characterized in that the file newly added on the terminal is a new file which the terminal, by confirming with all terminals of the corporate intranet, has established does not currently exist on any terminal of the corporate intranet; and the file that has been modified is a modified file which the terminal, by confirming with all terminals of the corporate intranet, has established does not currently exist on any terminal of the corporate intranet.
CN201210401574.0A 2012-10-19 2012-10-19 Fileinfo collection method and device Active CN102945348B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210401574.0A CN102945348B (en) 2012-10-19 2012-10-19 Fileinfo collection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210401574.0A CN102945348B (en) 2012-10-19 2012-10-19 Fileinfo collection method and device

Publications (2)

Publication Number Publication Date
CN102945348A true CN102945348A (en) 2013-02-27
CN102945348B CN102945348B (en) 2016-08-03

Family

ID=47728289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210401574.0A Active CN102945348B (en) 2012-10-19 2012-10-19 Fileinfo collection method and device

Country Status (1)

Country Link
CN (1) CN102945348B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607438A (en) * 2013-11-08 2014-02-26 北京奇虎科技有限公司 Control method and apparatus for terminal disposition
CN103607433A (en) * 2013-11-01 2014-02-26 北京奇虎科技有限公司 Method of deploying files in batches on terminal and apparatus thereof
CN104281806A (en) * 2013-07-01 2015-01-14 宁夏新航信息科技有限公司 Automatic computer virus detection system
CN107145780A (en) * 2017-03-31 2017-09-08 腾讯科技(深圳)有限公司 Malware detection method and device
CN107689975A (en) * 2016-08-05 2018-02-13 腾讯科技(深圳)有限公司 A kind of computer virus recognition methods and system based on cloud computing
CN107730066A (en) * 2017-08-25 2018-02-23 北京元心科技有限公司 Cruising inspection system task cooperation processing method and processing device
CN109726555A (en) * 2017-10-30 2019-05-07 腾讯科技(深圳)有限公司 Viral diagnosis processing method, viral reminding method and relevant device
CN110084041A (en) * 2019-04-29 2019-08-02 深信服科技股份有限公司 Querying method, device, client, management end and the storage medium of virus document
CN110688658A (en) * 2019-10-09 2020-01-14 杭州安恒信息技术股份有限公司 Unknown virus infection tracing method, device and system
CN110765493A (en) * 2018-12-28 2020-02-07 北京安天网络安全技术有限公司 File baseline defense method and device based on Linux pre-link and storage equipment
CN111159708A (en) * 2019-12-02 2020-05-15 中国建设银行股份有限公司 Apparatus, method and storage medium for detecting web Trojan horse in server
CN113055412A (en) * 2019-12-26 2021-06-29 奇安信科技集团股份有限公司 Sample collection method, apparatus, system, computer device and readable storage medium
CN113360904A (en) * 2021-05-17 2021-09-07 杭州美创科技有限公司 Unknown virus detection method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6963978B1 (en) * 2001-07-26 2005-11-08 Mcafee, Inc. Distributed system and method for conducting a comprehensive search for malicious code in software
CN101039177A (en) * 2007-04-27 2007-09-19 珠海金山软件股份有限公司 Apparatus and method for on-line searching virus
CN101304426A (en) * 2008-07-10 2008-11-12 腾讯科技(深圳)有限公司 Method and device for recognizing and reporting questionable document
CN101827096A (en) * 2010-04-09 2010-09-08 潘燕辉 Cloud computing-based multi-user collaborative safety protection system and method
CN101908116A (en) * 2010-08-05 2010-12-08 潘燕辉 Computer safeguard system and method
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
汪峰: "白名单主动防御系统的设计与实现", 《中国优秀硕士学位论文全文数据库(电子期刊)》, no. 4, 15 April 2012 (2012-04-15) *

Also Published As

Publication number Publication date
CN102945348B (en) 2016-08-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20161208

Address after: 100015 Chaoyang District Road, Jiuxianqiao, No. 10, building No. 3, floor 15, floor 17, 1701-26,

Patentee after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: Beijing Qihu Technology Co., Ltd.

Patentee before: Qizhi Software (Beijing) Co., Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

CP01 Change in the name or title of a patent holder