CN102982284B - Scanning device for malware detection and removal, cloud management device, and corresponding method and system - Google Patents

Publication number: CN102982284B
Application number: CN201210506137.5A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN102982284A
Prior art keywords: program file, scans, client device, information, characteristic
Legal status: Active
Inventors: 江爱军, 刘智锋, 孔庆龙, 张波, 姚彤
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210506137.5A (CN102982284B); publication of CN102982284A; priority to PCT/CN2013/088196 (WO2014082599A1); priority to US14/648,298 (US9830452B2); application granted and published as CN102982284B; priority to US15/823,534 (US20180082061A1)

Abstract

The invention discloses a scanning device for malware detection and removal, a cloud management device, and a corresponding method and system. In particular, a cloud management device for malware detection and removal comprises: a second transmission interface; a first indicator configured to generate a first scan content instruction from the characteristic data of newly emerged malware and the system environment information transmitted by a client device; a first matcher configured to obtain, through the second transmission interface, the characteristic data of an unknown program file transmitted by the client device and to match it against known malware characteristic records; and a second indicator configured to generate, when the first matcher fails to match a known record, a second scan content instruction that requests a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to transmit that instruction to the client device through the second transmission interface.

Description

Scanning device for malware detection and removal, cloud management device, and corresponding method and system
Technical field
The present invention relates to the technical field of network information security, and in particular to a scanning device for malware detection and removal, a cloud management device, and a corresponding method and system.
Background art
Existing malware detection and removal methods mostly have a local engine scan a built-in set of scan locations; the features of program files the local engine cannot identify, such as their MD5, are sent to a cloud server, which compares the features reported by the client to decide whether the file is malware; if it is, the local engine of the client removes it according to removal logic built into the client. But in the continuing contest between malware and security software, malware authors keep finding new weak points in the operating system and points that security software ignores, and so bypass the detection and removal of the security software. Today, after a security vendor obtains a sample of new malware, it usually has to modify the local engine before the engine can remove it; between obtaining the sample, analysing it manually, building a new version of the engine and upgrading every client, the malware spreads widely.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a scanning device for malware detection and removal and a corresponding scanning method, a cloud management device for malware detection and removal and a corresponding cloud management method, and a cloud-security-based malware scanning system and scanning method, which overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a scanning device for malware detection and removal is provided, comprising: a first transmission interface configured to transmit information to a server-side device and to receive information transmitted by the server-side device; an environment information reader configured to read the current system environment information of the client device and to transmit it to the server-side device through the first transmission interface; a first scanner configured to obtain, through the first transmission interface, a first scan content instruction that the server-side device has determined at least on the basis of the system environment information, to scan the locations specified in the first scan content instruction, and to transmit at least the characteristic data of the unknown program files found by the scan to the server-side device through the first transmission interface; and a second scanner configured to obtain, through the first transmission interface, a second scan content instruction transmitted by the server-side device, the second scan content instruction requesting a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to scan according to the second scan content instruction.
According to a further aspect of the invention, a cloud management device for malware detection and removal is provided, comprising: a second transmission interface configured to transmit information to a client device and to receive information transmitted by the client device; a first indicator configured to generate a first scan content instruction from the characteristic data of newly emerged malware and the system environment information transmitted by the client device, the first scan content instruction at least requiring the contents of specified locations to be scanned and the characteristic data of the unknown program files found to be reported, and to transmit the first scan content instruction to the client device through the second transmission interface; a first matcher configured to obtain, through the second transmission interface, the characteristic data of the unknown program file transmitted by the client device and to match it against known malware characteristic records; and a second indicator configured to generate, when the first matcher fails to match a known record, a second scan content instruction requesting a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to transmit it to the client device through the second transmission interface.
According to another aspect of the invention, a cloud-security-based malware scanning system is provided, comprising any scanning device for malware detection and removal as described above and any cloud management device for malware detection and removal as described above.
According to another aspect of the invention, a cloud management method for malware detection and removal is provided, comprising: generating a first scan content instruction from the characteristic data of newly emerged malware and the system environment information transmitted by a client device, the first scan content instruction at least requiring the contents of specified locations to be scanned and the characteristic data of the unknown program files found to be reported, and transmitting the first scan content instruction to the client device; obtaining the characteristic data of the unknown program file transmitted by the client device and matching it against a known malware detection and removal database; and, when no known record is matched from the characteristic data of the unknown program file, generating a second scan content instruction requesting a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmitting the second scan content instruction to the client device.
According to another aspect of the invention, a cloud-security-based malware scanning method is provided, comprising: the client device reads its current system environment information and transmits it to the server-side device; the server-side device generates a first scan content instruction from the characteristic data of newly emerged malware and the system environment information transmitted by the client device, the first scan content instruction at least requiring the contents of specified locations to be scanned and the characteristic data of the unknown program files found to be reported, and transmits the first scan content instruction to the client device; the client device scans according to the first scan content instruction and transmits at least the characteristic data of the unknown program files found to the server-side device; the server-side device matches the characteristic data of the unknown program file against a known malware detection and removal database; when no known record is matched from the characteristic data of the unknown program file, the server-side device generates a second scan content instruction requesting a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmits the second scan content instruction to the client device; and the client device scans according to the second scan content instruction.
It can be seen from the embodiments provided by the invention that when the basic characteristic data of an unknown program file alone (such as its filename, MD5, SHA1 or other features computed from the file content) is not enough to decide whether the file is malware, or not enough to find an accurate repair scheme, the client device can be required to scan further specified attributes of the unknown program file, such as its signature and version, and/or attributes of its context environment, for a further judgement; in this way an unknown program file whose safety the client itself cannot determine can be judged more accurately. Because the cloud server issues personalised scan content promptly, and the detection and removal method is obtained dynamically from the server side on the basis of the attributes of the program file and of its context environment, newly emerged malware can be detected and removed without first upgrading the local feature database and engine program, which speeds up the response to new malware and effectively contains its rapid spread.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be better understood and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. The same reference symbols denote the same parts throughout the drawings. In the drawings:
Fig. 1 shows a cloud-security-based malware scanning system according to an embodiment of the invention;
Fig. 2 shows a flow chart of a cloud-security-based malware scanning method according to an embodiment of the invention; and
Fig. 3 shows a flow chart of a cloud-security-based malware detection and removal method according to another embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realised in many forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its full scope can be conveyed to those skilled in the art.
Embodiments of the invention can be applied to a computer system/server that can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on, which perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media that include memory devices.
Referring to Fig. 1, which shows a cloud-security-based malware scanning system according to an embodiment of the invention, the system comprises a scanning device 110 for malware detection and removal and a cloud management device 210 for malware detection and removal. The scanning device 110 may be located at the client side, for example in a client device 100, and the cloud management device 210 may be located at the server side, for example in a server-side device 200. The scanning device 110 can communicate with the cloud management device 210: specifically, the first transmission interface 118 in the scanning device 110 can transmit information to the server-side device 200 and receive information transmitted by the server-side device 200, and the second transmission interface 218 of the cloud management device 210 can transmit information to the client device 100 and receive information transmitted by the client device 100. The scanning device 110 may comprise an environment information reader 112, a first scanner 114, a second scanner 116 and the first transmission interface 118. The cloud management device 210 may comprise a first indicator 212, a first matcher 214, a second indicator 216 and the second transmission interface 218.
First, the environment information reader 112 reads the current system environment information of the client device 100 and transmits it through the first transmission interface 118 to the second transmission interface 218 of the server-side device 200. The current system environment information of the client device 100 may include many items, for example any one or more of operating system version information, system patch installation information, software installation information, driver installation information, information on active processes, and service information. There are many operating systems, for example Windows 98, Windows 2003, Windows XP and Windows Vista, each with its own version information, so from the operating system version information the server-side device 200 can learn exactly which version of which operating system the client device 100 is currently running. Active processes are the processes running in the system; by calling the corresponding API (Application Programming Interface) functions and by other means, the various items of information on the processes currently running in the system can be obtained, such as the process identifier, user name, CPU usage, memory usage and descriptors. Once the local engine and the network environment of the client device 100 have been initialised, the environment information reader 112 can read the current system environment information and transmit it to the server-side device 200.
After the second transmission interface 218 of the cloud management device 210 in the server-side device 200 receives the current system environment information of the client device 100, it passes the information to the first indicator 212, which then generates the first scan content instruction from the characteristic data of newly emerged malware and the system environment information transmitted by the client device 100. The characteristic data of newly emerged malware can take many forms, for example information, derived from an analysis of the spread of the latest malware, on the specific locations that new malware uses to hide and/or to attack, such as the locations new malware commonly uses: the installation directory of a certain game, the installation directory of popular software, certain specific registry entries, and so on. The server-side device 200 can then combine the hiding and/or attack locations commonly used by new malware with the current system environment information reported by the client device to produce a scan content instruction personalised for that client device, namely the first scan content instruction. For example, if the software installation information reported by the client device 100 shows that a certain game is installed on it, and the characteristic data of newly emerged malware shows that much current malware uses the installation directory of that game to hide or to maliciously replace files, the server-side device 200 will require the client device 100, in the first scan content instruction, to scan the contents of that game's installation directory in order to find suspicious unknown program files on the client device 100. As can be seen, because the first scan content instruction is based not only on the characteristic data of newly emerged malware known to the server side but also on the concrete system environment information of the client device 100, it is personalised and targeted, and the first scan content instructions issued to different client devices 100 are often different.
The first scan content instruction at least requires the contents of specified locations to be scanned and the characteristic data of the unknown program files found to be reported. Specifically, the first scan content instruction may be a piece of text or a script generated from the characteristic data of newly emerged malware and the current system environment information of the client device 100, which tells the client device 100 which content it needs to scan and which scan results to report.
It should be noted that the first scan content instruction may be unconditional or conditional. If it is conditional, the scanning device 110 in the client device 100 scans according to the first scan content instruction only when the precondition is met. The conditions attached to the first scan instruction can be many, for example one or more of the following: whether a specified file exists; whether a specified directory exists; whether an attribute of a program file meets a specified condition (for example whether its message digest MD5 equals a specified value); whether a specified registry key exists; whether a specified registry value exists; whether the content of a registry key meets a specified condition; whether the content of a registry value meets a specified condition (for example whether it contains or equals a specific string or value); whether a specified process exists; whether a specified service exists; and whether a specified service meets a specified condition (for example a specific service name, service description or display name).
After the first indicator 212 generates the first scan content instruction, the server side transmits it through the second transmission interface 218 to the first transmission interface 118 in the client device 100.
Then the first transmission interface 118 of the scanning device 110 in the client device 100 passes the received first scan content instruction, which the server-side device 200 determined at least on the basis of the system environment information, to the first scanner 114, and the first scanner 114 scans the locations specified in the first scan content instruction. As mentioned above, the first scan content instruction may be conditional, that is, it may carry scan conditions; in that case the first scanner 114 must first judge whether the conditions attached to the first scan content instruction, such as the optional conditions listed above, are satisfied, and scans the specified locations only when they are. If the first scan content instruction is unconditional, the first scanner 114 does not need to judge first and directly scans the locations indicated in the first scan content instruction.
Optionally, besides the personalised scan of the client device 100 according to the first scan content instruction, the first scanner 114 may also perform a conventional scan of the scan locations built into the local engine of the client device 100.
Unknown program files may be found once the first scanner 114 completes its scan; their characteristic data is then extracted. The characteristic data may take many forms, for example one or more of: data computed with a specific algorithm (such as MD5, SHA1 or another algorithm) over all or part of the key content of the unknown program file (that is, over a portion extracted from the file), and the filename. This characteristic data of a program file can be understood as the basic attribute information of the program file. After obtaining the characteristic data of the unknown program file, the first scanner 114 transmits it through the first transmission interface 118 to the second transmission interface 218 in the server-side device 200.
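The conditional first scan content instruction and the client-side scan it triggers (the conditions, the scan of specified locations and the extraction of characteristic data described in the preceding paragraphs) can be modelled as follows. This is an added example, not code from the patent or from the assignee: the JSON-like instruction layout, the field names and the condition vocabulary are assumptions chosen to mirror the conditions the description lists, and the Windows-only registry, service and process checks are left as stubs that evaluate to false.

```python
"""Client-side model of the first scan content instruction (added example, not from the patent)."""
import hashlib
import os
import tempfile


def make_instruction(game_dir: str, marker_md5: str) -> dict:
    """Constructed instruction: every condition must hold before scan_dirs is scanned;
    report lists the characteristic data to send back for each file found."""
    return {
        "conditions": [
            {"type": "dir_exists", "path": game_dir},
            {"type": "file_md5_equals",
             "path": os.path.join(game_dir, "launcher.bin"), "md5": marker_md5},
        ],
        "scan_dirs": [game_dir],
        "report": ["filename", "size", "md5", "sha1"],
    }


def _digest(path: str, algo: str) -> str:
    """Hash a file in chunks with the named hashlib algorithm (md5 or sha1 here)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def condition_holds(cond: dict) -> bool:
    """Evaluate one attached scan condition from the vocabulary assumed above."""
    t = cond["type"]
    if t == "dir_exists":
        return os.path.isdir(cond["path"])
    if t == "file_exists":
        return os.path.isfile(cond["path"])
    if t == "file_md5_equals":
        return os.path.isfile(cond["path"]) and _digest(cond["path"], "md5") == cond["md5"].lower()
    if t in ("registry_key_exists", "service_exists", "process_exists"):
        # Windows-specific checks are stubbed out in this example (assumption): never satisfied.
        return False
    raise ValueError(f"unknown condition type {t!r}")


def run_first_scan(instruction: dict) -> list:
    """Return one characteristic-data record per file in the scan directories,
    or an empty list when any attached condition fails (the scan is skipped)."""
    if not all(condition_holds(c) for c in instruction.get("conditions", [])):
        return []
    wanted = instruction["report"]
    records = []
    for d in instruction["scan_dirs"]:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not os.path.isfile(path):
                continue
            rec = {}
            if "filename" in wanted:
                rec["filename"] = name
            if "size" in wanted:
                rec["size"] = os.path.getsize(path)
            for algo in ("md5", "sha1"):
                if algo in wanted:
                    rec[algo] = _digest(path, algo)
            records.append(rec)
    return records


def demo() -> list:
    """Build a constructed game directory in a temp dir and run the scan over it."""
    with tempfile.TemporaryDirectory() as tmp:
        game_dir = os.path.join(tmp, "SomeGame")
        os.mkdir(game_dir)
        with open(os.path.join(game_dir, "launcher.bin"), "wb") as f:
            f.write(b"hello")                       # constructed marker file
        with open(os.path.join(game_dir, "unknown.dll"), "wb") as f:
            f.write(b"constructed unknown file")   # constructed unknown program file
        instr = make_instruction(game_dir, hashlib.md5(b"hello").hexdigest())
        return run_first_scan(instr)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The records returned by `run_first_scan` are what the first scanner 114 would hand to the first transmission interface 118; nothing is scanned when a condition fails, which is the point of a conditional instruction.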
The second transmission interface 218 of the server side then supplies the received characteristic data of the unknown program file to the first matcher 214, which matches it against the known malware detection and removal database. This database records characteristic information of malware and may additionally record the decision logic for determining whether a file is malware and possible detection and removal methods (such as repair logic). The features of malware can include a great deal of information, for example attribute information of the file such as the filename, the digest of the program file, the file size, signature information and version information, and also context environment attributes such as the directory in which the file resides, its start-up entries in the registry, and the attributes of other files in the same directory or in a specified directory. Because present-day malware is fairly complex, one or two features alone are often not enough to determine accurately whether a file is malware; in many cases a comprehensive judgement over many features is needed, and the logic that makes this comprehensive judgement on whether an unknown program file is malware is the decision logic mentioned above. Detection and removal methods include, but are not limited to, scanning/judging and repair operations. Since the storage space, computing capacity and ability to collect malware characteristic information of the server side, and the speed at which it is updated, far exceed those of the client, when the client device 100 cannot judge an unknown program file with its local engine, the server-side device 200 can judge it against the known database.
If the first matcher 214 matches successfully in the known malware detection and removal database, it can determine whether the unknown program file is malware and, optionally, in some cases also match the corresponding repair logic; the judgement result and the corresponding repair logic can then be fed back through the second transmission interface 218 to the first transmission interface 118 of the client device 100. Optionally, the client device 100 also comprises a removal device: the first transmission interface 118 in the client device 100 informs the removal device of the judgement result, made by the server-side device 200 on the basis of the features of the unknown program file, as to whether the file is malware, together with the repair logic, and the removal device performs the corresponding operation. For example, if the judgement result is that the unknown program file is malware, the removal device repairs the unknown program file according to the repair logic returned by the server-side device 200. Repair processing includes, but is not limited to, deleting a specified registry key/value, modifying a specified registry key/value to a given content, deleting a specified system service entry, and repairing/deleting a specified program file.
As to repairing a specified program file, there are several repair schemes depending on the type of file to be repaired. For example, some files needing repair are system files, some are program files of popular software, and some are ordinary files. The basic principle of repairing these program files is similar: the server side takes some attribute information of the program file the client needs to repair, matches it in the cloud database, and looks for a matching program file that is not infected by a virus; if there is one, it is supplied to the client as a replacement, completing the repair. Different files may be given different matching conditions as actually required. For example, for a system file, all of the file's attribute information (such as file name and version information) may be required to agree before the match counts as successful, that is, before a replacement file for the repair is deemed found; whereas for a non-system ordinary file, the match may also be considered successful if what the cloud database stores is a base version or a standard edition. Moreover, even among system files, or among non-system ordinary files, different matching conditions can be set according to the file's actual application environment, its requirements or the operating system. For example, for one system file the match may count as successful only if every attribute such as file name and version information agrees, while for another system file it may suffice that the file name agrees and the version is the base version or the standard edition.
Taking again the example of a popular software product damaged by a Trojan, the replacement of a program file during repair is described in detail below. For example, after a Trojan damages a program file of a certain popular software product, the information of the original program file is unavailable. In that case the server-side device 200 can learn which replacement file it needs to provide to the client device 100 from the information about the software that the client device 100 supplied earlier, such as the software name, the software version, the program file version and the directory; it then matches in the cloud database on the file name, version and similar information, finds an uninfected and matching replacement file and supplies it to the client device 100, and the client device 100 replaces the damaged original program file with the uninfected program file, consistent with the local machine, that the server-side device 200 provided.
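The replacement-file lookup described in the two preceding paragraphs (strict matching of every attribute for system files, acceptance of a stored base or standard edition for ordinary files, and per-file overrides of the rule) can be written out as a small cloud-side matcher. This is an added example, not code from the patent or the assignee; the database layout, the file-type labels, the edition names and the override table are all assumptions.

```python
"""Cloud-side replacement lookup for program-file repair (added example, not from the patent)."""

# Constructed cloud database of clean files keyed by file name; "content" stands in for stored bytes.
CLEAN_FILES = {
    "core.dll": [
        {"version": "6.1.7601", "edition": "specific", "content": b"clean core 6.1.7601"},
    ],
    "viewer.exe": [
        {"version": "2.0.1", "edition": "specific", "content": b"clean viewer 2.0.1"},
        {"version": "2.0.0", "edition": "base", "content": b"clean viewer 2.0.0 base"},
    ],
    "helper.dll": [
        {"version": "1.0", "edition": "standard", "content": b"clean helper 1.0 std"},
    ],
}

STRICT, RELAXED = "strict", "relaxed"

# Per-file overrides of the default rule (assumption: this system file only needs a standard edition).
RULE_OVERRIDES = {"helper.dll": RELAXED}


def matching_rule(file_type: str, name: str) -> str:
    """System files match strictly by default, ordinary files loosely; overrides win."""
    if name in RULE_OVERRIDES:
        return RULE_OVERRIDES[name]
    return STRICT if file_type == "system" else RELAXED


def find_replacement(file_type: str, name: str, version: str):
    """Return the clean candidate to send to the client, or None when nothing matches."""
    rule = matching_rule(file_type, name)
    candidates = CLEAN_FILES.get(name, [])
    # Exact match on name and version is acceptable under either rule.
    for cand in candidates:
        if cand["version"] == version:
            return cand
    if rule == STRICT:
        return None
    # Relaxed rule: a stored base or standard edition also counts as a match.
    for cand in candidates:
        if cand["edition"] in ("base", "standard"):
            return cand
    return None


def replace_damaged_file(path: str, file_type: str, name: str, version: str) -> bool:
    """Client-side step: overwrite the damaged file with the clean content, if one was found."""
    cand = find_replacement(file_type, name, version)
    if cand is None:
        return False
    with open(path, "wb") as f:
        f.write(cand["content"])
    return True


if __name__ == "__main__":
    print(find_replacement("system", "core.dll", "6.1.7601"))
    print(find_replacement("system", "core.dll", "6.1.7600"))
    print(find_replacement("ordinary", "viewer.exe", "2.0.5"))
```

The split between `find_replacement` (server side) and `replace_damaged_file` (client side) mirrors the description: the cloud database decides what to send, and the client only writes what it received.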
If the first matcher 214 fails to match in the known malware detection and removal database, that is, no accurate match can be made from the characteristic data of the unknown program file, the second indicator 216 can be notified, and the second indicator 216 then generates a second scan content instruction from the basic information provided by the characteristic data of the unknown program file together with the characteristic data of known newly emerged malware. Because the basic attribute information of the unknown program file, such as its characteristic data, is already known through the first indicator, it can be combined with the characteristics of current malware, for example which further characteristics a file of this kind usually has if it is malware: the signature information of the unknown program file may not be that of a well-known name, the attributes of other files in the directory of the unknown program file or in an associated directory may take specified values, and so on.
Specifically, the second scan content instruction requests a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file. For example, the second scan content instruction may require the client device 100 only to scan and report specified attributes of the unknown program file, or only to scan and report specified attributes of the context environment of the unknown program file, or to scan and report other specified attributes of the file together with the specified attributes of the context environment.
It should be noted that the specified attributes of the unknown program file include, but are not limited to, one or more of: characteristic data, file size, security level, signature information and version information. Although the client device 100 has already reported the characteristic data, a basic attribute of the unknown program file, after scanning according to the first scan content instruction from the server side, the connection between the client device 100 and the server-side device 200 may not be a persistent one; therefore, when the client device 100 later reports the specified attribute information of the unknown program file after scanning according to the second scan content instruction from the server side, it may need to report the basic information, such as the characteristic data of the unknown program file, once again. Hence the second scan content instruction may require the client to scan and report other specified attributes beyond the characteristic data of the unknown program file, and may also require it to scan and report the characteristic data itself. Of course, if the connection between the client device 100 and the server-side device 200 is persistent, the second scan content instruction need not require the client device 100 to report again the basic information, such as the characteristic data, that it has already reported once. The security level includes, but is not limited to, malicious (belonging to a blacklist), safe (belonging to a whitelist, trusted), unknown, and suspicious. The attributes of the context environment of the unknown program file include, but are not limited to, one or more of: information on the directory in which the unknown program file resides, the information of a specified registry value, attribute information of other files in the same directory as the unknown program file or in a specified directory, and the running state of a specified process.
Second indicator 216, after the instruction of generation second scans content, transfers to the first transmission interface 118 in client device 100 by the second transmission interface 218, and then the second scans content instruction is notified the second scanner 116 by the first transmission interface 118 again.Second scanner 116 scans the specified attribute information of unknown program file and/or the attribute information of context environmental according to the second scans content instruction again, finally scanning result is transferred to the second transmission interface 218 of server-side devices 200.
In one embodiment of the invention, the scanning result that the second scanner 116 received provides is informed the second indicator 216 by the second transmission interface 218 again, and then second indicator 216 analyse and compare in known rogue program killing database accordingly, above to the particular content appearing rogue program killing database, it can thus be appreciated that, because the scanning result of the unknown program file that this client device 100 provides contains more information, such as contain the signing messages of unknown program file, level of security, other attributes such as version information, or contain the various attribute informations of the context environmental of unknown program file, again or other attributes of unknown program file and the attribute of context environmental all scanned, so the second indicator 216 just can according to these more fully information, and characteristic information in rogue program killing database and decision logic are analyzed further and are judged whether this unknown program file is rogue program file, if judge it is that rogue program can also look into the reparation logic seeing if there is correspondence further.Repair that logic includes but not limited in following logic one or more: delete the registry key of specifying and/or key assignments, edit the registry key and/or key assignments are given content, delete appointing system service entry and reparation or delete designated program file.
And then the judged result whether unknown program file is rogue program file by the second transmission interface 218 by the second indicator 216 transfers to client device 100.Further, if judged result is rogue program, and the reparation logic of coupling can be found in known rogue program killing database, then also the reparation logic of coupling be transferred to client device by the second transmission interface 218.
The scanning device 110 of client also comprises first processor, first processor obtains by the first transmission interface 118 judged result whether unknown program file that second indicator in server-side devices 200 provides is rogue program file, and processes accordingly according to this judged result.Such as, if judged result is safe program file, then killing process need not be carried out to unknown program file again; If judged result is rogue program, and the second indicator 216 provides reparation logic, then can point out user, and inquires whether user repairs, and carries out repair process on obtaining confirmation from the user according to this reparation logic to unknown program file.
In another embodiment of the present invention, in order to reduce the communication between client device 100 and server-side devices 200, second indicator 216 can also while informing client device 100 by the second scans content instruction, indicate relevant decision logic by the second scans content, even relevant to decision logic reparation logic sends to client device 100 together.Specifically, because the second scans content indicates the specified attribute of the context environmental of other specified attribute and/or the unknown program file mainly comprised beyond to the characteristic of unknown program file to scan, therefore server end can be predicted client device 100 and may obtain which scanning result according to after the second scans content beacon scanning, then can judge which type of scanning result shows that this unknown program file is rogue program according to rogue program killing database, therefore can find out and indicate relevant decision logic to the second scans content, namely how to judge whether this unknown program file is rogue program according to follow-up scanning result.If rogue program, then can also whether have according to known rogue program killing database lookup further indicate to above-mentioned second scans content, reparation logic that decision logic is relevant.
The scanning device 110 being in client can also comprise the second processor, what by transmission interface 118, the second processor obtained that server end second indicator 216 provides indicates relevant decision logic to the second scans content, then according to this decision logic and the second scanner 116 according to the scanning result obtained after the second scans content beacon scanning, judge whether this unknown program file is rogue program, and process accordingly.Such as, if judged result is this unknown program file is rogue program, and the second indicator 216 of server end also have sent the reparation logic relevant to decision logic, when the scanning result that then can provide at the second scanner 116 meets this reparation logic, carry out corresponding repair process according to this reparation logic.All the other process particular content and last embodiment in first processor do respective handling similar, repeat no more.Can find out in this embodiment, the second scanner 116 to be uploaded onto the server according to the second scans content instruction end equipment to the result after unknown program file scans with regard to no longer needing, but is directly supplied to the second processor.
Can be found out by above-described embodiment, if scanning device 110 only includes environmental information reader 112, first scanner 114, second scanner 116 and the first transmission interface, then it is simple rogue program scanning device, if also comprise first processor or the second processor, then this scanning device is the equipment that can complete rogue program killing in essence, and can be understood as is killing equipment for rogue program.
Fig. 2 is a flow chart of a rogue program scanning method based on cloud security according to an embodiment of the invention. The method comprises a part of the flow on the client side and a part on the server side; the client-side flow is the scanning method for rogue program killing, and the server-side flow is the cloud management for rogue program killing.
The method starts at step S210, in which the current system environment information of the client device is read and transmitted to the server-side device. System environment information includes, but is not limited to, any one or more of: operating system version information, system patch installation information, software installation information, driver installation information, and information on active processes and services. This step can be performed by the environment information reader 112 of the scanning device 110 described above; for the implementation, refer to the description of the environment information reader 112 in the earlier embodiments, which is not repeated here.
Then, in step S220, the server-side device obtains the system environment information of the client device, generates a first scan-content instruction according to the characteristic data of newly emerged rogue programs and the system environment information transmitted by the client device, and transmits the first scan-content instruction to the client device. The first scan-content instruction at least comprises an instruction to scan the content of specified locations and to report the characteristic data of the unknown program files found. This step can be performed by the first indicator 212 of the cloud management device 210 on the server side described above; for the implementation, refer to the description of the first indicator 212 in the earlier embodiments.
After obtaining through step S220 the first scan-content instruction, which the server-side device derived from the system environment information the client uploaded, the client device scans the specified locations in the first scan-content instruction in step S230 and transmits at least the characteristic data of the unknown program files found to the server-side device, so that the server-side device can judge further on that basis. This step can be performed by the first scanner 114 of the scanning device 110 on the client; for the implementation, refer to the description of the first scanner 114 in the earlier embodiments.
After obtaining through step S230 the characteristic data of the unknown program file transmitted by the client device, the server-side device matches the characteristic data in the known rogue program killing database in step S240 to judge whether the unknown program file is a rogue program. If the match succeeds and the unknown program file is judged to be a rogue program, the server can also look up whether a corresponding repair logic exists; if so, the judgement and the repair logic are transmitted to the client together, and if no corresponding repair logic is found, only the judgement is transmitted to the client device. This step can be performed by the first adaptation 214 of the cloud management device 210 on the server side described above; for the implementation, refer to the description of the first adaptation 214 in the earlier embodiments.
If the server-side device cannot match a known record in the known rogue program killing database, i.e. cannot judge whether the unknown program file is a rogue program, it generates a second scan-content instruction in step S250, comprising an instruction to scan specified attributes of the unknown program file and/or specified attributes of its context environment, and transmits the second scan-content instruction to the client device. The server-side device sends this second instruction to the client device in order to obtain more information about the unknown program file for a further judgement. This step can be performed by the second indicator 216 of the cloud management device 210 on the server side described above; for the implementation, refer to the description of that component in the earlier embodiments.
After obtaining the second scan-content instruction through step S250, the client device scans according to it in step S260 and so learns the specified attributes of the unknown program file and/or the specified attributes of its context environment. For example, the specified attributes of the unknown program file include, but are not limited to, one or more of: the characteristic data of the unknown program file, file size, security level, signature information and version information. Likewise, the attributes of the context environment of the unknown program file include, but are not limited to, one or more of: information about the directory containing the unknown program file, information about startup locations in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of specified processes.
After step S260, in one embodiment of the invention, the client device first transmits the scan result obtained according to the second scan-content instruction to the server-side device; this step can be performed by the second scanner 116 of the earlier embodiments, to whose description the reader is referred. After the server-side device obtains the scan result the client device produced according to the second scan-content instruction, it analyses and compares the result further against the rogue program killing database, judges again whether the unknown program file is a rogue program, and transmits the judgement (malicious, safe, unknown or suspicious) and/or the repair logic matching the scan result to the client device; on the server side this step can be performed by the second indicator 216 of the cloud management device 210 of the earlier embodiments. Note that a corresponding repair logic is not always found when a file is judged to be a rogue program: when it is found, the judgement and the repair logic can be transmitted to the client device together; when it is not, only the judgement is transmitted for the client's or the user's reference; and it is also possible to transmit only the repair logic, because receiving a repair logic itself tells the client that the unknown program file is a rogue program, since the server-side device would not otherwise return a repair logic for that file. Once the client device obtains the server-side device's judgement on whether the unknown program file is a rogue program, it can process the file accordingly, for example by reminding the user through a pop-up window or another safety prompt, or by carrying out the repair according to the repair logic after the user confirms. On the client side this step can be performed by the first processor of the scanning device 110 of the earlier embodiments, to whose description the reader is referred.
As the steps of this embodiment show, the client device must transmit at least two scan results to the server-side device so that the server-side device can decide on the basis of the scan result. To reduce the number of communications between client device and server-side device and raise efficiency, another embodiment of the invention can adopt the following flow.
In this further embodiment, in step S250 the server-side device not only generates and sends the second scan-content instruction to the client device, but also obtains from the known rogue program killing database the decision logic and/or repair logic related to the second scan-content instruction, and transmits the decision logic and/or repair logic together with the second scan-content instruction to the client device. This step can be performed by the second indicator 216 of the cloud management device 210 of the earlier embodiments; for the implementation, refer to the description of that component. After step S250 the client device therefore holds at least the second scan-content instruction and the decision logic related to it, and possibly also the repair logic associated with the instruction. After the client device has scanned according to the second scan-content instruction in step S260 and obtained the scan result, it judges from the decision logic transmitted by the server-side device and the scan result whether the unknown program file is a rogue program; if so, it further checks whether the server-side device also transmitted the associated repair logic and, if it did, repairs the unknown program file according to that repair logic, for example by deleting specified registry keys and/or values, editing specified registry keys and/or values to given content, deleting specified system service entries, and repairing or deleting specified program files. This step can be performed by the second processor of the scanning device 110 of the earlier embodiments; for the implementation, refer to the description of that step above.
In yet another embodiment of the invention, a rogue program checking and killing method based on cloud security is given; refer to the flow chart shown in Fig. 3.
The flow starts at step S310, in which the client initialises its local engine and network environment.
Then, in step S320, the client reads the system environment information and sends it to the server.
Then, in step S330, the server judges, according to the client's system environment information and preset scan-content conditions, which content needs to be scanned, and sends it to the client. The content to be scanned here corresponds to the first scan-content instruction of the earlier embodiments.
Then, in step S340, the client's local engine executes its built-in scan content and the scan content returned by the server, obtaining the features of unknown program files, such as the filename and an MD5 or SHA hash.
Then, in step S350, the client device sends the features of the unknown program file to the server.
Then, in step S360, the server searches its database according to the features of the program file and/or the attributes of the program file's context environment.
Then, in step S370, the server judges whether a matching record has been found in the database, i.e. whether a corresponding checking and killing method has been found; such a method includes, but is not limited to, a scanning/judging action and a repair action. If a matching record is found, step S380 is performed; if not, step S400 is performed.
Step S380: the server returns the corresponding checking and killing method to the client. Step S390 is then performed.
Step S390: the client performs the corresponding action according to the checking and killing method returned by the server. The flow then ends.
Step S400: the server judges whether other attributes of the client's unknown program file need to be checked further, for example attributes of the unknown program file other than the feature data fed back in step S350, and/or attributes of the file's context environment. If so, step S410 is performed; if not, the flow ends directly.
Step S410: the client obtains, according to the check conditions returned by the server, the required specified attributes of the program file and the attributes of its context environment, and sends them to the server. The flow then returns to step S360 and continues until it ends.
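To make the two-round exchange concrete, the following is an added example (not code from the patent or from its assignee) that simulates both sides of steps S210 to S260 of Fig. 2, with the server re-entering its database lookup on the fuller report in the way the S360/S370/S400/S410 loop of Fig. 3 describes. The file system, the blacklist/whitelist hashes, the per-filename attribute records, the scan locations and all field names are constructed assumptions; a SHA-256 of the file content stands in for the MD5/SHA characteristic data.

```python
"""Constructed simulation of the cloud scan exchange (steps S210-S260 and the
Fig. 3 lookup loop). Added example, not the patent's own code; every path,
file, hash table and field name below is a constructed assumption."""
import hashlib

# ---- client side (constructed): path -> (file content, readable attributes)
CLIENT_FILES = {
    "C:/Windows/System32/drivers/known_good.sys":
        (b"constructed good driver", {"signer": "OS Vendor", "version": "6.1"}),
    "C:/Users/u/AppData/Roaming/dropper.exe":
        (b"constructed known bad sample", {"signer": "", "version": "0.0"}),
    "C:/Program Files/VideoApp/helper.dll":
        (b"constructed unsigned helper", {"signer": "", "version": "2.3"}),
    "C:/Program Files/VideoApp/VideoApp.exe":
        (b"constructed vendor binary", {"signer": "Video Vendor Ltd", "version": "2.3"}),
}

def sha256_hex(data: bytes) -> str:
    """Characteristic data: a hash over the whole file content."""
    return hashlib.sha256(data).hexdigest()

def client_first_scan(instruction: dict) -> list:
    """S230: scan the locations named in the first scan-content instruction and
    report filename plus hash of every file found there."""
    features = []
    for path, (content, _attrs) in CLIENT_FILES.items():
        if any(path.startswith(loc + "/") for loc in instruction["locations"]):
            features.append({"path": path, "filename": path.rsplit("/", 1)[1],
                             "hash": sha256_hex(content)})
    return features

def client_second_scan(instruction: dict, path: str) -> dict:
    """S260: read the requested attributes of the file and of its directory."""
    _content, attrs = CLIENT_FILES[path]
    directory = path.rsplit("/", 1)[0]
    siblings = sorted(p.rsplit("/", 1)[1] for p in CLIENT_FILES
                      if p.rsplit("/", 1)[0] == directory and p != path)
    return {"filename": instruction["filename"], "hash": instruction["hash"],
            "attributes": {k: attrs[k] for k in instruction["attributes"]},
            "context": {"sibling_files": siblings}}

# ---- server side (constructed killing database) ---------------------------
BLACKLIST = {sha256_hex(b"constructed known bad sample"): ["delete_program_file"]}
WHITELIST = {sha256_hex(b"constructed good driver")}
# Second-round records: the signer the genuine file carries, and the repair
# logic to return when the observed signer differs.
ATTRIBUTE_RECORDS = {
    "helper.dll": {"expected_signer": "Video Vendor Ltd",
                   "repair": ["disable_autostart:VideoApp.exe", "restore_file:helper.dll"]},
}
LOCATIONS_BY_OS = {"6.1": ["C:/Windows/System32/drivers",
                           "C:/Users/u/AppData/Roaming", "C:/Program Files/VideoApp"]}

def server_first_instruction(env_info: dict) -> dict:
    """S220: choose scan locations from the reported system environment."""
    locations = LOCATIONS_BY_OS.get(env_info.get("os_version"), ["C:/Program Files"])
    return {"locations": locations, "report": ["filename", "hash"]}

def server_first_match(feature: dict):
    """S240: match characteristic data against known records.
    Returns (verdict, repair_logic), or None when the file is unknown."""
    if feature["hash"] in BLACKLIST:
        return "malicious", BLACKLIST[feature["hash"]]
    if feature["hash"] in WHITELIST:
        return "safe", None
    return None

def server_second_instruction(feature: dict) -> dict:
    """S250: the file is unknown, so ask for further attributes and context."""
    return {"filename": feature["filename"], "hash": feature["hash"],
            "attributes": ["signer", "version"], "context": ["sibling_files"]}

def server_second_judge(report: dict):
    """S360/S370 re-entry on the fuller report; returns (verdict, repair_logic)."""
    record = ATTRIBUTE_RECORDS.get(report["filename"])
    if record is None:
        return "unknown", None
    if report["attributes"]["signer"] == record["expected_signer"]:
        return "safe", None
    return "malicious", record["repair"]

def run_exchange(env_info: dict = None) -> dict:
    """Drive both sides; returns {filename: (verdict, repair_logic, rounds)}."""
    env_info = env_info or {"os_version": "6.1"}          # S210 (constructed)
    results = {}
    instr1 = server_first_instruction(env_info)            # S220
    for feature in client_first_scan(instr1):              # S230
        matched = server_first_match(feature)              # S240
        if matched is not None:
            results[feature["filename"]] = (*matched, 1)
            continue
        instr2 = server_second_instruction(feature)        # S250
        report = client_second_scan(instr2, feature["path"])  # S260
        results[feature["filename"]] = (*server_second_judge(report), 2)
    return results

if __name__ == "__main__":
    for name, (verdict, repair, rounds) in run_exchange().items():
        print(f"{name}: {verdict} after {rounds} round(s), repair={repair}")
```

The known-good driver and the known-bad sample are settled in one round by hash; the two files the hash tables do not know cost a second round, after which one is judged malicious from its missing signature and the other stays unknown because the constructed database has no attribute record for it.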
In yet another embodiment of the invention, a concrete instance of rogue program killing is given. Suppose an audio-visual program xxxUpdate.exe loads xxxUpdate.dll from the same directory; this program is very widely installed in China, but it does not adequately protect or tamper-check its own program files, so a rogue program m could exploit this weakness and replace xxxUpdate.dll with a rogue program. Using this scheme, detection and killing proceed as follows:
First, the client sends the filename and MD5 value of xxxUpdate.dll to the server;
Then, the server matches the corresponding checking and killing method according to the filename and MD5 value, and so sends the client a scan instruction (equivalent to the second scan-content instruction of the earlier embodiments), a decision logic and a repair logic. The scan instruction requires checking whether the security level of the file is trusted and whether the company name in the file's signature is "Beijing xxx company limited"; the decision logic states that if the security level of the file is not trusted and the signing company name is not "Beijing xxx company limited", the file has been tampered with by a rogue program and is judged to be a rogue program; the repair logic states that if the scan result satisfies the decision logic and the file is judged to be a rogue program, the corresponding repair action is to stop xxxUpdate.exe from starting with the system and to replace xxxUpdate.dll with the original file.
Finally, the client scans the file according to the scan content above and judges, from the scan result and the decision logic provided by the server, whether the file is a rogue program; if so, it reports the rogue program to the user and, when the user chooses to remove it, performs the killing action returned by the server, such as the repair process.
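The client-side half of that instance, as an added example that is not part of the patent or its assignee's software: the server's one-shot message carrying the scan instruction, decision logic and repair logic is modelled as a small declarative rule tree (an all/any tree over attribute conditions), the client reads only the attributes the instruction names, evaluates the decision logic locally, and applies the repair logic only when the rule is satisfied and the user has confirmed. The message format, the action names, the "trusted" level label and the in-memory file state are constructed assumptions; the signer string is the one the instance above uses.

```python
"""Constructed client-side evaluation of server-shipped decision and repair
logic (the reduced-communication embodiment and the xxxUpdate.dll instance).
Added example, not the patent's own code; message format, field names, action
names and the file state are constructed assumptions."""

# Message the server might send after matching filename + hash (constructed).
SERVER_MESSAGE = {
    "scan": {"file": "xxxUpdate.dll", "attributes": ["security_level", "signer"]},
    # Decision logic: the file is judged malicious only when ALL conditions hold.
    "decision_logic": {"all": [
        {"attr": "security_level", "op": "not_equals", "value": "trusted"},
        {"attr": "signer", "op": "not_equals", "value": "Beijing xxx company limited"},
    ]},
    # Repair logic, applied only after the decision logic is satisfied.
    "repair_logic": [
        {"action": "disable_autostart", "target": "xxxUpdate.exe"},
        {"action": "restore_file", "target": "xxxUpdate.dll"},
    ],
}

# Attributes of the genuine file, used when the repair restores it (constructed).
GENUINE_DLL = {"security_level": "trusted", "signer": "Beijing xxx company limited"}

def make_state(security_level: str, signer: str) -> dict:
    """Constructed client state: file attributes plus system autostart entries."""
    return {"files": {"xxxUpdate.dll": {"security_level": security_level, "signer": signer}},
            "autostart": {"xxxUpdate.exe"}, "restored": []}

OPS = {
    "equals": lambda observed, expected: observed == expected,
    "not_equals": lambda observed, expected: observed != expected,
    "in": lambda observed, expected: observed in expected,
}

def scan(state: dict, scan_instr: dict) -> dict:
    """Read only the attributes the scan instruction asks for."""
    attrs = state["files"][scan_instr["file"]]
    return {name: attrs.get(name) for name in scan_instr["attributes"]}

def evaluate(logic: dict, scan_result: dict) -> bool:
    """Recursively evaluate an all/any tree of attribute conditions."""
    if "all" in logic:
        return all(evaluate(c, scan_result) for c in logic["all"])
    if "any" in logic:
        return any(evaluate(c, scan_result) for c in logic["any"])
    return OPS[logic["op"]](scan_result.get(logic["attr"]), logic["value"])

def repair(state: dict, repair_logic: list) -> list:
    """Apply the repair steps to the local state; an action the client does not
    implement is refused rather than guessed at."""
    applied = []
    for step in repair_logic:
        if step["action"] == "disable_autostart":
            state["autostart"].discard(step["target"])
        elif step["action"] == "restore_file":
            state["files"][step["target"]] = dict(GENUINE_DLL)
            state["restored"].append(step["target"])
        else:
            raise ValueError(f"unsupported repair action: {step['action']}")
        applied.append(step["action"])
    return applied

def handle_message(state: dict, message: dict, user_confirms: bool = True) -> dict:
    """Second-processor behaviour: scan, judge locally, repair on confirmation."""
    result = scan(state, message["scan"])
    malicious = evaluate(message["decision_logic"], result)
    applied = []
    if malicious and user_confirms and message.get("repair_logic"):
        applied = repair(state, message["repair_logic"])
    return {"scan_result": result, "malicious": malicious, "applied": applied}

if __name__ == "__main__":
    tampered = make_state("unknown", "")
    print(handle_message(tampered, SERVER_MESSAGE), tampered["autostart"])
    print(handle_message(make_state("trusted", "Beijing xxx company limited"), SERVER_MESSAGE))
```

Because the decision logic is an "all" node, a file that carries an unexpected signer but is nonetheless rated trusted is not judged malicious, which matches the two-condition rule in the instance; and when the user declines, the judgement is still reported but no repair step touches the system.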
In another embodiment of the invention, the client device does not report its current system environment information to the server-side device, so the server does not need to generate a first scan-content instruction from the client's system environment information, and the client does not scan according to such an instruction. Instead, the client device scans directly according to known scan logic (for example the scan logic of its local engine, or scan logic the server previously provided), and then reports the suspicious unknown program files found by that scan, which it cannot judge to be safe, directly to the server-side device; the remaining processing is the same as in the earlier embodiments and is not repeated here.
As the embodiments of the invention show, when the filename, MD5, SHA or similar features of a suspicious unknown program file alone cannot determine whether it is a rogue program, or no precise repair scheme can be found, the embodiments require the client device to further scan other attributes of the unknown program file, such as its signature and version, and/or attributes of its context environment, and judge again on that basis, so that an unknown program file the client cannot itself determine to be safe is judged more accurately. Whether the client sends the further scanned attribute results to the server for judgement, or the server sends the decision logic and repair logic related to the scan result to the client so that it can judge on its own, the essence is that the cloud server issues personalised scan content in a timely manner and the checking and killing method is obtained dynamically from the server according to the attributes of the program file and of its context environment. This avoids having to detect and remove newly emerged rogue programs only by updating the local feature database and engine program, which speeds up the response to newly emerged rogue programs and effectively contains their rapid spread.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used together with the teaching herein. The structure required to construct such systems is apparent from the description above. Moreover, the invention is not directed to any particular programming language; it should be understood that various programming languages may be used to implement the content of the invention described here, and the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided herein. It is understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. The claims following the detailed description are hereby expressly incorporated into that description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all components of the scanning device for rogue program killing or of the cloud management device according to embodiments of the invention. The invention may also be implemented as apparatus or device programs (for example computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
Disclosed herein is A1, a scanning device for rogue program killing, comprising: a first transmission interface, configured to transmit information to a server-side device and to receive information transmitted by the server-side device; an environment information reader, configured to read the current system environment information of the client device and transmit it to the server-side device through the first transmission interface; a first scanner, configured to obtain through the first transmission interface a first scan-content instruction that the server-side device derives at least from the system environment information, to scan the specified locations in the first scan-content instruction, and to transmit at least the characteristic data of the unknown program files found to the server-side device through the first transmission interface; and a second scanner, configured to obtain through the first transmission interface a second scan-content instruction transmitted by the server-side device, the second scan-content instruction comprising an instruction to scan specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to scan according to the second scan-content instruction.
A2, the scanning device according to A1, wherein the second scanner is further configured to transmit the scan result obtained according to the second scan-content instruction to the server-side device through the first transmission interface; and the scanning device further comprises a first processor, configured to obtain through the first transmission interface the repair logic that the server-side device determines on the basis of the scan result provided by the second scanner, and to repair the unknown program file according to that repair logic.
A3, the scanning device according to A1, further comprising a second processor, configured to obtain through the first transmission interface, from the server-side device, a repair logic related to the second scan-content instruction and transmitted together with it, and to repair the unknown program file when the scan result of the second scanner satisfies that repair logic.
A4, the scanning device according to A2 or A3, wherein the repair comprises one or more of the following: deleting specified registry keys and/or values, editing specified registry keys and/or values to given content, deleting specified system service entries, and repairing or deleting specified program files.
A5, the scanning device according to any one of A1 to A4, wherein the system environment information comprises one or more of the following: operating system version information, system patch installation information, software installation information, driver installation information, and information on the processes and services running in the system.
A6, the scanning device according to any one of A1 to A5, wherein the characteristic data of the program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the filename; and the specified attributes of the unknown program file comprise one or more of the following: characteristic data, file size, security level, signature information and version information.
A7, the scanning device according to any one of A1 to A6, wherein the attributes of the context environment of the unknown program file comprise one or more of the following: information about the directory containing the unknown program file, information about startup locations in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of specified processes.
Disclosed herein is B8, a cloud management device for malicious program detection and removal, comprising: a second transmission interface, configured to transmit information to a client device and to receive information transmitted by the client device; a first instruction unit, configured to generate a first scan content instruction according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan content instruction at least comprising the content to scan at designated locations and a request to report the characteristic data of any unknown program file found, and to transfer the first scan content instruction to the client device through the second transmission interface; a first matching unit, configured to obtain, through the second transmission interface, the characteristic data of the unknown program file transmitted by the client device, and to match it against the records of known malicious program characteristics; and a second instruction unit, configured to generate a second scan content instruction when the first matching unit fails to match a known record, the second scan content instruction instructing the client device to scan specified attributes of the unknown program file and/or specified attributes of its context environment, and to transfer it to the client device through the second transmission interface.

B9, the cloud management device according to B8, wherein the second instruction unit is further configured to obtain, through the second transmission interface, the scan result the client device obtained according to the second scan content instruction, to judge accordingly whether the unknown program file is a malicious program, and to transfer the judgment result to the client device through the second transmission interface; or, the second instruction unit is further configured to transfer decision logic related to the second scan content instruction, together with that instruction, to the client device through the second transmission interface, the decision logic being the logic for judging whether the unknown program file is a malicious program.

B10, the cloud management device according to B9, wherein the second instruction unit is further configured to match the scan result the client device obtained according to the second scan content instruction against a known malicious program detection database and, if repair logic matching the scan result is found, to transfer it to the client device through the second transmission interface; or, the second instruction unit is further configured to match the second scan content instruction against the known malicious program detection database and to transfer the matched repair logic related to the second scan content instruction, together with that instruction, to the client device through the second transmission interface.

B11, the cloud management device according to any one of B8 to B10, wherein the characteristics of newly emerged malicious programs comprise: characteristic information about the specific locations that newly emerged malicious programs use to hide and/or attack.

B12, the cloud management device according to any one of B8 to B11, wherein the first scan content instruction is a conditional instruction, the conditions comprising one or more of the following: whether a specified file exists, whether a specified directory exists, whether the attributes of a program file meet specified requirements, whether a specified registry key exists, whether a specified registry value exists, whether the content of a registry key meets specified requirements, whether the content of a registry value meets specified requirements, whether a specified process exists, and whether a specified service exists.

B13, the cloud management device according to any one of B8 to B12, wherein the repair logic comprises one or more of the following: deleting specified registry keys and/or values, editing registry keys and/or values to specified content, deleting specified system service entries, and repairing or deleting specified program files.

B14, the cloud management device according to any one of B8 to B13, wherein the characteristic data of the unknown program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the filename; and the specified attributes of the unknown program file comprise one or more of the following: characteristic data, file size, signature information and version information.

B15, the cloud management device according to any one of B8 to B14, wherein the attributes of the context environment of the unknown program file comprise one or more of the following: information on the directory containing the unknown program file, security level information, information on the startup locations in the registry, attribute information of other files in the same directory as the program file or in a designated directory, and the running state of specified processes.
Disclosed herein is C16, a malicious program scanning system based on cloud security, comprising the scanning device for malicious program detection and removal according to any one of A1 to A7 and the cloud management device for malicious program detection and removal according to any one of B8 to B15.
Disclosed herein is D17, a scan method for malicious program detection and removal, comprising: reading the current system environment information of a client device and transferring it to a server-side device; obtaining a first scan content instruction that the server-side device determines on the basis of the system environment information, scanning the locations designated in the first scan content instruction, and transferring at least the characteristic data of any unknown program file found by the scan to the server-side device; and obtaining a second scan content instruction transmitted by the server-side device, which instructs scanning of specified attributes of the unknown program file and/or specified attributes of its context environment, and scanning according to the second scan content instruction.

D18, the scan method according to D17, further comprising: transferring the scan result obtained according to the second scan content instruction to the server-side device, obtaining the judgment result, determined by the server-side device on the basis of that scan result, as to whether the unknown program file is a malicious program, and processing accordingly according to the judgment result; or, obtaining from the server-side device decision logic related to the second scan content instruction, determining whether the unknown program file is a malicious program according to the scan result obtained under the second scan content instruction and the decision logic, and processing accordingly.
Disclosed herein is E19, a cloud management method for malicious program detection and removal, comprising: generating a first scan content instruction according to the characteristics of newly emerged malicious programs and the system environment information transmitted by a client device, the first scan content instruction at least comprising the content to scan at designated locations and a request to report the characteristic data of any unknown program file found, and transferring the first scan content instruction to the client device; obtaining the characteristic data of the unknown program file transmitted by the client device and matching it against a known malicious program detection database; and, when no known record matches the characteristic data of the unknown program file, generating a second scan content instruction, which instructs scanning of specified attributes of the unknown program file and/or specified attributes of its context environment, and transferring the second scan content instruction to the client device.

E20, the cloud management method according to E19, further comprising: obtaining the scan result the client device obtained according to the second scan content instruction, judging accordingly whether the unknown program file is a malicious program, and transferring the judgment result and/or the repair logic matching the scan result to the client device; or, transferring decision logic and/or repair logic related to the second scan content instruction, together with that instruction, to the client device.
Disclosed herein is F21, a malicious program scan method based on cloud security, comprising: the client device reads its current system environment information and transfers it to the server-side device; the server-side device generates a first scan content instruction according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan content instruction at least comprising the content to scan at designated locations and a request to report the characteristic data of any unknown program file found, and transfers the first scan content instruction to the client device; the client device scans according to the first scan content instruction and transfers at least the characteristic data of any unknown program file found by the scan to the server-side device; the server-side device matches the characteristic data of the unknown program file against a known malicious program detection database; when no known record matches the characteristic data of the unknown program file, the server-side device generates a second scan content instruction, which instructs scanning of specified attributes of the unknown program file and/or specified attributes of its context environment, and transfers the second scan content instruction to the client device; and the client device scans according to the second scan content instruction.

Claims (17)

1. A scanning device for malicious program detection and removal, comprising:
a first transmission interface, configured to transmit information to a server-side device and to receive information transmitted by the server-side device;
an environment information reader, configured to read the current system environment information of the client device and to transfer it to the server-side device through the first transmission interface;
a first scanner, configured to obtain, through the first transmission interface, a first scan content instruction generated by the server-side device according to the characteristics of newly emerged malicious programs and the system environment information, to scan the locations designated in the first scan content instruction, and to transfer at least the characteristic data of any unknown program file found by the scan to the server-side device through the first transmission interface;
a second scanner, configured to obtain, through the first transmission interface, a second scan content instruction generated when the server-side device fails to match the characteristic data successfully in a known malicious program detection database, in which the characteristic information of malicious programs is recorded, the second scan content instruction instructing the scanner to scan specified attributes of the unknown program file and/or specified attributes of its context environment; to scan according to the second scan content instruction; and to transfer the scan result obtained according to the second scan content instruction to the server-side device through the first transmission interface; and
a first repair unit, configured to obtain, through the first transmission interface, repair logic that the server-side device determines on the basis of the scan result provided by the second scanner, and to carry out repair processing on the unknown program file according to the repair logic.
2. The scanning device according to claim 1, further comprising:
a second repair unit, configured to obtain from the server-side device, through the first transmission interface, repair logic related to the second scan content instruction and transmitted together with it, and to carry out repair processing on the unknown program file when the scan result of the second scanner satisfies the repair logic.
3. The scanning device according to claim 1 or 2, wherein the repair processing comprises one or more of the following:
deleting specified registry keys and/or values, editing registry keys and/or values to specified content, deleting specified system service entries, and repairing or deleting specified program files.
4. The scanning device according to claim 1 or 2, wherein the system environment information comprises one or more of the following:
the version information of the operating system, system patch installation information, software installation information, driver installation information, and information on the processes and services running in the system.
5. The scanning device according to claim 1 or 2, wherein:
the characteristic data of the unknown program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the filename;
the specified attributes of the unknown program file comprise one or more of the following: characteristic data, file size, security level, signature information and version information.
6. The scanning device according to claim 1 or 2, wherein the attributes of the context environment of the unknown program file comprise one or more of the following:
information on the directory containing the unknown program file, information on the startup locations in the registry, attribute information of other files in the same directory as the unknown program file or in a designated directory, and the running state of specified processes.
7. A cloud management device for malicious program detection and removal, comprising:
a second transmission interface, configured to transmit information to a client device and to receive information transmitted by the client device;
a first instruction unit, configured to generate a first scan content instruction according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan content instruction at least comprising the content to scan at designated locations and a request to report the characteristic data of any unknown program file found, and to transfer the first scan content instruction to the client device through the second transmission interface;
a first matching unit, configured to obtain, through the second transmission interface, the characteristic data of the unknown program file transmitted by the client device, and to match it against a known malicious program detection database in which the characteristic information of malicious programs is recorded; and
a second instruction unit, configured to generate a second scan content instruction when the first matching unit fails to match a known record, the second scan content instruction instructing the client device to scan specified attributes of the unknown program file and/or specified attributes of its context environment, and to transfer it to the client device through the second transmission interface; and further configured either to obtain, through the second transmission interface, the scan result the client device obtained according to the second scan content instruction, to judge accordingly whether the unknown program file is a malicious program, and to transfer the judgment result to the client device through the second transmission interface, or to transfer decision logic related to the second scan content instruction, together with that instruction, to the client device through the second transmission interface, the decision logic being the logic for judging whether the unknown program file is a malicious program.
8. The cloud management device according to claim 7, wherein:
the second instruction unit is further configured to match the scan result the client device obtained according to the second scan content instruction against the known malicious program detection database and, if repair logic matching the scan result is found, to transfer it to the client device through the second transmission interface;
or,
the second instruction unit is further configured to match the second scan content instruction against the known malicious program detection database and to transfer the matched repair logic related to the second scan content instruction, together with that instruction, to the client device through the second transmission interface.
9. The cloud management device according to claim 7 or 8, wherein the characteristics of newly emerged malicious programs comprise: characteristic information about the specific locations that newly emerged malicious programs use to hide and/or attack.
10. The cloud management device according to claim 7 or 8, wherein the first scan content instruction is a conditional instruction, the conditions comprising one or more of the following:
whether a specified file exists, whether a specified directory exists, whether the attributes of a program file meet specified requirements, whether a specified registry key exists, whether a specified registry value exists, whether the content of a registry key meets specified requirements, whether the content of a registry value meets specified requirements, whether a specified process exists, and whether a specified service exists.
11. The cloud management device according to claim 8, wherein the repair logic comprises one or more of the following:
deleting specified registry keys and/or values, editing registry keys and/or values to specified content, deleting specified system service entries, and repairing or deleting specified program files.
12. The cloud management device according to claim 7 or 8, wherein:
the characteristic data of the unknown program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the filename;
the specified attributes of the unknown program file comprise one or more of the following: characteristic data, file size, signature information and version information.
13. The cloud management device according to claim 7 or 8, wherein the attributes of the context environment of the unknown program file comprise one or more of the following:
information on the directory containing the unknown program file, security level information, information on the startup locations in the registry, attribute information of other files in the same directory as the unknown program file or in a designated directory, and the running state of specified processes.
14. A malicious program scanning system based on cloud security, comprising the scanning device for malicious program detection and removal according to any one of claims 1 to 6 and the cloud management device for malicious program detection and removal according to any one of claims 7 to 13.
15. A scan method for malicious program detection and removal, comprising:
reading the current system environment information of a client device and transferring it to a server-side device;
obtaining a first scan content instruction generated by the server-side device according to the characteristics of newly emerged malicious programs and the system environment information, scanning the locations designated in the first scan content instruction, and transferring at least the characteristic data of any unknown program file found by the scan to the server-side device; and
obtaining a second scan content instruction generated when the server-side device fails to match the characteristic data successfully in a known malicious program detection database, in which the characteristic information of malicious programs is recorded, the second scan content instruction instructing scanning of specified attributes of the unknown program file and/or specified attributes of its context environment, and scanning according to the second scan content instruction;
transferring the scan result obtained according to the second scan content instruction to the server-side device, obtaining the judgment result, determined by the server-side device on the basis of that scan result, as to whether the unknown program file is a malicious program, and processing accordingly according to the judgment result;
or,
obtaining from the server-side device decision logic related to the second scan content instruction, determining whether the unknown program file is a malicious program according to the scan result obtained under the second scan content instruction and the decision logic, and processing accordingly.
16. A cloud management method for malicious program detection and removal, comprising:
generating a first scan content instruction according to the characteristics of newly emerged malicious programs and the system environment information transmitted by a client device, the first scan content instruction at least comprising the content to scan at designated locations and a request to report the characteristic data of any unknown program file found, and transferring the first scan content instruction to the client device;
obtaining the characteristic data of the unknown program file transmitted by the client device and matching it against a known malicious program detection database in which the characteristic information of malicious programs is recorded; and
when no known record matches the characteristic data of the unknown program file, generating a second scan content instruction, which instructs scanning of specified attributes of the unknown program file and/or specified attributes of its context environment, and transferring the second scan content instruction to the client device;
after obtaining the scan result the client device obtained according to the second scan content instruction, further analysing and comparing the scan result against the malicious program detection database, judging again whether the unknown program file is a malicious program, and then transferring the judgment result and/or the repair logic matching that scan result to the client device.
17. A malicious program scan method based on cloud security, comprising:
a client device reading its current system environment information and transferring it to a server-side device;
the server-side device generating a first scan content instruction according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan content instruction at least comprising the content to scan at designated locations and a request to report the characteristic data of any unknown program file found, and transferring the first scan content instruction to the client device;
the client device scanning according to the first scan content instruction and transferring at least the characteristic data of any unknown program file found by the scan to the server-side device;
the server-side device matching the characteristic data of the unknown program file against a known malicious program detection database;
when no known record matches the characteristic data of the unknown program file, the server-side device generating a second scan content instruction, which instructs scanning of specified attributes of the unknown program file and/or specified attributes of its context environment, and transferring the second scan content instruction to the client device;
the client device scanning according to the second scan content instruction and transferring the scan result obtained according to the second scan content instruction to the server-side device;
after obtaining the scan result the client device obtained according to the second scan content instruction, the server-side device further analysing and comparing the scan result against the known malicious program detection database, judging again whether the unknown program file is a malicious program, and then transferring the judgment result and/or the repair logic matching that scan result to the client device;
the client device, after obtaining the judgment result fed back by the server-side device as to whether the unknown program file is a malicious program, processing accordingly according to the judgment result.
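As an added illustration of the exchange in claims 15 to 17 (and of embodiments A1 to F21 above), and not code from the patent or its assignee, the following Python models both sides of the two-stage scan: the server issues a conditional first instruction built from the reported environment, the client reports characteristic data of program files at the designated locations, files that miss the known record trigger a second instruction for specified and context attributes, and the server's decision returns repair logic that the client applies. Every path, registry key, file body, the known-malware record and the decision rule are constructed assumptions, not values taken from the patent.

```python
"""Two-stage cloud-assisted scan exchange modelled on claims 15-17 (and A1-F21).
Added illustration, not the patent's own code. Every path, registry key, file
body and malware record below is constructed; the decision rule is an assumption."""
import copy
import hashlib

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # startup location in the registry
# Constructed client state standing in for the real file system and registry.
SAMPLE_FILES = {
    r"C:\Windows\Temp\svch0st.exe": {"body": b"MZ" + b"\x41" * 60, "signed": False, "version": ""},
    r"C:\Program Files\Tool\tool.exe": {"body": b"MZ" + b"\x42" * 60, "signed": True, "version": "2.1"},
}
SAMPLE_REGISTRY = {RUN_KEY: {"updater": r"C:\Windows\Temp\svch0st.exe"}}
SAMPLE_ENV = {"os_version": "Windows 7", "patches": ["KB-constructed"], "processes": ["explorer.exe"]}


def characteristic(body: bytes) -> str:
    """Characteristic datum: SHA-256 of the body (any specified algorithm over key content qualifies)."""
    return hashlib.sha256(body).hexdigest()


class Client:
    """Scanning device; works on a copy of the state so the samples stay intact."""
    def __init__(self, files, registry, env):
        self.files, self.registry, self.env = copy.deepcopy(files), copy.deepcopy(registry), env

    def _condition_holds(self, cond):
        if cond["type"] == "file_exists":
            return cond["path"] in self.files
        return cond["type"] == "registry_value_exists" and cond["name"] in self.registry.get(cond["key"], {})

    def first_scan(self, instr):
        """Conditional first stage: report characteristic datum + filename only if every condition holds."""
        if not all(self._condition_holds(c) for c in instr["conditions"]):
            return []
        return [{"path": p, "filename": p.rsplit("\\", 1)[-1], "characteristic": characteristic(self.files[p]["body"])}
                for p in instr["locations"] if p in self.files]

    def second_scan(self, instr):
        """Second stage: specified attributes plus context (startup entries, same-directory files)."""
        out = []
        for p in instr["targets"]:
            f, d = self.files[p], p.rsplit("\\", 1)[0].lower()
            out.append({"path": p, "file_size": len(f["body"]), "signed": f["signed"], "version": f["version"],
                        "startup_entries": [n for n, v in self.registry.get(RUN_KEY, {}).items()
                                            if v.lower() == p.lower()],
                        "same_dir_files": [q for q in self.files
                                           if q != p and q.rsplit("\\", 1)[0].lower() == d]})
        return out

    def repair(self, logic):
        """Apply repair logic returned by the server (two of the claimed repair actions)."""
        for step in logic:
            if step["action"] == "delete_registry_value":
                self.registry.get(step["key"], {}).pop(step["name"], None)
            elif step["action"] == "delete_file":
                self.files.pop(step["path"], None)


class CloudServer:
    """Cloud management device: known-malware record plus instruction and decision logic."""
    def __init__(self, known_characteristics):
        self.known = known_characteristics

    def first_instruction(self, env):
        """Built from a constructed new-malware trait and the environment: registry check only on Windows."""
        conds = [{"type": "file_exists", "path": r"C:\Windows\Temp\svch0st.exe"}]
        if env["os_version"].startswith("Windows"):
            conds.append({"type": "registry_value_exists", "key": RUN_KEY, "name": "updater"})
        return {"conditions": conds,
                "locations": [r"C:\Windows\Temp\svch0st.exe", r"C:\Program Files\Tool\tool.exe"]}

    def unknown_files(self, report):
        return [r for r in report if r["characteristic"] not in self.known]  # first matching step

    def second_instruction(self, unknown):
        return {"targets": [u["path"] for u in unknown],
                "attributes": ["file_size", "signed", "version"], "context": ["startup_entries", "same_dir_files"]}

    def decide(self, result):
        """Constructed decision logic: unsigned, versionless, auto-started from a temp directory -> malicious."""
        if not (result["startup_entries"] and not result["signed"]
                and not result["version"] and "\\temp\\" in result["path"].lower()):
            return None
        return ([{"action": "delete_registry_value", "key": RUN_KEY, "name": n}
                 for n in result["startup_entries"]]
                + [{"action": "delete_file", "path": result["path"]}])


def run_exchange(files=SAMPLE_FILES, registry=SAMPLE_REGISTRY, env=SAMPLE_ENV, known=None):
    """Full exchange of claim 17; returns counts, per-file verdicts and the end state."""
    client = Client(files, registry, env)
    server = CloudServer({characteristic(b"MZ" + b"\x5a" * 60)} if known is None else known)
    report = client.first_scan(server.first_instruction(client.env))
    unknown = server.unknown_files(report)
    verdicts = {}
    for result in client.second_scan(server.second_instruction(unknown)) if unknown else []:
        logic = server.decide(result)
        verdicts[result["path"]] = logic is not None
        if logic:
            client.repair(logic)
    return {"reported": len(report), "unknown": len(unknown),
            "verdicts": verdicts, "files": client.files, "registry": client.registry}
```

On the constructed state, the first stage reports both files, neither matches the known record, and only the unsigned auto-started temp file is judged malicious and removed together with its startup entry.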
Application CN201210506137.5A, priority date 2012-11-30, filing date 2012-11-30: For the scanning device of rogue program killing, cloud management equipment and method and system (Active, CN102982284B, en)

Priority Applications (4)

Application Number | Publication | Priority Date | Filing Date | Title
CN201210506137.5A | CN102982284B (en) | 2012-11-30 | 2012-11-30 | For the scanning device of rogue program killing, cloud management equipment and method and system
PCT/CN2013/088196 | WO2014082599A1 (en) | 2012-11-30 | 2013-11-29 | Scanning device, cloud management device, method and system for checking and killing malicious programs
US14/648,298 | US9830452B2 (en) | 2012-11-30 | 2013-11-29 | Scanning device, cloud management device, method and system for checking and killing malicious programs
US15/823,534 | US20180082061A1 (en) | 2012-11-30 | 2017-11-27 | Scanning device, cloud management device, method and system for checking and killing malicious programs

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201210506137.5A | CN102982284B (en) | 2012-11-30 | 2012-11-30 | For the scanning device of rogue program killing, cloud management equipment and method and system

Publications (2)

Publication Number | Publication Date
CN102982284A (en) | 2013-03-20
CN102982284B (en) | 2016-04-20

Family

ID=47856288

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201210506137.5A | Active | CN102982284B (en) | 2012-11-30 | 2012-11-30 | For the scanning device of rogue program killing, cloud management equipment and method and system

Country Status (1)

Country | Link
CN (1) | CN102982284B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014082599A1 (en) * 2012-11-30 2014-06-05 北京奇虎科技有限公司 Scanning device, cloud management device, method and system for checking and killing malicious programs
CN103390130B (en) * 2013-07-18 2017-04-05 北京奇虎科技有限公司 Based on the method for the rogue program killing of cloud security, device and server
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
CN103929323A (en) * 2013-12-16 2014-07-16 汉柏科技有限公司 Health degree monitoring method of cloud network equipment
CN104462975A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program scanning method, device and system
CN104462601B (en) * 2014-12-31 2017-04-12 北京奇安信科技有限公司 File scanning method, device and system
CN104573518B (en) * 2015-01-23 2019-03-26 百度在线网络技术(北京)有限公司 File scanning method, device, server and system
TWI547823B (en) 2015-09-25 2016-09-01 緯創資通股份有限公司 Method and system for analyzing malicious code, data processing apparatus and electronic apparatus
CN105335191B (en) * 2015-10-16 2019-03-01 珠海豹趣科技有限公司 A kind of method, apparatus and terminal of end of scan equipment
CN105429956B (en) * 2015-11-02 2018-09-25 重庆大学 Malware detection system based on P2P dynamic clouds and method
CN106682508B (en) * 2016-06-17 2019-01-11 腾讯科技(深圳)有限公司 The checking and killing method and device of virus
CN107645483B (en) * 2016-07-22 2021-03-19 创新先进技术有限公司 Risk identification method, risk identification device, cloud risk identification device and system
CN106682495B (en) * 2016-11-11 2020-01-10 腾讯科技(深圳)有限公司 Safety protection method and safety protection device
CN110971575B (en) * 2018-09-29 2023-04-18 北京金山云网络技术有限公司 Malicious request identification method and device, electronic equipment and computer storage medium
CN109829303A (en) * 2018-12-28 2019-05-31 北京奇安信科技有限公司 A kind of Intranet cloud checking and killing method, console and client based on system file
CN110879887B (en) * 2019-11-15 2022-03-04 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for repairing mining trojan program
CN114115936A (en) * 2021-10-27 2022-03-01 安天科技集团股份有限公司 Method and device for upgrading computer program, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102279912A (en) * 2011-06-03 2011-12-14 奇智软件(北京)有限公司 Client program monitoring method and device and client
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
US8302192B1 (en) * 2008-04-30 2012-10-30 Netapp, Inc. Integrating anti-virus in a clustered storage system
CN102799811A (en) * 2012-06-26 2012-11-28 腾讯科技(深圳)有限公司 Scanning method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102750463A (en) * 2011-12-16 2012-10-24 北京安天电子设备有限公司 System and method for improving file rescanning speed

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8302192B1 (en) * 2008-04-30 2012-10-30 Netapp, Inc. Integrating anti-virus in a clustered storage system
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN102279912A (en) * 2011-06-03 2011-12-14 奇智软件(北京)有限公司 Client program monitoring method and device and client
CN102799811A (en) * 2012-06-26 2012-11-28 腾讯科技(深圳)有限公司 Scanning method and device

Also Published As

Publication number Publication date
CN102982284A (en) 2013-03-20

Similar Documents

Publication Publication Date Title
CN102982284B (en) For the scanning device of rogue program killing, cloud management equipment and method and system
CN103034808B (en) Scanning method, device and system, and cloud management device
US20180082061A1 (en) Scanning device, cloud management device, method and system for checking and killing malicious programs
Costin et al. A large-scale analysis of the security of embedded firmwares
CN103281325A (en) Method and device for processing file based on cloud security
CN102332072B (en) System and method for detection of malware and management of malware-related information
CN102984121B (en) Access monitoring method and information processing apparatus
CN1577272B (en) Automatic detection and patching of vulnerable files
US10986104B2 (en) Remote malware scanning capable of static and dynamic file analysis
CN101743530B (en) Method and system for anti-virus scanning of partially available content
US10546143B1 (en) System and method for clustering files and assigning a maliciousness property based on clustering
CN103390130B (en) Method, device and server for killing malicious programs based on cloud security
CN102982121B (en) File scanning method, file scanning device and file detection system
US20130133069A1 (en) Silent-mode signature testing in anti-malware processing
CN103679031A (en) File virus immunizing method and device
CN107896219B (en) Method, system and related device for detecting website vulnerability
CN101297286A (en) Automated device driver management
CN1777867A (en) System and method for updating files utilizing delta compression patching
CN104598815A (en) Identification method and device of malicious advertisement program and client side
CN104598822A (en) Detection method and detection device of applications
CN103631678A (en) Backup method, restoring method and device for client software
CN103473501A (en) Malware tracking method based on cloud safety
CN103646062A (en) Scanning method and device for downloaded file
RU2491623C1 (en) System and method of verifying trusted files
US8402544B1 (en) Incremental scanning of computer files for malicious codes

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
  Effective date of registration: 2022-08-01
  Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015
  Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
  Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
  Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
  Patentee before: Qizhi software (Beijing) Co.,Ltd.